From ada63f8164d2a638956393fe9d612259954528cf Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 18 Jun 2020 14:27:46 -0700 Subject: [PATCH 001/415] Acrolinx spelling: "sesnsitive" and "ogranization" --- windows/security/information-protection/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/index.md b/windows/security/information-protection/index.md index 84ea720232..e72f8d6c68 100644 --- a/windows/security/information-protection/index.md +++ b/windows/security/information-protection/index.md @@ -1,6 +1,6 @@ --- title: Information protection (Windows 10) -description: Learn more about how to protect sesnsitive data across your ogranization. +description: Learn more about how to protect sensitive data across your organization. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library From 75809ac5aab94a007e9185a63db2601cfecbc7de Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Thu, 11 Feb 2021 17:57:04 +0530 Subject: [PATCH 002/415] typo correction : make to manufacturer as per user report #9103 , so i changed **Make** to **Manufacturer** --- .../deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md index 5c8972471b..17c923be2d 100644 --- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md +++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md @@ -339,7 +339,7 @@ On **MDT01**: 1. Preinstall: After the **Enable BitLocker (Offline)** action, add a **Set Task Sequence Variable** action with the following settings: 1. Name: Set DriverGroup001 2. Task Sequence Variable: DriverGroup001 - 3. Value: Windows 10 x64\\%Make%\\%Model% + 3. Value: Windows 10 x64\\%Manufacturer%\\%Model% 2. Configure the **Inject Drivers** action with the following settings: 1. Choose a selection profile: Nothing 2. Install all drivers from the selection profile From 3b16e01e520aabec17ad05ef3aebce755dc90e2d Mon Sep 17 00:00:00 2001 From: Tina Burden Date: Fri, 5 Mar 2021 12:04:09 -0800 Subject: [PATCH 003/415] pencil edit --- .../threat-protection/microsoft-defender-atp/machine-groups.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine-groups.md b/windows/security/threat-protection/microsoft-defender-atp/machine-groups.md index 1370c628f9..1826c31d95 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machine-groups.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machine-groups.md @@ -1,6 +1,6 @@ --- title: Create and manage device groups in Microsoft Defender ATP -description: Create device groups and set automated remediation levels on them by confiring the rules that apply on the group +description: Create device groups and set automated remediation levels on them by confirming the rules that apply on the group keywords: device groups, groups, remediation, level, rules, aad group, role, assign, rank search.product: eADQiWindows 10XVcnh search.appverid: met150 From e7fce2daf65480282bb7adea84fb892ccb35093b Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Tue, 9 Mar 2021 23:43:16 +0530 Subject: [PATCH 004/415] Update windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md accepted Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md index 901e211995..aec9e43f39 100644 --- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md +++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md @@ -372,7 +372,6 @@ On **MDT01**: 1. Name: Set DriverGroup001 2. Task Sequence Variable: DriverGroup001 3. Value: Windows 10 x64\\%Manufacturer%\\%Model% - 2. Configure the **Inject Drivers** action with the following settings: - Choose a selection profile: Nothing - Install all drivers from the selection profile From 14a27c2044882159fd35327751247ac9c156330c Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Tue, 9 Mar 2021 23:55:11 +0530 Subject: [PATCH 005/415] Update windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md accepted Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md index aec9e43f39..05f4eb980c 100644 --- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md +++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md @@ -372,6 +372,7 @@ On **MDT01**: 1. Name: Set DriverGroup001 2. Task Sequence Variable: DriverGroup001 3. Value: Windows 10 x64\\%Manufacturer%\\%Model% + 2. Configure the **Inject Drivers** action with the following settings: - Choose a selection profile: Nothing - Install all drivers from the selection profile From 77d18b1ba6294fd57f6448064366ad420f374cdd Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Wed, 10 Mar 2021 15:51:34 +0530 Subject: [PATCH 006/415] Updated --- .../mdm/Language-pack-management-csp.md | 65 +++++++++++++++++++ ...onfiguration-service-provider-reference.md | 27 ++++++++ 2 files changed, 92 insertions(+) create mode 100644 windows/client-management/mdm/Language-pack-management-csp.md diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md new file mode 100644 index 0000000000..ba439c06a3 --- /dev/null +++ b/windows/client-management/mdm/Language-pack-management-csp.md @@ -0,0 +1,65 @@ +--- +title: LanguagePackManagement CSP +description: Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10 and Windows 10 X. +ms.reviewer: +manager: dansimp +ms.author: dansimp +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nimishasatapathy +ms.date: 03/12/2021 +--- + +# LanguagePackManagement CSP + + +Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10 and Windows 10 X. A separate CSP exists to allow provisioning of optional FODs (Handwriting recognition, Text-to-speech etc.) associated with a language. MDMs like Intune can use management commands remotely to devices to configure language related settings. + + +Device context +1. Enumerate installed languages with GET command on the "InstalledLanguges" node + +Sample command +**GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages** +**GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages /zh-CN/Providers** +**GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages /ja-JP/Providers** + +The nodes under “InstalledLanguages” are the language tags of the installed languages. The “providers” node under language tag is the bit map representation of either "language pack (features)" or "LXPs". 1 indicates the language pack installed is a System Language Pack (non-LXP), “2” stands for LXPs installed. “3” stands for both installed. + +2. Install language pack features with EXECUTE command on the "StartInstall" node of the language + +Sample command +**ADD./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/** +**EXECUTE./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/StartInstallation** + +The installation is an asynchronous operation. IT admin can query the ‘Status’ node using + +**GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/Status** +**GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/ErrorCode** + +Status: 0 – not started; 1 – in process; 2 – succeeded; 3 – failed. ErrorCode is a HRESULT that could help diagnosis if the installation failed +> [!NOTE] +> If the IT administration has not set the policy of blocking cleanup of unused language packs, then this command will fail. + +3. Delete installed Language with the DELETE command on the installed language tag. The delete command is a fire and forget operation. The deletion will run in background. IT admin can query the installed language later and resend the command if needed. + +Sample command +**DELETE ./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages /zh-CN (Delete command)** + +4. Get/Set System Preferred UI Language with GET or REPLACE command on the "SystemPreferredUILanguages" Node + +Sample command +**./Device/Vendor/MSFT/LanguagePackManagement/LanguageSettings/SystemPreferredUILanguages** + + + + + + + + + + + + diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index dcf8eec173..727a6c5348 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -1374,6 +1374,33 @@ Additional lists: + +[LanguagePackManagement CSP](languagepackmanagement-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcheck markcheck markcheck mark
+ + + [Maps CSP](maps-csp.md) From 4eb06c120dde73dbf61b6f1420d5cf59692b3250 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Mon, 15 Mar 2021 15:46:47 +0530 Subject: [PATCH 007/415] updated --- windows/client-management/mdm/Language-pack-management-csp.md | 4 ++-- .../mdm/configuration-service-provider-reference.md | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md index ba439c06a3..755472b5af 100644 --- a/windows/client-management/mdm/Language-pack-management-csp.md +++ b/windows/client-management/mdm/Language-pack-management-csp.md @@ -1,5 +1,5 @@ --- -title: LanguagePackManagement CSP +title: Language Pack Management CSP description: Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10 and Windows 10 X. ms.reviewer: manager: dansimp @@ -11,7 +11,7 @@ author: nimishasatapathy ms.date: 03/12/2021 --- -# LanguagePackManagement CSP +# Language Pack Management CSP Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10 and Windows 10 X. A separate CSP exists to allow provisioning of optional FODs (Handwriting recognition, Text-to-speech etc.) associated with a language. MDMs like Intune can use management commands remotely to devices to configure language related settings. diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 727a6c5348..d689057684 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -1375,7 +1375,7 @@ Additional lists: -[LanguagePackManagement CSP](languagepackmanagement-csp.md) +[Language Pack Management CSP](language- pack-management-csp.md) From d0b796a849b273ba7018052b64bae1572d11d1a3 Mon Sep 17 00:00:00 2001 From: Thomas G Date: Wed, 17 Mar 2021 10:55:08 +0100 Subject: [PATCH 008/415] Adding all Failure Code for event 4771 according to RFC 4120 Adding all error codes for event 4771 according to RFC 4120 https://tools.ietf.org/html/rfc4120#section-7.5.9 --- .../threat-protection/auditing/event-4771.md | 73 ++++++++++++++++++- 1 file changed, 69 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/auditing/event-4771.md b/windows/security/threat-protection/auditing/event-4771.md index 840d05eefb..1da05686b7 100644 --- a/windows/security/threat-protection/auditing/event-4771.md +++ b/windows/security/threat-protection/auditing/event-4771.md @@ -166,13 +166,78 @@ The most common values: > Table 6. Kerberos ticket flags. -- **Failure Code** \[Type = HexInt32\]**:** hexadecimal failure code of failed TGT issue operation. The table below contains the list of the most common error codes for this event: +- **Failure Code** \[Type = HexInt32\]**:** hexadecimal failure code of failed TGT issue operation. The table below contains the list of the error codes for this event as defined in [RFC 4120](https://tools.ietf.org/html/rfc4120#section-7.5.9): | Code | Code Name | Description | Possible causes | |------|--------------------------------|--------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 0x10 | KDC\_ERR\_PADATA\_TYPE\_NOSUPP | KDC has no support for PADATA type (pre-authentication data) | Smart card logon is being attempted and the proper certificate cannot be located. This problem can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller.
It can also happen when a domain controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates). | -| 0x17 | KDC\_ERR\_KEY\_EXPIRED | Password has expired—change password to reset | The user’s password has expired. | -| 0x18 | KDC\_ERR\_PREAUTH\_FAILED | Pre-authentication information was invalid | The wrong password was provided. | +| 0x00 | KDC\_ERR\_NONE | No error | +| 0x01 | KDC\_ERR\_NAME\_EXP | Client's entry in database has expired | +| 0x02 | KDC\_ERR\_SERVICE\_EXP | Server's entry in database has expired | +| 0x03 | KDC\_ERR\_BAD\_PVNO | Requested protocol version number not supported | +| 0x04 | KDC\_ERR\_C\_OLD\_MAST\_KVNO | Client's key encrypted in old master key | +| 0x05 | KDC\_ERR\_S\_OLD\_MAST\_KVNO | Server's key encrypted in old master key | +| 0x06 | KDC\_ERR\_C\_PRINCIPAL\_UNKNOWN | Client not found in Kerberos database | +| 0x07 | KDC\_ERR\_S\_PRINCIPAL\_UNKNOWN | Server not found in Kerberos database | +| 0x08 | KDC\_ERR\_PRINCIPAL\_NOT\_UNIQUE | Multiple principal entries in database | +| 0x09 | KDC\_ERR\_NULL\_KEY | The client or server has a null key | +| 0x0A | KDC\_ERR\_CANNOT\_POSTDATE | Ticket not eligible for postdating | +| 0x0B | KDC\_ERR\_NEVER\_VALID | Requested starttime is later than end time | +| 0x0C | KDC\_ERR\_POLICY | KDC policy rejects request | +| 0x0D | KDC\_ERR\_BADOPTION | KDC cannot accommodate requested option | +| 0x0E | KDC\_ERR\_ETYPE\_NOSUPP | KDC has no support for encryption type | +| 0x0F | KDC\_ERR\_SUMTYPE\_NOSUPP | KDC has no support for checksum type | +| 0x10 | KDC\_ERR\_PADATA\_TYPE\_NOSUPP | KDC has no support for PADATA type (pre-authentication data)|Smart card logon is being attempted and the proper certificate cannot be located. This problem can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller.
It can also happen when a domain controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates). +| 0x11 | KDC\_ERR\_TRTYPE\_NOSUPP | KDC has no support for transited type | +| 0x12 | KDC\_ERR\_CLIENT\_REVOKED | Clients credentials have been revoked | +| 0x13 | KDC\_ERR\_SERVICE\_REVOKED | Credentials for server have been revoked | +| 0x14 | KDC\_ERR\_TGT\_REVOKED | TGT has been revoked | +| 0x15 | KDC\_ERR\_CLIENT\_NOTYET | Client not yet valid; try again later | +| 0x16 | KDC\_ERR\_SERVICE\_NOTYET | Server not yet valid; try again later | +| 0x17 | KDC\_ERR\_KEY\_EXPIRED | Password has expired—change password to reset |The user’s password has expired. +| 0x18 | KDC\_ERR\_PREAUTH\_FAILED | Pre-authentication information was invalid |The wrong password was provided. +| 0x19 | KDC\_ERR\_PREAUTH\_REQUIRED | Additional pre-authentication required | +| 0x1A | KDC\_ERR\_SERVER\_NOMATCH | Requested server and ticket don't match | +| 0x1B | KDC\_ERR\_MUST\_USE\_USER2USER | Server principal valid for user2user only | +| 0x1C | KDC\_ERR\_PATH\_NOT\_ACCEPTED | KDC Policy rejects transited path | +| 0x1D | KDC\_ERR\_SVC\_UNAVAILABLE | A service is not available | +| 0x1F | KRB\_AP\_ERR\_BAD\_INTEGRITY | Integrity check on decrypted field failed | +| 0x20 | KRB\_AP\_ERR\_TKT\_EXPIRED | Ticket expired | +| 0x21 | KRB\_AP\_ERR\_TKT\_NYV | Ticket not yet valid | +| 0x22 | KRB\_AP\_ERR\_REPEAT | Request is a replay | +| 0x23 | KRB\_AP\_ERR\_NOT\_US | The ticket isn't for us | +| 0x24 | KRB\_AP\_ERR\_BADMATCH | Ticket and authenticator don't match | +| 0x25 | KRB\_AP\_ERR\_SKEW | Clock skew too great | +| 0x26 | KRB\_AP\_ERR\_BADADDR | Incorrect net address | +| 0x27 | KRB\_AP\_ERR\_BADVERSION | Protocol version mismatch | +| 0x28 | KRB\_AP\_ERR\_MSG\_TYPE | Invalid msg type | +| 0x29 | KRB\_AP\_ERR\_MODIFIED | Message stream modified | +| 0x2A | KRB\_AP\_ERR\_BADORDER | Message out of order | +| 0x2C | KRB\_AP\_ERR\_BADKEYVER | Specified version of key is not available | +| 0x2D | KRB\_AP\_ERR\_NOKEY | Service key not available | +| 0x2E | KRB\_AP\_ERR\_MUT\_FAIL | Mutual authentication failed | +| 0x2F | KRB\_AP\_ERR\_BADDIRECTION | Incorrect message direction | +| 0x30 | KRB\_AP\_ERR\_METHOD | Alternative authentication method required | +| 0x31 | KRB\_AP\_ERR\_BADSEQ | Incorrect sequence number in message | +| 0x32 | KRB\_AP\_ERR\_INAPP\_CKSUM | Inappropriate type of checksum in message | +| 0x33 | KRB\_AP\_PATH\_NOT\_ACCEPTED | Policy rejects transited path | +| 0x34 | KRB\_ERR\_RESPONSE\_TOO\_BIG | Response too big for UDP; retry with TCP | +| 0x3C | KRB\_ERR\_GENERIC | Generic error (description in e-text) | +| 0x3D | KRB\_ERR\_FIELD\_TOOLONG | Field is too long for this implementation | +| 0x3E | KDC\_ERROR\_CLIENT\_NOT\_TRUSTED | Reserved for PKINIT | +| 0x3F | KDC\_ERROR\_KDC\_NOT\_TRUSTED | Reserved for PKINIT | +| 0x40 | KDC\_ERROR\_INVALID\_SIG | Reserved for PKINIT | +| 0x41 | KDC\_ERR\_KEY\_TOO\_WEAK | Reserved for PKINIT | +| 0x42 | KDC\_ERR\_CERTIFICATE\_MISMATCH | Reserved for PKINIT | +| 0x43 | KRB\_AP\_ERR\_NO\_TGT | No TGT available to validate USER-TO-USER | +| 0x44 | KDC\_ERR\_WRONG\_REALM | Reserved for future use | +| 0x45 | KRB\_AP\_ERR\_USER\_TO\_USER\_REQUIRED | Ticket must be for USER-TO-USER | +| 0x46 | KDC\_ERR\_CANT\_VERIFY\_CERTIFICATE | Reserved for PKINIT | +| 0x47 | KDC\_ERR\_INVALID\_CERTIFICATE | Reserved for PKINIT | +| 0x48 | KDC\_ERR\_REVOKED\_CERTIFICATE | Reserved for PKINIT | +| 0x49 | KDC\_ERR\_REVOCATION\_STATUS\_UNKNOWN | Reserved for PKINIT | +| 0x4A | KDC\_ERR\_REVOCATION\_STATUS\_UNAVAILABLE | Reserved for PKINIT | +| 0x4B | KDC\_ERR\_CLIENT\_NAME\_MISMATCH | Reserved for PKINIT | +| 0x4C | KDC\_ERR\_KDC\_NAME\_MISMATCH | Reserved for PKINIT | - **Pre-Authentication Type** \[Type = UnicodeString\]: the code of [pre-Authentication](https://technet.microsoft.com/library/cc772815(v=ws.10).aspx) type that was used in TGT request. From a7e6af7ebe8ae09198fef13df68536867f3ec518 Mon Sep 17 00:00:00 2001 From: Thomas G Date: Wed, 17 Mar 2021 12:28:09 +0100 Subject: [PATCH 009/415] fix codes to lowercase --- .../threat-protection/auditing/event-4771.md | 66 +++++++++---------- 1 file changed, 33 insertions(+), 33 deletions(-) diff --git a/windows/security/threat-protection/auditing/event-4771.md b/windows/security/threat-protection/auditing/event-4771.md index 1da05686b7..8aba6b4428 100644 --- a/windows/security/threat-protection/auditing/event-4771.md +++ b/windows/security/threat-protection/auditing/event-4771.md @@ -170,22 +170,22 @@ The most common values: | Code | Code Name | Description | Possible causes | |------|--------------------------------|--------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 0x00 | KDC\_ERR\_NONE | No error | -| 0x01 | KDC\_ERR\_NAME\_EXP | Client's entry in database has expired | -| 0x02 | KDC\_ERR\_SERVICE\_EXP | Server's entry in database has expired | -| 0x03 | KDC\_ERR\_BAD\_PVNO | Requested protocol version number not supported | -| 0x04 | KDC\_ERR\_C\_OLD\_MAST\_KVNO | Client's key encrypted in old master key | -| 0x05 | KDC\_ERR\_S\_OLD\_MAST\_KVNO | Server's key encrypted in old master key | -| 0x06 | KDC\_ERR\_C\_PRINCIPAL\_UNKNOWN | Client not found in Kerberos database | -| 0x07 | KDC\_ERR\_S\_PRINCIPAL\_UNKNOWN | Server not found in Kerberos database | -| 0x08 | KDC\_ERR\_PRINCIPAL\_NOT\_UNIQUE | Multiple principal entries in database | -| 0x09 | KDC\_ERR\_NULL\_KEY | The client or server has a null key | -| 0x0A | KDC\_ERR\_CANNOT\_POSTDATE | Ticket not eligible for postdating | -| 0x0B | KDC\_ERR\_NEVER\_VALID | Requested starttime is later than end time | -| 0x0C | KDC\_ERR\_POLICY | KDC policy rejects request | -| 0x0D | KDC\_ERR\_BADOPTION | KDC cannot accommodate requested option | -| 0x0E | KDC\_ERR\_ETYPE\_NOSUPP | KDC has no support for encryption type | -| 0x0F | KDC\_ERR\_SUMTYPE\_NOSUPP | KDC has no support for checksum type | +| 0x0 | KDC\_ERR\_NONE | No error | +| 0x1 | KDC\_ERR\_NAME\_EXP | Client's entry in database has expired | +| 0x2 | KDC\_ERR\_SERVICE\_EXP | Server's entry in database has expired | +| 0x3 | KDC\_ERR\_BAD\_PVNO | Requested protocol version number not supported | +| 0x4 | KDC\_ERR\_C\_OLD\_MAST\_KVNO | Client's key encrypted in old master key | +| 0x5 | KDC\_ERR\_S\_OLD\_MAST\_KVNO | Server's key encrypted in old master key | +| 0x6 | KDC\_ERR\_C\_PRINCIPAL\_UNKNOWN | Client not found in Kerberos database | +| 0x7 | KDC\_ERR\_S\_PRINCIPAL\_UNKNOWN | Server not found in Kerberos database | +| 0x8 | KDC\_ERR\_PRINCIPAL\_NOT\_UNIQUE | Multiple principal entries in database | +| 0x9 | KDC\_ERR\_NULL\_KEY | The client or server has a null key | +| 0xa | KDC\_ERR\_CANNOT\_POSTDATE | Ticket not eligible for postdating | +| 0xb | KDC\_ERR\_NEVER\_VALID | Requested starttime is later than end time | +| 0xc | KDC\_ERR\_POLICY | KDC policy rejects request | +| 0xd | KDC\_ERR\_BADOPTION | KDC cannot accommodate requested option | +| 0xe | KDC\_ERR\_ETYPE\_NOSUPP | KDC has no support for encryption type | +| 0xf | KDC\_ERR\_SUMTYPE\_NOSUPP | KDC has no support for checksum type | | 0x10 | KDC\_ERR\_PADATA\_TYPE\_NOSUPP | KDC has no support for PADATA type (pre-authentication data)|Smart card logon is being attempted and the proper certificate cannot be located. This problem can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller.
It can also happen when a domain controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates). | 0x11 | KDC\_ERR\_TRTYPE\_NOSUPP | KDC has no support for transited type | | 0x12 | KDC\_ERR\_CLIENT\_REVOKED | Clients credentials have been revoked | @@ -196,11 +196,11 @@ The most common values: | 0x17 | KDC\_ERR\_KEY\_EXPIRED | Password has expired—change password to reset |The user’s password has expired. | 0x18 | KDC\_ERR\_PREAUTH\_FAILED | Pre-authentication information was invalid |The wrong password was provided. | 0x19 | KDC\_ERR\_PREAUTH\_REQUIRED | Additional pre-authentication required | -| 0x1A | KDC\_ERR\_SERVER\_NOMATCH | Requested server and ticket don't match | -| 0x1B | KDC\_ERR\_MUST\_USE\_USER2USER | Server principal valid for user2user only | -| 0x1C | KDC\_ERR\_PATH\_NOT\_ACCEPTED | KDC Policy rejects transited path | -| 0x1D | KDC\_ERR\_SVC\_UNAVAILABLE | A service is not available | -| 0x1F | KRB\_AP\_ERR\_BAD\_INTEGRITY | Integrity check on decrypted field failed | +| 0x1a | KDC\_ERR\_SERVER\_NOMATCH | Requested server and ticket don't match | +| 0x1b | KDC\_ERR\_MUST\_USE\_USER2USER | Server principal valid for user2user only | +| 0x1c | KDC\_ERR\_PATH\_NOT\_ACCEPTED | KDC Policy rejects transited path | +| 0x1d | KDC\_ERR\_SVC\_UNAVAILABLE | A service is not available | +| 0x1f | KRB\_AP\_ERR\_BAD\_INTEGRITY | Integrity check on decrypted field failed | | 0x20 | KRB\_AP\_ERR\_TKT\_EXPIRED | Ticket expired | | 0x21 | KRB\_AP\_ERR\_TKT\_NYV | Ticket not yet valid | | 0x22 | KRB\_AP\_ERR\_REPEAT | Request is a replay | @@ -211,20 +211,20 @@ The most common values: | 0x27 | KRB\_AP\_ERR\_BADVERSION | Protocol version mismatch | | 0x28 | KRB\_AP\_ERR\_MSG\_TYPE | Invalid msg type | | 0x29 | KRB\_AP\_ERR\_MODIFIED | Message stream modified | -| 0x2A | KRB\_AP\_ERR\_BADORDER | Message out of order | -| 0x2C | KRB\_AP\_ERR\_BADKEYVER | Specified version of key is not available | -| 0x2D | KRB\_AP\_ERR\_NOKEY | Service key not available | -| 0x2E | KRB\_AP\_ERR\_MUT\_FAIL | Mutual authentication failed | -| 0x2F | KRB\_AP\_ERR\_BADDIRECTION | Incorrect message direction | +| 0x2a | KRB\_AP\_ERR\_BADORDER | Message out of order | +| 0x2c | KRB\_AP\_ERR\_BADKEYVER | Specified version of key is not available | +| 0x2d | KRB\_AP\_ERR\_NOKEY | Service key not available | +| 0x2e | KRB\_AP\_ERR\_MUT\_FAIL | Mutual authentication failed | +| 0x2f | KRB\_AP\_ERR\_BADDIRECTION | Incorrect message direction | | 0x30 | KRB\_AP\_ERR\_METHOD | Alternative authentication method required | | 0x31 | KRB\_AP\_ERR\_BADSEQ | Incorrect sequence number in message | | 0x32 | KRB\_AP\_ERR\_INAPP\_CKSUM | Inappropriate type of checksum in message | | 0x33 | KRB\_AP\_PATH\_NOT\_ACCEPTED | Policy rejects transited path | | 0x34 | KRB\_ERR\_RESPONSE\_TOO\_BIG | Response too big for UDP; retry with TCP | -| 0x3C | KRB\_ERR\_GENERIC | Generic error (description in e-text) | -| 0x3D | KRB\_ERR\_FIELD\_TOOLONG | Field is too long for this implementation | -| 0x3E | KDC\_ERROR\_CLIENT\_NOT\_TRUSTED | Reserved for PKINIT | -| 0x3F | KDC\_ERROR\_KDC\_NOT\_TRUSTED | Reserved for PKINIT | +| 0x3c | KRB\_ERR\_GENERIC | Generic error (description in e-text) | +| 0x3d | KRB\_ERR\_FIELD\_TOOLONG | Field is too long for this implementation | +| 0x3e | KDC\_ERROR\_CLIENT\_NOT\_TRUSTED | Reserved for PKINIT | +| 0x3f | KDC\_ERROR\_KDC\_NOT\_TRUSTED | Reserved for PKINIT | | 0x40 | KDC\_ERROR\_INVALID\_SIG | Reserved for PKINIT | | 0x41 | KDC\_ERR\_KEY\_TOO\_WEAK | Reserved for PKINIT | | 0x42 | KDC\_ERR\_CERTIFICATE\_MISMATCH | Reserved for PKINIT | @@ -235,9 +235,9 @@ The most common values: | 0x47 | KDC\_ERR\_INVALID\_CERTIFICATE | Reserved for PKINIT | | 0x48 | KDC\_ERR\_REVOKED\_CERTIFICATE | Reserved for PKINIT | | 0x49 | KDC\_ERR\_REVOCATION\_STATUS\_UNKNOWN | Reserved for PKINIT | -| 0x4A | KDC\_ERR\_REVOCATION\_STATUS\_UNAVAILABLE | Reserved for PKINIT | -| 0x4B | KDC\_ERR\_CLIENT\_NAME\_MISMATCH | Reserved for PKINIT | -| 0x4C | KDC\_ERR\_KDC\_NAME\_MISMATCH | Reserved for PKINIT | +| 0x4a | KDC\_ERR\_REVOCATION\_STATUS\_UNAVAILABLE | Reserved for PKINIT | +| 0x4b | KDC\_ERR\_CLIENT\_NAME\_MISMATCH | Reserved for PKINIT | +| 0x4c | KDC\_ERR\_KDC\_NAME\_MISMATCH | Reserved for PKINIT | - **Pre-Authentication Type** \[Type = UnicodeString\]: the code of [pre-Authentication](https://technet.microsoft.com/library/cc772815(v=ws.10).aspx) type that was used in TGT request. From 07920ba872a88179aebf8d5458fcf08c71f1ed96 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Mon, 22 Mar 2021 12:16:50 +0530 Subject: [PATCH 010/415] updated --- .../mdm/configuration-service-provider-reference.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index d689057684..867a99d7d0 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -1375,7 +1375,7 @@ Additional lists: -[Language Pack Management CSP](language- pack-management-csp.md) +[LanguagePackManagement CSP](language- pack-management-csp.md)
@@ -1389,13 +1389,13 @@ Additional lists: - - + + + + - -
Mobile Enterprise
cross markcross markcross markcross mark cross markcheck markcheck mark check markcheck markcheck mark
From f3672663d6f118bb9e0f8b91c847e86a9529cd1c Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Mon, 22 Mar 2021 14:55:48 +0530 Subject: [PATCH 011/415] updated --- .../mdm/configuration-service-provider-reference.md | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 867a99d7d0..2f152af35b 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -1375,7 +1375,7 @@ Additional lists: -[LanguagePackManagement CSP](language- pack-management-csp.md) +[LanguagePackManagement CSP](language-pack-management-csp.md) @@ -1389,13 +1389,12 @@ Additional lists: - - - - - - + + + + +
Mobile Enterprise
cross markcross markcross markcheck mark check markcheck markcheck markcross markcheck markcheck markcross mark
From c3662db20df84dde7f7b89434c6161c10d7d1378 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Mon, 12 Apr 2021 22:01:26 +0500 Subject: [PATCH 012/415] Update deploy-a-windows-10-image-using-mdt.md --- .../deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md index ebe98a9061..02c7c46f5e 100644 --- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md +++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md @@ -50,7 +50,7 @@ On **DC01**: 2. Create the **MDT_JD** service account by running the following command from an elevated **Windows PowerShell prompt**: ```powershell - New-ADUser -Name MDT_JD -UserPrincipalName MDT_JD -path "OU=Service Accounts,OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM" -Description "MDT join domain account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true + New-ADUser -Name MDT_JD -UserPrincipalName MDT_JD@contoso.com -path "OU=Service Accounts,OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM" -Description "MDT join domain account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true ``` 3. Next, run the Set-OuPermissions script to apply permissions to the **MDT\_JD** service account, enabling it to manage computer accounts in the Contoso / Computers OU. Run the following commands from an elevated Windows PowerShell prompt: @@ -842,4 +842,4 @@ The partitions when deploying an UEFI-based machine. [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
-[Configure MDT settings](configure-mdt-settings.md)
\ No newline at end of file +[Configure MDT settings](configure-mdt-settings.md)
From 49cedb0a06c9837193c4f06b29c933de594434a2 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Tue, 13 Apr 2021 12:16:50 +0500 Subject: [PATCH 013/415] Device Health Monitoring Device health monitoring is also available in Windows 10 Pro version 1903 and later https://docs.microsoft.com/en-us/mem/analytics/troubleshoot#bkmk_2016281112 https://docs.microsoft.com/en-us/mem/intune/configuration/windows-health-monitoring Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/9339 --- .../mdm/policy-csp-devicehealthmonitoring.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md index 60d4832fae..35190895c9 100644 --- a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md +++ b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md @@ -51,7 +51,7 @@ manager: dansimp Pro - cross mark + check mark6 Business @@ -115,7 +115,7 @@ The following list shows the supported values: Pro - cross mark + check mark6 Business @@ -178,7 +178,7 @@ IT Pros do not need to set this policy. Instead, Microsoft Intune is expected to Pro - cross mark + check mark6 Business From ca3dc27a1b80d596826273116d3749b0d5851647 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Tue, 13 Apr 2021 12:21:46 +0500 Subject: [PATCH 014/415] IPv4 is not optional For WIP, IPv4 is not optional, but mandatory to be configured. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/9208 --- .../create-wip-policy-using-intune-azure.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index c10b2990b3..ca584f750a 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -507,8 +507,6 @@ contoso.internalproxy1.com;contoso.internalproxy2.com ### IPv4 ranges -Starting with Windows 10, version 1703, this field is optional. - Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries. Classless Inter-Domain Routing (CIDR) notation isn’t supported. From 333ab5ae96ccc53e7f0a1aed91e4f9b17ab0e13a Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Thu, 29 Apr 2021 00:06:31 +0500 Subject: [PATCH 015/415] addition of note The event Ids mentioned in this document don't apply to the windows server core edition. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/9429 --- .../event-id-explanations.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index b464707f61..369f4d7f3a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -26,6 +26,9 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind - Event IDs beginning with 80 appear in Applications and Services logs – Microsoft – Windows – AppLocker – MSI and Script +> [!Note] +> These event IDs are not applicable on Windows Server Core edition. + ## Microsoft Windows CodeIntegrity Operational log event IDs | Event ID | Explanation | From 45106d15403cb0e2cd96913da916fb61a11d089e Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Thu, 29 Apr 2021 17:50:40 +0500 Subject: [PATCH 016/415] Update windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../event-id-explanations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index 369f4d7f3a..423f952e38 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -26,7 +26,7 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind - Event IDs beginning with 80 appear in Applications and Services logs – Microsoft – Windows – AppLocker – MSI and Script -> [!Note] +> [!NOTE] > These event IDs are not applicable on Windows Server Core edition. ## Microsoft Windows CodeIntegrity Operational log event IDs From 826fe872bf33019548a281c472378d2dd0f9d689 Mon Sep 17 00:00:00 2001 From: Rittwika Rudra <33437129+RittwikaR@users.noreply.github.com> Date: Fri, 30 Apr 2021 13:46:12 -0700 Subject: [PATCH 017/415] Non administrator settings page update --- windows/deployment/update/fod-and-lang-packs.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/deployment/update/fod-and-lang-packs.md b/windows/deployment/update/fod-and-lang-packs.md index 1ae3f99648..193b4d95ad 100644 --- a/windows/deployment/update/fod-and-lang-packs.md +++ b/windows/deployment/update/fod-and-lang-packs.md @@ -18,6 +18,8 @@ ms.custom: seo-marvel-apr2020 > Applies to: Windows 10 +As of Windows 10 version 21H2, we are enabling non-Administrator user accounts to add both a display language and its corresponding language features. + As of Windows 10 version 1709, you can't use Windows Server Update Services (WSUS) to host [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) (FODs) locally. Starting with Windows 10 version 1803, language packs can no longer be hosted on WSUS. The **Specify settings for optional component installation and component repair** policy, located under `Computer Configuration\Administrative Templates\System` in the Group Policy Editor, can be used to specify alternate ways to acquire FOD packages, language packages, and content for corruption repair. However, it's important to note this policy only allows specifying one alternate location and behaves differently across OS versions. @@ -28,4 +30,4 @@ In Windows 10 version 1809 and beyond, changing the **Specify settings for optio For all OS versions, changing the **Specify settings for optional component installation and component repair** policy does not affect how OS updates are distributed. They continue to come from WSUS, Configuration Manager, or other sources as you have scheduled them, even while optional content is sourced from Windows Update or a network location. -Learn about other client management options, including using Group Policy and administrative templates, in [Manage clients in Windows 10](/windows/client-management/). \ No newline at end of file +Learn about other client management options, including using Group Policy and administrative templates, in [Manage clients in Windows 10](/windows/client-management/). From 03d3eeecd2f6ee5152ea73b87df4460b0733cab0 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Sun, 2 May 2021 23:47:44 +0530 Subject: [PATCH 018/415] Delete configmgr-assets.png --- windows/deployment/images/configmgr-assets.png | Bin 139547 -> 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 windows/deployment/images/configmgr-assets.png diff --git a/windows/deployment/images/configmgr-assets.png b/windows/deployment/images/configmgr-assets.png deleted file mode 100644 index ac315148c5f7fa276cb84521b26d1332adcb144c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 139547 zcmZs?byQnH*Ed=(6f5pfG^Mx{hqOS82MV;fmqH3jfDjzgqQ%`MMGB?3I}|Avthl=- zI0Pr$KF@pKb=UpY_s3at=B%^U?3ww^o-Mx}q770edBX7I&Ye3Xswzr4ckbNJzjNnq z0KubwU-}w9wEb)D!gZ7t?vxBNZU5^$uzjuh`p%v5D57i2hyVJ7jw*)mJ9j8t{`1^j z_{8dd=g#d9Ri)Q@?q)lt55F*vkK;32aRX3UMmP2cB%Ey-><>e$3<7J$5=QVrr`nAdW-DNp6zjM(fJkIsKP4>C`;O2nv?c;O!2;sLts7Kyr?vJb^DdkRqLGDPr zTf2KqlKEh7NAGJIVx|OjNSe51S#jSI9YrQ~!$;3qcb0tAL9 zc2F8B?|pu-+!0L1`k$Bb`%j;?=M?#`ad74h%YD_Meke!cwA^a;{rXP;=ijV|?$<2I z4>Y|GdqSSyt=SfKECAo|ZM|hTws?1awx^vzEO*?_=yg56_6fhX z?=zM4MKj}?23lYC3>!9|k_MAM3FInSdxn%^%k&5p(of}nPac=0sx_Bl_KcHQZKaN= zUZcG*(r13iH_?B%%`NlH4Rlp!+g^Wj z8(pPphW>sT91tMFzd-y{^r_=a(7^itF8_b`L54sLWIK==IH(;F-2-Lg*j@Qm)x{$x$LK4N3Y*u%$9|Fl*hC8i7Uyn^ZS4>{m-W+-vs6CY9lfB_pr!_=WNVC zyun0zyda+qQLtf2QM^RHO@1VIB=y(M^-?>qPP=1ag>c4YqMxKNXL5OpiRQfHeG$SR zY$+6G8vHVGx{m=h$*Hj{qD@_5+%T%>E%gO4juFza44dIg>hexKtoF%wdaW+ang0WH zOR=NIC?h^4tsbJlTxD5RZ##WwPR_veo@hNMv~f1I-iT@lffKQEyGp(;JD4q2K|^&Z zpeiu%lvM+m*8=*z3-xb_QFmJ#2N}keE`SGv!Wn1 zSds>V676~-S%Q0leNWH=c3>|U_=;K4w1yvzKmSAD2q$>F5!BS(EO}028HcNuD^Hkq zDDX`;goujAbWZ$eVRm`(Mm1LESullzO|M&%Rod5xgsGl&pRCQiF-LD#zsw(o4QnSg z`AJgVLk@>)A7;NlRSylE&O<|roKv{ZEDg+R)5DSullbBd2veR=o9}pgOSVzl{F9T$ z+Y0kf$l`~ait^q~=1)VEn2mW{@8mpJb?$~I7Ngq$`NlyDAF^_X7U z=t1s3iEp1Jlb;o74-{R-eK``K+|RRdHgQr9GdI&$t#9bI74EPS!tPjl_5S#i&7YZNvR9`HSYiw$N zrKjGv!p1q-9n6UTRS=ayf?OZ_r`(K*{-;e-;Ola$aA=yVi$Qn2c75Wh-*Gri=$ZIw zyCnT6qPQW-tjEqvnIa=Y%B5<3cqU$P^zy+(3ACf3nx9?MpxLwe956hepztDvoPzQ7 zoBF3C-UQ6d^9ly47C!%7ql~DJ?AufSQK|nnmQwdWO4WUTxg>qz`rLW#qRCF^+r=>r zJ4=DmXoFY~N$FpS`VV>^wkOQhxN9FxD?M1JPI%GgNR_2RRqhVR^g4REBjQ1KEmod~umB!x`R z>z#@x`cS~_yEyg@G3aSfwN0fE%5tQg`qjRfOUsU2BGgkYwnh+fn(pJu~c+ z{E0P#gMXdN-BgVz@Klq*=C(IM%$J*;_}8UKphe`IXCu(OrN4m9@Vr4e7q>#KN2&!=`Y;w*)rfBP0l z`3c*bS9&Sw^JP8XbXEHBdB8;Z*xkjR!AqfidiOKJ#_{nD>thS%)7+sv3q;H?w<+Gk zg|nzJP!o0G(I)2UH}0lxfqg*}i|29WZu5p*IMAIMH!rAMKvK4cT86MOEwis@`n&R{ zTJo16^>StFwy7Ha3l5AMkmD`tw0C+N`bPRL*1k0wPY72aLps{ZB&^PuSCQ4%P0+)j zx~Wki+^c3Wb0_tUCy45o7ScbKXdnD{Q@uLOrRH7Z{{t82_;PNuUucYbUqEZR6J?LfQz%JEp**W}Q6BDU^+2>4^l^C|?#%Q?qMRQQ1w5hgF zxx;^kEpIMfNw#>O=y~t;fX~-r8khY_GeYgEG#+gVNsetZ+W0HDWQ173+S?+tUFoM3 zE$Qd1-i_&X9b9*~sm$oUr)jG)r&#s*I_dhe z&@mq{E6-mV^MW`wX|5_n_@dURSA}$Cmo+>p>O4BR~S|0mBaI~sGoiAOPlc6oGR5ols!z&f@!$WkDKTzqf zbb@o7WTn>idT7{7SmC16Riv@z+Eb24h|*G{z#g3yVf4%{*FEP?{lWG*KBIbQ$fh`m^U0&qol zJf6l+5d>A<17oh5;PRikh(nZp3>M#%;j~QG(?3p6LpPCoRK=8es>n3p8}!B&HuP+> zE};fBW2k?0yfGmAsr4j169CN=_aY!8W*P<{ zfh}~3`8(`}eLYGqC13S@?^Gpz>`7|0pvtuCO7UuRW*fB3c~-2C>OlD(D#~8>S;?NS z$V|aehIOmkwdGf4qH}F=mI#X~@Ij?Gh(Y>pzNAMY>6CbjJ{jXABI#uAB+z9v7fS21 zF2?7%3$BKj$zwXTmTCYCoxg*~Q-d`XSJh`~97^P^8ayQN;$)x&#IssBf$hDv2F{IU zd_{CsK1qtxk!5Q5ZI7vh9i5j+d=!7!nk6<*?=dxDM-_zGqvM?zupuNOn;GC{^vvW4NvOt@-w6{sS z3><2)R;g5~^$;xrWin-#AS@8pa?*GQEyk{K^P>q@OS*hghl{FfkhBrmf)I$MCbP-Y zkpdLkbDcU-+^%dJq4;L(>H7iWcF`6IAk4F7kY80NV?7!1C*)bjv~+HU<$^cP(B$Bc zmYs}&j?HnoXW{l*4sMA1dz*{E3K^Wyu4?gM9c}?`+ z-n>ofw9HVGLA~Ubv1M~4f{>-|n7dYRzk1*I7nWtzmd11+!t^9c9Xpx!80M!9yqxyL z5PmT4@;RuncRJrANxqs-jHDXovR23~I7!3G8->~^=@VD0xhGbC;l zhrIF%JVO8L3`UXBigV|C1gCQ!+1W#srN;xcp9O?gFc7oo0QO#wefVHG_w#PDB=lL3 zc)U6tl$p|bCNtrjzB9*ZOm8ylR~|#XH_PJnO1{%HYe|PNAS0-2P)vH%@Zc;1W*+V! z5J;f&lQb{d-ZX-3oGs>AU(Rdh-#eXQr=iJPY&tv~0L>ttsAR{)XPRj>X)-?>*zYqx zHUTAzf%{;y4A^Sqq;=|$SgGYR2RamF%VX2trl zxtY^gG)Wgu4Y03N2>)Cf`($kUg90Rf&Ju1Hpw2nXypLWFjDl2B1kuO8o87<})5Qs{ ze#;nkoT4ty;)40c!B~6D9Pk)FC1**)MTGUz#8i#=O~cx=%BiR~APsmHnJ%jtjQHJg1U6%v-rn z^5PIo-L&H%iE$SU1*d2^Yz}kU^PmL-m(EhA1tTT#V#M^aN<&0mz7_p5FtD`EM1zfw zirkjR9(hefCe|50f_k1*R-|r>3NKtvuURkWay3KFesZb2$@w`j&B88wHWh5x6_xJ& zXs_vl)u7S2KwV)AiiQmlvh0`d^NkNp6hQOifsLkdkUq)NON${JE_qIN5c4|+4~OXj z!PTc49jC}3-05qt9qPn)qwo)6dINk_{@*yvxnmnwejwYk?}AboJM3HTl!-g_4tIKUiM20;8f2sck&nuU zGLCtDVQh>F`3*W$5n|>`YkFvh}cGTnk{v4r@M5FQIW-|7whnL`i*! zLOe^j8|`K>bk$CuEO+&usSYc2y}bz>3!&BL6)!The56KR^2oe3+d z%=|hbYW1-3_Q(A^(o>yGEYgjT<#wo5kF4?YkL_eb%@2??#PV zKh;BRy?3jpCHKQ@w`c?~f5zD{7LOfEp<`hie7DMm(pnulHRgE8$;Wt0& zPcA$lHOn7fJ&BSi zGR^X|n~8mlZHH#uEYN~PDPge&=~sRqdk5FW#dQ zFZgLCgB!k3XES@Vy0yNCzcH~b z_Z0M7qM!%ZnBBJGoYdO*D8z8xrypQm@{-|Et=eo5t4&Ro8l4PVPVZ5f$(%r+kVY`1 zTe^yJr3;Zq3Sl6dL&SAW5@shC>24?jgO(?LKZZ6x%4hcag7F-Nb|4tPFPucn8Y0E{ zG$*1??UjF$-P9HD6{4gKv7x)L*?B)`f7m9azCY=-Pc92DPju6iTS^PGE#U-zR2ViM zrSxXBT(zJ&S^%)E}A5@F4td`J7An)+8?Od7{f z#@Sp^SNlSf+!2EK6Kmhp{D3SO!q8&$s@4ssna461KKff%zb4X*+!=BHx0||}D9iE! zkQbV+yMs0<9;=~Ye!fGrb5+D)rd!t>zg}i+Fr73ln4F}U6tLMgTZ*X7ej!D%{Ne9@ zrq{2AcMkJ*7o2h>Rl;%`$f+tePtC^b5uz&SqWdyobBi$3sxYxl2ZkEz9hxbq13Ss- z6*0X*vo2-LmWmpuoG}FfZ;zBQT5{Dao_DV{pdcWJvtLlxTKy&$wDKF=QFa^uD6Zr>zF$>x11%y-yl#w= ze;2}szRDQN2)|wM&6)LeU_8~`b#soeK+0ITg#g+wtqfqycIJ)&77H5wALDp?!rjiH zBn`3s}$)wCE9{}-hO^NIKz}9mwqoAZrFP+g@$fCcg z^WMN&^Ox8Se(HP_q+ly~G3-A!KzA^+fYf`*RV$-jaFV}MEU?JQ_;g$1D$$e|?j5o^4w4V!kJCOx!d4z1$+t4059!?2fOC1rq zwBmf9E3!`V#{=zmm6?KV&5Q#W_dSV$H}fyg=XioK7GMBpXDRaJrR-53h3xf_)s6^) zEJF-FjPL0l{JpNf@V)TMoIEb@SdeDKeot0ZU|$H%jzgN?P?faY2+yBh4Wq+cxFVKJ zt%Fv-^n8t3FN@>O(3W(|DQ3C7MpHN3M8$pT^4Q~v+u$e_Xp6Y@Aa2D^2VU|`9$0oD zcvq`T-8uwsueIi#H6&yXKDUUJ0i8EVe$6%u3OKE2)NWutM#nwj;?v1AzdcddaT~Tw z9UQuKXU3l&vu=IVK>a0`o4;#1GXfG>0<2;B&6c?%F4`+E3Ii>0;o(h0lR4U(a3Z8(>KHl)kmoSaSCnK~9SjC!9Bwtviw z8wsHVtYjt8fEgWEG-6-P^L<^#nvAk6R?)UwCYe?!C`XSz%-m8y29onv+ z-(H+mZwcCLDn*MR@!mVlx69JxRf0^*VP^3MD%6h7%FHTFk&>70;}J*4K$GC1beCvQ zO%-YG5JhXlK_Qe`V+Ns>F*btoiMY7M0DxmP*}yCA*+|GA)n~nX`C5`sCFYL2~6UBKWtZyTkLaepqi6j>7xt$p{Q;n;moWuBPo17m8Zwt>K zx4IQ{)H z7v3mqL2d9S@ol;zTAxqUjmVYsZBr?Xc6 zmhgHp3R!rAn_X zgQA9|SZL^mR92((;iHw-n`gVrUGjfSIEQozeYt>q~F#h<+SCs&w< zz_!Zc$(1Tm`M_i3xh{Wq$tc-an*QAT*F}acO2<_z|4paJ%RXnzpVI;O+sl7Bod9t* z#)*iobru^xTBNC}d6`{QLGSbH^TA>o2PMzI~m2`DzR#g1Q7b8pudG= zn72TLex}#G9PZt`HL8LK>`btPbhVjS*2ks5>uoK%+HPOTy)n`98s2Z1yB)$FFe&+U zho-|7%1;$58a0EhYx>e2YXL`bo4(9Mi|MPRX0AE~FcWGohM>;QkB%F!yjRVA151%- z>|FLHJl1p|JOZb}&BoM8m?~W#EejU$0gdsy5G2ql0HnA z$G#dRWk+3%)Vds5hY+=S8_c~(yR;ubZF^&g7KdAY#=ZO-;}eRj>6Wk5lSt*`m<^>| zZM?GZk(N4|)L4%S)=tv>X$XK3exJT=DX(CXOn~dp@Et1Z%Om1SA@s*!s*J zY?`l}A)DLAqkN(-;BP_@o`0f{-<5(cD>QC`h(}MV=QE_s{>2AQPg(so?_3S9BO6`= zVt4Y3uJ%o?d3W>s(>6%~r3FZ{Ig>w}AzV0l>jO@iIBaW- z7%r~a$!VbAg(%!qMXaX_j#pF7oW{~#NnJ4x@q4Yl)pJ5vNygT^%Xyn3rv9e=h+e&< z>rnP0(!}lO{Zd9T!=$rCczywld_@L$PWVWiF57LcU?XpGhFX1$@0WVH$ZhNGwthoI zc~(|iF8^+O+8vW(Gr(rr?&irPo~PZOeSW|0aNh{2o6q|FCf<3i7d0Z^m8Lz0vbe3C zRB0X*X1*|#$&zqX6H@OPyQ@pYYxiIX?AIBAQ@5PoX&CyNy0K)LQ#E(m1U!i5K)gwJ zO{2x>Ff;jVZHB_lrdO@Ci@gcGd0YEOdQyxlA<2hz)6_fAn49R-Jm~f+p|#y(@mBZ|F|#G~=eKK& z;O)qJgK^!Dr9Nj8A2XbC_egxi7D+0p>b5Wd zRRC@N3O>4QryeFk9s*Q{=Dw^{r{OMFDz)s8n|qJ_WImjDa_3Dj!iYVfPYxT}<(r`6 zIwbr5qhY*-D(^mKB0{Y2-d8eK&v)#lvegxFk4~@YTT1BYR2@IxQuVU3Sj2yOGh04+ zA}@JC*+?KYKp?d{Y+G~G)AJkk##UK|{qVUN>bNG?l%uy#Lzph6EsWQJoPH{xzh|k- z)>t``DNul|W8p4}_e~fL|BKXT{~QbjfK$4I5FcT%g3D$(s3=4KKv{{*?@;QSvpqjR zJ2g0<9BfC2Pj5^4p5b2<8VBq!IAIjic>IBaIZeJ+%L!-O%A@GQ)zdy6=3lB29sg8P z)#=CrP?pXq63&%>pP@fD8sG1KSobh?J>SvlZIRP;^CeGsZQKL_^NG37A$>*}{GNJt zp^YQvOBp3sOS~dlWZD76QN_YU%pz9zJ(v(&;d!mU4s zm^95#5r5jOfgIg}$~m(mj)A3r2`l>6+RisN<;{NT0=zq-AH@ZI!)QN$G*Kjm_;pYR zAIW+7=kkc4Fp`^)NFQNXJ42eyItmEMG85-(ldiT*1_FGbp7&~~S1TgzDENTr9#t8D zi>MoYKuTPAS?1Q@`7M63T8)oR3jhD3>K2oiI^u%DO2vnf@(We!>Wk$As)Vv>lZcn_#PP|J$ zqz{HzUeVupWR{rJ>vTjv&u~8RJ)e(SXNt8a?*-cQrd0}ip4g3QF~=%gO@-)|d0#k> z_hQB=9Wrztw_|Lv@w_OLVjHir;-8FHq&Sbg^4k{|t1q|_>!7Ef-Za-~CU0WHL+&5` z8S*w6t-yh^Jf(sYIgiu7_gd$5*b@va-mcx-MY}RSx4gbkxVbEq05?#ba!f4m-ZmNa z3d5A%xi?>**5_lo43q!H|k5O9HtGX=kEvp6a~;(TV}^6+LCx1JLW>V{fB zwz{nIowD^t&UZCBZ_DKIfn>I;!#9JsAf^1C{IN%Nh8af`&Epr5_Xv+^!b}=#-nutq zHUE?9TkVKscmCxcO-#_VfR5cVo5j_WRK_CzX zC1u(eT|pP=P2%6u!%{2EJx!L9^vl1Kjx-GTBwy>>8Aeo7F;NxJ27Vl9@OZ2~ppKVh zd&aYRY!>Xj#yQ{B2T@DEGwnEL3%95h!#(n?95(hP#r&93QGPwb#%Th^cPF$?I6HAg z@J6}VO6CpJrO!lG`&#I=1^*Vt)2p7RUtWNOEzq53$qbrH(_ z`5whHqRO^~_>PSsYkUELB;kguYz^b6b+gamwffvaN08d0Tl?t)2~!wLc^lk;XPKI=hSjbhZc*DEBR zdtZvkO}_HgV!QWbC6UwMBy#C;dx&RoIL3P5b1gh`mQl0@xK+=I9kB~w(sPAq$BKmbS{fWzw%3SmfMYd;7FQ^377ZjKy^bxC1C23olXmz zmfOdZBqxZIGUe$IJ)W@hG?C&e+N&vX-^Gypz+p-3N3#kbZ`(KPKOB3$lH>b2fgipv z#%!Fc@Ym$#5gAJn!uFU^-m@uB_1++3;N0c)fn4oM+cdAK)yycaJv%=EI`7H5`2=?} zV))OGyq(K7wylpiy(U8b@~A}W)DZyrP!1>9n7M5Zq~+g4$OzIw zb=Pa_RPoWwSDXWtB6PVsrZgDCdkA9Uv-ulX0>epq@cMjRC2KJyxakl(j1yGL2mePez znq=Rqk5dmDU}Zaaud6RXtM^N~5)=Cz3nO7xc9TYTw$JI@{isDGSKqRFBIj~l1k~(W4xP6jlFRdmR&sKFWmRB#9_Q#y8acfC z0YnF~AcUndtrce!#(4jYgvKPGVgZNQt@?uP%uCD?LF-SL4v*kk+e*J%jxbn!HKv5KfD=v=8H4ag`AGmTLqE(A`#d;W%tpK zjNe#3(1yL_rLkv0Hi1-VkQ57DmIl7k!N$_l2hvh;?Bz|a4}-xmOf7QzhynjKT|#1% zS6**arMfi3hwEa{HF=3|B&aY^P)8z2?&{cl6jG3Webf~Ky$b)vvfN$+E{Tpch)b{g z_~vq@;t$Mv>t}i19EjzO&)>LKTU;|GI zjU3+v&JQdiTMH6}%Ro)%q;q1lP2C4s*#NqlT zLE?b}($*dCAfqh^T^z4n4%HTHAU9*T%aR~y`Yxa`sT(Etbx$J+*Tdg&YNJ16D+?Ct z{|m@0xdGM6!x_s@9#TUO954M%*-Xpl95VD*ICpz9(1WjEALHq+iupWhuuK8Dw3md zEN&h;By#LTXm-CYA+d00EYK%`*W0}D)i-J+h+)Bn&mB~@z~>;@wJDlzr0gKGd7XtX zGG`o|csM)4!poKbe*-i626f=T{J>Qas)Ta$7w|r*HETWSr^MKIIIE>J2cGLX8LF#teb^NWI$yO_ML;&tH3$;(gxwohd9gmWAghY3Zi`a61zE% z`C513`U{TvP}+@&tpyi0x+vr65F2!2{rbkso|2szWjlk?nv!NuaI>1nbI$3V+XY7W ze;HJ(9S@Vzoy&$p3W+=K(nn)4S6085j8as(gxvLr{kt9rS?JNh7tMk;%}fLJH@OZ+ z=03;*Yst^#o9<*8JoFOVA5 zdvg>Btmb6eYyC&alJkDw-S@cK*L_x<@@U!Ln-ptdOX(6MIC?*z{44waWJ1Mi2CqJiHm`q%(sJ2cL58jK}=c;qq5!o36@a$aayrJj>~>3bJ;&a z!6^5d8VU1f3P&0%ef+}?iya_YG*?tWEvno*U?RBA-X|0)HZK&Jf%EO}1{UHj+eM=a zWdh?spgh$VLzi><)iCEmKAg4O%^7JW#hJ|smzpS6wu3;QVcTdHUGSbtR{vU0sxd~ zDi3iSuEH0*oyg6%vSH|W`PbQfweijg8OB&cH{ey61EQ5V|rOrk(zan-opL0Ztw ziq57m;Y8X~&wu_UXW8vxilN^mgr(G^Lc12HBWMh(g4_0SZ6Z}Qv7fHe9!60wl&r=_ zakm}%BL?P$&2LV6G2I7an`FS77O8#N<#}uJ2}ah0vYT)TvN=Xmkw`nU$p1H+PZs*= zG${Q@z?;qobH!#v%4bmbs9^X7r=mJ}A@=v&L$uRk&avY$a-mDptu-iZ&*QGd^_2%( z{`$YGnSfw>_1R2@3VRBOJw{`RqdPqSyI;qcgghRVT>o8gKIKd4I1*k?H{KeH{$#hS zw%ogE-X@6jyc;>=b`K=yE$Ds5Yr9%vOVhy1KQ9vVO!BGoaK1sdl0?RNUv9wtlrzJp z*rE6Fia^i2*k;8uxxcLsaIHAm%d zm8WgaQq%%S7kmPI7yKzH^V(F)nVW{r`;!n>okP6QLP9Km69&N-q*8d|n*-o+6)HjU zpeJf&X;n*NC|iXNV|C1zN(HxCf69LIH@*#pd!_x@IBE>B5Ldx5e!+5dAB>>uipiwn08;+-ACqP~`Pici2%*0i{}q^3Pr% z57GSD{Qff^N-k_bcTv=k&#{6JrPyLTx_HW4R1l>(2cNLy4v+sj3#xDLlW%WnPkZDB zY*o22P=Tww* zlR1o6Y<_NX*m@1CO}%t}(oahhQ}lwz!bhqM@jF4=7ds`HDzAPpP|=?Rd$5sKx!=6| zD53)|>rr|WZ*X+IQl6-<(egXuqy0o~+hr3+X)))sQ@Cb8F;QZK;M$6~#RhJbs3p|g z>_Tgx1B*QRTPfC@&syKj)geB#s&$oHGU0qB2n#C5za%@fW++-Tzuxvt_vqIkfiHD-*V?a8+HG*7uW_I2H=2NXa%WldEYQ$2Sy&)(uX(*xMhNrVv zIYp!*;)0&$^mPl>;DGMQyL)`nM;r9mK=3<(%LNI?KPcE(lVL4YOA!{knf?pnxb4;& z4l{R5QU5+oX1Dn=sW7iQ1MjgaprCL*%bKRusEzX4Z_s2FweU!8q4pxByi^b+_uUAI zLLOXLwAd~Un?7!o(WEnjVbr7y022|g!*vpx8Z>rDu7oo|VsmQn$IbXZx8M=^%|}x$ zidj4bf8rKt()kBfz8d(S?o;KZy~h2)q12Z|x4u?VF4qJbhnKuze;1OKZIwAL&k7Yp zP*lz_uNM2{3G)4)0USQtzcJ#r;GuV@NFk`$Cisl;d!d`J@fP%`_gnPbcVbDK^}F$5 zF8S!El(ic2U&1*lC`2?~$HIj)){yzVDma{ZpiI=`D?O=@>3YesgT zzGI8oZoxMZSaRa{KEUnoE@sVC!qh*IXaEjAwRzxDdofLYe`9;VKaR|+|DfR|zd;j8 z@OM-_BZ`TPoyYcP-Rk8u3Z`S5hvz*jbz; z4>EezU^rE5CC+4taKe>&$~^F2x03&yBsmraHrP_~msa;~fKx{s10amri#Pe=OPE;} z#hc%3Ml{Xu+9B?dB~a6zsO1Y~37P4`#6U1cT(j3-u&W-kNVfe^AD7^sT9OMJ&1=+L zY!2HeIL>JW4R?Mtoz>#4gK&VI{|wa#VwFh_D+|4dwf>&Q_Ok63i5mL`*|5x*bN-__ z`r&KRQ)zH+EAM{#2PIXI7r~9W{Vu^~;w(rFT}(3|i)scQs>sY(q!KYo2|Ki2P z`xX)%6cEMYdq_*UNA zJNh;IjHvkD@oac3r`s!1uBis5bo3yot4qyc?WkoKuKQV1Ugq`C2%p@V3w6cUDz(uD zXu{s$2bT~fbl>}rZ&f~UujvJG(05XTOCq_oX-X9gix_OEJ=n56h*<}z?~uL{IcEm| zbm{*7Wcxwx)c?^&<+Q(XZCXLATfM3^lG?n{7rRuiU~>HBp8a%Sy?I>DLYoAION#lEE^Rd>fXpf&0IA zG)FPYio3G8sTztS*%?sji{mwPg;0~+L>Z|V5TpSyy7oA(0!u>QY)e~?t)Y_5siYk*V|2NX+$yViRkJ?2tMyGhFjYiB*94yYD3~gf$9C-$;jvt{NZ}j;&eYBZ!VC zJGp-``fHnY)Z2fmrrsW{qWmm>Qu5y;LA%J}f5j!`_ONycX_i76(!o;MmQ2%32Fy)m zV6b6^IKTl9or%ok{N$Mv3@mN^T^PqADhJRCss(!;KXWe%(E5j3)mVd<=2)$dN6y7n zn{{7&#aX-FOCFwgt+4v+@?GN+l~20Dx#((;<^5Dp<4s%5I%l81u+ok_uc7BJXh$n0 zhUe-)SEEB-d%|+fs@CY|z*tZ%%lN&S!5R;WUztoK-% z0JCoJ#D+87`4>nJy$W6CCqi7E+Jf4XL*ktFY6V9wYof3YBqq(W2fYPRw-3+PT&yLN zax%jIZ{r?P!1qJbow+rdSvW79*&-gw* z3pXHUzk5aOWBVV-0AbZ_@td_X|CP38TP+9DTt6w%-#XpJ0Kld$LbXnUM5*oStVZ6fn%tk>~* zR2*sYRvn#V7{<2sP?0Nd?sIQ~|H9HlW1Ke_`OJVc)a@Tt%aALeov7j17ANpo_bU$I zK|QsHn`zE3C_HxjzmpDI5L=97e+Xm)?Wl-Y)4NXZ1b=dPiDp* zKHB|*l7__RjTdr8y6Kd7K)Kb>yVX)toN zYwl;8{Y!-H625)NO6$bi@fs=g<>D{E`7>kvCm9AZs!d6o#C_xVqM5d6U1 zl$5o}dDhwFFZbr_X)$UnhnPRW=C)}z|1>=r^Msc$Lw(|3p;y;dNpf&Sgi@pd5`^9J z6Uy&=M1g>^+M-k|)tdy&drYa4_RPigP)7Dp4BTF*cE$P4e93U?m#(s57hGv{ORa2) zS%5TcWHD%=u4J6B5XZ5?wH==ClPHm|)>mEsd<6Yf3*>Vx_#2SVn6u_w8&_6N!C2oU zcrq8y5IF=It`t)zlQNAm`N>#sAyJXi6g?u#zWno>(4dLlBf?lT)xBk^*xo9FR+|@V zI-IuI z`Bow?AM!L&+_5GK%-F*jK*_n#X3Mxmaxblzd)%L8U&m#3ZzkwoL@Bb1FVsA?iij~! z;&z~|al7{pabcQbXjqj|$P zHfi>ZnJmx#4-o|oV`3Q|Dml5uznZzcF{>zx-FySa|M-5Jh|zws(J1u~S9*XO_{w1^ z?Tv|pNfrA^o+3EI0on`^aA1tPbChadOLuHk2pg-G5J>lin8|Iw3x)hew`1}V0@|js zmkuN~!DeZJ#r>buajUyO`QI!||7xBuBYBUhRVJHKqA*UnbR90B;!@rF!lYJ~z_oZ7 z3V9^{!HOg4EHE=o=YQ+Om7L{c zY0}>&^y_dw(}HwfZ^Ph{Wa->*mi$epWE?dG*Wnm)m`oXo!G1AKzsMH?k!pMQy-?Q) zeNa))DNz{=P$DH>}zuu-rD+~ zMN{}LPfA}KCq32emB|s-Xz`wS$r6Qm23euj_FntVlV81s1V~lSs7&N=z5=t1wGnw4 zENu*aqLe<+l6$TLx`3%M_v3@ z-cD*aD0cie>heDY_5X;Jkzdq7j53Pu2Z#FQ7T~a_swLqJ6e^#sGRcUyMSm_kDydS0 z6jetLr(1xKrmqoOcc?=YYsJ5VrbuSKm-EOQeoG*!zU{ls1g{_ zabpVX4c~440 zV+{CCQhBF#)03vi;Vwj&rvlv{kC@zczw*KoU#2klf(;~`U~dn_v3Txg0y%E}{8Lm` z4zge=+Y1`swxBGLOJs*8E!|?^4RS}JAIm3~&|z;g&h6c)sGFLib8&IoJ1x%cO{v{y zuy6nal{Ns8<;kno4!fl}788-&U-zG^oBUmuo@O{8Y?O(n!~e^d{eRaOg9o0Rq4(5o zetR$uTboBo49-k1GPSxj`YFWGNuA%8brg$NA8^)kj;;@lVWa_QU=e=*z^-?Kiovwg z`5=L<(mJ|iX81*#gYP&(xtW>*C_*qq12C#OouvQ(xrU?d+_TZ&!Ok64_=s;-l@SGa z@P&BLRgBuY6I%Vcy~5}nS@i2gR}^P^v?@Y+;FZsg#GH0+kH3#=g2USrC5k-;xT?Si z9}UWf@~;P3cg66$aTHzG)3>$7!}SV8p8}oNV%_>0pkt*-8!uZn*BbI;m7BW?L-2wU$h#F_nP8h2Ls2t#7>l%Dhni)&nJe8pv14|@c-Sr` z3I{p^dGmLLBd^gW)(~ftWeJox4cC=w$7!4hvwJ;W@(!atxQn|xab{AR0{XIrx-<>+f5H1-KQ1(42NQY} zknJ)jp%_`p(>EpB=7LQ6B!r+0Kzq2wN^^F&qMUl|d5$qhuqVqB3f z&AHlpF2(T@4F9SSB#9|?RG`e5fI}*?4)ka{;deUn?zMN0r zmu(3dgx@?j_b_nxF2ng^rn{*{ix7Mj-Y%GwX(Bi<1 zyFodGP31f?Hh_WDn+4ZX4KM;2loMX+IH1cuCdCrY7c+`xDk+?ONP{dJ@2C=q&mtQg zX*^Q;#%x+@UnKc!Pm|G3Oy&)Ip8~Vzy_JFQZX0?Ir^6BE6jS}EvWWOUQV?p1cfUle zAFG9C3<64GL?R#|rvWsfdljRew6;~%Y$Fl95kg7BFO_?Mm73gSSrH%>L6ekGc0EzK z4QtOT%#vs}m!46oc#U*Y&ZJIP!UT2XpzTnDBwa{v#F8y@R#mA=Pl1o{(GtxqCxGk^>c)e_|ydWfW2rGN&XXqcfBRo>5CN2^}dY<2g;V#sg)M zu;SYJYKub^b=^+tA|biwPFzBYvcdwxat*6y6OEky(l4zjVK!C`}%Wj=tRl}LmC zzf*Mn4=h*wZz?jhh>TZ5)xjT>9W9V$(TtlJ4#q-3EQp58^eedpo4{}71lxtwDoRiW zqMld~57!~1#>2)Y-GZ3vn~3cRi$*%K1d(UzA)9VkQEOIqt&=$&6FjI^TNDE>vTqaO zG(;>>nbsXo&Wvj2L1&b~?{FGT9Vi=C?oTHzp>Hj^(xkb#`hTk3!5z;ZRaII?%x8@pW{nJ|v{7LyVdStso*z)uFu`Urv zO>(S?kY&xU&i^jQ${-$7nnJf$V7L;bkiA?U{?BUv+vR-;lboUTCb*|2BJQ=vAaz4A zWS5I8@v(}=N9zyLRfs7;F=#m!#k`MFtN*u*=4c))vus0|v>}r6U6N9N&P2a#Ael8T zr;hGIsuJxD^@^&zuVCEIrEn8Pd8u;^@A*e~%&)zJU$44@|9=hewT-%w=s1OcYwk}f zA2pX8m7t-#{e4s?AQiQ#fh!+^gw-d`B=$p#u&}Cq<#Z}hNQwkSj0Su0SZ#e>%kflH zeYfJtuM9t94A`N1132CKr0F3+%vx4PTMh8y32_ zd$6hkfwA&RWslBjq!|2bVHFRVW8|O_MK#5;f^KH!hzZl#^1=epgC^XJv2`|WZKW=ah6c5k#MUyYs67e#Zhm8F3Uc@m^&3uet)v(ao>`fTjHqtG zf=zDDrA`$U>4P9e2qTBi@Z`4FQ^$Cmr&j~QK?svr?v0x(TOPs`B!mEC8e-4l17`JQ z0VX6ZI+G-&2TfWii)Cd}vy1^HD$ydy0js2*#REzGIf7sgAFs#8J3ZgA-JUnyg zzdDXA@0;fCfAD`Vo3lad<%1t{5%hT-9Wsv|ccbL9vs=+=Y1obN6>2If21^y1a|njI zsiY~zRpDimjz~5l1etdf1vFO0mX}2dK?0y68qlfakF z?Q4O{(B79@d%K^-;3XT|DEd(f0@K8wY{@{zghY`mg|eUy0U)V&G6~CE~=)9F{KVz z7H0-~Uw5jH4IV4JPHKW~GNh|sl?U-GN;PQ8Dy(oe(Xc-@XOu(TWBxP8Y8^}vG$l|2 z=kGHRJ5Mtji^M~>;;5+z1*6W{j}ko)C&EN0!esY#E>A>}(t#@#%3Khg(HYVLXj7tj zsmw%3a79Vs|2J+jyi`a2Bf$Z#+R2!De1Zs zlN3scNy;qJ5nU;^p&=`WRCvv!)>rUE-;Hr-t#RE>INRq`5{IqvHI`6R3&=n*g)ucF zhV%=iNLrC*NzNA-x~lh4gR>FswhXFEX2!BBn;{OYR*9Y6mpvR)6}C8f)5}(AffSTH zCb;G*yFqlD5+ag%l4Oz+n)*Cum?&ZaW|m$or)(x8NIFiVq-SEFadS1#iJCVbJBkvr z7~R}GImw6acjs{PI~NZMc%i&sfx9~T0dbiUIAQ-;d~$$~8s2>s#fCX~75qZT0KM57 z5Fbhh6KNDltlpk^XbzgN9_&*L+HAXzD4h|3tLiMt-dE2>)FH$fXP_$R9+ZOc;B$?_Y=d&+U>=*zk~L1cNXL zDH@pQA!@8h8tn)O4;H{iu>fjYW!g5XB@m*^)Xz!vjk1h=0WkNVuB;9QEitj}Ut-?C zlHEU5#@m;sH3=1{93;~;#;PNb4VPz$#a5oUNMCq&m0203U0KKh?WuE6;($ymPBRs^ ziR>~yytlI_PJa!43LUhmv^4D5*%^y1ib&ghQ~{_Bsr&Qawd*?lxbWV~`t}EUvaVa| zTbxPV#^mHAouY27Q4rD%6C4g3+?N(P?MV<4519S&P@Kkh9{mx+|Iu*-q7&_rK5c*wjDtT`zS(UzV$w%ZQ%N=dI*yK4bg$-RpYC zWxwQn+6MgEn%DseEFmG6zKx@^Si)LN<&BGC!-vX_HxR!0xaH}R@~~`nqKnMG0$6n- zOOR?9g{z8Ng1B7Wh*XOYRXzwdEVF|y9xcuoy4q-dWOk}yLL0~ma5UE=*%ZfPfIH4| z%>l|r_+caR-sorChAB_hG4@Mw^yRvg)&IP&8Fnk2Pm0*7MbphpWLiU01IYyp>%fz8 zHX71kMi0xxxOKgR4#SxnmWkdyE@YpHx^o^S9iH2D{Dj2wNdbn1W@{!cHls3Vk;-}TmFFxT-8U2ipZ*`mW*n0Y0`Pj{LSp{;ZA_Jagja=IezF6DK$ zK+o(jK}a`{#67Pa)Sw`uF32qOA<<1kGg=@`?~M4^TtphhLYv#*29s-|Z4d(;%^UU zGM?AObind;;A@cviX`HNstpLGzWQaqqiz;M5!S-T%@-Zgej5=6v)A%!CDWgg^#N zaSj5}ul|WjzBvWCEdmR~ked@LfOhMCNtBC8L^R7F3rIBtWX8b&lF@|7sF55eG%8ST zEl9`m(5eQA4nw7I&yWzL-UV=xN13r{l$mLU0Y`|V1V1y00H}0CyDI!|)|w^S8ZMx^ zxL@Hjkq)qRk-e=Ip?DFz#&rlY=^R(kgT`L|IyP1n&8Xj*DHW_^PCWZ|4h*5o1)wV^ zs9bcgRiQjX*L@{H0J7|SR~c*f_kJgt+)W@mS+k2Y(z0&9HE!jY-r!_^awSr6RUwgO z9j#ZqkjA;$I^lI~M7J$FS`iKk<0%fK=ijf_U6t=7_iGdBVMX=iI#KEKIlm))3jcq5 z9%J+V)TFTkHYD`DqgZ8thku5QQQ`^bfC^MTG9ZSe1b^2N2viybB<{ALOmT!2BPsrF zXE~G5fwD>sM^YgzLkkTFYJr)hK~g5C4e_zsnvf5pyl;5Z@I!Wl4flgWU`!1208+;h zeb9s*I;NaJ|J{IOO{E8Goec!TJXlt0{wFpGci7%sYG zz`nL%QF2r>$O*|6swQS|eKm)PKYD3mK{cqsk4B-Y%E2zFR1MtTFL z=We=ex;)N1Rl@rvd8OAe!jwPBI_9%}LF*6}!x_*0SGUtzWhb(CQM-KUOZV3GGv?t} zuoCvr|H6M2>iv1k`<~hCDiG(Y1O6~EKNi6S3Jc|JXi+6~0JKu5Ou30}-7B~TXJ+=d z6l(zn4F57gg^Sd2KGggV6Y@R+N#1vo$DeIv9UxZZ`w0t`QNkE_#{3ivD9$AX3Xz2~z6f1BW1$-S z>=?MtBJ+c{&`?oA>MKw$_w*>=@4HEm#(kmq`x5o2n6x!FzTdlKLZZ6CWgC2?22rQL z9IPac)hje(YQ7oyOri!S!xqn7PgKLt8fb5UVtnPb@PlTo&XeX!kL5c_G8=Vv_FHGK z92~=qZl3 z|9&Rbs#MR3%e#>{J#Dr8Zvi2=^Wl9xPSEms)$;l@>@b8?Oqf2&AzTYLPEtIzQ>d&- zDtdI;NGIqDVIO@cX2EVhz349wv`pg|nH#}sALKw-w z!W$BPdTI&)fl9YyCrp$Q5}pd z8Ce`1j>gm6oPdX;ICzC0j`PgRk|Tba)rbUx4%O=j9m`$>>jc!sg-btnI#q#H^ zhF~);zz;bN{QGW4^$35|>2r)7s`mIIPIH-TFMgRM-xm-59zED?ymXwaPM+=(w5so(LiI<^Qk8yw`x`C6*Mk2XC0+Um*W>>1yM zXCisg2Njejln_J|PYGKRj8_mP$Kc=l!6l_E5FfBO6) zcri4(9a`F`oX7r5JJ?=q>|)5E{(>5T)~0cio40fHKk&Jb0l#X! z?tbljTEju)eIbO1WX%5b_t_O43#ude zd6fi+xqWW zua{Hgdm+kPT7+Eo(v`5tw-Tg|pxg&B6gmZb_|7;4;4LW(TM)k2ri~9ho72j7irI*h zUd#4A+N4H_;5CJ(_c~X5HyR2|5#I>K6wLIOU$(G)oX?TvVUvmTI)AtkW%%5*TWqZf z`1mGH9)kqD=+LH+dDAnTs|DU*j^mPRt}HNhGr;_xb?Er2D|L-H-crkd_;&1W;rz0T z|L?p;M1r3u%*F8V@EQ+O+$k)cC`_pp`=r7la0a}-W_@@=;ShYBE&*lMyZQhhN-yjl zQe-?1Q&5kGo79eM7+96(E=qjt4T_p%!_fYjy<9W7@-r0wo~4ncN7cjZS6k(Z*8FR! z6mqc%npE>K_I^myP70DTgdM(+Bsx$m-Y;DlD8qIsXYk{d=7(neWLkp6DS5MYd=I!# zk?cTLB15Xn*n%%b#g{GiwKm#&B3Uz3+_BZuWKi5O0;R}49SyrlQ1AtX;e4oR%*mT) zv;sxmc?x_0AI@Zvzki`Mh?_zj>sGq{^2dnOdf4P8*q6L+rT4bqn{Q_7ejFDwaK|&> zuLJ#@btW`g7@^~d=mgrTA|0%n553UxIY}K*m7@2ra~IFu`Ow4O;28FQ+dvF|@2gJw z?q|Ngd%b_J|BG=6xU&1rGz4&xdV?Vj#Tq{#fc#R#{M5x7!8^U^HsT1(lbl-V?1fup zIba+%7v(iz_?^!}ZW5XeWXx_yjx)gof#ix}rN|V~BLLX@I9{BsNOuEaUEm3nokW?t zCPGFnp5Csm4{L@eUtZ`$b9=pt?kqC8=vO<5f_5bI0IWTn7-uXXaKStf+2jW@FgCFb z6s9F{rf{a^90#o5gf>CJ3mq6o4oj5ANtJ(2pLWYm*-fElUaN=WA(01OHW76HB1gf^H< zOkv$3xS;qCy>y39c4oP`x#blW{tHgS5(yuI!m)!SX#=< z%M<#y1;4J!ln51Q?L*AE5l*RCe>L5?#Vwzg0kJc2~h=Q zV7sT|OO~h7tjL#Age46qF@;H(&Xt4@KFYC=_qKYu6Zv~|z(KcKBqgRs2yh7pP?tLH zuyJC}oKZB@25ZMuVm(OTH<#JoMc13vza~GyDWxHvO448t%U8XzZ|Swc9Qr~SNMt*y zfX}ZupMl4Poy7W+lYq(DYW~W+tb`IZQu-wMoWq}!Gqi+!!YIpWq(Z-Tnbrmix?Es^ zT|*!1XeC_{Q$VaX(t9}ST08*=qAO?e{@xoR=F_&dE5!WL2K>nsxQSZU+%nlMD?ys^ zsKFg+lG-eem3t25<<7>>upKkG{fmYUdTL>RtOmpP&LdeXVzf8fAf zaA?@S+X^hOIh`xis5SaoR$h)Ark-0wR1|OV+dbVFZhY#mC|LlY(8e9K)DX$ua1TK+ zj4LgN_2mPHTiv_ODc+Hrn}}yOcqFTgr|+$st%d?cQ^u?ss=&}2Zq71z+cqJDyqo@* z;@>Ie@YxW@OMb?fpjhEfOG~RUo5XHtY&0B+1)R(m$DnXNv9Ckebjy(C1FKtGv8dIn z7WlXvb_5m{7cEn^YG_@hZK6M{m#b9&K_cRJXuefzHA+1aFc|b8EPn<9F@iF-J~n&y^GEMP%l*R9F_2(4R zxwr?c{POVMx6|2;dE=E|7M9U!RT>TxAVFDz28Yxlo6nSjLB14oHT{{!ZqpOMejL#e zRyeLE!P$q&X!Hw#=fnUG6k*9k8Sezp(rY}>I_o<*`k)SG-|_a}dRT$du2SctNu0p> zM$~JAJ&w^86=CNCGoELx$m+p@t!y|DkE4*J6I1%{j^lUr?uz-drG$&Sbf+^271W{` zB@aSHpJm${2tAFkY#eJ(l)bxXJM&`>L#3p$wpVVygt7~ytz^4)EZttpSr$q#AqlV1 zbK3Y#?HIsWx}6dGjr}*EV=4Q6HiDo&xwJHcLzC08KD218#%-~Fgl)_J;;wNdm?{oh zjR-r|S!@gkhO{6PWrWoSKh97Y8TRYW){aNeX5*j% z3!UGuNeVjxLx{JNL~3Y5byVIK?iK|K;83x%hpg4{&kL*^1}cSTo9pPOQe9T%h)X*7 zI=^^%%ryoT`63^xqWIG*7v{A#B?%G~3HRpw`f}kh?Vz(VY~9hFvREmavf*0~ol$(~ z@=HiEFyoe*W2e%;Y=6N2^x-se;Y;}yX!t^1CngwsNswetS#T`*2P~s*9s0)9(3TsA zyt@)vS-%St`dH0LKHIs&*m%}x9jHf=^8#HV4 zztBprWh+Eq-N_ zLazf&C>-Q~3Phr*qX}>Wa-7<6S$KM{tr#P}bGynyUX+m|LnuUsPx#RA!BRI=9*^Z` zh+KB))DxYEX#hU7^wOLdXBTTK8pUH7xatF7wyq77lZHPCOUtWE@88&h@T1xn@=rlU zG1vL1EzVBDR&CfRCAxLMLag>8rRpvdVWP15Z`L2Ck9+jHg>~jwfGaG{2?mcD^XXiKbO>_FyYc^r=mtYQmo5$uGggT_-cKDyF zJUZ`oJm>*N0|B`6^ulea<4Zfaov&#PnV0k=)vZ5KzV-V2{PL0#uG>=#(fvkp{_UO< zU-o_Ubd}(h?#lDMnmZ~-%W18+36afagir}@);9DI?J)HIueo6=gPA1HAx}IbF#b+O zJw0|&juc3OYPN1K=YFV=7f12-cujs>_C8@SN4#bGxDd&E9Suh?h$O`9ex~wwYa^ngLEZnu~s-J10jtQ zDXjSbJ2`Y;9P(4G$}%2zJ2NIr4Id|{g*MJ}bR>>gk-i{Gq_VN`r)(>kOHkSjx=sAN z*l&MelQe^Nv;>erF7$hy+LZ7n!#x~wXU=do$M!L&fB+il!YN=y| zu@dg%9;qgTD!_s%V_$|2GYYaNyzWtFPwg8}?0oq(LEzDlUGWkpF@tBSHIP#&{r&tz zX1DnGkkL|T`rx5l{}tuKX;IaR{~%V_v3cT>y+S`GUY-xyeZvvM%4%Dm-RUWv6^y>~ zC2y_!wbFjSj^I<|l8HK7Jt5=nAQtx5^#&(cbQa6hx1+pf=SG%| zq8v+(;yl!-Kw9!2vl=2~-b|KiMq@wu_~yT&2nny>osk+xYU6Nn{p%J=AI!tXi$X!`aWj{UH{vDMusv4W`I<0OAB(9lC$1uh)RkcbyuY8-!5+0Vs%RLCmlj^V_UR| zhWp69>*t1tW^Z@O*3TFRf!U1 z#{|*^KI=Hzma7E+?)aZ@?^;V~&~|x?69TM825@9PAxz5=gtRk{(YT5jE3 zd_Dr@rZNisC40TR^^xh zGhu#2Ngh~RG1&FvcHD*#FHG)*t_K@^5=Re@+=!5tn9H^ziNkr>H(M%wHgEk#b@e@S z?6)nSr89*-q>6110-8LCm7=i6-m8_Q@Y!)?0gO< zjMV^{!XnWb>=DTG@mT%-92v!Kdgu!Z$5?wjmr>}QMZpk?SZgf(k zn{BS=HC~TaGASH_=f3~EIH#(`lr7M-@~v6nris_hSSW2UtgFXVa=9oE6Su!Uz{bk0 zjL)K{#*cr0t$89YW#u~GBA6_Et|$+ZE1i7cE3VL=Qp|*=Fd_^-dog*O$%LFHHx%EV zgMpE8_i5Wg%5_+ciM|TjdJ$fLT(n*)O6PBeT`!8Uai05aBE(6ol|5%mk4(ujdHSZj z2)M1?Z}##X4}Hupk6%annh61z<5`?)j@mL2R8Bc_*tVWVu;l(QmmLHSTg5Qn{PPeZ z{X6m$*SU?Wc8$UJr7<0YJ|Hy5tMN6xlhkIB-0Dw6z6U6?$u;>+e4m@|ty^*;VD5Df z0so%T{c-F&EaMG*d~S9@^WHoM3rG;=+SLeZPBtHrzS29q)okD8kUVGigCfCfjrSoc zG+KqOA%^o3L&eL17Gx@LG92MLhbls?ByVcNwa4EKX1QUJ6QGqC=A)XI!zwO^jGfi< z+C6E-qEkb+->;}tp2GkGrQGy+O+F3Igv&e}Ipw0e=>3fyF*~#K5qcTAu@YvNO$@0r zmfj&GNhyw-+M7UoeNTEba)=z#dB}gn$OBXmIn-#vWw)wuWj1|5*&GP_CSjJArd{bn+$hm>(T0y3W)Dgvu1S7vZ8UwBMAYnFY)Ib3(Tjbv`FCHT}6T)#k50C6j|ouWurw$5XK5hk9#es4~ZI;*rbG)eTWOc z6p`Tev`s-({jP;iOeN(g*u@%{i4p^#x$esi_wcm~@q^(yj+BC}MJ&?e{-ft9vXa*3 z+TH$D_MsEjkGQo>TAWZOAkyr%1fHLw$_|U6?}xX>zr8!~vSajVon*W*^BYr1-``Z1 zQYBe@wy_Gj*MhSMu2Mke$cc54GgYJT=FxkJSbGW4zlrTYSvQ60gl<9ob49Y$T!zaA zz3qN81t~2UBdZIw`1;NlchMnlzkR>=e5)@AR#9I)#u^xUFKzXz179~6&57J(n_b3q z(Ww117*6iA%+j4GT8FBv{GbC1IlO3KD~zo)kk9qIE;0_QQ^KjTTyvc|Z^T}`&G@eD zG|v)B&me|=WV{@YvWfl_&*X=MmaL-QjVMHzO9c9c?32z#tJB9wAHfy|z2q4;c;p7Gay zaFlR1pR31y6uU{@mO{gi)~^OA;jG(fP)a6?2@7xXeAaV25a;pdb#0?|{6GT>kNx`t z_q)Tw^JN65{X}nUFkoHvGixU6s>j({PsCG`bm$o?*niePdb-_Ma$bt3`@)pPt+H1z zA7NnS_uzno_Dx;vd_?tW%##_nUQJbovqHJ-$El}{PCIw|ZF2U4(bxQ`)6>0a^$%#% z!$Ug8$AE#yUx4D~?wAoubq{&YN0#IiJGv(fr#JcRjE`yI;6{`Y(E&a23(sETeUtZ# z+oFPByg|D;qXdG=>T3skwoft#K?>>P9`eRarUA z>6gW%kPZtbj*rS~Vg>NplhDa4idX}I~*m;Xw;@kjZ*nRE+^j<>NeQ=ADay`B~= z>7kzfzp66g1{_91_h_n5dI8?#3EL159GFw6-2aP0&hNJW=jhU zP4q)`tK9>6tLg@`*6M_{FEAOLH(D7pH{fMKBQTkwvPHO=VNT#4sDe}6u5rkHMf8GWq>DO4Kx#Gy z;2NJmP)hF`A(eIi2%?Rk7?)xRTa*G#w1FsZfRpd!u$4(Lo^XE;tmDE*_E3u?q`_QP zJ;U#%DoocNx)s|`-`Z(Gal?1Pzay;qSiN_IS=U~;f#$M(@b>!A+*@tJ2`5KBa8Nj) z5!$kasDem-dM}y~Fcexl&%^qBnq=4cruf@GVNQF~`!d|sK}VdjY3SDKAcx?YW_ePp zGf0D;9V<9IWUA{qAA{ zi+IM3Nwgj3$#w6WrX(JvXs&iT41XG&jHs!xiI$e3{az?($ZxKzH7}*w0^{n>wE%fu zSpBnxr|Vlay|-@jGn4I6??bcr=Gk;UfAd{*HUs{p?D>r2HCPZ2kI}9xG3Dja5X*2j z*|_O=)5Y%J*%rgVqDh{n@(*z3WxlrGFU-IAPTFUd5N~U&9a2h6zRsUAxc9 zs97r>?}u7<0G>D&V4kK-F0b<2X!CtL`t>w~TxZ0ecL_FpIX;AR zSoDLmW~*>iL);me>h@SE60T|EetUK`I6B(Qx8K6o^rsj+W~d=NJSLM72L!xrPfu^) z%|N{T2_Czh=wdTDDJYg%Q|^IA>0F(7buIj=pyiO6BIbahq5|&pNejF_@huh0#57>g zrxJmLoa>e`o}kT^hM+)S{>`2y<0k}%X1o{N*K|a1$#|kW*qi|Ht~v|J|z^4%BQ4M#$?!7O-dDs zamOIwV>UmZk$aBvUtT}0ydocYaEHB9qmKq<%+#KDqQqh7d!y_>@nibmII*zulj*); zr5bcc+FYp~+||d8(};DoBY%&}ktp-U=Sss*lyo8{yJp1-6uSyg-#+bobe|sV#@F$; z#<%ZRod$P!q&{qMv*We%qKx9s(ujty%(Q@3Ia~Kt-bn0e)V3v;{w5+qtL`~$rNHqa z5bc+gVzszC-B>o@DgNpp=f9`{Xivm%oQ7> zG9w8W;jxbbggImSSgm06ay0^Mm?>`)(Q=vy1F668CKvSOm@6O`f`? z+L7?l=BK3O)Z`9^O4+facd5Qw8msy%BM|Q0q1dU5R7|OIg8h|SkMYwY>n60$Un}A* zi&et-`;@MUv84E04SX=Q3di~x`6|v=G#NxG1a?@m(n=7Gebr#A6}GUZrp|>TOO^Ft zXen`!q{+=|d(7bdIQ}`~l{XPWi_w_5OzWWcVDO;^y0d*V#k;o?SFWoW24hj~5hkcn@?*SxBWGTW1Z9)tI^fpqVWzbSu?YIPr4as&UcM$uz3Z=^wtZS-x+U4Ng6%&*J!AP}_Xh?|P3PDDgJAM4n7@wP%UF0MzN`v)`IQ3)wX%5ihQFy*TO*f<+l?Rw^3 z?Q=cKv@a>btCyT)NBLIqRnO-%TAx4|fU7$JPN5G4D zGKLonHCf=KbGqnaoUk&$Rzqhayf|vy_OBMA@-x+)m9w6cZQ!`-hb% zgaH6Rv44#WCRhoa$t)e}7uIwf`tXJ1)Bz}{PFiaI;bT+_%S#55()gFzZzM!sPqz&9REhVJ3G-{4i9zJt~jJq-%XDO?)mSV z_HlrD)BTZbk3v_5ir48G7Ya1lQwmhk22X9mWWqZfaUC1r0t71OK_fX~Pl79AVgIoa zhbfH~i`=r+zi8X0gnHbBtqm4t^gW_{`5I`mhf4k%dziqL%Wd za5hOuYs50T8C_ywMUH6gZ)qL1lbC|)8d`J+<-n38;%%pEbAHgzHEgG`3n` z_INj`2=;-Q77O{GO$v}Ys3C`OH9Fez68&P(rGA~LGSk$`%5ILfMMkW-SE}7{ZsM}$ z0`$R@D0R;Md%T>XoUUzyK>>yJaSaX=g|EGW-e_rRD74K7*CB0ZT zoHS6z#4FI?WRs3Kv|<(4L>ZBMz7J>0D1|jP{wmZ>1A%}QS^GC?$aLBd&(H5rop*S< zSI9v%ewx6!{Vc7~+J%}vtTee`^;kwa=n_*dq_H}>Dhnv+3t^3OL)IT04KJnTId86O zLA&LpeI(@Snuc*t;x%U}4cs}_e<3qG>;6b3Ux;e+G>oZ~R2o~HlPS2FV3yT3^Om_e zLc6r*drUd%?MNZ-MOv5MveYL#HiJ@ri*(GUq#ev~b&j1#yB@cLS#ZDWxlLKIXUfuf zFo}7!Ew!<*iED~qvauC4m!{^TFhX2p&%dsKKk+lDWx-txI#(NVIFYw=oiDjwm;WoG z?Jcgjre}%C1-Jb%<-X8$Zr6T#e@k0Q>-FAP{TmC-RPpPM5n4K#PSJgDM;Kuc%RIBv z(8BL)3X)YeyFK01C!P8)*){!-vE_sA+WG5^X+O0uJI*iA$XZRpm*`vc^_hhCRK&e6 zcz68bx9i}co!<8Q(DKcab{|@rHpA~ek%^4P>|h*bH=3!}i(^dHe{!6U`&9&ofB8F* zK0B}Z8d0-9`!E)#yfS%A!|gJUZ@>6Ad`NtsP@L&xJo2lGNP7Og2uGK^BRCN+c;s9` zj^$tb2AB9Fri};YdmL==#+7Gsju{tal%$w&dCu8{CIAZ zd7gLXOAwOtb>%F6=O@&@g6m1q9c?--e9e%ZDnes&v=U|xE0dwn;%=W=TMDmh8Z0@{ z3Ot=BBUGU~U?D-p_%OLqbNp3Pq%n~B!NOV|pu5Y_B|lJpZWi%=5fM?xDYx;bV(Dl0 z;Ne)1j2_Sg!el369Qc@U+MZMAOv-eam@z3BjGLJf;=E~5jqQ(`*8$AVbq zQakwEt;p3NhFn|~csp{`hBjX=Bx>1=$ul-|y-%lyR&-`R@8rk#Q<^4NI0Z?tX3RT0 z@eerKhT{_VJ=g*%_|r)qF;JkTbkEfF3v};@ykMj`ETMpXjw1Ps9;dCZEyum;ip&Ny zPrNS{7j4H~C+mLSAP_EM0D*4?%a-lCImFSuA0a+JqVQNfY_HCtq_KVGDVp8tug?=y zFS6#929vr=s!PY!!rz&n`lk2W`$!6f+ok;TMWXFY0pdb(1tknnv6m+-r`FrP(PX*K~U{~+tTtd=-JFI}TDnS-XR|2^lu9>hj)4zMf%G3S*&pLnT z;ksc|9i8uEy&Mu3rKc_$3l>N?!kXD}TjoY2ujl3YD^cM#K`FMRtIVUbv5&F{_3OyIys~4b)ec z=B*XhQg2t(_K#8dyBV+#cNa!CR+yUJE$KMFLr2bKm&b;QiaZ#>LM+g$u&=A%h1(0u zM&p%M#`6xA#VM7Zr58PL`}<+OWTgF*YU|~S!5YKz43v~g{GiyXe6$2Wz_YC93+^y-`s1LzqpXHYtSCsA)sV&n$* zF*4Oi5W~~^;-^@!mI-`cc8Qva0A3s)Z|Yrh{Sr+F@NnBU1ed_|v~1RZs1S zy&v*7K70DpvJ#o6dDlgRmF2wcPk#)nby0ayq}JB|2lLXE#w~pkw(;>SIxuh zN(E8yl6l?yy-V&c8gSiRhppNEfXp$J5RU7n=N8LAjtcaYfOOP*aM3XS_Iixzgq&Ll z?y_FMfo}b)0wN2naSS{}p9sJi1sro&#(N%Dt$_3Eyq*pvNC1bZ6y-tfC4T0i2$Y9E zYiXbxyZfs`nQCxHt(d749bJ_8HO@}bO1c2oX{{(ecB3S)X5ElLxP>O%Af;d-KPG7- zRJGE)wma+Ht?J=otsM&S(63Us3qDl@WFI~0C@KJf1XAu&p^CLZal-By6_TSiVVFoz zB_aqTBC%D&f`#^!BII!4$}<-+``TA~sPdfPoUi%w-|WV^`Zjk)OVrq?bRKRq|y zA~n{B-2OiR*gz-0bKEm*$juS^pKxtr(Y`05cf`4^+LBWa=GizBJQrmG8Oml6mi95^ zG%Ms(G-Dfy@J51?Q{l6G9%c3FW~^GoAV=TxrH}Wi9V4sm2x3#aru=8%2Adv_2!N9LHViP(q3HoqnXSGFg6{=$OKT4 zl<}clx~7oTu4otuxkQkl((K}OA{CTtYz&{67{f(Vvlu3XvpzZmQ~T_VgF;8)(C9HZ zI&>lq%^iya5=USc%s^$gq*InaS)>(5O+EC!JM=TN(iRzo@Yr=Kd_u!dmtX+vO{P!5Vxt^;&@6C@Svc0WczXRIR(xT6pa;1wZk5 zt-Ve4Z=F3`^S1qxBG>h)JNFXp*D^tZo-ZHuKoGZ<0T z;BnpfM^d`7eI>4Y{W^4Ix;#D`|9BnZ**2yBWUOvkWv)xx@H_kL({b9VC!nEWfXoAc z*VnY5VZvm5?Wn1!t%_nrYXD1HfCDc4mup6yvDur>m%j2B;wk63O8y>v=mGb* zG`u~2b@rKLb}@`3L7HkKg_7H?H5rNt5uipZ(Z5>iu`Y z4==KT3U;r0o`@lG~9gCjc(ct7QBtW{`D%g z*Yv4TKW{xaVNqvBGJ9y8vG&W3i4BMXV~0 z>${5lvv!4ZVBDRb*aI@j4#*^g!iAx|Nc zTuitXk$0zMA|i1^G9e5jhR*gZG8KKXwrMe1n^&W|xdmyNwCBFB2Vm4YrCyS|@bHQZd0E31@MY$A5B;1(}^#wZ}B-Y^IwAOr_| z1ELK22TmT2GQKp4OhxK6C6l|3SOi@%K(!9&kB8>2LX8YS5e`C zKmWc6Uz+hZjIEuj6If3A>?)*vhSKV%{lkH^dreO8?J@0qn`ys({nSqKX@vxU&x)qo z(@HkEQW}b<(V6Si?@f}R2E~oxxavw$s>HNQ2y=&wQxY$e2&1hjjkweo{YWO5x6R)R z>%KKo1Rjdeoy5TkL1IkdThk98S&2pSUd9EBnsLmydYrRIA1r9kU_o;PzrN&Oxaj*= z;o=|sMdgwo{uMv@@s;@LPbh!J&whFpe*QDcU+{~c|5ekr5RDw0z*-%h-V-4?Ew505 zsw=25A*M18@f)*|P*k^XvOc1jIHpe74Fh%?fD4}dH12-upFO9yorQ#S@Q}esB~xh1 zHKJL5`dn!b&zE|IE2flSGKhFSj)}FqXnJ`Wr`ZSRHP16`oixI<__piD&JFrPA?C@v zOZC}OQT+!GMz^FHT)Ecmf3`1DSL@c>^QB&t`di&?U8L5o)x3rb8M0mUx3aFQ5q;vd zC=ZqQ=wB+U+E(HE*RDr*x_cu(sd4wm_88xHG=kF4?wNPbMq#%^9)0X7{QVy{;_Zb? z@xn{9v9@kJ&N*Z%Ix=~D9 zJf`yaqmN?d%>7Il!V_L0=J$VaA&xx!P!0dj>#r+brR+sM_qlWNPBe~7$i#K?`JZrxr zDPq=736HWx=*|6u16u-Ka7|;1P1?bhpTfmCvLUG=t>WeFP592Es}Zd1FVYVwnK-6G zGFb6Jys|L*Ja#{B{p3fGl*5j2mu^GlYG0Tu;!?lb${eJWlsa%GR>l-p*Tc2!Am~uz z*jZju_aoWy0!4y4R|{y$j#|ec1mvkzfnGVG&(jsgvy{?lyhmRE3S~37SUB1 zZsX%QLrDv{r9`{%(1R_=R2+sOdrd)Gdpqjt>xF<;p}nOMsayc5ED0^2UE+H#Wzx@= zMXZpC`22@3W54||Xy`CK@A(1`o{yU>skbP-26Ni8CzMu&Cm8$4dw~u4P7Dl2Q1zGo z*nh^}TDO#3RN6#Ll7GJZh@_LB4Iv4wMg%KU@3_QNKPeI@H#Z6d?AsNboXI7L1gJHa z)CnX%u+J5%mP|t3T7~!wiH^n-ue^Xohp*PSI~}ZcX%|j_`ON6SzkUQ?KjTpBIt+T( zex4Ar7hYSBHLYb>wQLc_jT(ko`_v-40rnQaeP|}~_p^nkVYewqBOcxj&(6OL)1zO&-c@@miKJM<#rkwjRZcZ60{tu)R>u!7;94%IOCs>;x~uvjl=e7z{yW9MQuEfzfT{n*I+MLCtf{l8I4{4yT|+n z`Q?{ij$@BG76S(jL?vIwvIWTUS%j^`VKh7sFEe}aAc-bD{% z+JId!s&><#9l7Z7iyWK5;HtqmW9k_)ohiKBj{37aR(Sl#q9?JkV;Md_;|orxEyF{P zJc*ZHcnP~tpN_x$>CYHDZVXo5I5nJ&4C2dlVO6y6I1c?MxhWz${#M!@u-K<(A^AKVOOR z@-m#k?a4mg6PPQ51ux_@^q;yI!*N%uW4Fid!6w8Q_P{teM=HvGD7*yc<$@)S+``B$ zjg)9KfU>@Elvl=)?C3;}+m9uTGi1v|nomed*nnIF#Uq0{l*=S19jwRt&K9g_YQ#IM z*P^34g}2{afceWepuCJ*DS5$>gd{KC{pZx*ExU*@T+KaVZT|yc`K8cyz|j>tUAtx} z%`YdDos85l2a=c&&Z_b%3`#fg1BXI5&BTCaAQwV58A8jzk$7tE5^#58nWQiCAVj5o z!(uAE(mufYv-#09c^Ms4Gl6T_fncuozcJP3=;#<5i4%OYVA3={6R}uW2V6PTuBbJX z7WXchy~V^kEyrfUXjV?8zPJi4=LIqnP9`yWLnbKhnG}-UozgDl5+)~;FKLr(0-bG5 zNF_QEm2~?^zwcKa$AG$ORLaFR#~TK*3Y{=CHMi;ofeYfgda6IG<;G$x@=p(3qu{JU zy&b#pc1>?UxBZ>pdxf&B)RmJRCrERWFX{J7-|U?2%EIIvEbD$7%SF~E-c(}BXH0t{ zrd;V`I_=VK>l5u*+trGut|qMMXu-jb zuD*E?R&?~2em4NIngK%iM`6MIAK}OW-^1xMzNF89ZrC79*U6t^?P~Jp zxR?5QK{q>*=5>q2lLI2%`Og>2@hyGXASyF;n7Z$tn2#6m{bxUkHSNot)V4o5Iy!VaImu~v$h-u} zwh>J$JmyL%i7AgsdUyk?Bin(oeaD)1$(X)0d+lu9?#noq=-M<|gRQ#a$ZhG&ds|`k z=kuTh^PmK(tv@8$E-{^U8wtF}ijXy12@^ zm3Z;lr|_}UK8A@C$Kvu|{{mn7$`^6YK~r$ulM7|64&kS#AB2jC%!xTD3qsC}UFWUu zBV2k3x5Xai9KHWQ^2}}HTSH8_rTACB{5cLh=n%)n$9nfgwHQYoFFIPscv+2%LK1|1JZJ#NXY~t%NI8>j$9}xysH$+b5bZ5 zx)8UK3OTKwj&z_N8-$#8%H%y4D@Xl+!7@ot;ohfS!p%2bi}vI~m z?8PuHZkP|aXdzvKT9~xSuqU1((lDlWLI}zPJQm5Ls-g-5Q%%U%)X1bz{%eIIcTf^gsVp7ap3tor4}l ze+;)7BLAFtCZ5d3t5~2{1$@k!aebK+R0(HD8lS?2Wgf)|v$t&9~UZJ1)AUWmK zj(X{;w(7&9f*6=1^DD7AI`#;rr+zjDe>^IM6UGU@Bc&|oZ1)mywUpNr5>Ap$k_^6q zm)m#wTy>7w>-tmmSc zl2f@31X>WT45PhyJmqzjOGhsaXMmf5LRJ4WavATUR9-ns;#sz+h3F#B@ z_}%N!mCRx7hE`XX9`*B})U7l;C%zgave_Ms;H~Rtm19wf>_OYfF5>vW$<-5?HX?LY>tN}wShq=$1u4!E(*O8^#4=pkE zg1a)<51D7t_d>T)to|9#jUv^3+B8(`w;#%8&P4gFS*Y1>UsTW92eo_8K+RtJqHdpA zs5@{L1|4w-8je03!;U!;!;d`*Bai~`wusM~dt)(^|aawXTS z*>3t%QW<_m5Qqdhj;eKwWTg<)>x7_o$-L9+&Xdd9YvR>1U)}VI_@-pc=+XH14cFuH z%PzweKlw3!e(5E6@`fw%>;revxF<9R=;n5^Xs_gx*K{7w<)>m&ws+G;SKo9)z|2j z^Pa-^vSY-#592xU#L*ZGVBL%}?XH{a`0gVAT`5?K-PA5&VQjvqQz1-3R2wC1 zF588qOd1l>K3&qX32{ryfRU8RLsuwM!t$6C)^^>|K@kAyi{ahw4Dd~?Kh{TD0++kpNs_3IS@tlz3Q~(J%H_B_v zkZx{7v@D3I%*VOn6O{7;I#5eH%5gZ57sAR(92Z`Nkaes@Yik?gWo244P8PVGUsoR- zy}Z3oY-@N}6YO=5 z{hf8eEroC9>M*xnCStXDj3hx9-QydY(KnI7P$BD$Z+7Cj=hh+Ayg}-w3F+>3L{pr! z3CUym#7st7fy!>IS(A{y7C_(H3=SLkRUA3^8yM5DC!+nMx+=rxKe=M#C0||?UyC;u z3wzA^Wm+r?S2jsLS@#sKP}L8p5Yi@Ps~Dg+93pc43blohZILmin=5e{1QPsqvxLtE z^ivlkr%Z<{yd<^V-K)^rxK=0C%u8}E(#L*QhUiJhQn7wsh!6j{@cPs4?MK#&I^Xxw z65Km`4I10J@Wa2~fhp-qeD$C)+P=I~7~@NXM4}NsugPcK3pyCk?i{Nj|Kv}v4LcF6 z=SV0b*Eb=jfv}89{3^E)HyMZ8Gi_*0uf>McIy4J0ZA|E5L^6l^ zUHan6ITzun756!*Za?r@Q|ice;j_!EQ?KxP!SkQjhE~y!H>%9d0n?Uy)a{|^(2dua z`K#yY+k2TNUp!O_ex8Zx(Vuy5E7-qP|5ig332xu@!dnj8{}@NNRy)G;&I)hdSh3em z8;6o@?KJv3H|(|*A?Xhp>8xBm-CEcc)ULF7=994XK{GDrOy1cYu{HSEsVC#R|My+| z`nSI-lIt)18m0{Gg9~qc5@-JD9-Q%~yNl#gSKaHRuyb(8p@*ThL$2kHoN?w^j?eoC zk39CItKTcH%`x95-9mi!bLVROnL@mMyti=4sU3J|@T60d|MgEj-IG$?teC@1iub@{ zHLz}8Q~vQ{7b7|4+(rgc6(y)Lxt0qZKRV78Bo31N97Hf2L|JVGYKHVjMcp7oYh>an zv+q99T9gkOfV#bpMq=9OC?`4XTZ2TO2=aaFao5AoV$mv@Q0c~C^K6lKrOKAQ7{*=o z{eX)XN|waryhX+wsSD{Ixv*}n4yD_X7LwX315{Y5X0L|P;#NXVIY=c^$jPA8$mf=` z?MTW5A|ZoAm(*u6CzC=UNeLM?x}|N>`uPJ7$>EXd0DA0NHziKgZ595rX;LRO1T^i+ zraLI7~C{ z)4T-fFYZf_D3|}@Zz__D$^ZBZ$->oR zTcj#hjYLvNrP#Mt`1a@ZUF-46s#j#Jm3rmmh<}cq!rQz(<-e`+(LKiCmaiUz`_4O| zSLrF9FTVUQNP(OZ*26i}V{3IR*5A6j2b&VF)$1;zh9s&#Yl<5Qf?Tcig2jQB7eaoL zgck$eA>{;;x>S^x3yH0e3wMQ(od7ygb;yPi=#mRc{fLp+_nW`Rq|>fO^N}ws;H;~>$;bp3n%Ed ziAj+{7@dqJYRa+R9C6%THe(}gi4cr0cGsD973;`5l})Zhq`h~U3g4WbQXp9 z{3%~q#y2O|$NON{(fu*^)qf(@+KfIGaea|bJRFd|E`6G6bAlujpln(uK3O5HiB2qA z^ftzg9-%K8%Vf<9EI4^EechD5psWZ{a%{p`G43?g>OJ;^Q_xTA)Ug*yZ|>VqbbD0J zy!66LOi4<)WtS_a`VG@uwGvZv-O1}VJQB~0)FqFTfuz4KQYprO}HzjmK2ec z(v)CY&wOj;`w1+IZcXMEeYxIpBAsl_p=~L!n{cnMjt9OpA&zg&sKLp*4#r^zHQ5KlX2GB4LI?nT1?w3hJNuX{ZtSMYA)432$L=c~WoiaP^nZ-Q|L2n=jL}d0HK}20g{2n-y+BrpXr?BGZkEcnIgs=!2to z8HDGTrE$WDJZ6n9$1ROH{B3an7hd=^{NM*)QThJ&zpUnW&i^dV`_4Hk-#+g%u6*m; zpEmhBDyV%YL(V9)=i1PkYe9RqO|D(Mrb%6712PuLoFOG-Pb969QF~3_YSay`#hSNQ zBC#Zm?@aq0ru3Qaq`3W{H`b+&*zY2l!rPnqY$>lBeIkQ!)`ZXFlnH06%o=d0_7&c& znp{8GnfI72>F+cyL`$GW&ked;)7rDqtP)qQMluiPy{#abRQ;>VT-_CSKrABjd(m<}bH6*oEGS&ndRrRKrBw+BoeX3;L! z>aBr&PJL3}Ntiiwrn*r-d+nffrxG$I6i=gl`0%mqaL+0ZHDj>M`qYpR9* z8fG(oPIwisyZpRRUrpB>bJEH;4{{QoNpmI6TokxXgLmQR&ezE+ISp1SIc;~z={l69 zS7PkgAsARS7U^{%)FeAlSrbAb@7X1|U^lHas56Pi%Skkeuf z3)r|MAIu-?*p$VZGFK-#jfRkvI(Yi^S8#n|2!2+!7k*bc4S%bigzMsC@Ic)pplS$G zNtp);LCq;S70CzDkxJv`fy43rRSo#YJ5%w+x&82&m(w`+)pA_&VivD1Sb}o2iE!fT z5D>!l5i9D}vzUHTD91MaiqaL6R>#!(5j)ALadRfh)Z3cxD*9(cj+u_J7awal$wylv zAmlXBtlt$1V#=>PJ`V6AyZu#JE98@+<80N)~^wA8bn-(DaomD zR1-%g=zLa{FI8In=3Kn~@{5L?*4D`6UC1d{y)|t|F`K77w5ACE@z}z;yCVNe-7GYo zh>36NX=Cx$olgABWXEjNvqXc)2>GD! zB}gQq`gUIV@#Q++71M5hd|xJ@`EI$MNqFI}N|p$>Kfh0e<>N$|&t%5SR-t7V7@v2q;1A4OZWxKBETDBXcd+RZm{a zB^>Kp!!wMSH8nLl3FXT&x;neCaKS>%e|rhup1T|i7A?o}Wy^KDZf#{8`%JFE$4{xj zX&>*8GtV4?Lk}1%<4ZpbO|%2^UqMTAi>~^ToCeCI?nqM8-P+dPeBJU1=;jscR#YD2 z>|&$v{5f`lFJ%fQ+mKGC^u<(X&lro-_a2F}_N>6X^}wGOcVKm5HPV@sjCtKi$^@H2 zyT+Ga5!|GCWh%~#@apqk3DKUHekJ`>SMRvfhvyR?{SgwHmH7ha3~3pQ(p({xYh?dn z^@x^*vE-F^Ff1_+KichT467Wi?@}O9>M5VC6_PbRFUtNGNmi+zT!rVggV%tS$#=9a zN%AP;`j3}u_dxv|)r8uK+GlwkX5ZoGWAZTxEB%I&jmY)cc|M*(a>s8h^Eq$k$-H~g zX-kA#>s9}{I^9N0Aqj4u_coTj{5+Pw{<_Mt*IvVtS6{{AS6;!QmtV#^FTI3?FTRKc zFT8-apMM^2KKpEsGXI%p(6V^3URO!pS&p*)l9%MkynE7VOC`k52}ytGO7i>NTlOP? zrcR@4N8{LW$7=s!d+6Bc*lDilSS91CxwiP?i!a+xLZ_c`=8uLB9i|_d9X)!CT&PL< z3M7!jlnw>Xc;p?HN`|mrQ9P76prcJ(@==JL`DW57G;Uar?(Qy(A2-h2edgBEa2W0F z9ayz`rA{b1yE-v`{5W)UB;_I}bSIcVvyf9x8F!RVJ&{AYs}<{)%)_9815jUEE$T?+P#wAWP@kT#xn+OS#jBq!O0OqaNe zbOf_#jRnzf$#Xb3-;B?max6OYVWe^))5n;vr$V*vUGaDjp2HHK?F8oP(MNQ%6Ch4B z0wNa0dTv@2wtf|~n|$t8~=PaKKXc0|OD@eLI+@wHDfjvg=puF9m4 zku=izAgTvU!GljM#(=(k(XXx^v3R+VupFWla&Cp1H7tqgyxDVc!#^*_M~*rf{Rh{h zZ@<2hg$(E-+%IS9-sEXa@3BCvwtT9RI(opimGW@qijxq+hEuUgxo({NTKjt=HMNzP zvu+;#`sS6`bI&oDSTzwN%En@J`Dip$jlh8DaP%n~gxc6ZR8{svU34(|XNDmjj-x%> ztlM}~QlEU&Yo{G0)s2YVN`4!#+FaSn6e3&P%!}$E5%+j8Ivk^#V%F5 zfR7_CXl$+UbPPY`Td_TsGm%a6N3sM{BYU4?en32yRkWi;*P3OlhB}D37ClU`U_c zZ0<}W*-?hoLYnHLt!U`qjOxmA)Yh8kgZQR!HAOFK$5mZ(MtI=ql7x<0bdz8_S6Cih z>6G)Mv9VDn{OptE<>hD?+TaoaqQ1Ufu3YezuB z@>%5CnlOeAk7NELS7XY4`(fT2uVYYsrJQH{j7(ggxef8A5w9DpQ%ANGS{?!4{Ht{! zHQ=_FobQ3WA-*pPDVQ~DmYi2|4u>PUa!ZWrAIHprS;R(-#iwpxiTLvQxZ<$skV~>u zQK2rqx_QSvhVdR-eYlI@86g>C$BxyPE(N3I1-&*ywgorM|070B86kZqtvAsq_MH@# zn3|Q-G-72@3>@AMiMB2*o4pvv4f-@bG4|_-$vGU7>r&XcHf>LIwzs09qC)GfG1Z9n zV6zaVfSe0m>ek-fjsfu@s4F*bl4T#^4UCF#1;+K2IggMuZh>9dv=T3Lydd)(nTzlf zG9tDg*<)Tq>bm=5T%U3Jwp-pz>C?Brrn|N1Xm4@#Ppn+7`SHBzTD%mgrAv`mz6PDE zm!NCKGITpqWM972Jx(oJiNw<7NG@A}?6M_DFB3OOBht}$@Zp&-W8j=_oJPt-clIe-Y;h(bHvUt05uo)1%o zOm$-W@Zn>7AasV1(}tnLv2eixj2b-}eETX-I$gn$F-Qk24)P2w?%NB+DRHnfcb}L? zHk+17#0LE+^SH5N^rD!S$utK;e!FqiDj}z_sFK%-6DOiWCOMI41)61|*x21ii7B`B zjI6CdIyM+@E?R|1WsQ`U7nHOT)0Bis2uW>Ehfsk|tX;7Lqel)!!$9XE#yX&=X1!qh zRmV;Q8`)bFX$Pr)q!aong7SC_6Uq~qKX*BDRm1qE2c)HMBxKS^V&Bmz6FniOygO|s z1{omHg+QWHh-n&KohigKLDXcTI5_+|zVW%k(432)g_Ad#M3w1a>trpU9#$8xed9Lh zwNELa8%8onpyzWxSox%nm~rWu*kXR;MoyFP%~FTae(9=;u~ zy?h@=$mF_z-(4|yy!8See)D;iN9MkW zhvq+z2i|!Gr;Irci!<}}+Qb!8u9Dhsmkt&}dd*8WV9v@pn74W!=C7HLx7NLdx7WXo zg&P)Pank}UYJD3^+7>D?eQ3WHT`hY*6f9rIFqcN$E4y@}c$2||eE;GF_a%q{|btfft z>06;J!l61LpE5yjPs=1eiSBeQmaSy^jTqLyQ;8|bj(vvGf-kHiyaZ<>qADPXqdUvO z^OiS8T3cK722*2Gqpr+w#gy)A*RIu<8qtmAwx1f{_aYgFx(pgL5JQI!72?_#Rh3nG zW0W`OI7TKrl8AN4M7yjCgX_w%Zs9Aas_lmiKcgYwjz3!luB2MM`Tt$v6piI!96i?^ zvaS$+9ieh&Yxzqry@Z)FXXqG?pb##}m%4`XDVd;$aQXf7aQC_{{NodQVNgJ>@j{%b zo7K--*Mwe^cs{CW;I)^M({MEI`0RL)oDQ2f9EtXnAq&#BB&AABm6V$2OY8dgLH*!5 ztXsSW9g92gm0f;{=>rcH-G!8j{*)botc;Ua`5FvFQh9dWMhxwT;Uc5QRO6ku*P>yM z&tvqc;i#$WhrBbX)$~mfHxr(a&N*WyP64#EwCW^Z2l%4%$<{-0F4lERa^G6ya$%I0 zM}?$r{iI*4P#jas^ZD|_sZm@B6J z`}fy!_U+qO2`b$Z-TY2#+;v~|{4IzIvB)NcTy)5FF=n=F+UJLBL){oKVINe~)NB4P z&7O-1)Am8U-$-;x*_bc4aPzr3UQ>zEafLdQ07M|BQ0r3DUWyLl@1I|DH ze7$Bf{gtg*{OyVP*wC59UJZS5(bYHO)YFg0S7r`IWjKwWUv{0oftp}=N(Q}uWAdBd z`jo3TO>P;!{PN3j)KN!a;J|^1S8n;+Ft-*TyK`6Ub?kI>H6@hD@v#fDVk*~azT8NT zhmLNLYia=Ry!ti-WbCFT8*; z6DI4ffNcTwU-;%6OrJg-^X|SIsa4C6YE9`2m`p!0eaylVX7*#(o-uFa4NDKUZasnS z$-#p$?ZgxD{PWLm7yT`$<3C>hI}RRmD8~2ioj_jn_(j?$cz%wo8i|u9o~&_8NvWL+ z(Ej-Hr?9kTF}||@*PT>+`0%m4;H;bu!-9niF>3S}@OxoADJdKf^@1YTAont)mcm78 z^U?E#DX-4*Px8@=f##b>TWc%UtzCmDQzq+{US1IRY)ETc8&<94w%!Pm$pj`%+C{fD zWz*g0+fRt-+Y7|bxA?{|wr@3-HU-eemAvwh5GNr}&Wb6?X_9Z7OLn6w9>eODt1)6& z5Mvs4p;n>~3vH%DtcM=4HP!HbgOCS>w=Bxax#$r=oG(TwkD+#842|<&Mtiyexta>( zThc;2We`hqI~8BB!@Jc&QWGhZrP@%LYT*)xBooB=STjC*z%UG{t3tVu{&+Zqiija) z>9kC&oO))J)j+j=Y>g6{_~`fNw@h1N>GM=z8nO&@5yB{Q`sA}bwhCL&Hu(R2am#D z6Z4p{`$&;d*mKelOrJailScJLL%%W%tf@n?r4zNg9D=@;GO-q78qk+funkJu!GY1C zXEFZ@&chScWo%^UnDltcFUpqAT}VI; zb?O*LM-ED$^Um)@9a~3IbZjYwg@jXi36oSN^Vys8X-i%iZOtm9f|3f#-<(aodWBNQ zRy8teDLa4Ss$eF88?MV#-!;Q1BW@>*^2oEp=LNYr^68h%%uFGnXisoYwr|&7rn6(@ z5Akl;utEIdWe`S=K)7<3|4!-cd&zFRQJlZ9geDXnpF{~wk}08S3yNvdj62{}R9ad} z#iiwx8W~Mn7ydy}$xVr3nh7z@ui#EPCkrEBZor=zMa2=Fen9fzI{HFtLmd>_Kh#fi zr~gF*ju;^AWF_Z4E{tf*?{nz2iEC;8+EPkOZAnib*Njr*SAJ~-+AJmry9^Qur4D3wf-!K@ohX>*>6(mwMG@PRviEo@qVh zytJg0QktddRO~*G{^9~`5*aS*PO}%xBfdGQhUNyqntku_Irm zf)X=JNpUf)U%!?zw{NE&J-Q25lC^#Tfs~V*OWT;VVk0Dw*6!VV$oj}yCZ36jO(>&z zI&ECDk_xl8QV`ZJL^qX@rQn(}t~fCg7=hN6D^JcJcPtBQB>vbWAcg- zDn!T$@lG_uT^+}ZKXhnpOrQ&+`O9e^$5xsj=Xv^828%}mCs^SKCLjvV+$G_(xgXqI| zpQ5%IL_IpCP)aOzvySAn2T>G1Gx70p6dN1E63rctP};IRmjavhp`_RZ3gFJBjNY2O zK{%sw+90UANO|WDmM+6mbn=Cq!p(%H^KXg))@;T*Asxbg0XC!xRFO6qudIEB`nTvy zt4kJBL2ZTX$ZLoxMnKwzccf+8meCCv2Oc?uC5PP3XkFZKb}& zOF<9_6NWh&vjM_&pp7a`_zrG}BBxC7!=mGMd6!t<%eE`{Zq3`2)GCEa3o4j2fSlsx zXcfgL#8O7bmb7*K7TWaJM!Kl&opey|>z=0HjZP_@>Gw51Q+{a?wTx@-5KiR599QP8 zq;_%b=!CW>IPRw1_Z8@mUpbNcNHug`-wSjsdya(*7SQ%>+Z!w?e61}k{;BY^h61h< zOs&8Vpoo|~Mh7_8_6-rEuTaMVHJk`YDBf7-2PZob)X%nLdtw9s2=op7cCr&!0%^moBDttJl)HjoWB5 zccQkf-^3lFH59sZ0(FQgrGMXiHI)~kyN_urGUTV=PAZGPywxjpz5hMJKM=R2NgoWT zY}FA5CZ*gofs~e32T~yuAGV;FnrbR2$*1FvX-C~FvMDK-J5^P+YDyJ%&Zr9CG|VO9 z#yv5l;B)D#FTSMgtfkbmdl0oukD}lL)*fv&&5X0wOP)! z5nwkdi~R_cy6F(^3h>Do5Yy}mwIeS&otP4esh;S-9LT`4Us4?=9Z`@eTtnO=urCV_ z7kiwS^7D@)?wiVjD!%WssiYuB$Pb9orcIk@)uPojZ{A#*`Nz++WWgL-w`wW1ORb>G z&u&VO-JMRKeAtX$emS0Ada@Ore0-8xBgt_}T>v<@iJ$vIyBVmvN0gOt5V+^jp2&U3 zKqndJrt=9ijv$;M1PKWVGSX!_sQg4wC|+1rm2$4DBz?@ug=peDq@4YhRmrsvD9a-% z&84kdxg%dh)W2;@S~ufc=B`B)&7>C7dK(IpU&#@k3qN9j>*4`6uEF|$P80S42#%!= z)eGpqgG1Z3hcJl_N)P;f);xq}2Th90>ANQ4>gQh8-<+2jW7U z`vLE}08Vx7k^`Wj?onom6yI)GX57*VxM?j?nLDkKqOU2xi9%4iZ!v0)K%9o6P7s$s9Nd6{ubnU0T`m*e^?hYkF5&P`r=|YAU27V+7w#?HJjSR%WlH>s#NheH>Uoy>B3O zvlcuDp?pWdjOQ1Ek-zn8R|~;kvt|vIF4+j6eY zF~W*zwET2YTAOn202a!q2}Vvq5J7^?i-R52$DVsi!An;g#SZ_RH!s1TPky7Zn{bmR zGTIM9Q?zCQC8oAwJ$4UJ*BH}xG37WUNPYGK<$!g1K}_n?l2Rx#C6Sh_+CZs2j-b%w zw(>&Ggby)hFYMrcuaifeb_0w;VJ`-ZoT^N7y&V=R-!5*Nl1{B!Wl(HFqD(1OQ2AD2 zu<$?PFljPc?lgLeN!gi^({}CJ$w)DX`>tRI+1)8Htv9h{G8JVPbDhO)QrEWJMiH(4 zeI>P_o^)g9N4ZXGBI`>rUGwikXhbBf0L4H$zge|Hri{l%#!_i6UTPJ{4&NwST!ZYI zY$`7;N(yL2-f~)0v5?9`^5y=+TGL>R*vmUybrFKgqA5Nzl@4v$pJHNSxPP>a znrF0g^13Hw>ju)lcJ)e0e|Sa)8Oq)sC~+wPvXj2<(Q)-Z2C zIBxjn#grfL?DKDM9T!Z^nyC?McUl%MTuQIK`MzI&21bAUgei{RHts`rx)l{c8aauBO__3BsfdxRE zFTVH!z52?l+<{pp8z6z0&iZpU{qpN?G-c|~w1_Ln1q&BR3t$Pigv$ znM_`b>6Ft?rCV;lm9D=28Y-O8~YL?KPQc}~YY3r8Ms(EW_ozjMqxIwK6EThV* zGAb%6;0g#IvqtA!C9<9zFhJs5s8`XgRexyv1Dw1`RF? z`uY4+^AGND9EsL#$)$)^hf#Dew$BHFz=vosNWs~S4nxKp-# z4MwKS^KG7C1Cvio@5Roe z*o73+dN;0FI6F1ev1?PMTft)d56L{#8Cel;_M=(|Q5(U1of*Tg>bpgm;0^We12m z{|LwA-=xbqM?@MPI~O_Se#7pN(>=krtKX*h=1qjmwCmi4^0V`3^|V!VVzW!>)Ql@B zG&oGshkNYrfGIJoe+}m}u3fX1T4l7NxUe{?&ISppqT+yJxd!Ed<+Pz}11&9HN~=m1 z(faDuR1r`@fuZVN4PkPMqml5UcuLvWQiv%wqFTIYF{P)cQ*_MU+mOngemo0Ef19># zD6Ca0+P-+XJey{%v`JT372jiACxE0HJNE`j!ByC#EQrGR9xCUXG4#Y!si{eS+TKmS zKeUK%$s{n2=5Lxy%d=K-UnYVQ!sDdwlC`MSo}*d+YupxXT}o5e{z65S1vI?lanw1r zvkrC75W>%AEVeObV5)9RhUH48Ixq*$c1`irQv3o#Ff#oY!QxJDf+qG@2Z4`X-vOP14X3v=~c}Yo0rXR*k z5Hrf~i?2pg$M$WhcdzcWapPvG|8BYID)Hw_OaWZOrAt@Rjn`dH#~*jJ=*{_S0sY3r z^3X%->NgaK8)d#P%6o6%*%#iRmMxm^@-++i@yBts{RbS*1n);WdiXIE6cVZ*OeQ6m z?xWv+DX4}?emy@81gbmedm1`pl*W=P0j|NM5}Pt*GIw~^aK|NIq^PKf3R&=QVohvG zNwIt|JvTRpAH3Bno!s~i959du4jf1~-h2~f=4Ml3QX&-;7jiVHNV%)ddBT)ke1HId zsB{8DYN?{4iYmBs8Nwa(U>1OzYJJ=hl&hx{>M0MeK-9^O!rhfpZ4e|tbT_n_BRBB} zVlvNCx@Y7>TAD+&ttOrVBI7AFsEFE?FQrG$ z>rd_4w4tKHVku{^F1b#KN5~eZ2S)=$=sFefxun`<52H#u?iF~Nr)Y8JqPg73O zG77BX&Iyx!l$BZst&V}!QQS$6qD9Lq>Fo3WNBI@C^!&RIQ$Xe->XQ~sVKLlMh~a?I zF$=~TAr%)s`Gar#vXP-P#S5k(MwPxO;L2&ti~lm^AxBa%i&2N>DRv zPV@5fW%OJcd#?b@HLMTyM7B4SV zESj?MM_M>!llF1o08c;QzOT)5VD5YAu<7fF^JkuTl)7~3LQ9q`k)3W41g6L0^D7YO zf}DcXg@=d9^x3kqa=tZ#rEXundKJrRI`q)~)TiG-83{sJn$BT;aHrA0q~9D29D5hw z-{ivpdT8??h#Mm(Tc>?OVWlNZGWprBE*H1Z8Ya(7oM9K8TS$?82T@>2IR#Y~(&E*d zsn6gOsHRC%Dx_#3NHsyKUBM2*CfQEO1WY~ zDRaG$N9+TDBc>wb2!Wdc!o%|qJG8T?vt<+sFSVQm)dkj@w(ihbM%H$9hgH?e>>e(g zIDk4G*^Lqs6KMV7HB_>$oUZEd0A<8>;`FOs)xG;Je=o8!GbwBPR_feYZGN<9 zE6k*A1zV}IrjlADwxE-HoT@|EJJ^y_Lfdjns8`!0TC`vRlbSv><}dGE-cRV=jB@kx zi;mW<@BB$x;4mov`*M`9-E$q$s4B(yzns0oY zx0=hTsx*hHOR?s%EMwF;K0ZOFM#)PkQ8VSC;xlLa8!Bi1@09w`?dNnlz4PhxP4=fkMnONT3ImeG)5$4ZC6{Y)WzWl)Em!MT!deGbm+9`-Wg z-c!mZE+0VBz~KCQQ&^fdsN{WO639XEj1&ss}Os?+I`cK@T;uy`S+=)^ZhTo)5i6( zWCzxKD%^^J@s3StcZ^PZ;fMApM&+ZIDkrC2{(<@^ig$)-0;xK3NDq8)!Nla_SO& z$5REji$f&`WzpSP+2e(n=w3|0M-4O{8V)Q8!ql*e6Z8e={N@ootpWPH#+1tTakRm|n^q0c;8p z5`y(6nrw1KVIpX?gT0^(%Ilh)v)0^%2VtTf2nkr*hh?{l-V6BVV0o<@z5{`KL4+)Hjp~CVSnzUd8O`5-fiZ?B#r!O5u z8BG&uTXhUyCsm%(iDQq>uDk-aKw$V$38@SA2NzMpQS0OWfFJP%zdCr;Z{>sDw|AIRMb*MrBcS4R5^02*sV8! zDydm|OZxnauV~iX1vF^LQPi#tIt_8M%Wq9Z8J9PAJk7K=zIN*Qk&H>YA=m&ZBs_{G zl5p!|-IhVUIddGe0b$}GzX)Dk54>aoIo-N#8#PN!)z33F#ZYLebqpgJnh0eW+d&k7JL$HcG zLw?{+Kf-jwomZIMaXDr_sPBkkc|(wF3S*`!!VToEXy*GA)ucJiTeOUN96FeSliO2O zNDKvWM;G-Z+M_aV#^mLk`vKckxRdWms-zwHKs>nrP}VT}=E;G!0zs{+#n7A%gUiPu z&kY2w5vG2^AI!S~({tDzT>jHQiVBUPBb%O1$G5mpUILgA)5Z)uE8DhgqN>UY?htYZ znMr+7aUpHZ+Cq5+x!h?hrz+emTslGFffODUM)7g+)GRTLVxr>s`6!@u>(+6N>2GYdfRCAqJ6F|{TVrkawxlB&GX$_E# z98G-A@ghD3ZucciR`5Nvp3c!^28098@QC5w1pLE~zMw8$Ita;lo=HZt)D*{$8>@w6 zeyY!iju>>96V~+Uv;D@^r*{u}lSvB5A;LFdoO;S}Oio*P<;9(LEEzH8Y$2k`j|pSk zgvoUMwUj&iinyW5$%G6v#w||)3 z_ldbbaJ^8TZ8KVl9>Si(MA(#}J6_)~c7&h{FTBw6ozpgLr2&@C0h2z}u%X$Kg9B+J z`NzAd*WgaDFMR!bLE9rP2pTx_A85%;JlR~Lm zWF8%Rcy9_x%Ait;pb*wY`KxenZP|>tI7~!?I8C(50H~Oq_{F5ooV4SJ@L-RBglX(? z!1dH__+e*P_zLb*aR*$5BX&Am>9BFf2h+;sQ#joDGxw^>giqjpVIpzE+fH`i#pq}d zrgsHXP#BkCR0KuDaECtzpTgiHBr1|ZBEl#zG@J=hHMQ^5iTd^HONm_B#c@X=GCZ2X zBBIz&JcUKYP-tWng|URoF;d*ZqLf5LMN@b*6Vot!VgYH89Bc6$8Vr<+HlkcG1s`RH znGYZyC`&xEfRtY&0PaVm#Fg@$;-By>Q@o2gAF0U5%n~#HvsZkR8l5uHlt$VD7i_3OzlmG zPo(tb>D<<|k@a#Qrub$k{FgIn1^2GX^i3p+Q$!aYgKAo7J z-i*4mO7N1(Qm#uk=TK=@AypNXQ})Jf6vlnos3!4T7peL&lAm3Sji_`VOJv}S755BUn?^P6tGijEpONXpU| z?tCC$2JnlvR7OE(&6ewkxM$3qEq;3R=qe+b$Vcy9>V-ri_ox2gYl01~Kw|Ux`9hpC z*zVL*j(5U$>lK%j2>C>wr%e5wI(BL&>7PG;G4(&R54CRHN(K*BtzJtf9zR^d$jQ!g zg*}JC7`u5%88F+;HFjxpYG7Z%7N+R%M3zC#7^5QQDLc#92{3I@Pkf4 z5H~;}(&?3{kbE8}i!(rIl|R{iO^)ikj_B|q2wSEaA_6q7{Le08@8t)&>R%ul{Nt4$ zh;f6G9JOCL@~?650^Bg|RjnIx^c>;x({_?}5q%DKs2Fz<6{p({;m8s2I^x>Hz@05F zL)F3H_)MPx{%~N=Ql_kn5d_$xa|U~mHSFk@(XIm}CML<$9+~p0!;vE!aEBocUTK%` zm97-N{F=z&=E;i(2oLv(Dl1by>b`OLSCOmua4KTrQc&UZk$*foun=cBNU~sud_!;d zphETp47lx7I>f9Jq~emYVl$2`QvRZdmosX!4|H;3qGM!pglHz4nCXD)sLIVdJSA$j z0SBg!+8+0TxEn8QMv{C0I}t}uoeSW{Ibp~-ER>}(E7TYMeg`MQNn!(KeCuCm%<3^T zcFkCtw0;at-87CSXO5N8(kVqh($6{LS?6aC7x!qx#a~?eTjUxUv;Gt41D-Frb}VWn zTs;@2KB%fvYejKx1i&XFuz?cpO&l@Oj8Qv`M8eKj+=Ry*8v>*ckaX)j$iGgrW9I_S z-FBiU1|=$uoIn0UK9E1;Gq0#jK7kPw-kl;^52UJyWU2`a6+((pbm&yns(fR#6_EBu zr$yq_aTu8N8+*}m>8tk56$T5g0bbggYhfVzoYn>jW=r7>uSw5-5F~YX<*lK=QAP~b zmvTMGE5=;EY*mP!AQKZ?K%J170D3qSDdFU*5cO3JHg%{I&y@jMr6)-ma4 zsVpg{b@Nuzwk7K+gzJ#Fm{^Joi=g<(Sc(mfq^!kjyuwOsl1K{|E%mZ!nD!+f`SYHCxjw7T8D|6!aE zxs#X>PiL}b>;W9yx^+aUiNS3@ea4^EqzOM0?1XR8oANgzBo4aps{Oz$&<5isfV&ZG z1;e5J`qG9Cn<$gXEN0jA>D|*y$5-Ekhl6p$D78Cn!;cmqoIcZZ^N-ckNb}mMOTdY zQJVTF&gk2#qdu3sYC9;&L5?t~b6>2Q zQSMq-$1m1!mp`qibrG*2qvD5;k}h+u{j2byXLLP~bGWNhWe^YA&gH@69Y+JC$`kg^ zL^wGSOKsIrm6fwodC&AnauA$PB5;c_%*HHzh!*csq&xRAW z+g$`!_;LG}gUd~eM@i1bO5h34xGSSlz(E_upfvtIF+fTh`q!*QYnnfJ!w#ici#8mp zx)&QN?l}IoKU@( zXiMDW6mXjjB)tes!}vE4SGmWKV6jkUw8OQbIl8Y=w(f9?m0ghxhF(`ISZwnHcC(fbhUKkx_| zG~{Rzm|+Ju=s?$B7=Nd@)8E~s|Hxq?FvG4fr~mJk@X#P?l@jBe&zLobwr|@?mD}@Z z)8e%hhx#QsNxsu-bPCH#D6gcD$>b`>4l;1yq4e8t(`oi!OboRhMy<>_fMa4}BF&w* zP)7fZ9t4CjDk_R%;$r0-JK6$no%#eYW~Ae%$-heY^~KeuU29ssb{%cn!sLX{SFKq` zD^{rdU_CbKr4_50eDnFrm20T195Ybr#swI2Qc4n&o@Gv$Mld1>GG@vlGdo8{bOE=X z5x}24$}%-Ig?cloLzr0iIpL?NjyvGi_a}h+{P`E(aKbeCp3e7xTL%K59L)L5nX{=W z=hs{-07rZk;m7fl{OTcm%yPhb<>oEY9UZ`!cXZw)FO%MW>( z;>R5lbioA|JdoDB1+84QTBcgz4WuDJXt(`!3IJ&sab%G<Lt1?}R7*<;eE@gQ&z^h>bEU9dqUlW8-nDm1)5;Jq_uX0Pv3={PG_x zb^OQ-{$%Z?Qc>;#xZ|JQA{2O#qZlL}BMJ!9=qWf( z0*`~Yy@C#&J0uwO;7(+4Fei%@{pdWQXmr?za|cXFCa)9fTCa zoqv!9gpZ>K$btGrILNCiBc+62=tIZz8zAWbIh9=iIX-N*1aj{XZ0PFvBoOUSj&Ra; zI4D~{Tk;V)@}vGG9!zb(rXR?wxVwDr8tVG<*r+t9UsYyuZ^M9pEr2-jiLyfptI;O; z><{e3gDA;S&H*{VLZ54Ub!zMYbxj%$rR?^CYl*VU%U2sBDMG_>XeCcMy5s#jVD1hJ zfpdLu52#rc^74`4ex}^_lw)Q{d!Y5*Fn-M^U3?4OkSC`e@B!{~zZZ(F)k{VN#4ThQ z(dql#oj$qRIvnHfz?_PTQPN`Ic4J6-)f+kD+DMMRfKH7pCBgi8?MDUV1=!VBu7L8T zJ-Pg%+}v>Tt;-DY!EEf!xdUxYURD2wzX0*`0i4yp{d-pE%#aG|a#EDaB>eSyTG&F>c9(JTm4_$~Ur9HaJ zw9W!1i(h>Cz34#VVq>V^A-!nYA2aF4AAb_NRxOxgesiIoFg4;Rx^Yv|SkFqInX zl}|bG7$=Pz=~-F=_H-5qxOc5P_cvK92z*FQMvN8WLty8ZZuk(--K-+lL^d}?m} z`i=C_$6q*UJLjzWcfSr8GiGdUzy1Sg{Dg@#?C9aLhDMPkYyeSDCqr5l-E8uS+LaX} zIM|2?Z_?2k>W0oVf-Ev>$$z-<@X!JJpaDJk*Dxjy35qQEGq!Ssz6l?Hd^ABiL5n}v zkzvB9s4C+JIE+F#KDyyiH z%MPPq5Yb0U^%3QU&XP0Qq5QA`maIF%O9uQ&Tq;_$inHnqhY=>uH{rdH? z6R9CrNQdOfr&Cx55{`KBfy+k6t89>Z4qMFnh-AnSZd#9jBxoG*$0y33f1xJ=BYcQ& zFaIik`ouV^gFrd+kIQ{WQ0nrl;^DGIrG(n=HAEAO=?Y^0i$EA)N=%bIymkO#EH5KY4A-m!t~0& zhQ#FwqRzROzH{(CH!y93$-AT#|0sX{GcOm+CugLb*be6~J3zSZH0)!5tXo)E)J67R z%lTPkVj9lv3pOq4-Mfdju`u{? z+)r{3U>fb7VCIb3d=G7)vvxoV8w*tHpc`J#ugky6CW&_S4dh|9q!1#A8 z;D+eLe+?5j7V(F?OTlnB5{8;~2Ov)9mzH6dW7UyU@pDH8iDX@LU_knmfJh=KDj%w| z6Cmk9xSnZ#oN)GEjqAi|U?=e>e#Ia3OveGVvq9U`+)Dc z+FH}eQk`e$s*w!Obwt?-5IbzbtdEIxS5@E#=9JpM}eeOOA zk#p(!1FkXjaR1_-GtZ*|m%0<4)G-KG3+_V@Q{2x6(5)k`1Q=bhWjCzvMBLa_6fdp( z!T5KFDd+A#9go|cPt}3XkzU82>)eQenDr^j#{3CjuLW_{IS2FsaQu0SNAx5_E(cYg zX)>x`00D<#R@9nes)q?GwL#+ zpY9L%@q3_(fj>7Z3jXYOL8i}~E#GMM=hoOnS}&N*FW_oV88D#q0T~M5j*2?hO(PmlZZt7cr{1nBqJYsigl8I9a}EeOLZ@0f)2z>g4jm8pV{Oqh zqy<};BOz>A*YTc{(3x$SarxAr5KKIZujk)lx7>0EY)_ zn>qoRLZ=_z;l56!91UAawS|P zNu^DRvhx+=$CC$!HXpVL>jlrf z;1YKs;ueznL(Qge{J3;*Zo+hji+coho2jb+Ck`X-xZKdz(7{VmyllhBsT+=e`Bxrb zXO3QiKi9cdckW|JH`}Xc$WvB;u`_#yV#SJ&By?*-k?AQE7#=F;HQXNnl3O;X4*mO}VXfoG%0E{O z{JAwmu#4{l4?RJhJ9nU7y?Xf7X>8)@1!(B@mB9vmBENFV&7lZCEcysR#~F)*@wtej zhaXK-r%vGx0!A7Y!2+=Y@eu-vb3V#B6Ci|*uoUUwHWZC1I@R1sk;aq%K~zi2%B0f) zzv%E{S}8{I(7f^~lhOdn&e|^D_(@MzbI+lp!cd)sv(7q;R<2wjA1RlSN4ER#fA6B- zfBQ|sk!hVQ=&(!LaLx{x@*5QyDGffz4~U!)QsjnpQHUU^a?XuD!r&jt4+4-g1kHcQ zD}1UQhuH_8C&h=;%{SjnW5uwh0ONW?DWaHA#@U{~&NuKEWs-T%!^RFE|8K3~^7XbRt~5 zY(UsBt7{_{N5!R#8f=nFg#4M#r&3TR{MG{r2;q6eTV37rl15H@ITN^z8#hu)QXF;Y z(2+7)wv0@jR)p)I9?Gm8(|L zi6HOnGbx!pkBG}{`+X$xN(%3m8q^H+v7RHeT#btN4dFB zgzS#z3ii?57U2F$O^R1K3_QEg!F^`#HPkC_zWF9i{Ar@pw|D>VZrSCtu&_}4se8u< zY$f+NUSM$?h;QP=iS*=?Ptq%|yh0B=@BqE{(PtD99wD1?APfly$w&QxQAK`sup|IL zJ`J&xdKvC`;e(99oA&EY3(QEvyYIeBbLY;b?c2AjaP%{YG@(9*4(yZ`Bj zIx?8XjUOlN4bq1;Rno=&}JV~-ssYlr>0HAD{W--qtM@6J66V}FZkO&!2e9l5=7 z)bQgpCulgequ8-ok<%E;&(9Omm(eOilTQ#J?u;;5K&M!pbLWCPB3NUI&Wwb@VSwBq zSd0Xz#+J#OH1+|~*n?0CIpr|mj>XK1z`~Cjp^1))q7fs8)9*9pP()<75HxhA6l%G$ z*(_n;J3O+>A4gbGR<87n8bhT=Phn$(vU^k%lT#)Uh`+3~R7R!Hlp}xeD};fMAPA;> zM0B`PR_+mkKt)cWx-Gky%P&^SQFZ((se;K!Wo5aT;TyyY1Qi1ERa(mAi_1}wQ+(sK zLJ>W7LwZ6&F+zsO5vL+SNCVPi@`qzqR<0}-zvb3jxMMh$<7WcIafOA4N%^Df(XndT zvISjo@x`3X46S0ok&}@Y}Vzb;y~~y161zC#UQ7Zd_O31ijR(a$f+7BM*5&D zYe-pCnz-Z1X+@ms9O*?Ip6gt}#2p(HB_<}&?RVTkKTVp**AU;i!|tG18;6$}rF`VL zV2Arj@(tpq;(@3RqY4`bWpw{4pxmUh3|q;sSc;$wy+k|tgSa9>5&q}u~{P zuZ7KcX0o%g7A;yxeVoPjAMWF{^fZ}{+oVYor>^t|_1q|83WbnHm7GPCHYBL@0)+n4g+ zf8RzIUUV64+Fl@1&UK=3JBd4Qn>TLs(r<{o|IS-9>XVQBy6uYK`-f?%sj@q!KlcM! zumQ~Nx7|SZ-+L#8hlbIVDNMYKJK)mYB?0`|H&hJ#+56i0ih(~j2;k4Yp#u1`-wg@o zzEX6{rqsGe7r*XSto##&d$?#IbtCD(_uLyGe9|Ct0}oPw&Tvstk!s}GD>~00bRbx8 zOG-+hN+uK-Sq+Z}<4!{%nM_MsjX9x;NAM%0D7&_+Y zFku8Pg42iiuzOWeQ6YDfVufg-(-adEA)|H8nx#^1PLAXqY0AyXmN=xNAV(Au(k{vL zK%b*CU^;tvV~tJ>@_}?Aj212Mk?LmB0mO%Su>c zADyZfUU;59{^(;GI8b#+WQ3fFRO{BQB_H@U6UZ_IaU(DIuzSmNRff1Wv9U3d52PtR zK9UN!9EI=R>~ju9?Bt` zuLB4iKIjZm+`L(mTzBkl7Z)EbqY5BwcnN@uBiBr>g3m9Pq0_0BbN+XqvjNvov`si# z#7=(w1HP0MX!Bj2~^NS=TG`7&}B9~;NTw zQBF}@E_hBrZgaA;Bn`M`D7XClT=r8&$$SsvIm*q=kr@sc)kZnvnL}D+rh+r_v!m4S zB2Y$%07iB2#$JqSx3QBnOqwu;uDbRnDVufc)@j>+F7Tob_a^EE)JwR}lai9;{%Xqi z5wLCBHpdQtA3X1PVH6n|NiEY-#4q$fauEi|T5>`RVL1kLQNLh@1?pXla;mmNJwtf0 zWS%cy81e=^(*^-}K0&~$D45!J?k*dcVFyKAU!)Vy8OSQks5|kD0Hu}uToiJCT#NL;XS;Xl}?rWY9>X;RAsKaey}*F>-g_dFRrk zpC(c`cV61HPN(_v=hAi8UP~R?wPOO2B2z1}GBfFi@4u%nJ|9KrvVLps*fej^T*5F@ zXYai8-_$fdirTkIqZ3Xzo|03NIT5w=6NmkuyZ%F$UUrH2MdyCSiWPKt|337e|NMvA zwr#5#drmJ#r_d=v<1FNqi5Q5a>@>?Ae~`GRo_dlJqQa?T#}0Jozwh7;QabnSGwDgr?|=aV>FTSlrVro$fNr?qdLf-4 zir8`*X#o+MH+LSjYu{cvYv@3s(`QBs5YL-$y-97Fr%>CLDN=Umh#`G*=P#i%&p3ld zjrxpe>ZM`{uiMcq5LqnmHONk&Gu zY}rERo_nrLoy*D1qYX^lF1q+aA;6bkb_I>(xUahM3huNVA)~UZR;?29+>Y>61@Kajdn}s$~nlw{D`2?fLm*qCa86 z1Y|_wcTY=na6 z>f5u6lt((>kHDjkK1vBO;dE%99x}rG%rno>RhM2wUyb^hI=5?01-aX4()claPlr<5 zR_WBTS&9%O%=R#((wR=n*QBfzvjh}*GtZwF*b4UIN8hv1$5I5Och1adQupI!CG^IR zA5RZI^f0~p>Z@Yjnwdvs%uSzu{$;wG>+hFddP$yz?4oKRsULp$A=iaB$W&pBz+!~= z{rBIe#~*)OrVao4>#st{G5QEnT3%L8OP4O?I{IyXejlQDxZWMb?b-bK^QCRP=l(|| zoR?pInI3%TL7FmkisakWDGu}lO34E_|`Ocm_n{K)B8hYl*N97*w-le^~6wS)c zVskrMvUIW78~yzuXP$j7oq5^`@?z6%f70>8XwK|e)US6JdicS69J}u-Lj4 z57Q}Mdg(=4ylfeb`tmy=jpv?w4%Jqb&o#p?68$-MM3%^i-<&_ENqR6X5~IHu9Y$wJ`cn|~QwQi&sC1$82{Y*FB zaHHh&v(G-2&eNt%8>ytKmfn5uT{`vD(}WD=F|nTg=L{Nrj~iWdB(a{!bRtcM5u?-JeEki*_`(ace9cBGuBfHAM~mx$q&kj^AA#d`4yMb8*jW$Q>ILod+++|uah-?=tvKhFX!5Br(nHWRz*lga2Mbn3=IpV zAAa~=-b&*I#HW1yl9H08yz!C(B&o2tkluOk1A5{4=cr}+-soEZ0RQw!L_t)G=5*o- z$Idh3L}{-=%r;<~eS7VRE3reV;=x5*ZX0CHA*6 zSpo4XEUl84MWaWLk^A+BAAX><8@JKcty}5ZYp<0TAgFIHz2s8Kdur2EI_e5qqW7BM?Q@+XfS7lLzB`hhsBKR4hXWs1)=_3YJ?f@{_68#ejcC!f}>TTidN@Qhqr;BzL}-Fh7&_wc2cUP|A7 z`I(HEFIcjYI(P0O_QxD^jOgwUTyptU^w^WnQRj9o=-e|;(Y8cC{5XmF9MX?w&0S3Q zKJbWRw<)tgWaf-NXfwBiz?LoC4mEEf_K!UFH2vQb&(O0kzDm<(&7)Xu<8}wLX8lEJ zX{loF+N~q4Sg~5n25=ubWU#FHI;3xJ8aHl|b|G4|daX=nhuf*AoFLygG=LlY-E#9a zT%RnW@e?M|4cA{Gy4PNNsgOMM3wrhJt_U%su&{`>Zp)-r&QJ zMp2I*-RP<-F4i`C4|q-&FquTW=bd|o5LE-bRNA_2o4Eb^j+^NB-)GRK%}gR)SiXD} z*Zbeml~-Qu=>72hIMKuR9Nlhr-Fb`lr7&&UOxnWr&E0q3#(f`ke^^*pGz>c+r~X<= z)loo$h!Hb9_-JI&2!=;s4IvW=KF6pMI;D`8UVKqD6Kax}KtqNdO9Ku&j5ch^l8znh zF`B8!>3^wd)21@z@QyofX9D&CZQ7bCjmgco+(g(_7NfCOU3H~QGexHcYg{j3@|cm) zN;cuh;|{pfD02gynwqLe1Op9rWjWp?vm5&bImL8dthGT02V|^gpWbxJ$tQ6~Ws?vh zqC3A=I{2OZh1ApR;Cg2WN|HyfkR=Fd4nd%F2`}svvWS$8;gs=)hf?C_gi; z3y@K0tc~QfqXU65d4UN9J~)igi9;lv17lom*M*bDwrw@GZ8vFy#J;;^EOw zg7|B<#IAl8{kz@BYVNO?5M#Imch zM@VrSiAFrU_>2Zkd8$#<^1`^%UyP+OiFUe~SJ>Nk1d@E2RazJs8~fp8XgV9y*xP&n zyaDkFaIc=j6?i8jDQH5vDhwR+<#(_?tP)!@oX*?Lr-~Yzt20pv{%eX!NTeO{ngz!fiZk!GAfqWcVy$qz(kYe}0 z55rPHcR{#;Nrw8usA2J}6DC+K=r;BXsyx3q=G8Z&XinMJTO6M)W)Yt=00LiSl9eVb*SS<|?nciN zOB=_ofDUubf9bbKh%Hn3qs{hN$QM{7ln1%OZ9dQ8S=VVfIeqr0Vi{kd$Vr=PjP!Xa z23Hn=#W{xbLKxi?q%hnotvKMIMPaMr*d-2+Z^7Sj{{Xi#0QEV8f4_M5o?s>j^1Zyc zJPc@I7Xp(5jgJ7vL}0TVyDaAyMFRlLvpl|dRvL+-4q@r)EW@!B`RNIPFV-gp-Q@C9 z2J2QZDeAmVIjExTU6L&8KCXu>`IGu9uQa)_xU40BCi?=b*WTEfjeOeCQ?t>Z^hhPd zvB)|OUmS*=$@C^fg~y|qnSr^8@^{_#C`B02{#BIROv=4|t*J|7F1i55QEh&bEFBaH zni2!d$bg($fI;wY4MY@#qPux)2eUdsC;U^>dIY~-YRz#k)2NCz^fOIHswBHX3>3~Y zSSQPXky-OU7woBm+<%@iJ)P!N%DK5L?(lt1D$2_Bf8pMBzoR)x=faUH0xa5ml&q%d zRum#@6fB@X1mXqPeysJBm)f8bW$}iGZEKLdXt3SHHi1p1_XoQ^pjB>g-x5uE-jP>pF zBOMFe1zrp9v^-XN8@^HfX>j*_-@RC7tq7`Ydn)^)d)bzYQzYsZ@jg?IEeo6;9&~!& zA|neAEXL?ql4Y*9uE5lh9&i@ime9TS@Y@c7!9=}T`=|x~zKv}MFtB}z<=-DkT@tCw zxb_qFFh@-#YK_+|SYl0Va({{&`rmWI87fyb-;U!+8ce49YLtve!8LaZrug(cCntD9 z1sQo@&v%AM9n(dpql(zCT)Hh$2v_L1w8KvZet2W{g@5 z#vd7g2k_q_ZGWv{-)|U&4sf9@9dxWR`%aJh(&>T(6!Osg%-=Hl4RP~Bt;-o@y^tSsLsn1i-q^z zqRNqd`r#D%O5g;~@fM{|hL-4GOkc>pl(u-cV3U!sIMC`xkrm_10^%}lR1VVvWbbW+ zKQS|E=x>9lafOBUY*d8~LFt_jqev1a6nKVzFBeK3c75${5A5%*=?wX((GM-CT?4z7 zqbw(1<|szHqcCI#UeOs|ezSN)vOyh5wvHTt zVSf_P&{Ch&w+>ltk;hNTrNhxMQQ<%bjTcOjlX5(%li>hR6b(19=*tz9z{ApR zanE3s!6J*k_1FWk&t=CWy$FlJ23YiMno6QFY}z?Hi^rUUziMX^XW^F%BVQu9;V|Bf zSw9K`iyN(&SVj=NOC>zxnfgq~=b|$Z8Tzmh?UySca#z4xVpLp(pM<$mNM#0lz|O zC|tFKxG%%aBr0cOUQ6$l>Y7*jypzZD^-p>f8iXNAb&Tf;i)9^p>*)!rQb zlt@5g>b4aU%KndV5h`!S=sRu`TK6L{n}>k|F~bd6adbsHn^D`@*=L`JWy>YKv7C4_ z@4BGIV)8O=(>PxYDmMHMNb8{vtii>DKVvodKo2*%x_L)o`I?}JyFhQybSQ3@V_U^a zjQ$6Xmikv|h;_eR=DQ0)N6wbf123DSoFu9weEGcMq`>~OzqatHbmlx;Lh{dqUO8Um z&fI*39cWVLWtiBQFF=b+K*N=S(_$*kdZ!tjE)Zkg1v@4B-prHqd&uuKUh9rvM$oad zQaPS%m`JLcjLi81%F96QF~4&FiKbntcSQ}fFdQYPGnZhF2i(y!(Rt=c(idV*W0UyO zO-)S0##KICSr(xbWDS&l;Ap7DzYKER)u|`8Liu-pGnumP8^;oYB5$shY`yw|Qi6a zkc>*gm(J35B(w|#(S2lVWrT8nx~M8MX5OEkXFVTl+rq-ca>&D|jbT5pO0Oz(8P#V8 zOXJ-OWt0#=?j4bWAttJN73w0@;c-oaH^;rGCrQL>m)dSW#XxSC42|h9%rJ@^;JhxT zn*^)G2^-BiNZ2F%3A2&uk8Sf|m#0-qC2N!YK$*yi$$942`9>lU`GPxIWn#Jm|6pmP zv=OWFEC`d)^WJd9>>2e(F2gvp9hzbS$n|#fUqz7>Z8S9IlU5Z(UhJ=@HFL!JAQPq6 zfjj-J>43=Tyg)F`ROxl%gMq zlHd7xyWL$>AKg#gxBQ;75Ru)^XQTgP~^3Sn804 za>{YYEo(l%>*2^CCwZxIN-}*k5u{z|^-Lt0b1qa1=Le~$1FgEQuIoimV}VMJfChG1 zED1wGG+_d{PfRvruNK@F2R$2lK`pGank_4&8@X8V%(G;(GXJJk z14oOof}C8cAC(&VbpnaNhzuXVzbQ#k6$uC0_IjfSn3Jc*k@scAVO}T8MR59V+tLzd z;(uymoi)uG;(|=VxI+ZfhDdxVb6g*y-9{NKrx&VhCX!l58{N*Fhi0af9O`aOIj{`f z2B(+f5~2&nYMMjFZrNh?Wj*%@xaQPUf&j(=ldZVrC7m#NvC0l2M-usj1=b z!&pm|VdiKqw?~a}aWe!*pzK!`VT zh?dma?twK7zqS4GHDY31fp8nm7&3`Y(be1cF0&bv0NO8Mpv{0+`#g+^fPC_3=%}Hx4mUB#JSgYph-R`oam}bA^&h|S$fxcuG?rw zLuHH4(02dOb`*|h;3V@^wa>@l-4iUG_G^agJVHQu;NR1SjZKUE)+-}DwGz)YJW^uu zQy3p3Q%&JjIX>VCE@(XERo9lnmLBL=cL;ziaeDuejIX-xdsnR5`4(}5gm{#0npl){ z*)D0%clm4acS+l2OXSPrIR$Ig0*Cjna@5oum)Oxt`p*Ihqqd){p%#NNlGGc7nIajV zm&+?r@@*UnQ`w^T8>0Eiqimd5Fy%02>aa(Tmvd8OxgmSFoUYVX+L>czKKPPO8|s&s zGr_)7?`~86Xfyt3LK4PF?DMZ6uo8Wmi=eZp^1%z@7_v*c-eewcVs+;Qt%a(q-2A#b$#T@tsK(N5a8Q+mLrZN|=WLnV5m8mLQDD|JAMOwic!QROvtGqv zS2dJ0e~Q}8sc01zXe_`pB$2m1X6`>9ub(Um=xCkpLt9g%%XJZWzgp)lj8q-JJ6c}F zLES>QjiO2{Ty^Nog?%`!@bL5ibU(n2u}GFt*u$!(t{6tc0kYkWtEf`@!)rVI&`KZF z3jMOxrw%klO7OA+f9@Wj)>}?F{4u!yp|y#-4zwXuON&iV*w$7XM$ija|LPMBO{vSG z9CWH@V)05T6Fh{iqC3~{=ZNg83S6#nHWKB#sqh7awGZ=LH{biMcY=Ky9^jyzHuv;s z%S+ZQI%K2=PF9amaDG#*H#^5-JpfnF|9W7~$N2NYvVt)cEmx28bF4G+bYx@qVw}#L zN7Ds4O8lh!H=zPPoenWkK5wYRONQ`_YuE@p)>o`ZADQB!sxL`@?R8mMzv6z@mP-`9 z37S^~-&JWp(Ksc=9s+yka)8G^+bS2P<1 zZ4T`^?9thCXhtRN{&0@xURAqjQAD zK^!&T7U7&Tg?dRB;h(#?Y{HCZ!>#?E9!Ncg`pe;Ng09HfitLhT_ei|E-9yq}#V;UH zWvh`^+s5#&Gi&2WgIvo;tWZAA;hkrUxjf#?1isu} zQvK@#U*;fAkZ5-{74nk!S}R-Vc#u&)Z6}ZDd%Cg^EUhr@#9$W% zLllySoamY|F(2HFbP;M!?KImAoQ{+w6iSzT=nSth(Gg1;uM%Alq`zCC5*S3AqO#Q2 zMX-%kI1a%dMtTSNECdlrmBaO5dxIvJo#jTUM6AqjQiKUXLfG9O?`3odj%t^$cZ1<4 zE=DMxE>;%Ms*WpY7n3OQ(*rNJrP8@!t&uNblUMHDfBKc_^ASM`}Ig+E9q$nYt$#gNaDp6GT<8ByXpMu}JRH^_cNf-$uk zf;{e_@3ZEL`&er3J>DRAj09At}OBucRiF^%mF8+P8uk zE(>i%I>WZm^iSjhR^v0#kV=x4&|;C|+^v<)KPTakdZD%!*To3`d=flrk;k3fc7Ts` zY}USo?%oKqyi+3F-VBRJg`7=vb?aob`IPe}CI){!Nbo#pMcW%32>({35zf1f`In_y zKrE>xHse0bE%-NuADN5I&F*ATwksT><0{HXDhdl9aWTpvdbhsAAgb){RB9+lJR$|} zA+o(lB6Y^~FP8JW_##NMd&U@24cypc+)DLp6y<}S&O5pr^u)J$6*{AW5L<6GOG6^f ze9*cL@4q(^m!A1Y0w|=j?WtnfNq7EFrJs{%fpXGn3_nagrH;E8sXl!h4|+>Y{h>iK zY^@fh#9fu#s+go96lg`a$KUTd+Oy>i<&5bP)0(;-7Pd1yMV2d$MK>AWRtHmn8O4%t zf{l)+f|uY`s{CGPH;)0nhU+q!o$9)Qnw_{;B0p5$G4q}0{-Ro*q`!ysQklE!1B(Dr zu@8aH(|=^Yl+KXX==0EGxyNbwBy$hUj40cN74@mCwcML4e9`md6CoDV%snYCdpVOF zKy&2JgC6u+Nj*wx?7=)iHSse8a#k?I6{#IQ2+{kLHp*=ZHD_O@9Ga_}JFOnYRjzj+ z)U#gx0eK`JQ14=AEq|QP6;}TG6Pe?DRWB>nJ;~LSXI^!i))gF5=3Q6%&Uq^>^4fdr zUH{@VKV3vD3>qcD_o%e&;b-P*?e}nSVVYZ8Jfk?0&0HH=sfTkK@7I&N|!K@C`i>MvxR!z z-yMdr-bRNRKMH1sbeDDtO%!4hzgh1Y6;M^R&#hiTuEpWkvW(6n4XzWPA|R8|Na^jQNp#I?1F+l_Wg zz-!$)%s2=8YV@LW1N`3^8vcMJY{%$RNA$m>;8)PaDk_GBMTCW4yT+%fC|t!MAkY0U4xHc3jn>t0an-iJAVBJP3i zPfEO|7&1zKl--dKd=IxZuJ67@R0X;_3tMTX=2rt1bLnSn%`xbP_OR7Fcohwr?bV%| z8w~TY0OcjQqPSGboHdsGTIDZJ&~+$Va-aCnyuL-C6pH}mZW{M*13LiWZ z5_I3{xAWfFl_V32;*8`?%Lu3U!te=s&gi{4iLr>3tG;s;6(tf=Z+=gSNE(5K2cct% z@ESv2CD!_lFo}$V*XnKPl$MA-_&j4p@p;kl;05q+52wnG*!)-qc45hxmz-epP`Y_H zYLV0m(s&}>*xKUOXyd4<1H7}y7 zf>y=Rc#W<5$UreJH4$A^e(xKrvmdY@6v8((XA|zrf6S3cxV`e*_hktoiT^)kEFlrp3U1UOna~O zAK1-hSn(vMfs3-d`H3XmK>xgJ&ri46szBs+>sL)z;i7?$N*=e1moUd$(AM*gWv#p) zay&jqRI4W-)6b-v`86dxY1Wt-@V;-^`W7>mu@*M_gs}Uc9l_$ysFbF`*)yVrj?qs9 z(I$!ZC;p$>=nSG&zp2`qi9X6h`$?=p9|GukH@|)9NIYi$USa5nsquOC{@!+D`A)C z+$GKB@VXr~G(UEUW^M}At6qO-Kb0H6R{q85Un!m=!J{PN@Ir42w%t!Lytt{WtzGI8 z>*C-lz_H(K&jla^D&gVbsTyh$Wx2i??Vq!Ft%<*yo2$>i>^Gd$CpOeX>^5Ua=J2@9 z=}tB2O<)_wWs(MHlVu9H#~eMWM6Y8g;YUGH)m&g`??zbvgx!ZWXjBW$Tfrsc!(5DWV zv-WS{mYi>kraF^VrHT2^@Cn~{RW-j=4ATa^Q7J!3!4WzYBak@^sdTXwNxCiuUM7#i zK##lex@qr2p|?C&&Hvi|W@C9oVIM_gY<%*0Ho_4hMwmeYwchR1^OT+} zI@mJrO*E6s8dFO`+ibtZ+3;_(O0-N2#YG?8N`#i3Kz zYi`^A99)o2J=3DPXDT@?Ceh764kH#X7+7N;y;qz3(hrh}z=9@-_SgT#3e7w*R)Hjkt?j=6n=^!ApnT}C)Rxz-6g8)HnB{oMoG8%>i`Eq2FUnAD`lOtS{Wa>ap>-!0>k)5--4-C&T-uM! zexLs%EV}EJt5Z{181mO)S)wn2kg-kk=S~W(*EbsJN>VW)HYP!uPgQXEzJ}^oLQh{* zzb#B_8T!jY!J!s2RX2xRbiO)7!?|0xJ)9ri08Qxy0(-tEi2sIz`!M9C-J@5mk%$ub z_(2%P_XMBEi+kwusQEGD1@&p)KM#^$9l^)k-QYqUE%<0Kl zVAO53W3JM#5B_Vn!Dx<18l&n2Q*=hK1c8ue)pjz<)Qt5vWG?LG@6YPi69wH)KZeDE z?A$G<%(qjnlZD3EC-)OsB&66bmHl-hBL;I zBnL|C((P26@57gxCe6ll&S9}ALYJMV9_&<|X?cMw6cM5-={v<3KIFl$r@ZCI{g(kx z49a;T>({rd^La;u-!GT;8TuVNz?lB;?}?bD86n6fgqQ@o#gMG<$nvtfU$QKtgkig` zD%grV!QO|l2?HC_Brb?M5W`uP5g_6`8Ki!!FqAx~ZVaj8QKp(=x;(EK5wAn#Ybfzm zCKS$(5&AsbY@$M=we_H^F0XfSLSN``41VxX3_Ym-+0|n9eodr$t9A zmQL&>PN`cA6Kx$Gi}uI51Pi-utFHOaZO3eO&jeLtydT2k$Ux0ZwNgu<|R@ahS#w$lV8Is>&C=gPD?j>rathmDskPw+jAA z*m=qJEv!iNF=xck^>B7OG?MS|(9k13txdFN|Iu<2eOVs}_3Gk)tCaJ{g#JTky_yzM z26;S$;Vyb||Mo`dbJ1dHy%tt6-==CfI(~pEu0|iv_W&L9)A1xCcB=R7lMY_=eH{Mt zUSwwFavYV%t#q|`p;S73uw-z*i4Q|*j*PTP(;eH&FbTR}GNY13P&tN-r$1DA5yv80 zQBnUYTody@FL7N(ejOOVg`)x_+nHI6g9;?gV{9?7l;?lULYh#f$vTGZ`<^F;POIXTIo3FKz2$PrpcP4R{8he9^PgB`DUXe)J@Ttes;M5Xvzl(oK)hk;-Thi>6-q-;3xjG$3#b zmV$G9*KJiUJ1>pv`kFEw+Xrsrw*o&FId7VoAjD6Xs!Pxfk-_O#ko~dT6<`QnNe|zL zGkM-kkFxaLo!z~xH&}dg?tVg6>BTC;GW{r)jvZZoT5kEmYW=p^!hw_5nmj0*B@%{P8a_soBuqRcl$ zTr!~)Sm*Tel90o*km8dBl#0TaQI5Jv`ySAt47(r_22n5WA$=_K-2cYKeS#+wd-~|S zMa6g;lI@U9@Qa-kKE-D5%X^+~VwY6PhLyql)CCW9A+y0n= zf1Zpql{6s`K|Eu)K@6!X@&GFGoKMPaGOxFoC=9#~MHHW&-C%vY`T#DZO_ zn{`18H6NEaxoT4Ncjs}mgq)gpS5;A!P`JB-U#xA@b(}tfsKaZW>j*>vz&ZW)2VS1* z+1d-N*Q?DM1t25L^;mA=y9|jvj!Q}Wq0-0-C~A@Dgn11EfBd~4T;s1N$uUhJ+{2lq z5EkTjh{ao8$kvh49xtwvzgo_*K0`#mNzXf&m65!g-FNCWqE~rPgXWFh5T6kN-M4AocHH* zS%`m{V)Cr#0v6}g`M)WrBiG&Li%{-Q8AMWaHDcq3bwJrv=)dCLjnL(dzOal#+hmUK zrQFtA+!N|pe9C>k@V%U={QB#7f>(AH(Bd+11^_NQiKb1Dw)Qyx?Pt6vUCl4>X_4Lq zv0iItXk88xjE4uBOBIFfK>{WVNHT)gE%=2O!mVm^cNT6v1BdKdgM*qSn%@kh5D=XI zC;~rggLMW3Dn~@J3==bu6GeQks~=oBCOfzsrS`D zp)AJ>c~S9}FITt1x9je{psA?pds9pY(Z#VN`gj-+ z6fL;ZP`iX>^mlWw#I}6I7*Acyin^qP`pZ-&Nx5v|&+%d(^?#X{6}u0j73)Fb0JFBn z|C~5Ixi#nYlP}Z-N)q9p<=JY8{<{e+L$|1VU?VHlKiR3Ybu47S3QVnN!N+)zjS&a@ zzju*})y*qlF)YZ}V_-}FNf~e-X%mk}EH;rnNHF(8927dd>hm@iH z!JiGh_rFSTK}Zs!L~}v(K(%lML?RPV1_Tg_uGEFLWsSF9kEbLes>9|-76fh;j#U?y z<@)LFMb=@Nx027^F5_)RFXNHt$db7h_QMHpK7m-C!in6_Vc+n{4f-3qj0D8IrfCyi z#b>!*hUD*_iqN9oU&-PNO%wQkmVyN&Nw3OCeYHz}WpH#nmu8V9M<@I%dz*fL%!RYQ znVO?M1BANj1`FS2gfEtM_X@x_Su;1x)ywskbF(Fi1D81;9a9KcKIHk9Io`N{be`zX zUt4hD{!M{Pih*1EHOaW|MPUDRq%}!I^Cz_R57D~3E-RRhyIDows^0a*qm@R%_eLXr zeYXn&3Dlc(WXi?W3~B@aXKAk6nt=xXdQd>7Ks?y>bz;Zk4S_D2Wbgb@q~LMGTjPvE zRrH$PU-W>^=X5>M3IVIKEYBKzxT;PsDY2W83{??PQ-uPABiV8vAXLT*Cr>IdT(qgaH!aBtW;Tr z-`uRB^x9N5mMDk{eov6f(9;cla@Db&)`8r5IK{coJyY0`0hr#E?c4sHM&Vu8t@&Wi z;+bu+%%$FkdmXE3|2cTv>`C3Zefb&9FaTV!)b%nbC}E|J%jdXJ2%~Jw0pB4@+OE|b z`mR{hxsO9uT(CG12QMKuTFZ~#`LR~BNx?CJTy%~8%tDwlmyg~Ujao0DAg}T>X||YF zncmeGcirjz-mTAlQQbmCgxNIYwI3^ShKDwv{EG(v`g)st5%cPwqXQzx{F=_UibJIVK$B`Lbf|v-8&WxLfB^QvEbI{II9fcsVfHL@isEwk5SX@_ePd5aOHO4s8m-i`c?4xgD>nplRK+EifS)|PoLo6JMh}vA(9`?8@A@>B##&TGG_Tp1MA&kxXw3!e+# zK-JiwuAkL@SN11s%#u;ogERit=TCK9+mSjABD)ra`S9mO#%xsaOR57~09R|KG@@_5 z=u6-^MRu*8v4eI;NUP^1%i;3!^6cX;Ruv_20DZyTlvi|AzCC37-Lb)H&Y%=|cYq3l z@-?sR;y34LOhtbv9NIzWxd}xBtH^7y$8~Luae0#Qsr zTnw^!)zGigDaEnhR_+E2eJ~ZO`6)-hy|BETzRL{t_9>p!>8_4$cJv1m$@=Z2py3;l z+wtsIIp*n3f8W;Q(yTqITkXq}fF6jC0|DXNv$+O``-HKo;^MHEhjS(p>Ch~Pciwlt z7b1U|S#daY!^@2hv~u?>WsR(vUUS>^pH zq~%F)adkcVNmRYidHTr~ebeVvlF;i33fW*^aKufUgv z3}l(>qr?;KY`VVk@9rO79>2h%p(}q%taL-hi1{}QS`v4+_j=Z#mp8}Nzwr*wi#hY* z2+TnYHAAF``DjEdlc4|P5BZ-^9(6ix4&Pml^_iaNlm9RXjmWo*7+0q$B$Mf1VU$l=*!3#Y=!S&ik(Tg~RDe9f&j)VrMn1%f4v+-mwNfekYJG`HJfHOmjF>C~XsyBRc&4 zI2q|T0e9ZyvwIme*K49$OZzKM;ikTVjWy+GoWCZ#w#)~Y?(3Z0i^ZKABJo`y_K$^l zkynrGhi$S8?lOEKG5`C^wu=(r-x{wIO*}OU6w98DoFof;E3kh=QxUpX0=$7W)DFmY z1&K{m$RZ|e6WJrgrri+syC~>Gw$+^x0uA;Q#wPV;j-6zOaerDZwfg(}<@oTGCx(Ze z&L}Pb@z%veD*6TIR9B%sFmZcejIeMdQ!)Cr9 z!GL1hF8!kd-oJLV^KJKQgt-x9yp17Kq>`6*6U9RBZXKbPB^(c(>nVYJPWl*?kV|a;5L!UvUjk_>Ino`!87zIKI3WEtkfuB&kfp z=1jD$1#8=z1aHr9*6ZJ`FP2XTvZ)z8F9N4?2)xS;Ns#ApQQj7f<*B9rQp8T%W>K1WkCqUCq{NgoEO#6F=mI_ zPK8WjwZ9iA@EFx$Q^iR8ev5$@g@EDj+k)+n)YRF2hAzd9Hg2Z8)ttuvxSBD-o&Jmz z@chymH8KMj(RP3PE%XG>^3=%0gq(%nAxRYGuhSpCZ#Ec^^YHxaeDR1o19f#>dG=cy z*R>5#eEuQ8TO4=Ve6sxvx!@^ij=WVz^3~=G~Qysi?##lyg?@RqK-;Ff^Tm>Zna!U zBm6M@{t|ao=3G<(FuFMeTH3U`0)%O3X!wndNaiLXT*9n-F09*Gg+H)KJa?>L&bnb1 zTr%BrAmC}Hi{&xj+0UBKnX({?hYF4?k!k%I$zcDZa!fs$SLK+k$MFsh+06~PmLFkD#ZPf z9xW&F;DD}EzmrcQJ!_6%cSuRmI0D?qm^X<@EycxV&b&-a7$P!FY=v-?-^L#ahppY* z;?De#IGBl0>)H-dSjc5?ei03R3kyu8|6+CaPcluF z^HUG`?>hX|aId?Qlya0jxC)B4v{O<5h{3$l#lWCikJk+!Bh7bjF}VLQxL7``Bfn!< z{Kl>nrXJ;^NX7rTB#nR4kM^pu!TXelpo+PseDAKIBvAycJ&Nu?p=46u0v1~?nhWD= zsulTUv+$eX19tdu?&|$pKTKhQ`sIt$N=4bsX-)b4Ot-INSG6)}K9%?Le%f3%|3~(e zmX7wBDm5I=%mec&!yhw}dmCNJB3af#8Xa$Jo;Mnb((*{kqN{iF`yUaZ1nCd2y@0b3 z87)>gRHu3l-#l@+;<7=%U7sz8z-+d;jhC%gQ!6fafp`DkB5Uc0Nf-|G+!BE=uV2|6 zVfxbp%(xuetm)2>fELJXQ+<07_G~5MxUN*l(C=8<=VD;7;q+n~B#D}Yfrmvq4qL7? z9wB#OJ(!Lg*Z2$1(COzc8q)guoFAHIw)aEJB(^?0{K!aIHp`s7=*J73KtMnG5Q-Gc z!{WMAtkOsL`T_HOpum1JmP#S#q|jnUsqYV4N$S9IRu%Le2NKS`cF#xDyXhj;VWiN( zpn&%mL2Kb+Ez6gK$ZMA_qsmM6AyQR>WBCL@9&Q&XYV5fl!3KweBYe!~zNI|iEKyUv z`}l^$g6nUmt(g}H>Y>XG=&2iOosUpCb&uQx37sMP`+B&%nfNn|T0CwYU*X?qt7%Kg zq7o=*1ia?>c%DmCWt>qE6W_v*->YzX5H|9)K?zovYlhQZiZo#HRKb}?E#qrHZB|u z9WwttYoD9z!zX^P-~{0VFIr!FKEv(bwxzsU8k>Nh>OWKgz$C+XoXioNyPXnMRTa7} z_WNlESlec;`-dYH>gm>12=%W1%z398njREUy+y8v)rC4;ZumEg*vlVgyR!JdoE&Q1`fS)T&MA5M1 ziT(%LL32!WiBInHzhP4k57b7hXd@&>;KSmH!}SA@l%Z=MLUihfK-(J z{!KYLGFiHmj?c)-S~MI59}|<1%+S8X24`%y))1YXoU->?4ii3*nwBO@Kych(J?DXl zfKm_^20c2(YUFb8(vCo<79Z>*nfyBr3@J+zhEI$(%E3n;H=>7wwZOQn-u$~gb!XR< zPdR)(72#vS{#jz9)&h$fWzIHSZ;Vg{c9xEcK#qiLV2w=aV z8$PfhVS170lQOscGy4Lin08=>tp0%1?Ns@rA}ZD;Y0gAZ#S=#2426GP+QhN$W2;p2 z>48m-!3%349r6Ct<*ck<8FoK{ExU0rAh&}GK~&$X)J@@=dUxFErl*3|h@7}Hz(L!Q z25H~MJpDT=c)ES_%3mTuI(vqnLV*~j?G0}N2p|-tAc#r)8(d6G%1>V+x$BZqJs@;= zY#rS91bhlg*p9gHNxIEFzS}<4B`2x+DZuSVHuUOE>_;o7No2HVx%6m?!VAX{@cS zc-dp|oAdmz%vNu2qJtC|!s#Sq?tss&k zIaG@y4kDS9ESP2I>!O%){UDc>S8uA>Ss`+7bQ;98EdP!Mj~Z?-BP(330dDIsooyY_ z_h?aQ?BRV?iE(EGQMNBJJQMIg?X^v8jDb%btMSOO0W<)(8R{SGT$u0e?JZ>C5;ma> z&9M_tF#0xUi-K_vqUE=tBplvD2vZ<7n)3KPUU1EiWPudB6?e`a0~a`*rX8Lt@dPcf zgEnoA390F&Amp^_gAmYfmcOIkkG+Sw_ZwE;oVz)A{_BVpr7b%HG`m!1l2%wGhCEI} z7)%JF31aiCmq|FwZ#w8<;3B5gy`pdf>L3U}q5^#O{W>M%JjveP9mfcoGT?haqa2azYID)1ul`H(JJtZ<^Im?LMwC&-VyAF2D12|t zKwpi9AIJX{_~fYpc~qyB_%v9x9Y(P?hqk0E!?ZsI0d8!LlM(V^tMmHY5c8OqW+}@R zH&f?wj88=_Ylwu)pI(F;p^|~=iK(-gqXDRzfcf1ZL}a#!@oyZaZ*TCW{myhMBt(qj zlt2+fb0s-%fdnR8h&`n#aZ*cWufQ6pSC&GI%)!t`lll*YP7gRRO$Pd+x%qM8u^=`W z%e{GRIl}F{k1g8X2XrlT%(zok9mXg_enL+0R*%+v4_<=d8@|}oQ7oCM+KxJotp8T( zaZ#NoT=W%9$w}VV2E+e-BN=Exm;bN2o+}VxH^IAE`HZ}>&0hI^Tmsp)A+Gtu(`^_< zP&JZ`LRDatA^7?i>wAQnh<;79B<_UaQe@p)8Cs-PXz)#n(A1`a&it64T zWg~c)9fFjyerj~cB6xzHPoyL%EI1SR z`Fo3Cm1HytnuVe>q|@TRFJ2dI^DrIVY&A=1F_niVNJgF#qxelR13Td7&tMDf|NUkP zh>mMY(F?3?_P3(vIF}tm{Dxfiml!D4F29}qBc!VFr2@jOFG1=EA1%WL-H~zf4*$AB zn(BuPvaY`8RfjQqkir#RKCxf@ae~>?(&-tKN8X^;AD2+0(Lxoncy|#`3wE6Ouhao= zKCD-gM#EPCn{tiI`_}Tk!f@^C(4oY6IAJTp;)EaHD}2|z*Cc;pQq#!Oi?CBeN4V8} zeNDijBd70t6D3EC*1mVuPc!@MX)Iq+iv$@mH6_PnarP2z1MFVum+$Vx)~^}+*R1}% zKJZ}*yxbLfIyHyO#ZyNG6gp5{{M~JDF&yA^l~y$O@-$gaYC^h9-yvU0nMR zA_GrwX6_&kN0qs!NuLfTc2BO0q*lAP_NDC_RXPgqAxs}I!OI0!!eZlt8(OJ|eL1XJ zCjWbugan^t5=r$1t)|IeE`~<9OrD(V?dzHV9c0bjE$bZMtfkm(~8SJ+EXkiDl*GasoC-7%LW+rhz|l z269a-%?2c02@{~AA-K5$tA(B|96e*Kx(Yh`E0mU+=5gZ*{+mey^r~-p7z6$N)9zaO zgXdbQf0w!6IP7Ve^;=V`JKs#~O^uzeAPozwe%IR1iu40$DpevLhf=u9k3=eszjn5lGORnqtDN*rt}%ZmgqsvNr}nwp_=q9)IV!l@t7rY<;qljFog10dtNgz$D;^)% z#i@d{!@?uyXz+51?6DIBEz)^(w7oz-enS2;62XQNQsLGUPGHS|ava_5aM;g- zxO{t3c@@6e&Jjh5g+e1w>x)1sV(0=F*#B44^6&xx8;1-)>(elQZ;AMiFjmFvd>wnUCbn(n^ecmS>t9yTE%rBCf^z@1m-%k5H8fbH&Qq() zD36UX0nwP8<>lq+BT9l95^o!DdC?m$C|TuNQw{<=vBKioR%}&UheiHvJemgTRrZf8 z$yrY_Wx1!j`4MUQMYiD#%a{p zwrw@GZQFL6#&*)!YHVALZ8Wy6lXv(3JooJp2eabhY5e~aQ#RVkU2}K*Hbk76ivV?+^1jbj1JV)WQN;3Y6Jl> zrl~v*3Crai%ubY$UG5Lcx7J%yXpqx~*ZOag~5T%F-l0H4BUKn-C=# z)%TPtU733G4>3I+H^;LL|25Nwy$2`m&Zmv{Q0`9O$zFjgL9@DtEMUgZrHivAAL*%$vL5nH$ zSy*SVgzL*S``ju$URY*&28KK!0Ve9IadSUDG4?wZPlpZf^`~KQP|$R4|LYu<92&w5 z1T!FG_IUiIi&0+SSd-^$y6di2qG0c3ca!B2N?-d;z^*NB?CeZ8ox_d-fAGN~+o?|W z-QQ*})O9}@QyS|E{(B~f+lN5UvG_F|nwO4mx%XzhW zsj8__KiKc>?ZG;+gD~lI>D)1(5vPSV0Wp_4D~u|3@rmCwzn=s~4}AW9Zmo(HyeCm} zk!iKM#kjr&g%%7DJj$!9$1H;#AD2xw7_yE0Q^j_rsOjQ*yAl~BaB8+nB!0{b4jx4O zK2`gD>|F6lBA{syVCrst!X-6QA*O1)qySa()2^z= zO_z3LY2-PKiMav9M|r;<8MyUW42=7}xH7#I{%aqiu$;GZINx^;^;!TuGua*B5tl## z)%3=CqpyWJ&Gz$oBG5EcRLD0xE(fwF3zdnB>OGb;#U~-5p*FZkK;`5DJ$pmw4?s}v zO_=k8@Xa;>{HJbO5kF^|Amj=fMjR+42FzFx7?ROaQ%j9&a%!ra2UwGh4Ce$)-t(4Q z&piE@8fo!3WG~q4CGJH7WWDE_HhNqQqVhAWcCqj)k??sM3bq1rj-#5iHJ`xmOdlZv zKxZG+HwsfZUxD=vHZ39&WokDBDfyN{E`7e8`>Xo{{^OkL=*S2%KPQtM7R2LlxJpCx zH)~}+dd(WcW{=NJ0ELkCse*gZKF_)Ug4TyYbM5hVs(bEHH{O^O&^ub3^E%9y|M5e( z?tqQ7fIJaiH3e)Q(0qP5IlVkCk?Ia(2pc7~)zH(EDHtx5OJKUM>&Op$!JpOXTW+FP z;h5zc8e;`HUOWV$9lqX!}2B>AZJ*cJ^aTGCjy-lv%Q4ukH zXK1^^gM))hh{h5C-N_ubRcW@SBc3m%UPfE5jKjDS_YxEjX(HJ#8$#k+%ka72`#%Xr1ta}>e^9#3)`jXx9UIq94 zeI!Es%l)~WFtO3y%HjIO3D<-d=!u(%= z3SMp1`5$70CVW#k*}$eNdoJmz;{GovY?)3gx#!t)1%17zr~3E)$e-|PYHF*dPD~_Z zEg*%Yf6||tZ?}r=8P!FP(0I;m)>-f4K>)FIur~}Rrz{K1f0d5+^)@GxC;)T)zvzH4 za%jDfchA+v{YO(B5O~&brG1|Y_v|Ossy(|SgnvEg{TD;z_JIk@!^@mEF#PwWC=2bi zMzl@R*2pI+CZOM4HLW=rk{+(^J&MS9mhk`1+n4XuLtG+;?!K%4Kc5i(!CU>&No9&J z(8>#;vTXIa^Fsa!13^rv@_n-GzY7dH`Mk|r(wjL>^m_9z2;9m2`J69lXZIb$P5*P5 z5{W?^^Ue|O^~0fptmcXC=?lVG&KcjEUScQq;t$6E#n_MxtK-p)0Jiw|2>3oZxuQ1V za4gMVaf`08%buLTQwM9IDiOD@+AT?u+<7d->Tns5(8Pk=5Cs4}E^t`VIgU`TQm#q< zI|E+OCn=}*V+`T3$?b>J>tnxzu<_|1D}Hx91+4|$A^oV?aC5KYpzW#ux#8L#R%e{t zO%kAK2KcNg%oT;5N{EaAXcBhxXV;U$sn_VlTloy(=6v*Vl&?Cb*0I`j%o+KWXUj5qr5 z@26s}|G7fG(qbYzYu~H5xf>k&T&}zyU~D!+w$@9QBrf`q!4R_k4h#(3Yhi@MPf9D5q@kuy=DVN`VwwR~zZ$MMWGpnHAF_(z zLdrp7KPt;Pz#f1sh^_*39rv`C5v*P<>W_f^s-TT07+6E$v>FLLq{~L#50mxzqcBG< z3PjS;2})bklC>%U*q-=z8^K;W3V{}0C&E4Be~AgB8O^_`nd%xEG8XwE=MRmBm5C9U zUz`I*y2KuBxbcqEQ`l27P9`*U& zRi7wEp#3Pkw@IyDy_|-kgs7^GAo-v#PRtJt{OGI7 zFezV@Iyg~xBT?`-G_7GdE@3QUXGH#~)&Surw{x|1={R>vUkuQ-bTvBp|5-e$;#Dr} zbBB8s9mYKbDmgj3TWYDj^T z8GS!_8SNUH6qkp0X`ZQAxyAp*Z$Ug^(2}HHp{?+H$u|EUw`ul(UMuO>ud&s}2Ddq$ z{Tbk=YfK2HVkb;;o$}SRsJuL)u8xJ8hvr-How~ZZvaK!E{{EqouWL=5OsR=AJ&ii? z57`&fMTCz(v&f6R^9Hb~N{Wg^_a?Ho5W&GA(!8WWsaZdN-n;6~gleei?BZ>Yg#E@? zroPej;GvmUvrk$<-kqLC4kaSx3u07B%Ci6<9&qH(^w{jFvM+>WI)@4Ygg45fqW!zR zF~YgUO06B}9-h281^(6QE`xYPm`H)#xoKppH5RQM7OLSA2aL+Rn;Yrw7lIjr2V$JI zgS!M7yn#=81X)M(2znh}A_K&2hxCz#*;FN#&KzcK@(%mXvUhZU6*DU!0Y#fia)?>3sZ zl=Y3sm*iySpONe!Y1HGyRW-lKKU0wwzUaarf3Qi(<^qMf^e)he4;;Kn9gOp6A;yJy zR#}|V1`$=j+t@Y?vzZ>U#d2^^X=6gZ34|cvRk(~1KvYCbY<)`}1PK3Lp`20Hjg7uYOKv%CHs0WNy^i}K2uXA z8tS2#)pf$3=IjR4$7c4VQ17*N`vzclkM>j)N~#4uWY^B{4P6h?3ZOZ0X4~CPF^I)d z_59KI(bU6qegB~IlGVM!6?DDD#PEYe{T`;E!>GkiWLrf*m+{a?KOZ+2abBV9R+|c1 z;Zs#e65BpQe%oyk2sYG`U=qg_`Bth@5~HfFE~?XPn>U{6`*JeI2#|H`P3ttt3*xPD zYH*$hwADl;H|9Krsf=>65=9dI(tZM zHWuZv2iwZkSo}}NfkX)C`|J&VuN)B(U-B~7@uYG{mLoFo&;IYS9H-*(nVhub2+MKz zoHkh&wCQ~)18AUkE~<0gMwwV1#ew|a=V`;tICX}KrJUwFP2i7Vu+dVJX4VH!A1oW3 z6i~kEdhEHL7T>dZEIN=JY3BW0XoGZ_`wpI82cBNv@*M+Eot0Y)SGOnAo~Se8t@^}c zbg=u>9%ED0?o=I>wBa$Ox7y(G3B1*E2E6Tj%VWkO$G_0-$Vtw08k*;k-jB#yxE&C0Ie>e|9!W|*)uz%bhS0^Gg(i{4(+=?4+TJvsRx z8Uca0SmC7n2|4VXcXkgTJduIoZ zII0x>Ivl41b}(I?6&1g+6tTtPtG}x?Uy9pXWQFn_{20cwETMjkC1P zVp3H%2*Y}z?pM?-i9ewMbnX9cK8Rd%<&55 z=5G!EcRTm2nnH&>1AkHhgFoZc`77}1OSH>a)DT&?m^W|{R-oB?8s9CZMtQ$9HYYrO z(9yfw-deTb5)N-@_hqL2Mo0FaHyrQnK@Dz%^8Tbnx-^o0nJ{SElkl_`23``3HNXPYLy{hObbi>Hc zhszrzPPgHNNZ=XPq_%Ccx6<g&&ran6~Vu zk^A9bGv4}f1tWi#itqdJCDoKU8rDvB!ue(TIpV{CUz7Pg4bN%j?cFbExpcBWx6S_V zJSQ_n_?0^C;_apJ>a6FFz`Epmu0*{5{(vSM4+@ght~KV4#`14C`{X+whQj7{f>v%=*Wx@V9T6E* zg!ZsT#-P5~qOO`WM~Wo)4Hi#5v4slf{+Mb$t-?SUkZRfSRBplRZxPTFYi(`)mKGdT zj^}ye^$a$TvuaIIpTS{Q+}vtA#eE1qIyHvsb3PUUp!(ooG14Ca&NzjOnSofX`;pZ{ zbC+`mVKKP->rR@r#v6!cXDtRNL6p4g(l8g|v!u8j7NaG`?qul6L{6I{qx6N4W1KaA z3|j6@j%rZm+vIp@sHvUExLc{SJa4SDO%7om>JQMix&HEnhJ+|%dra;a*IbkZjl$nr z9Y^r3wzMX3*wUEH>WR}Xp=l{{}ue`)DVw{j-CHsAW8ae+!boz z3&JKgl{~ENk1e!fJ&eFDK9SH8^hja!YVkYMX_5dDKvvh5czrt5nibDl`A#$ouI8+BxF5(Gj|KV8rC$ z;oKEapB@{lPT28%xjC)=Cn#M6xL^ft23+bbl2iO32k5=BI0C+0cAFhq;zBwun?nB3 z_yS?(Q@`XgezDn4j29mqPaFq)yfflEOB#$C=j&@KOXc`IU{7Rl#%}uV%C$YD+myDn z#N9;Dl!@J9pkZQCGAawpo886!_OR-o?_QRQu;EgWl}}8_V7jgnTU$@$HZ5h~){i};S^WzC3Kh1`1iTiHlRCGBQ&1O&c@)F^SYLdrju zR`&86ljh>$Hf?}T|3zFys{}-j*9kNB9~RHsbELg6rOoWlS4q6nrK%zc(4`b5Qd%+Z zTiWix8Pp9b3bxke%TlAw()2B3=RustfYS_l>YPFSN7AkRh7U|H)T+mkBz z&80ZXb0-@Rw<2uZd7X%U0hY`6+oV6P8~2=%{4hYfkCj{BirSeqc6qviS^^fan4YGV z)}UK*`4rPWhUnCp_-3aLCt%^h@Xr0t3G9R9!Awq_e*F*lnOT8*2W}U%ss9PIS68-{twXA%I{RUra*m51V1fh*p;^c9svI(vp-W$s8~I z&%B~6Fx)ou0spA?6(oW>^dZWuM1uf?m6;6eFIKAze}0smnoYngPD7mlO(BNA%aX$H z&VB_*S+^*DLHLyQ*as`E0M5B6X_1r;P3)Zo|Ubn%JF8A*UrH_|X>PpWcvw!3dED8#lAh4=En; zFf=4dBstan)+VsV{{}cwM8Tv_dZ#{A?%`#5##J5HAC5_qt&gKAMcw#;?vacw!fbTE zb+GPO4y1B{5yd!WydTnCU-Fhi8}sa4iDcF22b}VsD+>zI;DU=(AgtKZePZt1ZOX`W zZhznUSYWvS>~%3)lp$~%f-T2hSCYYS9{pP3meGU=bRI^<4Gj#84v8hJC9^a>UVr$E z*v#Lq&FpsGxLy}&SYjeEiM41{3$W}w57{uzF%M_u>UC^0(xE;AMhc3}1pG%~q@mME ze*|Hr2)vUlq^~ZFm&W2?vnkvxp#gfr%v>%})l}Nv57m6P9+n7R`}Sbt`~vD9IlYms zfbhg>W(SFOt#2!zg(dGK*SYJ<&h3=h%jMr*2}K}9V`jHCxveVA1&_&4DEt%Z507$3 zizsg3K5^P&yW_R-C@ocPeuDKsX)=a4-B>Ks?AkMIkJMdN+WDI%F5NioX2A zMAZ&EW<&;NX>7b1Jq@P$bUIw$cN@~~ztqHk$%%=xFWmd;>rt!EqrWWhB<$9j(D*+i zSD`BKM1UT~s2w97+Qn+47Y50#sjcO*=AP5h9y}KNTG)}Ie=Rn z5gsqbNj=1)oN1zpSzt|phrExp6<`r+qk8(2*C36L~9O-E7VbVpm{KGYY=@x2qkUk&(%`w+gFyet7>^gk;AV6dc>W|F(v z*5rike!7{Z?|BUgB*Dy`(-ndTpOezi#=^_;T;*0ERqE-CoshozRd)Y4KhROSNE?8HhB?&(f=YO?Yz zruc&K>2;ENl%0<+6VSCUZ7EE+fv?eTimR);X;sOPz~wZXD__X?5E6Nla{CHpKLWD&l8sWo31=%n1L+R%CY1vVSWo=stQ&N`c>*}2aS2gthZ`s3}g zpLngHYpA4FZQunUKMqOR8$!5_rA*w%xL;7w#ZANR1|+#v^*B*x4!B`${q$if@|YS` zWN!aXL{S3db}q&&XZl*vFbHHPW>ty^aPJ3GT_?Q`m6%FcgD>Z%#Ql07LCk1`1z|fG z4$*~diNnge3GcW#SV2hRmSFrBN;jQFpy`0@VmdKYTJzoP%?sD+%0&&Y9KDh zXEhg7Gz#@JG2S^|Hc=?#+{BYQ&J_1$8U9~<7M z14d~p0)~gj$ML-Hlab2i8)?aS2$%GHeqcInp!D?znrZwgEp?2Dj!BxC5BZcqG@;cZ z-eqU~>DxwRxRtJLVN+S8Aw^~Pc$x(MTJs!-4`Gh~GlJfB{i4mzvP0TkL%u=4yIOIb z(a+d=M#a;t^4~N^OVlPnQL-^9DM?lWkvC=s^#SyV!d!{To2Kuy(6~ATl&|Z#le(=Y zFfiJomd3t0stJtnib4qte~P`Dvi)v=+a#>(c5um` z7pb2KJ6~Te+F||g-(mBA4;G^z5uOEBXtqy8rh((Hu@$snQ55^%bq+uujd+4oEyh3Z z!}<}19n<}xL?@D#x-tIiAVQW~QxoTXe?p!?ijB5suJq6pJa~^K``f6~=hEve0=-+fmK!e!0BLrriJi^i!PTi5$c+D=gG=+T z>}h31Y5wRcQ8_G3zSk|L@<$gxHSgBF-z2`_PLRRzqg6eS@p6|{4^=T$4RT*$Cg~R` zt*cAOFX*F6d2f**@_;}dF#F9p_mKHbS~@I`!Jk9?CiL%Lp%=G9fB7Y)ebGLqBPnM2`D5q9LNHmf_%749h#mw@1kn*OF4d4&h!46O@NI^i6 zCvvmRke9eS70vpU_A+-(`TDv2Mo#troaw*+kO0+geqL5#u$jkfls@N0zJDVlAEtn$ z?*q+{75V>tYoy*!)=JC_&3T9rWi`7`m0LCO3F%~twytbY)Q{8=($dsPuzJ$QUvkdZ zMn-9AEI|qENi*faO)IZY_p!fR$CZBG|N1Ys|KC4iB7eo?e}Dc~T1TPSMIY`kv(3u5 zd|_~&UFuQlR;y+qU4^%-pYu)Z_%|t(__ivkMALjbM_nQuYSoqg*aQ2**H7*ys!GRY zLpNjJ!G2gpT0i`pLWh8as55x7P?85<`Jy?Di;643%v_6xfl=&{y@yvykBd#yS(Qc> zecwA{{JEHtG^d9!U^2eo|GBI|K?L?>>(F<6;^`@hT7(}W@-m~fasi(bJBcWqiR=iR zdfwpCzFfQ*OwRY_*?=SS$I0Ub$Bq7Sj$`UoZG`tnV}@|`936DK6MCKP2^k?uu`Q9R z?tvJA*6fXi<%ZeX>W5y|d$FIbkTfwHTKj zDAP9B0L3;q#fneBJj(;v(J3@=2ng{G^MAr9To~OTjDj`tN+T*@gQ~1zLI}?%yCa?; z;mT0snU>XJWEq4X@RYi;E*E+$wmC=zGJy*8ADFZ2pPr7>66a)uMo6XrY*jw0r=JBw z2ZL!k!o_uQJxqo?Hbo5#1uN)apM>4=@EfIuKM4+6@!E4cS7TG<$Gr{PpfpU>Egc!K z&~36v5$nLrW$~qw>}uI({_gf~PzeVIs?M{9gaQ-AAeFcx*Zw?i{^65y z>97O7M-QdpeV7g8xxx3JYdM*oe9*_oZ_u>mHogX<3)D5;k{FK?uRpa?bv)XAsqkb?@(&pyTv2xJtu>+SWb(3{k&dF9o=ch!aqz!G`q%b_Y-pD0O3 zEcnBzaZ3i?(A(6VQ%&&wno0Xz;1VennV)YfK%IZD_kWy`?%Sglk6<$oKF!*DS>xgruZx-=;Go07f*gK9}WO5?8WANkAM zanBy3{P;)EAMxST=D*NO33CB`a8*?>@LNHH)zaU%xtbcs+EQ4=T|`d8Uzy&kkN7~F z>E1#MEv?8meidx=6LP9ErB)({sXRpAjxmPL)h}4}!;>YSX>C-U?ph?{^rhk4RJ50d z2t^|UWGRPHn__hO<)%Bw{+Osg_f(71 zL9)Rma!{tX)^&JfA?(w-#^C2ASlrL|t&|XEH?T8|Z;32DOPhjfw{lH4B|Plk@f`Ef zJLgv>GkLv@7qjtOCOb159AI^LpS;~f=38~&k3Gr1luWNF8McRv!m+boAUvMs6iQ2dxn4R<%gwaq%ATpE2}sxqx22D0wcLQCAvz5 zq}-8NqNp#3I_Tg8ZRP8TCt17 zvL206Xr}r?`DL&%Q1WQezm5#%ti0txEhw2Q{cNI#C3bJ~zYfClR>XJSCKCJv|^}D#x z-3YkI;>|jjZASTnZ(alTR?$+5aU8zWa307+Z!4c{N6+(E*<8%JzoppL`-D3th_CLU z{qaIY;7Spy3*$SUTVDQk7ii={D)W)QMP6s$A+HIyINf=fS@vdsg@w|tQ*XFz+pXj7 zuCA1`=q9Ca--^3o#aHnE{J@VJVuU5G!^0Yeo=MzB-GEXe7v>q>n3|g;qBl783{{k( zAv?5y-+TT<8Fz6N|2^Xr>q+N69!W4Lbf_pG^7kQ$y*?WuV^qkEp!VPuiIWam0OWY0)6NL z`zNOhVLs0HBv;bo8nD&KMg5jfbTX%`Cu!LoM6*LDWvF0HU|Fx(s}?5vTbip;IVcpY z5$4+lpGDo*Q3Sm{f8R;!OPWegsi5tvQlThlEtA^H8?^a0;~BH~tA+HX*rua6&u!(-k z@EVEZ)@63!)%N-UJ|FVyt~mcQamr>1X6zsveaQVToa-WDIc5WWm&U1uiH@X){rjkl zhabD3`M#SdpZ3i@YZ?8q*9E=VwX#u1gOFQzgQzuTst6I~iicCbw){J#PHG{oi4177 z>+*Qeq4+O+VL9kxnHQ6P_DX21dF@*p9vF{{L}9(-zD1o$_#C}PfKE))mdmhf(;I#f zHZT&!om4pM?Oh%GA1a_*90%(iaJy_SdOZ!g9oGa#AVg;GwUHo&ykfD=(#sIC`>Te^ zHv9FroAqRXL{UlD+?`enl*Zq~7|=ToFa|?S#nIY|c_aa`&yT-eePc~nAv5sm6Gtr0 z(i5as91=ctF{z^L%Q?)eu|ZN+JW1r}#9~0ByMY?`+#R`S@&hH;+2sf?pkvYHM1DpX z5Q(mCWI##ENNZ&*hbQ|{l8Maz*;k!&R1c|{8(FVIJxi643~zBR;MBH#mK-+5LRi9f z$wA!83YSVBXQa(6auaUZ_j&LvygxOoI=FdMwk(5Wzjht^tN*gozuO}iI+WVcq3Sz( z-Sqw5QhUL-r;X%1xt{ct?tHKa@(-Uq^m|srn`Q_9^PYoVzyP0f;LL4_9hVvGZ;ypQ zj5pVAuPHN;hP@S@5Bw}cJy#1AR|$XkE|Jv@rZ4?WQFh{Md2}C)ERc9ed^5+eB?ku- zC_W_e83`}CG`ulYI>U%$?C2$qvlHRHuEVoi-Y6}M6jtqbYMDF^_8W?o5j5AggUL8X zY|NOO=T^v079g}Dsag!9KYZkjD84lEI-NpW#qp5Hcaz0h1Y{qVyaZjS2z-pVB&`@_I? zjH1Q_>%V7S_#Uq!3>kmd%jLY9l;0y$?n9PP6iCfqSNhHtPRcKJ!PA?Hq10B58(iQO zaf>-qdcD_=J`{Y-lK=+3Q%>$Dm_!)rNfNt1u8cBj7e?B~M|oYMSTu65*dICW@(6k! zL45obZK0o?&d48TK8a-EkH@~4cX`odOpkB6#a2^DyOV0XfjVnkCwEyAZS)!A`{B8A zNltSzzF-9b^wml1#m=tJNf)7iq!tpz?^df&j?2dd?8H%LjNAza7Q0Qs=fTrUo<0r< z@Y`Qj_MM)a6C|BhWGS+vZdrytU&YKZDsn?)#c=(mqNlx$BK_-ymVh`J@MS!+`}sS z6yY|=h*L;uX#*|E%JCWGx8-sYGiCbZe?>d|vaFFk{jP3?vYfo3{PD#^CQoqp?lPxa zhq+12xzgfVJJ$TSWmLGLopnkIHJ-4`h(SU6_4+Q1tIoum@AFuEI8x z(~di8;4;|Hvggyn!7neFFKycB4PWN4Zf6a-oyEd1??y4fvha~p_1m`z;HO z$^AT4u{fO44E*WzwJp&gyR#qk9eN_qTHaeFHi~)RpDb33{Tw~ z%{U?a*7U@BZu)JM*vl#Bx|6zEKYNp^a%pAmZa?RA9&#*|+#bc9!>n72r=;^0L+GXI zXrsNEQgKDt#J4)`XszUv+#ibLPaM|J(WI!sey`StvH0Jhc443+ds*sPM{mOF-3i#~ z={0guOG%lWH)nr5h`V%_AGZ3CvbL@gS5!L)RqJ;uYH5}2M-F$QM2F3ztC)Fa71QCX z9u&>RLWUS=1r|_7p+<{iBS@7YVaoFk(be}{erIBk7*Ru$Nvi}?Iky@T%XT+iJE)oU z^VGW*5hGi}(Po3EZl&146Wf zNgy@iCYE>9h~7a!Ex&@HDA}a@sE?a?C;p9`u&w@mn}}fz;UKr!))Rk}Jrix0^}XXu z>pr`rASIfL^M<;r>TVUU{jg5G{*tTag}4mJ^O(r{3yJp zx{i5Gw@#k-yy3S*EJ1Y8$D?{1&8(5hAq{a>B21lF*rwak2EZV&a2!wVjv5+DlYh=f zHnSLV3*l4hpHxkZnAJtmK6{(qIBj^&k9I1g#6XE33Ose?3-6yq;}tlwG?(#}A2Y$; zAwj18)>u$#CFze7tMXTLT{>Gf(P;&?U`An#(#mRBZHJ{I=2PVB`ZN4>39fx#P4CYc zg&?ZAFTW*kziR5J1_kgvA-%mm2kcI0IT-Ippr>&;<)?(!yrKD>EthAA&LLJNB|b}m zHAd0j@8U~vCD0n@T)audODUz%=W{YLVm3CqJpsORPD@!H#qxkXil)G2FV+k?5yyI1%z{B3)Dl&9_!D^g66ZmbO z_YSq`xg#%&`N4R&Lztbv!k_m%E@2t;5#?^KyO%(Ko|**n=|uAtz*#eTj!4F$THUjN1P7hM=T$3hFs;=&Fnc`>kIkc5Tzl^` zyGDdK(u>>G60fC_$I~Sy+y1obr)zDqsAltkAYA)r+M#IdXt2*OKF8MS6TlA#(|ya1 zGYU^Yw`vJS;LVf)^gN(~#cc}%IQ~=~lBCv0SO)Re{;|n8|8g3()b629m#V>m-t9fP z8QL_b>^@}jWSU^_?^6>TU;p^nhWOULgsr>6i@W)6!*^HZ(2!|(#au*n&HRenYmws@ zvc8VDcX(*BSfRDrYZNLo80%iqfg&3tdm@?DQqL+8KRSuaD{;nM=9s*zs`4#J5sw)q z>vXAlc3^)hajx~f0b5RQ zx=wXLbi<;gVB^NZLeZ%N+Glf#IyJ?*Dk>W8!C3#y2uaSE9%n(~dkNvuc-3>yIsq~T zcY&;0KJNly-eP@;Urnuo6#dIz>Cyy|_V>*|N>H2o7rXEBUi{ZXvSMoNF>kY}P8ZLI zyL~bYVtyuH9zo~+<5|20RRJiWUt^a9C6HDGm^rFHgEqYoEbGz>DHpL00O`^GHn-Eb zEc_Xc(A3h=HgkuF>NSl#npYlW8as@B@4#iupSGU|auBMPI2z0s&mQ0T31O!UZFRmn z6J)ln(F!W8u`~%s*Fr!c;)TWStqs`dt*SIt=EXfpd>i?5z?Zz;y91Wl;#xorbEkKS>g5s^j2m{6bQfI^FRRH z*1-lV6}6t}tFn;$f zy^%`kbY4C1x$V-RC6t25(_il7-xCaa%og8K<>8V76y+d1e;guPNDvGs+ zd8SBwSaGK%EK%P>a6_`iYRR}JDqNf3*IADLQt`mW!BNe{#6&l`-WgoBYu;dTyX<6g zJ7J58zYLx8u+kpZ9T$6WJ7KvseR-2#CdT+N%17%nPc7gEAX%JH35WUR|6?sc5U` zeZA4co@@{cltt}hbYFwt;T%VdBn;2euAS+fUTih1RKf=Ly~9TvF~lURK2%*KXRXEc zvOGr{2UaM;O%V%sFw%f?Qj?@FRZt@EXL~(#AI-I6E@C7bp6ItrWy~q~ zbt+D1wt6Gjx4t9Zoh~6cO!>n<@?XW3F4~TNoSBfBxMA_Ra;aA^3{_XRf-wqwfPro= zF&%q;yh>-cdhSMRdA?l_*Bb9j^W9zbd)_ZB)c|Jq+r7|)eLs=-qm~8(EUdP?WpJl> z-hPKYuQ{~qiFwgs3>QizHe@+U&IodHI9vaNeH(c0FdVbgxn0Y6049;=ye)1Et}&m$ z8Bf25df2pKM2|z0L$lu@+eN({Q(X7(QH12AzY~oI=Oaf=_UB`M0z|Pjpo#b=X2f#|MEDwB#&KL*zg7L+-7l4=fmC|j$Mi&hP0Ho zM+AibBFoEZIsmmmPpLk>>w!c~@~olNHlFikwWax;fRD$3c-pL03Bq?u(Ce(sNX&uZ z=G*fstS{i0#%w;$b*|8Tm4kUbQV<*7BEOUEb2*eR7U`<(lG7DjT2Xp4czgl)GO}NE z+%j;#B8$gjM_Oe6`Y}x41CAtk6Be=}(}f8)X#l#>pkl10}=ai)wS z;MXnTnDlijPI)dX$?p9wEHcx)^{GN%Cu;4Y1^%*wQ{vGjUki)HG)x}M-Pl>iXlH&I zt79?8^Nbk9z@Z%Lr4L2IXkcWf%K`q4zNqBh847%`Ot*a^kFJC3mi$X1mx_COP+$jL zn1HAVU3l}BH|j9qBl$ch#r1jsC^A3*1Oa+p?yj-dgB6d#`B{?fuf3YpEZQKqfHDhB z=#Tc{ePe~vw(GPj$0?Fd5QWE#AtsjWc}4g!z{;B44>0c{h($sTm&1BVA`JRBJhmcJ z2ko|Z$Vr@Eb8{LT6y8py);&J9iY7cUi;5DKMwEEyHQ3qL@QjXcl0EMmSDrxFC4aja zr=%lQVDq}^Bl5t0LK`ifale!fEX4>S0;G_kIyD<7(29l8Vfe1nbjhbBy#V;G_YKtR zpY`&h_Wl?I-bYHZYZii8>2EU(y#zjI;V7iy`9M(=V#QijjZ<3U41IoKVYfuE9nRwY$TkyD z3D#_JL=gbIBi?Q_G1+uNZzJ+tJ$uUNy! zW>z|jOzt-36ovyK;qT->ru-jVbOB>$uA{#{Q6?rAS;$0#lsjtYJO<(o20lOs+IU3A z-ESwqv6u{z>s(xFZCBv@C?4`<7<%P-6?zLk(7>qt!WV27cOX$hw?2B2oHknz%Z>_Q zc44Z19-h%3psB}K%sCawlcG4xrxe7Er7$kZA1~MLI^MG{8NLOofF8*K0TYecgfA+-P#8~xj8$K|<2@fY z9&5UM`DGHC07X%m_q|aMVtj2_Ui&wQOs@m2meUI#MXLN)LBJ?vun zj1Y%_S2p0-NsK*|wrIoqK+BU=3K-?=3U}FGf6j7Fzxs^CM`Y9;EyLKU8vN+O*b%h4 zs?9(3S2Enl7M{TOZ}pSm^S{V_}3O;YI&2fe@6)%ch3U$ndul5lkwvSJ28Xq-n6?x&AOoLDlHFmX!q z?wfPhYZ2pa0s}g z9*J+V$JA@>km^IgW5Y6YmamX#A|?%aSgKMCR0X+?C{LS{cP-AYhU2(23FeoGW-MozY@q)SOf2fBN&yB_A2~+3d?DTr> zVF(Hg#$s~J4f!}KKoXm0NR(d{^Sn8hK$)~oh*3eO`Au{8tUwvYb#M1KSGeW8Y0Y)7 zKA;=)az>^Q2M?>1$-y?HhGp;=y0smx@;htH(&bk9js1J36pr1y3OArUTs9pnVUQoobPG8)Pj0`Y02a+jd|H*ivRx2 zBfBn=L3=>nE+)(*;tw;4E_~7Y?oe#%E-W0@3R&soRC(rqLPf%CEUb9+1bl} z&Tg-WLZvE_gsGPs8!0J=_?I;BCWkHmw#v$~{{C3L2%GBnXt@2+6YJwIp=v!y*gW8g z6!Iy)!+E*6%}MMG-x|clo&X8?qR#@~PE6T`B%dQABkz33biQU1yA|WUBF;jf^To??Qm#?M?*SksZ5ver{o1~bi4k5Mtw(>)6 z=HP?W)h@-a7nw-4UBzG;20r-y?-{3xI$L22Hjy=BRqdy@<&mij{eWR)jq3_rr~OLt zz@642&3O7dhw}|7*THhZbcq2N0FI5Yn61fD=nR6{2a8%jAsK3!RoW_a=Mv0A3ae6m zkA3_Btw@A^H@_y?$|`Twg&wu>{yGGFP{zF8pe$S6cy1Lz`laah-SF&>cI0wRpgYmn zcSs$M`i5TD5A)oO6xz z3rmW&=0-uX-Nz!I3JQXX*BBWYXYV#l_R5+M!=;%Ul^6Z12Hb`-^2-PG46wV?0{<6?i_!+W`8&g`q9(EKlP}9>#b&Xn zZ1qur)L?44PUZ@%;ZDLyUM zeIlIIdQ?K$oy8SwJwpm5=6Ffsbs_+~?ACX5OiUU*#UYcff+@`(g{2N66U^E|*K zTGG9Jw5cNE?Wi2bKlg0iR`8$KmDE?nwhQgi79n$8?x%(2gx|e9YPcM|>-!VNxm0k7 zxR~X_SGaY4viR1V3J4icx=aE_Cq+%j!SgTHVSK-I-aM`>;CG^Ur`PzkqdcxjHamIvHimsdxeSXxSYDuRfu4H9!qWGK!^XItHg zUJ}JeYcapRL9aZQloz>4m*jy<|5k9GmH^Nwkeb2X0LY6I&haB|j~qnm4NPZbN z=C(%HNn5s1IElT1J%-D8h7`;`ZTn`P^A;T$dMNi<#* ztuVYChiiT6)${^#IsDZR@9>^lpOZ?Z$U5M);G6+Rg}POyk}wZNhj_N->vpmzR2 zXrfm8v)2=MiI&oD$`IU*jR=A6lPsSKeYk!L_rBv4D7V6*U!U)?9KxDu{n`IL-5>a> z06I``{SFP@x(miz`9cQtPwndeB zVNrGdClA+2JlNHg-b@e5+Nz9)-?jG0ktq$Q?T9A?3h-pf0!Evqc%hbb{c&SmYejHw zI^`sKsz2AJtBiu-hP$*E|>72 z{C4f{hDcPHbs6nHZB3yxRb7gK4@wr?hTio;HHCmUN2K0Ja-t_+Ba+JxeBNFk8m3c$?G zip+~dWIVHxfzfUPQjh{-+wS$I%n9I>D}kgoyWHVTaS>gm%PARL8Qf9UeDvF_e}}x^ zr&vDxBd-ds`+|AI@_2bgM4%8|Uqv|66?_plM?4G)$r!>$Z$PqNxmOdHyk2p)J^%#8 z>7z-snKQ$cy~F{uiYiX}swHZ_Jg?KJE;S+$kar9cv?05}9fb3) z_lNT|bUGowCdTvLWpL^J4&1rDOOs6np}M+qlko^nhHu^=##CHSwVnWO3|3md(oI%~ zHnWrU_9#Tcsf_9AV#3^79}e@wqj#)2@2M1_v9n4XQ?5ju!Z^+w}O z&1x0|u%qSLPNeI?}6M&;JuQ zBZK^KjG8QcNALO7mAIj(--^h6=lbNO7>@P3s#5;13o0uN#ehOe0EtH+TsJX%C&QDd ze&r;x2K#tzBVx5H!|S;{(Ec0kudhj*xQp)ZNAmTN$^J&ZBp9 zHRa_qkBM{pHqX=EUtTt?7H1}ag|{x$gJ&+cu<7Kvn|RFBNaIV?AVecik9Tkhnn{}r z^l^0sg*@l`^D}!&LR@$sMm-XC?jsU%g~zR#=d-T1CF2_uyr18SRV91va>HHhL=v~Q zt1HcCa18p^giK1x<21ep(3g})uMa+O?+xroSLe)=1?Jr0Cjn_hmiH=+N||;!c>|#K z)U@_ab(N6Mr2zE*A6l?eLqpL!8!wl)*&HU&{5uiQOt=A0sfp#$F`Bc_a zSr{9ys-Ivh{FqZJt+w!+%Jlcm0#%*#L))ciFZw5R^RIjz&>)e9AQvTF#I7CDd857k zl8Z+9#-48N3~gNW(qq;56D??}C72FdT*;m=s)UfklbPN4r-WV03#hROx4SRr7#Dq4 z2Z8@kKm_}Vkut@=&ZwwBp2$Of3p85GB%EWP?x5|@4>pVa8p|COwl!Ww(s-#;NA(t! z*7Gcu%ax=7yNXZI$xn?ZPevAW=%%Jk_>$U8W*ZGv&YxTUhNCHB1hxYNTUxIr1#)vJ z(kd9*bgB*L|O*)UkLGoMiqoIbzqLjI+Ow599<#A7B zI+WJL&8n{|$?@ZB>T#*SVZ(l^kxy+<7k0CWf>L_0W_LgWq)w@YX>ztbkpFbUac@D0 z`bmqhiJcE>0mAso*8lMnq9q!w39Zbn*OYu8`|+Le{l>7e-hG$(5@xf<>tBbNHO&kG zH|~~58+Wty50m36I>r;>ftb>rUr=b@u0+i;*^G14#ehYmJ%R>rJRs)P-PdAL{DR4| zs7-Z4(>{Msp(j2kOe3-^9Er)3(#JujMc^GThmN>kc5E8UsJ6hSATOA3-u|T|6swE1 z?TtY|&+(i@Z*UsDQ!uFhr;C2_g@G3jMn^dC4jp;Dl@-U|{p8~O_>Fb1(&^}i_S69+ zJVao6B14&xo8=;e;KbtTATE&0KxYQ04oGfyBAc&_LCsDj$RNu3Zp3ymYj;bIM|U(W zE)$dU^KvB0MkKa8jz&i{_lfT<61Y?_K4JWat}HkrZPJA-OY<_;p`|9bi{7eiMVoKC z7bsOOlQ&r7iS4W%e9%!^$${(G13Tyu`|D6XzUEa+eK&Lr!|hz6Ora6ywuQUi0=L0X zxhJ7m309ewleu*%s~~-v%qZZ|iUrNu=`Bv9f5Xm)>vEoqT`p^P_-S%uxN}JhX|`bV zm@&VHt$wqMaq*)m1RB$02NcJtf{Nau`nhyPalV+3WTB5=to8A7rx0HW_`AbmZzV|d z?M>P3l0UHGMWIUK@KPS3wyvV2 z`s7L*I?85VsjX$DZWKhFzjd}Tk;-L+!DPvdI@op7y}yRg70{)n4$|bwunmfl*Bj;0 z(>{sgE+Jt0XKP}t=J7$@$v^MI_U&iR%8j9@Z?`%R6)V@DF3DXhF$cLo0)Y07F7x=| z&#+Ydln|{KD;!L9jN;&C7}ivoudFo(5cz}>eF#RKC?Y=~dVM*#J*L7Kcw(UFcC8~y zes0W^zI*;Ueh2*aGK!1th6aD~nGj1QUE<6)H346gc)ZZCjm9uKIpTl?jsJ`{H~mvy zZKyvFx|lcB0LTF(G`MrPUztyFW9sUqNW40qMG9qZJ(a~Y=9@QYq)Fx%g71BOWxAjN zju#(|?g6PKtZ=*aVw5L!PGQzzO_d135UrfLlfsQlREZGc87GxFOReP`&gKXV^<<8h zmimG>x2M~4&HpCKz`30^o=|}Q*;#{=L0mrvIQdt#nEsHZ%jB!fDZ|ooz!lnNoA!Wy zjSl4uo53`~S3yX2Gw0!1*m<3N!^)5qI5Do?#9r}dxuyVXJr2i|POQ~)=9m3OmN2wB zep#B@vTTCFI)7h;@|wSe-z)$6CPQh7g6Wx+DE~O@!7V3&$8R=d%}-zb(OW}8Hm8WSf%8&~7y5bZ)x+ zuk8U@f6q?WEG^u-$gS=jkogZ}#J{hGm9f)G4tlvQp23%}Y4hkUD*l*q-pZ5idrT6$ zZEh%HpJQ61SEci!X_6zpo-~VF@i#@Jb6@d}xWN5VA1~jbjaJUmAt%n_2l9&i4EZt@ zMWX-IV~>0=(0>p9SkvGCZ>jg+pAGv;R?jHn$VC*O6;ig1kCAhsSJfmgv=E;6JD-)$ zJcyCYkAkXWYQidf$N+a%j`dM)ATKA3AtSlL5GBgZ)g~3x&;!;mL2W~hny@amx&1N5g9*{TA@D>UqebkF~( z(gEk{A+SIb52EuEcnfp}t;~5`-=y)6kE)Ye&P~Ao_aO(R7I7Nr4OgD^in;i5=Grz| zu;UBc1!4k0QnMaZ$BlT5SfbpGvlYd8JpW2PhfQ53t~A>J?zIKyM7DA_&Fo+n%hsZ% z15V+eTKmrljLcx}v{-^CX*uR^#;bgsWmSW}>#g}{kGm&KZNBNyme$9yw7FU(>(M_u zw2T@sm7>_Yy5H7+{?8r)7b;!K$w`^9Xwkwtqr5v*1U*RP&o#uF$#TVh;llN@D3GUq ztHNsVCVNp)^vwH9A4hYJ(UB8M%*i81?VsH3p9!$771%0{|4QU@k4bx`w&#!D75gT` z`LWUIIUZ$|Z*^{?@Pqm4$5ux1nCGVv2KQ0;8{5kt|6YV1RNpp3Uqu-QIs1W0tu`k6 zqVQLqDP1b)5L4G4*IrU$ZUfuAObwOxwL4n*I5Rc=lX@#=q5&8N@R>{a!HU_#RKY75r-C7Hw1 zb4ga%VRhXh1zAZEPsTbjvwjZi>NwsBHK%A8D7z-isb6-keselozA%D03{G^Ecg+Pm zP=E&q2R#!;<&^A2>eaJyt-`MUZ}H*6Gza@ZHGO9nnp~-Q@iHgdPurLG^$lEG^hN;w zXl!h(0AXfFzj1mqk6uops4L2=US~;@=SJsavQH5QQMj$6I2s~-$NjOTrhi0IfJG|F zdXFn|I-V6NkrjFFM&s_sakBA|yy{jK+a^QPM|!q81Og05mpIC~_J3N~p@%{Y>0iND zfB&n-yC9@6&d+4hZinjYAIQ)vP4Ezd-Y+* z(9;NLHf;2wDu?vPy{Y>)OagBw{_ue>M|bSE7eSQ+p=$USe9-^T%IxW;7jBjc)!62J zUHE7hEY2y7MhOPk{(G5$jylrO{KUng>_bxJdWHS3H}PF3&*J4i-s03=mb`AoL5?H zLDZTL3`(>>Z>4uyLzMy3Vx@pGWe)>kTDB z(2e&3J2q{t+Bdy0GcRJbUV+@~`k*POG@-^&g?0!>p!D9K`+xFNm^-e>y6H%2#1r6q z-9`*46YvuVLSwbH@W#5R91mpt)hcB)*!l6Qr_NAGhq5bb()E0MJ=whMR9oX6_>>=> z8^hvx=dg^{1Ylw0Hrjv@R5!pVnkh@5dC!A1ShMPJF6)>AK!bX6c%dgi_r*6jIJlD#ue$y94gzg*V<#=x5wbC(K}br} zeDD#2CS9N>3#V-&M9-tiJ8|fY&7RF$pD<4BCGjRSPPO&#fqeh`*9vw`<e&~UF*O1+f|t!w@cvY^ZFFYqZdEq~5LuZLWJAfJ-*^qd zj3h*$cbd zEkhNhgzPGQvBQe}%5Fau^U`6iBHpwEEAuFkJQGk=$vDCU&kti|0$+2|g@`Ym%`o`C zcVL{|#ML#lI+9xcwr%ocTMkZ{LILJfO^jBi39V8@PY>BKfbP|r1W)TJKNEtcHghT! zz>r4NLN&^GX8JB_``L}^+iy26ULWa-2qFjYxMlMc8y>d>H_kG&{KgG>Zp$WK@IOdk zhkY(G#e3ri@yQ0!(9rTN`gF$GV8yL3OPIRrPld(uu;B{B0xjeZ{)LMB>s=_*$loqZ zj@~9uj)Y8(lFLX^)c?~j&oqM_7ldrbP({-3>>S#oNHU%#i^l;h&{j+Sa~ z*1E9O8oo1{iKH5V_hs{v<+W;X?ul$Fjwd?D^tvhm4JN*`wa13T{C!VV>)dJCds!+> zc;O$2$01&cR;A1`xAt|VIEnK0ATv+%G)S+6;CulQ-h3+zUKr zQ#AkeCOOpOPDaH9l8<~2X0|E>Ff%;Q&_`NN*xozuUUacK zW;`y)(kF64cjcIx{{gT{$yO|Bhrdc^nhkGTa5F3676WFje~$;RC!UH%CXaKdi*btf zC{`nrCJp3jOnAAqp)sG2K}#6EJuaRt@KID-lvS}+{JYTOhgeD^)*qW9SXU%J)%g6q zUIpmYx1x0l>2kf9jNoaDW1-yWk^2M8C4R`M3nk>hkCMQeyaKdyxM)E;E!W}TTkSdr zM0^5*$(%GmoWZNOrp+n(n!%Kdu&3>w#20PFTQ%b2Gcb*5%2Qn26yZGm@~)U`HBJ z9f`E=26I`fU2DQ4-GR%f&@&go78Y~VU_g^O%qYiX*p4Cfnsv|2>|w4HF`(Mvt}I1^ zz?aOfTf&--NOaBpc&KN;yv>)@Kr>x-S$(9JFGugQ8?E9wYRTA&wMIW@ZbSE_M{vi$HcGt9T z(vB;xcK*xj5l!nqKxMOTF;+)^(ygB1bE)%Ub(U$XW^n#?pjGu($z}Y*jsHbWCUvtA zIcDU|<8Dku3K-(%)>a7WB41q7a5r4o+AC1mghgzVg2it4ONm9GRPUQUtMIJs{1=pl zaed{Q;pA7V@4Euft_>{lkOaVajy72A=iJIjGZ6wV?Q!l#E#wgb`P0?8LRpgNG729F zwcq>i(=c}0U{cG@z`L;qw0^*+tTV>N`mCh?jqre9cODFgW^}F=Ed?24_Bd-<`rk)n z&ekS^J|DMqT9%zGDiHs^7g2C1zY6$_s3=~#B;}UQ$cT_}8&dl|hUi*+kD9u%F#sBlsp3iyQ^AkZs zi3=%IQ?lvY9Cgf8U`=3|_d>S#;3@qCZKqT1CTjbgk!ee3L9`rmcJC(-6hbcfVU{{7 zUX2tZ%bU86J=ewRdB=2|!l#k=^ciXNYHpR)55h4Q*W}}bKSZn0QO~tGqr=+WFgZQq zP;gyg?qH>1($&sio}(WIzN)BTWwB&DBlQ=$9fc;u-X!&Sq$ploclEd3ahz)N4(l_O z?DX2m4yg`^=deHs9w$xB5`UT!6KSf7kJ{4X`OWr}&`+#1T7=g+wj7hPVU(lhqpS@{a$4@ibqUDR7uI3}fd12)Rx?&n6WSmc6r^v7uwqj}0Ey zR7^y8AD@yG@b%)HL5A~0=_PoiP+8L4@% zN=sj{Pgv}4H#YNFo6ng38yD3HKHrXdpL8NKe~Oa$gcGuU?ETCu@OYuLI{UBpYoeNR z)r<{%2B*j?$sm~7ONrzQ>hF2iyi>l#jrV@o6!7FON=`|kCu5<|SDe7?z_qsc0dlm) zxsId(M4Y5wo2qq6SRe`K9}-+A2_TrqyBPJOGBP0Yj7xe`(*OVV3h-nQ5LZ;~fA zYY-Bm1dB)A{+wj-a@B96^;*o=P{OyMVSh$7=t43`u&W2d7Ql9rV+<>f&!$R|p<92c zBfK6MjbBTD2Z%{e^s@-+-UZO=R8yqY1UkAlSF8xWPtjwDq5g(Yzd`7;O%9BI{r6(d z>Db&I0Yj#NkodwW%o~7ogglP@YnkJJk&n9g}d@GFcpGoPKE0}=70zPw-g({&wID>zUwaUug&uRbwT z0WW#1fk%9ZkbcP#_qB{cE?IRx}MCnvEHD@xdEB`(E-UZ%|c#d$3$z)|NH7 z``HI=8$flm;*t!x>UNuBR^=#oqH@Hgvn?$slbdA=B$Ezbk6|a7kbUv&C|XZzC;s4g z;WXJ$vC`JX%Zr)+zdH=1)wmFFdr+=nwXe;;Ttj5h{4Z*aWZ6oj>ZR{ z<<`7YomDnZ1oT_clVy{|LIUHzz%t3|g?Fj9-;SRu1)Cp_{ogy?H78Qn#Pv;KPdW7q zBE+X)%6>&mDhk6K!!}XgRzp)a%%O%+c60vif3H>$9B=-0MDm0&R>>F`iC0R$E(Ipo$(^ed7?@DPW&%0@V^ z)vRfULU@5xgA19z^GbS{II$O=G!FC3OPeAavX0pm5INcJn873V5^6VE@a>ASZemeT z{THEBqG1*9?P9P0omdZ5H56KiBnnvx#I$JpkQZs*n&*x;ob}Ew2Z3gYfy1uK9Nw$ICDVvev{fg-1RSQ1-0wSSV}MiPi4^l%VB zDu+T_;8Vlvu39!72u}*g4x9jGCcMJZ3NG$<0t;a-0`ig7GO@X%#>XR+QAU@ta7IV3 zB)Ij+YU}q_XXB=U`}A%o`&3U~i#T5e7SP1SslA>xOhW$Om(^(7(O!0OTMn-iV=twZ}R&<#?#2w9fp z$7>&(4j$7t^?j}c{*@bF^;k?Navcan&CAKX&WAZSQtd}hBR&(=B^@r$Eyka;gbUp5 zUbr%8)X*>{{@$r?G&D>FylK-n?WPN7P}9V5u-=H^v&RwuDsLO~*K_MQ4l~REa(r(9 z5E{;dRBbdo;hDZs_o3)vv7O(dIB4?InfgZTssHVd8FJ(?az3q@X`IS2fch^OZ(pkC(qStRBLQ($9+ zFFChVDo~S8a>G4|*FdqS!8lA&AfD2bU3Q?uW4Gr_>C;(5rn9w{)BIKgcp(?&xL<=} zvG2mffZ4UjerCtCFC{hAUQ;3yQCk9&qoXT!kOmQPD~zy=Kfr8dh0SSG^Vk*C&=Btm zgKXl?4T&6|w1z+bkh~ok9&*bzjD~w3HSU-#esthH7dPIYX-1skdDzBZbh%wETaB-g z`Rx?~utOSm(lP{ydA(kuKEt9)JI6jlO3rbaI`8eb*QRGzO}38q?365|XYOaJWY`{? zCyw`y(fEEoH=j~1*$pxt-Wex9%sMQd?}t`8E!aP|;N-Tp8!UF#wQ*hg)4rl2(RT~z zdhRVF)%}PWAvUHK8Riw^Ec(>I{{gcSznDRcMkSQQ%FzU*9)mLCJO)1t1t-1UY zjkO+g;H&cFVU>x@B`NZnsu95GaGA8v@0Icoev1>kDvKJW)o}Q388+7~9yJ5;M^A-b z*Qwy@y#Nvtl6+g+%U+KydKcSm@4Pg+FV9|nH@h2hCq5+UL3+Xgd)(}DOc>&}O{-6D zGp$#@qUWo-90Ym87t=PPomvAg@ccmM6Hc+Pq@5w2?c1A~qg$)rx0h8y=FB>rwQp{p z{#pyhh5J?G&S_5dsO1(8=-5at<|uv1dHa5$r>;kSw(FFAI+*4372`2C~L5y;t#C~i6plTi(AB>nli{WQ!veW8cnqyvXwf~o;D*bt9}h6F$()y1Z#b)u`a z*a$pbCAdctA^L2fPF%9HFX~yi3%}?mki|-CxyIgpm#K9f7RE~Gb%XA*8|7W(J>H~9 zSh3nh#&`Tjb|P{%aI83P|CtosD}b0s8^OTv8@2%EFCLq*PbE67Z#b7+Fs&Na#gu2K z3f@iajM37#dWTu!EwcBQd&cB*m`q$%9Bv4R({_<1CJ_(HIEV%179P7@J>oLz{9b*y zs&BYUHdm$qBHkFA74GWCyK4Zz3MjV|!5`PU&?-HkQa>c`MYG%=FTHyPfb#W5qqjjh z|Mef%Ucww#`P>!H*=09kU7kG}zMD0lo6Q(Gg}OEjNXC<3w2ogqJ3YoU&_dm6PiKx0 zR%A*i8SLALKOe67(^y=KD<-pVNIs*(R}0=A_X}P9m835BuZxn-dt5NxNz(+#;RIi; zTn_4kmyTmHd;p|tEtFdd|r%(xXi8xwXzWzbw06>Ps6aGOHcmB_$6G}q;?`<7gDd%msraD!;Ml*S4e z>|Ln?J}lV%s0q+a-yyJ)y01i4C%n`4f7k6{l_2=5H3#}W&KL`9Q=2e&J_6KY(@WD=GQ z1?=Og_3NvuUUCCz@i>O==>`^0IL^NmL4fhUJ6(+1cHK&{Hm#})O?N-^<2`B+<^?8U zKJFe=pSCzWrF%cE0(lkjpCD>)Z35qlP1V)0PigabZr4X)090CV4#-7Mq0C2PR!V6t1C*mj-P=Y;j`stUsUq(>XQ=*@cQW}tISp*#Ib0J^8KE#UKP_@ z73dor?&(z=iK7=ym1?9NDt|uD$Xj}3`OzmYBlr+N{vF-QGENUv&n%_p|8q&&E3KG8-DMh$)& zJd~h&SAM*}$|sl(;WdtS)!{wnGtAk!^I;!7yZ&iE!cP*x_YmnlwGiRBdn57WUy;gW z9d8JLK-;WmbLk(;j+!>EYJP6U_o5!X-S;$LX}ce}0W=-uh)&}SB9w$=@B$2vM=Yw_ z!K>1q>i#Kk?ftSguJIeqaGErGX!zljk8&Or2yTO;0Pq7>n3gdIg921hk#vG)v zF<)%^fyqrB?lcUN;W%g>h*m+#D?!QUguGa#6q z_A)m&2SAeUYfY=#5VY1~6B{EJ=ekj8cT*?ojm@B|C0_GI0-cQ(|Jzh5D6uFVR6R^9 zVWTHZ^%+n;-Up#K85{5HvL|C1y9LO@e(Y@S_R(AO1o_la1GM&U7Zcy0e(ylUG)wah zw&8(dXXI|qRE`PUaKYt-3tBhYMA~=Uo{8B>Tgi2!0&1TQXF`oLrm@V;%ubiiM>n3W z8eUw6*-lMyticAE#2p>ObgiseIlS3A7`StDyVDj6p!7= zqIks3*p^&aXg}P>VF)oGEXuVFOvCL$h?SC-$4(ZKW82Y^Hn&#Rb50em*e5HkOzCDSDwfoiH=~=BXpdjR)_}MbqX^E+ElP&c!r`q z0su1CqQ;x9U9g2!LL|S=R;@N47sd zyD*v_^}4giwzlxmalQPOhBLUI-Wg{q;q%)jP>DrT><707-1i5)8lq0lOr_}uxuIL} zmH7UkwQ24Cm?x~@p-Fz;(K?GiKVLMQk2Kp1me!l8Aq~0O@8})ORnn2smRYym;#iI< ziy&KQ()KteTN~ueNQ0e3_Jb^QC?X2)4?+S+Twfb*ZP73s6U8SH9{T`3xZ;;zp3@It8`Q z;`FQssu+tAHsdqcS1hFwdFBK*ULQ3-s-P-}OYCpsw61D$LtyU(@+%~rA zGeZ1h?np%SR{InfZ2RRklqrIiLA%xZz%A z8VU1y<6B4#o|oRJmf@avrRk#=u{UT8oW$EJf(3G1i-DMZD*`7q&`Yo&p7*FwR50~ZMUBRLmdVP^XJXL2)_AB-}>QNusJcbfZM!lbu zHh_fAyB9z>4`KqzF#*h%@K{ALl~Jok0%0kD#51(q`_R1U``Dk(6<|sw>C;Z=@%lgT ze^6)`x_^2-+Ai7Ze*48!;Y}(fB|VRoC09;pDXvnYMQbVay48+cg6f8@=ns1x_`yUX zfcI*sS&u4zy+My)w^o68;^-C@OTRmj_O-dqjqusw$koEG3ecln0?N0O83c;PPJ86|ReOVk zscIGeHb>S(2+yO^U#n%w-Kf5Evm5P z3dQF34tcpMagq7H{5REz7Lix@(!mwaUhdx^{RR};?Ohb6AWrvVxB(5)u*Wgl1h z!@XXEo3&OqJ>(E*KJJ5I zCqj$ZI^GlMC)*eqraNZKZq<^ni^FNy5|iHvHR^P!r+eg*s6NgxE|NEn+_r51Vnr{* z?vulFCC{tQpH98a`2xPTj)|VfF}@`}x2uYxf8X2b7ZMf7seirfB!gNcpZ84%_(UewYinS4wi2zP2* zL@wSL5hnGxQWun2ZJE>h?I>Vpu_I<#57KNk9&U#|_>}Z`uY@0OTyiK*ypWxpp7<*ISznoqraod@xo>tX0D_=Zg^0>7;I%Oo7 zDKIhY4f`EyTG2Ha&Vc(}Pat&XItC?Yv9eHbx$I172QwbM@hV#j7y_KlN&5bGa2p_4 z^5|;1mux}`7MBfvXTbX*icy!He3nU(>;h&Ie{z=f7cZj3ZR-5qj)o^^*wEJc9(dRp*&ow*{>{XA#V@|5U;je!dS?E}t{)*< zoC+q;eR=h)5$TC;?>4*QY#smp*kj*BNG04MSA>SD>H{`9o?JJJ-jKY<3p3#B%o z(f&lDb>cH=a|E#9GfkVbRIPCAvL|S>zWnHgO6w?rA)|0FGOBsB%?qx(laEZ{5;kst zq%jwzysjWASuFV*tUN-$wOz!FNm%@oM_I^M6=-dD4$0tA{ykiMe3Ye$wgsG8EAIXz zR4>zR`Ae%bu+K1oF_=m!i!3`Y2?oMZih@=uV25Wr;MH+M(Z3>Q5PehVa`sV3<&bpG z;cTGk+a=jLPibk}*puT7=E#?=EXs~Bz5iMm7MU$c*drZ+DOiFeuAAtuoT|9%1_KTF zQat9y_F_WhIk6#je_GVR!A3|jl3$?aWdL}lPA21JBHU~N#vq##?|1pfuGwBzLI6e1 zcJ$m5Q}C&Z@c z#jQHxMbPIgT`TsxJ};dj;@c>SGy5(waF>p;*ig_^{3fkHEAF-u!g&(C(|Z~fM^>zP z)l)h#+tjpS)e#X8vF9yH3bi~fn6f-o3;x;;vp^aRRuLF~`|71lbLau;FfKeaoA7;

If this setting is true, the device account will be used for proxy authentication. If false, a separate account will be used.

The data type is boolean. Supported operation is Get and Replace. + +**Properties/ProxyServers** +

Added in KB4499162 for Windows 10, version 1703. Specifies FQDNs of proxy servers to provide device account credentials to before any user interaction (if AllowAutoProxyAuth is enabled). This is a semi-colon separated list of server names, without any additional prefixes (e.g. https://). + +

The data type is string. Supported operation is Get and Replace. **Properties/DisableSigninSuggestions**

Added in Windows 10, version 1703. Specifies whether to disable auto-populating of the sign-in dialog with invitees from scheduled meetings. From 722f7ee58d424e1ab7068d71d9d1bca4b93a9a8a Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Wed, 5 May 2021 16:27:20 -0700 Subject: [PATCH 026/415] Update TOC2.yml Made a small update. --- .../windows-defender-application-control/TOC2.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC2.yml b/windows/security/threat-protection/windows-defender-application-control/TOC2.yml index cbd308449b..e8a04d9f6b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC2.yml +++ b/windows/security/threat-protection/windows-defender-application-control/TOC2.yml @@ -27,7 +27,7 @@ landingContent: url: applocker\applocker-overview.md - text: WDAC and AppLocker feature availability url: feature-availability.md - # Card + # Card - title: Learn about the Design Guide linkLists: - linkListType: overview @@ -37,7 +37,7 @@ landingContent: - text: Merging Policies url: wdac-wizard-merging-policies.md - text: Recommended blocks - url: microsoft-recommended-block-rules.md #there are block rules and driver block rules, which link? + url: microsoft-recommended-block-rules.md #there are block rules and driver block rules, which link? Add both, actually. - text: Example policies url: example-wdac-base-policies.md - text: LOB Win32 apps on S Mode From ea054485c9ab036d8c4a4ed50059df86470afe3e Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Thu, 6 May 2021 23:10:54 +0530 Subject: [PATCH 027/415] Delete configmgr-assets.png --- windows/deployment/images/configmgr-assets.png | Bin 139547 -> 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 windows/deployment/images/configmgr-assets.png diff --git a/windows/deployment/images/configmgr-assets.png b/windows/deployment/images/configmgr-assets.png deleted file mode 100644 index ac315148c5f7fa276cb84521b26d1332adcb144c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 139547 zcmZs?byQnH*Ed=(6f5pfG^Mx{hqOS82MV;fmqH3jfDjzgqQ%`MMGB?3I}|Avthl=- zI0Pr$KF@pKb=UpY_s3at=B%^U?3ww^o-Mx}q770edBX7I&Ye3Xswzr4ckbNJzjNnq z0KubwU-}w9wEb)D!gZ7t?vxBNZU5^$uzjuh`p%v5D57i2hyVJ7jw*)mJ9j8t{`1^j z_{8dd=g#d9Ri)Q@?q)lt55F*vkK;32aRX3UMmP2cB%Ey-><>e$3<7J$5=QVrr`nAdW-DNp6zjM(fJkIsKP4>C`;O2nv?c;O!2;sLts7Kyr?vJb^DdkRqLGDPr zTf2KqlKEh7NAGJIVx|OjNSe51S#jSI9YrQ~!$;3qcb0tAL9 zc2F8B?|pu-+!0L1`k$Bb`%j;?=M?#`ad74h%YD_Meke!cwA^a;{rXP;=ijV|?$<2I z4>Y|GdqSSyt=SfKECAo|ZM|hTws?1awx^vzEO*?_=yg56_6fhX z?=zM4MKj}?23lYC3>!9|k_MAM3FInSdxn%^%k&5p(of}nPac=0sx_Bl_KcHQZKaN= zUZcG*(r13iH_?B%%`NlH4Rlp!+g^Wj z8(pPphW>sT91tMFzd-y{^r_=a(7^itF8_b`L54sLWIK==IH(;F-2-Lg*j@Qm)x{$x$LK4N3Y*u%$9|Fl*hC8i7Uyn^ZS4>{m-W+-vs6CY9lfB_pr!_=WNVC zyun0zyda+qQLtf2QM^RHO@1VIB=y(M^-?>qPP=1ag>c4YqMxKNXL5OpiRQfHeG$SR zY$+6G8vHVGx{m=h$*Hj{qD@_5+%T%>E%gO4juFza44dIg>hexKtoF%wdaW+ang0WH zOR=NIC?h^4tsbJlTxD5RZ##WwPR_veo@hNMv~f1I-iT@lffKQEyGp(;JD4q2K|^&Z zpeiu%lvM+m*8=*z3-xb_QFmJ#2N}keE`SGv!Wn1 zSds>V676~-S%Q0leNWH=c3>|U_=;K4w1yvzKmSAD2q$>F5!BS(EO}028HcNuD^Hkq zDDX`;goujAbWZ$eVRm`(Mm1LESullzO|M&%Rod5xgsGl&pRCQiF-LD#zsw(o4QnSg z`AJgVLk@>)A7;NlRSylE&O<|roKv{ZEDg+R)5DSullbBd2veR=o9}pgOSVzl{F9T$ z+Y0kf$l`~ait^q~=1)VEn2mW{@8mpJb?$~I7Ngq$`NlyDAF^_X7U z=t1s3iEp1Jlb;o74-{R-eK``K+|RRdHgQr9GdI&$t#9bI74EPS!tPjl_5S#i&7YZNvR9`HSYiw$N zrKjGv!p1q-9n6UTRS=ayf?OZ_r`(K*{-;e-;Ola$aA=yVi$Qn2c75Wh-*Gri=$ZIw zyCnT6qPQW-tjEqvnIa=Y%B5<3cqU$P^zy+(3ACf3nx9?MpxLwe956hepztDvoPzQ7 zoBF3C-UQ6d^9ly47C!%7ql~DJ?AufSQK|nnmQwdWO4WUTxg>qz`rLW#qRCF^+r=>r zJ4=DmXoFY~N$FpS`VV>^wkOQhxN9FxD?M1JPI%GgNR_2RRqhVR^g4REBjQ1KEmod~umB!x`R z>z#@x`cS~_yEyg@G3aSfwN0fE%5tQg`qjRfOUsU2BGgkYwnh+fn(pJu~c+ z{E0P#gMXdN-BgVz@Klq*=C(IM%$J*;_}8UKphe`IXCu(OrN4m9@Vr4e7q>#KN2&!=`Y;w*)rfBP0l z`3c*bS9&Sw^JP8XbXEHBdB8;Z*xkjR!AqfidiOKJ#_{nD>thS%)7+sv3q;H?w<+Gk zg|nzJP!o0G(I)2UH}0lxfqg*}i|29WZu5p*IMAIMH!rAMKvK4cT86MOEwis@`n&R{ zTJo16^>StFwy7Ha3l5AMkmD`tw0C+N`bPRL*1k0wPY72aLps{ZB&^PuSCQ4%P0+)j zx~Wki+^c3Wb0_tUCy45o7ScbKXdnD{Q@uLOrRH7Z{{t82_;PNuUucYbUqEZR6J?LfQz%JEp**W}Q6BDU^+2>4^l^C|?#%Q?qMRQQ1w5hgF zxx;^kEpIMfNw#>O=y~t;fX~-r8khY_GeYgEG#+gVNsetZ+W0HDWQ173+S?+tUFoM3 zE$Qd1-i_&X9b9*~sm$oUr)jG)r&#s*I_dhe z&@mq{E6-mV^MW`wX|5_n_@dURSA}$Cmo+>p>O4BR~S|0mBaI~sGoiAOPlc6oGR5ols!z&f@!$WkDKTzqf zbb@o7WTn>idT7{7SmC16Riv@z+Eb24h|*G{z#g3yVf4%{*FEP?{lWG*KBIbQ$fh`m^U0&qol zJf6l+5d>A<17oh5;PRikh(nZp3>M#%;j~QG(?3p6LpPCoRK=8es>n3p8}!B&HuP+> zE};fBW2k?0yfGmAsr4j169CN=_aY!8W*P<{ zfh}~3`8(`}eLYGqC13S@?^Gpz>`7|0pvtuCO7UuRW*fB3c~-2C>OlD(D#~8>S;?NS z$V|aehIOmkwdGf4qH}F=mI#X~@Ij?Gh(Y>pzNAMY>6CbjJ{jXABI#uAB+z9v7fS21 zF2?7%3$BKj$zwXTmTCYCoxg*~Q-d`XSJh`~97^P^8ayQN;$)x&#IssBf$hDv2F{IU zd_{CsK1qtxk!5Q5ZI7vh9i5j+d=!7!nk6<*?=dxDM-_zGqvM?zupuNOn;GC{^vvW4NvOt@-w6{sS z3><2)R;g5~^$;xrWin-#AS@8pa?*GQEyk{K^P>q@OS*hghl{FfkhBrmf)I$MCbP-Y zkpdLkbDcU-+^%dJq4;L(>H7iWcF`6IAk4F7kY80NV?7!1C*)bjv~+HU<$^cP(B$Bc zmYs}&j?HnoXW{l*4sMA1dz*{E3K^Wyu4?gM9c}?`+ z-n>ofw9HVGLA~Ubv1M~4f{>-|n7dYRzk1*I7nWtzmd11+!t^9c9Xpx!80M!9yqxyL z5PmT4@;RuncRJrANxqs-jHDXovR23~I7!3G8->~^=@VD0xhGbC;l zhrIF%JVO8L3`UXBigV|C1gCQ!+1W#srN;xcp9O?gFc7oo0QO#wefVHG_w#PDB=lL3 zc)U6tl$p|bCNtrjzB9*ZOm8ylR~|#XH_PJnO1{%HYe|PNAS0-2P)vH%@Zc;1W*+V! z5J;f&lQb{d-ZX-3oGs>AU(Rdh-#eXQr=iJPY&tv~0L>ttsAR{)XPRj>X)-?>*zYqx zHUTAzf%{;y4A^Sqq;=|$SgGYR2RamF%VX2trl zxtY^gG)Wgu4Y03N2>)Cf`($kUg90Rf&Ju1Hpw2nXypLWFjDl2B1kuO8o87<})5Qs{ ze#;nkoT4ty;)40c!B~6D9Pk)FC1**)MTGUz#8i#=O~cx=%BiR~APsmHnJ%jtjQHJg1U6%v-rn z^5PIo-L&H%iE$SU1*d2^Yz}kU^PmL-m(EhA1tTT#V#M^aN<&0mz7_p5FtD`EM1zfw zirkjR9(hefCe|50f_k1*R-|r>3NKtvuURkWay3KFesZb2$@w`j&B88wHWh5x6_xJ& zXs_vl)u7S2KwV)AiiQmlvh0`d^NkNp6hQOifsLkdkUq)NON${JE_qIN5c4|+4~OXj z!PTc49jC}3-05qt9qPn)qwo)6dINk_{@*yvxnmnwejwYk?}AboJM3HTl!-g_4tIKUiM20;8f2sck&nuU zGLCtDVQh>F`3*W$5n|>`YkFvh}cGTnk{v4r@M5FQIW-|7whnL`i*! zLOe^j8|`K>bk$CuEO+&usSYc2y}bz>3!&BL6)!The56KR^2oe3+d z%=|hbYW1-3_Q(A^(o>yGEYgjT<#wo5kF4?YkL_eb%@2??#PV zKh;BRy?3jpCHKQ@w`c?~f5zD{7LOfEp<`hie7DMm(pnulHRgE8$;Wt0& zPcA$lHOn7fJ&BSi zGR^X|n~8mlZHH#uEYN~PDPge&=~sRqdk5FW#dQ zFZgLCgB!k3XES@Vy0yNCzcH~b z_Z0M7qM!%ZnBBJGoYdO*D8z8xrypQm@{-|Et=eo5t4&Ro8l4PVPVZ5f$(%r+kVY`1 zTe^yJr3;Zq3Sl6dL&SAW5@shC>24?jgO(?LKZZ6x%4hcag7F-Nb|4tPFPucn8Y0E{ zG$*1??UjF$-P9HD6{4gKv7x)L*?B)`f7m9azCY=-Pc92DPju6iTS^PGE#U-zR2ViM zrSxXBT(zJ&S^%)E}A5@F4td`J7An)+8?Od7{f z#@Sp^SNlSf+!2EK6Kmhp{D3SO!q8&$s@4ssna461KKff%zb4X*+!=BHx0||}D9iE! zkQbV+yMs0<9;=~Ye!fGrb5+D)rd!t>zg}i+Fr73ln4F}U6tLMgTZ*X7ej!D%{Ne9@ zrq{2AcMkJ*7o2h>Rl;%`$f+tePtC^b5uz&SqWdyobBi$3sxYxl2ZkEz9hxbq13Ss- z6*0X*vo2-LmWmpuoG}FfZ;zBQT5{Dao_DV{pdcWJvtLlxTKy&$wDKF=QFa^uD6Zr>zF$>x11%y-yl#w= ze;2}szRDQN2)|wM&6)LeU_8~`b#soeK+0ITg#g+wtqfqycIJ)&77H5wALDp?!rjiH zBn`3s}$)wCE9{}-hO^NIKz}9mwqoAZrFP+g@$fCcg z^WMN&^Ox8Se(HP_q+ly~G3-A!KzA^+fYf`*RV$-jaFV}MEU?JQ_;g$1D$$e|?j5o^4w4V!kJCOx!d4z1$+t4059!?2fOC1rq zwBmf9E3!`V#{=zmm6?KV&5Q#W_dSV$H}fyg=XioK7GMBpXDRaJrR-53h3xf_)s6^) zEJF-FjPL0l{JpNf@V)TMoIEb@SdeDKeot0ZU|$H%jzgN?P?faY2+yBh4Wq+cxFVKJ zt%Fv-^n8t3FN@>O(3W(|DQ3C7MpHN3M8$pT^4Q~v+u$e_Xp6Y@Aa2D^2VU|`9$0oD zcvq`T-8uwsueIi#H6&yXKDUUJ0i8EVe$6%u3OKE2)NWutM#nwj;?v1AzdcddaT~Tw z9UQuKXU3l&vu=IVK>a0`o4;#1GXfG>0<2;B&6c?%F4`+E3Ii>0;o(h0lR4U(a3Z8(>KHl)kmoSaSCnK~9SjC!9Bwtviw z8wsHVtYjt8fEgWEG-6-P^L<^#nvAk6R?)UwCYe?!C`XSz%-m8y29onv+ z-(H+mZwcCLDn*MR@!mVlx69JxRf0^*VP^3MD%6h7%FHTFk&>70;}J*4K$GC1beCvQ zO%-YG5JhXlK_Qe`V+Ns>F*btoiMY7M0DxmP*}yCA*+|GA)n~nX`C5`sCFYL2~6UBKWtZyTkLaepqi6j>7xt$p{Q;n;moWuBPo17m8Zwt>K zx4IQ{)H z7v3mqL2d9S@ol;zTAxqUjmVYsZBr?Xc6 zmhgHp3R!rAn_X zgQA9|SZL^mR92((;iHw-n`gVrUGjfSIEQozeYt>q~F#h<+SCs&w< zz_!Zc$(1Tm`M_i3xh{Wq$tc-an*QAT*F}acO2<_z|4paJ%RXnzpVI;O+sl7Bod9t* z#)*iobru^xTBNC}d6`{QLGSbH^TA>o2PMzI~m2`DzR#g1Q7b8pudG= zn72TLex}#G9PZt`HL8LK>`btPbhVjS*2ks5>uoK%+HPOTy)n`98s2Z1yB)$FFe&+U zho-|7%1;$58a0EhYx>e2YXL`bo4(9Mi|MPRX0AE~FcWGohM>;QkB%F!yjRVA151%- z>|FLHJl1p|JOZb}&BoM8m?~W#EejU$0gdsy5G2ql0HnA z$G#dRWk+3%)Vds5hY+=S8_c~(yR;ubZF^&g7KdAY#=ZO-;}eRj>6Wk5lSt*`m<^>| zZM?GZk(N4|)L4%S)=tv>X$XK3exJT=DX(CXOn~dp@Et1Z%Om1SA@s*!s*J zY?`l}A)DLAqkN(-;BP_@o`0f{-<5(cD>QC`h(}MV=QE_s{>2AQPg(so?_3S9BO6`= zVt4Y3uJ%o?d3W>s(>6%~r3FZ{Ig>w}AzV0l>jO@iIBaW- z7%r~a$!VbAg(%!qMXaX_j#pF7oW{~#NnJ4x@q4Yl)pJ5vNygT^%Xyn3rv9e=h+e&< z>rnP0(!}lO{Zd9T!=$rCczywld_@L$PWVWiF57LcU?XpGhFX1$@0WVH$ZhNGwthoI zc~(|iF8^+O+8vW(Gr(rr?&irPo~PZOeSW|0aNh{2o6q|FCf<3i7d0Z^m8Lz0vbe3C zRB0X*X1*|#$&zqX6H@OPyQ@pYYxiIX?AIBAQ@5PoX&CyNy0K)LQ#E(m1U!i5K)gwJ zO{2x>Ff;jVZHB_lrdO@Ci@gcGd0YEOdQyxlA<2hz)6_fAn49R-Jm~f+p|#y(@mBZ|F|#G~=eKK& z;O)qJgK^!Dr9Nj8A2XbC_egxi7D+0p>b5Wd zRRC@N3O>4QryeFk9s*Q{=Dw^{r{OMFDz)s8n|qJ_WImjDa_3Dj!iYVfPYxT}<(r`6 zIwbr5qhY*-D(^mKB0{Y2-d8eK&v)#lvegxFk4~@YTT1BYR2@IxQuVU3Sj2yOGh04+ zA}@JC*+?KYKp?d{Y+G~G)AJkk##UK|{qVUN>bNG?l%uy#Lzph6EsWQJoPH{xzh|k- z)>t``DNul|W8p4}_e~fL|BKXT{~QbjfK$4I5FcT%g3D$(s3=4KKv{{*?@;QSvpqjR zJ2g0<9BfC2Pj5^4p5b2<8VBq!IAIjic>IBaIZeJ+%L!-O%A@GQ)zdy6=3lB29sg8P z)#=CrP?pXq63&%>pP@fD8sG1KSobh?J>SvlZIRP;^CeGsZQKL_^NG37A$>*}{GNJt zp^YQvOBp3sOS~dlWZD76QN_YU%pz9zJ(v(&;d!mU4s zm^95#5r5jOfgIg}$~m(mj)A3r2`l>6+RisN<;{NT0=zq-AH@ZI!)QN$G*Kjm_;pYR zAIW+7=kkc4Fp`^)NFQNXJ42eyItmEMG85-(ldiT*1_FGbp7&~~S1TgzDENTr9#t8D zi>MoYKuTPAS?1Q@`7M63T8)oR3jhD3>K2oiI^u%DO2vnf@(We!>Wk$As)Vv>lZcn_#PP|J$ zqz{HzUeVupWR{rJ>vTjv&u~8RJ)e(SXNt8a?*-cQrd0}ip4g3QF~=%gO@-)|d0#k> z_hQB=9Wrztw_|Lv@w_OLVjHir;-8FHq&Sbg^4k{|t1q|_>!7Ef-Za-~CU0WHL+&5` z8S*w6t-yh^Jf(sYIgiu7_gd$5*b@va-mcx-MY}RSx4gbkxVbEq05?#ba!f4m-ZmNa z3d5A%xi?>**5_lo43q!H|k5O9HtGX=kEvp6a~;(TV}^6+LCx1JLW>V{fB zwz{nIowD^t&UZCBZ_DKIfn>I;!#9JsAf^1C{IN%Nh8af`&Epr5_Xv+^!b}=#-nutq zHUE?9TkVKscmCxcO-#_VfR5cVo5j_WRK_CzX zC1u(eT|pP=P2%6u!%{2EJx!L9^vl1Kjx-GTBwy>>8Aeo7F;NxJ27Vl9@OZ2~ppKVh zd&aYRY!>Xj#yQ{B2T@DEGwnEL3%95h!#(n?95(hP#r&93QGPwb#%Th^cPF$?I6HAg z@J6}VO6CpJrO!lG`&#I=1^*Vt)2p7RUtWNOEzq53$qbrH(_ z`5whHqRO^~_>PSsYkUELB;kguYz^b6b+gamwffvaN08d0Tl?t)2~!wLc^lk;XPKI=hSjbhZc*DEBR zdtZvkO}_HgV!QWbC6UwMBy#C;dx&RoIL3P5b1gh`mQl0@xK+=I9kB~w(sPAq$BKmbS{fWzw%3SmfMYd;7FQ^377ZjKy^bxC1C23olXmz zmfOdZBqxZIGUe$IJ)W@hG?C&e+N&vX-^Gypz+p-3N3#kbZ`(KPKOB3$lH>b2fgipv z#%!Fc@Ym$#5gAJn!uFU^-m@uB_1++3;N0c)fn4oM+cdAK)yycaJv%=EI`7H5`2=?} zV))OGyq(K7wylpiy(U8b@~A}W)DZyrP!1>9n7M5Zq~+g4$OzIw zb=Pa_RPoWwSDXWtB6PVsrZgDCdkA9Uv-ulX0>epq@cMjRC2KJyxakl(j1yGL2mePez znq=Rqk5dmDU}Zaaud6RXtM^N~5)=Cz3nO7xc9TYTw$JI@{isDGSKqRFBIj~l1k~(W4xP6jlFRdmR&sKFWmRB#9_Q#y8acfC z0YnF~AcUndtrce!#(4jYgvKPGVgZNQt@?uP%uCD?LF-SL4v*kk+e*J%jxbn!HKv5KfD=v=8H4ag`AGmTLqE(A`#d;W%tpK zjNe#3(1yL_rLkv0Hi1-VkQ57DmIl7k!N$_l2hvh;?Bz|a4}-xmOf7QzhynjKT|#1% zS6**arMfi3hwEa{HF=3|B&aY^P)8z2?&{cl6jG3Webf~Ky$b)vvfN$+E{Tpch)b{g z_~vq@;t$Mv>t}i19EjzO&)>LKTU;|GI zjU3+v&JQdiTMH6}%Ro)%q;q1lP2C4s*#NqlT zLE?b}($*dCAfqh^T^z4n4%HTHAU9*T%aR~y`Yxa`sT(Etbx$J+*Tdg&YNJ16D+?Ct z{|m@0xdGM6!x_s@9#TUO954M%*-Xpl95VD*ICpz9(1WjEALHq+iupWhuuK8Dw3md zEN&h;By#LTXm-CYA+d00EYK%`*W0}D)i-J+h+)Bn&mB~@z~>;@wJDlzr0gKGd7XtX zGG`o|csM)4!poKbe*-i626f=T{J>Qas)Ta$7w|r*HETWSr^MKIIIE>J2cGLX8LF#teb^NWI$yO_ML;&tH3$;(gxwohd9gmWAghY3Zi`a61zE% z`C513`U{TvP}+@&tpyi0x+vr65F2!2{rbkso|2szWjlk?nv!NuaI>1nbI$3V+XY7W ze;HJ(9S@Vzoy&$p3W+=K(nn)4S6085j8as(gxvLr{kt9rS?JNh7tMk;%}fLJH@OZ+ z=03;*Yst^#o9<*8JoFOVA5 zdvg>Btmb6eYyC&alJkDw-S@cK*L_x<@@U!Ln-ptdOX(6MIC?*z{44waWJ1Mi2CqJiHm`q%(sJ2cL58jK}=c;qq5!o36@a$aayrJj>~>3bJ;&a z!6^5d8VU1f3P&0%ef+}?iya_YG*?tWEvno*U?RBA-X|0)HZK&Jf%EO}1{UHj+eM=a zWdh?spgh$VLzi><)iCEmKAg4O%^7JW#hJ|smzpS6wu3;QVcTdHUGSbtR{vU0sxd~ zDi3iSuEH0*oyg6%vSH|W`PbQfweijg8OB&cH{ey61EQ5V|rOrk(zan-opL0Ztw ziq57m;Y8X~&wu_UXW8vxilN^mgr(G^Lc12HBWMh(g4_0SZ6Z}Qv7fHe9!60wl&r=_ zakm}%BL?P$&2LV6G2I7an`FS77O8#N<#}uJ2}ah0vYT)TvN=Xmkw`nU$p1H+PZs*= zG${Q@z?;qobH!#v%4bmbs9^X7r=mJ}A@=v&L$uRk&avY$a-mDptu-iZ&*QGd^_2%( z{`$YGnSfw>_1R2@3VRBOJw{`RqdPqSyI;qcgghRVT>o8gKIKd4I1*k?H{KeH{$#hS zw%ogE-X@6jyc;>=b`K=yE$Ds5Yr9%vOVhy1KQ9vVO!BGoaK1sdl0?RNUv9wtlrzJp z*rE6Fia^i2*k;8uxxcLsaIHAm%d zm8WgaQq%%S7kmPI7yKzH^V(F)nVW{r`;!n>okP6QLP9Km69&N-q*8d|n*-o+6)HjU zpeJf&X;n*NC|iXNV|C1zN(HxCf69LIH@*#pd!_x@IBE>B5Ldx5e!+5dAB>>uipiwn08;+-ACqP~`Pici2%*0i{}q^3Pr% z57GSD{Qff^N-k_bcTv=k&#{6JrPyLTx_HW4R1l>(2cNLy4v+sj3#xDLlW%WnPkZDB zY*o22P=Tww* zlR1o6Y<_NX*m@1CO}%t}(oahhQ}lwz!bhqM@jF4=7ds`HDzAPpP|=?Rd$5sKx!=6| zD53)|>rr|WZ*X+IQl6-<(egXuqy0o~+hr3+X)))sQ@Cb8F;QZK;M$6~#RhJbs3p|g z>_Tgx1B*QRTPfC@&syKj)geB#s&$oHGU0qB2n#C5za%@fW++-Tzuxvt_vqIkfiHD-*V?a8+HG*7uW_I2H=2NXa%WldEYQ$2Sy&)(uX(*xMhNrVv zIYp!*;)0&$^mPl>;DGMQyL)`nM;r9mK=3<(%LNI?KPcE(lVL4YOA!{knf?pnxb4;& z4l{R5QU5+oX1Dn=sW7iQ1MjgaprCL*%bKRusEzX4Z_s2FweU!8q4pxByi^b+_uUAI zLLOXLwAd~Un?7!o(WEnjVbr7y022|g!*vpx8Z>rDu7oo|VsmQn$IbXZx8M=^%|}x$ zidj4bf8rKt()kBfz8d(S?o;KZy~h2)q12Z|x4u?VF4qJbhnKuze;1OKZIwAL&k7Yp zP*lz_uNM2{3G)4)0USQtzcJ#r;GuV@NFk`$Cisl;d!d`J@fP%`_gnPbcVbDK^}F$5 zF8S!El(ic2U&1*lC`2?~$HIj)){yzVDma{ZpiI=`D?O=@>3YesgT zzGI8oZoxMZSaRa{KEUnoE@sVC!qh*IXaEjAwRzxDdofLYe`9;VKaR|+|DfR|zd;j8 z@OM-_BZ`TPoyYcP-Rk8u3Z`S5hvz*jbz; z4>EezU^rE5CC+4taKe>&$~^F2x03&yBsmraHrP_~msa;~fKx{s10amri#Pe=OPE;} z#hc%3Ml{Xu+9B?dB~a6zsO1Y~37P4`#6U1cT(j3-u&W-kNVfe^AD7^sT9OMJ&1=+L zY!2HeIL>JW4R?Mtoz>#4gK&VI{|wa#VwFh_D+|4dwf>&Q_Ok63i5mL`*|5x*bN-__ z`r&KRQ)zH+EAM{#2PIXI7r~9W{Vu^~;w(rFT}(3|i)scQs>sY(q!KYo2|Ki2P z`xX)%6cEMYdq_*UNA zJNh;IjHvkD@oac3r`s!1uBis5bo3yot4qyc?WkoKuKQV1Ugq`C2%p@V3w6cUDz(uD zXu{s$2bT~fbl>}rZ&f~UujvJG(05XTOCq_oX-X9gix_OEJ=n56h*<}z?~uL{IcEm| zbm{*7Wcxwx)c?^&<+Q(XZCXLATfM3^lG?n{7rRuiU~>HBp8a%Sy?I>DLYoAION#lEE^Rd>fXpf&0IA zG)FPYio3G8sTztS*%?sji{mwPg;0~+L>Z|V5TpSyy7oA(0!u>QY)e~?t)Y_5siYk*V|2NX+$yViRkJ?2tMyGhFjYiB*94yYD3~gf$9C-$;jvt{NZ}j;&eYBZ!VC zJGp-``fHnY)Z2fmrrsW{qWmm>Qu5y;LA%J}f5j!`_ONycX_i76(!o;MmQ2%32Fy)m zV6b6^IKTl9or%ok{N$Mv3@mN^T^PqADhJRCss(!;KXWe%(E5j3)mVd<=2)$dN6y7n zn{{7&#aX-FOCFwgt+4v+@?GN+l~20Dx#((;<^5Dp<4s%5I%l81u+ok_uc7BJXh$n0 zhUe-)SEEB-d%|+fs@CY|z*tZ%%lN&S!5R;WUztoK-% z0JCoJ#D+87`4>nJy$W6CCqi7E+Jf4XL*ktFY6V9wYof3YBqq(W2fYPRw-3+PT&yLN zax%jIZ{r?P!1qJbow+rdSvW79*&-gw* z3pXHUzk5aOWBVV-0AbZ_@td_X|CP38TP+9DTt6w%-#XpJ0Kld$LbXnUM5*oStVZ6fn%tk>~* zR2*sYRvn#V7{<2sP?0Nd?sIQ~|H9HlW1Ke_`OJVc)a@Tt%aALeov7j17ANpo_bU$I zK|QsHn`zE3C_HxjzmpDI5L=97e+Xm)?Wl-Y)4NXZ1b=dPiDp* zKHB|*l7__RjTdr8y6Kd7K)Kb>yVX)toN zYwl;8{Y!-H625)NO6$bi@fs=g<>D{E`7>kvCm9AZs!d6o#C_xVqM5d6U1 zl$5o}dDhwFFZbr_X)$UnhnPRW=C)}z|1>=r^Msc$Lw(|3p;y;dNpf&Sgi@pd5`^9J z6Uy&=M1g>^+M-k|)tdy&drYa4_RPigP)7Dp4BTF*cE$P4e93U?m#(s57hGv{ORa2) zS%5TcWHD%=u4J6B5XZ5?wH==ClPHm|)>mEsd<6Yf3*>Vx_#2SVn6u_w8&_6N!C2oU zcrq8y5IF=It`t)zlQNAm`N>#sAyJXi6g?u#zWno>(4dLlBf?lT)xBk^*xo9FR+|@V zI-IuI z`Bow?AM!L&+_5GK%-F*jK*_n#X3Mxmaxblzd)%L8U&m#3ZzkwoL@Bb1FVsA?iij~! z;&z~|al7{pabcQbXjqj|$P zHfi>ZnJmx#4-o|oV`3Q|Dml5uznZzcF{>zx-FySa|M-5Jh|zws(J1u~S9*XO_{w1^ z?Tv|pNfrA^o+3EI0on`^aA1tPbChadOLuHk2pg-G5J>lin8|Iw3x)hew`1}V0@|js zmkuN~!DeZJ#r>buajUyO`QI!||7xBuBYBUhRVJHKqA*UnbR90B;!@rF!lYJ~z_oZ7 z3V9^{!HOg4EHE=o=YQ+Om7L{c zY0}>&^y_dw(}HwfZ^Ph{Wa->*mi$epWE?dG*Wnm)m`oXo!G1AKzsMH?k!pMQy-?Q) zeNa))DNz{=P$DH>}zuu-rD+~ zMN{}LPfA}KCq32emB|s-Xz`wS$r6Qm23euj_FntVlV81s1V~lSs7&N=z5=t1wGnw4 zENu*aqLe<+l6$TLx`3%M_v3@ z-cD*aD0cie>heDY_5X;Jkzdq7j53Pu2Z#FQ7T~a_swLqJ6e^#sGRcUyMSm_kDydS0 z6jetLr(1xKrmqoOcc?=YYsJ5VrbuSKm-EOQeoG*!zU{ls1g{_ zabpVX4c~440 zV+{CCQhBF#)03vi;Vwj&rvlv{kC@zczw*KoU#2klf(;~`U~dn_v3Txg0y%E}{8Lm` z4zge=+Y1`swxBGLOJs*8E!|?^4RS}JAIm3~&|z;g&h6c)sGFLib8&IoJ1x%cO{v{y zuy6nal{Ns8<;kno4!fl}788-&U-zG^oBUmuo@O{8Y?O(n!~e^d{eRaOg9o0Rq4(5o zetR$uTboBo49-k1GPSxj`YFWGNuA%8brg$NA8^)kj;;@lVWa_QU=e=*z^-?Kiovwg z`5=L<(mJ|iX81*#gYP&(xtW>*C_*qq12C#OouvQ(xrU?d+_TZ&!Ok64_=s;-l@SGa z@P&BLRgBuY6I%Vcy~5}nS@i2gR}^P^v?@Y+;FZsg#GH0+kH3#=g2USrC5k-;xT?Si z9}UWf@~;P3cg66$aTHzG)3>$7!}SV8p8}oNV%_>0pkt*-8!uZn*BbI;m7BW?L-2wU$h#F_nP8h2Ls2t#7>l%Dhni)&nJe8pv14|@c-Sr` z3I{p^dGmLLBd^gW)(~ftWeJox4cC=w$7!4hvwJ;W@(!atxQn|xab{AR0{XIrx-<>+f5H1-KQ1(42NQY} zknJ)jp%_`p(>EpB=7LQ6B!r+0Kzq2wN^^F&qMUl|d5$qhuqVqB3f z&AHlpF2(T@4F9SSB#9|?RG`e5fI}*?4)ka{;deUn?zMN0r zmu(3dgx@?j_b_nxF2ng^rn{*{ix7Mj-Y%GwX(Bi<1 zyFodGP31f?Hh_WDn+4ZX4KM;2loMX+IH1cuCdCrY7c+`xDk+?ONP{dJ@2C=q&mtQg zX*^Q;#%x+@UnKc!Pm|G3Oy&)Ip8~Vzy_JFQZX0?Ir^6BE6jS}EvWWOUQV?p1cfUle zAFG9C3<64GL?R#|rvWsfdljRew6;~%Y$Fl95kg7BFO_?Mm73gSSrH%>L6ekGc0EzK z4QtOT%#vs}m!46oc#U*Y&ZJIP!UT2XpzTnDBwa{v#F8y@R#mA=Pl1o{(GtxqCxGk^>c)e_|ydWfW2rGN&XXqcfBRo>5CN2^}dY<2g;V#sg)M zu;SYJYKub^b=^+tA|biwPFzBYvcdwxat*6y6OEky(l4zjVK!C`}%Wj=tRl}LmC zzf*Mn4=h*wZz?jhh>TZ5)xjT>9W9V$(TtlJ4#q-3EQp58^eedpo4{}71lxtwDoRiW zqMld~57!~1#>2)Y-GZ3vn~3cRi$*%K1d(UzA)9VkQEOIqt&=$&6FjI^TNDE>vTqaO zG(;>>nbsXo&Wvj2L1&b~?{FGT9Vi=C?oTHzp>Hj^(xkb#`hTk3!5z;ZRaII?%x8@pW{nJ|v{7LyVdStso*z)uFu`Urv zO>(S?kY&xU&i^jQ${-$7nnJf$V7L;bkiA?U{?BUv+vR-;lboUTCb*|2BJQ=vAaz4A zWS5I8@v(}=N9zyLRfs7;F=#m!#k`MFtN*u*=4c))vus0|v>}r6U6N9N&P2a#Ael8T zr;hGIsuJxD^@^&zuVCEIrEn8Pd8u;^@A*e~%&)zJU$44@|9=hewT-%w=s1OcYwk}f zA2pX8m7t-#{e4s?AQiQ#fh!+^gw-d`B=$p#u&}Cq<#Z}hNQwkSj0Su0SZ#e>%kflH zeYfJtuM9t94A`N1132CKr0F3+%vx4PTMh8y32_ zd$6hkfwA&RWslBjq!|2bVHFRVW8|O_MK#5;f^KH!hzZl#^1=epgC^XJv2`|WZKW=ah6c5k#MUyYs67e#Zhm8F3Uc@m^&3uet)v(ao>`fTjHqtG zf=zDDrA`$U>4P9e2qTBi@Z`4FQ^$Cmr&j~QK?svr?v0x(TOPs`B!mEC8e-4l17`JQ z0VX6ZI+G-&2TfWii)Cd}vy1^HD$ydy0js2*#REzGIf7sgAFs#8J3ZgA-JUnyg zzdDXA@0;fCfAD`Vo3lad<%1t{5%hT-9Wsv|ccbL9vs=+=Y1obN6>2If21^y1a|njI zsiY~zRpDimjz~5l1etdf1vFO0mX}2dK?0y68qlfakF z?Q4O{(B79@d%K^-;3XT|DEd(f0@K8wY{@{zghY`mg|eUy0U)V&G6~CE~=)9F{KVz z7H0-~Uw5jH4IV4JPHKW~GNh|sl?U-GN;PQ8Dy(oe(Xc-@XOu(TWBxP8Y8^}vG$l|2 z=kGHRJ5Mtji^M~>;;5+z1*6W{j}ko)C&EN0!esY#E>A>}(t#@#%3Khg(HYVLXj7tj zsmw%3a79Vs|2J+jyi`a2Bf$Z#+R2!De1Zs zlN3scNy;qJ5nU;^p&=`WRCvv!)>rUE-;Hr-t#RE>INRq`5{IqvHI`6R3&=n*g)ucF zhV%=iNLrC*NzNA-x~lh4gR>FswhXFEX2!BBn;{OYR*9Y6mpvR)6}C8f)5}(AffSTH zCb;G*yFqlD5+ag%l4Oz+n)*Cum?&ZaW|m$or)(x8NIFiVq-SEFadS1#iJCVbJBkvr z7~R}GImw6acjs{PI~NZMc%i&sfx9~T0dbiUIAQ-;d~$$~8s2>s#fCX~75qZT0KM57 z5Fbhh6KNDltlpk^XbzgN9_&*L+HAXzD4h|3tLiMt-dE2>)FH$fXP_$R9+ZOc;B$?_Y=d&+U>=*zk~L1cNXL zDH@pQA!@8h8tn)O4;H{iu>fjYW!g5XB@m*^)Xz!vjk1h=0WkNVuB;9QEitj}Ut-?C zlHEU5#@m;sH3=1{93;~;#;PNb4VPz$#a5oUNMCq&m0203U0KKh?WuE6;($ymPBRs^ ziR>~yytlI_PJa!43LUhmv^4D5*%^y1ib&ghQ~{_Bsr&Qawd*?lxbWV~`t}EUvaVa| zTbxPV#^mHAouY27Q4rD%6C4g3+?N(P?MV<4519S&P@Kkh9{mx+|Iu*-q7&_rK5c*wjDtT`zS(UzV$w%ZQ%N=dI*yK4bg$-RpYC zWxwQn+6MgEn%DseEFmG6zKx@^Si)LN<&BGC!-vX_HxR!0xaH}R@~~`nqKnMG0$6n- zOOR?9g{z8Ng1B7Wh*XOYRXzwdEVF|y9xcuoy4q-dWOk}yLL0~ma5UE=*%ZfPfIH4| z%>l|r_+caR-sorChAB_hG4@Mw^yRvg)&IP&8Fnk2Pm0*7MbphpWLiU01IYyp>%fz8 zHX71kMi0xxxOKgR4#SxnmWkdyE@YpHx^o^S9iH2D{Dj2wNdbn1W@{!cHls3Vk;-}TmFFxT-8U2ipZ*`mW*n0Y0`Pj{LSp{;ZA_Jagja=IezF6DK$ zK+o(jK}a`{#67Pa)Sw`uF32qOA<<1kGg=@`?~M4^TtphhLYv#*29s-|Z4d(;%^UU zGM?AObind;;A@cviX`HNstpLGzWQaqqiz;M5!S-T%@-Zgej5=6v)A%!CDWgg^#N zaSj5}ul|WjzBvWCEdmR~ked@LfOhMCNtBC8L^R7F3rIBtWX8b&lF@|7sF55eG%8ST zEl9`m(5eQA4nw7I&yWzL-UV=xN13r{l$mLU0Y`|V1V1y00H}0CyDI!|)|w^S8ZMx^ zxL@Hjkq)qRk-e=Ip?DFz#&rlY=^R(kgT`L|IyP1n&8Xj*DHW_^PCWZ|4h*5o1)wV^ zs9bcgRiQjX*L@{H0J7|SR~c*f_kJgt+)W@mS+k2Y(z0&9HE!jY-r!_^awSr6RUwgO z9j#ZqkjA;$I^lI~M7J$FS`iKk<0%fK=ijf_U6t=7_iGdBVMX=iI#KEKIlm))3jcq5 z9%J+V)TFTkHYD`DqgZ8thku5QQQ`^bfC^MTG9ZSe1b^2N2viybB<{ALOmT!2BPsrF zXE~G5fwD>sM^YgzLkkTFYJr)hK~g5C4e_zsnvf5pyl;5Z@I!Wl4flgWU`!1208+;h zeb9s*I;NaJ|J{IOO{E8Goec!TJXlt0{wFpGci7%sYG zz`nL%QF2r>$O*|6swQS|eKm)PKYD3mK{cqsk4B-Y%E2zFR1MtTFL z=We=ex;)N1Rl@rvd8OAe!jwPBI_9%}LF*6}!x_*0SGUtzWhb(CQM-KUOZV3GGv?t} zuoCvr|H6M2>iv1k`<~hCDiG(Y1O6~EKNi6S3Jc|JXi+6~0JKu5Ou30}-7B~TXJ+=d z6l(zn4F57gg^Sd2KGggV6Y@R+N#1vo$DeIv9UxZZ`w0t`QNkE_#{3ivD9$AX3Xz2~z6f1BW1$-S z>=?MtBJ+c{&`?oA>MKw$_w*>=@4HEm#(kmq`x5o2n6x!FzTdlKLZZ6CWgC2?22rQL z9IPac)hje(YQ7oyOri!S!xqn7PgKLt8fb5UVtnPb@PlTo&XeX!kL5c_G8=Vv_FHGK z92~=qZl3 z|9&Rbs#MR3%e#>{J#Dr8Zvi2=^Wl9xPSEms)$;l@>@b8?Oqf2&AzTYLPEtIzQ>d&- zDtdI;NGIqDVIO@cX2EVhz349wv`pg|nH#}sALKw-w z!W$BPdTI&)fl9YyCrp$Q5}pd z8Ce`1j>gm6oPdX;ICzC0j`PgRk|Tba)rbUx4%O=j9m`$>>jc!sg-btnI#q#H^ zhF~);zz;bN{QGW4^$35|>2r)7s`mIIPIH-TFMgRM-xm-59zED?ymXwaPM+=(w5so(LiI<^Qk8yw`x`C6*Mk2XC0+Um*W>>1yM zXCisg2Njejln_J|PYGKRj8_mP$Kc=l!6l_E5FfBO6) zcri4(9a`F`oX7r5JJ?=q>|)5E{(>5T)~0cio40fHKk&Jb0l#X! z?tbljTEju)eIbO1WX%5b_t_O43#ude zd6fi+xqWW zua{Hgdm+kPT7+Eo(v`5tw-Tg|pxg&B6gmZb_|7;4;4LW(TM)k2ri~9ho72j7irI*h zUd#4A+N4H_;5CJ(_c~X5HyR2|5#I>K6wLIOU$(G)oX?TvVUvmTI)AtkW%%5*TWqZf z`1mGH9)kqD=+LH+dDAnTs|DU*j^mPRt}HNhGr;_xb?Er2D|L-H-crkd_;&1W;rz0T z|L?p;M1r3u%*F8V@EQ+O+$k)cC`_pp`=r7la0a}-W_@@=;ShYBE&*lMyZQhhN-yjl zQe-?1Q&5kGo79eM7+96(E=qjt4T_p%!_fYjy<9W7@-r0wo~4ncN7cjZS6k(Z*8FR! z6mqc%npE>K_I^myP70DTgdM(+Bsx$m-Y;DlD8qIsXYk{d=7(neWLkp6DS5MYd=I!# zk?cTLB15Xn*n%%b#g{GiwKm#&B3Uz3+_BZuWKi5O0;R}49SyrlQ1AtX;e4oR%*mT) zv;sxmc?x_0AI@Zvzki`Mh?_zj>sGq{^2dnOdf4P8*q6L+rT4bqn{Q_7ejFDwaK|&> zuLJ#@btW`g7@^~d=mgrTA|0%n553UxIY}K*m7@2ra~IFu`Ow4O;28FQ+dvF|@2gJw z?q|Ngd%b_J|BG=6xU&1rGz4&xdV?Vj#Tq{#fc#R#{M5x7!8^U^HsT1(lbl-V?1fup zIba+%7v(iz_?^!}ZW5XeWXx_yjx)gof#ix}rN|V~BLLX@I9{BsNOuEaUEm3nokW?t zCPGFnp5Csm4{L@eUtZ`$b9=pt?kqC8=vO<5f_5bI0IWTn7-uXXaKStf+2jW@FgCFb z6s9F{rf{a^90#o5gf>CJ3mq6o4oj5ANtJ(2pLWYm*-fElUaN=WA(01OHW76HB1gf^H< zOkv$3xS;qCy>y39c4oP`x#blW{tHgS5(yuI!m)!SX#=< z%M<#y1;4J!ln51Q?L*AE5l*RCe>L5?#Vwzg0kJc2~h=Q zV7sT|OO~h7tjL#Age46qF@;H(&Xt4@KFYC=_qKYu6Zv~|z(KcKBqgRs2yh7pP?tLH zuyJC}oKZB@25ZMuVm(OTH<#JoMc13vza~GyDWxHvO448t%U8XzZ|Swc9Qr~SNMt*y zfX}ZupMl4Poy7W+lYq(DYW~W+tb`IZQu-wMoWq}!Gqi+!!YIpWq(Z-Tnbrmix?Es^ zT|*!1XeC_{Q$VaX(t9}ST08*=qAO?e{@xoR=F_&dE5!WL2K>nsxQSZU+%nlMD?ys^ zsKFg+lG-eem3t25<<7>>upKkG{fmYUdTL>RtOmpP&LdeXVzf8fAf zaA?@S+X^hOIh`xis5SaoR$h)Ark-0wR1|OV+dbVFZhY#mC|LlY(8e9K)DX$ua1TK+ zj4LgN_2mPHTiv_ODc+Hrn}}yOcqFTgr|+$st%d?cQ^u?ss=&}2Zq71z+cqJDyqo@* z;@>Ie@YxW@OMb?fpjhEfOG~RUo5XHtY&0B+1)R(m$DnXNv9Ckebjy(C1FKtGv8dIn z7WlXvb_5m{7cEn^YG_@hZK6M{m#b9&K_cRJXuefzHA+1aFc|b8EPn<9F@iF-J~n&y^GEMP%l*R9F_2(4R zxwr?c{POVMx6|2;dE=E|7M9U!RT>TxAVFDz28Yxlo6nSjLB14oHT{{!ZqpOMejL#e zRyeLE!P$q&X!Hw#=fnUG6k*9k8Sezp(rY}>I_o<*`k)SG-|_a}dRT$du2SctNu0p> zM$~JAJ&w^86=CNCGoELx$m+p@t!y|DkE4*J6I1%{j^lUr?uz-drG$&Sbf+^271W{` zB@aSHpJm${2tAFkY#eJ(l)bxXJM&`>L#3p$wpVVygt7~ytz^4)EZttpSr$q#AqlV1 zbK3Y#?HIsWx}6dGjr}*EV=4Q6HiDo&xwJHcLzC08KD218#%-~Fgl)_J;;wNdm?{oh zjR-r|S!@gkhO{6PWrWoSKh97Y8TRYW){aNeX5*j% z3!UGuNeVjxLx{JNL~3Y5byVIK?iK|K;83x%hpg4{&kL*^1}cSTo9pPOQe9T%h)X*7 zI=^^%%ryoT`63^xqWIG*7v{A#B?%G~3HRpw`f}kh?Vz(VY~9hFvREmavf*0~ol$(~ z@=HiEFyoe*W2e%;Y=6N2^x-se;Y;}yX!t^1CngwsNswetS#T`*2P~s*9s0)9(3TsA zyt@)vS-%St`dH0LKHIs&*m%}x9jHf=^8#HV4 zztBprWh+Eq-N_ zLazf&C>-Q~3Phr*qX}>Wa-7<6S$KM{tr#P}bGynyUX+m|LnuUsPx#RA!BRI=9*^Z` zh+KB))DxYEX#hU7^wOLdXBTTK8pUH7xatF7wyq77lZHPCOUtWE@88&h@T1xn@=rlU zG1vL1EzVBDR&CfRCAxLMLag>8rRpvdVWP15Z`L2Ck9+jHg>~jwfGaG{2?mcD^XXiKbO>_FyYc^r=mtYQmo5$uGggT_-cKDyF zJUZ`oJm>*N0|B`6^ulea<4Zfaov&#PnV0k=)vZ5KzV-V2{PL0#uG>=#(fvkp{_UO< zU-o_Ubd}(h?#lDMnmZ~-%W18+36afagir}@);9DI?J)HIueo6=gPA1HAx}IbF#b+O zJw0|&juc3OYPN1K=YFV=7f12-cujs>_C8@SN4#bGxDd&E9Suh?h$O`9ex~wwYa^ngLEZnu~s-J10jtQ zDXjSbJ2`Y;9P(4G$}%2zJ2NIr4Id|{g*MJ}bR>>gk-i{Gq_VN`r)(>kOHkSjx=sAN z*l&MelQe^Nv;>erF7$hy+LZ7n!#x~wXU=do$M!L&fB+il!YN=y| zu@dg%9;qgTD!_s%V_$|2GYYaNyzWtFPwg8}?0oq(LEzDlUGWkpF@tBSHIP#&{r&tz zX1DnGkkL|T`rx5l{}tuKX;IaR{~%V_v3cT>y+S`GUY-xyeZvvM%4%Dm-RUWv6^y>~ zC2y_!wbFjSj^I<|l8HK7Jt5=nAQtx5^#&(cbQa6hx1+pf=SG%| zq8v+(;yl!-Kw9!2vl=2~-b|KiMq@wu_~yT&2nny>osk+xYU6Nn{p%J=AI!tXi$X!`aWj{UH{vDMusv4W`I<0OAB(9lC$1uh)RkcbyuY8-!5+0Vs%RLCmlj^V_UR| zhWp69>*t1tW^Z@O*3TFRf!U1 z#{|*^KI=Hzma7E+?)aZ@?^;V~&~|x?69TM825@9PAxz5=gtRk{(YT5jE3 zd_Dr@rZNisC40TR^^xh zGhu#2Ngh~RG1&FvcHD*#FHG)*t_K@^5=Re@+=!5tn9H^ziNkr>H(M%wHgEk#b@e@S z?6)nSr89*-q>6110-8LCm7=i6-m8_Q@Y!)?0gO< zjMV^{!XnWb>=DTG@mT%-92v!Kdgu!Z$5?wjmr>}QMZpk?SZgf(k zn{BS=HC~TaGASH_=f3~EIH#(`lr7M-@~v6nris_hSSW2UtgFXVa=9oE6Su!Uz{bk0 zjL)K{#*cr0t$89YW#u~GBA6_Et|$+ZE1i7cE3VL=Qp|*=Fd_^-dog*O$%LFHHx%EV zgMpE8_i5Wg%5_+ciM|TjdJ$fLT(n*)O6PBeT`!8Uai05aBE(6ol|5%mk4(ujdHSZj z2)M1?Z}##X4}Hupk6%annh61z<5`?)j@mL2R8Bc_*tVWVu;l(QmmLHSTg5Qn{PPeZ z{X6m$*SU?Wc8$UJr7<0YJ|Hy5tMN6xlhkIB-0Dw6z6U6?$u;>+e4m@|ty^*;VD5Df z0so%T{c-F&EaMG*d~S9@^WHoM3rG;=+SLeZPBtHrzS29q)okD8kUVGigCfCfjrSoc zG+KqOA%^o3L&eL17Gx@LG92MLhbls?ByVcNwa4EKX1QUJ6QGqC=A)XI!zwO^jGfi< z+C6E-qEkb+->;}tp2GkGrQGy+O+F3Igv&e}Ipw0e=>3fyF*~#K5qcTAu@YvNO$@0r zmfj&GNhyw-+M7UoeNTEba)=z#dB}gn$OBXmIn-#vWw)wuWj1|5*&GP_CSjJArd{bn+$hm>(T0y3W)Dgvu1S7vZ8UwBMAYnFY)Ib3(Tjbv`FCHT}6T)#k50C6j|ouWurw$5XK5hk9#es4~ZI;*rbG)eTWOc z6p`Tev`s-({jP;iOeN(g*u@%{i4p^#x$esi_wcm~@q^(yj+BC}MJ&?e{-ft9vXa*3 z+TH$D_MsEjkGQo>TAWZOAkyr%1fHLw$_|U6?}xX>zr8!~vSajVon*W*^BYr1-``Z1 zQYBe@wy_Gj*MhSMu2Mke$cc54GgYJT=FxkJSbGW4zlrTYSvQ60gl<9ob49Y$T!zaA zz3qN81t~2UBdZIw`1;NlchMnlzkR>=e5)@AR#9I)#u^xUFKzXz179~6&57J(n_b3q z(Ww117*6iA%+j4GT8FBv{GbC1IlO3KD~zo)kk9qIE;0_QQ^KjTTyvc|Z^T}`&G@eD zG|v)B&me|=WV{@YvWfl_&*X=MmaL-QjVMHzO9c9c?32z#tJB9wAHfy|z2q4;c;p7Gay zaFlR1pR31y6uU{@mO{gi)~^OA;jG(fP)a6?2@7xXeAaV25a;pdb#0?|{6GT>kNx`t z_q)Tw^JN65{X}nUFkoHvGixU6s>j({PsCG`bm$o?*niePdb-_Ma$bt3`@)pPt+H1z zA7NnS_uzno_Dx;vd_?tW%##_nUQJbovqHJ-$El}{PCIw|ZF2U4(bxQ`)6>0a^$%#% z!$Ug8$AE#yUx4D~?wAoubq{&YN0#IiJGv(fr#JcRjE`yI;6{`Y(E&a23(sETeUtZ# z+oFPByg|D;qXdG=>T3skwoft#K?>>P9`eRarUA z>6gW%kPZtbj*rS~Vg>NplhDa4idX}I~*m;Xw;@kjZ*nRE+^j<>NeQ=ADay`B~= z>7kzfzp66g1{_91_h_n5dI8?#3EL159GFw6-2aP0&hNJW=jhU zP4q)`tK9>6tLg@`*6M_{FEAOLH(D7pH{fMKBQTkwvPHO=VNT#4sDe}6u5rkHMf8GWq>DO4Kx#Gy z;2NJmP)hF`A(eIi2%?Rk7?)xRTa*G#w1FsZfRpd!u$4(Lo^XE;tmDE*_E3u?q`_QP zJ;U#%DoocNx)s|`-`Z(Gal?1Pzay;qSiN_IS=U~;f#$M(@b>!A+*@tJ2`5KBa8Nj) z5!$kasDem-dM}y~Fcexl&%^qBnq=4cruf@GVNQF~`!d|sK}VdjY3SDKAcx?YW_ePp zGf0D;9V<9IWUA{qAA{ zi+IM3Nwgj3$#w6WrX(JvXs&iT41XG&jHs!xiI$e3{az?($ZxKzH7}*w0^{n>wE%fu zSpBnxr|Vlay|-@jGn4I6??bcr=Gk;UfAd{*HUs{p?D>r2HCPZ2kI}9xG3Dja5X*2j z*|_O=)5Y%J*%rgVqDh{n@(*z3WxlrGFU-IAPTFUd5N~U&9a2h6zRsUAxc9 zs97r>?}u7<0G>D&V4kK-F0b<2X!CtL`t>w~TxZ0ecL_FpIX;AR zSoDLmW~*>iL);me>h@SE60T|EetUK`I6B(Qx8K6o^rsj+W~d=NJSLM72L!xrPfu^) z%|N{T2_Czh=wdTDDJYg%Q|^IA>0F(7buIj=pyiO6BIbahq5|&pNejF_@huh0#57>g zrxJmLoa>e`o}kT^hM+)S{>`2y<0k}%X1o{N*K|a1$#|kW*qi|Ht~v|J|z^4%BQ4M#$?!7O-dDs zamOIwV>UmZk$aBvUtT}0ydocYaEHB9qmKq<%+#KDqQqh7d!y_>@nibmII*zulj*); zr5bcc+FYp~+||d8(};DoBY%&}ktp-U=Sss*lyo8{yJp1-6uSyg-#+bobe|sV#@F$; z#<%ZRod$P!q&{qMv*We%qKx9s(ujty%(Q@3Ia~Kt-bn0e)V3v;{w5+qtL`~$rNHqa z5bc+gVzszC-B>o@DgNpp=f9`{Xivm%oQ7> zG9w8W;jxbbggImSSgm06ay0^Mm?>`)(Q=vy1F668CKvSOm@6O`f`? z+L7?l=BK3O)Z`9^O4+facd5Qw8msy%BM|Q0q1dU5R7|OIg8h|SkMYwY>n60$Un}A* zi&et-`;@MUv84E04SX=Q3di~x`6|v=G#NxG1a?@m(n=7Gebr#A6}GUZrp|>TOO^Ft zXen`!q{+=|d(7bdIQ}`~l{XPWi_w_5OzWWcVDO;^y0d*V#k;o?SFWoW24hj~5hkcn@?*SxBWGTW1Z9)tI^fpqVWzbSu?YIPr4as&UcM$uz3Z=^wtZS-x+U4Ng6%&*J!AP}_Xh?|P3PDDgJAM4n7@wP%UF0MzN`v)`IQ3)wX%5ihQFy*TO*f<+l?Rw^3 z?Q=cKv@a>btCyT)NBLIqRnO-%TAx4|fU7$JPN5G4D zGKLonHCf=KbGqnaoUk&$Rzqhayf|vy_OBMA@-x+)m9w6cZQ!`-hb% zgaH6Rv44#WCRhoa$t)e}7uIwf`tXJ1)Bz}{PFiaI;bT+_%S#55()gFzZzM!sPqz&9REhVJ3G-{4i9zJt~jJq-%XDO?)mSV z_HlrD)BTZbk3v_5ir48G7Ya1lQwmhk22X9mWWqZfaUC1r0t71OK_fX~Pl79AVgIoa zhbfH~i`=r+zi8X0gnHbBtqm4t^gW_{`5I`mhf4k%dziqL%Wd za5hOuYs50T8C_ywMUH6gZ)qL1lbC|)8d`J+<-n38;%%pEbAHgzHEgG`3n` z_INj`2=;-Q77O{GO$v}Ys3C`OH9Fez68&P(rGA~LGSk$`%5ILfMMkW-SE}7{ZsM}$ z0`$R@D0R;Md%T>XoUUzyK>>yJaSaX=g|EGW-e_rRD74K7*CB0ZT zoHS6z#4FI?WRs3Kv|<(4L>ZBMz7J>0D1|jP{wmZ>1A%}QS^GC?$aLBd&(H5rop*S< zSI9v%ewx6!{Vc7~+J%}vtTee`^;kwa=n_*dq_H}>Dhnv+3t^3OL)IT04KJnTId86O zLA&LpeI(@Snuc*t;x%U}4cs}_e<3qG>;6b3Ux;e+G>oZ~R2o~HlPS2FV3yT3^Om_e zLc6r*drUd%?MNZ-MOv5MveYL#HiJ@ri*(GUq#ev~b&j1#yB@cLS#ZDWxlLKIXUfuf zFo}7!Ew!<*iED~qvauC4m!{^TFhX2p&%dsKKk+lDWx-txI#(NVIFYw=oiDjwm;WoG z?Jcgjre}%C1-Jb%<-X8$Zr6T#e@k0Q>-FAP{TmC-RPpPM5n4K#PSJgDM;Kuc%RIBv z(8BL)3X)YeyFK01C!P8)*){!-vE_sA+WG5^X+O0uJI*iA$XZRpm*`vc^_hhCRK&e6 zcz68bx9i}co!<8Q(DKcab{|@rHpA~ek%^4P>|h*bH=3!}i(^dHe{!6U`&9&ofB8F* zK0B}Z8d0-9`!E)#yfS%A!|gJUZ@>6Ad`NtsP@L&xJo2lGNP7Og2uGK^BRCN+c;s9` zj^$tb2AB9Fri};YdmL==#+7Gsju{tal%$w&dCu8{CIAZ zd7gLXOAwOtb>%F6=O@&@g6m1q9c?--e9e%ZDnes&v=U|xE0dwn;%=W=TMDmh8Z0@{ z3Ot=BBUGU~U?D-p_%OLqbNp3Pq%n~B!NOV|pu5Y_B|lJpZWi%=5fM?xDYx;bV(Dl0 z;Ne)1j2_Sg!el369Qc@U+MZMAOv-eam@z3BjGLJf;=E~5jqQ(`*8$AVbq zQakwEt;p3NhFn|~csp{`hBjX=Bx>1=$ul-|y-%lyR&-`R@8rk#Q<^4NI0Z?tX3RT0 z@eerKhT{_VJ=g*%_|r)qF;JkTbkEfF3v};@ykMj`ETMpXjw1Ps9;dCZEyum;ip&Ny zPrNS{7j4H~C+mLSAP_EM0D*4?%a-lCImFSuA0a+JqVQNfY_HCtq_KVGDVp8tug?=y zFS6#929vr=s!PY!!rz&n`lk2W`$!6f+ok;TMWXFY0pdb(1tknnv6m+-r`FrP(PX*K~U{~+tTtd=-JFI}TDnS-XR|2^lu9>hj)4zMf%G3S*&pLnT z;ksc|9i8uEy&Mu3rKc_$3l>N?!kXD}TjoY2ujl3YD^cM#K`FMRtIVUbv5&F{_3OyIys~4b)ec z=B*XhQg2t(_K#8dyBV+#cNa!CR+yUJE$KMFLr2bKm&b;QiaZ#>LM+g$u&=A%h1(0u zM&p%M#`6xA#VM7Zr58PL`}<+OWTgF*YU|~S!5YKz43v~g{GiyXe6$2Wz_YC93+^y-`s1LzqpXHYtSCsA)sV&n$* zF*4Oi5W~~^;-^@!mI-`cc8Qva0A3s)Z|Yrh{Sr+F@NnBU1ed_|v~1RZs1S zy&v*7K70DpvJ#o6dDlgRmF2wcPk#)nby0ayq}JB|2lLXE#w~pkw(;>SIxuh zN(E8yl6l?yy-V&c8gSiRhppNEfXp$J5RU7n=N8LAjtcaYfOOP*aM3XS_Iixzgq&Ll z?y_FMfo}b)0wN2naSS{}p9sJi1sro&#(N%Dt$_3Eyq*pvNC1bZ6y-tfC4T0i2$Y9E zYiXbxyZfs`nQCxHt(d749bJ_8HO@}bO1c2oX{{(ecB3S)X5ElLxP>O%Af;d-KPG7- zRJGE)wma+Ht?J=otsM&S(63Us3qDl@WFI~0C@KJf1XAu&p^CLZal-By6_TSiVVFoz zB_aqTBC%D&f`#^!BII!4$}<-+``TA~sPdfPoUi%w-|WV^`Zjk)OVrq?bRKRq|y zA~n{B-2OiR*gz-0bKEm*$juS^pKxtr(Y`05cf`4^+LBWa=GizBJQrmG8Oml6mi95^ zG%Ms(G-Dfy@J51?Q{l6G9%c3FW~^GoAV=TxrH}Wi9V4sm2x3#aru=8%2Adv_2!N9LHViP(q3HoqnXSGFg6{=$OKT4 zl<}clx~7oTu4otuxkQkl((K}OA{CTtYz&{67{f(Vvlu3XvpzZmQ~T_VgF;8)(C9HZ zI&>lq%^iya5=USc%s^$gq*InaS)>(5O+EC!JM=TN(iRzo@Yr=Kd_u!dmtX+vO{P!5Vxt^;&@6C@Svc0WczXRIR(xT6pa;1wZk5 zt-Ve4Z=F3`^S1qxBG>h)JNFXp*D^tZo-ZHuKoGZ<0T z;BnpfM^d`7eI>4Y{W^4Ix;#D`|9BnZ**2yBWUOvkWv)xx@H_kL({b9VC!nEWfXoAc z*VnY5VZvm5?Wn1!t%_nrYXD1HfCDc4mup6yvDur>m%j2B;wk63O8y>v=mGb* zG`u~2b@rKLb}@`3L7HkKg_7H?H5rNt5uipZ(Z5>iu`Y z4==KT3U;r0o`@lG~9gCjc(ct7QBtW{`D%g z*Yv4TKW{xaVNqvBGJ9y8vG&W3i4BMXV~0 z>${5lvv!4ZVBDRb*aI@j4#*^g!iAx|Nc zTuitXk$0zMA|i1^G9e5jhR*gZG8KKXwrMe1n^&W|xdmyNwCBFB2Vm4YrCyS|@bHQZd0E31@MY$A5B;1(}^#wZ}B-Y^IwAOr_| z1ELK22TmT2GQKp4OhxK6C6l|3SOi@%K(!9&kB8>2LX8YS5e`C zKmWc6Uz+hZjIEuj6If3A>?)*vhSKV%{lkH^dreO8?J@0qn`ys({nSqKX@vxU&x)qo z(@HkEQW}b<(V6Si?@f}R2E~oxxavw$s>HNQ2y=&wQxY$e2&1hjjkweo{YWO5x6R)R z>%KKo1Rjdeoy5TkL1IkdThk98S&2pSUd9EBnsLmydYrRIA1r9kU_o;PzrN&Oxaj*= z;o=|sMdgwo{uMv@@s;@LPbh!J&whFpe*QDcU+{~c|5ekr5RDw0z*-%h-V-4?Ew505 zsw=25A*M18@f)*|P*k^XvOc1jIHpe74Fh%?fD4}dH12-upFO9yorQ#S@Q}esB~xh1 zHKJL5`dn!b&zE|IE2flSGKhFSj)}FqXnJ`Wr`ZSRHP16`oixI<__piD&JFrPA?C@v zOZC}OQT+!GMz^FHT)Ecmf3`1DSL@c>^QB&t`di&?U8L5o)x3rb8M0mUx3aFQ5q;vd zC=ZqQ=wB+U+E(HE*RDr*x_cu(sd4wm_88xHG=kF4?wNPbMq#%^9)0X7{QVy{;_Zb? z@xn{9v9@kJ&N*Z%Ix=~D9 zJf`yaqmN?d%>7Il!V_L0=J$VaA&xx!P!0dj>#r+brR+sM_qlWNPBe~7$i#K?`JZrxr zDPq=736HWx=*|6u16u-Ka7|;1P1?bhpTfmCvLUG=t>WeFP592Es}Zd1FVYVwnK-6G zGFb6Jys|L*Ja#{B{p3fGl*5j2mu^GlYG0Tu;!?lb${eJWlsa%GR>l-p*Tc2!Am~uz z*jZju_aoWy0!4y4R|{y$j#|ec1mvkzfnGVG&(jsgvy{?lyhmRE3S~37SUB1 zZsX%QLrDv{r9`{%(1R_=R2+sOdrd)Gdpqjt>xF<;p}nOMsayc5ED0^2UE+H#Wzx@= zMXZpC`22@3W54||Xy`CK@A(1`o{yU>skbP-26Ni8CzMu&Cm8$4dw~u4P7Dl2Q1zGo z*nh^}TDO#3RN6#Ll7GJZh@_LB4Iv4wMg%KU@3_QNKPeI@H#Z6d?AsNboXI7L1gJHa z)CnX%u+J5%mP|t3T7~!wiH^n-ue^Xohp*PSI~}ZcX%|j_`ON6SzkUQ?KjTpBIt+T( zex4Ar7hYSBHLYb>wQLc_jT(ko`_v-40rnQaeP|}~_p^nkVYewqBOcxj&(6OL)1zO&-c@@miKJM<#rkwjRZcZ60{tu)R>u!7;94%IOCs>;x~uvjl=e7z{yW9MQuEfzfT{n*I+MLCtf{l8I4{4yT|+n z`Q?{ij$@BG76S(jL?vIwvIWTUS%j^`VKh7sFEe}aAc-bD{% z+JId!s&><#9l7Z7iyWK5;HtqmW9k_)ohiKBj{37aR(Sl#q9?JkV;Md_;|orxEyF{P zJc*ZHcnP~tpN_x$>CYHDZVXo5I5nJ&4C2dlVO6y6I1c?MxhWz${#M!@u-K<(A^AKVOOR z@-m#k?a4mg6PPQ51ux_@^q;yI!*N%uW4Fid!6w8Q_P{teM=HvGD7*yc<$@)S+``B$ zjg)9KfU>@Elvl=)?C3;}+m9uTGi1v|nomed*nnIF#Uq0{l*=S19jwRt&K9g_YQ#IM z*P^34g}2{afceWepuCJ*DS5$>gd{KC{pZx*ExU*@T+KaVZT|yc`K8cyz|j>tUAtx} z%`YdDos85l2a=c&&Z_b%3`#fg1BXI5&BTCaAQwV58A8jzk$7tE5^#58nWQiCAVj5o z!(uAE(mufYv-#09c^Ms4Gl6T_fncuozcJP3=;#<5i4%OYVA3={6R}uW2V6PTuBbJX z7WXchy~V^kEyrfUXjV?8zPJi4=LIqnP9`yWLnbKhnG}-UozgDl5+)~;FKLr(0-bG5 zNF_QEm2~?^zwcKa$AG$ORLaFR#~TK*3Y{=CHMi;ofeYfgda6IG<;G$x@=p(3qu{JU zy&b#pc1>?UxBZ>pdxf&B)RmJRCrERWFX{J7-|U?2%EIIvEbD$7%SF~E-c(}BXH0t{ zrd;V`I_=VK>l5u*+trGut|qMMXu-jb zuD*E?R&?~2em4NIngK%iM`6MIAK}OW-^1xMzNF89ZrC79*U6t^?P~Jp zxR?5QK{q>*=5>q2lLI2%`Og>2@hyGXASyF;n7Z$tn2#6m{bxUkHSNot)V4o5Iy!VaImu~v$h-u} zwh>J$JmyL%i7AgsdUyk?Bin(oeaD)1$(X)0d+lu9?#noq=-M<|gRQ#a$ZhG&ds|`k z=kuTh^PmK(tv@8$E-{^U8wtF}ijXy12@^ zm3Z;lr|_}UK8A@C$Kvu|{{mn7$`^6YK~r$ulM7|64&kS#AB2jC%!xTD3qsC}UFWUu zBV2k3x5Xai9KHWQ^2}}HTSH8_rTACB{5cLh=n%)n$9nfgwHQYoFFIPscv+2%LK1|1JZJ#NXY~t%NI8>j$9}xysH$+b5bZ5 zx)8UK3OTKwj&z_N8-$#8%H%y4D@Xl+!7@ot;ohfS!p%2bi}vI~m z?8PuHZkP|aXdzvKT9~xSuqU1((lDlWLI}zPJQm5Ls-g-5Q%%U%)X1bz{%eIIcTf^gsVp7ap3tor4}l ze+;)7BLAFtCZ5d3t5~2{1$@k!aebK+R0(HD8lS?2Wgf)|v$t&9~UZJ1)AUWmK zj(X{;w(7&9f*6=1^DD7AI`#;rr+zjDe>^IM6UGU@Bc&|oZ1)mywUpNr5>Ap$k_^6q zm)m#wTy>7w>-tmmSc zl2f@31X>WT45PhyJmqzjOGhsaXMmf5LRJ4WavATUR9-ns;#sz+h3F#B@ z_}%N!mCRx7hE`XX9`*B})U7l;C%zgave_Ms;H~Rtm19wf>_OYfF5>vW$<-5?HX?LY>tN}wShq=$1u4!E(*O8^#4=pkE zg1a)<51D7t_d>T)to|9#jUv^3+B8(`w;#%8&P4gFS*Y1>UsTW92eo_8K+RtJqHdpA zs5@{L1|4w-8je03!;U!;!;d`*Bai~`wusM~dt)(^|aawXTS z*>3t%QW<_m5Qqdhj;eKwWTg<)>x7_o$-L9+&Xdd9YvR>1U)}VI_@-pc=+XH14cFuH z%PzweKlw3!e(5E6@`fw%>;revxF<9R=;n5^Xs_gx*K{7w<)>m&ws+G;SKo9)z|2j z^Pa-^vSY-#592xU#L*ZGVBL%}?XH{a`0gVAT`5?K-PA5&VQjvqQz1-3R2wC1 zF588qOd1l>K3&qX32{ryfRU8RLsuwM!t$6C)^^>|K@kAyi{ahw4Dd~?Kh{TD0++kpNs_3IS@tlz3Q~(J%H_B_v zkZx{7v@D3I%*VOn6O{7;I#5eH%5gZ57sAR(92Z`Nkaes@Yik?gWo244P8PVGUsoR- zy}Z3oY-@N}6YO=5 z{hf8eEroC9>M*xnCStXDj3hx9-QydY(KnI7P$BD$Z+7Cj=hh+Ayg}-w3F+>3L{pr! z3CUym#7st7fy!>IS(A{y7C_(H3=SLkRUA3^8yM5DC!+nMx+=rxKe=M#C0||?UyC;u z3wzA^Wm+r?S2jsLS@#sKP}L8p5Yi@Ps~Dg+93pc43blohZILmin=5e{1QPsqvxLtE z^ivlkr%Z<{yd<^V-K)^rxK=0C%u8}E(#L*QhUiJhQn7wsh!6j{@cPs4?MK#&I^Xxw z65Km`4I10J@Wa2~fhp-qeD$C)+P=I~7~@NXM4}NsugPcK3pyCk?i{Nj|Kv}v4LcF6 z=SV0b*Eb=jfv}89{3^E)HyMZ8Gi_*0uf>McIy4J0ZA|E5L^6l^ zUHan6ITzun756!*Za?r@Q|ice;j_!EQ?KxP!SkQjhE~y!H>%9d0n?Uy)a{|^(2dua z`K#yY+k2TNUp!O_ex8Zx(Vuy5E7-qP|5ig332xu@!dnj8{}@NNRy)G;&I)hdSh3em z8;6o@?KJv3H|(|*A?Xhp>8xBm-CEcc)ULF7=994XK{GDrOy1cYu{HSEsVC#R|My+| z`nSI-lIt)18m0{Gg9~qc5@-JD9-Q%~yNl#gSKaHRuyb(8p@*ThL$2kHoN?w^j?eoC zk39CItKTcH%`x95-9mi!bLVROnL@mMyti=4sU3J|@T60d|MgEj-IG$?teC@1iub@{ zHLz}8Q~vQ{7b7|4+(rgc6(y)Lxt0qZKRV78Bo31N97Hf2L|JVGYKHVjMcp7oYh>an zv+q99T9gkOfV#bpMq=9OC?`4XTZ2TO2=aaFao5AoV$mv@Q0c~C^K6lKrOKAQ7{*=o z{eX)XN|waryhX+wsSD{Ixv*}n4yD_X7LwX315{Y5X0L|P;#NXVIY=c^$jPA8$mf=` z?MTW5A|ZoAm(*u6CzC=UNeLM?x}|N>`uPJ7$>EXd0DA0NHziKgZ595rX;LRO1T^i+ zraLI7~C{ z)4T-fFYZf_D3|}@Zz__D$^ZBZ$->oR zTcj#hjYLvNrP#Mt`1a@ZUF-46s#j#Jm3rmmh<}cq!rQz(<-e`+(LKiCmaiUz`_4O| zSLrF9FTVUQNP(OZ*26i}V{3IR*5A6j2b&VF)$1;zh9s&#Yl<5Qf?Tcig2jQB7eaoL zgck$eA>{;;x>S^x3yH0e3wMQ(od7ygb;yPi=#mRc{fLp+_nW`Rq|>fO^N}ws;H;~>$;bp3n%Ed ziAj+{7@dqJYRa+R9C6%THe(}gi4cr0cGsD973;`5l})Zhq`h~U3g4WbQXp9 z{3%~q#y2O|$NON{(fu*^)qf(@+KfIGaea|bJRFd|E`6G6bAlujpln(uK3O5HiB2qA z^ftzg9-%K8%Vf<9EI4^EechD5psWZ{a%{p`G43?g>OJ;^Q_xTA)Ug*yZ|>VqbbD0J zy!66LOi4<)WtS_a`VG@uwGvZv-O1}VJQB~0)FqFTfuz4KQYprO}HzjmK2ec z(v)CY&wOj;`w1+IZcXMEeYxIpBAsl_p=~L!n{cnMjt9OpA&zg&sKLp*4#r^zHQ5KlX2GB4LI?nT1?w3hJNuX{ZtSMYA)432$L=c~WoiaP^nZ-Q|L2n=jL}d0HK}20g{2n-y+BrpXr?BGZkEcnIgs=!2to z8HDGTrE$WDJZ6n9$1ROH{B3an7hd=^{NM*)QThJ&zpUnW&i^dV`_4Hk-#+g%u6*m; zpEmhBDyV%YL(V9)=i1PkYe9RqO|D(Mrb%6712PuLoFOG-Pb969QF~3_YSay`#hSNQ zBC#Zm?@aq0ru3Qaq`3W{H`b+&*zY2l!rPnqY$>lBeIkQ!)`ZXFlnH06%o=d0_7&c& znp{8GnfI72>F+cyL`$GW&ked;)7rDqtP)qQMluiPy{#abRQ;>VT-_CSKrABjd(m<}bH6*oEGS&ndRrRKrBw+BoeX3;L! z>aBr&PJL3}Ntiiwrn*r-d+nffrxG$I6i=gl`0%mqaL+0ZHDj>M`qYpR9* z8fG(oPIwisyZpRRUrpB>bJEH;4{{QoNpmI6TokxXgLmQR&ezE+ISp1SIc;~z={l69 zS7PkgAsARS7U^{%)FeAlSrbAb@7X1|U^lHas56Pi%Skkeuf z3)r|MAIu-?*p$VZGFK-#jfRkvI(Yi^S8#n|2!2+!7k*bc4S%bigzMsC@Ic)pplS$G zNtp);LCq;S70CzDkxJv`fy43rRSo#YJ5%w+x&82&m(w`+)pA_&VivD1Sb}o2iE!fT z5D>!l5i9D}vzUHTD91MaiqaL6R>#!(5j)ALadRfh)Z3cxD*9(cj+u_J7awal$wylv zAmlXBtlt$1V#=>PJ`V6AyZu#JE98@+<80N)~^wA8bn-(DaomD zR1-%g=zLa{FI8In=3Kn~@{5L?*4D`6UC1d{y)|t|F`K77w5ACE@z}z;yCVNe-7GYo zh>36NX=Cx$olgABWXEjNvqXc)2>GD! zB}gQq`gUIV@#Q++71M5hd|xJ@`EI$MNqFI}N|p$>Kfh0e<>N$|&t%5SR-t7V7@v2q;1A4OZWxKBETDBXcd+RZm{a zB^>Kp!!wMSH8nLl3FXT&x;neCaKS>%e|rhup1T|i7A?o}Wy^KDZf#{8`%JFE$4{xj zX&>*8GtV4?Lk}1%<4ZpbO|%2^UqMTAi>~^ToCeCI?nqM8-P+dPeBJU1=;jscR#YD2 z>|&$v{5f`lFJ%fQ+mKGC^u<(X&lro-_a2F}_N>6X^}wGOcVKm5HPV@sjCtKi$^@H2 zyT+Ga5!|GCWh%~#@apqk3DKUHekJ`>SMRvfhvyR?{SgwHmH7ha3~3pQ(p({xYh?dn z^@x^*vE-F^Ff1_+KichT467Wi?@}O9>M5VC6_PbRFUtNGNmi+zT!rVggV%tS$#=9a zN%AP;`j3}u_dxv|)r8uK+GlwkX5ZoGWAZTxEB%I&jmY)cc|M*(a>s8h^Eq$k$-H~g zX-kA#>s9}{I^9N0Aqj4u_coTj{5+Pw{<_Mt*IvVtS6{{AS6;!QmtV#^FTI3?FTRKc zFT8-apMM^2KKpEsGXI%p(6V^3URO!pS&p*)l9%MkynE7VOC`k52}ytGO7i>NTlOP? zrcR@4N8{LW$7=s!d+6Bc*lDilSS91CxwiP?i!a+xLZ_c`=8uLB9i|_d9X)!CT&PL< z3M7!jlnw>Xc;p?HN`|mrQ9P76prcJ(@==JL`DW57G;Uar?(Qy(A2-h2edgBEa2W0F z9ayz`rA{b1yE-v`{5W)UB;_I}bSIcVvyf9x8F!RVJ&{AYs}<{)%)_9815jUEE$T?+P#wAWP@kT#xn+OS#jBq!O0OqaNe zbOf_#jRnzf$#Xb3-;B?max6OYVWe^))5n;vr$V*vUGaDjp2HHK?F8oP(MNQ%6Ch4B z0wNa0dTv@2wtf|~n|$t8~=PaKKXc0|OD@eLI+@wHDfjvg=puF9m4 zku=izAgTvU!GljM#(=(k(XXx^v3R+VupFWla&Cp1H7tqgyxDVc!#^*_M~*rf{Rh{h zZ@<2hg$(E-+%IS9-sEXa@3BCvwtT9RI(opimGW@qijxq+hEuUgxo({NTKjt=HMNzP zvu+;#`sS6`bI&oDSTzwN%En@J`Dip$jlh8DaP%n~gxc6ZR8{svU34(|XNDmjj-x%> ztlM}~QlEU&Yo{G0)s2YVN`4!#+FaSn6e3&P%!}$E5%+j8Ivk^#V%F5 zfR7_CXl$+UbPPY`Td_TsGm%a6N3sM{BYU4?en32yRkWi;*P3OlhB}D37ClU`U_c zZ0<}W*-?hoLYnHLt!U`qjOxmA)Yh8kgZQR!HAOFK$5mZ(MtI=ql7x<0bdz8_S6Cih z>6G)Mv9VDn{OptE<>hD?+TaoaqQ1Ufu3YezuB z@>%5CnlOeAk7NELS7XY4`(fT2uVYYsrJQH{j7(ggxef8A5w9DpQ%ANGS{?!4{Ht{! zHQ=_FobQ3WA-*pPDVQ~DmYi2|4u>PUa!ZWrAIHprS;R(-#iwpxiTLvQxZ<$skV~>u zQK2rqx_QSvhVdR-eYlI@86g>C$BxyPE(N3I1-&*ywgorM|070B86kZqtvAsq_MH@# zn3|Q-G-72@3>@AMiMB2*o4pvv4f-@bG4|_-$vGU7>r&XcHf>LIwzs09qC)GfG1Z9n zV6zaVfSe0m>ek-fjsfu@s4F*bl4T#^4UCF#1;+K2IggMuZh>9dv=T3Lydd)(nTzlf zG9tDg*<)Tq>bm=5T%U3Jwp-pz>C?Brrn|N1Xm4@#Ppn+7`SHBzTD%mgrAv`mz6PDE zm!NCKGITpqWM972Jx(oJiNw<7NG@A}?6M_DFB3OOBht}$@Zp&-W8j=_oJPt-clIe-Y;h(bHvUt05uo)1%o zOm$-W@Zn>7AasV1(}tnLv2eixj2b-}eETX-I$gn$F-Qk24)P2w?%NB+DRHnfcb}L? zHk+17#0LE+^SH5N^rD!S$utK;e!FqiDj}z_sFK%-6DOiWCOMI41)61|*x21ii7B`B zjI6CdIyM+@E?R|1WsQ`U7nHOT)0Bis2uW>Ehfsk|tX;7Lqel)!!$9XE#yX&=X1!qh zRmV;Q8`)bFX$Pr)q!aong7SC_6Uq~qKX*BDRm1qE2c)HMBxKS^V&Bmz6FniOygO|s z1{omHg+QWHh-n&KohigKLDXcTI5_+|zVW%k(432)g_Ad#M3w1a>trpU9#$8xed9Lh zwNELa8%8onpyzWxSox%nm~rWu*kXR;MoyFP%~FTae(9=;u~ zy?h@=$mF_z-(4|yy!8See)D;iN9MkW zhvq+z2i|!Gr;Irci!<}}+Qb!8u9Dhsmkt&}dd*8WV9v@pn74W!=C7HLx7NLdx7WXo zg&P)Pank}UYJD3^+7>D?eQ3WHT`hY*6f9rIFqcN$E4y@}c$2||eE;GF_a%q{|btfft z>06;J!l61LpE5yjPs=1eiSBeQmaSy^jTqLyQ;8|bj(vvGf-kHiyaZ<>qADPXqdUvO z^OiS8T3cK722*2Gqpr+w#gy)A*RIu<8qtmAwx1f{_aYgFx(pgL5JQI!72?_#Rh3nG zW0W`OI7TKrl8AN4M7yjCgX_w%Zs9Aas_lmiKcgYwjz3!luB2MM`Tt$v6piI!96i?^ zvaS$+9ieh&Yxzqry@Z)FXXqG?pb##}m%4`XDVd;$aQXf7aQC_{{NodQVNgJ>@j{%b zo7K--*Mwe^cs{CW;I)^M({MEI`0RL)oDQ2f9EtXnAq&#BB&AABm6V$2OY8dgLH*!5 ztXsSW9g92gm0f;{=>rcH-G!8j{*)botc;Ua`5FvFQh9dWMhxwT;Uc5QRO6ku*P>yM z&tvqc;i#$WhrBbX)$~mfHxr(a&N*WyP64#EwCW^Z2l%4%$<{-0F4lERa^G6ya$%I0 zM}?$r{iI*4P#jas^ZD|_sZm@B6J z`}fy!_U+qO2`b$Z-TY2#+;v~|{4IzIvB)NcTy)5FF=n=F+UJLBL){oKVINe~)NB4P z&7O-1)Am8U-$-;x*_bc4aPzr3UQ>zEafLdQ07M|BQ0r3DUWyLl@1I|DH ze7$Bf{gtg*{OyVP*wC59UJZS5(bYHO)YFg0S7r`IWjKwWUv{0oftp}=N(Q}uWAdBd z`jo3TO>P;!{PN3j)KN!a;J|^1S8n;+Ft-*TyK`6Ub?kI>H6@hD@v#fDVk*~azT8NT zhmLNLYia=Ry!ti-WbCFT8*; z6DI4ffNcTwU-;%6OrJg-^X|SIsa4C6YE9`2m`p!0eaylVX7*#(o-uFa4NDKUZasnS z$-#p$?ZgxD{PWLm7yT`$<3C>hI}RRmD8~2ioj_jn_(j?$cz%wo8i|u9o~&_8NvWL+ z(Ej-Hr?9kTF}||@*PT>+`0%m4;H;bu!-9niF>3S}@OxoADJdKf^@1YTAont)mcm78 z^U?E#DX-4*Px8@=f##b>TWc%UtzCmDQzq+{US1IRY)ETc8&<94w%!Pm$pj`%+C{fD zWz*g0+fRt-+Y7|bxA?{|wr@3-HU-eemAvwh5GNr}&Wb6?X_9Z7OLn6w9>eODt1)6& z5Mvs4p;n>~3vH%DtcM=4HP!HbgOCS>w=Bxax#$r=oG(TwkD+#842|<&Mtiyexta>( zThc;2We`hqI~8BB!@Jc&QWGhZrP@%LYT*)xBooB=STjC*z%UG{t3tVu{&+Zqiija) z>9kC&oO))J)j+j=Y>g6{_~`fNw@h1N>GM=z8nO&@5yB{Q`sA}bwhCL&Hu(R2am#D z6Z4p{`$&;d*mKelOrJailScJLL%%W%tf@n?r4zNg9D=@;GO-q78qk+funkJu!GY1C zXEFZ@&chScWo%^UnDltcFUpqAT}VI; zb?O*LM-ED$^Um)@9a~3IbZjYwg@jXi36oSN^Vys8X-i%iZOtm9f|3f#-<(aodWBNQ zRy8teDLa4Ss$eF88?MV#-!;Q1BW@>*^2oEp=LNYr^68h%%uFGnXisoYwr|&7rn6(@ z5Akl;utEIdWe`S=K)7<3|4!-cd&zFRQJlZ9geDXnpF{~wk}08S3yNvdj62{}R9ad} z#iiwx8W~Mn7ydy}$xVr3nh7z@ui#EPCkrEBZor=zMa2=Fen9fzI{HFtLmd>_Kh#fi zr~gF*ju;^AWF_Z4E{tf*?{nz2iEC;8+EPkOZAnib*Njr*SAJ~-+AJmry9^Qur4D3wf-!K@ohX>*>6(mwMG@PRviEo@qVh zytJg0QktddRO~*G{^9~`5*aS*PO}%xBfdGQhUNyqntku_Irm zf)X=JNpUf)U%!?zw{NE&J-Q25lC^#Tfs~V*OWT;VVk0Dw*6!VV$oj}yCZ36jO(>&z zI&ECDk_xl8QV`ZJL^qX@rQn(}t~fCg7=hN6D^JcJcPtBQB>vbWAcg- zDn!T$@lG_uT^+}ZKXhnpOrQ&+`O9e^$5xsj=Xv^828%}mCs^SKCLjvV+$G_(xgXqI| zpQ5%IL_IpCP)aOzvySAn2T>G1Gx70p6dN1E63rctP};IRmjavhp`_RZ3gFJBjNY2O zK{%sw+90UANO|WDmM+6mbn=Cq!p(%H^KXg))@;T*Asxbg0XC!xRFO6qudIEB`nTvy zt4kJBL2ZTX$ZLoxMnKwzccf+8meCCv2Oc?uC5PP3XkFZKb}& zOF<9_6NWh&vjM_&pp7a`_zrG}BBxC7!=mGMd6!t<%eE`{Zq3`2)GCEa3o4j2fSlsx zXcfgL#8O7bmb7*K7TWaJM!Kl&opey|>z=0HjZP_@>Gw51Q+{a?wTx@-5KiR599QP8 zq;_%b=!CW>IPRw1_Z8@mUpbNcNHug`-wSjsdya(*7SQ%>+Z!w?e61}k{;BY^h61h< zOs&8Vpoo|~Mh7_8_6-rEuTaMVHJk`YDBf7-2PZob)X%nLdtw9s2=op7cCr&!0%^moBDttJl)HjoWB5 zccQkf-^3lFH59sZ0(FQgrGMXiHI)~kyN_urGUTV=PAZGPywxjpz5hMJKM=R2NgoWT zY}FA5CZ*gofs~e32T~yuAGV;FnrbR2$*1FvX-C~FvMDK-J5^P+YDyJ%&Zr9CG|VO9 z#yv5l;B)D#FTSMgtfkbmdl0oukD}lL)*fv&&5X0wOP)! z5nwkdi~R_cy6F(^3h>Do5Yy}mwIeS&otP4esh;S-9LT`4Us4?=9Z`@eTtnO=urCV_ z7kiwS^7D@)?wiVjD!%WssiYuB$Pb9orcIk@)uPojZ{A#*`Nz++WWgL-w`wW1ORb>G z&u&VO-JMRKeAtX$emS0Ada@Ore0-8xBgt_}T>v<@iJ$vIyBVmvN0gOt5V+^jp2&U3 zKqndJrt=9ijv$;M1PKWVGSX!_sQg4wC|+1rm2$4DBz?@ug=peDq@4YhRmrsvD9a-% z&84kdxg%dh)W2;@S~ufc=B`B)&7>C7dK(IpU&#@k3qN9j>*4`6uEF|$P80S42#%!= z)eGpqgG1Z3hcJl_N)P;f);xq}2Th90>ANQ4>gQh8-<+2jW7U z`vLE}08Vx7k^`Wj?onom6yI)GX57*VxM?j?nLDkKqOU2xi9%4iZ!v0)K%9o6P7s$s9Nd6{ubnU0T`m*e^?hYkF5&P`r=|YAU27V+7w#?HJjSR%WlH>s#NheH>Uoy>B3O zvlcuDp?pWdjOQ1Ek-zn8R|~;kvt|vIF4+j6eY zF~W*zwET2YTAOn202a!q2}Vvq5J7^?i-R52$DVsi!An;g#SZ_RH!s1TPky7Zn{bmR zGTIM9Q?zCQC8oAwJ$4UJ*BH}xG37WUNPYGK<$!g1K}_n?l2Rx#C6Sh_+CZs2j-b%w zw(>&Ggby)hFYMrcuaifeb_0w;VJ`-ZoT^N7y&V=R-!5*Nl1{B!Wl(HFqD(1OQ2AD2 zu<$?PFljPc?lgLeN!gi^({}CJ$w)DX`>tRI+1)8Htv9h{G8JVPbDhO)QrEWJMiH(4 zeI>P_o^)g9N4ZXGBI`>rUGwikXhbBf0L4H$zge|Hri{l%#!_i6UTPJ{4&NwST!ZYI zY$`7;N(yL2-f~)0v5?9`^5y=+TGL>R*vmUybrFKgqA5Nzl@4v$pJHNSxPP>a znrF0g^13Hw>ju)lcJ)e0e|Sa)8Oq)sC~+wPvXj2<(Q)-Z2C zIBxjn#grfL?DKDM9T!Z^nyC?McUl%MTuQIK`MzI&21bAUgei{RHts`rx)l{c8aauBO__3BsfdxRE zFTVH!z52?l+<{pp8z6z0&iZpU{qpN?G-c|~w1_Ln1q&BR3t$Pigv$ znM_`b>6Ft?rCV;lm9D=28Y-O8~YL?KPQc}~YY3r8Ms(EW_ozjMqxIwK6EThV* zGAb%6;0g#IvqtA!C9<9zFhJs5s8`XgRexyv1Dw1`RF? z`uY4+^AGND9EsL#$)$)^hf#Dew$BHFz=vosNWs~S4nxKp-# z4MwKS^KG7C1Cvio@5Roe z*o73+dN;0FI6F1ev1?PMTft)d56L{#8Cel;_M=(|Q5(U1of*Tg>bpgm;0^We12m z{|LwA-=xbqM?@MPI~O_Se#7pN(>=krtKX*h=1qjmwCmi4^0V`3^|V!VVzW!>)Ql@B zG&oGshkNYrfGIJoe+}m}u3fX1T4l7NxUe{?&ISppqT+yJxd!Ed<+Pz}11&9HN~=m1 z(faDuR1r`@fuZVN4PkPMqml5UcuLvWQiv%wqFTIYF{P)cQ*_MU+mOngemo0Ef19># zD6Ca0+P-+XJey{%v`JT372jiACxE0HJNE`j!ByC#EQrGR9xCUXG4#Y!si{eS+TKmS zKeUK%$s{n2=5Lxy%d=K-UnYVQ!sDdwlC`MSo}*d+YupxXT}o5e{z65S1vI?lanw1r zvkrC75W>%AEVeObV5)9RhUH48Ixq*$c1`irQv3o#Ff#oY!QxJDf+qG@2Z4`X-vOP14X3v=~c}Yo0rXR*k z5Hrf~i?2pg$M$WhcdzcWapPvG|8BYID)Hw_OaWZOrAt@Rjn`dH#~*jJ=*{_S0sY3r z^3X%->NgaK8)d#P%6o6%*%#iRmMxm^@-++i@yBts{RbS*1n);WdiXIE6cVZ*OeQ6m z?xWv+DX4}?emy@81gbmedm1`pl*W=P0j|NM5}Pt*GIw~^aK|NIq^PKf3R&=QVohvG zNwIt|JvTRpAH3Bno!s~i959du4jf1~-h2~f=4Ml3QX&-;7jiVHNV%)ddBT)ke1HId zsB{8DYN?{4iYmBs8Nwa(U>1OzYJJ=hl&hx{>M0MeK-9^O!rhfpZ4e|tbT_n_BRBB} zVlvNCx@Y7>TAD+&ttOrVBI7AFsEFE?FQrG$ z>rd_4w4tKHVku{^F1b#KN5~eZ2S)=$=sFefxun`<52H#u?iF~Nr)Y8JqPg73O zG77BX&Iyx!l$BZst&V}!QQS$6qD9Lq>Fo3WNBI@C^!&RIQ$Xe->XQ~sVKLlMh~a?I zF$=~TAr%)s`Gar#vXP-P#S5k(MwPxO;L2&ti~lm^AxBa%i&2N>DRv zPV@5fW%OJcd#?b@HLMTyM7B4SV zESj?MM_M>!llF1o08c;QzOT)5VD5YAu<7fF^JkuTl)7~3LQ9q`k)3W41g6L0^D7YO zf}DcXg@=d9^x3kqa=tZ#rEXundKJrRI`q)~)TiG-83{sJn$BT;aHrA0q~9D29D5hw z-{ivpdT8??h#Mm(Tc>?OVWlNZGWprBE*H1Z8Ya(7oM9K8TS$?82T@>2IR#Y~(&E*d zsn6gOsHRC%Dx_#3NHsyKUBM2*CfQEO1WY~ zDRaG$N9+TDBc>wb2!Wdc!o%|qJG8T?vt<+sFSVQm)dkj@w(ihbM%H$9hgH?e>>e(g zIDk4G*^Lqs6KMV7HB_>$oUZEd0A<8>;`FOs)xG;Je=o8!GbwBPR_feYZGN<9 zE6k*A1zV}IrjlADwxE-HoT@|EJJ^y_Lfdjns8`!0TC`vRlbSv><}dGE-cRV=jB@kx zi;mW<@BB$x;4mov`*M`9-E$q$s4B(yzns0oY zx0=hTsx*hHOR?s%EMwF;K0ZOFM#)PkQ8VSC;xlLa8!Bi1@09w`?dNnlz4PhxP4=fkMnONT3ImeG)5$4ZC6{Y)WzWl)Em!MT!deGbm+9`-Wg z-c!mZE+0VBz~KCQQ&^fdsN{WO639XEj1&ss}Os?+I`cK@T;uy`S+=)^ZhTo)5i6( zWCzxKD%^^J@s3StcZ^PZ;fMApM&+ZIDkrC2{(<@^ig$)-0;xK3NDq8)!Nla_SO& z$5REji$f&`WzpSP+2e(n=w3|0M-4O{8V)Q8!ql*e6Z8e={N@ootpWPH#+1tTakRm|n^q0c;8p z5`y(6nrw1KVIpX?gT0^(%Ilh)v)0^%2VtTf2nkr*hh?{l-V6BVV0o<@z5{`KL4+)Hjp~CVSnzUd8O`5-fiZ?B#r!O5u z8BG&uTXhUyCsm%(iDQq>uDk-aKw$V$38@SA2NzMpQS0OWfFJP%zdCr;Z{>sDw|AIRMb*MrBcS4R5^02*sV8! zDydm|OZxnauV~iX1vF^LQPi#tIt_8M%Wq9Z8J9PAJk7K=zIN*Qk&H>YA=m&ZBs_{G zl5p!|-IhVUIddGe0b$}GzX)Dk54>aoIo-N#8#PN!)z33F#ZYLebqpgJnh0eW+d&k7JL$HcG zLw?{+Kf-jwomZIMaXDr_sPBkkc|(wF3S*`!!VToEXy*GA)ucJiTeOUN96FeSliO2O zNDKvWM;G-Z+M_aV#^mLk`vKckxRdWms-zwHKs>nrP}VT}=E;G!0zs{+#n7A%gUiPu z&kY2w5vG2^AI!S~({tDzT>jHQiVBUPBb%O1$G5mpUILgA)5Z)uE8DhgqN>UY?htYZ znMr+7aUpHZ+Cq5+x!h?hrz+emTslGFffODUM)7g+)GRTLVxr>s`6!@u>(+6N>2GYdfRCAqJ6F|{TVrkawxlB&GX$_E# z98G-A@ghD3ZucciR`5Nvp3c!^28098@QC5w1pLE~zMw8$Ita;lo=HZt)D*{$8>@w6 zeyY!iju>>96V~+Uv;D@^r*{u}lSvB5A;LFdoO;S}Oio*P<;9(LEEzH8Y$2k`j|pSk zgvoUMwUj&iinyW5$%G6v#w||)3 z_ldbbaJ^8TZ8KVl9>Si(MA(#}J6_)~c7&h{FTBw6ozpgLr2&@C0h2z}u%X$Kg9B+J z`NzAd*WgaDFMR!bLE9rP2pTx_A85%;JlR~Lm zWF8%Rcy9_x%Ait;pb*wY`KxenZP|>tI7~!?I8C(50H~Oq_{F5ooV4SJ@L-RBglX(? z!1dH__+e*P_zLb*aR*$5BX&Am>9BFf2h+;sQ#joDGxw^>giqjpVIpzE+fH`i#pq}d zrgsHXP#BkCR0KuDaECtzpTgiHBr1|ZBEl#zG@J=hHMQ^5iTd^HONm_B#c@X=GCZ2X zBBIz&JcUKYP-tWng|URoF;d*ZqLf5LMN@b*6Vot!VgYH89Bc6$8Vr<+HlkcG1s`RH znGYZyC`&xEfRtY&0PaVm#Fg@$;-By>Q@o2gAF0U5%n~#HvsZkR8l5uHlt$VD7i_3OzlmG zPo(tb>D<<|k@a#Qrub$k{FgIn1^2GX^i3p+Q$!aYgKAo7J z-i*4mO7N1(Qm#uk=TK=@AypNXQ})Jf6vlnos3!4T7peL&lAm3Sji_`VOJv}S755BUn?^P6tGijEpONXpU| z?tCC$2JnlvR7OE(&6ewkxM$3qEq;3R=qe+b$Vcy9>V-ri_ox2gYl01~Kw|Ux`9hpC z*zVL*j(5U$>lK%j2>C>wr%e5wI(BL&>7PG;G4(&R54CRHN(K*BtzJtf9zR^d$jQ!g zg*}JC7`u5%88F+;HFjxpYG7Z%7N+R%M3zC#7^5QQDLc#92{3I@Pkf4 z5H~;}(&?3{kbE8}i!(rIl|R{iO^)ikj_B|q2wSEaA_6q7{Le08@8t)&>R%ul{Nt4$ zh;f6G9JOCL@~?650^Bg|RjnIx^c>;x({_?}5q%DKs2Fz<6{p({;m8s2I^x>Hz@05F zL)F3H_)MPx{%~N=Ql_kn5d_$xa|U~mHSFk@(XIm}CML<$9+~p0!;vE!aEBocUTK%` zm97-N{F=z&=E;i(2oLv(Dl1by>b`OLSCOmua4KTrQc&UZk$*foun=cBNU~sud_!;d zphETp47lx7I>f9Jq~emYVl$2`QvRZdmosX!4|H;3qGM!pglHz4nCXD)sLIVdJSA$j z0SBg!+8+0TxEn8QMv{C0I}t}uoeSW{Ibp~-ER>}(E7TYMeg`MQNn!(KeCuCm%<3^T zcFkCtw0;at-87CSXO5N8(kVqh($6{LS?6aC7x!qx#a~?eTjUxUv;Gt41D-Frb}VWn zTs;@2KB%fvYejKx1i&XFuz?cpO&l@Oj8Qv`M8eKj+=Ry*8v>*ckaX)j$iGgrW9I_S z-FBiU1|=$uoIn0UK9E1;Gq0#jK7kPw-kl;^52UJyWU2`a6+((pbm&yns(fR#6_EBu zr$yq_aTu8N8+*}m>8tk56$T5g0bbggYhfVzoYn>jW=r7>uSw5-5F~YX<*lK=QAP~b zmvTMGE5=;EY*mP!AQKZ?K%J170D3qSDdFU*5cO3JHg%{I&y@jMr6)-ma4 zsVpg{b@Nuzwk7K+gzJ#Fm{^Joi=g<(Sc(mfq^!kjyuwOsl1K{|E%mZ!nD!+f`SYHCxjw7T8D|6!aE zxs#X>PiL}b>;W9yx^+aUiNS3@ea4^EqzOM0?1XR8oANgzBo4aps{Oz$&<5isfV&ZG z1;e5J`qG9Cn<$gXEN0jA>D|*y$5-Ekhl6p$D78Cn!;cmqoIcZZ^N-ckNb}mMOTdY zQJVTF&gk2#qdu3sYC9;&L5?t~b6>2Q zQSMq-$1m1!mp`qibrG*2qvD5;k}h+u{j2byXLLP~bGWNhWe^YA&gH@69Y+JC$`kg^ zL^wGSOKsIrm6fwodC&AnauA$PB5;c_%*HHzh!*csq&xRAW z+g$`!_;LG}gUd~eM@i1bO5h34xGSSlz(E_upfvtIF+fTh`q!*QYnnfJ!w#ici#8mp zx)&QN?l}IoKU@( zXiMDW6mXjjB)tes!}vE4SGmWKV6jkUw8OQbIl8Y=w(f9?m0ghxhF(`ISZwnHcC(fbhUKkx_| zG~{Rzm|+Ju=s?$B7=Nd@)8E~s|Hxq?FvG4fr~mJk@X#P?l@jBe&zLobwr|@?mD}@Z z)8e%hhx#QsNxsu-bPCH#D6gcD$>b`>4l;1yq4e8t(`oi!OboRhMy<>_fMa4}BF&w* zP)7fZ9t4CjDk_R%;$r0-JK6$no%#eYW~Ae%$-heY^~KeuU29ssb{%cn!sLX{SFKq` zD^{rdU_CbKr4_50eDnFrm20T195Ybr#swI2Qc4n&o@Gv$Mld1>GG@vlGdo8{bOE=X z5x}24$}%-Ig?cloLzr0iIpL?NjyvGi_a}h+{P`E(aKbeCp3e7xTL%K59L)L5nX{=W z=hs{-07rZk;m7fl{OTcm%yPhb<>oEY9UZ`!cXZw)FO%MW>( z;>R5lbioA|JdoDB1+84QTBcgz4WuDJXt(`!3IJ&sab%G<Lt1?}R7*<;eE@gQ&z^h>bEU9dqUlW8-nDm1)5;Jq_uX0Pv3={PG_x zb^OQ-{$%Z?Qc>;#xZ|JQA{2O#qZlL}BMJ!9=qWf( z0*`~Yy@C#&J0uwO;7(+4Fei%@{pdWQXmr?za|cXFCa)9fTCa zoqv!9gpZ>K$btGrILNCiBc+62=tIZz8zAWbIh9=iIX-N*1aj{XZ0PFvBoOUSj&Ra; zI4D~{Tk;V)@}vGG9!zb(rXR?wxVwDr8tVG<*r+t9UsYyuZ^M9pEr2-jiLyfptI;O; z><{e3gDA;S&H*{VLZ54Ub!zMYbxj%$rR?^CYl*VU%U2sBDMG_>XeCcMy5s#jVD1hJ zfpdLu52#rc^74`4ex}^_lw)Q{d!Y5*Fn-M^U3?4OkSC`e@B!{~zZZ(F)k{VN#4ThQ z(dql#oj$qRIvnHfz?_PTQPN`Ic4J6-)f+kD+DMMRfKH7pCBgi8?MDUV1=!VBu7L8T zJ-Pg%+}v>Tt;-DY!EEf!xdUxYURD2wzX0*`0i4yp{d-pE%#aG|a#EDaB>eSyTG&F>c9(JTm4_$~Ur9HaJ zw9W!1i(h>Cz34#VVq>V^A-!nYA2aF4AAb_NRxOxgesiIoFg4;Rx^Yv|SkFqInX zl}|bG7$=Pz=~-F=_H-5qxOc5P_cvK92z*FQMvN8WLty8ZZuk(--K-+lL^d}?m} z`i=C_$6q*UJLjzWcfSr8GiGdUzy1Sg{Dg@#?C9aLhDMPkYyeSDCqr5l-E8uS+LaX} zIM|2?Z_?2k>W0oVf-Ev>$$z-<@X!JJpaDJk*Dxjy35qQEGq!Ssz6l?Hd^ABiL5n}v zkzvB9s4C+JIE+F#KDyyiH z%MPPq5Yb0U^%3QU&XP0Qq5QA`maIF%O9uQ&Tq;_$inHnqhY=>uH{rdH? z6R9CrNQdOfr&Cx55{`KBfy+k6t89>Z4qMFnh-AnSZd#9jBxoG*$0y33f1xJ=BYcQ& zFaIik`ouV^gFrd+kIQ{WQ0nrl;^DGIrG(n=HAEAO=?Y^0i$EA)N=%bIymkO#EH5KY4A-m!t~0& zhQ#FwqRzROzH{(CH!y93$-AT#|0sX{GcOm+CugLb*be6~J3zSZH0)!5tXo)E)J67R z%lTPkVj9lv3pOq4-Mfdju`u{? z+)r{3U>fb7VCIb3d=G7)vvxoV8w*tHpc`J#ugky6CW&_S4dh|9q!1#A8 z;D+eLe+?5j7V(F?OTlnB5{8;~2Ov)9mzH6dW7UyU@pDH8iDX@LU_knmfJh=KDj%w| z6Cmk9xSnZ#oN)GEjqAi|U?=e>e#Ia3OveGVvq9U`+)Dc z+FH}eQk`e$s*w!Obwt?-5IbzbtdEIxS5@E#=9JpM}eeOOA zk#p(!1FkXjaR1_-GtZ*|m%0<4)G-KG3+_V@Q{2x6(5)k`1Q=bhWjCzvMBLa_6fdp( z!T5KFDd+A#9go|cPt}3XkzU82>)eQenDr^j#{3CjuLW_{IS2FsaQu0SNAx5_E(cYg zX)>x`00D<#R@9nes)q?GwL#+ zpY9L%@q3_(fj>7Z3jXYOL8i}~E#GMM=hoOnS}&N*FW_oV88D#q0T~M5j*2?hO(PmlZZt7cr{1nBqJYsigl8I9a}EeOLZ@0f)2z>g4jm8pV{Oqh zqy<};BOz>A*YTc{(3x$SarxAr5KKIZujk)lx7>0EY)_ zn>qoRLZ=_z;l56!91UAawS|P zNu^DRvhx+=$CC$!HXpVL>jlrf z;1YKs;ueznL(Qge{J3;*Zo+hji+coho2jb+Ck`X-xZKdz(7{VmyllhBsT+=e`Bxrb zXO3QiKi9cdckW|JH`}Xc$WvB;u`_#yV#SJ&By?*-k?AQE7#=F;HQXNnl3O;X4*mO}VXfoG%0E{O z{JAwmu#4{l4?RJhJ9nU7y?Xf7X>8)@1!(B@mB9vmBENFV&7lZCEcysR#~F)*@wtej zhaXK-r%vGx0!A7Y!2+=Y@eu-vb3V#B6Ci|*uoUUwHWZC1I@R1sk;aq%K~zi2%B0f) zzv%E{S}8{I(7f^~lhOdn&e|^D_(@MzbI+lp!cd)sv(7q;R<2wjA1RlSN4ER#fA6B- zfBQ|sk!hVQ=&(!LaLx{x@*5QyDGffz4~U!)QsjnpQHUU^a?XuD!r&jt4+4-g1kHcQ zD}1UQhuH_8C&h=;%{SjnW5uwh0ONW?DWaHA#@U{~&NuKEWs-T%!^RFE|8K3~^7XbRt~5 zY(UsBt7{_{N5!R#8f=nFg#4M#r&3TR{MG{r2;q6eTV37rl15H@ITN^z8#hu)QXF;Y z(2+7)wv0@jR)p)I9?Gm8(|L zi6HOnGbx!pkBG}{`+X$xN(%3m8q^H+v7RHeT#btN4dFB zgzS#z3ii?57U2F$O^R1K3_QEg!F^`#HPkC_zWF9i{Ar@pw|D>VZrSCtu&_}4se8u< zY$f+NUSM$?h;QP=iS*=?Ptq%|yh0B=@BqE{(PtD99wD1?APfly$w&QxQAK`sup|IL zJ`J&xdKvC`;e(99oA&EY3(QEvyYIeBbLY;b?c2AjaP%{YG@(9*4(yZ`Bj zIx?8XjUOlN4bq1;Rno=&}JV~-ssYlr>0HAD{W--qtM@6J66V}FZkO&!2e9l5=7 z)bQgpCulgequ8-ok<%E;&(9Omm(eOilTQ#J?u;;5K&M!pbLWCPB3NUI&Wwb@VSwBq zSd0Xz#+J#OH1+|~*n?0CIpr|mj>XK1z`~Cjp^1))q7fs8)9*9pP()<75HxhA6l%G$ z*(_n;J3O+>A4gbGR<87n8bhT=Phn$(vU^k%lT#)Uh`+3~R7R!Hlp}xeD};fMAPA;> zM0B`PR_+mkKt)cWx-Gky%P&^SQFZ((se;K!Wo5aT;TyyY1Qi1ERa(mAi_1}wQ+(sK zLJ>W7LwZ6&F+zsO5vL+SNCVPi@`qzqR<0}-zvb3jxMMh$<7WcIafOA4N%^Df(XndT zvISjo@x`3X46S0ok&}@Y}Vzb;y~~y161zC#UQ7Zd_O31ijR(a$f+7BM*5&D zYe-pCnz-Z1X+@ms9O*?Ip6gt}#2p(HB_<}&?RVTkKTVp**AU;i!|tG18;6$}rF`VL zV2Arj@(tpq;(@3RqY4`bWpw{4pxmUh3|q;sSc;$wy+k|tgSa9>5&q}u~{P zuZ7KcX0o%g7A;yxeVoPjAMWF{^fZ}{+oVYor>^t|_1q|83WbnHm7GPCHYBL@0)+n4g+ zf8RzIUUV64+Fl@1&UK=3JBd4Qn>TLs(r<{o|IS-9>XVQBy6uYK`-f?%sj@q!KlcM! zumQ~Nx7|SZ-+L#8hlbIVDNMYKJK)mYB?0`|H&hJ#+56i0ih(~j2;k4Yp#u1`-wg@o zzEX6{rqsGe7r*XSto##&d$?#IbtCD(_uLyGe9|Ct0}oPw&Tvstk!s}GD>~00bRbx8 zOG-+hN+uK-Sq+Z}<4!{%nM_MsjX9x;NAM%0D7&_+Y zFku8Pg42iiuzOWeQ6YDfVufg-(-adEA)|H8nx#^1PLAXqY0AyXmN=xNAV(Au(k{vL zK%b*CU^;tvV~tJ>@_}?Aj212Mk?LmB0mO%Su>c zADyZfUU;59{^(;GI8b#+WQ3fFRO{BQB_H@U6UZ_IaU(DIuzSmNRff1Wv9U3d52PtR zK9UN!9EI=R>~ju9?Bt` zuLB4iKIjZm+`L(mTzBkl7Z)EbqY5BwcnN@uBiBr>g3m9Pq0_0BbN+XqvjNvov`si# z#7=(w1HP0MX!Bj2~^NS=TG`7&}B9~;NTw zQBF}@E_hBrZgaA;Bn`M`D7XClT=r8&$$SsvIm*q=kr@sc)kZnvnL}D+rh+r_v!m4S zB2Y$%07iB2#$JqSx3QBnOqwu;uDbRnDVufc)@j>+F7Tob_a^EE)JwR}lai9;{%Xqi z5wLCBHpdQtA3X1PVH6n|NiEY-#4q$fauEi|T5>`RVL1kLQNLh@1?pXla;mmNJwtf0 zWS%cy81e=^(*^-}K0&~$D45!J?k*dcVFyKAU!)Vy8OSQks5|kD0Hu}uToiJCT#NL;XS;Xl}?rWY9>X;RAsKaey}*F>-g_dFRrk zpC(c`cV61HPN(_v=hAi8UP~R?wPOO2B2z1}GBfFi@4u%nJ|9KrvVLps*fej^T*5F@ zXYai8-_$fdirTkIqZ3Xzo|03NIT5w=6NmkuyZ%F$UUrH2MdyCSiWPKt|337e|NMvA zwr#5#drmJ#r_d=v<1FNqi5Q5a>@>?Ae~`GRo_dlJqQa?T#}0Jozwh7;QabnSGwDgr?|=aV>FTSlrVro$fNr?qdLf-4 zir8`*X#o+MH+LSjYu{cvYv@3s(`QBs5YL-$y-97Fr%>CLDN=Umh#`G*=P#i%&p3ld zjrxpe>ZM`{uiMcq5LqnmHONk&Gu zY}rERo_nrLoy*D1qYX^lF1q+aA;6bkb_I>(xUahM3huNVA)~UZR;?29+>Y>61@Kajdn}s$~nlw{D`2?fLm*qCa86 z1Y|_wcTY=na6 z>f5u6lt((>kHDjkK1vBO;dE%99x}rG%rno>RhM2wUyb^hI=5?01-aX4()claPlr<5 zR_WBTS&9%O%=R#((wR=n*QBfzvjh}*GtZwF*b4UIN8hv1$5I5Och1adQupI!CG^IR zA5RZI^f0~p>Z@Yjnwdvs%uSzu{$;wG>+hFddP$yz?4oKRsULp$A=iaB$W&pBz+!~= z{rBIe#~*)OrVao4>#st{G5QEnT3%L8OP4O?I{IyXejlQDxZWMb?b-bK^QCRP=l(|| zoR?pInI3%TL7FmkisakWDGu}lO34E_|`Ocm_n{K)B8hYl*N97*w-le^~6wS)c zVskrMvUIW78~yzuXP$j7oq5^`@?z6%f70>8XwK|e)US6JdicS69J}u-Lj4 z57Q}Mdg(=4ylfeb`tmy=jpv?w4%Jqb&o#p?68$-MM3%^i-<&_ENqR6X5~IHu9Y$wJ`cn|~QwQi&sC1$82{Y*FB zaHHh&v(G-2&eNt%8>ytKmfn5uT{`vD(}WD=F|nTg=L{Nrj~iWdB(a{!bRtcM5u?-JeEki*_`(ace9cBGuBfHAM~mx$q&kj^AA#d`4yMb8*jW$Q>ILod+++|uah-?=tvKhFX!5Br(nHWRz*lga2Mbn3=IpV zAAa~=-b&*I#HW1yl9H08yz!C(B&o2tkluOk1A5{4=cr}+-soEZ0RQw!L_t)G=5*o- z$Idh3L}{-=%r;<~eS7VRE3reV;=x5*ZX0CHA*6 zSpo4XEUl84MWaWLk^A+BAAX><8@JKcty}5ZYp<0TAgFIHz2s8Kdur2EI_e5qqW7BM?Q@+XfS7lLzB`hhsBKR4hXWs1)=_3YJ?f@{_68#ejcC!f}>TTidN@Qhqr;BzL}-Fh7&_wc2cUP|A7 z`I(HEFIcjYI(P0O_QxD^jOgwUTyptU^w^WnQRj9o=-e|;(Y8cC{5XmF9MX?w&0S3Q zKJbWRw<)tgWaf-NXfwBiz?LoC4mEEf_K!UFH2vQb&(O0kzDm<(&7)Xu<8}wLX8lEJ zX{loF+N~q4Sg~5n25=ubWU#FHI;3xJ8aHl|b|G4|daX=nhuf*AoFLygG=LlY-E#9a zT%RnW@e?M|4cA{Gy4PNNsgOMM3wrhJt_U%su&{`>Zp)-r&QJ zMp2I*-RP<-F4i`C4|q-&FquTW=bd|o5LE-bRNA_2o4Eb^j+^NB-)GRK%}gR)SiXD} z*Zbeml~-Qu=>72hIMKuR9Nlhr-Fb`lr7&&UOxnWr&E0q3#(f`ke^^*pGz>c+r~X<= z)loo$h!Hb9_-JI&2!=;s4IvW=KF6pMI;D`8UVKqD6Kax}KtqNdO9Ku&j5ch^l8znh zF`B8!>3^wd)21@z@QyofX9D&CZQ7bCjmgco+(g(_7NfCOU3H~QGexHcYg{j3@|cm) zN;cuh;|{pfD02gynwqLe1Op9rWjWp?vm5&bImL8dthGT02V|^gpWbxJ$tQ6~Ws?vh zqC3A=I{2OZh1ApR;Cg2WN|HyfkR=Fd4nd%F2`}svvWS$8;gs=)hf?C_gi; z3y@K0tc~QfqXU65d4UN9J~)igi9;lv17lom*M*bDwrw@GZ8vFy#J;;^EOw zg7|B<#IAl8{kz@BYVNO?5M#Imch zM@VrSiAFrU_>2Zkd8$#<^1`^%UyP+OiFUe~SJ>Nk1d@E2RazJs8~fp8XgV9y*xP&n zyaDkFaIc=j6?i8jDQH5vDhwR+<#(_?tP)!@oX*?Lr-~Yzt20pv{%eX!NTeO{ngz!fiZk!GAfqWcVy$qz(kYe}0 z55rPHcR{#;Nrw8usA2J}6DC+K=r;BXsyx3q=G8Z&XinMJTO6M)W)Yt=00LiSl9eVb*SS<|?nciN zOB=_ofDUubf9bbKh%Hn3qs{hN$QM{7ln1%OZ9dQ8S=VVfIeqr0Vi{kd$Vr=PjP!Xa z23Hn=#W{xbLKxi?q%hnotvKMIMPaMr*d-2+Z^7Sj{{Xi#0QEV8f4_M5o?s>j^1Zyc zJPc@I7Xp(5jgJ7vL}0TVyDaAyMFRlLvpl|dRvL+-4q@r)EW@!B`RNIPFV-gp-Q@C9 z2J2QZDeAmVIjExTU6L&8KCXu>`IGu9uQa)_xU40BCi?=b*WTEfjeOeCQ?t>Z^hhPd zvB)|OUmS*=$@C^fg~y|qnSr^8@^{_#C`B02{#BIROv=4|t*J|7F1i55QEh&bEFBaH zni2!d$bg($fI;wY4MY@#qPux)2eUdsC;U^>dIY~-YRz#k)2NCz^fOIHswBHX3>3~Y zSSQPXky-OU7woBm+<%@iJ)P!N%DK5L?(lt1D$2_Bf8pMBzoR)x=faUH0xa5ml&q%d zRum#@6fB@X1mXqPeysJBm)f8bW$}iGZEKLdXt3SHHi1p1_XoQ^pjB>g-x5uE-jP>pF zBOMFe1zrp9v^-XN8@^HfX>j*_-@RC7tq7`Ydn)^)d)bzYQzYsZ@jg?IEeo6;9&~!& zA|neAEXL?ql4Y*9uE5lh9&i@ime9TS@Y@c7!9=}T`=|x~zKv}MFtB}z<=-DkT@tCw zxb_qFFh@-#YK_+|SYl0Va({{&`rmWI87fyb-;U!+8ce49YLtve!8LaZrug(cCntD9 z1sQo@&v%AM9n(dpql(zCT)Hh$2v_L1w8KvZet2W{g@5 z#vd7g2k_q_ZGWv{-)|U&4sf9@9dxWR`%aJh(&>T(6!Osg%-=Hl4RP~Bt;-o@y^tSsLsn1i-q^z zqRNqd`r#D%O5g;~@fM{|hL-4GOkc>pl(u-cV3U!sIMC`xkrm_10^%}lR1VVvWbbW+ zKQS|E=x>9lafOBUY*d8~LFt_jqev1a6nKVzFBeK3c75${5A5%*=?wX((GM-CT?4z7 zqbw(1<|szHqcCI#UeOs|ezSN)vOyh5wvHTt zVSf_P&{Ch&w+>ltk;hNTrNhxMQQ<%bjTcOjlX5(%li>hR6b(19=*tz9z{ApR zanE3s!6J*k_1FWk&t=CWy$FlJ23YiMno6QFY}z?Hi^rUUziMX^XW^F%BVQu9;V|Bf zSw9K`iyN(&SVj=NOC>zxnfgq~=b|$Z8Tzmh?UySca#z4xVpLp(pM<$mNM#0lz|O zC|tFKxG%%aBr0cOUQ6$l>Y7*jypzZD^-p>f8iXNAb&Tf;i)9^p>*)!rQb zlt@5g>b4aU%KndV5h`!S=sRu`TK6L{n}>k|F~bd6adbsHn^D`@*=L`JWy>YKv7C4_ z@4BGIV)8O=(>PxYDmMHMNb8{vtii>DKVvodKo2*%x_L)o`I?}JyFhQybSQ3@V_U^a zjQ$6Xmikv|h;_eR=DQ0)N6wbf123DSoFu9weEGcMq`>~OzqatHbmlx;Lh{dqUO8Um z&fI*39cWVLWtiBQFF=b+K*N=S(_$*kdZ!tjE)Zkg1v@4B-prHqd&uuKUh9rvM$oad zQaPS%m`JLcjLi81%F96QF~4&FiKbntcSQ}fFdQYPGnZhF2i(y!(Rt=c(idV*W0UyO zO-)S0##KICSr(xbWDS&l;Ap7DzYKER)u|`8Liu-pGnumP8^;oYB5$shY`yw|Qi6a zkc>*gm(J35B(w|#(S2lVWrT8nx~M8MX5OEkXFVTl+rq-ca>&D|jbT5pO0Oz(8P#V8 zOXJ-OWt0#=?j4bWAttJN73w0@;c-oaH^;rGCrQL>m)dSW#XxSC42|h9%rJ@^;JhxT zn*^)G2^-BiNZ2F%3A2&uk8Sf|m#0-qC2N!YK$*yi$$942`9>lU`GPxIWn#Jm|6pmP zv=OWFEC`d)^WJd9>>2e(F2gvp9hzbS$n|#fUqz7>Z8S9IlU5Z(UhJ=@HFL!JAQPq6 zfjj-J>43=Tyg)F`ROxl%gMq zlHd7xyWL$>AKg#gxBQ;75Ru)^XQTgP~^3Sn804 za>{YYEo(l%>*2^CCwZxIN-}*k5u{z|^-Lt0b1qa1=Le~$1FgEQuIoimV}VMJfChG1 zED1wGG+_d{PfRvruNK@F2R$2lK`pGank_4&8@X8V%(G;(GXJJk z14oOof}C8cAC(&VbpnaNhzuXVzbQ#k6$uC0_IjfSn3Jc*k@scAVO}T8MR59V+tLzd z;(uymoi)uG;(|=VxI+ZfhDdxVb6g*y-9{NKrx&VhCX!l58{N*Fhi0af9O`aOIj{`f z2B(+f5~2&nYMMjFZrNh?Wj*%@xaQPUf&j(=ldZVrC7m#NvC0l2M-usj1=b z!&pm|VdiKqw?~a}aWe!*pzK!`VT zh?dma?twK7zqS4GHDY31fp8nm7&3`Y(be1cF0&bv0NO8Mpv{0+`#g+^fPC_3=%}Hx4mUB#JSgYph-R`oam}bA^&h|S$fxcuG?rw zLuHH4(02dOb`*|h;3V@^wa>@l-4iUG_G^agJVHQu;NR1SjZKUE)+-}DwGz)YJW^uu zQy3p3Q%&JjIX>VCE@(XERo9lnmLBL=cL;ziaeDuejIX-xdsnR5`4(}5gm{#0npl){ z*)D0%clm4acS+l2OXSPrIR$Ig0*Cjna@5oum)Oxt`p*Ihqqd){p%#NNlGGc7nIajV zm&+?r@@*UnQ`w^T8>0Eiqimd5Fy%02>aa(Tmvd8OxgmSFoUYVX+L>czKKPPO8|s&s zGr_)7?`~86Xfyt3LK4PF?DMZ6uo8Wmi=eZp^1%z@7_v*c-eewcVs+;Qt%a(q-2A#b$#T@tsK(N5a8Q+mLrZN|=WLnV5m8mLQDD|JAMOwic!QROvtGqv zS2dJ0e~Q}8sc01zXe_`pB$2m1X6`>9ub(Um=xCkpLt9g%%XJZWzgp)lj8q-JJ6c}F zLES>QjiO2{Ty^Nog?%`!@bL5ibU(n2u}GFt*u$!(t{6tc0kYkWtEf`@!)rVI&`KZF z3jMOxrw%klO7OA+f9@Wj)>}?F{4u!yp|y#-4zwXuON&iV*w$7XM$ija|LPMBO{vSG z9CWH@V)05T6Fh{iqC3~{=ZNg83S6#nHWKB#sqh7awGZ=LH{biMcY=Ky9^jyzHuv;s z%S+ZQI%K2=PF9amaDG#*H#^5-JpfnF|9W7~$N2NYvVt)cEmx28bF4G+bYx@qVw}#L zN7Ds4O8lh!H=zPPoenWkK5wYRONQ`_YuE@p)>o`ZADQB!sxL`@?R8mMzv6z@mP-`9 z37S^~-&JWp(Ksc=9s+yka)8G^+bS2P<1 zZ4T`^?9thCXhtRN{&0@xURAqjQAD zK^!&T7U7&Tg?dRB;h(#?Y{HCZ!>#?E9!Ncg`pe;Ng09HfitLhT_ei|E-9yq}#V;UH zWvh`^+s5#&Gi&2WgIvo;tWZAA;hkrUxjf#?1isu} zQvK@#U*;fAkZ5-{74nk!S}R-Vc#u&)Z6}ZDd%Cg^EUhr@#9$W% zLllySoamY|F(2HFbP;M!?KImAoQ{+w6iSzT=nSth(Gg1;uM%Alq`zCC5*S3AqO#Q2 zMX-%kI1a%dMtTSNECdlrmBaO5dxIvJo#jTUM6AqjQiKUXLfG9O?`3odj%t^$cZ1<4 zE=DMxE>;%Ms*WpY7n3OQ(*rNJrP8@!t&uNblUMHDfBKc_^ASM`}Ig+E9q$nYt$#gNaDp6GT<8ByXpMu}JRH^_cNf-$uk zf;{e_@3ZEL`&er3J>DRAj09At}OBucRiF^%mF8+P8uk zE(>i%I>WZm^iSjhR^v0#kV=x4&|;C|+^v<)KPTakdZD%!*To3`d=flrk;k3fc7Ts` zY}USo?%oKqyi+3F-VBRJg`7=vb?aob`IPe}CI){!Nbo#pMcW%32>({35zf1f`In_y zKrE>xHse0bE%-NuADN5I&F*ATwksT><0{HXDhdl9aWTpvdbhsAAgb){RB9+lJR$|} zA+o(lB6Y^~FP8JW_##NMd&U@24cypc+)DLp6y<}S&O5pr^u)J$6*{AW5L<6GOG6^f ze9*cL@4q(^m!A1Y0w|=j?WtnfNq7EFrJs{%fpXGn3_nagrH;E8sXl!h4|+>Y{h>iK zY^@fh#9fu#s+go96lg`a$KUTd+Oy>i<&5bP)0(;-7Pd1yMV2d$MK>AWRtHmn8O4%t zf{l)+f|uY`s{CGPH;)0nhU+q!o$9)Qnw_{;B0p5$G4q}0{-Ro*q`!ysQklE!1B(Dr zu@8aH(|=^Yl+KXX==0EGxyNbwBy$hUj40cN74@mCwcML4e9`md6CoDV%snYCdpVOF zKy&2JgC6u+Nj*wx?7=)iHSse8a#k?I6{#IQ2+{kLHp*=ZHD_O@9Ga_}JFOnYRjzj+ z)U#gx0eK`JQ14=AEq|QP6;}TG6Pe?DRWB>nJ;~LSXI^!i))gF5=3Q6%&Uq^>^4fdr zUH{@VKV3vD3>qcD_o%e&;b-P*?e}nSVVYZ8Jfk?0&0HH=sfTkK@7I&N|!K@C`i>MvxR!z z-yMdr-bRNRKMH1sbeDDtO%!4hzgh1Y6;M^R&#hiTuEpWkvW(6n4XzWPA|R8|Na^jQNp#I?1F+l_Wg zz-!$)%s2=8YV@LW1N`3^8vcMJY{%$RNA$m>;8)PaDk_GBMTCW4yT+%fC|t!MAkY0U4xHc3jn>t0an-iJAVBJP3i zPfEO|7&1zKl--dKd=IxZuJ67@R0X;_3tMTX=2rt1bLnSn%`xbP_OR7Fcohwr?bV%| z8w~TY0OcjQqPSGboHdsGTIDZJ&~+$Va-aCnyuL-C6pH}mZW{M*13LiWZ z5_I3{xAWfFl_V32;*8`?%Lu3U!te=s&gi{4iLr>3tG;s;6(tf=Z+=gSNE(5K2cct% z@ESv2CD!_lFo}$V*XnKPl$MA-_&j4p@p;kl;05q+52wnG*!)-qc45hxmz-epP`Y_H zYLV0m(s&}>*xKUOXyd4<1H7}y7 zf>y=Rc#W<5$UreJH4$A^e(xKrvmdY@6v8((XA|zrf6S3cxV`e*_hktoiT^)kEFlrp3U1UOna~O zAK1-hSn(vMfs3-d`H3XmK>xgJ&ri46szBs+>sL)z;i7?$N*=e1moUd$(AM*gWv#p) zay&jqRI4W-)6b-v`86dxY1Wt-@V;-^`W7>mu@*M_gs}Uc9l_$ysFbF`*)yVrj?qs9 z(I$!ZC;p$>=nSG&zp2`qi9X6h`$?=p9|GukH@|)9NIYi$USa5nsquOC{@!+D`A)C z+$GKB@VXr~G(UEUW^M}At6qO-Kb0H6R{q85Un!m=!J{PN@Ir42w%t!Lytt{WtzGI8 z>*C-lz_H(K&jla^D&gVbsTyh$Wx2i??Vq!Ft%<*yo2$>i>^Gd$CpOeX>^5Ua=J2@9 z=}tB2O<)_wWs(MHlVu9H#~eMWM6Y8g;YUGH)m&g`??zbvgx!ZWXjBW$Tfrsc!(5DWV zv-WS{mYi>kraF^VrHT2^@Cn~{RW-j=4ATa^Q7J!3!4WzYBak@^sdTXwNxCiuUM7#i zK##lex@qr2p|?C&&Hvi|W@C9oVIM_gY<%*0Ho_4hMwmeYwchR1^OT+} zI@mJrO*E6s8dFO`+ibtZ+3;_(O0-N2#YG?8N`#i3Kz zYi`^A99)o2J=3DPXDT@?Ceh764kH#X7+7N;y;qz3(hrh}z=9@-_SgT#3e7w*R)Hjkt?j=6n=^!ApnT}C)Rxz-6g8)HnB{oMoG8%>i`Eq2FUnAD`lOtS{Wa>ap>-!0>k)5--4-C&T-uM! zexLs%EV}EJt5Z{181mO)S)wn2kg-kk=S~W(*EbsJN>VW)HYP!uPgQXEzJ}^oLQh{* zzb#B_8T!jY!J!s2RX2xRbiO)7!?|0xJ)9ri08Qxy0(-tEi2sIz`!M9C-J@5mk%$ub z_(2%P_XMBEi+kwusQEGD1@&p)KM#^$9l^)k-QYqUE%<0Kl zVAO53W3JM#5B_Vn!Dx<18l&n2Q*=hK1c8ue)pjz<)Qt5vWG?LG@6YPi69wH)KZeDE z?A$G<%(qjnlZD3EC-)OsB&66bmHl-hBL;I zBnL|C((P26@57gxCe6ll&S9}ALYJMV9_&<|X?cMw6cM5-={v<3KIFl$r@ZCI{g(kx z49a;T>({rd^La;u-!GT;8TuVNz?lB;?}?bD86n6fgqQ@o#gMG<$nvtfU$QKtgkig` zD%grV!QO|l2?HC_Brb?M5W`uP5g_6`8Ki!!FqAx~ZVaj8QKp(=x;(EK5wAn#Ybfzm zCKS$(5&AsbY@$M=we_H^F0XfSLSN``41VxX3_Ym-+0|n9eodr$t9A zmQL&>PN`cA6Kx$Gi}uI51Pi-utFHOaZO3eO&jeLtydT2k$Ux0ZwNgu<|R@ahS#w$lV8Is>&C=gPD?j>rathmDskPw+jAA z*m=qJEv!iNF=xck^>B7OG?MS|(9k13txdFN|Iu<2eOVs}_3Gk)tCaJ{g#JTky_yzM z26;S$;Vyb||Mo`dbJ1dHy%tt6-==CfI(~pEu0|iv_W&L9)A1xCcB=R7lMY_=eH{Mt zUSwwFavYV%t#q|`p;S73uw-z*i4Q|*j*PTP(;eH&FbTR}GNY13P&tN-r$1DA5yv80 zQBnUYTody@FL7N(ejOOVg`)x_+nHI6g9;?gV{9?7l;?lULYh#f$vTGZ`<^F;POIXTIo3FKz2$PrpcP4R{8he9^PgB`DUXe)J@Ttes;M5Xvzl(oK)hk;-Thi>6-q-;3xjG$3#b zmV$G9*KJiUJ1>pv`kFEw+Xrsrw*o&FId7VoAjD6Xs!Pxfk-_O#ko~dT6<`QnNe|zL zGkM-kkFxaLo!z~xH&}dg?tVg6>BTC;GW{r)jvZZoT5kEmYW=p^!hw_5nmj0*B@%{P8a_soBuqRcl$ zTr!~)Sm*Tel90o*km8dBl#0TaQI5Jv`ySAt47(r_22n5WA$=_K-2cYKeS#+wd-~|S zMa6g;lI@U9@Qa-kKE-D5%X^+~VwY6PhLyql)CCW9A+y0n= zf1Zpql{6s`K|Eu)K@6!X@&GFGoKMPaGOxFoC=9#~MHHW&-C%vY`T#DZO_ zn{`18H6NEaxoT4Ncjs}mgq)gpS5;A!P`JB-U#xA@b(}tfsKaZW>j*>vz&ZW)2VS1* z+1d-N*Q?DM1t25L^;mA=y9|jvj!Q}Wq0-0-C~A@Dgn11EfBd~4T;s1N$uUhJ+{2lq z5EkTjh{ao8$kvh49xtwvzgo_*K0`#mNzXf&m65!g-FNCWqE~rPgXWFh5T6kN-M4AocHH* zS%`m{V)Cr#0v6}g`M)WrBiG&Li%{-Q8AMWaHDcq3bwJrv=)dCLjnL(dzOal#+hmUK zrQFtA+!N|pe9C>k@V%U={QB#7f>(AH(Bd+11^_NQiKb1Dw)Qyx?Pt6vUCl4>X_4Lq zv0iItXk88xjE4uBOBIFfK>{WVNHT)gE%=2O!mVm^cNT6v1BdKdgM*qSn%@kh5D=XI zC;~rggLMW3Dn~@J3==bu6GeQks~=oBCOfzsrS`D zp)AJ>c~S9}FITt1x9je{psA?pds9pY(Z#VN`gj-+ z6fL;ZP`iX>^mlWw#I}6I7*Acyin^qP`pZ-&Nx5v|&+%d(^?#X{6}u0j73)Fb0JFBn z|C~5Ixi#nYlP}Z-N)q9p<=JY8{<{e+L$|1VU?VHlKiR3Ybu47S3QVnN!N+)zjS&a@ zzju*})y*qlF)YZ}V_-}FNf~e-X%mk}EH;rnNHF(8927dd>hm@iH z!JiGh_rFSTK}Zs!L~}v(K(%lML?RPV1_Tg_uGEFLWsSF9kEbLes>9|-76fh;j#U?y z<@)LFMb=@Nx027^F5_)RFXNHt$db7h_QMHpK7m-C!in6_Vc+n{4f-3qj0D8IrfCyi z#b>!*hUD*_iqN9oU&-PNO%wQkmVyN&Nw3OCeYHz}WpH#nmu8V9M<@I%dz*fL%!RYQ znVO?M1BANj1`FS2gfEtM_X@x_Su;1x)ywskbF(Fi1D81;9a9KcKIHk9Io`N{be`zX zUt4hD{!M{Pih*1EHOaW|MPUDRq%}!I^Cz_R57D~3E-RRhyIDows^0a*qm@R%_eLXr zeYXn&3Dlc(WXi?W3~B@aXKAk6nt=xXdQd>7Ks?y>bz;Zk4S_D2Wbgb@q~LMGTjPvE zRrH$PU-W>^=X5>M3IVIKEYBKzxT;PsDY2W83{??PQ-uPABiV8vAXLT*Cr>IdT(qgaH!aBtW;Tr z-`uRB^x9N5mMDk{eov6f(9;cla@Db&)`8r5IK{coJyY0`0hr#E?c4sHM&Vu8t@&Wi z;+bu+%%$FkdmXE3|2cTv>`C3Zefb&9FaTV!)b%nbC}E|J%jdXJ2%~Jw0pB4@+OE|b z`mR{hxsO9uT(CG12QMKuTFZ~#`LR~BNx?CJTy%~8%tDwlmyg~Ujao0DAg}T>X||YF zncmeGcirjz-mTAlQQbmCgxNIYwI3^ShKDwv{EG(v`g)st5%cPwqXQzx{F=_UibJIVK$B`Lbf|v-8&WxLfB^QvEbI{II9fcsVfHL@isEwk5SX@_ePd5aOHO4s8m-i`c?4xgD>nplRK+EifS)|PoLo6JMh}vA(9`?8@A@>B##&TGG_Tp1MA&kxXw3!e+# zK-JiwuAkL@SN11s%#u;ogERit=TCK9+mSjABD)ra`S9mO#%xsaOR57~09R|KG@@_5 z=u6-^MRu*8v4eI;NUP^1%i;3!^6cX;Ruv_20DZyTlvi|AzCC37-Lb)H&Y%=|cYq3l z@-?sR;y34LOhtbv9NIzWxd}xBtH^7y$8~Luae0#Qsr zTnw^!)zGigDaEnhR_+E2eJ~ZO`6)-hy|BETzRL{t_9>p!>8_4$cJv1m$@=Z2py3;l z+wtsIIp*n3f8W;Q(yTqITkXq}fF6jC0|DXNv$+O``-HKo;^MHEhjS(p>Ch~Pciwlt z7b1U|S#daY!^@2hv~u?>WsR(vUUS>^pH zq~%F)adkcVNmRYidHTr~ebeVvlF;i33fW*^aKufUgv z3}l(>qr?;KY`VVk@9rO79>2h%p(}q%taL-hi1{}QS`v4+_j=Z#mp8}Nzwr*wi#hY* z2+TnYHAAF``DjEdlc4|P5BZ-^9(6ix4&Pml^_iaNlm9RXjmWo*7+0q$B$Mf1VU$l=*!3#Y=!S&ik(Tg~RDe9f&j)VrMn1%f4v+-mwNfekYJG`HJfHOmjF>C~XsyBRc&4 zI2q|T0e9ZyvwIme*K49$OZzKM;ikTVjWy+GoWCZ#w#)~Y?(3Z0i^ZKABJo`y_K$^l zkynrGhi$S8?lOEKG5`C^wu=(r-x{wIO*}OU6w98DoFof;E3kh=QxUpX0=$7W)DFmY z1&K{m$RZ|e6WJrgrri+syC~>Gw$+^x0uA;Q#wPV;j-6zOaerDZwfg(}<@oTGCx(Ze z&L}Pb@z%veD*6TIR9B%sFmZcejIeMdQ!)Cr9 z!GL1hF8!kd-oJLV^KJKQgt-x9yp17Kq>`6*6U9RBZXKbPB^(c(>nVYJPWl*?kV|a;5L!UvUjk_>Ino`!87zIKI3WEtkfuB&kfp z=1jD$1#8=z1aHr9*6ZJ`FP2XTvZ)z8F9N4?2)xS;Ns#ApQQj7f<*B9rQp8T%W>K1WkCqUCq{NgoEO#6F=mI_ zPK8WjwZ9iA@EFx$Q^iR8ev5$@g@EDj+k)+n)YRF2hAzd9Hg2Z8)ttuvxSBD-o&Jmz z@chymH8KMj(RP3PE%XG>^3=%0gq(%nAxRYGuhSpCZ#Ec^^YHxaeDR1o19f#>dG=cy z*R>5#eEuQ8TO4=Ve6sxvx!@^ij=WVz^3~=G~Qysi?##lyg?@RqK-;Ff^Tm>Zna!U zBm6M@{t|ao=3G<(FuFMeTH3U`0)%O3X!wndNaiLXT*9n-F09*Gg+H)KJa?>L&bnb1 zTr%BrAmC}Hi{&xj+0UBKnX({?hYF4?k!k%I$zcDZa!fs$SLK+k$MFsh+06~PmLFkD#ZPf z9xW&F;DD}EzmrcQJ!_6%cSuRmI0D?qm^X<@EycxV&b&-a7$P!FY=v-?-^L#ahppY* z;?De#IGBl0>)H-dSjc5?ei03R3kyu8|6+CaPcluF z^HUG`?>hX|aId?Qlya0jxC)B4v{O<5h{3$l#lWCikJk+!Bh7bjF}VLQxL7``Bfn!< z{Kl>nrXJ;^NX7rTB#nR4kM^pu!TXelpo+PseDAKIBvAycJ&Nu?p=46u0v1~?nhWD= zsulTUv+$eX19tdu?&|$pKTKhQ`sIt$N=4bsX-)b4Ot-INSG6)}K9%?Le%f3%|3~(e zmX7wBDm5I=%mec&!yhw}dmCNJB3af#8Xa$Jo;Mnb((*{kqN{iF`yUaZ1nCd2y@0b3 z87)>gRHu3l-#l@+;<7=%U7sz8z-+d;jhC%gQ!6fafp`DkB5Uc0Nf-|G+!BE=uV2|6 zVfxbp%(xuetm)2>fELJXQ+<07_G~5MxUN*l(C=8<=VD;7;q+n~B#D}Yfrmvq4qL7? z9wB#OJ(!Lg*Z2$1(COzc8q)guoFAHIw)aEJB(^?0{K!aIHp`s7=*J73KtMnG5Q-Gc z!{WMAtkOsL`T_HOpum1JmP#S#q|jnUsqYV4N$S9IRu%Le2NKS`cF#xDyXhj;VWiN( zpn&%mL2Kb+Ez6gK$ZMA_qsmM6AyQR>WBCL@9&Q&XYV5fl!3KweBYe!~zNI|iEKyUv z`}l^$g6nUmt(g}H>Y>XG=&2iOosUpCb&uQx37sMP`+B&%nfNn|T0CwYU*X?qt7%Kg zq7o=*1ia?>c%DmCWt>qE6W_v*->YzX5H|9)K?zovYlhQZiZo#HRKb}?E#qrHZB|u z9WwttYoD9z!zX^P-~{0VFIr!FKEv(bwxzsU8k>Nh>OWKgz$C+XoXioNyPXnMRTa7} z_WNlESlec;`-dYH>gm>12=%W1%z398njREUy+y8v)rC4;ZumEg*vlVgyR!JdoE&Q1`fS)T&MA5M1 ziT(%LL32!WiBInHzhP4k57b7hXd@&>;KSmH!}SA@l%Z=MLUihfK-(J z{!KYLGFiHmj?c)-S~MI59}|<1%+S8X24`%y))1YXoU->?4ii3*nwBO@Kych(J?DXl zfKm_^20c2(YUFb8(vCo<79Z>*nfyBr3@J+zhEI$(%E3n;H=>7wwZOQn-u$~gb!XR< zPdR)(72#vS{#jz9)&h$fWzIHSZ;Vg{c9xEcK#qiLV2w=aV z8$PfhVS170lQOscGy4Lin08=>tp0%1?Ns@rA}ZD;Y0gAZ#S=#2426GP+QhN$W2;p2 z>48m-!3%349r6Ct<*ck<8FoK{ExU0rAh&}GK~&$X)J@@=dUxFErl*3|h@7}Hz(L!Q z25H~MJpDT=c)ES_%3mTuI(vqnLV*~j?G0}N2p|-tAc#r)8(d6G%1>V+x$BZqJs@;= zY#rS91bhlg*p9gHNxIEFzS}<4B`2x+DZuSVHuUOE>_;o7No2HVx%6m?!VAX{@cS zc-dp|oAdmz%vNu2qJtC|!s#Sq?tss&k zIaG@y4kDS9ESP2I>!O%){UDc>S8uA>Ss`+7bQ;98EdP!Mj~Z?-BP(330dDIsooyY_ z_h?aQ?BRV?iE(EGQMNBJJQMIg?X^v8jDb%btMSOO0W<)(8R{SGT$u0e?JZ>C5;ma> z&9M_tF#0xUi-K_vqUE=tBplvD2vZ<7n)3KPUU1EiWPudB6?e`a0~a`*rX8Lt@dPcf zgEnoA390F&Amp^_gAmYfmcOIkkG+Sw_ZwE;oVz)A{_BVpr7b%HG`m!1l2%wGhCEI} z7)%JF31aiCmq|FwZ#w8<;3B5gy`pdf>L3U}q5^#O{W>M%JjveP9mfcoGT?haqa2azYID)1ul`H(JJtZ<^Im?LMwC&-VyAF2D12|t zKwpi9AIJX{_~fYpc~qyB_%v9x9Y(P?hqk0E!?ZsI0d8!LlM(V^tMmHY5c8OqW+}@R zH&f?wj88=_Ylwu)pI(F;p^|~=iK(-gqXDRzfcf1ZL}a#!@oyZaZ*TCW{myhMBt(qj zlt2+fb0s-%fdnR8h&`n#aZ*cWufQ6pSC&GI%)!t`lll*YP7gRRO$Pd+x%qM8u^=`W z%e{GRIl}F{k1g8X2XrlT%(zok9mXg_enL+0R*%+v4_<=d8@|}oQ7oCM+KxJotp8T( zaZ#NoT=W%9$w}VV2E+e-BN=Exm;bN2o+}VxH^IAE`HZ}>&0hI^Tmsp)A+Gtu(`^_< zP&JZ`LRDatA^7?i>wAQnh<;79B<_UaQe@p)8Cs-PXz)#n(A1`a&it64T zWg~c)9fFjyerj~cB6xzHPoyL%EI1SR z`Fo3Cm1HytnuVe>q|@TRFJ2dI^DrIVY&A=1F_niVNJgF#qxelR13Td7&tMDf|NUkP zh>mMY(F?3?_P3(vIF}tm{Dxfiml!D4F29}qBc!VFr2@jOFG1=EA1%WL-H~zf4*$AB zn(BuPvaY`8RfjQqkir#RKCxf@ae~>?(&-tKN8X^;AD2+0(Lxoncy|#`3wE6Ouhao= zKCD-gM#EPCn{tiI`_}Tk!f@^C(4oY6IAJTp;)EaHD}2|z*Cc;pQq#!Oi?CBeN4V8} zeNDijBd70t6D3EC*1mVuPc!@MX)Iq+iv$@mH6_PnarP2z1MFVum+$Vx)~^}+*R1}% zKJZ}*yxbLfIyHyO#ZyNG6gp5{{M~JDF&yA^l~y$O@-$gaYC^h9-yvU0nMR zA_GrwX6_&kN0qs!NuLfTc2BO0q*lAP_NDC_RXPgqAxs}I!OI0!!eZlt8(OJ|eL1XJ zCjWbugan^t5=r$1t)|IeE`~<9OrD(V?dzHV9c0bjE$bZMtfkm(~8SJ+EXkiDl*GasoC-7%LW+rhz|l z269a-%?2c02@{~AA-K5$tA(B|96e*Kx(Yh`E0mU+=5gZ*{+mey^r~-p7z6$N)9zaO zgXdbQf0w!6IP7Ve^;=V`JKs#~O^uzeAPozwe%IR1iu40$DpevLhf=u9k3=eszjn5lGORnqtDN*rt}%ZmgqsvNr}nwp_=q9)IV!l@t7rY<;qljFog10dtNgz$D;^)% z#i@d{!@?uyXz+51?6DIBEz)^(w7oz-enS2;62XQNQsLGUPGHS|ava_5aM;g- zxO{t3c@@6e&Jjh5g+e1w>x)1sV(0=F*#B44^6&xx8;1-)>(elQZ;AMiFjmFvd>wnUCbn(n^ecmS>t9yTE%rBCf^z@1m-%k5H8fbH&Qq() zD36UX0nwP8<>lq+BT9l95^o!DdC?m$C|TuNQw{<=vBKioR%}&UheiHvJemgTRrZf8 z$yrY_Wx1!j`4MUQMYiD#%a{p zwrw@GZQFL6#&*)!YHVALZ8Wy6lXv(3JooJp2eabhY5e~aQ#RVkU2}K*Hbk76ivV?+^1jbj1JV)WQN;3Y6Jl> zrl~v*3Crai%ubY$UG5Lcx7J%yXpqx~*ZOag~5T%F-l0H4BUKn-C=# z)%TPtU733G4>3I+H^;LL|25Nwy$2`m&Zmv{Q0`9O$zFjgL9@DtEMUgZrHivAAL*%$vL5nH$ zSy*SVgzL*S``ju$URY*&28KK!0Ve9IadSUDG4?wZPlpZf^`~KQP|$R4|LYu<92&w5 z1T!FG_IUiIi&0+SSd-^$y6di2qG0c3ca!B2N?-d;z^*NB?CeZ8ox_d-fAGN~+o?|W z-QQ*})O9}@QyS|E{(B~f+lN5UvG_F|nwO4mx%XzhW zsj8__KiKc>?ZG;+gD~lI>D)1(5vPSV0Wp_4D~u|3@rmCwzn=s~4}AW9Zmo(HyeCm} zk!iKM#kjr&g%%7DJj$!9$1H;#AD2xw7_yE0Q^j_rsOjQ*yAl~BaB8+nB!0{b4jx4O zK2`gD>|F6lBA{syVCrst!X-6QA*O1)qySa()2^z= zO_z3LY2-PKiMav9M|r;<8MyUW42=7}xH7#I{%aqiu$;GZINx^;^;!TuGua*B5tl## z)%3=CqpyWJ&Gz$oBG5EcRLD0xE(fwF3zdnB>OGb;#U~-5p*FZkK;`5DJ$pmw4?s}v zO_=k8@Xa;>{HJbO5kF^|Amj=fMjR+42FzFx7?ROaQ%j9&a%!ra2UwGh4Ce$)-t(4Q z&piE@8fo!3WG~q4CGJH7WWDE_HhNqQqVhAWcCqj)k??sM3bq1rj-#5iHJ`xmOdlZv zKxZG+HwsfZUxD=vHZ39&WokDBDfyN{E`7e8`>Xo{{^OkL=*S2%KPQtM7R2LlxJpCx zH)~}+dd(WcW{=NJ0ELkCse*gZKF_)Ug4TyYbM5hVs(bEHH{O^O&^ub3^E%9y|M5e( z?tqQ7fIJaiH3e)Q(0qP5IlVkCk?Ia(2pc7~)zH(EDHtx5OJKUM>&Op$!JpOXTW+FP z;h5zc8e;`HUOWV$9lqX!}2B>AZJ*cJ^aTGCjy-lv%Q4ukH zXK1^^gM))hh{h5C-N_ubRcW@SBc3m%UPfE5jKjDS_YxEjX(HJ#8$#k+%ka72`#%Xr1ta}>e^9#3)`jXx9UIq94 zeI!Es%l)~WFtO3y%HjIO3D<-d=!u(%= z3SMp1`5$70CVW#k*}$eNdoJmz;{GovY?)3gx#!t)1%17zr~3E)$e-|PYHF*dPD~_Z zEg*%Yf6||tZ?}r=8P!FP(0I;m)>-f4K>)FIur~}Rrz{K1f0d5+^)@GxC;)T)zvzH4 za%jDfchA+v{YO(B5O~&brG1|Y_v|Ossy(|SgnvEg{TD;z_JIk@!^@mEF#PwWC=2bi zMzl@R*2pI+CZOM4HLW=rk{+(^J&MS9mhk`1+n4XuLtG+;?!K%4Kc5i(!CU>&No9&J z(8>#;vTXIa^Fsa!13^rv@_n-GzY7dH`Mk|r(wjL>^m_9z2;9m2`J69lXZIb$P5*P5 z5{W?^^Ue|O^~0fptmcXC=?lVG&KcjEUScQq;t$6E#n_MxtK-p)0Jiw|2>3oZxuQ1V za4gMVaf`08%buLTQwM9IDiOD@+AT?u+<7d->Tns5(8Pk=5Cs4}E^t`VIgU`TQm#q< zI|E+OCn=}*V+`T3$?b>J>tnxzu<_|1D}Hx91+4|$A^oV?aC5KYpzW#ux#8L#R%e{t zO%kAK2KcNg%oT;5N{EaAXcBhxXV;U$sn_VlTloy(=6v*Vl&?Cb*0I`j%o+KWXUj5qr5 z@26s}|G7fG(qbYzYu~H5xf>k&T&}zyU~D!+w$@9QBrf`q!4R_k4h#(3Yhi@MPf9D5q@kuy=DVN`VwwR~zZ$MMWGpnHAF_(z zLdrp7KPt;Pz#f1sh^_*39rv`C5v*P<>W_f^s-TT07+6E$v>FLLq{~L#50mxzqcBG< z3PjS;2})bklC>%U*q-=z8^K;W3V{}0C&E4Be~AgB8O^_`nd%xEG8XwE=MRmBm5C9U zUz`I*y2KuBxbcqEQ`l27P9`*U& zRi7wEp#3Pkw@IyDy_|-kgs7^GAo-v#PRtJt{OGI7 zFezV@Iyg~xBT?`-G_7GdE@3QUXGH#~)&Surw{x|1={R>vUkuQ-bTvBp|5-e$;#Dr} zbBB8s9mYKbDmgj3TWYDj^T z8GS!_8SNUH6qkp0X`ZQAxyAp*Z$Ug^(2}HHp{?+H$u|EUw`ul(UMuO>ud&s}2Ddq$ z{Tbk=YfK2HVkb;;o$}SRsJuL)u8xJ8hvr-How~ZZvaK!E{{EqouWL=5OsR=AJ&ii? z57`&fMTCz(v&f6R^9Hb~N{Wg^_a?Ho5W&GA(!8WWsaZdN-n;6~gleei?BZ>Yg#E@? zroPej;GvmUvrk$<-kqLC4kaSx3u07B%Ci6<9&qH(^w{jFvM+>WI)@4Ygg45fqW!zR zF~YgUO06B}9-h281^(6QE`xYPm`H)#xoKppH5RQM7OLSA2aL+Rn;Yrw7lIjr2V$JI zgS!M7yn#=81X)M(2znh}A_K&2hxCz#*;FN#&KzcK@(%mXvUhZU6*DU!0Y#fia)?>3sZ zl=Y3sm*iySpONe!Y1HGyRW-lKKU0wwzUaarf3Qi(<^qMf^e)he4;;Kn9gOp6A;yJy zR#}|V1`$=j+t@Y?vzZ>U#d2^^X=6gZ34|cvRk(~1KvYCbY<)`}1PK3Lp`20Hjg7uYOKv%CHs0WNy^i}K2uXA z8tS2#)pf$3=IjR4$7c4VQ17*N`vzclkM>j)N~#4uWY^B{4P6h?3ZOZ0X4~CPF^I)d z_59KI(bU6qegB~IlGVM!6?DDD#PEYe{T`;E!>GkiWLrf*m+{a?KOZ+2abBV9R+|c1 z;Zs#e65BpQe%oyk2sYG`U=qg_`Bth@5~HfFE~?XPn>U{6`*JeI2#|H`P3ttt3*xPD zYH*$hwADl;H|9Krsf=>65=9dI(tZM zHWuZv2iwZkSo}}NfkX)C`|J&VuN)B(U-B~7@uYG{mLoFo&;IYS9H-*(nVhub2+MKz zoHkh&wCQ~)18AUkE~<0gMwwV1#ew|a=V`;tICX}KrJUwFP2i7Vu+dVJX4VH!A1oW3 z6i~kEdhEHL7T>dZEIN=JY3BW0XoGZ_`wpI82cBNv@*M+Eot0Y)SGOnAo~Se8t@^}c zbg=u>9%ED0?o=I>wBa$Ox7y(G3B1*E2E6Tj%VWkO$G_0-$Vtw08k*;k-jB#yxE&C0Ie>e|9!W|*)uz%bhS0^Gg(i{4(+=?4+TJvsRx z8Uca0SmC7n2|4VXcXkgTJduIoZ zII0x>Ivl41b}(I?6&1g+6tTtPtG}x?Uy9pXWQFn_{20cwETMjkC1P zVp3H%2*Y}z?pM?-i9ewMbnX9cK8Rd%<&55 z=5G!EcRTm2nnH&>1AkHhgFoZc`77}1OSH>a)DT&?m^W|{R-oB?8s9CZMtQ$9HYYrO z(9yfw-deTb5)N-@_hqL2Mo0FaHyrQnK@Dz%^8Tbnx-^o0nJ{SElkl_`23``3HNXPYLy{hObbi>Hc zhszrzPPgHNNZ=XPq_%Ccx6<g&&ran6~Vu zk^A9bGv4}f1tWi#itqdJCDoKU8rDvB!ue(TIpV{CUz7Pg4bN%j?cFbExpcBWx6S_V zJSQ_n_?0^C;_apJ>a6FFz`Epmu0*{5{(vSM4+@ght~KV4#`14C`{X+whQj7{f>v%=*Wx@V9T6E* zg!ZsT#-P5~qOO`WM~Wo)4Hi#5v4slf{+Mb$t-?SUkZRfSRBplRZxPTFYi(`)mKGdT zj^}ye^$a$TvuaIIpTS{Q+}vtA#eE1qIyHvsb3PUUp!(ooG14Ca&NzjOnSofX`;pZ{ zbC+`mVKKP->rR@r#v6!cXDtRNL6p4g(l8g|v!u8j7NaG`?qul6L{6I{qx6N4W1KaA z3|j6@j%rZm+vIp@sHvUExLc{SJa4SDO%7om>JQMix&HEnhJ+|%dra;a*IbkZjl$nr z9Y^r3wzMX3*wUEH>WR}Xp=l{{}ue`)DVw{j-CHsAW8ae+!boz z3&JKgl{~ENk1e!fJ&eFDK9SH8^hja!YVkYMX_5dDKvvh5czrt5nibDl`A#$ouI8+BxF5(Gj|KV8rC$ z;oKEapB@{lPT28%xjC)=Cn#M6xL^ft23+bbl2iO32k5=BI0C+0cAFhq;zBwun?nB3 z_yS?(Q@`XgezDn4j29mqPaFq)yfflEOB#$C=j&@KOXc`IU{7Rl#%}uV%C$YD+myDn z#N9;Dl!@J9pkZQCGAawpo886!_OR-o?_QRQu;EgWl}}8_V7jgnTU$@$HZ5h~){i};S^WzC3Kh1`1iTiHlRCGBQ&1O&c@)F^SYLdrju zR`&86ljh>$Hf?}T|3zFys{}-j*9kNB9~RHsbELg6rOoWlS4q6nrK%zc(4`b5Qd%+Z zTiWix8Pp9b3bxke%TlAw()2B3=RustfYS_l>YPFSN7AkRh7U|H)T+mkBz z&80ZXb0-@Rw<2uZd7X%U0hY`6+oV6P8~2=%{4hYfkCj{BirSeqc6qviS^^fan4YGV z)}UK*`4rPWhUnCp_-3aLCt%^h@Xr0t3G9R9!Awq_e*F*lnOT8*2W}U%ss9PIS68-{twXA%I{RUra*m51V1fh*p;^c9svI(vp-W$s8~I z&%B~6Fx)ou0spA?6(oW>^dZWuM1uf?m6;6eFIKAze}0smnoYngPD7mlO(BNA%aX$H z&VB_*S+^*DLHLyQ*as`E0M5B6X_1r;P3)Zo|Ubn%JF8A*UrH_|X>PpWcvw!3dED8#lAh4=En; zFf=4dBstan)+VsV{{}cwM8Tv_dZ#{A?%`#5##J5HAC5_qt&gKAMcw#;?vacw!fbTE zb+GPO4y1B{5yd!WydTnCU-Fhi8}sa4iDcF22b}VsD+>zI;DU=(AgtKZePZt1ZOX`W zZhznUSYWvS>~%3)lp$~%f-T2hSCYYS9{pP3meGU=bRI^<4Gj#84v8hJC9^a>UVr$E z*v#Lq&FpsGxLy}&SYjeEiM41{3$W}w57{uzF%M_u>UC^0(xE;AMhc3}1pG%~q@mME ze*|Hr2)vUlq^~ZFm&W2?vnkvxp#gfr%v>%})l}Nv57m6P9+n7R`}Sbt`~vD9IlYms zfbhg>W(SFOt#2!zg(dGK*SYJ<&h3=h%jMr*2}K}9V`jHCxveVA1&_&4DEt%Z507$3 zizsg3K5^P&yW_R-C@ocPeuDKsX)=a4-B>Ks?AkMIkJMdN+WDI%F5NioX2A zMAZ&EW<&;NX>7b1Jq@P$bUIw$cN@~~ztqHk$%%=xFWmd;>rt!EqrWWhB<$9j(D*+i zSD`BKM1UT~s2w97+Qn+47Y50#sjcO*=AP5h9y}KNTG)}Ie=Rn z5gsqbNj=1)oN1zpSzt|phrExp6<`r+qk8(2*C36L~9O-E7VbVpm{KGYY=@x2qkUk&(%`w+gFyet7>^gk;AV6dc>W|F(v z*5rike!7{Z?|BUgB*Dy`(-ndTpOezi#=^_;T;*0ERqE-CoshozRd)Y4KhROSNE?8HhB?&(f=YO?Yz zruc&K>2;ENl%0<+6VSCUZ7EE+fv?eTimR);X;sOPz~wZXD__X?5E6Nla{CHpKLWD&l8sWo31=%n1L+R%CY1vVSWo=stQ&N`c>*}2aS2gthZ`s3}g zpLngHYpA4FZQunUKMqOR8$!5_rA*w%xL;7w#ZANR1|+#v^*B*x4!B`${q$if@|YS` zWN!aXL{S3db}q&&XZl*vFbHHPW>ty^aPJ3GT_?Q`m6%FcgD>Z%#Ql07LCk1`1z|fG z4$*~diNnge3GcW#SV2hRmSFrBN;jQFpy`0@VmdKYTJzoP%?sD+%0&&Y9KDh zXEhg7Gz#@JG2S^|Hc=?#+{BYQ&J_1$8U9~<7M z14d~p0)~gj$ML-Hlab2i8)?aS2$%GHeqcInp!D?znrZwgEp?2Dj!BxC5BZcqG@;cZ z-eqU~>DxwRxRtJLVN+S8Aw^~Pc$x(MTJs!-4`Gh~GlJfB{i4mzvP0TkL%u=4yIOIb z(a+d=M#a;t^4~N^OVlPnQL-^9DM?lWkvC=s^#SyV!d!{To2Kuy(6~ATl&|Z#le(=Y zFfiJomd3t0stJtnib4qte~P`Dvi)v=+a#>(c5um` z7pb2KJ6~Te+F||g-(mBA4;G^z5uOEBXtqy8rh((Hu@$snQ55^%bq+uujd+4oEyh3Z z!}<}19n<}xL?@D#x-tIiAVQW~QxoTXe?p!?ijB5suJq6pJa~^K``f6~=hEve0=-+fmK!e!0BLrriJi^i!PTi5$c+D=gG=+T z>}h31Y5wRcQ8_G3zSk|L@<$gxHSgBF-z2`_PLRRzqg6eS@p6|{4^=T$4RT*$Cg~R` zt*cAOFX*F6d2f**@_;}dF#F9p_mKHbS~@I`!Jk9?CiL%Lp%=G9fB7Y)ebGLqBPnM2`D5q9LNHmf_%749h#mw@1kn*OF4d4&h!46O@NI^i6 zCvvmRke9eS70vpU_A+-(`TDv2Mo#troaw*+kO0+geqL5#u$jkfls@N0zJDVlAEtn$ z?*q+{75V>tYoy*!)=JC_&3T9rWi`7`m0LCO3F%~twytbY)Q{8=($dsPuzJ$QUvkdZ zMn-9AEI|qENi*faO)IZY_p!fR$CZBG|N1Ys|KC4iB7eo?e}Dc~T1TPSMIY`kv(3u5 zd|_~&UFuQlR;y+qU4^%-pYu)Z_%|t(__ivkMALjbM_nQuYSoqg*aQ2**H7*ys!GRY zLpNjJ!G2gpT0i`pLWh8as55x7P?85<`Jy?Di;643%v_6xfl=&{y@yvykBd#yS(Qc> zecwA{{JEHtG^d9!U^2eo|GBI|K?L?>>(F<6;^`@hT7(}W@-m~fasi(bJBcWqiR=iR zdfwpCzFfQ*OwRY_*?=SS$I0Ub$Bq7Sj$`UoZG`tnV}@|`936DK6MCKP2^k?uu`Q9R z?tvJA*6fXi<%ZeX>W5y|d$FIbkTfwHTKj zDAP9B0L3;q#fneBJj(;v(J3@=2ng{G^MAr9To~OTjDj`tN+T*@gQ~1zLI}?%yCa?; z;mT0snU>XJWEq4X@RYi;E*E+$wmC=zGJy*8ADFZ2pPr7>66a)uMo6XrY*jw0r=JBw z2ZL!k!o_uQJxqo?Hbo5#1uN)apM>4=@EfIuKM4+6@!E4cS7TG<$Gr{PpfpU>Egc!K z&~36v5$nLrW$~qw>}uI({_gf~PzeVIs?M{9gaQ-AAeFcx*Zw?i{^65y z>97O7M-QdpeV7g8xxx3JYdM*oe9*_oZ_u>mHogX<3)D5;k{FK?uRpa?bv)XAsqkb?@(&pyTv2xJtu>+SWb(3{k&dF9o=ch!aqz!G`q%b_Y-pD0O3 zEcnBzaZ3i?(A(6VQ%&&wno0Xz;1VennV)YfK%IZD_kWy`?%Sglk6<$oKF!*DS>xgruZx-=;Go07f*gK9}WO5?8WANkAM zanBy3{P;)EAMxST=D*NO33CB`a8*?>@LNHH)zaU%xtbcs+EQ4=T|`d8Uzy&kkN7~F z>E1#MEv?8meidx=6LP9ErB)({sXRpAjxmPL)h}4}!;>YSX>C-U?ph?{^rhk4RJ50d z2t^|UWGRPHn__hO<)%Bw{+Osg_f(71 zL9)Rma!{tX)^&JfA?(w-#^C2ASlrL|t&|XEH?T8|Z;32DOPhjfw{lH4B|Plk@f`Ef zJLgv>GkLv@7qjtOCOb159AI^LpS;~f=38~&k3Gr1luWNF8McRv!m+boAUvMs6iQ2dxn4R<%gwaq%ATpE2}sxqx22D0wcLQCAvz5 zq}-8NqNp#3I_Tg8ZRP8TCt17 zvL206Xr}r?`DL&%Q1WQezm5#%ti0txEhw2Q{cNI#C3bJ~zYfClR>XJSCKCJv|^}D#x z-3YkI;>|jjZASTnZ(alTR?$+5aU8zWa307+Z!4c{N6+(E*<8%JzoppL`-D3th_CLU z{qaIY;7Spy3*$SUTVDQk7ii={D)W)QMP6s$A+HIyINf=fS@vdsg@w|tQ*XFz+pXj7 zuCA1`=q9Ca--^3o#aHnE{J@VJVuU5G!^0Yeo=MzB-GEXe7v>q>n3|g;qBl783{{k( zAv?5y-+TT<8Fz6N|2^Xr>q+N69!W4Lbf_pG^7kQ$y*?WuV^qkEp!VPuiIWam0OWY0)6NL z`zNOhVLs0HBv;bo8nD&KMg5jfbTX%`Cu!LoM6*LDWvF0HU|Fx(s}?5vTbip;IVcpY z5$4+lpGDo*Q3Sm{f8R;!OPWegsi5tvQlThlEtA^H8?^a0;~BH~tA+HX*rua6&u!(-k z@EVEZ)@63!)%N-UJ|FVyt~mcQamr>1X6zsveaQVToa-WDIc5WWm&U1uiH@X){rjkl zhabD3`M#SdpZ3i@YZ?8q*9E=VwX#u1gOFQzgQzuTst6I~iicCbw){J#PHG{oi4177 z>+*Qeq4+O+VL9kxnHQ6P_DX21dF@*p9vF{{L}9(-zD1o$_#C}PfKE))mdmhf(;I#f zHZT&!om4pM?Oh%GA1a_*90%(iaJy_SdOZ!g9oGa#AVg;GwUHo&ykfD=(#sIC`>Te^ zHv9FroAqRXL{UlD+?`enl*Zq~7|=ToFa|?S#nIY|c_aa`&yT-eePc~nAv5sm6Gtr0 z(i5as91=ctF{z^L%Q?)eu|ZN+JW1r}#9~0ByMY?`+#R`S@&hH;+2sf?pkvYHM1DpX z5Q(mCWI##ENNZ&*hbQ|{l8Maz*;k!&R1c|{8(FVIJxi643~zBR;MBH#mK-+5LRi9f z$wA!83YSVBXQa(6auaUZ_j&LvygxOoI=FdMwk(5Wzjht^tN*gozuO}iI+WVcq3Sz( z-Sqw5QhUL-r;X%1xt{ct?tHKa@(-Uq^m|srn`Q_9^PYoVzyP0f;LL4_9hVvGZ;ypQ zj5pVAuPHN;hP@S@5Bw}cJy#1AR|$XkE|Jv@rZ4?WQFh{Md2}C)ERc9ed^5+eB?ku- zC_W_e83`}CG`ulYI>U%$?C2$qvlHRHuEVoi-Y6}M6jtqbYMDF^_8W?o5j5AggUL8X zY|NOO=T^v079g}Dsag!9KYZkjD84lEI-NpW#qp5Hcaz0h1Y{qVyaZjS2z-pVB&`@_I? zjH1Q_>%V7S_#Uq!3>kmd%jLY9l;0y$?n9PP6iCfqSNhHtPRcKJ!PA?Hq10B58(iQO zaf>-qdcD_=J`{Y-lK=+3Q%>$Dm_!)rNfNt1u8cBj7e?B~M|oYMSTu65*dICW@(6k! zL45obZK0o?&d48TK8a-EkH@~4cX`odOpkB6#a2^DyOV0XfjVnkCwEyAZS)!A`{B8A zNltSzzF-9b^wml1#m=tJNf)7iq!tpz?^df&j?2dd?8H%LjNAza7Q0Qs=fTrUo<0r< z@Y`Qj_MM)a6C|BhWGS+vZdrytU&YKZDsn?)#c=(mqNlx$BK_-ymVh`J@MS!+`}sS z6yY|=h*L;uX#*|E%JCWGx8-sYGiCbZe?>d|vaFFk{jP3?vYfo3{PD#^CQoqp?lPxa zhq+12xzgfVJJ$TSWmLGLopnkIHJ-4`h(SU6_4+Q1tIoum@AFuEI8x z(~di8;4;|Hvggyn!7neFFKycB4PWN4Zf6a-oyEd1??y4fvha~p_1m`z;HO z$^AT4u{fO44E*WzwJp&gyR#qk9eN_qTHaeFHi~)RpDb33{Tw~ z%{U?a*7U@BZu)JM*vl#Bx|6zEKYNp^a%pAmZa?RA9&#*|+#bc9!>n72r=;^0L+GXI zXrsNEQgKDt#J4)`XszUv+#ibLPaM|J(WI!sey`StvH0Jhc443+ds*sPM{mOF-3i#~ z={0guOG%lWH)nr5h`V%_AGZ3CvbL@gS5!L)RqJ;uYH5}2M-F$QM2F3ztC)Fa71QCX z9u&>RLWUS=1r|_7p+<{iBS@7YVaoFk(be}{erIBk7*Ru$Nvi}?Iky@T%XT+iJE)oU z^VGW*5hGi}(Po3EZl&146Wf zNgy@iCYE>9h~7a!Ex&@HDA}a@sE?a?C;p9`u&w@mn}}fz;UKr!))Rk}Jrix0^}XXu z>pr`rASIfL^M<;r>TVUU{jg5G{*tTag}4mJ^O(r{3yJp zx{i5Gw@#k-yy3S*EJ1Y8$D?{1&8(5hAq{a>B21lF*rwak2EZV&a2!wVjv5+DlYh=f zHnSLV3*l4hpHxkZnAJtmK6{(qIBj^&k9I1g#6XE33Ose?3-6yq;}tlwG?(#}A2Y$; zAwj18)>u$#CFze7tMXTLT{>Gf(P;&?U`An#(#mRBZHJ{I=2PVB`ZN4>39fx#P4CYc zg&?ZAFTW*kziR5J1_kgvA-%mm2kcI0IT-Ippr>&;<)?(!yrKD>EthAA&LLJNB|b}m zHAd0j@8U~vCD0n@T)audODUz%=W{YLVm3CqJpsORPD@!H#qxkXil)G2FV+k?5yyI1%z{B3)Dl&9_!D^g66ZmbO z_YSq`xg#%&`N4R&Lztbv!k_m%E@2t;5#?^KyO%(Ko|**n=|uAtz*#eTj!4F$THUjN1P7hM=T$3hFs;=&Fnc`>kIkc5Tzl^` zyGDdK(u>>G60fC_$I~Sy+y1obr)zDqsAltkAYA)r+M#IdXt2*OKF8MS6TlA#(|ya1 zGYU^Yw`vJS;LVf)^gN(~#cc}%IQ~=~lBCv0SO)Re{;|n8|8g3()b629m#V>m-t9fP z8QL_b>^@}jWSU^_?^6>TU;p^nhWOULgsr>6i@W)6!*^HZ(2!|(#au*n&HRenYmws@ zvc8VDcX(*BSfRDrYZNLo80%iqfg&3tdm@?DQqL+8KRSuaD{;nM=9s*zs`4#J5sw)q z>vXAlc3^)hajx~f0b5RQ zx=wXLbi<;gVB^NZLeZ%N+Glf#IyJ?*Dk>W8!C3#y2uaSE9%n(~dkNvuc-3>yIsq~T zcY&;0KJNly-eP@;Urnuo6#dIz>Cyy|_V>*|N>H2o7rXEBUi{ZXvSMoNF>kY}P8ZLI zyL~bYVtyuH9zo~+<5|20RRJiWUt^a9C6HDGm^rFHgEqYoEbGz>DHpL00O`^GHn-Eb zEc_Xc(A3h=HgkuF>NSl#npYlW8as@B@4#iupSGU|auBMPI2z0s&mQ0T31O!UZFRmn z6J)ln(F!W8u`~%s*Fr!c;)TWStqs`dt*SIt=EXfpd>i?5z?Zz;y91Wl;#xorbEkKS>g5s^j2m{6bQfI^FRRH z*1-lV6}6t}tFn;$f zy^%`kbY4C1x$V-RC6t25(_il7-xCaa%og8K<>8V76y+d1e;guPNDvGs+ zd8SBwSaGK%EK%P>a6_`iYRR}JDqNf3*IADLQt`mW!BNe{#6&l`-WgoBYu;dTyX<6g zJ7J58zYLx8u+kpZ9T$6WJ7KvseR-2#CdT+N%17%nPc7gEAX%JH35WUR|6?sc5U` zeZA4co@@{cltt}hbYFwt;T%VdBn;2euAS+fUTih1RKf=Ly~9TvF~lURK2%*KXRXEc zvOGr{2UaM;O%V%sFw%f?Qj?@FRZt@EXL~(#AI-I6E@C7bp6ItrWy~q~ zbt+D1wt6Gjx4t9Zoh~6cO!>n<@?XW3F4~TNoSBfBxMA_Ra;aA^3{_XRf-wqwfPro= zF&%q;yh>-cdhSMRdA?l_*Bb9j^W9zbd)_ZB)c|Jq+r7|)eLs=-qm~8(EUdP?WpJl> z-hPKYuQ{~qiFwgs3>QizHe@+U&IodHI9vaNeH(c0FdVbgxn0Y6049;=ye)1Et}&m$ z8Bf25df2pKM2|z0L$lu@+eN({Q(X7(QH12AzY~oI=Oaf=_UB`M0z|Pjpo#b=X2f#|MEDwB#&KL*zg7L+-7l4=fmC|j$Mi&hP0Ho zM+AibBFoEZIsmmmPpLk>>w!c~@~olNHlFikwWax;fRD$3c-pL03Bq?u(Ce(sNX&uZ z=G*fstS{i0#%w;$b*|8Tm4kUbQV<*7BEOUEb2*eR7U`<(lG7DjT2Xp4czgl)GO}NE z+%j;#B8$gjM_Oe6`Y}x41CAtk6Be=}(}f8)X#l#>pkl10}=ai)wS z;MXnTnDlijPI)dX$?p9wEHcx)^{GN%Cu;4Y1^%*wQ{vGjUki)HG)x}M-Pl>iXlH&I zt79?8^Nbk9z@Z%Lr4L2IXkcWf%K`q4zNqBh847%`Ot*a^kFJC3mi$X1mx_COP+$jL zn1HAVU3l}BH|j9qBl$ch#r1jsC^A3*1Oa+p?yj-dgB6d#`B{?fuf3YpEZQKqfHDhB z=#Tc{ePe~vw(GPj$0?Fd5QWE#AtsjWc}4g!z{;B44>0c{h($sTm&1BVA`JRBJhmcJ z2ko|Z$Vr@Eb8{LT6y8py);&J9iY7cUi;5DKMwEEyHQ3qL@QjXcl0EMmSDrxFC4aja zr=%lQVDq}^Bl5t0LK`ifale!fEX4>S0;G_kIyD<7(29l8Vfe1nbjhbBy#V;G_YKtR zpY`&h_Wl?I-bYHZYZii8>2EU(y#zjI;V7iy`9M(=V#QijjZ<3U41IoKVYfuE9nRwY$TkyD z3D#_JL=gbIBi?Q_G1+uNZzJ+tJ$uUNy! zW>z|jOzt-36ovyK;qT->ru-jVbOB>$uA{#{Q6?rAS;$0#lsjtYJO<(o20lOs+IU3A z-ESwqv6u{z>s(xFZCBv@C?4`<7<%P-6?zLk(7>qt!WV27cOX$hw?2B2oHknz%Z>_Q zc44Z19-h%3psB}K%sCawlcG4xrxe7Er7$kZA1~MLI^MG{8NLOofF8*K0TYecgfA+-P#8~xj8$K|<2@fY z9&5UM`DGHC07X%m_q|aMVtj2_Ui&wQOs@m2meUI#MXLN)LBJ?vun zj1Y%_S2p0-NsK*|wrIoqK+BU=3K-?=3U}FGf6j7Fzxs^CM`Y9;EyLKU8vN+O*b%h4 zs?9(3S2Enl7M{TOZ}pSm^S{V_}3O;YI&2fe@6)%ch3U$ndul5lkwvSJ28Xq-n6?x&AOoLDlHFmX!q z?wfPhYZ2pa0s}g z9*J+V$JA@>km^IgW5Y6YmamX#A|?%aSgKMCR0X+?C{LS{cP-AYhU2(23FeoGW-MozY@q)SOf2fBN&yB_A2~+3d?DTr> zVF(Hg#$s~J4f!}KKoXm0NR(d{^Sn8hK$)~oh*3eO`Au{8tUwvYb#M1KSGeW8Y0Y)7 zKA;=)az>^Q2M?>1$-y?HhGp;=y0smx@;htH(&bk9js1J36pr1y3OArUTs9pnVUQoobPG8)Pj0`Y02a+jd|H*ivRx2 zBfBn=L3=>nE+)(*;tw;4E_~7Y?oe#%E-W0@3R&soRC(rqLPf%CEUb9+1bl} z&Tg-WLZvE_gsGPs8!0J=_?I;BCWkHmw#v$~{{C3L2%GBnXt@2+6YJwIp=v!y*gW8g z6!Iy)!+E*6%}MMG-x|clo&X8?qR#@~PE6T`B%dQABkz33biQU1yA|WUBF;jf^To??Qm#?M?*SksZ5ver{o1~bi4k5Mtw(>)6 z=HP?W)h@-a7nw-4UBzG;20r-y?-{3xI$L22Hjy=BRqdy@<&mij{eWR)jq3_rr~OLt zz@642&3O7dhw}|7*THhZbcq2N0FI5Yn61fD=nR6{2a8%jAsK3!RoW_a=Mv0A3ae6m zkA3_Btw@A^H@_y?$|`Twg&wu>{yGGFP{zF8pe$S6cy1Lz`laah-SF&>cI0wRpgYmn zcSs$M`i5TD5A)oO6xz z3rmW&=0-uX-Nz!I3JQXX*BBWYXYV#l_R5+M!=;%Ul^6Z12Hb`-^2-PG46wV?0{<6?i_!+W`8&g`q9(EKlP}9>#b&Xn zZ1qur)L?44PUZ@%;ZDLyUM zeIlIIdQ?K$oy8SwJwpm5=6Ffsbs_+~?ACX5OiUU*#UYcff+@`(g{2N66U^E|*K zTGG9Jw5cNE?Wi2bKlg0iR`8$KmDE?nwhQgi79n$8?x%(2gx|e9YPcM|>-!VNxm0k7 zxR~X_SGaY4viR1V3J4icx=aE_Cq+%j!SgTHVSK-I-aM`>;CG^Ur`PzkqdcxjHamIvHimsdxeSXxSYDuRfu4H9!qWGK!^XItHg zUJ}JeYcapRL9aZQloz>4m*jy<|5k9GmH^Nwkeb2X0LY6I&haB|j~qnm4NPZbN z=C(%HNn5s1IElT1J%-D8h7`;`ZTn`P^A;T$dMNi<#* ztuVYChiiT6)${^#IsDZR@9>^lpOZ?Z$U5M);G6+Rg}POyk}wZNhj_N->vpmzR2 zXrfm8v)2=MiI&oD$`IU*jR=A6lPsSKeYk!L_rBv4D7V6*U!U)?9KxDu{n`IL-5>a> z06I``{SFP@x(miz`9cQtPwndeB zVNrGdClA+2JlNHg-b@e5+Nz9)-?jG0ktq$Q?T9A?3h-pf0!Evqc%hbb{c&SmYejHw zI^`sKsz2AJtBiu-hP$*E|>72 z{C4f{hDcPHbs6nHZB3yxRb7gK4@wr?hTio;HHCmUN2K0Ja-t_+Ba+JxeBNFk8m3c$?G zip+~dWIVHxfzfUPQjh{-+wS$I%n9I>D}kgoyWHVTaS>gm%PARL8Qf9UeDvF_e}}x^ zr&vDxBd-ds`+|AI@_2bgM4%8|Uqv|66?_plM?4G)$r!>$Z$PqNxmOdHyk2p)J^%#8 z>7z-snKQ$cy~F{uiYiX}swHZ_Jg?KJE;S+$kar9cv?05}9fb3) z_lNT|bUGowCdTvLWpL^J4&1rDOOs6np}M+qlko^nhHu^=##CHSwVnWO3|3md(oI%~ zHnWrU_9#Tcsf_9AV#3^79}e@wqj#)2@2M1_v9n4XQ?5ju!Z^+w}O z&1x0|u%qSLPNeI?}6M&;JuQ zBZK^KjG8QcNALO7mAIj(--^h6=lbNO7>@P3s#5;13o0uN#ehOe0EtH+TsJX%C&QDd ze&r;x2K#tzBVx5H!|S;{(Ec0kudhj*xQp)ZNAmTN$^J&ZBp9 zHRa_qkBM{pHqX=EUtTt?7H1}ag|{x$gJ&+cu<7Kvn|RFBNaIV?AVecik9Tkhnn{}r z^l^0sg*@l`^D}!&LR@$sMm-XC?jsU%g~zR#=d-T1CF2_uyr18SRV91va>HHhL=v~Q zt1HcCa18p^giK1x<21ep(3g})uMa+O?+xroSLe)=1?Jr0Cjn_hmiH=+N||;!c>|#K z)U@_ab(N6Mr2zE*A6l?eLqpL!8!wl)*&HU&{5uiQOt=A0sfp#$F`Bc_a zSr{9ys-Ivh{FqZJt+w!+%Jlcm0#%*#L))ciFZw5R^RIjz&>)e9AQvTF#I7CDd857k zl8Z+9#-48N3~gNW(qq;56D??}C72FdT*;m=s)UfklbPN4r-WV03#hROx4SRr7#Dq4 z2Z8@kKm_}Vkut@=&ZwwBp2$Of3p85GB%EWP?x5|@4>pVa8p|COwl!Ww(s-#;NA(t! z*7Gcu%ax=7yNXZI$xn?ZPevAW=%%Jk_>$U8W*ZGv&YxTUhNCHB1hxYNTUxIr1#)vJ z(kd9*bgB*L|O*)UkLGoMiqoIbzqLjI+Ow599<#A7B zI+WJL&8n{|$?@ZB>T#*SVZ(l^kxy+<7k0CWf>L_0W_LgWq)w@YX>ztbkpFbUac@D0 z`bmqhiJcE>0mAso*8lMnq9q!w39Zbn*OYu8`|+Le{l>7e-hG$(5@xf<>tBbNHO&kG zH|~~58+Wty50m36I>r;>ftb>rUr=b@u0+i;*^G14#ehYmJ%R>rJRs)P-PdAL{DR4| zs7-Z4(>{Msp(j2kOe3-^9Er)3(#JujMc^GThmN>kc5E8UsJ6hSATOA3-u|T|6swE1 z?TtY|&+(i@Z*UsDQ!uFhr;C2_g@G3jMn^dC4jp;Dl@-U|{p8~O_>Fb1(&^}i_S69+ zJVao6B14&xo8=;e;KbtTATE&0KxYQ04oGfyBAc&_LCsDj$RNu3Zp3ymYj;bIM|U(W zE)$dU^KvB0MkKa8jz&i{_lfT<61Y?_K4JWat}HkrZPJA-OY<_;p`|9bi{7eiMVoKC z7bsOOlQ&r7iS4W%e9%!^$${(G13Tyu`|D6XzUEa+eK&Lr!|hz6Ora6ywuQUi0=L0X zxhJ7m309ewleu*%s~~-v%qZZ|iUrNu=`Bv9f5Xm)>vEoqT`p^P_-S%uxN}JhX|`bV zm@&VHt$wqMaq*)m1RB$02NcJtf{Nau`nhyPalV+3WTB5=to8A7rx0HW_`AbmZzV|d z?M>P3l0UHGMWIUK@KPS3wyvV2 z`s7L*I?85VsjX$DZWKhFzjd}Tk;-L+!DPvdI@op7y}yRg70{)n4$|bwunmfl*Bj;0 z(>{sgE+Jt0XKP}t=J7$@$v^MI_U&iR%8j9@Z?`%R6)V@DF3DXhF$cLo0)Y07F7x=| z&#+Ydln|{KD;!L9jN;&C7}ivoudFo(5cz}>eF#RKC?Y=~dVM*#J*L7Kcw(UFcC8~y zes0W^zI*;Ueh2*aGK!1th6aD~nGj1QUE<6)H346gc)ZZCjm9uKIpTl?jsJ`{H~mvy zZKyvFx|lcB0LTF(G`MrPUztyFW9sUqNW40qMG9qZJ(a~Y=9@QYq)Fx%g71BOWxAjN zju#(|?g6PKtZ=*aVw5L!PGQzzO_d135UrfLlfsQlREZGc87GxFOReP`&gKXV^<<8h zmimG>x2M~4&HpCKz`30^o=|}Q*;#{=L0mrvIQdt#nEsHZ%jB!fDZ|ooz!lnNoA!Wy zjSl4uo53`~S3yX2Gw0!1*m<3N!^)5qI5Do?#9r}dxuyVXJr2i|POQ~)=9m3OmN2wB zep#B@vTTCFI)7h;@|wSe-z)$6CPQh7g6Wx+DE~O@!7V3&$8R=d%}-zb(OW}8Hm8WSf%8&~7y5bZ)x+ zuk8U@f6q?WEG^u-$gS=jkogZ}#J{hGm9f)G4tlvQp23%}Y4hkUD*l*q-pZ5idrT6$ zZEh%HpJQ61SEci!X_6zpo-~VF@i#@Jb6@d}xWN5VA1~jbjaJUmAt%n_2l9&i4EZt@ zMWX-IV~>0=(0>p9SkvGCZ>jg+pAGv;R?jHn$VC*O6;ig1kCAhsSJfmgv=E;6JD-)$ zJcyCYkAkXWYQidf$N+a%j`dM)ATKA3AtSlL5GBgZ)g~3x&;!;mL2W~hny@amx&1N5g9*{TA@D>UqebkF~( z(gEk{A+SIb52EuEcnfp}t;~5`-=y)6kE)Ye&P~Ao_aO(R7I7Nr4OgD^in;i5=Grz| zu;UBc1!4k0QnMaZ$BlT5SfbpGvlYd8JpW2PhfQ53t~A>J?zIKyM7DA_&Fo+n%hsZ% z15V+eTKmrljLcx}v{-^CX*uR^#;bgsWmSW}>#g}{kGm&KZNBNyme$9yw7FU(>(M_u zw2T@sm7>_Yy5H7+{?8r)7b;!K$w`^9Xwkwtqr5v*1U*RP&o#uF$#TVh;llN@D3GUq ztHNsVCVNp)^vwH9A4hYJ(UB8M%*i81?VsH3p9!$771%0{|4QU@k4bx`w&#!D75gT` z`LWUIIUZ$|Z*^{?@Pqm4$5ux1nCGVv2KQ0;8{5kt|6YV1RNpp3Uqu-QIs1W0tu`k6 zqVQLqDP1b)5L4G4*IrU$ZUfuAObwOxwL4n*I5Rc=lX@#=q5&8N@R>{a!HU_#RKY75r-C7Hw1 zb4ga%VRhXh1zAZEPsTbjvwjZi>NwsBHK%A8D7z-isb6-keselozA%D03{G^Ecg+Pm zP=E&q2R#!;<&^A2>eaJyt-`MUZ}H*6Gza@ZHGO9nnp~-Q@iHgdPurLG^$lEG^hN;w zXl!h(0AXfFzj1mqk6uops4L2=US~;@=SJsavQH5QQMj$6I2s~-$NjOTrhi0IfJG|F zdXFn|I-V6NkrjFFM&s_sakBA|yy{jK+a^QPM|!q81Og05mpIC~_J3N~p@%{Y>0iND zfB&n-yC9@6&d+4hZinjYAIQ)vP4Ezd-Y+* z(9;NLHf;2wDu?vPy{Y>)OagBw{_ue>M|bSE7eSQ+p=$USe9-^T%IxW;7jBjc)!62J zUHE7hEY2y7MhOPk{(G5$jylrO{KUng>_bxJdWHS3H}PF3&*J4i-s03=mb`AoL5?H zLDZTL3`(>>Z>4uyLzMy3Vx@pGWe)>kTDB z(2e&3J2q{t+Bdy0GcRJbUV+@~`k*POG@-^&g?0!>p!D9K`+xFNm^-e>y6H%2#1r6q z-9`*46YvuVLSwbH@W#5R91mpt)hcB)*!l6Qr_NAGhq5bb()E0MJ=whMR9oX6_>>=> z8^hvx=dg^{1Ylw0Hrjv@R5!pVnkh@5dC!A1ShMPJF6)>AK!bX6c%dgi_r*6jIJlD#ue$y94gzg*V<#=x5wbC(K}br} zeDD#2CS9N>3#V-&M9-tiJ8|fY&7RF$pD<4BCGjRSPPO&#fqeh`*9vw`<e&~UF*O1+f|t!w@cvY^ZFFYqZdEq~5LuZLWJAfJ-*^qd zj3h*$cbd zEkhNhgzPGQvBQe}%5Fau^U`6iBHpwEEAuFkJQGk=$vDCU&kti|0$+2|g@`Ym%`o`C zcVL{|#ML#lI+9xcwr%ocTMkZ{LILJfO^jBi39V8@PY>BKfbP|r1W)TJKNEtcHghT! zz>r4NLN&^GX8JB_``L}^+iy26ULWa-2qFjYxMlMc8y>d>H_kG&{KgG>Zp$WK@IOdk zhkY(G#e3ri@yQ0!(9rTN`gF$GV8yL3OPIRrPld(uu;B{B0xjeZ{)LMB>s=_*$loqZ zj@~9uj)Y8(lFLX^)c?~j&oqM_7ldrbP({-3>>S#oNHU%#i^l;h&{j+Sa~ z*1E9O8oo1{iKH5V_hs{v<+W;X?ul$Fjwd?D^tvhm4JN*`wa13T{C!VV>)dJCds!+> zc;O$2$01&cR;A1`xAt|VIEnK0ATv+%G)S+6;CulQ-h3+zUKr zQ#AkeCOOpOPDaH9l8<~2X0|E>Ff%;Q&_`NN*xozuUUacK zW;`y)(kF64cjcIx{{gT{$yO|Bhrdc^nhkGTa5F3676WFje~$;RC!UH%CXaKdi*btf zC{`nrCJp3jOnAAqp)sG2K}#6EJuaRt@KID-lvS}+{JYTOhgeD^)*qW9SXU%J)%g6q zUIpmYx1x0l>2kf9jNoaDW1-yWk^2M8C4R`M3nk>hkCMQeyaKdyxM)E;E!W}TTkSdr zM0^5*$(%GmoWZNOrp+n(n!%Kdu&3>w#20PFTQ%b2Gcb*5%2Qn26yZGm@~)U`HBJ z9f`E=26I`fU2DQ4-GR%f&@&go78Y~VU_g^O%qYiX*p4Cfnsv|2>|w4HF`(Mvt}I1^ zz?aOfTf&--NOaBpc&KN;yv>)@Kr>x-S$(9JFGugQ8?E9wYRTA&wMIW@ZbSE_M{vi$HcGt9T z(vB;xcK*xj5l!nqKxMOTF;+)^(ygB1bE)%Ub(U$XW^n#?pjGu($z}Y*jsHbWCUvtA zIcDU|<8Dku3K-(%)>a7WB41q7a5r4o+AC1mghgzVg2it4ONm9GRPUQUtMIJs{1=pl zaed{Q;pA7V@4Euft_>{lkOaVajy72A=iJIjGZ6wV?Q!l#E#wgb`P0?8LRpgNG729F zwcq>i(=c}0U{cG@z`L;qw0^*+tTV>N`mCh?jqre9cODFgW^}F=Ed?24_Bd-<`rk)n z&ekS^J|DMqT9%zGDiHs^7g2C1zY6$_s3=~#B;}UQ$cT_}8&dl|hUi*+kD9u%F#sBlsp3iyQ^AkZs zi3=%IQ?lvY9Cgf8U`=3|_d>S#;3@qCZKqT1CTjbgk!ee3L9`rmcJC(-6hbcfVU{{7 zUX2tZ%bU86J=ewRdB=2|!l#k=^ciXNYHpR)55h4Q*W}}bKSZn0QO~tGqr=+WFgZQq zP;gyg?qH>1($&sio}(WIzN)BTWwB&DBlQ=$9fc;u-X!&Sq$ploclEd3ahz)N4(l_O z?DX2m4yg`^=deHs9w$xB5`UT!6KSf7kJ{4X`OWr}&`+#1T7=g+wj7hPVU(lhqpS@{a$4@ibqUDR7uI3}fd12)Rx?&n6WSmc6r^v7uwqj}0Ey zR7^y8AD@yG@b%)HL5A~0=_PoiP+8L4@% zN=sj{Pgv}4H#YNFo6ng38yD3HKHrXdpL8NKe~Oa$gcGuU?ETCu@OYuLI{UBpYoeNR z)r<{%2B*j?$sm~7ONrzQ>hF2iyi>l#jrV@o6!7FON=`|kCu5<|SDe7?z_qsc0dlm) zxsId(M4Y5wo2qq6SRe`K9}-+A2_TrqyBPJOGBP0Yj7xe`(*OVV3h-nQ5LZ;~fA zYY-Bm1dB)A{+wj-a@B96^;*o=P{OyMVSh$7=t43`u&W2d7Ql9rV+<>f&!$R|p<92c zBfK6MjbBTD2Z%{e^s@-+-UZO=R8yqY1UkAlSF8xWPtjwDq5g(Yzd`7;O%9BI{r6(d z>Db&I0Yj#NkodwW%o~7ogglP@YnkJJk&n9g}d@GFcpGoPKE0}=70zPw-g({&wID>zUwaUug&uRbwT z0WW#1fk%9ZkbcP#_qB{cE?IRx}MCnvEHD@xdEB`(E-UZ%|c#d$3$z)|NH7 z``HI=8$flm;*t!x>UNuBR^=#oqH@Hgvn?$slbdA=B$Ezbk6|a7kbUv&C|XZzC;s4g z;WXJ$vC`JX%Zr)+zdH=1)wmFFdr+=nwXe;;Ttj5h{4Z*aWZ6oj>ZR{ z<<`7YomDnZ1oT_clVy{|LIUHzz%t3|g?Fj9-;SRu1)Cp_{ogy?H78Qn#Pv;KPdW7q zBE+X)%6>&mDhk6K!!}XgRzp)a%%O%+c60vif3H>$9B=-0MDm0&R>>F`iC0R$E(Ipo$(^ed7?@DPW&%0@V^ z)vRfULU@5xgA19z^GbS{II$O=G!FC3OPeAavX0pm5INcJn873V5^6VE@a>ASZemeT z{THEBqG1*9?P9P0omdZ5H56KiBnnvx#I$JpkQZs*n&*x;ob}Ew2Z3gYfy1uK9Nw$ICDVvev{fg-1RSQ1-0wSSV}MiPi4^l%VB zDu+T_;8Vlvu39!72u}*g4x9jGCcMJZ3NG$<0t;a-0`ig7GO@X%#>XR+QAU@ta7IV3 zB)Ij+YU}q_XXB=U`}A%o`&3U~i#T5e7SP1SslA>xOhW$Om(^(7(O!0OTMn-iV=twZ}R&<#?#2w9fp z$7>&(4j$7t^?j}c{*@bF^;k?Navcan&CAKX&WAZSQtd}hBR&(=B^@r$Eyka;gbUp5 zUbr%8)X*>{{@$r?G&D>FylK-n?WPN7P}9V5u-=H^v&RwuDsLO~*K_MQ4l~REa(r(9 z5E{;dRBbdo;hDZs_o3)vv7O(dIB4?InfgZTssHVd8FJ(?az3q@X`IS2fch^OZ(pkC(qStRBLQ($9+ zFFChVDo~S8a>G4|*FdqS!8lA&AfD2bU3Q?uW4Gr_>C;(5rn9w{)BIKgcp(?&xL<=} zvG2mffZ4UjerCtCFC{hAUQ;3yQCk9&qoXT!kOmQPD~zy=Kfr8dh0SSG^Vk*C&=Btm zgKXl?4T&6|w1z+bkh~ok9&*bzjD~w3HSU-#esthH7dPIYX-1skdDzBZbh%wETaB-g z`Rx?~utOSm(lP{ydA(kuKEt9)JI6jlO3rbaI`8eb*QRGzO}38q?365|XYOaJWY`{? zCyw`y(fEEoH=j~1*$pxt-Wex9%sMQd?}t`8E!aP|;N-Tp8!UF#wQ*hg)4rl2(RT~z zdhRVF)%}PWAvUHK8Riw^Ec(>I{{gcSznDRcMkSQQ%FzU*9)mLCJO)1t1t-1UY zjkO+g;H&cFVU>x@B`NZnsu95GaGA8v@0Icoev1>kDvKJW)o}Q388+7~9yJ5;M^A-b z*Qwy@y#Nvtl6+g+%U+KydKcSm@4Pg+FV9|nH@h2hCq5+UL3+Xgd)(}DOc>&}O{-6D zGp$#@qUWo-90Ym87t=PPomvAg@ccmM6Hc+Pq@5w2?c1A~qg$)rx0h8y=FB>rwQp{p z{#pyhh5J?G&S_5dsO1(8=-5at<|uv1dHa5$r>;kSw(FFAI+*4372`2C~L5y;t#C~i6plTi(AB>nli{WQ!veW8cnqyvXwf~o;D*bt9}h6F$()y1Z#b)u`a z*a$pbCAdctA^L2fPF%9HFX~yi3%}?mki|-CxyIgpm#K9f7RE~Gb%XA*8|7W(J>H~9 zSh3nh#&`Tjb|P{%aI83P|CtosD}b0s8^OTv8@2%EFCLq*PbE67Z#b7+Fs&Na#gu2K z3f@iajM37#dWTu!EwcBQd&cB*m`q$%9Bv4R({_<1CJ_(HIEV%179P7@J>oLz{9b*y zs&BYUHdm$qBHkFA74GWCyK4Zz3MjV|!5`PU&?-HkQa>c`MYG%=FTHyPfb#W5qqjjh z|Mef%Ucww#`P>!H*=09kU7kG}zMD0lo6Q(Gg}OEjNXC<3w2ogqJ3YoU&_dm6PiKx0 zR%A*i8SLALKOe67(^y=KD<-pVNIs*(R}0=A_X}P9m835BuZxn-dt5NxNz(+#;RIi; zTn_4kmyTmHd;p|tEtFdd|r%(xXi8xwXzWzbw06>Ps6aGOHcmB_$6G}q;?`<7gDd%msraD!;Ml*S4e z>|Ln?J}lV%s0q+a-yyJ)y01i4C%n`4f7k6{l_2=5H3#}W&KL`9Q=2e&J_6KY(@WD=GQ z1?=Og_3NvuUUCCz@i>O==>`^0IL^NmL4fhUJ6(+1cHK&{Hm#})O?N-^<2`B+<^?8U zKJFe=pSCzWrF%cE0(lkjpCD>)Z35qlP1V)0PigabZr4X)090CV4#-7Mq0C2PR!V6t1C*mj-P=Y;j`stUsUq(>XQ=*@cQW}tISp*#Ib0J^8KE#UKP_@ z73dor?&(z=iK7=ym1?9NDt|uD$Xj}3`OzmYBlr+N{vF-QGENUv&n%_p|8q&&E3KG8-DMh$)& zJd~h&SAM*}$|sl(;WdtS)!{wnGtAk!^I;!7yZ&iE!cP*x_YmnlwGiRBdn57WUy;gW z9d8JLK-;WmbLk(;j+!>EYJP6U_o5!X-S;$LX}ce}0W=-uh)&}SB9w$=@B$2vM=Yw_ z!K>1q>i#Kk?ftSguJIeqaGErGX!zljk8&Or2yTO;0Pq7>n3gdIg921hk#vG)v zF<)%^fyqrB?lcUN;W%g>h*m+#D?!QUguGa#6q z_A)m&2SAeUYfY=#5VY1~6B{EJ=ekj8cT*?ojm@B|C0_GI0-cQ(|Jzh5D6uFVR6R^9 zVWTHZ^%+n;-Up#K85{5HvL|C1y9LO@e(Y@S_R(AO1o_la1GM&U7Zcy0e(ylUG)wah zw&8(dXXI|qRE`PUaKYt-3tBhYMA~=Uo{8B>Tgi2!0&1TQXF`oLrm@V;%ubiiM>n3W z8eUw6*-lMyticAE#2p>ObgiseIlS3A7`StDyVDj6p!7= zqIks3*p^&aXg}P>VF)oGEXuVFOvCL$h?SC-$4(ZKW82Y^Hn&#Rb50em*e5HkOzCDSDwfoiH=~=BXpdjR)_}MbqX^E+ElP&c!r`q z0su1CqQ;x9U9g2!LL|S=R;@N47sd zyD*v_^}4giwzlxmalQPOhBLUI-Wg{q;q%)jP>DrT><707-1i5)8lq0lOr_}uxuIL} zmH7UkwQ24Cm?x~@p-Fz;(K?GiKVLMQk2Kp1me!l8Aq~0O@8})ORnn2smRYym;#iI< ziy&KQ()KteTN~ueNQ0e3_Jb^QC?X2)4?+S+Twfb*ZP73s6U8SH9{T`3xZ;;zp3@It8`Q z;`FQssu+tAHsdqcS1hFwdFBK*ULQ3-s-P-}OYCpsw61D$LtyU(@+%~rA zGeZ1h?np%SR{InfZ2RRklqrIiLA%xZz%A z8VU1y<6B4#o|oRJmf@avrRk#=u{UT8oW$EJf(3G1i-DMZD*`7q&`Yo&p7*FwR50~ZMUBRLmdVP^XJXL2)_AB-}>QNusJcbfZM!lbu zHh_fAyB9z>4`KqzF#*h%@K{ALl~Jok0%0kD#51(q`_R1U``Dk(6<|sw>C;Z=@%lgT ze^6)`x_^2-+Ai7Ze*48!;Y}(fB|VRoC09;pDXvnYMQbVay48+cg6f8@=ns1x_`yUX zfcI*sS&u4zy+My)w^o68;^-C@OTRmj_O-dqjqusw$koEG3ecln0?N0O83c;PPJ86|ReOVk zscIGeHb>S(2+yO^U#n%w-Kf5Evm5P z3dQF34tcpMagq7H{5REz7Lix@(!mwaUhdx^{RR};?Ohb6AWrvVxB(5)u*Wgl1h z!@XXEo3&OqJ>(E*KJJ5I zCqj$ZI^GlMC)*eqraNZKZq<^ni^FNy5|iHvHR^P!r+eg*s6NgxE|NEn+_r51Vnr{* z?vulFCC{tQpH98a`2xPTj)|VfF}@`}x2uYxf8X2b7ZMf7seirfB!gNcpZ84%_(UewYinS4wi2zP2* zL@wSL5hnGxQWun2ZJE>h?I>Vpu_I<#57KNk9&U#|_>}Z`uY@0OTyiK*ypWxpp7<*ISznoqraod@xo>tX0D_=Zg^0>7;I%Oo7 zDKIhY4f`EyTG2Ha&Vc(}Pat&XItC?Yv9eHbx$I172QwbM@hV#j7y_KlN&5bGa2p_4 z^5|;1mux}`7MBfvXTbX*icy!He3nU(>;h&Ie{z=f7cZj3ZR-5qj)o^^*wEJc9(dRp*&ow*{>{XA#V@|5U;je!dS?E}t{)*< zoC+q;eR=h)5$TC;?>4*QY#smp*kj*BNG04MSA>SD>H{`9o?JJJ-jKY<3p3#B%o z(f&lDb>cH=a|E#9GfkVbRIPCAvL|S>zWnHgO6w?rA)|0FGOBsB%?qx(laEZ{5;kst zq%jwzysjWASuFV*tUN-$wOz!FNm%@oM_I^M6=-dD4$0tA{ykiMe3Ye$wgsG8EAIXz zR4>zR`Ae%bu+K1oF_=m!i!3`Y2?oMZih@=uV25Wr;MH+M(Z3>Q5PehVa`sV3<&bpG z;cTGk+a=jLPibk}*puT7=E#?=EXs~Bz5iMm7MU$c*drZ+DOiFeuAAtuoT|9%1_KTF zQat9y_F_WhIk6#je_GVR!A3|jl3$?aWdL}lPA21JBHU~N#vq##?|1pfuGwBzLI6e1 zcJ$m5Q}C&Z@c z#jQHxMbPIgT`TsxJ};dj;@c>SGy5(waF>p;*ig_^{3fkHEAF-u!g&(C(|Z~fM^>zP z)l)h#+tjpS)e#X8vF9yH3bi~fn6f-o3;x;;vp^aRRuLF~`|71lbLau;FfKeaoA7;

60h?V9 zmmC}u+Z9U;1}%~UgJ;qjD=zu$QW`1r+DM*=#aN{Mlb2}U8IaAwu-+&u^$Do~FQXpoml&&*!hpkVx*WC2 zw~9O1IObRIch}zZ6QtxFIl*`zvg8nqQ_pNHEiKX6tx?udobf&`vOW)mc$|!f$J?#I z5O-m|D4cXt?|H?aXAj>JrMR#wU?Uf;=idc%@V1Yqlbna_>IHC}(?^yUtw&p$;yeq{ zO1%X==wqsC2-(v!h`ZQz7DmsFZduVQogWH zr`!P_=!YzLq!&AwhiEbdf*P20iC$?J&JYNpz}eS5pfNaYaksps3&iLqQbvzA_WCL4i{5U{@NMl3)Ikt@Sec%miKNDIL~Xn>)p-BfkwJ60x_Rg2~#V z(<7qK&G&7+GczDWG)4X>FMNN>N8w!lN#9H35QBjdF;M9_=7~vJdQU*-OiKDA&zH{p z4TLK`3MU>bX)*_M#&rIvez{TPL&T|?kRx~F=f1Bi=7G(iM zVHq7AbkmmnvegY(j!;9<)daREo&5b3e5=_F=J4mw3zxG;48qoD7c8S!e%!R(FvQ9R z>TkJ8h?1H)a>#vINMyRW@-Ul(jI8aST+@MP9lifFNP91z#lXfE&AxhR{32RD?|iF` zu(NLM=$laf`!vIJ6zRS^+*FD*Zu1^YnF+L!!Le@hg8{K|l6hTRf|RWr>#pwWh^<>c z3FPXGd?64L@p^*Jh&{`fZy7RrF6&L1y&?Ql(o#8#nJkXBY)BgjCy}3YXuPS(P3|4& z#&D=pXYa&9{yjOo()l}pEgo1wzJ9GZM@lxBJIU=dWTVY7$%2x@-#|0p;zwUG=^ND+ zLJbyV3R&A-ew%GwgLu0ALBFtq$t3^y7K_U;;id0$=L2=`!fVOuc#PAer-U<2ic^R3 zD1APBXz5XizTIfLJDEwB2?%<4lO5z zeEs{DIdEOiIcEQhavT>R@o4$bEcbDT z#1(b{rIh8`w?QwNC<6smhOL_!VTJ`8f^Ktu&x_2sko*jP9WZO-cUWn2 za()7ffxLsQp^c|@+`)cxifj7bN^XQO7bk9baj?CHgHlX=5m%Qj!FJI$tnAoi`>TS7 zV9gZ423yN4c#xYdJT}6LaN6-@{F4Ui@mK&X(bR3DLgRWRzzdgwI^v_M)8$;6cu_w+ zu6WcfK684AstPj+k)9F0zD$PI$_B~GDrQ3XOiHnM-n0;YQ`N!Yy%oVtk@jC_#6z`T zGYM{X1BSFn*aS%kJ#FsKJjXmYuA3#VXgid}4}Npt50<85aX9&lea`U=mL6dJAuss+ zuE5%)+nAE}K(GxBHoP)~!W2ZoOIMOi>qet5vN?7pS~6W)-cyx#uAo?ju^*g}(_lht zCT%YNO(AsP3`4n$SxDOvLI08?kSwUE%5hhfOSxN4c_LCKDK?+r`Ycl-t|l$f-0-lG z)q;T2I9@x7g&iYt6XxMhIHtbW&GWi3Q`&Q zkk)%`2<1MnB7c;mP`@4gwy;?_+t;!DIa~Ap@%C0xajahy=S>2^A-F>V!9BPKhu{vu zA-HSfB)B%g9fE6cOXJdbAh^@GL*p(}x%WRaYu1{19Ul6T>Z<;#zEk_`^V@1eoeaNK zu}c&<2Q}v#TAks)Oa|xV>E0i&)2(TCe&VlZy;<8&-m;u;&aw9QTD)8g?VH~I*D0`@ z`cu>;9slw;T;4JePO>$OF+g{oZ11+oMO-db(WoFmGr^%gNBrek`sq(y6Ft)1n5$$h zKdFTD(P0=jdOjTx0~@s%ohc$L8d2B5M^gH|o}n~2{o(;CITN9SP5wjtE#8p0p$96B zZOU5yt^CQ9*(LH84fc?tX{^C(v!UP@R-c?TFvB-D^BP4$BOXa>+H)~|j{UyBkEiSV zBDE_=Dt)>^eh}8A*?Ki;&l4VMl2IrV*=Pxw-h8ZgmmzE80ee~d3na>&OTLql+++Qn z7qF7;e4&2%BfL|Ck>Mp571bCe3jQQWsJtF9*!X((s>+QKfvpDvxbM{QY+A~Rz1M`l zlt15gDfeAVvdGBrlk9KxHye7p6^CyLmS)6{$n5JXEJIrhS|8fR4YZZmu!@Q(KRcyE zzWf2}`E)gYAT$5h;+=2ScsF2;3nv&(2JLtuEnOmi8e-(|R0&vyBco2Cs7f2Wq z??K4o^Ag`-j_hT)kL>gsp#b&};PYgLmj(Bx@W?N)qPF2BWo_od5el6>RULP4x0j|{ zt8Kd2e|Fm((DT>Zr6Gk7!NSTWO{7%znJnJ7wxemfc?xYS_Qy!xvRWm}i>yWo@n7pu zv0BTfGyakKQYHnZVtly~j|`*EB99p0KNFsyGN!?x#U;3wO@td<23vnf6Bm!(s8onm z4_rq6F$E!%Mjfs_xA^BV^>qi%7#ofGnKXu1P<#L`pE#=I`=2HL+H&L=N#_Z0rD1t& zCi5+yO5*JGJFbzCC%6Y5{SbjE=`4jsxL|o|_8iPYCFRAFjhcu}3s*GvY^m0fl+(MOT z%48s1|BDpqcdN4gb@NLq$XCO*9{OFqFcH6R;`3LdvDB*C--;yj!!wzcA4-tVKEL1Y zVUd9gIVW0EZB9LGjIe(`{z#O(a-Hy;XY!cSD^^>P^A7K1s5K&K0NXXCsQ4tk+iSM~? z^xR$TuNqB6+Wozo-JyNU;^IK2D-ACRF7-_)zVvBrB26a#G%0TD3+J)6 z>(yY~_M(?rR^-Ej-tP3YJIiXthHYo}wj5)Q8KlED78apZ{(I~XhmlbW?qhD8Ky$Ok zt~_#5hdI;-{)_a|9q2%onm?UX#LnjK&dm{1#17F*3B<3wrHeoHuH6FF7mIx{~S}A0Wfz$*zz&51(KPpRXur9z+L@% zNb6GU*5-$)yCc`MIklm(Gf6^Xn<_8cV=@l|z3-A1CGU?KeKEA)^96dN#Md#_ch7t- zsraV^ET|Dbm_F-8KeyjFlGR^3=xC~b(>zeuF<6Q2Sh^36Y_7eGp{lrF{nl^TTgEM? zp+)C>$rca_AR=h&js3j%0SuF<@m}|bL@nM8ZS7}b202lhTi=ZgI^*7wE}dWP=(bEu z)s;mgNlBV&4#rD!HEPKgi4{x)oUgn3LxNpt8k{mTX%Z6lB%fj@zSsuV6D-hI124$yzVZN6r^ zHvTJ0>H2YQ2dKrGACLg-ici>0olC#Yr4X>*aI_-es}Zj34?T!vvM0gilopO!Ada>d zi&uRah!z$WtybTZMIQdCdH`9FUa!`qrOksa_5N14E3P{%IuK9n*BE49H9nN0B_UW> zO;)#m!O&uP!js==54+n(%>whd{cy87+s9VYFx!i?@oi=Qwq^U(-1b}HM6SN-QpMPa zix~K7;$if9v^!sUOrvER^c*%k`uuLi>mbIX$6ygb=@n{x>{Cds?6yxQI4|pk-YmEWRU`e6K6-2*3P0C=RSCtZj3xyLRG&L@Y7&8^} zHW{^6Nyv4Fc-?Vi*rAyV`-+rX0}SVD3iAYOJ<=Lig*2L7a;lQJv5hlS`is}aUe>O! zWvRxaC2QsE59e}kj(I!4+*@iq*x?iLd8*wrpa4s*Ni9)=1S7)Y|tU(wSbz zu_t$=RZ%Ux1|d;6^2b(*k)I-+r|0hB5DcTc2^2nftNi8{D%nqded+1WM~(sToE%@- zvhl-`CKc>O?Q7*>Ca*{x;q76gzTODjlbnEOy@PM-0wgi}$@VTnaUUfl#9?~F=Lx$j zc-jo=^qJkA-N4M{K5xyJJ*raB>OK=|SLAfL3eyhu;Ar=sF8-V2Jxk-QGSkDRXN?hq zS_FXqi^cA?t1>utpCP`+L|k+LW1?(Y@p8jA!$?m{8@zlwdj!>fdKvKaShd)U6#IK* z#6xJ2ah;1rA%!(=H0c7Tkg(e_bx9DJ{HzHQqnV6vvNeS7c@x)PSXZkrNcMPdDHrwu zT(Rk`kxXE68h@!%S41Ht#Zh6f7)(_oz2{zImY9~EqB?vUEGM|Z8__8H=n>k^~ghTAjGiK+m_{nHMn$ zy#_dV!|OJX^&EoY+UE;VO29(;S&K!iwpTd1`9`YNwSdKZxlTxN0Bj-8PcNz4(krha z<)w~uF!QqqE8s*T^ES(|RA&=IDpDPsSF5=FsYjpi>$-+ad?6-3w{~F7Tb;H_tp)h& zi(~b#vqk}k#lG?_dZ2aPbp@eweKUL2kxu%LQXkS6CoKFQ5b37+~_`835U-)BH zW_v9y>^8PB*D+gI2o}Y~<@cL5319WW;B9qDEsI8tUpV?M#*`Lq*~S#^)6&u|^%vLI zx#$(-;<4O;obU9kpHU_Vr_!XK_5A$WI&KiHla(Uf(l_~d^#tVNh;T5bbsB1MhP9_n zrqiV>3>U-AfhtLl^7?qhvS3F5QLL$EgU*Iun^`Zf|Jip}#P>XydiuEe*4ytHhEJGP zm|xC{*(3DWOAX9avHCl2N&Q?3a^CB!&sqd2iO^<^m9urEdSDfqSXj)|xFb~A`t>th zOYJ$m_(7{`i6^3~t2%{QD%q8N!0s{f&jqnYRHp0;#>fp>EpBSI?3lv^qGVR)t|hE; zj-BPgo0Fq09gz;419>STo~=(U8$aKc=jSu}(vv~I4Ev!{jx9MyaR5o|F{jW}aB9)c z)gIf)KGGh0%)WN#LP0ZLmS3llL zyy?1mF;DVb-3AhuSR(x;HRMB%Zlu`r^Ziy*%HGfn=?jc}*w=5($3=^OJuOrn+L-AX zH$#LdfKumc5L5s7h_smpDI)mwOO=bp%q5TG0-nWWZrxcG;DXrhy`)_O&|(f7?~kpb zr^`#W2Fghz3U@E}X-m=gPJb;GB*r<|cZ4Nxtb*2vJEDwrfX&q2K6uf{0Q9Qz?i5jn zQJiacbc5}%1BQJHlOL-5OOr3!eA$InowW}xreXH9I(jy4N# zqlB+cU~yRqQAjzSVlki-SOACzEWAdVdcLwqk~}#N3}Lby)?ACQIGf+!F+D^3DM#h{ zh0mAd3nY>{b&GQ{J?^0mvm4oh4ijA2K6lO!PoaX-kNdDEBM7kaEy(p`>T!z6))K3; zlefyM=Vdi8q18!9W&>qx5v$Cdt1t4aXEj#;NVuFNQQxo1hlQ|PsBwozhv&mr8+HY) zSo)N#B;n$3<8YkQhb9h^t<`S4(WvEo-byzaOF;OyvvSzfUImuQ;o(UUA`*nmJNO(% z+(sqmRkTV|6`bS`SM_DO%jvuJ7;W(d2L`_EUB_rXdI~VP+J9ek7{Hh9bH$&StZ_dX z{>@0=4}$=IcI~I8+{5a6PCkEJXMO2pwNsbN)U4c52$haja_3?>Nt~c(X82@k^1JtY z2R`a`)U{h9gxHgnn7zt$u;5xZjq?IWUtHTL`IBQoO3zqlCz87G$%Cg8I)zkrY`?m@ z^*!RTAI&91zX$m$pP&BLf(WIeRIyZCo4X1IYH)iuC)mDc1l5#QwISj zMvf3c%T1L`wU4fa#>xE+&*aPO$RvpSSJhWTrWTFV=?~f)Pq3$3vM29Z7Hg1$HeiXf zeRATIj?G8~_n2L^ECJ<#?pQqwqf!d1LF8Zp-Nvwy2(7V^bd@2Zq09)@&Yw~F&^YX2 ztj?#gN4!@v3S#tR;@IMq$Jb%Zg)?!nNO`}`yU>zx1g!#Pc~Cip6ZJW zMg7r>kh*+smnotO-8LMo6%enI;HgzZ(~2h|)K=T<`4!fe*o`?n^Te({wJ32(&>^Cy z)or0Xo2K9>?JGe3MaG|YkEb)jmpDaroKhK0n)Lg%s=|dspt}+sAo76h06DeL(A2W_ zDeM*|OZwULR+W>GH{N^RJxAiC3#m?JR)xVdQ{6IS(^u+yC{31?MhKHTvSqT+0@HWUwVuZ=8;{-Y$0eWZr<;{B4=`$treUK!rqd#CRLWjpOOdsbT1 z28$Bw#?fD;H&U+n+$#!QkKoSP?)&fED14`8gxby;pL}1l23aP6778`JuZ2$7+(n<` zbJoEfB9V?c7v}osb@Gb<(VElNmK@u0bVBOuTv@Yqn?7aOdi}R`4X|tXylkH-GB;g~ zi!<@-i=(LSrEm1eSQ7g6dgJ}(I_(7nHA|``V-(7}fz*9#+cM@Sv zh^}K>WbhPL4&jz-LF+rB(NS^nh31mTg*WSpc*URDf8s`}Q*gFb$nuz;zTYP`omioa z0bt7i{PkSUq*TqG7kh4TEyYi~-n`xqS$KWxAW0^3c2AX@6n1%uB6)r<+errOLWX=> zf-tCazaQc)Vp~mR1-2jB{rU){VfYge3^08%rX@RywDy`IgHEaKL&JlGP9=fK{ z=@sWp7*L#mvR=mqfF|3TPqCgeJScf=nEl>>gjSpE&_Gbw)*8wgC^7Igc*On$j-;qUp zH>Ak!LfC$^<}G9dGIu9cg%NYP0nmdxET?(?9n-x?eAyo)9qsF6hupsiuZSqRXFEK< zM@l7IJ`FWA--N-ShCyfVj|}HPl8*W=+aS*ztY2PjCo6|d9IcKB_vm9?1zr3)fP70e zP8LDh*C}=zE|*nVRUyu|9-+fZ=Kds=vO1me6cpJ0c=^DGI)ZrW#zDuQ(;x*s3wsAZ zD?;~onV(skT`jz|jm}9kUG_m7{vTN}$r55wB+#7io_(=^ydtaSP@Q~a-GOU?PougB z4G#$7`rFzQj_R}aBe(9G9qx)x8EI(|ajU1hHMljy$3Df&UcPYZu{C+5!@#VtFXgAH z$6cPlqeys6oYP{&N@Vl9#Dykv!QgE9#P9K=okBSQ+Px9CvhExMeehxh@8!%{%%0<%D@&A*p=kj%~-c%;l8?@~Y4PyB;nOJfVC9 zV%?Nxg)FMWM4$Jtj1gyJGx5O*QYqrdU>+`A_h$0^`&EK@+)F8bf+0|Mc!;>KNFv&( zGl_%#I-O)SFrshg=aEq58nL+CckE3@qb`Q>A^nzvY4%NNyP^7+&S*nrG6EX2-Et zsAuECLP%_*_l8TBF`loy-2bN(&#Htw;krrr#iRD(lw+^?P2?m;e&~V!cV(E5F5%7U zE&~HAYhS9I&yRo(@x6=QKPpD0`R}Hur%OtI$~=qZv%78beUa}U2GB?Sk(#!P_{DUT z?Bcy8;gr_3-Hb|Yi1D7x3wXB4Y|;jr3?(~!>&aOuv4eu}z}g8aE-2}rIhCkTh=4U> ze*8zCGqgL?n}Hgt;}Qc&-_SZq1ZV8G6y{W{M|ROVZMOIUW;Jo|vSr&p)p_v5EmS*jT0BQEIN1{qn8UFuJ9}$B%c~v*wzR zR==nLk`mQ?c^imiXl{vumG1Genf>?Kc0R?8xalZo>s;7QicNx98 z6R}uP-~2@%a;l-@_l`fuDb;=SCf?!0yPfZUobVv50l$?e^L+pydbW;7H7m`JqJy}V zd4E~IzkS5eaSlCTAM-xEaGFXaCqAl2#w*U3!I*q}n^b5EFmYdMXjjf|i1kRDEcF_E zFJY6Y5RwJ72T?xb;$fG|rw)!fDu56XeLq1q$-=MA-{lM>^H# z(utz9#!m@v()OPz-rO9DXHD3FBW_|FSg%~iU!BL~Tqq(PA;;{jwZq(6SzkUI{!8f^ z=U7w$f_=nltuVtUSoCFx9m9h|-wf>_w6*kYVAm{1{(-Zx5k0A-6l zQA&y388-M{L^+*6`TdVCt;_Yw!-i4ndR(!Jy~<-r-GYcIn4*to`_GMOEv_E-3o|y= z$#@JhdxK`7o98(f*Xws(5sRnGlLfE%TK{>_sB$y+;rmv)l`ByV#(#cj{eo~8c^di^ zjDX7)GsCXm8KW8~_JFRpU(WKg+tF6-DCs|(Q9m%_D+lD}XvXA)6k?-d(3zTi~*Ae6w($;+Gl=aP# z=`jdpsU^NPK+#CUYX++ktabP4HqDttYH=^FdF<3L2V8eVdTz}x*F9e>?UvH1{vv!+ ze3bQhf%7qUZEE_KU*F#}TUq|sK>#WzYff`3<@N&PU-o8m)y=L-!1lz7DAl{lK=s6QP6xgz<0`@IyIh`MTOp;>g` zD+3{C$ZR6Vjgu7jimp!d-5os%2^Ddm1lZSLLOd!6HT8l%%N0xd4MjSw_$u)%^iQquvaM<;9rf|443*8W{*$fR2?I0 z(f=U)Z%1~)3^4gVnJJ6aI*|vK?F%F(YMb=_5nC)w0EWQ{WzwVL<1g<%rM`H)zX7wX zC+Yf2t(y0EYEkbHGZxO0gL+}_!%fT1Rax(R#ERB{H_>ZFX#9>Mx|`4yPcpb7DvYlRK>t9tpaBFjvbf!xXfzK481}{0(KXCtx#>f|LjNo(6dhNFzQHB0@=wBglJ+Vq# zwP1|$@amu){>Lz?haf`w-9Dn7+*kO%0&V=AK)KbFtHxS^4@K7_OH9#`WoJw>7m@D3=e$0f%Hgj%^MJw@evRHmWYEoPRk?&-LbIE6(!r2#5uq2^{_0T zAH85#^O7Um!&P7v-@oiKprx6`XRkCE3h&*BS_if$p4cCJ)3cxN@(K;adMp%|4s2{y zjEurE4@>wWBsgJhgNWZ+5x6RSoqFTOx+Z@)c8EJ#I1282*xHaQE{=7wwfpb#d}P-T ztH&M7HD%BGCSx(D)!!8~;=4Hb#Z1aJCHl+`m9^t{bi3m2kojL2cywhaaNn~6KV~$G zm`bKcauSoa>3psEQyfxAiO-HT*Hi%zR+?wDGZJ2wm=3u1O;gu*#s?NNTa+aXb;=bssO&7v2`uw>}@86Y;Znij14YihV z=dk&dQleR@7hOB;TH`$!rt>gw=gYIh-Fi9X>MsjK=np9zT0`=ypU!DdP(N;eFkBn(2?|nG12TiH!IY!bp8|y)J9_98~ojj9J zfnC#cVe%2wRJ`z~?_u|5Y-nfzsB3D}nT;8u>@OrqzCCy|8>xm=Y$M!ly?8vAAks|@ z!G5()(g;jI69Ue(YM7LPQB z*Uvf-ht`;ln?bGLi!zY^5hyq-SAnz>FU5k7mb z13lP6WKv%Afe4L%V(@jUn@Mt5WOEDNe@n8()zM6pJhfqspK1WOUtGYfvlR=W{dk_# z&)!WSU@iG7gVPdxrwBks3^1H__iBVO1L`h0!1b*@qC2?n5eR-W55vkkf_aX zQ2TjS{o5^ni+*^ro`YO}+wFFS<{yA5V~17QerLlCT(7s*&O@5+K}-jbjWOHBNDRe| zp9k0OT&8bUygKm4+N&|kwPtT>7S0BOt~V@2+XqC?WNC5vjy5+I4lQe~)_gNPm*Q;x zLv)RMyQ=^bY~;XToE3>t)Snkn#_qgvdPZB)xEx9eM*T2PKkjX|%I;dt7<$8*l5V%- zAykYE+4m0`jiPu7cuASvEgTe{tKaHx{tjZHYLe0bwu^Eg@r+L)OQ4~rF@|?xi5l(d z=9|eO-$kl*8)8hFXM$k3v(oYZz(V>Ws2iOsY6qMgvmOKi;4Ag*a%^1i;Y6$l<0_B)O=F3@QRQq1;`y+uWI27{Im+0K=|tGC6CF=_Ne}HwlOZLf7d&uUA*#@aRAwmmVn1Dgerh-pFS8lLgOFG9mmxdc!j{Mi@HBfGX7Qp1dw9Hu0yA4}v__oa3Lb0%mW3p`vu zV_tIIc)#Y|@060Un*w;8m8g_*$gJSr9aYZa`?I+Pj-K6Hx5X7}b#+t;q*s2fHgA*? zP3=`VwtdxNensIxsH!rCT092@nDwg(xVhcu+{gT!rnK9^fXr}PTK{p}bHF6*US_VM zv~9DNsY(rd5L-P`IdaDDT9p3rfnoB?!kQBS5YW`#wIhGKw3t54=&peqUgO*RfJJ4|S)2xy_BBXY9AcGk2w z%cJ||bc4fXQ}&CcWpNJ6RwB#*w2Y5L?)JUi(y==jWq$?V*fKhc=USgZMx6iC0>w_I zD_9AJ5vi+mMANnB3{YcWP@F1qd04>#g#`JH4SFKUAs54&PAe_`<5*fnek0I zOJ95;jZSMl$*?w0QSliCWT%+#@?@61BB$w(oQw+BsPEeC#l?ifjZBj;L^u3JO9@GJq7V7OYLU#sUVunH)6}#IG zM^41Y@%4Ikp(}FnY1c8hmx4wFAX85B=-O)^klC%rz}9bSJ?5>MthKHB0;c8 zU_ROfR^MQ-_^dQFP+cWgD-PkM+eHQ1<1f<89-BAX0wse!0ua@5yZ;EYb|ynlUSl^#pr@v zc0|Hi%N~muk9U{yi}lu%Q(0M=t*t_Sm5IPSY{}vK@#X(GLv#LiDw&N<5KHYEPn?pU zRbpnE+_edXyGdmq&2I&KKLlW`JbUsJFzW>E-!b~$t@+Ti8O%D6jPey;SN9Y(IqzI7 zjz;oFjzFUbiewDot(UJKu3}lr#}t<>MTKsG3`^_gE@)Kq#|a>XPGfnw`;*%aXI09> zjb;3CpxYdHrDg#e?>8%}k-O{FE#bXL=(w=8^Z;y;T_Ow<3e4nY^N93FdaQU^HUMcX zgkcokB_zdX6F?>Rx0pMUvFeK^{vAf+)7z)0Gz!Vxv?mc&~bo)_wRcd zk#K^;{YYs(Bu_HL8t6!~`qnxaaIAQ5m>c|4$kd6g4p65pMHEy2L(ctukyCD>PjCY1Ot^|mSHdit9RL%WeJYnIX8 zjl}35zq?Jzz?Bjr?i0B`tTOqJ`4nv*RLTYvkV4bbNjie z@}|6?_<-LQdKl6w=0lZSN1C2-`?N{!GxJ|OTHjS?Z>b59a6I4=!o$ZejZ;D1&=(1&cCXLbe@Qh!tIZ>*16u(Z8IkT)oYCbNW24$wYgLDOsCb8 z15?Cv18#O~2iz#bJNq=}LOw5r*!;0b19y)0zrsMYS z$xHEr(dtUU^DH-Ro#U%YdC0Y-r(qXN|KtwYu$X)rC7=!fC;!J*9;`JVJ{bjqZX)Qi z6RAbaNV<2iO*W-%zJ{WX80mw@2>MhtCW5zY)pUNn)&bb^?--P%8a!TkDn${nh`ZJ$ zrc1OF11Xr(Pb=V8f_@c**)8QMKvCN+A6_^b*%H$Q-UkZb&=y+86MAZ}jlQJG;sTf`xM1&g>%E6NO?IG&d8` z(3k^I7kMh)Zxt2H7st!dfe%FDr>GiO=`q%nM9eaUV=Fg{S=Ku-u%9hj4S6Hk6LYx-F-;IKwL%Z2y&c{Syq6-|W z++E2=yXgNuyOfWFdTc-6}AN=qylo}q*`^ocs1p9%-MO3|-q!0Y@ znw0-1L-+Bc4ZFQ0a-CsT1PJB_kS{RWivf*9#=wAFe1j2N#ERQdo|+^EFd<-j{bC4~ zzzCn!HtWhm1p=+YG|Lan7sI87nd&*e%f5g7TO{XpVdJmJfwD+I3d3aX{CB&+RW8oh ztCfJCSve*Kndedt%LOC{ZLcGsKw9>EqA4?n`q>@0zVV4V1ev3Rq5$Nfrg~x;^lnd9 zjP#zQp4%2*po)65NT%8C-*|hRYNEpfOgP(XgGR|JF?W-_vZFVgPRUs*EHO^{Bz>%L zL+@MjzFNC!Ac=Wa9{X}0uy{I%fzkz)Q?LewjQWZxW7e!#{e1vn(B#kHk3P*e^~Sd! zhDU4bQ-FY2B9TcpPu5=Y$(xo{cu%2Xpmnq7(g%u1t6-Qr`|@#jv-8G&)n5T{ z+?UkHt;l0^e1$Q$oUG@9*GsN`vjjRaWO2L5$uv5aLUglTbd_WmX6=V>TB?PrjFBdi zLI^7E!K+r}2SHw=>D=;@0>B{ug!P~0X>8}Mk=Cw{YkT{_?)~Gg*(t+0YiT?O{fg9I zh*BESn%=#D>CTmUY>ib=b_?AKpZk&@`Gqm7v;SPJmjRRfaw7)Assxc{un{r$c0q)} zumm(1#Y6k8aI*`$UkahKxg}9@RsMsgVWxw8hw(B9p#!aG(2Xbz#uSjkia~PF-{o4E zQ?4Bf;w^`ewzBFNrFD=~v^3J_Af>HAsE>J}@EBOzecSo9C6P2QPO*ak{O7gsH&Kxf zXmB>2puv{IZ&{%1z@;U9Q4PJPi+kJCnZu?B>R1_yRxD-V)9`?Lb2$JyeGypawC*fZ zw*0r)SMF#2%t!eb=WTx_$`&i+8Bl!28=XD$M^n9KvZdInzsM2xlB_Y{1?F9U{b-s!#|EFr(#QZ zvPFb=alu&(9u;$gF4aLtXBIol?&%EZfs+gjd2@rb(LI=?fM~pW%Z`C`@Qq!RmxUF1 znRA#Z*xcFrjkZz>=A@hHcXwHnwE?`gF1H(Dm0m|wyfkK}gYSJ{-h%<`2M1mRz^VAEw|g1|#|2J5}D6?ln`&p(Q78T$*-A%*ZBu&e7gU6W4)T91!C(&~6*Q?4a%Vfn+4 z$pr6~5pzqhk~xqk(Tl`BbZBdPpz0?thy2d;AkK84e8_S{eX!^2T9=Fxgs*}YaaTcO zdpBY?!iWcPCw!iDKU&t>l?}_gNO^>0o_?DMH^Ud$J-$H3zUPZ(fpV}-MvPj?;Qp;d z_%SXob1Pj@@sfcoI4-5fD`HR6K81$m>m^bq?fU0_C;0>hyAH2~J-+Mi;RouTxtdi< zAK*<2uznBXq26D1X^Q3q=NNDhh~Dpc>N}f@X5KGbWL{0b_PsCX=DVCj^}PntAvC7) zlygM<84ZH21oFDDp>N4Tejo}qEWH-I2qr)LLA0PT=VgJ^mOuJb^pQghyYoYB54?y$ zEgAtTZfTqbkw;3V3hGd|?7}=K`hKgoE8DE{4+0{G6t3XVQOpMi*#Y-t7LN3t(U1;| z2)dAI^ zAO#^{Cv83T)*T^0rpv_v`Finq^yC`nq3slu&A&X`;4B<5atP?*QEuHZ1r zQ%@Y*89cMIO$H)ChnIgNr!x=f)7ABpnuz`G@jmT1Xp?!aicK&G5#iD*2$n~F`sbgw z&vKGt8Yeh=FRRbHNBIQD2o2m+KYP|B^eMHFBIXawX~ao&4PWS!j1&v!*1n^6N$u;C zL=M3gG-PG-SPhz#Pis0bZaJSLGwJk35$TblR!G?C^UV|-Zu^y=gg3!T4tPx`M=%@9 zCr4BTvaudL>%MKRfe4r_EqjqSPK#dVem4!v+JQdkcCf}6lYduyG+Zoa0tFS+HN$6< za;bGZl;+*MYL>cMcPa78k3lu19iVRD0q?`gwo>8bp5P^n&@rp{PRFqe#(%!%#V1Pl zIYLkda(=fB|G@W(>c-BEcErqeXg+BbH0bSG5Aw590%$@e8ONisjlVkhdv@jiZ)OGU z%vG!mK_fixEqA%7G(25Or)^VR=x%}z!U(UHrAhCn0ISM8Ag{Gk7fce%=vot}%kQiY zJc6JA)AwPH!gu>(bi-G8*U-p5eXMipjwmk430gm?0>QwrrqAmKdLC!(< zc%jT;!%RBhNhJ}A0LW>hR(@@oIdY%nQfq7L1((rXQcBW3$2DcZ#XCjE%@U60hrBv> zn-Aywk5g5}!*)al-zLsJ9SWP*2TXBrT8>J(H(aALtevmY<@kOe7;;ww+5nN4TP2mH z;~pXF?(4mS0-sHYNPAec>e>W`l)gHYt#UPrEZ()`elP4?S;}Dkt0=^<3cGyP)(g89 zxzot;S+m+3@N17$ftw7F3Q@?*lUCd9eMr=t$;+!i_EOy~r{Y1ZJQMW2ankpi4*|3> zAnxQOrDG|Bf+O?tj*0$ri}YilDaSzbDK0S4f%9C#0+q6LKHU<%jQ#poQmXgE`hz_R z)@ie$Ildn@upi<$xYRxkp#~pbxS4ni$}SXq?NWE91mrO=}YSi93NFXz0fUO8{l1VEef$9f!m zj)M9YK2`WV>niLme$B_6Ck%Rxac0)Y4&*Q-Rv7G2Hf)_SRdv6@5?!(Q%$7s$9z`;~ zfLkDz`F-*G+!EOW6H>@=cwGL&8$B%4X;GLjVLND>pAl^TxoSL%NWhIAQ}p4a{*;)u z7MP|iJE|M==iB_=GleOz`zCADmS`DKN%_cHoh(K%jJk*i0}#HlC4sG?VGy~tkD@HU zFh~X-?3Lu@X$u584-c!hwIlc;p?3jT$?5|oT(>X5=a-zsTy}UAz9*DV*ww~sFNJ_Y ze9m>@sU7W2jO1xm@$*l0U~*WeGVrRjpZ7?U6VC+?8~{09&>D*ux%&gVOzpl56@459 z9($_}hs4uy`O+JM{d(EN?oN;+(c@>^V(k|e^RKap7e48`kig%Cksnjq6M@e}?l#YV zN`D4kfju=DHC*z4+OGRBSy$U;zi7|86xxKf-$mCwso!sa_wKTm26Fmb`|so$uw43*3x-+4 zHPp!a7l&=wOWp>m7zRvn(N08BvfQuI;1O(^R%P`W#~RS)S65drt4@x|s}mZH%&~h& z3bee9|L?zyx9!&Mm$Pf5YB#);PiF2qn}(KDM&&nhl;#(z_hCSr!1phUC|d)H)Y6$k5Usa z&(B$Q2*uyezZyusrRhH4L7`A)o(Ug{Jmb+)Ro$MyQ){?9kgslUMbOkt@>lpz9Wm20 zp)Mxv1VohlgBpJ7Vp}bio(XdnCWo*;(SIWd2o~GkbT18TQN#!Q;#ciWFgdJK9zH1g zdl2B8{*3+qP4DQ;Z2PeQh3GpP`p7G3{Fgmw{2fid z7Q-h2iQ}VDp_I=ll+aH*cG0mz_^AI;fhhYl2=ECKAyN8P15eg0j3!}|+ofB}Y)j>@ zJ5YEo_06M)+f($;gTNidUUr(uaZm&xz?XK5)~DvDqY&{ePeT1T&!egOi! z$0+~KjfgNMT`SNu+rPM_40t#-5NCGRTCzv??`T@~Af;8x+-<23=|Fm7^?Z8BYWCH| zN}yHzH2b?kw+_fX`9}V@+8}m-N*>@ZdW4b?;|%k=-g9gd#Cb3{Ms7Zc(=!a}eY{$7 zbOyo|#?8bs`=T@k4vF(mRt0%L%r%IeU5Yq1O)Z$9lK zJq4OMt0np1GlL)Zq&P0iF@Rs%IEa_*MsOA0mBkrAcignLZz&Tj9!~x^Vw*1rYjuXz z-21oS;!Q7W>I6^(9&tM+o@}R4-{@`n7a4O$lYeudQL-)nq^en~|Fhnc=93l+FiYgh z0iWc*IeBb4Sr~pkl>l_Ne06Q@us_Y8g0VjTUYrP*&M&F7mNaxgT~m3r4m2#POI|X~ zPMJ*ad(ZQj0;3K`=HcDW#I#2am!+^zUmZHuq$_U#9eM=Nw0*VDxfK%IA>L0IU479$R) z=z1gAtDhdD{iE zuKs_BAx@hYtxQqXi|?lA&QD%u-ewq_&fmRKg*`j#|=5LaswCJ4!0m>O-n* zkyw!!9-ro|H}E)kg%c*z<_Fy;KNCMibB?NX{QgGnoucHEPd1VBj8a6{#N z3z%+LX;;Z?es4QCF=%IBl2qd(iEa-= z+)ca;yD$rw(0+1G;_`p)zcbE$s7xj3AWV6^Y(S2!JvyQ)?B7wTqyx%a89sNpZ8>q+ ze>?Wg++3&I6(KQ+rHMakmvO*U4?&g#_KRl7v8aH^Km0)S1_hoJYvXS0|N z!e55DU9_Ne!v{kgv1af)khC$2C?5@|Pi9A$lIi0&AigV^p$o#sQt(HWgYaDLV8iyCh3=1`Ti%tK89T|Od#4DB zn0p^On)I)_F>2h#?<}J#`9E=k{xkhLFJh!Za+15OS$~H6rg3`Kx2?i(Q(x_livAxb z=JSE;dwEf;XV_H(Qao+ju0_>?TACCE#g^)Xn zM|R4*4ucIqy?!~ZT0y*ap5Rs`U9964o@nwkpq~8ena~D26KqGZX;@!2ezioMhRGYr zI81KnRDS{1^h-t?l800vy>9m;Ryc=qYh60x3n~E2T`kK|?jEZoipqI(6RK>kr5t^9 z;8eP|dDZ?nO_J$thuH38N6yG-GhVDrDVkI%=0mRP;Tc38FzdYdXF%mmC|YE$Vn~*y z#~)tpIfUHQAIQc#8RY)FigBjz=?Mg04Nn;eRO1mVeVhm+pHY0r2T{;T5p$O3*herd z8aNKeK>0OVOCx>0Z$&*K$n1(G^U z+z3691aKn$&7@H_Ia*M=I9{Y|^SPEWG^7M9{s72fT8H{L*NNin{Qlh-u+uFrD;L^! zGWZ|Py_t2+9Y6*HU6j$$@`Fx@6M7G(GA%mLygWp9t}m}6_up3LfU15Sbt|H04xA(n z+H(1ywt=UemRHWnZn%9Rx(zjpOjyOU{C|@+9N7_u=ZQZ!GM+4X8j`s?Uk-2l;4|mf zH#oa@&(|2qFgNzIoG>II53$GM9cr#&_!)dT1|NyjW!1LO?iV6V{#j@4-28u3cHYr& zZG9gXHzAd1i7w&MB03qO%oA-S7~F{{Jw^rQ_mY~JUeB&3p2^jVa_00 z?KM=YXk-EcVq-qZ)o@r|Eqn0gbilKN6eM(KZXNAUf~Wi=X~bW}oIob~MQ6PsNuP)h zLKwkjktH4FGw*$m_rYIbvgQW+D||=cZ@ZK(Jj46rcE;s|^d>lfH_}G%p0C+4pogZB zQtMe{ZF5u(no2#%DHVQ``8w#L2#pNS&32Nsw=PKw4nQvIE*&K3{th|HQ~8bjlQ3zo z4c2fT(5Xfss08Z4iWe>D7!9xWJD=rNA;zG*c5RWBH~bunkmnosQ$t>s$mA4cnt}Pqj<^9+L`r*y`yeW(Z%ncRW&lW<{CKt z=$mFd6J1{5l&qOtgPfOBXKPjISd!AiyVqBG&kd+34HZCTA&Z`>o3nVjxYw^_OuD*4 znOfXn@uHuoTvJ}s0Rxi6Hf4eZyqX-p+BrJD+4kuRc1gq$QmM=lpkDNydl%*PIPUGy zo#G|`tE;FI(Y2k9J!h|V+u+=o&gJV=KxX2~@kxD6xiBH;O48ohE+9{p_9RF};YE?g zuOun9?2-YB&C(rtQ zcKjQHZZgX+u{^_rboM50Z4_MY-(_WOaNpdey{dApS4`Tq@5AO1I;_Lu zwvcwjD)5XEBvQFdNVBM2DMipvUl1d?mh2<&{l7Dm5Q8 zBxdPcnVq3@^|{K{StLiIxvD8BQpzG}#G3r(0WPeRXkp=4TsYt zs|K@6SzOkNb*6W-hVJ2_6k%g{roHm^=7mIK zgPX`1Eh~5}_%?Z_%;cyJd~^jM5oA_SQ}wTB^g$CZ*I9&SLLQL^T`A!pbafZ%^lJ=Wob{w;)BmM1 z9OZxipDF_jhV@k=eXzlYN2lc2GPASKJ|pDUj|Jng{N#h?>+k!8iX9E5uMiLsfWiD7 zOH!rw8biN!Uspf8e~ZC*omky6oTU^IAMgoSHT@6_X<+giwQSI?5a+j}>c1WBX_g zPlOI?rZ`cFWXFevzl4S)jd&JJyA3m&;3X`T=~_c+@q?g6Z(pfGW|@jz_1x`ORq3LY-?|qeAB&5xt8B$NzmI9vwVuB~zz{!Po|nZW&?>gAF$n-8 zB0C!X5GasuN?Gib&1E=`Jg-ZSx#+ejU&=5NxV1q_B0I?U{*_U8f^QT{-x7gVJzOa- zpTB>xIFasOVh+(#Z*&az^s};xzKNOoACn$A z11Ofm9I%IQ@oni3o-NJsJ(87;h=~F}Oyd}Tr|_+Blp=xEy{h24X!uSh4SX<}UrClk zWsQq+rc`=d;6Gz&o?O1%aD2jDj&H5hh4G(7M9j_rX_L?Ib^cA5yt`C;&(^1CA!ayK zm?c!c<%@A^6X%yhPcsCXVB}Gya*%BekVk`FSJN%oM?<=5@3s7;x->4ByDPdZY0C>n zhxS{;d(Pi9lj3WH=zYzWX6erTNHgt>qX5Z=-%UO!01!OTWFf)53JK-uXA=}*vK%o$ zyl!al7ZEcJ9DY_4RMN`~4*K2P%CiBLAfAzJ>&IJ9J^WOXE7c-Z8#eT|ZqXjL78mT)}D3*Y`=?O9lTy8W3uYDw=oQAtv0K&CMdBqIVuYXG@H^#4hK0GbD;5Dmj@OY%|Codv6-3`rD{qfTh## z{P3nV)&EqkasIu1xPQ;ENtIOs@3YYDCU+z|*ph$32U#A_*DxEU`pG{MS5R|aIN38S zU~@N}ssfl(2Lcv*(~y~p004pgJNA5m8?K+MRmvpJ9<;RN{hpOAv!vuao6++j>tg|F z+c9WcM;P^b^_9=}S;F29Sk?W;Ffi+^5YAHPlC%2kf{CO~{7nbJ7ouT6oG!!m`0+J> zfcg1QWIpK?G}c%I`QNZIJtHD6);#j(vH{#YBvxlW9gXc}oLvG0TKL0EiEk%rp^4KEmY`m)rp(JYzKFfV^Fc{0CTX3` zZe)p8dbjwGwdsb9kAq94N~wm*we#C}=4{qTg7PlAQ{|RZO4u?w^LK-}`S~2K{Pgte z;tL{83p)S_YrXlwWodru{jkbTD%uKnPA>A}(PE2|yMs7I5pc8bw_(c?7$^ea0c+`q z?$7l%F9a_F8$1=BZ3qcIc8~hl6`(NhVKfySyvNQ7??Liii0=s0Bh$p~L&oD=BQqJ& zctw8{@r5FMFm|@)twduuCbgSlu?vSkhF-Px=JQ+gzs-x|VqdJIh+8=KfSQA2~#^ zUvm1RC}gUXn)lc3H- zIF+_RsDq+@*szYILN091x#$3y7El~;nkfTvjW;Tbu+^3sbyq)d0tja=vfY}GdhzpP zlaQV-i>@=9rEG47hTyY$TM-HyT*#Skld4hDh(kfE;B(wkN7r;GDGIuy6e-;aYsT=A z=llaU`2cvPG#!XFHu`8Q z*dB<)M&p8Gw4yj>_sfE5B}^hC#BaGD4C=Q4D^N}*`i@INdr6j#l*icVW4p%6&+Qoh z{fpv_08RatZ2fb34Jm#MOb+gky;Sari5bF;LJrKo6k*e^=5R5el?PpaAFK8>o0$!t z6)G>!&+$YpPx|F9TiSGyp|FJ!#S9#KLMBf*U~fQJt6r^45VyDBHHPY88lW7=9i5jI zqHDXjDQ(ea1jM<|rK!yjTL)~u+TDUzkuttb+BF-!ogNS)C98&}b~{JMZqX8_`z0!7 zl~WW<0@0g?`|(^yW1f!M^eBhPk&;tYJ$NJaCBCa`(OK??tpF(gJn<63Ks7*?8w%|W zbFn5h8K)zP=@cEVyiAN}pSB+Y`Th$XQupF>kNUeLk+0Eybs?IuWNR}ZgIe-zTI{!M zOcJNhTo&mh>OG5ARKaNL+icW;J;t51IdJMX`m9+S3I9G`K$cMe*Ud1Sp$_p&t&5Fj zd2QmMO+9*`r&OR8jJ>>T$6~(Iolk(NI6zY3AY@e+lVlRE5?azt{$argumD9=<+x{%*M>J5B|MB>+knS&gXh`DZQrF(bi?_C>`G@?` z>)Hnrx~wmEU5T^4et$Js#UtreUHlQJ;kW6b>yxsUSdPk_9A+rtkQh-hO!=r4-}( Date: Fri, 7 May 2021 09:26:07 +0530 Subject: [PATCH 028/415] Up --- .../client-management/mdm/policy-csp-deviceinstallation.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index ac14df7d98..a116c0b8dc 100644 --- a/windows/client-management/mdm/policy-csp-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md @@ -94,10 +94,10 @@ ms.localizationpriority: medium -This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is allowed to install. +This policy setting allows you to specify a list of plug-and-play hardware IDs and compatible IDs for devices that Windows is allowed to install. > [!TIP] -> Use this policy setting only when the "Prevent installation of devices not described by other policy settings" policy setting is enabled. Other policy settings that prevent device installation take precedence over this one. +> This policy setting is intended to be used only when the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is enabled, however it may also be used with the "Prevent installation of devices not described by other policy settings" policy setting for legacy policy definitions. If you enable this policy setting, Windows is allowed to install or update any device whose Plug and Play hardware ID or compatible ID appears in the list you create, unless another policy setting specifically prevents that installation (for example, the "Prevent installation of devices that match any of these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, or the "Prevent installation of removable devices" policy setting). If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. From 50e97e88a9b9bf5347ffa18cdaceeefd05ac04a5 Mon Sep 17 00:00:00 2001 From: Dan Pandre <54847950+DanPandre@users.noreply.github.com> Date: Fri, 7 May 2021 09:25:49 -0400 Subject: [PATCH 029/415] Removed locale from links --- windows/client-management/mdm/surfacehub-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md index 745f408e3b..9755457f60 100644 --- a/windows/client-management/mdm/surfacehub-csp.md +++ b/windows/client-management/mdm/surfacehub-csp.md @@ -573,7 +573,7 @@ SurfaceHub

The data type is boolean. Supported operation is Get and Replace. **Properties/ProxyServers** -

Added in KB4499162 for Windows 10, version 1703. Specifies FQDNs of proxy servers to provide device account credentials to before any user interaction (if AllowAutoProxyAuth is enabled). This is a semi-colon separated list of server names, without any additional prefixes (e.g. https://). +

Added in KB4499162 for Windows 10, version 1703. Specifies FQDNs of proxy servers to provide device account credentials to before any user interaction (if AllowAutoProxyAuth is enabled). This is a semi-colon separated list of server names, without any additional prefixes (e.g. https://).

The data type is string. Supported operation is Get and Replace. From 1afb27049feb753e6f137b00a05964f9ec70caa8 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Fri, 7 May 2021 11:48:38 -0700 Subject: [PATCH 030/415] Created new page for Audit and Enforce WDAC Merged Audit Events and Enforce WDAC policy pages, as well as updated the TOC2. --- .../TOC2.yml | 12 +- ...s-defender-application-control-policies.md | 163 ++++++++++++++++++ 2 files changed, 169 insertions(+), 6 deletions(-) create mode 100644 windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC2.yml b/windows/security/threat-protection/windows-defender-application-control/TOC2.yml index e8a04d9f6b..6643f8980b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC2.yml +++ b/windows/security/threat-protection/windows-defender-application-control/TOC2.yml @@ -37,7 +37,9 @@ landingContent: - text: Merging Policies url: wdac-wizard-merging-policies.md - text: Recommended blocks - url: microsoft-recommended-block-rules.md #there are block rules and driver block rules, which link? Add both, actually. + url: microsoft-recommended-block-rules.md + - text: Recommended driver blocks + url: microsoft-recommended-driver-block-rules.md - text: Example policies url: example-wdac-base-policies.md - text: LOB Win32 apps on S Mode @@ -83,7 +85,7 @@ landingContent: - text: Signed policies url: use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md - text: Audit and enforce policies - url: audit-windows-defender-application-control-policies.md #(merge with enforce-windows-defender-application-control-policies.md) + url: audit-and-enforce-windows-defender-application-control-policies.md - text: Disabling WDAC policies url: disable-windows-defender-application-control-policies.md - linkListType: tutorial @@ -101,13 +103,11 @@ landingContent: links: - text: Event logs (tags, IDs) url: event-id-explanations.md #(merge with event-tag-explanations.md) - - text: Advanced hunting - url: querying-application-control-events-centrally-using-advanced-hunting.md #same as below - linkListType: how-to-guide links: - text: Querying using advanced hunting url: querying-application-control-events-centrally-using-advanced-hunting.md #same as above - linkListType: tutorial links: - - text: Creating a policy from event logs - url: querying-application-control-events-centrally-using-advanced-hunting.md #same as above \ No newline at end of file + - text: Creating a policy from event logs (video) + url: querying-application-control-events-centrally-using-advanced-hunting.md #Jordan will create a video for this \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md new file mode 100644 index 0000000000..c10855446f --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md @@ -0,0 +1,163 @@ +--- +title: Use audit events to create then enforce WDAC policy rules (Windows 10) +description: Learn how audits allow admins to discover apps, binaries, and scripts that should be added to a WDAC policy, then learn how to switch that WDAC policy from audit to enforced mode. +keywords: security, malware +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb +ms.prod: m365-security +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: jogeurte +ms.reviewer: v-kikl +ms.author: dansimp +manager: dansimp +ms.date: 05/03/2021 +ms.technology: mde +--- + +# Use audit events to create WDAC policy rules + +**Applies to:** + +- Windows 10 +- Windows Server 2016 and above + +Running Application Control in audit mode lets you discover applications, binaries, and scripts that are missing from your WDAC policy but should be included. + +While a WDAC policy is running in audit mode, any binary that runs but would have been denied is logged in the **Applications and Services Logs\\Microsoft\\Windows\\CodeIntegrity\\Operational** event log. Script and MSI are logged in the **Applications and Services Logs\\Microsoft\\Windows\\AppLocker\\MSI and Script** event log. These events can be used to generate a new WDAC policy that can be merged with the original Base policy or deployed as a separate Supplemental policy, if allowed. + +## Overview of the process to create WDAC policy to allow apps using audit events + +> [!Note] +> You must have already deployed a WDAC audit mode policy to use this process. If you have not already done so, see [Deploying Windows Defender Application Control policies](windows-defender-application-control-deployment-guide.md). + +To familiarize yourself with creating WDAC rules from audit events, follow these steps on a device with a WDAC audit mode policy. + +1. Install and run an application not allowed by the WDAC policy but that you want to allow. + +2. Review the **CodeIntegrity - Operational** and **AppLocker - MSI and Script** event logs to confirm events, like those shown in Figure 1, are generated related to the application. For information about the types of events you should see, refer to [Understanding Application Control events](event-id-explanations.md). + + **Figure 1. Exceptions to the deployed WDAC policy** + ![Event showing exception to WDAC policy](images/dg-fig23-exceptionstocode.png) + +3. In an elevated PowerShell session, run the following commands to initialize variables used by this procedure. This procedure builds upon the **Lamna_FullyManagedClients_Audit.xml** policy introduced in [Create a WDAC policy for fully managed devices](create-wdac-policy-for-fully-managed-devices.md) and will produce a new policy called **EventsPolicy.xml**. + + ```powershell + $PolicyName= "Lamna_FullyManagedClients_Audit" + $LamnaPolicy=$env:userprofile+"\Desktop\"+$PolicyName+".xml" + $EventsPolicy=$env:userprofile+"\Desktop\EventsPolicy.xml" + $EventsPolicyWarnings=$env:userprofile+"\Desktop\EventsPolicyWarnings.txt" + ``` + +4. Use [New-CIPolicy](/powershell/module/configci/new-cipolicy) to generate a new WDAC policy from logged audit events. This example uses a **FilePublisher** file rule level and a **Hash** fallback level. Warning messages are redirected to a text file **EventsPolicyWarnings.txt**. + + ```powershell + New-CIPolicy -FilePath $EventsPolicy -Audit -Level FilePublisher -Fallback Hash –UserPEs -MultiplePolicyFormat 3> $EventsPolicyWarnings + ``` + + > [!NOTE] + > When you create policies from audit events, you should carefully consider the file rule level that you select to trust. The preceding example uses the **FilePublisher** rule level with a fallback level of **Hash**, which may be more specific than desired. You can re-run the above command using different **-Level** and **-Fallback** options to meet your needs. For more information about WDAC rule levels, see [Understand WDAC policy rules and file rules](select-types-of-rules-to-create.md). + +5. Find and review the WDAC policy file **EventsPolicy.xml** that should be found on your desktop. Ensure that it only includes file and signer rules for applications, binaries, and scripts you wish to allow. You can remove rules by manually editing the policy XML or use the WDAC Policy Wizard tool (see [Editing existing base and supplemental WDAC policies with the Wizard](wdac-wizard-editing-policy.md)). + +6. Find and review the text file **EventsPolicyWarnings.txt** that should be found on your desktop. This file will include a warning for any files that WDAC couldn't create a rule for at either the specified rule level or fallback rule level. + + > [!NOTE] + > New-CIPolicy only creates rules for files that can still be found on disk. Files which are no longer present on the system will not have a rule created to allow them. However, the event log should have sufficient information to allow these files by manually editing the policy XML to add rules. You can use an existing rule as a template and verify your results against the WDAC policy schema definition found at **%windir%\schemas\CodeIntegrity\cipolicy.xsd**. + +7. Merge **EventsPolicy.xml** with the Base policy **Lamna_FullyManagedClients_Audit.xml** or convert it to a supplemental policy. + + For information on merging policies, refer to [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md) and for information on supplemental policies see [Use multiple Windows Defender Application Control Policies](deploy-multiple-windows-defender-application-control-policies.md). + +8. Convert the Base or Supplemental policy to binary and deploy using your preferred method. + + + +## Convert WDAC **base** policy from audit to enforced + +As described in [common WDAC deployment scenarios](types-of-devices.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices. + +**Alice Pena** is the IT team lead responsible for Lamna's WDAC rollout. + +Alice previously created and deployed a policy for the organization's [fully managed devices](create-wdac-policy-for-fully-managed-devices.md). They updated the policy based on audit event data as described in [Use audit events to create WDAC policy rules](audit-windows-defender-application-control-policies.md) and redeployed it. All remaining audit events are as expected and Alice is ready to switch to enforcement mode. + +1. Initialize the variables that will be used and create the enforced policy by copying the audit version. + + ```powershell + $EnforcedPolicyName = "Lamna_FullyManagedClients_Enforced" + $AuditPolicyXML = $env:USERPROFILE+"\Desktop\Lamna_FullyManagedClients_Audit.xml" + $EnforcedPolicyXML = $env:USERPROFILE+"\Desktop\"+$EnforcedPolicyName+".xml" + cp $AuditPolicyXML $EnforcedPolicyXML + ``` + +2. Use [Set-CIPolicyIdInfo](/powershell/module/configci/set-cipolicyidinfo) to give the new policy a unique ID, and descriptive name. Changing the ID and name lets you deploy the enforced policy side by side with the audit policy. Do this step if you plan to harden your WDAC policy over time. If you prefer to replace the audit policy in-place, you can skip this step. + + ```powershell + $EnforcedPolicyID = Set-CIPolicyIdInfo -FilePath $EnforcedPolicyXML -PolicyName $EnforcedPolicyName -ResetPolicyID + $EnforcedPolicyID = $EnforcedPolicyID.Substring(11) + ``` + + > [!NOTE] + > If Set-CIPolicyIdInfo does not output the new PolicyID value on your Windows 10 version, you will need to obtain the *PolicyId* value from the XML directly. + +3. *[Optionally]* Use [Set-RuleOption](/powershell/module/configci/set-ruleoption) to enable rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”). Option 9 allows users to disable WDAC enforcement for a single boot session from a pre-boot menu. Option 10 instructs Windows to switch the policy from enforcement to audit only if a boot critical kernel-mode driver is blocked. We strongly recommend these options when deploying a new enforced policy to your first deployment ring. Then, if no issues are found, you can remove the options and restart your deployment. + + ```powershell + Set-RuleOption -FilePath $EnforcedPolicyXML -Option 9 + Set-RuleOption -FilePath $EnforcedPolicyXML -Option 10 + ``` + +4. Use Set-RuleOption to delete the audit mode rule option, which changes the policy to enforcement: + + ```powershell + Set-RuleOption -FilePath $EnforcedPolicyXML -Option 3 -Delete + ``` + +5. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the new WDAC policy to binary: + + > [!NOTE] + > If you did not use -ResetPolicyID in Step 2 above, then you must replace $EnforcedPolicyID in the following command with the *PolicyID* attribute found in your base policy XML. + + ```powershell + $EnforcedPolicyBinary = $env:USERPROFILE+"\Desktop\"+$EnforcedPolicyName+"_"+$EnforcedPolicyID+".xml" + ConvertFrom-CIPolicy $EnforcedPolicyXML $EnforcedPolicyBinary + ``` + +## Make copies of any needed **supplemental** policies to use with the enforced base policy + +Since the enforced policy was given a unique PolicyID in the previous procedure, you need to duplicate any needed supplemental policies to use with the enforced policy. Supplemental policies always inherit the Audit or Enforcement mode from the base policy they modify. If you didn't reset the enforcement base policy's PolicyID, you can skip this procedure. + +1. Initialize the variables that will be used and create a copy of the current supplemental policy. Some variables and files from the previous procedure will also be used. + + ```powershell + $SupplementalPolicyName = "Lamna_Supplemental1" + $CurrentSupplementalPolicy = $env:USERPROFILE+"\Desktop\"+$SupplementalPolicyName+"_Audit.xml" + $EnforcedSupplementalPolicy = $env:USERPROFILE+"\Desktop\"+$SupplementalPolicyName+"_Enforced.xml" + ``` + +2. Use [Set-CIPolicyIdInfo](/powershell/module/configci/set-cipolicyidinfo) to give the new supplemental policy a unique ID and descriptive name, and change which base policy to supplement. + + ```powershell + $SupplementalPolicyID = Set-CIPolicyIdInfo -FilePath $EnforcedSupplementalPolicy -PolicyName $SupplementalPolicyName -SupplementsBasePolicyID $EnforcedPolicyID -BasePolicyToSupplementPath $EnforcedPolicyXML -ResetPolicyID + $SupplementalPolicyID = $SupplementalPolicyID.Substring(11) + ``` + + > [!NOTE] + > If Set-CIPolicyIdInfo does not output the new PolicyID value on your Windows 10 version, you will need to obtain the *PolicyId* value from the XML directly. + +3. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the new WDAC supplemental policy to binary: + + ```powershell + $EnforcedSuppPolicyBinary = $env:USERPROFILE+"\Desktop\"+$SupplementalPolicyName+"_"+$SupplementalPolicyID+".xml" + ConvertFrom-CIPolicy $EnforcedSupplementalPolicy $EnforcedSuppPolicyBinary + ``` +4. Repeat the steps above if you have other supplemental policies to update. + +## Deploy your enforced policy and supplemental policies + +Now that your base policy is in enforced mode, you can begin to deploy it to your managed endpoints. For information about deploying policies, see [Deploying Windows Defender Application Control (WDAC) policies](windows-defender-application-control-deployment-guide.md). + From df848b4a876125d0b560e676d1739adf749062ac Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Fri, 7 May 2021 12:27:19 -0700 Subject: [PATCH 031/415] first draft --- windows/sv/TOC.yml | 2 +- windows/sv/index.md | 1 - windows/sv/index.yml | 66 ++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 67 insertions(+), 2 deletions(-) delete mode 100644 windows/sv/index.md create mode 100644 windows/sv/index.yml diff --git a/windows/sv/TOC.yml b/windows/sv/TOC.yml index b5ef71ac32..2b84fa1b4a 100644 --- a/windows/sv/TOC.yml +++ b/windows/sv/TOC.yml @@ -1,2 +1,2 @@ - name: Index - href: index.md \ No newline at end of file + href: index.yml \ No newline at end of file diff --git a/windows/sv/index.md b/windows/sv/index.md deleted file mode 100644 index 8f7cbe8630..0000000000 --- a/windows/sv/index.md +++ /dev/null @@ -1 +0,0 @@ -# Welcome to SV! \ No newline at end of file diff --git a/windows/sv/index.yml b/windows/sv/index.yml new file mode 100644 index 0000000000..5b07303233 --- /dev/null +++ b/windows/sv/index.yml @@ -0,0 +1,66 @@ +### YamlMime:Landing + +title: Windows NAME # < 60 chars +summary: Find out about Windows NAME. # < 160 chars + +metadata: + title: Windows SV # Required; page title displayed in search results. Include the brand. < 60 chars. + description: Learn about the administrative tools, tasks and best practices for managing Windows SV across your enterprise. # Required; article description that is displayed in search results. < 160 chars. + services: windows-10 + ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. + ms.subservice: subservice + ms.topic: landing-page # Required + ms.collection: windows-10 + author: greg-lindsay #Required; your GitHub user alias, with correct capitalization. + ms.author: greglin #Required; microsoft alias of author; optional team alias. + ms.date: 05/07/2021 #Required; mm/dd/yyyy format. + localization_priority: medium + +# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new + +landingContent: +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: Card 1 + linkLists: + - linkListType: overview + links: + - text: Link 1 + url: placeholder.md + - text: Link 2 + url: placeholder.md + - text: Link 3 + url: placeholder.md + - text: Link 4 + url: placeholder.md + + + # Card (optional) + - title: Card 2 + linkLists: + - linkListType: overview + links: + - text: Link 1 + url: placeholder.md + - text: Link 2 + url: placeholder.md + - text: Link 3 + url: placeholder.md + - text: Link 4 + url: placeholder.md + + + # Card (optional) + - title: Card 3 + linkLists: + - linkListType: overview + links: + - text: Link 1 + url: placeholder.md + - text: Link 2 + url: placeholder.md + - text: Link 3 + url: placeholder.md + - text: Link 4 + url: placeholder.md From 81811f42433ef6ed174d79984619bc82955acb6c Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Fri, 7 May 2021 12:35:49 -0700 Subject: [PATCH 032/415] 2 --- windows/sv/TOC.yml | 2 +- windows/sv/breadcrumb/toc.yml | 3 --- windows/sv/index.yml | 4 ++-- windows/sv/placeholder.md | 22 ++++++++++++++++++++++ 4 files changed, 25 insertions(+), 6 deletions(-) delete mode 100644 windows/sv/breadcrumb/toc.yml create mode 100644 windows/sv/placeholder.md diff --git a/windows/sv/TOC.yml b/windows/sv/TOC.yml index 2b84fa1b4a..459e198125 100644 --- a/windows/sv/TOC.yml +++ b/windows/sv/TOC.yml @@ -1,2 +1,2 @@ -- name: Index +- name: Windows SV href: index.yml \ No newline at end of file diff --git a/windows/sv/breadcrumb/toc.yml b/windows/sv/breadcrumb/toc.yml deleted file mode 100644 index 61d8fca61e..0000000000 --- a/windows/sv/breadcrumb/toc.yml +++ /dev/null @@ -1,3 +0,0 @@ -- name: Docs - tocHref: / - topicHref: / \ No newline at end of file diff --git a/windows/sv/index.yml b/windows/sv/index.yml index 5b07303233..0f8c82e9f2 100644 --- a/windows/sv/index.yml +++ b/windows/sv/index.yml @@ -1,7 +1,7 @@ ### YamlMime:Landing -title: Windows NAME # < 60 chars -summary: Find out about Windows NAME. # < 160 chars +title: Windows SV # < 60 chars +summary: Find out about Windows SV. # < 160 chars metadata: title: Windows SV # Required; page title displayed in search results. Include the brand. < 60 chars. diff --git a/windows/sv/placeholder.md b/windows/sv/placeholder.md new file mode 100644 index 0000000000..fecfe94a8e --- /dev/null +++ b/windows/sv/placeholder.md @@ -0,0 +1,22 @@ +--- +title: Placeholder +description: PH +ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C +ms.reviewer: +manager: laurawi +ms.audience: itpro +author: greg-lindsay +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.localizationpriority: medium +audience: itpro +ms.topic: article +ms.custom: seo-marvel-apr2020 +--- + +# Placeholder + +Placeholder text. + From 113706b774ed4a89e25fe73ccd329188bd9ee15f Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Tue, 11 May 2021 11:38:00 +0530 Subject: [PATCH 033/415] updated --- windows/client-management/mdm/policy-csp-deviceinstallation.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index a116c0b8dc..79e777d78e 100644 --- a/windows/client-management/mdm/policy-csp-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md @@ -99,7 +99,8 @@ This policy setting allows you to specify a list of plug-and-play hardware IDs a > [!TIP] > This policy setting is intended to be used only when the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is enabled, however it may also be used with the "Prevent installation of devices not described by other policy settings" policy setting for legacy policy definitions. -If you enable this policy setting, Windows is allowed to install or update any device whose Plug and Play hardware ID or compatible ID appears in the list you create, unless another policy setting specifically prevents that installation (for example, the "Prevent installation of devices that match any of these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, or the "Prevent installation of removable devices" policy setting). If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. +When this policy setting is enabled together with the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting, Windows is allowed to install or update any device whose Plug and Play hardware ID or compatible ID appears in the list you create, unless another policy setting at the same or higher layer in the hierarchy specifically prevents that installation, such as the following policy settings: + If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed. From 5fa1ea84d48db26ba375704f49a5763c6c706995 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Tue, 11 May 2021 09:47:30 -0700 Subject: [PATCH 034/415] Event ID and Tags explanation Merged event IDs and tag explanations into one file. Updated TOC with new link. --- .../TOC2.yml | 2 +- .../event-id-and-tag-explanations.md | 153 ++++++++++++++++++ 2 files changed, 154 insertions(+), 1 deletion(-) create mode 100644 windows/security/threat-protection/windows-defender-application-control/event-id-and-tag-explanations.md diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC2.yml b/windows/security/threat-protection/windows-defender-application-control/TOC2.yml index 6643f8980b..3db9e8ccd7 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC2.yml +++ b/windows/security/threat-protection/windows-defender-application-control/TOC2.yml @@ -102,7 +102,7 @@ landingContent: - linkListType: overview links: - text: Event logs (tags, IDs) - url: event-id-explanations.md #(merge with event-tag-explanations.md) + url: event-id-and-tag-explanations.md - linkListType: how-to-guide links: - text: Querying using advanced hunting diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-and-tag-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-and-tag-explanations.md new file mode 100644 index 0000000000..81c7794f17 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-and-tag-explanations.md @@ -0,0 +1,153 @@ +--- +title: Understanding Application Control event IDs and tags (Windows 10) +description: Learn what different Windows Defender Application Control event IDs and tags signify. +keywords: security, malware +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb +ms.prod: m365-security +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: jogeurte +ms.reviewer: v-kikl +ms.author: dansimp +manager: dansimp +ms.date: 5/7/2021 +ms.technology: mde +--- + +# Understanding Application Control event IDs and tags + +A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode. These events include a number of fields, which provide helpful troubleshooting information to figure out exactly what an event means. + +These events are generated under two locations: + + - Event IDs beginning with 30 appear in Applications and Services logs – Microsoft – Windows – CodeIntegrity – Operational + + - Event IDs beginning with 80 appear in Applications and Services logs – Microsoft – Windows – AppLocker – MSI and Script + +## Microsoft Windows CodeIntegrity Operational log event IDs + +| Event ID | Explanation | +|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 3076 | Audit executable/dll file | +| 3077 | Block executable/dll file | +| 3089 | Signing information event correlated with either a 3076 or 3077 event. One 3089 event is generated for each signature of a file. Contains the total number of signatures on a file and an index as to which signature it is.
Unsigned files will generate a single 3089 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | +| 3099 | Indicates that a policy has been loaded | + +## Microsoft Windows Applocker MSI and Script log event IDs + +| Event ID | Explanation | +|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 8028 | Audit script/MSI file generated by Windows LockDown Policy (WLDP) being called by the scripthosts themselves. Note: there is no WDAC enforcement on 3rd party scripthosts. | +| 8029 | Block script/MSI file | +| 8038 | Signing information event correlated with either a 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | | + +## Optional Intelligent Security Graph (ISG) or Managed Installer (MI) diagnostic events + +If either the ISG or MI is enabled in a WDAC policy, you can optionally choose to enable 3090, 3091, and 3092 events to provide additional diagnostic information. + +| Event ID | Explanation | +|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 3090 | Allow executable/dll file | +| 3091 | Audit executable/dll file | +| 3092 | Block executable/dll file | + +3090, 3091, and 3092 events are generated based on the status code of whether a binary passed the policy, regardless of what reputation it was given or whether it was allowed by a designated MI. The SmartLocker template which appears in the event should indicate why the binary passed/failed. Only one event is generated per binary pass/fail. If both ISG and MI are disabled, 3090, 3091, and 3092 events will not be generated. + +### SmartLocker template + +Below are the fields which help to diagnose what a 3090, 3091, or 3092 event indicates. + +| Name | Explanation | +|-------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| StatusCode | STATUS_SUCCESS indicates a binary passed the active WDAC policies. If so, a 3090 event is generated. If not, a 3091 event is generated if the blocking policy is in audit mode, and a 3092 event is generated if the policy is in enforce mode. | +| ManagedInstallerEnabled | Policy trusts a MI | +| PassesManagedInstaller | File originated from a trusted MI | +| SmartlockerEnabled | Policy trusts the ISG | +| PassesSmartlocker | File had positive reputation | +| AuditEnabled | True if the policy is in audit mode, otherwise it is in enforce mode | + +### Enabling ISG and MI diagnostic events + +In order to enable 3091 audit events and 3092 block events, you must create a TestFlags regkey with a value of 0x100. You can do so using the following PowerShell command: + +```powershell +reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x100 +``` + +In order to enable 3090 allow events as well as 3091 and 3092 events, you must instead create a TestFlags regkey with a value of 0x300. You can do so using the following PowerShell command: + +```powershell +reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x300 +``` + +
+ +## Event Tags + +Below, we have documented the values and meanings for a few useful event tags. + +## SignatureType + +Represents the type of signature which verified the image. + +| SignatureType Value | Explanation | +|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0 | Unsigned or verification has not been attempted | +| 1 | Embedded signature | +| 2 | Cached signature; presence of CI EA shows that file had been previously verified | +| 4 | Un-cached catalog verified via Catalog Database or searching catalog directly | +| 5 | Successfully verified using an EA that informs CI which catalog to try first | +|6 | AppX / MSIX package catalog verified | +| 7 | File was verified | + +## ValidatedSigningLevel + +Represents the signature level at which the code was verified. + +| ValidatedSigningLevel Value | Explanation | +|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0 | Signing level has not yet been checked | +| 1 | File is unsigned | +| 2 | Trusted by WDAC policy | +| 3 | Developer signed code | +| 4 | Authenticode signed | +| 5 | Microsoft Store signed app PPL (Protected Process Light) | +| 6 | Microsoft Store-signed | +| 7 | Signed by an Antimalware vendor whose product is using AMPPL | +| 8 | Microsoft signed | +| 11 | Only used for signing of the .NET NGEN compiler | +| 12 | Windows signed | +| 14 | Windows Trusted Computing Base signed | + +## VerificationError + +Represents why verification failed, or if it succeeded. + +| VerificationError Value | Explanation | +|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0 | Successfully verified signature | +| 2 | File contains shared writable sections | +| 4 | Revoked signature | +| 5 | Expired signature | +| 7 | Invalid root certificate | +| 8 | Signature was unable to be validated; generic error | +| 9 | Signing time not trusted | +| 12 | Not valid for a PPL (Protected Process Light) | +| 13 | Not valid for a PP (Protected Process) | +| 15 | Failed WHQL check | +| 16 | Default policy signing level not met | +| 17 | Custom policy signing level not met; returned when signature doesn't validate against an SBCP-defined set of certs | +| 18 | Custom signing level not met; returned if signature fails to match CISigners in UMCI | +| 19 | Binary is revoked by file hash | +| 20 | SHA1 cert hash's timestamp is missing or after valid cutoff as defined by Weak Crypto Policy | +| 21 | Failed to pass WDAC policy | +| 22 | Not IUM (Isolated User Mode) signed; indicates trying to load a non-trustlet binary into a trustlet | +| 23 | Invalid image hash | +| 24 | Flight root not allowed; indicates trying to run flight-signed code on production OS | +| 26 | Explicitly denied by WADC policy | +| 28 | Resource page hash mismatch | From b5117aba312c9bedb7d7ea142f6d6abd6cb252d4 Mon Sep 17 00:00:00 2001 From: Denis Gundarev Date: Thu, 13 May 2021 15:22:03 -0700 Subject: [PATCH 035/415] updated reference to IDD documentation --- windows/deployment/planning/windows-10-deprecated-features.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/planning/windows-10-deprecated-features.md b/windows/deployment/planning/windows-10-deprecated-features.md index 9bb45ca3af..d3cf97f165 100644 --- a/windows/deployment/planning/windows-10-deprecated-features.md +++ b/windows/deployment/planning/windows-10-deprecated-features.md @@ -33,7 +33,7 @@ The features described below are no longer being actively developed, and might b | Language Community tab in Feedback Hub | The Language Community tab will be removed from the Feedback Hub. The standard feedback process: [Feedback Hub - Feedback](feedback-hub://?newFeedback=true&feedbackType=2) is the recommended way to provide translation feedback. | 1909 | | My People / People in the Shell | My People is no longer being developed. It may be removed in a future update. | 1909 | | Package State Roaming (PSR) | PSR will be removed in a future update. PSR allows non-Microsoft developers to access roaming data on devices, enabling developers of UWP applications to write data to Windows and synchronize it to other instantiations of Windows for that user.
 
The recommended replacement for PSR is [Azure App Service](/azure/app-service/). Azure App Service is widely supported, well documented, reliable, and supports cross-platform/cross-ecosystem scenarios such as iOS, Android and web. | 1909 | -| XDDM-based remote display driver | Starting with this release, the Remote Desktop Services uses a Windows Display Driver Model (WDDM) based Indirect Display Driver (IDD) for a single session remote desktop. The support for Windows 2000 Display Driver Model (XDDM) based remote display drivers will be removed in a future release. Independent Software Vendors that use an XDDM-based remote display driver should plan a migration to the WDDM driver model. For more information about implementing a remote indirect display driver, ISVs can reach out to [rdsdev@microsoft.com](mailto:rdsdev@microsoft.com). | 1903 | +| XDDM-based remote display driver | Starting with this release, the Remote Desktop Services uses a Windows Display Driver Model (WDDM) based Indirect Display Driver (IDD) for a single session remote desktop. The support for Windows 2000 Display Driver Model (XDDM) based remote display drivers will be removed in a future release. Independent Software Vendors that use an XDDM-based remote display driver should plan a migration to the WDDM driver model. For more information on implementing remote display indirect display driver check out [Updates for IddCx versions 1.4 and later](/windows-hardware/drivers/display/iddcx1.4-updates). | 1903 | | Taskbar settings roaming | Roaming of taskbar settings is no longer being developed and we plan to remove this capability in a future release. | 1903 | | Wi-Fi WEP and TKIP | Since the 1903 release, a warning message has appeared when connecting to Wi-Fi networks secured with WEP or TKIP (which are not as secure as those using WPA2 or WPA3). In a future release, any connection to a Wi-Fi network using these old ciphers will be disallowed. Wi-Fi routers should be updated to use AES ciphers, available with WPA2 or WPA3. | 1903 | | Windows To Go | Windows To Go is no longer being developed.

The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.| 1903 | @@ -67,4 +67,4 @@ The features described below are no longer being actively developed, and might b |TLS DHE_DSS ciphers DisabledByDefault| [TLS RC4 Ciphers](/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server) will be disabled by default in this release. | 1703 | |TCPChimney | TCP Chimney Offload is no longer being developed. See [Performance Tuning Network Adapters](/windows-server/networking/technologies/network-subsystem/net-sub-performance-tuning-nics). | 1703 | |IPsec Task Offload| [IPsec Task Offload](/windows-hardware/drivers/network/task-offload) versions 1 and 2 are no longer being developed and should not be used. | 1703 | -|wusa.exe /uninstall /kb:####### /quiet|The wusa usage to quietly uninstall an update has been deprecated. The uninstall command with /quiet switch fails with event ID 8 in the Setup event log. Uninstalling updates quietly could be a security risk because malicious software could quietly uninstall an update in the background without user intervention.|1507
Applies to Windows Server 2016 and Windows Server 2019 as well.| \ No newline at end of file +|wusa.exe /uninstall /kb:####### /quiet|The wusa usage to quietly uninstall an update has been deprecated. The uninstall command with /quiet switch fails with event ID 8 in the Setup event log. Uninstalling updates quietly could be a security risk because malicious software could quietly uninstall an update in the background without user intervention.|1507
Applies to Windows Server 2016 and Windows Server 2019 as well.| From ecf67c7cab2e9f64e737f616419f6d2ec482b8ab Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Fri, 14 May 2021 19:16:52 +0530 Subject: [PATCH 036/415] removed link as per user report #9518, so i removed security boundary link --- .../applocker/applocker-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md index b7dcbcddd8..427198ae92 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md @@ -83,7 +83,7 @@ The following are examples of scenarios in which AppLocker can be used: - In addition to other measures, you need to control the access to sensitive data through app usage. > [!NOTE] -> AppLocker is a defense-in-depth security feature and **not** a [security boundary](https://www.microsoft.com/msrc/windows-security-servicing-criteria). [Windows Defender Application Control](https://www.microsoft.com/msrc/windows-security-servicing-criteria) should be used when the goal is to provide robust protection against a threat and there are expected to be no by-design limitations that would prevent the security feature from achieving this goal. +> AppLocker is a defense-in-depth security feature and not a security boundary.[Windows Defender Application Control](https://www.microsoft.com/msrc/windows-security-servicing-criteria) should be used when the goal is to provide robust protection against a threat and there are expected to be no by-design limitations that would prevent the security feature from achieving this goal. AppLocker can help you protect the digital assets within your organization, reduce the threat of malicious software being introduced into your environment, and improve the management of application control and the maintenance of application control policies. From d2ac95dd42b02c1051e2fe8e938afc1675a10bb3 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Sat, 15 May 2021 12:54:39 +0530 Subject: [PATCH 037/415] Update windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md accepted Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../applocker/applocker-overview.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md index 427198ae92..0a97c8aeb0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md @@ -83,7 +83,7 @@ The following are examples of scenarios in which AppLocker can be used: - In addition to other measures, you need to control the access to sensitive data through app usage. > [!NOTE] -> AppLocker is a defense-in-depth security feature and not a security boundary.[Windows Defender Application Control](https://www.microsoft.com/msrc/windows-security-servicing-criteria) should be used when the goal is to provide robust protection against a threat and there are expected to be no by-design limitations that would prevent the security feature from achieving this goal. +> AppLocker is a defense-in-depth security feature and not a security boundary. [Windows Defender Application Control](https://www.microsoft.com/msrc/windows-security-servicing-criteria) should be used when the goal is to provide robust protection against a threat and there are expected to be no by-design limitations that would prevent the security feature from achieving this goal. AppLocker can help you protect the digital assets within your organization, reduce the threat of malicious software being introduced into your environment, and improve the management of application control and the maintenance of application control policies. @@ -143,4 +143,3 @@ For reference in your security planning, the following table identifies the base | [AppLocker design guide](applocker-policies-design-guide.md) | This topic for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker. | | [AppLocker deployment guide](applocker-policies-deployment-guide.md) | This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies. | | [AppLocker technical reference](applocker-technical-reference.md) | This overview topic for IT professionals provides links to the topics in the technical reference. | - From 216136c019ef0914ac7a8dd7d50be130f2b80bfc Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Sun, 16 May 2021 23:10:53 +0530 Subject: [PATCH 038/415] Update policy-csp-deviceinstallation.md --- .../mdm/policy-csp-deviceinstallation.md | 166 +++++++++++++++++- 1 file changed, 161 insertions(+), 5 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index 79e777d78e..60a04ba2ad 100644 --- a/windows/client-management/mdm/policy-csp-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md @@ -100,8 +100,18 @@ This policy setting allows you to specify a list of plug-and-play hardware IDs a > This policy setting is intended to be used only when the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is enabled, however it may also be used with the "Prevent installation of devices not described by other policy settings" policy setting for legacy policy definitions. When this policy setting is enabled together with the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting, Windows is allowed to install or update any device whose Plug and Play hardware ID or compatible ID appears in the list you create, unless another policy setting at the same or higher layer in the hierarchy specifically prevents that installation, such as the following policy settings: +- Prevent installation of devices for these device classes +- Prevent installation of devices that match these device IDs +- Prevent installation of devices that match any of these device instance IDs +If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is not enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence. +> [!NOTE] +> The "Prevent installation of devices not described by other policy settings" policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting for supported target Windows 10 versions. It is recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting when possible. + +Alternatively, if this policy setting is enabled together with the "Prevent installation of devices not described by other policy settings" policy setting, Windows is allowed to install or update driver packages whose device setup class GUIDs appear in the list you create, unless another policy setting specifically prevents installation (for example, the "Prevent installation of devices that match these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, the "Prevent installation of devices that match any of these device instance IDs" policy setting, or the "Prevent installation of removable devices" policy setting). + +If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed. Peripherals can be specified by their [hardware identity](/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. @@ -395,6 +405,142 @@ To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and

+ +## DeviceInstallation/EnableInstallationPolicyLayering + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark5
Businesscheck mark5
Enterprisecheck mark5
Educationcheck mark5
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +Added in Windows 10, Version 2106 +
+ + + +This policy setting will change the evaluation order in which Allow and Prevent policy settings are applied when more than one install policy setting is applicable for a given device. Enable this policy setting to ensure that overlapping device match criteria is applied based on an established hierarchy where more specific match criteria supersedes less specific match criteria. The hierarchical order of evaluation for policy settings that specify device match criteria is as follows: + +Device instance IDs > Device IDs > Device setup class > Removable devices + +**Device instance IDs** +- Prevent installation of devices using drivers that match these device instance IDs. +- Allow installation of devices using drivers that match these device instance IDs. + +**Device IDs** +- Prevent installation of devices using drivers that match these device IDs. +- Allow installation of devices using drivers that match these device IDs. + +**Device setup class** +- Prevent installation of devices using drivers that match these device setup classes. +- Allow installation of devices using drivers that match these device setup classes. + +**Removable devices** +- Prevent installation of removable devices. + +> [!NOTE] +> This policy setting provides more granular control than the "Prevent installation of devices not described by other policy settings" policy setting. If these conflicting policy settings are enabled at the same time, the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting will be enabled and the other policy setting will be ignored. + +If you disable or do not configure this policy setting, the default evaluation is used. By default, all "Prevent installation..." policy settings have precedence over any other policy setting that allows Windows to install a device. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria* +- GP name: *DeviceInstall_Allow_Deny_Layered* +- GP path: *System/Device Installation/Device Installation Restrictions* +- GP ADMX file name: *deviceinstallation.admx* + + + + + + +To enable this policy, use the following SyncML. This example applies a layered order of evaluation for Allow and Prevent device installation policies across all device match criteria: + +- Floppy Disks, ClassGUID = {4d36e980-e325-11ce-bfc1-08002be10318} +- CD ROMs, ClassGUID = {4d36e965-e325-11ce-bfc1-08002be10318} +- Modems, ClassGUID = {4d36e96d-e325-11ce-bfc1-08002be10318} + +Enclose the class GUID within curly brackets {}. To configure multiple classes, use `` as a delimiter. + + +```xml + + + + $CmdID$ + + + ./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/EnableInstallationPolicyLayering + + + string + + ; + + + + +``` + +To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log: + + +```txt +>>> [Device Installation Restrictions Policy Check] +>>> Section start 2018/11/15 12:26:41.659 +<<< Section end 2018/11/15 12:26:41.751 +<<< [Exit status: SUCCESS] +``` +You can also change the evaluation order of device installation policy settings by using a custom profile in Intune. + +:::image type="content" source="images/edit-row.png" alt-text="This is a edit row image"::: + + + + + + +
+ ## DeviceInstallation/PreventDeviceMetadataFromNetwork @@ -520,9 +666,12 @@ ADMX Info: This policy setting allows you to prevent the installation of devices that are not specifically described by any other policy setting. -If you enable this policy setting, Windows is prevented from installing or updating the device driver for any device that is not described by either the "Allow installation of devices that match any of these device IDs" or the "Allow installation of devices for these device classes" policy setting. +> [!NOTE] +> This policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting to provide more granular control. It is recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting instead of this policy setting. -If you disable or do not configure this policy setting, Windows is allowed to install or update the device driver for any device that is not described by the "Prevent installation of devices that match any of these device IDs," "Prevent installation of devices for these device classes," or "Prevent installation of removable devices" policy setting. +If you enable this policy setting, Windows is prevented from installing or updating the driver package for any device that is not described by either the "Allow installation of devices that match any of these device IDs", the "Allow installation of devices for these device classes", or the "Allow installation of devices that match any of these device instance IDs" policy setting. + +If you disable or do not configure this policy setting, Windows is allowed to install or update the driver package for any device that is not described by the "Prevent installation of devices that match any of these device IDs", "Prevent installation of devices for these device classes" policy setting, "Prevent installation of devices that match any of these device instance IDs", or "Prevent installation of removable devices" policy setting. > [!TIP] @@ -630,7 +779,10 @@ You can also block installation by using a custom profile in Intune. -This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. +This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. By default, this policy setting takes precedence over any other policy setting that allows Windows to install a device. + +> [!NOTE] +> To enable the "Allow installation of devices that match any of these device instance IDs" policy setting to supersede this policy setting for applicable devices, enable the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting. If you enable this policy setting, Windows is prevented from installing a device whose hardware ID or compatible ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. @@ -874,12 +1026,16 @@ with -This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. +This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for driver packages that Windows is prevented from installing. By default, this policy setting takes precedence over any other policy setting that allows Windows to install a device. -If you enable this policy setting, Windows is prevented from installing or updating device drivers whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. +> [!NOTE] +> To enable the "Allow installation of devices that match any of these device IDs" and "Allow installation of devices that match any of these device instance IDs" policy settings to supersede this policy setting for applicable devices, enable the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting. + +If you enable this policy setting, Windows is prevented from installing or updating driver packages whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings. + Peripherals can be specified by their [hardware identity](/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it blocks the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. From bc126a70555eb8aadbe4239c226d6c5cf75aacb6 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Sun, 16 May 2021 23:11:03 +0530 Subject: [PATCH 039/415] Create edit-row.png --- .../client-management/mdm/images/edit-row.png | Bin 0 -> 14669 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 windows/client-management/mdm/images/edit-row.png diff --git a/windows/client-management/mdm/images/edit-row.png b/windows/client-management/mdm/images/edit-row.png new file mode 100644 index 0000000000000000000000000000000000000000..95be3d8a0d845d1de4c69d74a40c07e21f0c9769 GIT binary patch literal 14669 zcmeHuc|4Tu|L>H_BS}$OBqc^<$u>eLLSxU)SduZq466ATa2Z`Fm{HqjHQxg zn4#?Bwj^8jY-1hHc)s7)InVi?-|w8?@0|1BIe&PWYwl(4>$|4V?TIZJ;|@8N6BUcQ@(Ze1Q2(sD+0WhiHM>tVR}e?)O*?cqbgpN0(?HpCEWR*eLI; z-^e6x3^m#){dUJw5^pKfdz}e9p!e_lMSvmib>%hs1sl!8S(}W?A}&J=swN-LIf609 z`JH+zgE)H9FLm0aGE`JCv1802xyLfb^~an z12rpzuOBNpB!JFz-whl+vyRp{>l|XbAEOtvJ;m8KbY+#L*XOA&A~4@R(md6<47uAi zLwmQgP`$X`l@YuiT*K4hJ2#owxO)R9o~R6YCb9*o+ph0I87x)}(~4w~iO(m1Oc&Wi z!cmZzNzEm$>w^ypkqVm~g06v8(prhPYH1q>H7PEBg!J91r(F=7NTSc1x{SIHuAO(E zHxZ1wiuv`@MaXxbdqw5fO(--%WK?K9qo4d84&ID)0^%4SyND5{7f~8u($8ZUGd!|D zbUdfgbbl#0wH?LFvp?FUm$BWKVtBA$vN`%~oLf8zHPe-z*ph1#xG*uD3O{Ik*Q(l? z)>pK)h4kn`r|ndcavK9Wh@MkZ3i}N|O^f!Qd?cz?ir73`bl}b033c2X39jBA5imC2 z&nnq7Yut71T6gV(jco?jXFNIKQA^!LO3nU0pZF?e>)4B^lrFqx4u|02g9N1i+Emvp z@@DYXOWyEgma%MvBY!or*tLfFnknOc&1fh9 z+3GD$4jTfR#Jrv0t6R$g9vzfXBrC7zkrz?0>G3!+a&0(ZjiS>9k!p|YK4`=T?++@+ zeIG_D1n*OD;z19`RDdO3s!x~nv~|3+=>^!RTtIJs+QF>ylKx20kC(ie##QWeoyzu4 z3OUxaexzwQFX);w>E~D2o3SH#`{9AoszZCLX+=gsYpbK1bAlY0Ow^9=8T#bIS@#QN zkWam9u_f5iCkG;=MEcm~eS2}`q>{k(vfZi^vVG(did7KM6!UBJ%NQrzH+&U=Sk(pjgpJ;;dgM#}9?+=&{^akoy-(MmpmJCYVd9)nfiS>n-fkDJQC zD^D^kwcLylk-0ySnW8ojMA}aRhCM=p({_n~>B3g~E$}D8=+bsZW1Te|HWA*P^v z(sAWFa`Y_0&9R;9iu`lWm!pA38hzVCPOjo1Azk?ZlleA?)-nbZbCKq30&Kr)1#7{9 zZCQr}WBmhv>gq{E%$335c`sh+8n5kTo6Qx*(ZgM!i2KxkwBG-1VQ`K`HC}9-x9hah+yBy^k(s_#5Hq$nmAsg?wtB$@YHV_A zGjQFGUAu2@Ttj0hT+1GY;AB;P{>jB)SWd#3OUsp)=-RIB@5kA~!QGzQUr(Q%pzMgB z0=+<(p$NFgYv0k4#ncF3sd|F8+mwyF>OU6^ELX3+4cl;D+Bh3L$Z6npklj zKRz-cxzTN=r!}U=*u6I%Me;-urlKcT8S9+>MGOSxbQk#YV#V@y9@5`wl?2zu+D-o+ ze|#SIT`TZOU%nuKhWJ9kT1{~|*9(A-1iv_^2}C2k8NRdSJMaPU#eZE!FT~(#<|72r zNi>d|7o?6n4z%>@Gk)s;a{YBY~R>hng5 z-d&mP>>A3n6!dN1@I;jQlAB;6uP-&Jy-ffwsvMtoqFmHc0Pkr2RR+rV*@8e_gY>WQ zMDuZv1L)+tXXuERZguBRXj^LwcaPd^8b14V^hO&*2DN#e=eB00d!xT+vn$_1kMlJE zy*QT~KPx4B{|M-;^x7uyWjukHJ}oI^<`l|4pZl7=d%~8G;?;+B#*0?^Nyg?c8Xiw{ zlkFyZPMf2(2`q|AhI@E^Xcu&n3G~q-1R0`l*WMhg#SS{dNhLtwpw{ybL4()Y2rZ#8 zO~)=gJOY}3^Iw5XD#o=T<*;>f;@`tDf1B6;bHKxPzzkxbqBs9hytGXp+YvnkQa7!V zEmar*>!kh6?x@D$htS=BAg>p-+A(zaZ>yM~pf%NVCv&K3(UrLGyru=TU(O)viC+8P zBQaMM{JJ|qPqB8&cjeZJF`{YCcZb^`@5M4*eShr<2Spw$<=aeX)Fm9zVVqhb4t4Jo zoSQK+C%)eMZ_S?OcPQmcayOehL607^5#|;i_&6VYpCbHBRnr-&DQg%B*Ddsp?@QTV zwOI1Cx6yE}$+3Itu2Y+)Fj$3p?rwYD%9w_N*|YaiRTXm#YBo40@CCDA{d6j9F7=(F z=?16w=ay9rzOme}a|Z$JJ#~QjFaN4bH=b_s-rz~aOF5(V6HTY)C%@4R_C(IySEPb@ z_YGhN+F7kPs02O^rd1_!;iF@JhLxlC?+qkU3a?< z2iBD7J2Q;75)0HPx$-&v=PbBOti7=X;mD|4*ICzZ;sf!$)6j*0Fy}o|JwIi$x!a@Kt17=cW zo35kF_o?2$w&M0F>6}Y;ya<^6W9OP)zUG+4?CE$;J9;v%odIKa3U?hf{BApkCXSX} zu-=)=S&rr7B%FNOV2?+Q|NcQ3Zza>N~ZVy&@M(bT&a1ny$ zT;a)GKPgr*tw9_Lyw?vlH_H-hr>Y_!$V)^aEbUnME2U~1G+YbR*lzV1n0q$=ei_&4 zt@tg0OUhpscOs|1b7g|o>d=_vX?+Puj7Ry2;+gipyr+hT*byx{L_-YcCgH_bG%+9A z6TUW5*B&R+-dW{aeK$0n^RyERbT7uW6BTL?ILr(2xb1a(t*4`~05JJW zK0jGAKeR`+XYS9FM087~>ZjZi;tCb!XI;0O;h^LmUvxCpm5MAl<(YS{yG9`QxS>#Z zNE${v8|UF;E{=v^G?lvHYH~U4*>W`<)f5EUA`dI|;b$t&W31tNk9MaXYTNHE;KNBy@2xvtMM^ZXOBT`a^1+XPeX1))EGTTPeGTxYEdn91wN?@r>c(o{`cIHTkD@F-U6_?x90eI5k? z6RS%tp=I?W?Dy3}M0zaqE?V$?6%NP(`SljKZVNCr4-Bd2byRZ!}xt;@fWn zdmD;|CvrQt``(fZV=DvLHC-OmXpZouByxH#ishJ`dT3YaI2NwZ!Jt(#C2AkPU_0b4 z*kN;OKHY4#T!BFVC)2o`8fyPo?SOg|g7a27DrLa_H5IGzh+tjsRokV8F9P3L+!7ZD zR(-m{hHFT4;+|>M3?b)w-1Jzu)lRvq;+N+z$lzCD{9=AVu|*craO{+q+_QFj%$2^N z-YF)=Gs3EH3=%DX*U=4LoYvp8e`pggJ@H~g55?CBE_)t`$r!O`vYf~Hlk*~gp(WWv~X z`j|N$$;t6(HKYHl*<27zCnEp z^+r(Ye&8FH2u`VVqf~sO;s~${120Gw{GyX;#=x8~Kd*|{LiV*q;=np9G-G;GQ5=oJ zjp#2BR&VI|5r>yEh+_z>f*;Y}_`u1mu4BZjN72I2PjA85XA=ncK^=v+TaG7CQv0q% zQ~`5;K+4*Y#GSc<0ZCwzZLyJzz@#MQ-Kz9n0>)qtgcQevtnkLo6NM!L<)U?;5nCQr zaNv9sGdYnqdG>*#3pY35sx&D!xj-60V3tgD-&X>jl=Yf!#o;`537?yDJGToa*XK%( zKe^R7rG5XUE zu-dX9QS8ehHeTIvYqo_k=eed&hH+S*64$yX>YsLeJ492AU)P=4UJ_eL%jQvL!H9WZ zNFqV5FOGPiiI#0s2u$7NUgS%PKMXI!iTC~8E)p2kIq(^=Je~G zS}@F%chnCiL=4&VbXGQO0xzPPyEg%@31&B;S!Z-q*@fHO*XZFsH7{7tFc8xjIRJj9 zXFdq}I0vqsB-L_M>?Q+CseVNo%66ey-`%nm6Wxi5{1h66WP0*c1OQ1h6tgGSfEVxD zAlJe^`zZS@{DLYly-$gz|DOD|tfbDsWU`91_|HCyJKGfYM>i7?7v%b}>cMrX8i9ub z+&^?RYMCALAqhM8m*{30f9#(kT&fNR634)aD&|uMu1uiEO@AqMJ>S3I{|ied9{6yB zUa-xiIu{>q2>r6`!o<+<92i2STGL;jvGZuHHppXNDGls0_tjyKt{I_on)s+I&KlU< z{DLiJ7X{_tN6OjEGOi%;t;rB^K|slpJH>bjia&&9<6 zog_v_!R2g!zGU>94|s9$Z%tuOg0aJnxbvmd;>{`J69n&5rVFP^v10F${~$awTGQf9U0rpNry@G)i@liwlLp1n-zvsl`8Zgy!G_f zOLNO~QY1$zxbp#LNRm|V0jnzd#)j>?B0Itecm$2A{)EbA6be_20_ttFJcIXJSW&ju zJnV?%Ke{x2d>OxQ*wft~Y$Q9V6mXA2tE+a@vuYwSgrO^T&_=)en)hrhI}0;3F}L(l>g#S0`+CliobAhs7Jq?O5|P1clG7g>}8Fd|mgk zu{%+Agih8POEA?W*uF)TBDIc!FFi7L5Ugz%e$3y36p=HSz|VaBED?`_a_waIN=y&1 zEfwUnpp<}Y&apexr-Kn0h)>}=q8Jp~32_rqtPQ4ORoa-}Rn&df7KgaRpAV#WjO`HC z!M0gW>k_sDXveM4EQr?rX% zDJ)}4Mxk$U+@8INrv$Y5qSaGg#P!9WHGYQ*x^uG+s?6Y`E@=z!+EM1~`Z0dxI#|!N zyoYO4Feh(citW}P=KKJkZa6cOc+fI~7?>ymX>m`<11WAiwP?E&l3L`>IPLj?yPeE`9MY^<59#2v4 z#5uh~?f=Zyr>@C5A(JyveWuK=50zOA3~xl_s0Ym=<6p!TJuKKmde~x%M1VatT|>C% zI~J*OHcDw3qoD3pe`OPu&F}E#$nJawi{Uv3QF6Hfl=5vLFswz%eO7siF#z((_H+YS z8=LkFkfd@&1HI?fh))!$)47Vkr#?+VMB5*QAJ`I59C9O=5gid0bhGQz?LQJ;;OfVc z7$eL1PPofbWXc|s(bhPoPWbR>!vPbkA9p>P1YyB64wt>!MU@xVMqzU)bOUXVkE(+d#? zy%79Ca+3t@L3~F7!*bqkjgFV1|Io=qSY@JAuuU%K%h?J_KO%cR+u?O6$Gf1lv7Ev) z-7-lL>Ox@Tm&?5Fx7s06R=a805n{Ny@fPObSXmcNaQ$$9ri7xncJPR0!K55inzVy} ziOiZE{Rxu<#BOp#roj9@wJ=NxiF0584!SVT{_IG>14h&G8x^}$HX9YWBm9w=&w_k> zfkArbi|!2Yzhph~H_p4s#@>0A_28TG3q+jV;=X@)zHvF*)AE!XJshr*ep&iADPr!0 zJSiFZJIZHD-TxQ7|39mc<*^<#zEz1ZF*!H@yc?DS;oPNn_m?4OD02tP-U9;3v8Ye0 zlMYaYZdi! zr0xaw3my_%*~BnxCza|2QSR=OdRDj6LurxrDRl*YPpWJLc+vEIYMl3~wTpAx8&E}4 zNzorjq?f1hcHgxZ0Yc!`?=Qj`bvCN=jCoCsSfYqdp@kWAGJvhsBoeBJnii4N1woiWOxZG)@Q9bxd&C?DM%|#Vv$k7g3t!9Oi$|YQC9Pz#GE-a1dFR?Ia zhd82ZLWm4y;d^!wW2q3ma`n`jNFq!=){jVR(&k8fS+v>^PKC%4oCkiq=*YiYThLsN z%9f(O_H>bw6bD+y4#vY}eeMQL`DeGiCJ!C|Cx zb_HzANgKKO9vT4sqVWOH`p3W<$zXOmY)>wNorhorZ z;A%&49_&!{=x@Thy`PY+^{q*_UC&NrIYm~tXzHlmGHn`OMR}5maw79D$Kcp3P8;jK@kU*84=G*$CQOZm zla^Fl@x+qt&z4%iRs6?U_}uTu1y>yxQ}u7P2kpE}ezOe@Ic+aU`Pi^RYBh9ySk9D! zud2`JC?TYstu$c(npYN)(Vz|F@8^}fTP^lW@4 z@Kx(|&o>pj0w%$*Cis74gsh7Ue!i0!4Rz@$;pBaMf16+$%txb8mmQ9 zAh?x~Qe24LPVCAe$`xUCfy2q-OOs7f#Uee-sL1*ehl)euTWv+u6V*-v%+jJeB@kJ9-w{6~@U5G~)aT4UWz)|~`|-=t}} zI~6Q5B}xZ(>%QSl;MG8y*0#v9;)|+`MzK&rEz&t?t$({Ga@ zjYdkptX8Gci;Z~w0@=H)e_KiddvpSMq+tm8uWChUS}k6bj88+xsJUV5k|e0w;MwC$RNmY{-|@a{SINTb*wv&OK_cPbHS#8eLDCdA#DFr`}gYcM_g46DHFidzalT0%dE8O_K8=$s)wg&(7O zn>*(QFjVGUYbt`3bb41e;3?_#vI#!osr;t-yGvD2S3lqUXHAfw)s(PE%x}3#7nNhw zq|-&W*9_*kt4MRu{%L#eZ>92h(Jgo+qu0+cX~9#25*Kg*aXl3-C48cnwsCFWkATDP z?KovvWQ#lQJaM(RhYba|pG8-FJl3LO{llI~h6Kqpiv*sa2%$pGdbkEjvyM!PqT|HX z+tBoOCK)Q22Rw_`e6Xgi0V%WG9YPkcu{3g{p`_6;7#Z;{e&|;7F({))o+JukUEvHF zt57n6;#OIuj9Ai^!}g;KTDA8wwnS@@7>3ZN^IBOpull5N*`neN$uJl{U@3iKUiNX; zn5)z*A5QA73{Pk3srZ(CO1Y~!%1rokv$~Fnrv#T}{He`wWK(Ls6tKtcW&r`n)Pua* z_Q?_$_T8g&lClgh9Ck<3aIz-@svydJw^k1)Cqd|VptT>Fe~^aMdJ9-`Qy*AO5Z1#2 z2r0DlRmwF~uC&im4&LGz)a-=}e3EpY$MCeXN_p)4dAyO-#u)WE!`#kkf_31X5M(?;QFJM} zZ&E64Gs?Le;m|c&KjM!Pyq{h3;Y~hdlVRiPekS!NkRNJ2BAWK=i4gsWPpT0?1RP87 zq7inH4som#swn~2r?gB5{-#bVNCXf_x|$-1i=5IV-X#YStp+wMXyF3r(UIO zq8S+Aie3`MIDY_(jG>zicL^9B5$ANg&bwjBoE*_Vk<0iv`j94?TKH0$aIG`cL}Bjzv5< zuUfPIN~NW@jMoVt11gvLD?*!v{3v>)Kgt=eBh$Nr*!=pomjC+R^I}Al#kXMG2IqL> z^s9{8gj~}{K)wP%u9*F-ESOR&pHE_C32sD{qAx$+j*9eaUDySWSTDJoZZR$mhL!c$ z{w^Y;XED@SpwhO}_LZHqsAk6yHK9&38+nRT_^d$Om|($R_9#d{(Q_}5fU z#kSaP`$XBr;jKq`s=dz2*pJMPc0x3q-gDVU)$n)s4oW<4FUvcWA>=a!?w`f^o6eoE zU48h_XuMfH*ckttvE>AVw@3U|G zMjLeggJFRQc>MTFIQi#RwA|dyLlHxfc9~(Rd6BMo9olBiSN++p121af(efulyBD6s z)Q2&kvz4R<&*9n2TCG*ZT9CV>w);ZfC-U^B^I$sLRWn!VLsp&VR{)58;~ z5al7NiCE>9q;&n`Ne<7* zuTG64~DVUVId!O%Nx?l2u*G6D)0TCj&3aph&h)M zYfc22=}zadMn#vo25eT^V5rHN2gPp~N=v(%bpyS~!TKO3(?PgtHELjAbtp{^#hx~F z*uO$Y0!u^{B^`@!K_*`!S5`1kc$65vNrBViFGRo1q|{iPFpi72i-)(n`pzptjw~sV~ADRySe-?aH3R{BS~y`_^XR z0Bo-@uykPfbnh9|?-wL)+_R9H-fEN!veDc$>}lnp=fFR==cbP}K9Cm*41sgrubz(H z%V=0?ad4gWU0L$a*lyDyoXk_5&eKXB$e@SSpPSWk8ph(=W&gnI99@XGA>926VZ^Hx<#w{>=OLG_ z45hWbT$lI~1OCy;0xOV+phs^Xm(<>>oDm}oP%0wjB9+)se|hbA*1Z$~;N}Gv2?<)3 zsST-Dgd1tFP&N>YeFJFwLGNtOM{ZNOEORXVhNoo{UR%lo0dGPtNaZA0gg`zC!=r1P zBQ@`&Yu}YWmY~!C-QKrv{0v8^=u`lVt_Ah7B0hJ zxJg(D>3u0;7$I5W-TOyj1o=_bbKga(hVh#sF!1FWET1jZ-Ij~fRlI(S-pU)8-T65F zuSsD~fPV6HCFq5|9ysB#T(y1f92(Z~7BG6ZxHx*N8Pa3dPzvL8%m+B^WD4uak1lXQ zZ}|I@PY;+RqWlW4@c1igW?e0Kl)fc6Roy;f;pfQ`ULuxMKqZHJMzQJ zp=X%o&o)h`Bn=#Z>CUo{T^)94J@5dfSb8}nOU$abhj*u}rFSBF`gB^bZuuw@e}v?L zPKc@>v@5yJ(CPE`((ej*G%^S|;}VJozb7<8JqqmH6duN zC58M_ExeyMn@05bVfDeT2cS-Rmi=Nbk^ao>hXV&jQo!$3jVXo!e60G{bYuW z!4No>YG&5{nHjjzW7y}^cQxo1Lk;nY3qjEaB@T7yNi*WX=m#gS&z&V#7^U<-q2|`! zE-#W-_-?$U>@;(EJw7hPVByr6fm%4`%AJuSx`uPc>*9s^UkaWdi)XS5r0DLyihi2U z36S4zEEapnCLPKUTFbw1sp$!ReFqi`{$8}$x_Bv8V_#KTQY|>T5) zXa#aYDVObmy_dzJML9|3w?YhEOQw&5Co$c%ri-I~zo`%(w<_(rz~@hQ>*HCSS6Iy7 zZjcE>{P7jsshw1eG2(x$$A9MBrV`wqKLy-dD_)@j{sYFlRw2*VB72jw|B;(e12Eo(g?mYUnF_CtktH-st;{$=LR^|)|2@BDu3Y##i>$}r-j6gZa2 zLEY5e!uyn7Y7)b9s@yZE(s6uTd%0M95z6TGpGpcHMkCi{mAe&x_{Un!IX)84t@p{6 zBy?bt)23t-$y^&9ai^a8l-PH@Da4>+`DXf2E;9nJ%jx1Z;l5M^$FFSP9ITi!;CUyd zey;TF`RrtCdAK?P;;$PTD2%N#hZ$0Pe{aYCcSpEdE%Y zop%YKC1qS#ZkS1l8HN|U_;Zd7+2-%qe)4oKEq%bjS8lsKfh9j{4xat<^RdKy5udqI z7WTB$Ud01ifm%I@5z?6`)^O&Hbm97>f`p2-4+4n-i3xt{K7+&_!UgvXl<2&(4}nk1 zM4b50WKx9s@zs5uxj?CTP35MZx$H}IS1OBj8q_X7hZ1V`y|m7|=LZ`ufBb%qJH;2S zM!#H;(pE?!Y%{Gg48Fcm&6Yez^A7DcVWts9?8}A5)97p4X>Mwq5Qe4ytx_%Ynk0JGMJKQ_vab*3BI4;)vPd_mD`k7$~lc{Tjo^ zY3C9@n^u7!&}(bs~yuRa#Vzm!KinpS(MSx_0%02io4%7i_h?F?0S{s ziZg>-{N@aD&1pIA)D1POxqaz0=ZpriZ$I;o0e8B1`HC05lZqV`;c>j*hO;9dJU4bF zSS9T}m>xI^iO#|6gz9T)`E%GMU16OrM~h2lGja--b5a6MatmhFUIXC$Z)(3FSv8~< z>u=;vo?#VN38N-;*1VV#yfR9XGi~wUQH7E(rrc&l#4D~OTlY}0C!i@OGSXmygcOge z5_X6ApC3C4C-HY>0Y(%7%~`8=LE)LEO@x;XDtii!VH2M1w;GjJvwBHpyDN3FH*Q*0 zjOur9s4B5<%3Nrg&*7pYwxIOwxxhY&^HyjSstC#?6p~ow?5fv}^qZJ>9l`4;jm^1# zouQ_*H?}rj&Ze9Ada&oVmpf8}2jAav+2}M=zX7 z&89kxX-AF*2jcS^o?)~L+Hl%zr*NB^*ySSaMdPu{<_Q!?UlFlAS?aeWkWYg2#YB>C zkc4FlwCpnVK1a?7ZZ4m46$p!}bF(5r6r@kRW_w+yen}rOR7l+Df+WInI!BjWJRV6@ zdtg7_!k|`lypqMH?j`DFq|iiPzI8m_g>LiBZyqr~&+6p-pkdG$lsp7^60uZ8-L>7> zbE$QwV!yNqeiYOSRB5Z=jU97R_ zh<;i#M!0z1^s_iqp7|PQ4`Wea1Qp`IYFyN37<8e4vRXSc)buEK^T~2iopcIp@1n|7 zY(A+5j8j*}rpURi`)X9)y+i1*EHH8~!$)>Nq!yW_KM%H9gVwvCnx@l!)56;?A8n;& zmkf9JjE(h)&OjZ7UiXAFH*%X}0j33sAFz8kDfExjI#ywKjC!_T2!_h6R_qXEx zSMYxx@=R6*VDk05gL5qX8qLaTK5#gUO~p#3x9fee=P!FP(IG}0;tvKJ z`!`~V|B_NXY?kgIJNDWkF9Z&c;1&ZGN($`{&?W+OJrubF>9F5Y_QSNM?DJvFky{xc zk5ym3`}}yP%9 z-(CyDI!Q#m0mvpvodkGNY?Hbg!)y_WL(#^1svXy6_GVgWnCIxr^ch-m7bN1!W(la5 zR{@fUkVZ&$C;ZOr>}`j`GCZ%C^fg{EtJS-vboiq6IP?E1#4=!oU zSdM+DIq?%gMZ)sv;x2xo&~HP*>L&{?93C*civnjFscZ$)_{}Rx(N*N&TUJVdrN1G$ zanu^eND!9gKIGSdF>-w4%F0ar?1!VnFg3N}1c!q&_1M15U9AdD%((O@G^Hxv8SN`O z$iHYYU(>|=;Lte|Nk@TGXp74-N8-MkEzt=-yi-LIzoY4{LrY_*k`~5<@XdSR4eW_8 z8@rq{^Egx)B&pbVlJX-yMrbod@M_7$%Y%jnaY-z9*Vt1P!UP55VVh=M+}0oC+EaJb&%bE z%tywNZ^syK@-XK5zmuH(H>T*{a<%_|>)%tx|Ids@kt9%DGtGEO?yo8KH>0*GuqotU zqBL;sZ*WEcM_?4buFfExR+DB5l8VMfCX3@$|LQxBZ~jN4<$ooC{x{y)`#)o*mhL2h oLnToEV%5L#wjj}GdH>*eH8Yc0#MMs5E07?ln(l*QmB+9C3z7T%#{d8T literal 0 HcmV?d00001 From 5747f729ecdd653c691a89a2158363319878d75d Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Mon, 17 May 2021 11:30:47 +0530 Subject: [PATCH 040/415] Update policy-csp-deviceinstallation.md --- windows/client-management/mdm/policy-csp-deviceinstallation.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index 60a04ba2ad..7212d2497c 100644 --- a/windows/client-management/mdm/policy-csp-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md @@ -30,6 +30,9 @@ ms.localizationpriority: medium
DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses
+
+ DeviceInstallation/EnableInstallationPolicyLayering +
DeviceInstallation/PreventDeviceMetadataFromNetwork
From 3686a52369a093a6146e752564bfaa3ff5d5b6be Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Mon, 17 May 2021 10:15:43 +0300 Subject: [PATCH 041/415] Add info about UPN matching Azure AD domain name https://github.com/MicrosoftDocs/windows-itpro-docs/issues/9386 --- .../hello-for-business/hello-hybrid-cert-trust-prereqs.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md index d867b494ec..298d1d7986 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md @@ -74,6 +74,9 @@ The two directories used in hybrid deployments must be synchronized. You need A Organizations using older directory synchronization technology, such as DirSync or Azure AD sync, need to upgrade to Azure AD Connect. In case the schema of your local AD DS was changed since the last directory synchronization, you may need to [refresh directory schema](/azure/active-directory/hybrid/how-to-connect-installation-wizard#refresh-directory-schema). +> [!NOTE] +> User accounts enrolling for Windows Hello for Business in Hybrid Certificate Trust scenario must have UPN matching a verified domain name in Azure AD. More details [here](https://docs.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current#troubleshoot-post-join-issues). + > [!NOTE] > Windows Hello for Business is tied between a user and a device. Both the user and device need to be synchronized between Azure Active Directory and Active Directory. @@ -152,4 +155,4 @@ If your environment is already federated and supports Azure device registration, 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) 4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) 5. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) -6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) \ No newline at end of file +6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) From 344f5bb97ccd5ddc8e2c13fab30d4bacf8e7a2d2 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Mon, 17 May 2021 10:00:09 -0700 Subject: [PATCH 042/415] Update windows/deployment/planning/windows-10-deprecated-features.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- windows/deployment/planning/windows-10-deprecated-features.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/planning/windows-10-deprecated-features.md b/windows/deployment/planning/windows-10-deprecated-features.md index d3cf97f165..492f0d70e7 100644 --- a/windows/deployment/planning/windows-10-deprecated-features.md +++ b/windows/deployment/planning/windows-10-deprecated-features.md @@ -33,7 +33,7 @@ The features described below are no longer being actively developed, and might b | Language Community tab in Feedback Hub | The Language Community tab will be removed from the Feedback Hub. The standard feedback process: [Feedback Hub - Feedback](feedback-hub://?newFeedback=true&feedbackType=2) is the recommended way to provide translation feedback. | 1909 | | My People / People in the Shell | My People is no longer being developed. It may be removed in a future update. | 1909 | | Package State Roaming (PSR) | PSR will be removed in a future update. PSR allows non-Microsoft developers to access roaming data on devices, enabling developers of UWP applications to write data to Windows and synchronize it to other instantiations of Windows for that user.
 
The recommended replacement for PSR is [Azure App Service](/azure/app-service/). Azure App Service is widely supported, well documented, reliable, and supports cross-platform/cross-ecosystem scenarios such as iOS, Android and web. | 1909 | -| XDDM-based remote display driver | Starting with this release, the Remote Desktop Services uses a Windows Display Driver Model (WDDM) based Indirect Display Driver (IDD) for a single session remote desktop. The support for Windows 2000 Display Driver Model (XDDM) based remote display drivers will be removed in a future release. Independent Software Vendors that use an XDDM-based remote display driver should plan a migration to the WDDM driver model. For more information on implementing remote display indirect display driver check out [Updates for IddCx versions 1.4 and later](/windows-hardware/drivers/display/iddcx1.4-updates). | 1903 | +| XDDM-based remote display driver | Starting with this release, the Remote Desktop Services uses a Windows Display Driver Model (WDDM) based Indirect Display Driver (IDD) for a single session remote desktop. The support for Windows 2000 Display Driver Model (XDDM) based remote display drivers will be removed in a future release. Independent Software Vendors that use an XDDM-based remote display driver should plan a migration to the WDDM driver model. For more information on implementing remote display indirect display driver, check out [Updates for IddCx versions 1.4 and later](/windows-hardware/drivers/display/iddcx1.4-updates). | 1903 | | Taskbar settings roaming | Roaming of taskbar settings is no longer being developed and we plan to remove this capability in a future release. | 1903 | | Wi-Fi WEP and TKIP | Since the 1903 release, a warning message has appeared when connecting to Wi-Fi networks secured with WEP or TKIP (which are not as secure as those using WPA2 or WPA3). In a future release, any connection to a Wi-Fi network using these old ciphers will be disallowed. Wi-Fi routers should be updated to use AES ciphers, available with WPA2 or WPA3. | 1903 | | Windows To Go | Windows To Go is no longer being developed.

The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.| 1903 | From c04791063c19a5a607c355d9c9b38f4218006af0 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Mon, 17 May 2021 17:56:14 -0700 Subject: [PATCH 043/415] Updated existing pages and merged others 1. Added missing event tags from event-tag-explanations. 2. Corrected MD errors in event-tags and event-id files. 3. Added missing event tag to combined event-id-and-tag file and ensured there are no MD errors. 4. Edited WDAC and AppLocker overview file for grammar. 5. Combined audit WDAC policies file with enforce WDAC policies file. 6. Updated TOC2, which will replace the main TOC. --- .../TOC2.yml | 4 ++-- ...s-defender-application-control-policies.md | 6 ++--- .../event-id-and-tag-explanations.md | 23 +++++++++++------- .../event-id-explanations.md | 12 +++++----- .../event-tag-explanations.md | 13 ++++++++-- .../wdac-and-applocker-overview.md | 24 +++++++++---------- 6 files changed, 48 insertions(+), 34 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC2.yml b/windows/security/threat-protection/windows-defender-application-control/TOC2.yml index 3db9e8ccd7..474b426029 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC2.yml +++ b/windows/security/threat-protection/windows-defender-application-control/TOC2.yml @@ -106,8 +106,8 @@ landingContent: - linkListType: how-to-guide links: - text: Querying using advanced hunting - url: querying-application-control-events-centrally-using-advanced-hunting.md #same as above + url: querying-application-control-events-centrally-using-advanced-hunting.md - linkListType: tutorial links: - text: Creating a policy from event logs (video) - url: querying-application-control-events-centrally-using-advanced-hunting.md #Jordan will create a video for this \ No newline at end of file + url: #Jordan will create a video for this \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md index c10855446f..31f6314425 100644 --- a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md @@ -19,7 +19,7 @@ ms.date: 05/03/2021 ms.technology: mde --- -# Use audit events to create WDAC policy rules +## Use audit events to create WDAC policy rules and Convert **base** policy from audits to enforced **Applies to:** @@ -75,8 +75,6 @@ To familiarize yourself with creating WDAC rules from audit events, follow these 8. Convert the Base or Supplemental policy to binary and deploy using your preferred method. - - ## Convert WDAC **base** policy from audit to enforced As described in [common WDAC deployment scenarios](types-of-devices.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices. @@ -155,9 +153,9 @@ Since the enforced policy was given a unique PolicyID in the previous procedure, $EnforcedSuppPolicyBinary = $env:USERPROFILE+"\Desktop\"+$SupplementalPolicyName+"_"+$SupplementalPolicyID+".xml" ConvertFrom-CIPolicy $EnforcedSupplementalPolicy $EnforcedSuppPolicyBinary ``` + 4. Repeat the steps above if you have other supplemental policies to update. ## Deploy your enforced policy and supplemental policies Now that your base policy is in enforced mode, you can begin to deploy it to your managed endpoints. For information about deploying policies, see [Deploying Windows Defender Application Control (WDAC) policies](windows-defender-application-control-deployment-guide.md). - diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-and-tag-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-and-tag-explanations.md index 81c7794f17..9b21c840e5 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-and-tag-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-and-tag-explanations.md @@ -19,15 +19,15 @@ ms.date: 5/7/2021 ms.technology: mde --- -# Understanding Application Control event IDs and tags +## Understanding Application Control event IDs and tags A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode. These events include a number of fields, which provide helpful troubleshooting information to figure out exactly what an event means. These events are generated under two locations: - - Event IDs beginning with 30 appear in Applications and Services logs – Microsoft – Windows – CodeIntegrity – Operational +- Event IDs beginning with 30 appear in Applications and Services logs | Microsoft | Windows | CodeIntegrity | Operational - - Event IDs beginning with 80 appear in Applications and Services logs – Microsoft – Windows – AppLocker – MSI and Script +- Event IDs beginning with 80 appear in Applications and Services logs | Microsoft | Windows | AppLocker | MSI and Script ## Microsoft Windows CodeIntegrity Operational log event IDs @@ -35,7 +35,7 @@ These events are generated under two locations: |----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | 3076 | Audit executable/dll file | | 3077 | Block executable/dll file | -| 3089 | Signing information event correlated with either a 3076 or 3077 event. One 3089 event is generated for each signature of a file. Contains the total number of signatures on a file and an index as to which signature it is.
Unsigned files will generate a single 3089 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | +| 3089 | Signing information event correlated with either a 3076 or 3077 event. One 3089 event is generated for each signature of a file. Contains the total number of signatures on a file and an index as to which signature it is. Unsigned files will generate a single 3089 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | | 3099 | Indicates that a policy has been loaded | ## Microsoft Windows Applocker MSI and Script log event IDs @@ -48,7 +48,7 @@ These events are generated under two locations: ## Optional Intelligent Security Graph (ISG) or Managed Installer (MI) diagnostic events -If either the ISG or MI is enabled in a WDAC policy, you can optionally choose to enable 3090, 3091, and 3092 events to provide additional diagnostic information. +If either the ISG or MI is enabled in a WDAC policy, you can optionally choose to enable 3090, 3091, and 3092 events to provide additional diagnostic information. | Event ID | Explanation | |----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| @@ -84,9 +84,7 @@ In order to enable 3090 allow events as well as 3091 and 3092 events, you must i ```powershell reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x300 ``` - -
- + ## Event Tags Below, we have documented the values and meanings for a few useful event tags. @@ -100,6 +98,7 @@ Represents the type of signature which verified the image. | 0 | Unsigned or verification has not been attempted | | 1 | Embedded signature | | 2 | Cached signature; presence of CI EA shows that file had been previously verified | +| 3 | Cached catalog verified via Catalog Database or searching catalog directly | | 4 | Un-cached catalog verified via Catalog Database or searching catalog directly | | 5 | Successfully verified using an EA that informs CI which catalog to try first | |6 | AppX / MSIX package catalog verified | @@ -131,14 +130,20 @@ Represents why verification failed, or if it succeeded. | VerificationError Value | Explanation | |----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | 0 | Successfully verified signature | +| 1 | File has an invalid hash | | 2 | File contains shared writable sections | +| 3 | File is not signed| | 4 | Revoked signature | | 5 | Expired signature | +| 6 | File is signed using a weak hashing algorithm which does not meet the minimum policy | | 7 | Invalid root certificate | | 8 | Signature was unable to be validated; generic error | | 9 | Signing time not trusted | +| 10 | The file must be signed using page hashes for this scenario | +| 11 | Page hash mismatch | | 12 | Not valid for a PPL (Protected Process Light) | | 13 | Not valid for a PP (Protected Process) | +| 14 | The signature is missing the required ARM EKU | | 15 | Failed WHQL check | | 16 | Default policy signing level not met | | 17 | Custom policy signing level not met; returned when signature doesn't validate against an SBCP-defined set of certs | @@ -149,5 +154,7 @@ Represents why verification failed, or if it succeeded. | 22 | Not IUM (Isolated User Mode) signed; indicates trying to load a non-trustlet binary into a trustlet | | 23 | Invalid image hash | | 24 | Flight root not allowed; indicates trying to run flight-signed code on production OS | +| 25 | Anti-cheat policy violation | | 26 | Explicitly denied by WADC policy | +| 27 | The signing chain appears to be tampered/invalid | | 28 | Resource page hash mismatch | diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index b464707f61..8aab0d3c1b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -18,13 +18,13 @@ ms.date: 3/17/2020 ms.technology: mde --- -# Understanding Application Control events +## Understanding Application Control events A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode. These events are generated under two locations: - - Event IDs beginning with 30 appear in Applications and Services logs – Microsoft – Windows – CodeIntegrity – Operational +- Event IDs beginning with 30 appear in Applications and Services logs | Microsoft | Windows | CodeIntegrity | Operational - - Event IDs beginning with 80 appear in Applications and Services logs – Microsoft – Windows – AppLocker – MSI and Script +- Event IDs beginning with 80 appear in Applications and Services logs | Microsoft | Windows | AppLocker | MSI and Script ## Microsoft Windows CodeIntegrity Operational log event IDs @@ -32,7 +32,7 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind |----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | 3076 | Audit executable/dll file | | 3077 | Block executable/dll file | -| 3089 | Signing information event correlated with either a 3076 or 3077 event. One 3089 event is generated for each signature of a file. Contains the total number of signatures on a file and an index as to which signature it is.
Unsigned files will generate a single 3089 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | +| 3089 | Signing information event correlated with either a 3076 or 3077 event. One 3089 event is generated for each signature of a file. Contains the total number of signatures on a file and an index as to which signature it is. Unsigned files will generate a single 3089 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | | 3099 | Indicates that a policy has been loaded | ## Microsoft Windows Applocker MSI and Script log event IDs @@ -45,7 +45,7 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind ## Optional Intelligent Security Graph (ISG) or Managed Installer (MI) diagnostic events -If either the ISG or MI is enabled in a WDAC policy, you can optionally choose to enable 3090, 3091, and 3092 events to provide additional diagnostic information. +If either the ISG or MI is enabled in a WDAC policy, you can optionally choose to enable 3090, 3091, and 3092 events to provide additional diagnostic information. | Event ID | Explanation | |----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| @@ -75,7 +75,7 @@ In order to enable 3091 audit events and 3092 block events, you must create a Te ```powershell reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x100 ``` - + In order to enable 3090 allow events as well as 3091 and 3092 events, you must instead create a TestFlags regkey with a value of 0x300. You can do so using the following PowerShell command: ```powershell diff --git a/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md index 6ee1d70486..e4a1e510ea 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md @@ -18,7 +18,7 @@ ms.date: 8/27/2020 ms.technology: mde --- -# Understanding Application Control event tags +## Understanding Application Control event tags Windows Defender Application Control (WDAC) events include a number of fields which provide helpful troubleshooting information to figure out exactly what an event means. Below, we have documented the values and meanings for a few useful event tags. @@ -31,9 +31,10 @@ Represents the type of signature which verified the image. | 0 | Unsigned or verification has not been attempted | | 1 | Embedded signature | | 2 | Cached signature; presence of CI EA shows that file had been previously verified | +| 3 | Cached catalog verified via Catalog Database or searching catalog directly | | 4 | Un-cached catalog verified via Catalog Database or searching catalog directly | | 5 | Successfully verified using an EA that informs CI which catalog to try first | -|6 | AppX / MSIX package catalog verified | +| 6 | AppX / MSIX package catalog verified | | 7 | File was verified | ## ValidatedSigningLevel @@ -62,14 +63,20 @@ Represents why verification failed, or if it succeeded. | VerificationError Value | Explanation | |----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | 0 | Successfully verified signature | +| 1 | File has an invalid hash | | 2 | File contains shared writable sections | +| 3 | File is not signed| | 4 | Revoked signature | | 5 | Expired signature | +| 6 | File is signed using a weak hashing algorithm which does not meet the minimum policy | | 7 | Invalid root certificate | | 8 | Signature was unable to be validated; generic error | | 9 | Signing time not trusted | +| 10 | The file must be signed using page hashes for this scenario | +| 11 | Page hash mismatch | | 12 | Not valid for a PPL (Protected Process Light) | | 13 | Not valid for a PP (Protected Process) | +| 14 | The signature is missing the required ARM EKU | | 15 | Failed WHQL check | | 16 | Default policy signing level not met | | 17 | Custom policy signing level not met; returned when signature doesn't validate against an SBCP-defined set of certs | @@ -80,5 +87,7 @@ Represents why verification failed, or if it succeeded. | 22 | Not IUM (Isolated User Mode) signed; indicates trying to load a non-trustlet binary into a trustlet | | 23 | Invalid image hash | | 24 | Flight root not allowed; indicates trying to run flight-signed code on production OS | +| 25 | Anti-cheat policy violation | | 26 | Explicitly denied by WADC policy | +| 27 | The signing chain appears to be tampered/invalid | | 28 | Resource page hash mismatch | diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md index 03f0eb6f0d..0897007f32 100644 --- a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md @@ -19,18 +19,18 @@ ms.custom: asr ms.technology: mde --- -# Windows Defender Application Control and AppLocker Overview +## Windows Defender Application Control and AppLocker Overview **Applies to:** - Windows 10 - Windows Server 2016 and above -Windows 10 includes two technologies that can be used for application control depending on your organization's specific scenarios and requirements: Windows Defender Application Control (WDAC) and AppLocker. +Windows 10 includes two technologies that can be used for application control, depending on your organization's specific scenarios and requirements: Windows Defender Application Control (WDAC) and AppLocker. ## Windows Defender Application Control -WDAC was introduced with Windows 10 and allows organizations to control which drivers and applications are allowed to run on their Windows 10 clients. WDAC was designed as a security feature under the [servicing criteria](https://www.microsoft.com/msrc/windows-security-servicing-criteria) defined by the Microsoft Security Response Center (MSRC). +WDAC was introduced with Windows 10 and allows organizations to control which drivers and applications are allowed to run on their Windows 10 clients. It was designed as a security feature under the [servicing criteria](https://www.microsoft.com/msrc/windows-security-servicing-criteria), defined by the Microsoft Security Response Center (MSRC). WDAC policies apply to the managed computer as a whole and affects all users of the device. WDAC rules can be defined based on: @@ -41,21 +41,21 @@ WDAC policies apply to the managed computer as a whole and affects all users of - The [path from which the app or file is launched](select-types-of-rules-to-create.md#more-information-about-filepath-rules) (beginning with Windows 10 version 1903) - The process that launched the app or binary -Note that prior to Windows 10, version 1709, Windows Defender Application Control was known as configurable code integrity (CCI). WDAC was also one of the features which comprised the now-defunct term 'Device Guard'. +Note that prior to Windows 10 version 1709, Windows Defender Application Control was known as configurable code integrity (CCI). WDAC was also one of the features that comprised the now-defunct term "Device Guard." ### WDAC System Requirements -WDAC policies can be created on any client edition of Windows 10 build 1903+ or on Windows Server 2016 and above. +WDAC policies can be created on any client edition of Windows 10 build 1903+, or on Windows Server 2016 and above. -WDAC policies can be applied to devices running any edition of Windows 10 or Windows Server 2016 and above via a Mobile Device Management (MDM) solution like Intune, a management interface like Configuration Manager, or a script host like PowerShell. Group Policy can also be used to deploy WDAC policies to Windows 10 Enterprise edition or Windows Server 2016 and above, but cannot deploy policies to devices running non-Enterprise SKUs of Windows 10. +WDAC policies can be applied to devices running any edition of Windows 10, or Windows Server 2016 and above, via a Mobile Device Management (MDM) solution, e.g. Intune; a management interface, e.g. Configuration Manager; or a script host, e.g. PowerShell. Group Policy can also be used to deploy WDAC policies to Windows 10 Enterprise edition, or Windows Server 2016 and above, but cannot deploy policies to devices running non-Enterprise SKUs of Windows 10. -For more information on which individual WDAC features are available on which WDAC builds, see [WDAC feature availability](feature-availability.md). +For more information on which individual WDAC features are available on specific WDAC builds, see [WDAC feature availability](feature-availability.md). ## AppLocker -AppLocker was introduced with Windows 7 and allows organizations to control which applications are allowed to run on their Windows clients. AppLocker helps to prevent end users from running unapproved software on their computers, but it does not meet the servicing criteria for being a security feature. +AppLocker was introduced with Windows 7, and allows organizations to control which applications are allowed to run on their Windows clients. AppLocker helps to prevent end-users from running unapproved software on their computers but does not meet the servicing criteria for being a security feature. -AppLocker policies can apply to all users on a computer or to individual users and groups. AppLocker rules can be defined based on: +AppLocker policies can apply to all users on a computer, or to individual users and groups. AppLocker rules can be defined based on: - Attributes of the codesigning certificate(s) used to sign an app and its binaries - Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file @@ -68,13 +68,13 @@ AppLocker policies can be deployed using Group Policy or MDM. ## Choose when to use WDAC or AppLocker -Generally, it is recommended that customers who are able to implement application control using WDAC rather than AppLocker do so. WDAC is undergoing continual improvements and will be getting added support from Microsoft management platforms. Although AppLocker will continue to receive security fixes, it will not undergo new feature improvements. +Generally, it is recommended that customers, who are able to implement application control using WDAC rather than AppLocker, do so. WDAC is undergoing continual improvements, and will be getting added support from Microsoft management platforms. Although AppLocker will continue to receive security fixes, it will not undergo new feature improvements. -In some cases, however, AppLocker may be the more appropriate technology for your organization. AppLocker is best when: +However, in some cases, AppLocker may be the more appropriate technology for your organization. AppLocker is best when: - You have a mixed Windows operating system (OS) environment and need to apply the same policy controls to Windows 10 and earlier versions of the OS. - You need to apply different policies for different users or groups on shared computers. - You do not want to enforce application control on application files such as DLLs or drivers. -AppLocker can also be deployed as a complement to WDAC to add user- or group-specific rules for shared device scenarios where it is important to prevent some users from running specific apps. +AppLocker can also be deployed as a complement to WDAC to add user or group-specific rules for shared device scenarios, where it is important to prevent some users from running specific apps. As a best practice, you should enforce WDAC at the most restrictive level possible for your organization, and then you can use AppLocker to further fine-tune the restrictions. From 06e5b4213d600ad1af6bf167737003e6ad30e557 Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Tue, 18 May 2021 09:23:53 +0300 Subject: [PATCH 044/415] Update windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-cert-trust-prereqs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md index 298d1d7986..28ff8d49c6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md @@ -75,7 +75,7 @@ The two directories used in hybrid deployments must be synchronized. You need A Organizations using older directory synchronization technology, such as DirSync or Azure AD sync, need to upgrade to Azure AD Connect. In case the schema of your local AD DS was changed since the last directory synchronization, you may need to [refresh directory schema](/azure/active-directory/hybrid/how-to-connect-installation-wizard#refresh-directory-schema). > [!NOTE] -> User accounts enrolling for Windows Hello for Business in Hybrid Certificate Trust scenario must have UPN matching a verified domain name in Azure AD. More details [here](https://docs.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current#troubleshoot-post-join-issues). +> User accounts enrolling for Windows Hello for Business in a Hybrid Certificate Trust scenario must have a UPN matching a verified domain name in Azure AD. For more details, see [Troubleshoot Post-Join issues](/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current#troubleshoot-post-join-issues). > [!NOTE] > Windows Hello for Business is tied between a user and a device. Both the user and device need to be synchronized between Azure Active Directory and Active Directory. From 878d041fad0a101b7a29a7470d2e752ec06c76f8 Mon Sep 17 00:00:00 2001 From: "jogeurte@microsoft.com" Date: Tue, 18 May 2021 15:23:52 -0700 Subject: [PATCH 045/415] updated guidance for signed policy deployment in the script md file. #9495 --- .../deployment/deploy-wdac-policies-with-script.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md index 3aed014401..a0308dfadc 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md @@ -52,6 +52,20 @@ This topic describes how to deploy Windows Defender Application Control (WDAC) p & $RefreshPolicyTool ``` +### Deploying signed policies + +In addition to the steps outlined above, the binary policy file must also be copied to the device's EFI partition. Deploying your policy via [MEM](deploy-windows-defender-application-control-policies-using-intune.md) or the [Application Control CSP](#Deploying-multiple-policies-via-ApplicationControl-CSP) will handle this step automatically. + +1. Mount the EFI volume and make the directory, if it does not exist, in an elevated PowerShell prompt: +```powershell +mountvol J: /S +J: +mkdir J:\EFI\Microsoft\Boot\CiPolicies\Active +``` + +2. Copy the signed policy binary as `{PolicyGUID}.cip` to J:\EFI\Microsoft\Boot\CiPolicies\Active +3. Reboot the system. + ## Script-based deployment process for Windows 10 versions earlier than 1903 1. Initialize the variables to be used by the script. From 8d499af45ea8eaac46d881b2511d7eef6c9fc775 Mon Sep 17 00:00:00 2001 From: "jogeurte@microsoft.com" Date: Tue, 18 May 2021 15:37:48 -0700 Subject: [PATCH 046/415] Updated the enforcement doc which has the binary in xml Additionally, removed a note which is directly under the instructions on how to get the PolicyID. --- .../enforce-windows-defender-application-control-policies.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md index 784baf06c2..6c3b04eb5a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md @@ -52,8 +52,6 @@ Alice previously created and deployed a policy for the organization's [fully man $EnforcedPolicyID = $EnforcedPolicyID.Substring(11) ``` - > [!NOTE] - > If Set-CIPolicyIdInfo does not output the new PolicyID value on your Windows 10 version, you will need to obtain the *PolicyId* value from the XML directly. 3. *[Optionally]* Use [Set-RuleOption](/powershell/module/configci/set-ruleoption) to enable rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”). Option 9 allows users to disable WDAC enforcement for a single boot session from a pre-boot menu. Option 10 instructs Windows to switch the policy from enforcement to audit only if a boot critical kernel-mode driver is blocked. We strongly recommend these options when deploying a new enforced policy to your first deployment ring. Then, if no issues are found, you can remove the options and restart your deployment. @@ -74,7 +72,7 @@ Alice previously created and deployed a policy for the organization's [fully man > If you did not use -ResetPolicyID in Step 2 above, then you must replace $EnforcedPolicyID in the following command with the *PolicyID* attribute found in your base policy XML. ```powershell - $EnforcedPolicyBinary = $env:USERPROFILE+"\Desktop\"+$EnforcedPolicyName+"_"+$EnforcedPolicyID+".xml" + $EnforcedPolicyBinary = $env:USERPROFILE+"\Desktop\"+$EnforcedPolicyID+".cip" ConvertFrom-CIPolicy $EnforcedPolicyXML $EnforcedPolicyBinary ``` From 5e1be4d679c6dc264b91e186d0a62361400eced1 Mon Sep 17 00:00:00 2001 From: "jogeurte@microsoft.com" Date: Tue, 18 May 2021 16:02:45 -0700 Subject: [PATCH 047/415] Updated steps for a signed wdac policy and noted the nuance for uefi lock --- ...r-application-control-against-tampering.md | 46 +++++++++++++------ 1 file changed, 31 insertions(+), 15 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md index a654d57870..be2010c6e5 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md @@ -37,7 +37,7 @@ Before signing WDAC policies for the first time, be sure to enable rule options To sign a WDAC policy with SignTool.exe, you need the following components: -- SignTool.exe, found in the Windows SDK (Windows 7 or later) +- SignTool.exe, found in the [Windows SDK](https://developer.microsoft.com/en-US/windows/downloads/windows-10-sdk/) (Windows 7 or later) - The binary format of the WDAC policy that you generated in [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) or another WDAC policy that you have created @@ -47,26 +47,29 @@ If you do not have a code signing certificate, see [Optional: Create a code sign 1. Initialize the variables that will be used: - `$CIPolicyPath=$env:userprofile+"\Desktop\"` - - `$InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"` - - `$CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"` + ```powershell + $CIPolicyPath=$env:userprofile+"\Desktop\" + $InitialCIPolicy=$CIPolicyPath+"InitialScan.xml" + ``` > [!NOTE] - > This example uses the WDAC policy that you created in the [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) section. If you are signing another policy, be sure to update the **$CIPolicyPath** and **$CIPolicyBin** variables with the correct information. + > This example uses the WDAC policy that you created in the [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) section. If you are signing another policy, be sure to update the **$CIPolicyPath** variable with the correct information. 2. Import the .pfx code signing certificate. Import the code signing certificate that you will use to sign the WDAC policy into the signing user’s personal store on the computer that will be doing the signing. In this example, you use the certificate that was created in [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md). 3. Export the .cer code signing certificate. After the code signing certificate has been imported, export the .cer version to your desktop. This version will be added to the policy so that it can be updated later. 4. Navigate to your desktop as the working directory: - - `cd $env:USERPROFILE\Desktop` + + ```powershell + cd $env:USERPROFILE\Desktop + ``` 5. Use [Add-SignerRule](/powershell/module/configci/add-signerrule) to add an update signer certificate to the WDAC policy: - `Add-SignerRule -FilePath $InitialCIPolicy -CertificatePath -Kernel -User –Update` + ```powershell + Add-SignerRule -FilePath $InitialCIPolicy -CertificatePath -Kernel -User –Update + ``` > [!NOTE] > *<Path to exported .cer certificate>* should be the full path to the certificate that you exported in step 3. @@ -74,17 +77,30 @@ If you do not have a code signing certificate, see [Optional: Create a code sign 6. Use [Set-RuleOption](/powershell/module/configci/set-ruleoption) to remove the unsigned policy rule option: - `Set-RuleOption -FilePath $InitialCIPolicy -Option 6 -Delete` + ```powershell + Set-RuleOption -FilePath $InitialCIPolicy -Option 6 -Delete + ``` -7. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the policy to binary format: +7. Reset the policy ID and use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the policy to binary format: - `ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin` + ```powershell + $PolicyID= Set-CIPolicyIdInfo -FilePath $InitialCIPolicy -ResetPolicyID + $PolicyID = $PolicyID.Substring(11) + $CIPolicyBin = $env:userprofile + "\Desktop\" + $PolicyID + ".cip" + ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin + ``` 8. Sign the WDAC policy by using SignTool.exe: - ` sign -v /n "ContosoDGSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin` + ```powershell + sign -v /n "ContosoDGSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin + ``` > [!NOTE] > The *<Path to signtool.exe>* variable should be the full path to the SignTool.exe utility. **ContosoDGSigningCert** is the subject name of the certificate that will be used to sign the WDAC policy. You should import this certificate to your personal certificate store on the computer you use to sign the policy. -9. Validate the signed file. When complete, the commands should output a signed policy file called DeviceGuardPolicy.bin.p7 to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy WDAC policies, see [Deploy and manage Windows Defender Application Control with Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md). \ No newline at end of file +9. Validate the signed file. When complete, the commands should output a signed policy file called DeviceGuardPolicy.bin.p7 to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy WDAC policies, see [Deploy and manage Windows Defender Application Control with Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md). + + +> [!NOTE] + > The device with the signed policy must be rebooted one time with Secure Boot enabled for the UEFI lock to be set. \ No newline at end of file From 1a5cbd6c594ef58a03da6744c434c1727661105e Mon Sep 17 00:00:00 2001 From: "jogeurte@microsoft.com" Date: Tue, 18 May 2021 16:05:43 -0700 Subject: [PATCH 048/415] Small edit of the final binary filename/extension --- ...ct-windows-defender-application-control-against-tampering.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md index be2010c6e5..7b136fa662 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md @@ -99,7 +99,7 @@ If you do not have a code signing certificate, see [Optional: Create a code sign > [!NOTE] > The *<Path to signtool.exe>* variable should be the full path to the SignTool.exe utility. **ContosoDGSigningCert** is the subject name of the certificate that will be used to sign the WDAC policy. You should import this certificate to your personal certificate store on the computer you use to sign the policy. -9. Validate the signed file. When complete, the commands should output a signed policy file called DeviceGuardPolicy.bin.p7 to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy WDAC policies, see [Deploy and manage Windows Defender Application Control with Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md). +9. Validate the signed file. When complete, the commands should output a signed policy file called {PolicyID}.cip to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy WDAC policies, see [Deploy and manage Windows Defender Application Control with Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md). > [!NOTE] From f8c73443282198524fa19649560e103b2e301e40 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Wed, 19 May 2021 14:01:42 +0530 Subject: [PATCH 049/415] Create bitlocker-deployment-comparison.md created new topic per task 5120578 --- .../bitlocker-deployment-comparison.md | 91 +++++++++++++++++++ 1 file changed, 91 insertions(+) create mode 100644 windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md new file mode 100644 index 0000000000..9918e7eea1 --- /dev/null +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md @@ -0,0 +1,91 @@ +--- +title: BitLocker deployment comparison (Windows 10) +description: This article for the IT professional explains how +BitLocker features can be used to protect your data through drive +encryption. +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: v-lsaldanha +ms.author: lovina-saldanha +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 02/28/2019 +ms.custom: bitlocker +--- + +# Bitlocker deployment comparison + +**Applies to** + +- Windows 10 + +This article for the IT professional explains how BitLocker +features can be used to protect your data through drive encryption. + +## Bitlocker deployment comparison chart + + + +| |Microsoft Intune |Microsoft Endpoint Configuration Manager |Microsoft BitLocker Administration and Monitoring (MBAM)* | +|---------|---------|---------|---------| +|**Requirements**|||| +|Minimum client operating system version |Windows 10 | Windows 10 and Windows 8.1 | Windows 7 and later | +|Supported Windows 10 SKUs | Enterprise, Pro, Education | Enterprise, Pro, Education | Enterprise | +|Minimum Windows 10 version |1909** | None | None | +|Supported domain-joined status | Microsoft Azure Active Directory (Azure AD) joined, hybrid Azure AD joined | Active Directory joined, hybrid Azure AD joined | Active Directory joined | +|Permissions required to manage policies | Endpoint security manager or custom | Full administrator or custom | Domain Admin or Delegated GPO access | +|Cloud or on premises | Cloud | On premises | On premises | +|Server components required? | | | | +|Additional agent required? | No (device enrollment only) | Configuration Manager client | MBAM client | +|Administrative plane | Microsoft Endpoint Manager +admin center | Configuration Manager console | Group Policy Management Console +and MBAM sites | +|Administrative portal installation required | | | | +|Compliance reporting capabilities | | | | +|Force encryption | | | | +|Encryption for storage cards (mobile) | | | | +|Allow recovery password | | | | +|Manage startup authentication | | | | +|Select cipher strength and algorithms for fixed +drives | | | | +|Select cipher strength and algorithms for +removable drives | | | | +|Select cipher strength and algorithms for operating +environment drives | | | | +|Standard recovery password storage location | Azure AD or +Active Directory | Configuration Manager site database | MBAM database | +|Store recovery password for operating system and +fixed drives to Azure AD or Active Directory | Yes (Active Directory and +Azure AD) | Yes (Active Directory only) | Yes (Active Directory only) | +|Customize preboot message and recovery link | | | | +|Allow/deny key file creation | | | | +|Deny Write permission to unprotected drives | | | | +|Can be administered outside company network | | | | +|Support for organization unique IDs | | | | +|Self-service recovery | Yes (through Azure AD or +Company Portal app) | | | +|Recovery password rotation for fixed and operating environment drives | Yes (Windows 10, version 1909 and later) | | | +|Wait to complete encryption until recovery information is backed up to Active Directory | | | | +|Allow or deny Data Recovery Agent | | | | +|Unlock a volume using certificate with custom object identifier | | | | +|Prevent memory overwrite on restart | | | | +|Configure custom Trusted Platform Module Platform Configuration Register profiles | | | | +|Manage auto-unlock functionality | | | | +|Row6 | | | | +|Row7 | | | | +|Row6 | | | | +|Row7 | | | | +|Row6 | | | | +|Row7 | | | | +|Row6 | | | | +|Row7 | | | | +|Row6 | | | | +|Row7 | | | | +|Row6 | | | | +|Row7 | | | | + From cc7ad8b42c92e4f747d51b9cfb1ba2550762ae6f Mon Sep 17 00:00:00 2001 From: Lovina Saldanha <69782111+Lovina-Saldanha@users.noreply.github.com> Date: Wed, 19 May 2021 14:04:36 +0530 Subject: [PATCH 050/415] new-img-5120578 Added newly per 5120578 task --- .../bitlocker/images/dot.png | Bin 0 -> 674 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 windows/security/information-protection/bitlocker/images/dot.png diff --git a/windows/security/information-protection/bitlocker/images/dot.png b/windows/security/information-protection/bitlocker/images/dot.png new file mode 100644 index 0000000000000000000000000000000000000000..8dc160da790bb40082cb31ae078125c8dd9bcb14 GIT binary patch literal 674 zcmV;T0$u%yP)Px#1ZP1_K>z@;j|==^1poj532;bRa{vGqB>(^xB>_oNB=7(L0yjxSK~z{r?U%c2 zQ(+i~3&o|-O`SyPQlTKIn<%*U4{-J$=q_#54v~7JR1L+DMI0P-P%@>J22p54u|uqB zn>0zyMVqvZxoR$_P2Qe2d<9A0ez$W18S=nyI`F;^-*>)SA9OK2IbC{ky4WJOUETv< zqzvzZMewW^;ajQ#RinYa>Z2`}$k$V0grRRdcqIK3LAdff1}~R$+M>#G^}Pn% zd7o)Dr=+NyxgUZ>b7WOflKWLK;Nr6=DIk+u-ZV6uO;$~ev|KW8z|bRl3RN=Z*^(BN zlEbOIWMRbGGxs^mD)W(&yKVksR1@6{++Br@-5RTYJVLp2$$%4+bQ3GN@hZtW9FI`W z;oByQTMe%E-$jFUp%KbmcoHFt+mWYB{C|%tS1~tFmHkXLH{YaKCmOC?V5>?NwJVpM zQPzouE9Z~@Ba7OV;h7EAiH0lpCDB>Ak=Y3AM8lQC)kGDwE2A&stP>4a4v(4B_twe6 zc4T}$!#dG$^Jxq0HGXCEiQSgft5J@;=^Ak zhpeQlww|w7T`}RPAyRS(UUR5MsySsYuxPfoh$%U3zl5bg>-30U^uP%Z6!0+5i9m07*qo IM6N<$f`#cUv;Y7A literal 0 HcmV?d00001 From 42430085302dd9383967037dedde47ecaffa4fb4 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha <69782111+Lovina-Saldanha@users.noreply.github.com> Date: Wed, 19 May 2021 16:02:43 +0530 Subject: [PATCH 051/415] new-image-5120578 added new image per 5120578 --- .../bitlocker/images/dot1.png | Bin 0 -> 739 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 windows/security/information-protection/bitlocker/images/dot1.png diff --git a/windows/security/information-protection/bitlocker/images/dot1.png b/windows/security/information-protection/bitlocker/images/dot1.png new file mode 100644 index 0000000000000000000000000000000000000000..c9ec7c52ab41b4f5c567d7a8db90e7b679d47928 GIT binary patch literal 739 zcmV<90v!E`P)Px#1ZP1_K>z@;j|==^1poj532;bRa{vGqB>(^xB>_oNB=7(L0(eP8K~z{r?Uv1J z6G0e8QliJp_RPmysB2_7-AR-DyPsKk#p<-_>^x&}`lwLfDf_l&vZ-PCE z2r7D052@HHqK87HF-;efY-97WP3nw}r0vY4yPFNY_&~_KbC`W*-kEnsSt4Maaj^e& z#qvrdGK-ju=b+_Fa40}?qZ|7I8{l!9pO-0#XsUp_?~-^lkw!GFv)(dJBGcJgkG@VH zE*#iwSjdn>VX=g3ujX+5wThxa<(5Vl9`rWj)b5R}N6wlOGi1g+qfvbLkz+mP7z+Dw z<4gdGLY7HFMTzez9o_e)F`eX>-VFW6w&K>gpj1SfG@63*W6`PwD7WAK#2xaJA(a>= zdtkz13PcP&o5eRZ&!UwGCF1isM&76_vWEqI30I#dShNzM#Qpb4=p`1|$oMA>F^x~J zP~!2V##;75kGE)SP9jT|;B!KpJ3ENXWLc{WC-GG+7%oUwn40A$$VvPv)L=6#BO@4} zlc4p#mbmC`w+c?8b&H#|YQrwU_?$%3CKq;ioh-7SgH0aRD#J<8`W|lgvdDhI?G3C| zhLfONKI&sFdkK+LoZiDA44&}AX=GzkXi6TE2Z@E3nv||kJ+6=| zU4-;A`-2|b> Date: Wed, 19 May 2021 16:20:57 +0530 Subject: [PATCH 052/415] Update bitlocker-deployment-comparison.md added dot image --- .../bitlocker/bitlocker-deployment-comparison.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md index 9918e7eea1..ad4b1b82b8 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md @@ -46,9 +46,9 @@ features can be used to protect your data through drive encryption. admin center | Configuration Manager console | Group Policy Management Console and MBAM sites | |Administrative portal installation required | | | | -|Compliance reporting capabilities | | | | -|Force encryption | | | | -|Encryption for storage cards (mobile) | | | | +|Compliance reporting capabilities | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot.png" alt-text="dot"::: | :::image type="content" source="images/dot.png" alt-text="dot"::: | +|Force encryption | :::image type="content" source="images/dot.png" alt-text="dot"::: | :::image type="content" source="images/dot.png" alt-text="dot"::: | :::image type="content" source="images/dot.png" alt-text="dot"::: | +|Encryption for storage cards (mobile) | :::image type="content" source="images/dot.png" alt-text="dot"::: | :::image type="content" source="images/dot.png" alt-text="dot"::: | | |Allow recovery password | | | | |Manage startup authentication | | | | |Select cipher strength and algorithms for fixed From 315eb8726f7b7a8d5348921730f7f0d1f7dc6ac2 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Wed, 19 May 2021 16:33:06 +0500 Subject: [PATCH 053/415] Addition of note As this tool PCPTool is a visual studio solution so users need to build it before running the tool. Updated this informaiton. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/9425 --- .../bitlocker/ts-bitlocker-decode-measured-boot-logs.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md index 6424a91e8b..fc64b1cfee 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md @@ -94,6 +94,9 @@ To find the PCR information, go to the end of the file. ## Use PCPTool to decode Measured Boot logs +> [!NOTE] +> PCPTool is a visual studio solution and need to build the executeable before using this tool. + PCPTool is part of the [TPM Platform Crypto-Provider Toolkit](https://www.microsoft.com/download/details.aspx?id=52487). The tool decodes a Measured Boot log file and converts it into an XML file. To download and install PCPTool, go to the Toolkit page, select **Download**, and follow the instructions. @@ -111,4 +114,4 @@ where the variables represent the following values: The content of the XML file resembles the following. -![Command Prompt window that shows an example of how to use PCPTool](./images/pcptool-output.jpg) \ No newline at end of file +![Command Prompt window that shows an example of how to use PCPTool](./images/pcptool-output.jpg) From a3cf1338c7557c7f026dfa4570a534ea434fe356 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Wed, 19 May 2021 19:59:50 +0530 Subject: [PATCH 054/415] Update policy-csp-deviceinstallation.md --- windows/client-management/mdm/policy-csp-deviceinstallation.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index 7212d2497c..6bb69b6346 100644 --- a/windows/client-management/mdm/policy-csp-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md @@ -103,11 +103,9 @@ This policy setting allows you to specify a list of plug-and-play hardware IDs a > This policy setting is intended to be used only when the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is enabled, however it may also be used with the "Prevent installation of devices not described by other policy settings" policy setting for legacy policy definitions. When this policy setting is enabled together with the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting, Windows is allowed to install or update any device whose Plug and Play hardware ID or compatible ID appears in the list you create, unless another policy setting at the same or higher layer in the hierarchy specifically prevents that installation, such as the following policy settings: -- Prevent installation of devices for these device classes - Prevent installation of devices that match these device IDs - Prevent installation of devices that match any of these device instance IDs - If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is not enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence. > [!NOTE] > The "Prevent installation of devices not described by other policy settings" policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting for supported target Windows 10 versions. It is recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting when possible. From e01060927aa57cfe7feedd1b4d6fa1210a835b4e Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Wed, 19 May 2021 20:13:07 +0530 Subject: [PATCH 055/415] Update policy-csp-deviceinstallation.md --- .../mdm/policy-csp-deviceinstallation.md | 42 +++++++++++++++---- 1 file changed, 33 insertions(+), 9 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index 6bb69b6346..9a9ca55915 100644 --- a/windows/client-management/mdm/policy-csp-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md @@ -113,6 +113,7 @@ If the "Apply layered order of evaluation for Allow and Prevent device installat Alternatively, if this policy setting is enabled together with the "Prevent installation of devices not described by other policy settings" policy setting, Windows is allowed to install or update driver packages whose device setup class GUIDs appear in the list you create, unless another policy setting specifically prevents installation (for example, the "Prevent installation of devices that match these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, the "Prevent installation of devices that match any of these device instance IDs" policy setting, or the "Prevent installation of removable devices" policy setting). If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. + If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed. Peripherals can be specified by their [hardware identity](/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. @@ -215,17 +216,31 @@ To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and > [!div class = "checklist"] > * Device - +Added in Windows 10, version 1903. Also available in Windows 10, version 1809.
-Added in Windows 10, version 1903. Also available in Windows 10, version 1809. This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is allowed to install. Use this policy setting only when the "Prevent installation of devices not described by other policy settings" policy setting is enabled. Other policy settings that prevent device installation take precedence over this one. +This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is allowed to install. -If you enable this policy setting, Windows is allowed to install or update any device whose Plug and Play device instance ID appears in the list you create, unless another policy setting specifically prevents that installation (for example, the "Prevent installation of devices that match any of these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, the "Prevent installation of devices that match any of these device instance IDs" policy setting, or the "Prevent installation of removable devices" policy setting). If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. +> [!TIP] +> This policy setting is intended to be used only when the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is enabled, however it may also be used with the "Prevent installation of devices not described by other policy settings" policy setting for legacy policy definitions. + +When this policy setting is enabled together with the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting, Windows is allowed to install or update any device whose Plug and Play device instance ID appears in the list you create, unless another policy setting at the same or higher layer in the hierarchy specifically prevents that installation, such as the following policy settings: +- Prevent installation of devices that match any of these device instance IDs + +If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is not enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence. + +> [!NOTE] +> The "Prevent installation of devices not described by other policy settings" policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting for supported target Windows 10 versions. It is recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting when possible. + +Alternatively, if this policy setting is enabled together with the "Prevent installation of devices not described by other policy settings" policy setting, Windows is allowed to install or update any device whose Plug and Play device instance ID appears in the list you create, unless another policy setting specifically prevents that installation (for example, the "Prevent installation of devices that match any of these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, the "Prevent installation of devices that match any of these device instance IDs" policy setting, or the "Prevent installation of removable devices" policy setting). + +If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed. + Peripherals can be specified by their [device instance ID](/windows-hardware/drivers/install/device-instance-ids). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. @@ -327,20 +342,30 @@ To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see i -This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is allowed to install. +This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for driver packages that Windows is allowed to install. > [!TIP] -> Use this policy setting only when the "Prevent installation of devices not described by other policy settings" policy setting is enabled. Other policy settings that prevent device installation take precedence over this one. +> This policy setting is intended to be used only when the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is enabled, however it may also be used with the "Prevent installation of devices not described by other policy settings" policy setting for legacy policy definitions. -If you enable this policy setting, Windows is allowed to install or update device drivers whose device setup class GUIDs appear in the list you create, unless another policy setting specifically prevents installation (for example, the "Prevent installation of devices that match these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, or the "Prevent installation of removable devices" policy setting). If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. +When this policy setting is enabled together with the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting, Windows is allowed to install or update driver packages whose device setup class GUIDs appear in the list you create, unless another policy setting at the same or higher layer in the hierarchy specifically prevents that installation, such as the following policy settings: -This setting allows device installation based on the serial number of a removable device if that number is in the hardware ID. +- Prevent installation of devices for these device classes +- Prevent installation of devices that match these device IDs +- Prevent installation of devices that match any of these device instance IDs + +If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is not enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence. + +> [!NOTE] +> The "Prevent installation of devices not described by other policy settings" policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting for supported target Windows 10 versions. It is recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting when possible. + +Alternatively, if this policy setting is enabled together with the "Prevent installation of devices not described by other policy settings" policy setting, Windows is allowed to install or update driver packages whose device setup class GUIDs appear in the list you create, unless another policy setting specifically prevents installation (for example, the "Prevent installation of devices that match these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, the "Prevent installation of devices that match any of these device instance IDs" policy setting, or the "Prevent installation of removable devices" policy setting). + +If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed. Peripherals can be specified by their [hardware identity](/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. - > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). @@ -1036,7 +1061,6 @@ If you enable this policy setting, Windows is prevented from installing or updat If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings. - Peripherals can be specified by their [hardware identity](/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it blocks the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. From 8eb663502c57c6ed3a5a3d7db50d904f07d0809f Mon Sep 17 00:00:00 2001 From: Jordan Geurten Date: Wed, 19 May 2021 08:43:49 -0700 Subject: [PATCH 056/415] Update windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- ...-windows-defender-application-control-against-tampering.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md index 7b136fa662..e2566ae779 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md @@ -37,7 +37,7 @@ Before signing WDAC policies for the first time, be sure to enable rule options To sign a WDAC policy with SignTool.exe, you need the following components: -- SignTool.exe, found in the [Windows SDK](https://developer.microsoft.com/en-US/windows/downloads/windows-10-sdk/) (Windows 7 or later) +- SignTool.exe, found in the [Windows SDK](https://developer.microsoft.com/windows/downloads/windows-10-sdk/) (Windows 7 or later) - The binary format of the WDAC policy that you generated in [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) or another WDAC policy that you have created @@ -103,4 +103,4 @@ If you do not have a code signing certificate, see [Optional: Create a code sign > [!NOTE] - > The device with the signed policy must be rebooted one time with Secure Boot enabled for the UEFI lock to be set. \ No newline at end of file + > The device with the signed policy must be rebooted one time with Secure Boot enabled for the UEFI lock to be set. From cd644020c1802336d263881896eda53d04437d85 Mon Sep 17 00:00:00 2001 From: Jordan Geurten Date: Wed, 19 May 2021 09:15:56 -0700 Subject: [PATCH 057/415] Update windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- ...ct-windows-defender-application-control-against-tampering.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md index e2566ae779..498c736696 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md @@ -103,4 +103,4 @@ If you do not have a code signing certificate, see [Optional: Create a code sign > [!NOTE] - > The device with the signed policy must be rebooted one time with Secure Boot enabled for the UEFI lock to be set. +> The device with the signed policy must be rebooted one time with Secure Boot enabled for the UEFI lock to be set. From 4d86080190cda85fa0532af5f4eb69e95ad2c561 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Wed, 19 May 2021 21:47:56 +0500 Subject: [PATCH 058/415] Update windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../bitlocker/ts-bitlocker-decode-measured-boot-logs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md index fc64b1cfee..bab9c21e3e 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md @@ -95,7 +95,7 @@ To find the PCR information, go to the end of the file. ## Use PCPTool to decode Measured Boot logs > [!NOTE] -> PCPTool is a visual studio solution and need to build the executeable before using this tool. +> PCPTool is a Visual Studio solution, but you need to build the executable before you can start using this tool. PCPTool is part of the [TPM Platform Crypto-Provider Toolkit](https://www.microsoft.com/download/details.aspx?id=52487). The tool decodes a Measured Boot log file and converts it into an XML file. From 44a1e12b9d5208b4b18861fc3b064e0e59653abf Mon Sep 17 00:00:00 2001 From: Rick Munck <33725928+jmunck@users.noreply.github.com> Date: Wed, 19 May 2021 17:32:36 -0500 Subject: [PATCH 059/415] Update security-compliance-toolkit-10.md Updating versions supported. --- .../security-compliance-toolkit-10.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/security-compliance-toolkit-10.md b/windows/security/threat-protection/security-compliance-toolkit-10.md index 3662667af2..2a578d07ab 100644 --- a/windows/security/threat-protection/security-compliance-toolkit-10.md +++ b/windows/security/threat-protection/security-compliance-toolkit-10.md @@ -28,13 +28,13 @@ The SCT enables administrators to effectively manage their enterprise’s Group The Security Compliance Toolkit consists of: - Windows 10 security baselines - - Windows 10 Version 20H2 (October 2020 Update) - - Windows 10 Version 2004 (May 2020 Update) - - Windows 10 Version 1909 (November 2019 Update) - - Windows 10 Version 1809 (October 2018 Update) - - Windows 10 Version 1803 (April 2018 Update) - - Windows 10 Version 1607 (Anniversary Update) - - Windows 10 Version 1507 + - Windows 10, Version 21H1 (May 2021 Update) + - Windows 10, Version 20H2 (October 2020 Update) + - Windows 10, Version 2004 (May 2020 Update) + - Windows 10, Version 1909 (November 2019 Update) + - Windows 10, Version 1809 (October 2018 Update) + - Windows 10, Version 1607 (Anniversary Update) + - Windows 10, Version 1507 - Windows Server security baselines - Windows Server 2019 @@ -42,7 +42,7 @@ The Security Compliance Toolkit consists of: - Windows Server 2012 R2 - Microsoft Office security baseline - - Microsoft 365 Apps for enterprise (Sept 2019) + - Microsoft 365 Apps for enterprise, Version 2104 - Microsoft Edge security baseline - Version 88 From fdad2a91e3dd95bdea16f8528a7b9b96ac3fff7e Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Thu, 20 May 2021 11:46:05 +0530 Subject: [PATCH 060/415] Update bitlocker-deployment-comparison.md Created newly for task 5120578 - Bitlocker Comparison Chart --- .../bitlocker-deployment-comparison.md | 79 +++++++------------ 1 file changed, 28 insertions(+), 51 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md index ad4b1b82b8..749082dd5f 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md @@ -1,8 +1,6 @@ --- title: BitLocker deployment comparison (Windows 10) -description: This article for the IT professional explains how -BitLocker features can be used to protect your data through drive -encryption. +description: This article shows the Bitlocker deployment comparison chart. ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library @@ -14,7 +12,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 02/28/2019 +ms.date: 05/20/2021 ms.custom: bitlocker --- @@ -24,13 +22,10 @@ ms.custom: bitlocker - Windows 10 -This article for the IT professional explains how BitLocker -features can be used to protect your data through drive encryption. +This article for the IT professional depicts the BitLocker deployment comparison chart. ## Bitlocker deployment comparison chart - - | |Microsoft Intune |Microsoft Endpoint Configuration Manager |Microsoft BitLocker Administration and Monitoring (MBAM)* | |---------|---------|---------|---------| |**Requirements**|||| @@ -40,52 +35,34 @@ features can be used to protect your data through drive encryption. |Supported domain-joined status | Microsoft Azure Active Directory (Azure AD) joined, hybrid Azure AD joined | Active Directory joined, hybrid Azure AD joined | Active Directory joined | |Permissions required to manage policies | Endpoint security manager or custom | Full administrator or custom | Domain Admin or Delegated GPO access | |Cloud or on premises | Cloud | On premises | On premises | -|Server components required? | | | | +|Server components required? | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | |Additional agent required? | No (device enrollment only) | Configuration Manager client | MBAM client | -|Administrative plane | Microsoft Endpoint Manager -admin center | Configuration Manager console | Group Policy Management Console -and MBAM sites | -|Administrative portal installation required | | | | -|Compliance reporting capabilities | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot.png" alt-text="dot"::: | :::image type="content" source="images/dot.png" alt-text="dot"::: | -|Force encryption | :::image type="content" source="images/dot.png" alt-text="dot"::: | :::image type="content" source="images/dot.png" alt-text="dot"::: | :::image type="content" source="images/dot.png" alt-text="dot"::: | -|Encryption for storage cards (mobile) | :::image type="content" source="images/dot.png" alt-text="dot"::: | :::image type="content" source="images/dot.png" alt-text="dot"::: | | -|Allow recovery password | | | | -|Manage startup authentication | | | | -|Select cipher strength and algorithms for fixed -drives | | | | -|Select cipher strength and algorithms for -removable drives | | | | -|Select cipher strength and algorithms for operating -environment drives | | | | +|Administrative plane | Microsoft Endpoint Manager admin center | Configuration Manager console | Group Policy Management Console and MBAM sites | +|Administrative portal installation required | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Compliance reporting capabilities | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Force encryption | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Encryption for storage cards (mobile) | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | | +|Allow recovery password | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Manage startup authentication | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Select cipher strength and algorithms for fixed drives | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Select cipher strength and algorithms for removable drives | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Select cipher strength and algorithms for operating environment drives | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | |Standard recovery password storage location | Azure AD or Active Directory | Configuration Manager site database | MBAM database | |Store recovery password for operating system and fixed drives to Azure AD or Active Directory | Yes (Active Directory and Azure AD) | Yes (Active Directory only) | Yes (Active Directory only) | -|Customize preboot message and recovery link | | | | -|Allow/deny key file creation | | | | -|Deny Write permission to unprotected drives | | | | -|Can be administered outside company network | | | | -|Support for organization unique IDs | | | | -|Self-service recovery | Yes (through Azure AD or -Company Portal app) | | | -|Recovery password rotation for fixed and operating environment drives | Yes (Windows 10, version 1909 and later) | | | -|Wait to complete encryption until recovery information is backed up to Active Directory | | | | -|Allow or deny Data Recovery Agent | | | | -|Unlock a volume using certificate with custom object identifier | | | | -|Prevent memory overwrite on restart | | | | -|Configure custom Trusted Platform Module Platform Configuration Register profiles | | | | -|Manage auto-unlock functionality | | | | -|Row6 | | | | -|Row7 | | | | -|Row6 | | | | -|Row7 | | | | -|Row6 | | | | -|Row7 | | | | -|Row6 | | | | -|Row7 | | | | -|Row6 | | | | -|Row7 | | | | -|Row6 | | | | -|Row7 | | | | - +|Customize preboot message and recovery link | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Allow/deny key file creation | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Deny Write permission to unprotected drives | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Can be administered outside company network | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | | +|Support for organization unique IDs | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Self-service recovery | Yes (through Azure AD or Company Portal app) | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Recovery password rotation for fixed and operating environment drives | Yes (Windows 10, version 1909 and later) | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Wait to complete encryption until recovery information is backed up to Azure AD | :::image type="content" source="images/dot1.png" alt-text="dot"::: | | | +|Wait to complete encryption until recovery information is backed up to Active Directory | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Allow or deny Data Recovery Agent | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Unlock a volume using certificate with custom object identifier | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Prevent memory overwrite on restart | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Configure custom Trusted Platform Module Platform Configuration Register profiles | | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Manage auto-unlock functionality | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | From f4006bb298f1047b8b2c162d2ba97caafed7ffac Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Thu, 20 May 2021 11:57:10 +0530 Subject: [PATCH 061/415] Update bitlocker-deployment-comparison.md To fix build issues --- .../bitlocker/bitlocker-deployment-comparison.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md index 749082dd5f..e01dbd312c 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md @@ -6,8 +6,8 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: v-lsaldanha -ms.author: lovina-saldanha +author: lovina-saldanha +ms.author: v-lsaldanha manager: dansimp audience: ITPro ms.collection: M365-security-compliance From e67a850344a65aa8473a0cf9ee44550c909ec43d Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Thu, 20 May 2021 12:19:06 +0530 Subject: [PATCH 062/415] Update bitlocker-deployment-comparison.md updated --- .../bitlocker/bitlocker-deployment-comparison.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md index e01dbd312c..6ba03dc4d8 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md @@ -22,7 +22,7 @@ ms.custom: bitlocker - Windows 10 -This article for the IT professional depicts the BitLocker deployment comparison chart. +This article depicts the BitLocker deployment comparison chart. ## Bitlocker deployment comparison chart From 366544ec62a2b665fef59b2330af2d0ca4be9ae7 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Thu, 20 May 2021 13:56:05 +0530 Subject: [PATCH 063/415] Update TOC.yml updated toc per task 5120578 --- windows/security/information-protection/TOC.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/information-protection/TOC.yml b/windows/security/information-protection/TOC.yml index 9965f322db..bcaa9d74d7 100644 --- a/windows/security/information-protection/TOC.yml +++ b/windows/security/information-protection/TOC.yml @@ -29,6 +29,8 @@ href: bitlocker\bitlocker-using-with-other-programs-faq.yml - name: "Prepare your organization for BitLocker: Planning and policies" href: bitlocker\prepare-your-organization-for-bitlocker-planning-and-policies.md + - name: BitLocker deployment comparison + href: bitlocker\bitlocker-deployment-comparison.md - name: BitLocker basic deployment href: bitlocker\bitlocker-basic-deployment.md - name: "BitLocker: How to deploy on Windows Server 2012 and later" From 64ce542cb728735a9c83b76cf9f84ddc6e01b5f9 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Thu, 20 May 2021 14:49:46 +0530 Subject: [PATCH 064/415] Update policy-ddf-file.md --- .../client-management/mdm/policy-ddf-file.md | 84516 ---------------- 1 file changed, 84516 deletions(-) diff --git a/windows/client-management/mdm/policy-ddf-file.md b/windows/client-management/mdm/policy-ddf-file.md index de9a8618a9..dde8b3089c 100644 --- a/windows/client-management/mdm/policy-ddf-file.md +++ b/windows/client-management/mdm/policy-ddf-file.md @@ -32,84519 +32,3 @@ You can view various Policy DDF files by clicking the following links: - [View the Policy DDF file for Windows 10, version 1607 release 8C](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml) You can download DDF files for various CSPs from [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). - -The XML below is the DDF for Windows 10, version 20H2. - -```xml - -]> - - 1.2 - - Policy - ./User/Vendor/MSFT - - - - - - - - - - - - - - - com.microsoft/10.0/MDM/Policy - - - - Config - - - - - - - - - - - - - - - - - - - - - ApplicationManagement - - - - - - - - - - - - - - - - - - - - - MSIAlwaysInstallWithElevatedPrivileges - - - - - - - - - - - - - - - - - - - text/plain - - - - - RequirePrivateStoreOnly - - - - - - - - - - - - - - - - - - - text/plain - - - - - - AttachmentManager - - - - - - - - - - - - - - - - - - - - - DoNotPreserveZoneInformation - - - - - - - - - - - - - - - - - - - text/plain - - - - - HideZoneInfoMechanism - - - - - - - - - - - - - - - - - - - text/plain - - - - - NotifyAntivirusPrograms - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Authentication - - - - - - - - - - - - - - - - - - - - - AllowEAPCertSSO - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Autoplay - - - - - - - - - - - - - - - - - - - - - DisallowAutoplayForNonVolumeDevices - - - - - - - - - - - - - - - - - - - text/plain - - - - - SetDefaultAutoRunBehavior - - - - - - - - - - - - - - - - - - - text/plain - - - - - TurnOffAutoPlay - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Browser - - - - - - - - - - - - - - - - - - - - - AllowAddressBarDropdown - - - - - - - - This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services. - - - - - - - - - - - text/plain - - - - - AllowAutofill - - - - - - - - This setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge. - - - - - - - - - - - text/plain - - - - - AllowBrowser - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowConfigurationUpdateForBooksLibrary - - - - - - - - This policy setting lets you decide whether Microsoft Edge can automatically update the configuration data for the Books Library. - - - - - - - - - - - text/plain - - - - - AllowCookies - - - - - - - - This setting lets you configure how your company deals with cookies. - - - - - - - - - - - text/plain - - - - - AllowDeveloperTools - - - - - - - - This setting lets you decide whether employees can use F12 Developer Tools on Microsoft Edge. - - - - - - - - - - - text/plain - - - - - AllowDoNotTrack - - - - - - - - This setting lets you decide whether employees can send Do Not Track headers to websites that request tracking info. - - - - - - - - - - - text/plain - - - - - AllowExtensions - - - - - - - - This setting lets you decide whether employees can load extensions in Microsoft Edge. - - - - - - - - - - - text/plain - - - - - AllowFlash - - - - - - - - This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge. - - - - - - - - - - - text/plain - - - - - AllowFlashClickToRun - - - - - - - - Configure the Adobe Flash Click-to-Run setting. - - - - - - - - - - - text/plain - - - - - AllowFullScreenMode - - - - - - - - With this policy, you can specify whether to allow full-screen mode, which shows only the web content and hides the Microsoft Edge UI. - -If enabled or not configured, full-screen mode is available for use in Microsoft Edge. Your users and extensions must have the proper permissions. - -If disabled, full-screen mode is unavailable for use in Microsoft Edge. - - - - - - - - - - - text/plain - - - - - AllowInPrivate - - - - - - - - This setting lets you decide whether employees can browse using InPrivate website browsing. - - - - - - - - - - - text/plain - - - - - AllowMicrosoftCompatibilityList - - - - - - - - This policy setting lets you decide whether the Microsoft Compatibility List is enabled or disabled in Microsoft Edge. This feature uses a Microsoft-provided list to ensure that any sites with known compatibility issues are displayed correctly when a user navigates to them. By default, the Microsoft Compatibility List is enabled and can be viewed by navigating to about:compat. - -If you enable or don’t configure this setting, Microsoft Edge will periodically download the latest version of the list from Microsoft and will apply the configurations specified there during browser navigation. If a user visits a site on the Microsoft Compatibility List, he or she will be prompted to open the site in Internet Explorer 11. Once in Internet Explorer, the site will automatically be rendered as if the user is viewing it in the previous version of Internet Explorer it requires to display correctly. - -If you disable this setting, the Microsoft Compatibility List will not be used during browser navigation. - - - - - - - - - - - text/plain - - - - - AllowPasswordManager - - - - - - - - This setting lets you decide whether employees can save their passwords locally, using Password Manager. - - - - - - - - - - - text/plain - - - - - AllowPopups - - - - - - - - This setting lets you decide whether to turn on Pop-up Blocker and whether to allow pop-ups to appear in secondary windows. - - - - - - - - - - - text/plain - - - - - AllowPrelaunch - - - - - - - - Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed. - - - - - - - - - - - text/plain - - - - - AllowPrinting - - - - - - - - With this policy, you can restrict whether printing web content in Microsoft Edge is allowed. - -If enabled, printing is allowed. - -If disabled, printing is not allowed. - - - - - - - - - - - text/plain - - - - - AllowSavingHistory - - - - - - - - Microsoft Edge saves your user's browsing history, which is made up of info about the websites they visit, on their devices. - -If enabled or not configured, the browsing history is saved and visible in the History pane. - -If disabled, the browsing history stops saving and is not visible in the History pane. If browsing history exists before this policy was disabled, the previous browsing history remains visible in the History pane. This policy, when disabled, does not stop roaming of existing history or history coming from other roamed devices. - - - - - - - - - - - text/plain - - - - - AllowSearchEngineCustomization - - - - - - - - Allow search engine customization for MDM enrolled devices. Users can change their default search engine. - -If this setting is turned on or not configured, users can add new search engines and change the default used in the address bar from within Microsoft Edge Settings. -If this setting is disabled, users will be unable to add search engines or change the default used in the address bar. - -This policy will only apply on domain joined machines or when the device is MDM enrolled. For more information, see Microsoft browser extension policy (aka.ms/browserpolicy). - - - - - - - - - - - text/plain - - - - - AllowSearchSuggestionsinAddressBar - - - - - - - - This setting lets you decide whether search suggestions should appear in the Address bar of Microsoft Edge. - - - - - - - - - - - text/plain - - - - - AllowSideloadingOfExtensions - - - - - - - - This setting lets you decide whether employees can sideload extensions in Microsoft Edge. - - - - - - - - - - - text/plain - - - - - AllowSmartScreen - - - - - - - - This setting lets you decide whether to turn on Windows Defender SmartScreen. - - - - - - - - - - - text/plain - - - - - AllowTabPreloading - - - - - - - - Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed. - - - - - - - - - - - text/plain - - - - - AllowWebContentOnNewTabPage - - - - - - - - This policy setting lets you configure what appears when Microsoft Edge opens a new tab. By default, Microsoft Edge opens the New Tab page. - -If you enable this setting, Microsoft Edge opens a new tab with the New Tab page. - -If you disable this setting, Microsoft Edge opens a new tab with a blank page. If you use this setting, employees can't change it. - -If you don't configure this setting, employees can choose how new tabs appears. - - - - - - - - - - - text/plain - - - - - AlwaysEnableBooksLibrary - - - - - - - - Specifies whether the Books Library in Microsoft Edge will always be visible regardless of the country or region setting for the device. - - - - - - - - - - - text/plain - - - - - ClearBrowsingDataOnExit - - - - - - - - Specifies whether to always clear browsing history on exiting Microsoft Edge. - - - - - - - - - - - text/plain - - - - - ConfigureAdditionalSearchEngines - - - - - - - - Allows you to add up to 5 additional search engines for MDM-enrolled devices. - -If this setting is turned on, you can add up to 5 additional search engines for your employee. For each additional search engine you wish to add, you must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. This policy does not affect the default search engine. Employees will not be able to remove these search engines, but they can set any one of these as the default. - -If this setting is not configured, the search engines are the ones specified in the App settings. If this setting is disabled, the search engines you had added will be deleted from your employee's machine. - -Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. - - - - - - - - - - - text/plain - - - - - ConfigureFavoritesBar - - - - - - - - The favorites bar shows your user's links to sites they have added to it. With this policy, you can specify whether to set the favorites bar to always be visible or hidden on any page. - -If enabled, favorites bar is always visible on any page, and the favorites bar toggle in Settings sets to On, but disabled preventing your users from making changes. An error message also shows at the top of the Settings pane indicating that your organization manages some settings. The show bar/hide bar option is hidden from the context menu. - -If disabled, the favorites bar is hidden, and the favorites bar toggle resets to Off, but disabled preventing your users from making changes. An error message also shows at the top of the Settings pane indicating that your organization manages some settings. - -If not configured, the favorites bar is hidden but is visible on the Start and New Tab pages, and the favorites bar toggle in Settings sets to Off but is enabled allowing the user to make changes. - - - - - - - - - - - text/plain - - - - - ConfigureHomeButton - - - - - - - - The Home button loads either the default Start page, the New tab page, or a URL defined in the Set Home Button URL policy. - -By default, this policy is disabled or not configured and clicking the home button loads the default Start page. - -When enabled, the home button is locked down preventing your users from making changes in Microsoft Edge's UI settings. To let your users change the Microsoft Edge UI settings, enable the Unlock Home Button policy. - -If Enabled AND: -- Show home button & set to Start page is selected, clicking the home button loads the Start page. -- Show home button & set to New tab page is selected, clicking the home button loads a New tab page. -- Show home button & set a specific page is selected, clicking the home button loads the URL specified in the Set Home Button URL policy. -- Hide home button is selected, the home button is hidden in Microsoft Edge. - -Default setting: Disabled or not configured -Related policies: -- Set Home Button URL -- Unlock Home Button - - - - - - - - - - - text/plain - - - - - ConfigureKioskMode - - - - - - - - Configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access, either as a single app or as one of multiple apps running on the kiosk device. You can control whether Microsoft Edge runs InPrivate full screen, InPrivate multi-tab with limited functionality, or normal Microsoft Edge. - -You need to configure Microsoft Edge in assigned access for this policy to take effect; otherwise, these settings are ignored. To learn more about assigned access and kiosk configuration, see “Configure kiosk and shared devices running Windows desktop editions” (https://aka.ms/E489vw). - -If enabled and set to 0 (Default or not configured): -- If it’s a single app, it runs InPrivate full screen for digital signage or interactive displays. -- If it’s one of many apps, Microsoft Edge runs as normal. -If enabled and set to 1: -- If it’s a single app, it runs a limited multi-tab version of InPrivate and is the only app available for public browsing. Users can’t minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking “End session.” You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy. -- If it’s one of many apps, it runs in a limited multi-tab version of InPrivate for public browsing with other apps. Users can minimize, close, and open multiple InPrivate windows, but they can’t customize Microsoft Edge. - - - - - - - - - - - text/plain - - - - - ConfigureKioskResetAfterIdleTimeout - - - - - - - - You can configure Microsoft Edge to reset to the configured start experience after a specified amount of idle time. The reset timer begins after the last user interaction. Resetting to the configured start experience deletes the current user’s browsing data. - -If enabled, you can set the idle time in minutes (0-1440). You must set the Configure kiosk mode policy to 1 and configure Microsoft Edge in assigned access as a single app for this policy to work. Once the idle time meets the time specified, a confirmation message prompts the user to continue, and if no user action, Microsoft Edge resets after 30 seconds. - -If you set this policy to 0, Microsoft Edge does not use an idle timer. - -If disabled or not configured, the default value is 5 minutes. - -If you do not configure Microsoft Edge in assigned access, then this policy does not take effect. - - - - - - - - - - - text/plain - - - - - ConfigureOpenMicrosoftEdgeWith - - - - - - - - You can configure Microsoft Edge to lock down the Start page, preventing users from changing or customizing it. - -If enabled, you can choose one of the following options: -- Start page: the Start page loads ignoring the Configure Start Pages policy. -- New tab page: the New tab page loads ignoring the Configure Start Pages policy. -- Previous pages: all tabs the user had open when Microsoft Edge last closed loads ignoring the Configure Start Pages policy. -- A specific page or pages: the URL(s) specified with Configure Start Pages policy load(s). If selected, you must specify at least one URL in Configure Start Pages; otherwise, this policy is ignored. - -When enabled, and you want to make changes, you must first set the Disable Lockdown of Start Pages to not configured, make the changes to the Configure Open Edge With policy, and then enable the Disable Lockdown of Start Pages policy. - -If disabled or not configured, and you enable the Disable Lockdown of Start Pages policy, your users can change or customize the Start page. - -Default setting: A specific page or pages (default) -Related policies: --Disable Lockdown of Start Pages --Configure Start Pages - - - - - - - - - - - text/plain - - - - - ConfigureTelemetryForMicrosoft365Analytics - - - - - - - - Configures what browsing data will be sent to Microsoft 365 Analytics for devices belonging to an organization. - - - - - - - - - - - text/plain - - - - - DisableLockdownOfStartPages - - - - - - - - You can configure Microsoft Edge to disable the lockdown of Start pages allowing users to change or customize their start pages. To do this, you must also enable the Configure Start Pages or Configure Open Microsoft With policy. When enabled, all configured start pages are editable. Any Start page configured using the Configure Start pages policy is not locked down allowing users to edit their Start pages. - -If disabled or not configured, the Start pages configured in the Configure Start Pages policy cannot be changed and remain locked down. - -Supported devices: Domain-joined or MDM-enrolled -Related policy: -- Configure Start Pages -- Configure Open Microsoft Edge With - - - - - - - - - - - text/plain - - - - - EnableExtendedBooksTelemetry - - - - - - - - This setting allows organizations to send extended telemetry on book usage from the Books Library. - - - - - - - - - - - text/plain - - - - - EnterpriseModeSiteList - - - - - - - - This setting lets you configure whether your company uses Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy websites. - - - - - - - - - - - text/plain - - - - - EnterpriseSiteListServiceUrl - - - - - - - - - - - - - - - - - - - text/plain - - - - - FirstRunURL - - - - - - - - Configure first run URL. - - - - - - - - - - - text/plain - - - - - HomePages - - - - - - - - When you enable the Configure Open Microsoft Edge With policy, you can configure one or more Start pages. When you enable this policy, users are not allowed to make changes to their Start pages. - -If enabled, you must include URLs to the pages, separating multiple pages using angle brackets in the following format: - - <support.contoso.com><support.microsoft.com> - -If disabled or not configured, the webpages specified in App settings loads as the default Start pages. - -Version 1703 or later: -If you do not want to send traffic to Microsoft, enable this policy and use the <about:blank> value, which honors domain- and non-domain-joined devices, when it is the only configured URL. - -Version 1809: -If enabled, and you select either Start page, New Tab page, or previous page in the Configure Open Microsoft Edge With policy, Microsoft Edge ignores the Configure Start Pages policy. If not configured or you set the Configure Open Microsoft Edge With policy to a specific page or pages, Microsoft Edge uses the Configure Start Pages policy. - -Supported devices: Domain-joined or MDM-enrolled -Related policy: -- Configure Open Microsoft Edge With -- Disable Lockdown of Start Pages - - - - - - - - - - - text/plain - - - - - LockdownFavorites - - - - - - - - This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge. - -If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off. - -Important -Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. - -If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list. - - - - - - - - - - - text/plain - - - - - PreventAccessToAboutFlagsInMicrosoftEdge - - - - - - - - Prevent access to the about:flags page in Microsoft Edge. - - - - - - - - - - - text/plain - - - - - PreventCertErrorOverrides - - - - - - - - Web security certificates are used to ensure a site your users go to is legitimate, and in some circumstances encrypts the data. With this policy, you can specify whether to prevent users from bypassing the security warning to sites that have SSL errors. - -If enabled, overriding certificate errors are not allowed. - -If disabled or not configured, overriding certificate errors are allowed. - - - - - - - - - - - text/plain - - - - - PreventFirstRunPage - - - - - - - - Specifies whether the First Run webpage is prevented from automatically opening on the first launch of Microsoft Edge. This policy is only available for Windows 10 version 1703 or later for desktop. - -Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. - - - - - - - - - - - text/plain - - - - - PreventLiveTileDataCollection - - - - - - - - This policy lets you decide whether Microsoft Edge can gather Live Tile metadata from the ieonline.microsoft.com service to provide a better experience while pinning a Live Tile to the Start menu. - -Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. - - - - - - - - - - - text/plain - - - - - PreventSmartScreenPromptOverride - - - - - - - - Don't allow Windows Defender SmartScreen warning overrides - - - - - - - - - - - text/plain - - - - - PreventSmartScreenPromptOverrideForFiles - - - - - - - - Don't allow Windows Defender SmartScreen warning overrides for unverified files. - - - - - - - - - - - text/plain - - - - - PreventTurningOffRequiredExtensions - - - - - - - - You can define a list of extensions in Microsoft Edge that users cannot turn off. You must deploy extensions through any available enterprise deployment channel, such as Microsoft Intune. When you enable this policy, users cannot uninstall extensions from their computer, but they can configure options for extensions defined in this policy, such as allow for InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically. - -When you enable this policy, you must provide a semi-colon delimited list of extension package family names (PFNs). For example, adding Microsoft.OneNoteWebClipper_8wekyb3d8bbwe;Microsoft.OfficeOnline_8wekyb3d8bbwe prevents a user from turning off the OneNote Web Clipper and Office Online extension. - -When enabled, removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. - -If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension. - -If disabled or not configured, extensions defined as part of this policy get ignored. - -Default setting: Disabled or not configured -Related policies: Allow Developer Tools -Related Documents: -- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/en-us/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn) -- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/en-us/intune/windows-store-for-business) -- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/en-us/intune/apps-deploy) -- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/en-us/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) -- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/en-us/intune/lob-apps-windows) - - - - - - - - - - - text/plain - - - - - PreventUsingLocalHostIPAddressForWebRTC - - - - - - - - Prevent using localhost IP address for WebRTC - - - - - - - - - - - text/plain - - - - - ProvisionFavorites - - - - - - - - This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. - -If you enable this setting, you can set favorite URL's and favorite folders to appear on top of users' favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites. - -Important -Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. - -If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar. - - - - - - - - - - - text/plain - - - - - SendIntranetTraffictoInternetExplorer - - - - - - - - Sends all intranet traffic over to Internet Explorer. - - - - - - - - - - - text/plain - - - - - SetDefaultSearchEngine - - - - - - - - Sets the default search engine for MDM-enrolled devices. Users can still change their default search engine. - -If this setting is turned on, you are setting the default search engine that you would like your employees to use. Employees can still change the default search engine, unless you apply the AllowSearchEngineCustomization policy which will disable the ability to change it. You must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. If you would like for your employees to use the Edge factory settings for the default search engine for their market, set the string EDGEDEFAULT; if you would like for your employees to use Bing as the default search engine, set the string EDGEBING. - -If this setting is not configured, the default search engine is set to the one specified in App settings and can be changed by your employees. If this setting is disabled, the policy-set search engine will be removed, and, if it is the current default, the default will be set back to the factory Microsoft Edge search engine for the market. - -Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. - - - - - - - - - - - text/plain - - - - - SetHomeButtonURL - - - - - - - - The home button can be configured to load a custom URL when your user clicks the home button. - -If enabled, or configured, and the Configure Home Button policy is enabled, and the Show home button & set a specific page is selected, a custom URL loads when your user clicks the home button. - -Default setting: Blank or not configured -Related policy: Configure Home Button - - - - - - - - - - - text/plain - - - - - SetNewTabPageURL - - - - - - - - You can set the default New Tab page URL in Microsoft Edge. Enabling this policy prevents your users from changing the New tab page setting. When enabled and the Allow web content on New Tab page policy is disabled, Microsoft Edge ignores the URL specified in this policy and opens about:blank. - -If enabled, you can set the default New Tab page URL. - -If disabled or not configured, the default Microsoft Edge new tab page is used. - -Default setting: Disabled or not configured -Related policy: Allow web content on New Tab page - - - - - - - - - - - text/plain - - - - - ShowMessageWhenOpeningSitesInInternetExplorer - - - - - - - - You can configure Microsoft Edge to open a site automatically in Internet Explorer 11 and choose to display a notification before the site opens. If you want to display a notification, you must enable Configure the Enterprise Mode Site List or Send all intranets sites to Internet Explorer 11 or both. - -If enabled, the notification appears on a new page. If you want users to continue in Microsoft Edge, select the Show Keep going in Microsoft Edge option from the drop-down list under Options. - -If disabled or not configured, the default app behavior occurs and no additional page displays. - -Default setting: Disabled or not configured -Related policies: --Configure the Enterprise Mode Site List --Send all intranet sites to Internet Explorer 11 - - - - - - - - - - - text/plain - - - - - SyncFavoritesBetweenIEAndMicrosoftEdge - - - - - - - - Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering. - - - - - - - - - - - text/plain - - - - - UnlockHomeButton - - - - - - - - By default, when enabling Configure Home Button or Set Home Button URL, the home button is locked down to prevent your users from changing what page loads when clicking the home button. Use this policy to let users change the home button even when Configure Home Button or Set Home Button URL are enabled. - -If enabled, the UI settings for the home button are enabled allowing your users to make changes, including hiding and showing the home button as well as configuring a custom URL. - -If disabled or not configured, the UI settings for the home button are disabled preventing your users from making changes. - -Default setting: Disabled or not configured -Related policy: --Configure Home Button --Set Home Button URL - - - - - - - - - - - text/plain - - - - - UseSharedFolderForBooks - - - - - - - - This setting specifies whether organizations should use a folder shared across users to store books from the Books Library. - - - - - - - - - - - text/plain - - - - - - CredentialsUI - - - - - - - - - - - - - - - - - - - - - DisablePasswordReveal - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Desktop - - - - - - - - - - - - - - - - - - - - - PreventUserRedirectionOfProfileFolders - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Display - - - - - - - - - - - - - - - - - - - - - EnablePerProcessDpi - - - - - - - - Enable or disable Per-Process System DPI for all applications. - - - - - - - - - - - text/plain - - - - - - Education - - - - - - - - - - - - - - - - - - - - - AllowGraphingCalculator - - - - - - - - This policy setting allows you to control whether graphing functionality is available in the Windows Calculator app. If you disable this policy setting, graphing functionality will not be accessible in the Windows Calculator app. If you enable or don't configure this policy setting, users will be able to access graphing functionality. - - - - - - - - - - - text/plain - - - - - DefaultPrinterName - - - - - - - - This policy sets user's default printer - - - - - - - - - - - text/plain - - - - - PreventAddingNewPrinters - - - - - - - - Boolean that specifies whether or not to prevent user to install new printers - - - - - - - - - - - text/plain - - - - - PrinterNames - - - - - - - - This policy provisions per-user network printers - - - - - - - - - - - text/plain - - - - - - EnterpriseCloudPrint - - - - - - - - - - - - - - - - - - - - - CloudPrinterDiscoveryEndPoint - - - - - - - - This policy provisions per-user discovery end point to discover cloud printers - - - - - - - - - - - text/plain - - - - - CloudPrintOAuthAuthority - - - - - - - - Authentication endpoint for acquiring OAuth tokens - - - - - - - - - - - text/plain - - - - - CloudPrintOAuthClientId - - - - - - - - A GUID identifying the client application authorized to retrieve OAuth tokens from the OAuthAuthority - - - - - - - - - - - text/plain - - - - - CloudPrintResourceId - - - - - - - - Resource URI for which access is being requested by the Enterprise Cloud Print client during OAuth authentication - - - - - - - - - - - text/plain - - - - - DiscoveryMaxPrinterLimit - - - - - - - - Defines the maximum number of printers that should be queried from discovery end point - - - - - - - - - - - text/plain - - - - - MopriaDiscoveryResourceId - - - - - - - - Resource URI for which access is being requested by the Mopria discovery client during OAuth authentication - - - - - - - - - - - text/plain - - - - - - Experience - - - - - - - - - - - - - - - - - - - - - AllowTailoredExperiencesWithDiagnosticData - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowThirdPartySuggestionsInWindowsSpotlight - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowWindowsSpotlight - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowWindowsSpotlightOnActionCenter - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowWindowsSpotlightOnSettings - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowWindowsSpotlightWindowsWelcomeExperience - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConfigureWindowsSpotlightOnLockScreen - - - - - - - - - - - - - - - - - - - text/plain - - - - - - InternetExplorer - - - - - - - - - - - - - - - - - - - - - AddSearchProvider - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowActiveXFiltering - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowAddOnList - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowAutoComplete - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowCertificateAddressMismatchWarning - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowDeletingBrowsingHistoryOnExit - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowEnhancedProtectedMode - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowEnhancedSuggestionsInAddressBar - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowEnterpriseModeFromToolsMenu - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowEnterpriseModeSiteList - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowInternetExplorer7PolicyList - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowInternetExplorerStandardsMode - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowInternetZoneTemplate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowIntranetZoneTemplate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowLocalMachineZoneTemplate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowLockedDownInternetZoneTemplate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowLockedDownIntranetZoneTemplate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowLockedDownLocalMachineZoneTemplate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowLockedDownRestrictedSitesZoneTemplate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowOneWordEntry - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowSiteToZoneAssignmentList - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowsLockedDownTrustedSitesZoneTemplate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowSoftwareWhenSignatureIsInvalid - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowsRestrictedSitesZoneTemplate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowSuggestedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowTrustedSitesZoneTemplate - - - - - - - - - - - - - - - - - - - text/plain - - - - - CheckServerCertificateRevocation - - - - - - - - - - - - - - - - - - - text/plain - - - - - CheckSignaturesOnDownloadedPrograms - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConsistentMimeHandlingInternetExplorerProcesses - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableActiveXVersionListAutoDownload - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableAdobeFlash - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableBypassOfSmartScreenWarnings - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableBypassOfSmartScreenWarningsAboutUncommonFiles - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableCompatView - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableConfiguringHistory - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableCrashDetection - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableCustomerExperienceImprovementProgramParticipation - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableDeletingUserVisitedWebsites - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableEnclosureDownloading - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableEncryptionSupport - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableFeedsBackgroundSync - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableFirstRunWizard - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableFlipAheadFeature - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableGeolocation - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableHomePageChange - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableIgnoringCertificateErrors - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableInPrivateBrowsing - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableProcessesInEnhancedProtectedMode - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableProxyChange - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableSearchProviderChange - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableSecondaryHomePageChange - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableSecuritySettingsCheck - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableWebAddressAutoComplete - - - - - - - - - - - - - - - - - - - text/plain - - - - - DoNotAllowActiveXControlsInProtectedMode - - - - - - - - - - - - - - - - - - - text/plain - - - - - DoNotBlockOutdatedActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - DoNotBlockOutdatedActiveXControlsOnSpecificDomains - - - - - - - - - - - - - - - - - - - text/plain - - - - - IncludeAllLocalSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - IncludeAllNetworkPaths - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowCopyPasteViaScript - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowDragAndDropCopyAndPasteFiles - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowFontDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowLoadingOfXAMLFiles - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowScriptInitiatedWindows - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowScriptlets - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowUpdatesToStatusBarViaScript - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowVBScriptToRunInInternetExplorer - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneDoNotRunAntimalwareAgainstActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneDownloadSignedActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneDownloadUnsignedActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneEnableCrossSiteScriptingFilter - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneEnableMIMESniffing - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneEnableProtectedMode - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneIncludeLocalPathWhenUploadingFilesToServer - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneJavaPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneLaunchingApplicationsAndFilesInIFRAME - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneLogonOptions - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneUsePopupBlocker - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneAllowFontDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneAllowScriptlets - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneDoNotRunAntimalwareAgainstActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneJavaPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneAllowFontDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneAllowScriptlets - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneJavaPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneAllowFontDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneAllowScriptlets - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneJavaPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetJavaPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneAllowFontDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneAllowScriptlets - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneAllowFontDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneAllowScriptlets - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneJavaPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneAllowFontDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneAllowScriptlets - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneJavaPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneAllowFontDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneAllowScriptlets - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneJavaPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - - - text/plain - - - - - MimeSniffingSafetyFeatureInternetExplorerProcesses - - - - - - - - - - - - - - - - - - - text/plain - - - - - MKProtocolSecurityRestrictionInternetExplorerProcesses - - - - - - - - - - - - - - - - - - - text/plain - - - - - NewTabDefaultPage - - - - - - - - - - - - - - - - - - - text/plain - - - - - NotificationBarInternetExplorerProcesses - - - - - - - - - - - - - - - - - - - text/plain - - - - - PreventManagingSmartScreenFilter - - - - - - - - - - - - - - - - - - - text/plain - - - - - PreventPerUserInstallationOfActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - ProtectionFromZoneElevationInternetExplorerProcesses - - - - - - - - - - - - - - - - - - - text/plain - - - - - RemoveRunThisTimeButtonForOutdatedActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictActiveXInstallInternetExplorerProcesses - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowActiveScripting - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowBinaryAndScriptBehaviors - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowCopyPasteViaScript - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowFontDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowLoadingOfXAMLFiles - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowMETAREFRESH - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowScriptInitiatedWindows - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowScriptlets - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowUpdatesToStatusBarViaScript - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneDownloadSignedActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneDownloadUnsignedActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneEnableCrossSiteScriptingFilter - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneEnableMIMESniffing - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneJavaPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneLogonOptions - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneRunActiveXControlsAndPlugins - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneScriptingOfJavaApplets - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneTurnOnProtectedMode - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneUsePopupBlocker - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictFileDownloadInternetExplorerProcesses - - - - - - - - - - - - - - - - - - - text/plain - - - - - ScriptedWindowSecurityRestrictionsInternetExplorerProcesses - - - - - - - - - - - - - - - - - - - text/plain - - - - - SearchProviderList - - - - - - - - - - - - - - - - - - - text/plain - - - - - SpecifyUseOfActiveXInstallerService - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneAllowFontDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneAllowScriptlets - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneJavaPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - - - text/plain - - - - - - KioskBrowser - - - - - - - - - - - - - - - - - - - - - BlockedUrlExceptions - - - - - - - - List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. - - - - - - - - - - - text/plain - - - - - BlockedUrls - - - - - - - - List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers can not navigate to. - - - - - - - - - - - text/plain - - - - - DefaultURL - - - - - - - - Configures the default URL kiosk browsers to navigate on launch and restart. - - - - - - - - - - - text/plain - - - - - EnableEndSessionButton - - - - - - - - Enable/disable kiosk browser's end session button. - - - - - - - - - - - text/plain - - - - - EnableHomeButton - - - - - - - - Enable/disable kiosk browser's home button. - - - - - - - - - - - text/plain - - - - - EnableNavigationButtons - - - - - - - - Enable/disable kiosk browser's navigation buttons (forward/back). - - - - - - - - - - - text/plain - - - - - RestartOnIdleTime - - - - - - - - Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state. - - - - - - - - - - - text/plain - - - - - - Multitasking - - - - - - - - - - - - - - - - - - - - - BrowserAltTabBlowout - - - - - - - - Configures the inclusion of Edge tabs into Alt-Tab. - - - - - - - - - - - text/plain - - - - - - Notifications - - - - - - - - - - - - - - - - - - - - - DisallowNotificationMirroring - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisallowTileNotification - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Printers - - - - - - - - - - - - - - - - - - - - - PointAndPrintRestrictions_User - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Privacy - - - - - - - - - - - - - - - - - - - - - DisablePrivacyExperience - - - - - - - - Enabling this policy prevents the privacy experience from launching during user logon for new and upgraded users. - - - - - - - - - - - text/plain - - - - - - Security - - - - - - - - - - - - - - - - - - - - - RecoveryEnvironmentAuthentication - - - - - - - - This policy controls the requirement of Admin Authentication in RecoveryEnvironment. - - - - - - - - - - - text/plain - - - - - - Settings - - - - - - - - - - - - - - - - - - - - - ConfigureTaskbarCalendar - - - - - - - - - - - - - - - - - - - text/plain - - - - - PageVisibilityList - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Start - - - - - - - - - - - - - - - - - - - - - DisableContextMenus - - - - - - - - Enabling this policy prevents context menus from being invoked in the Start Menu. - - - - - - - - - - - text/plain - - - - - ForceStartSize - - - - - - - - - - - - - - - - - - - text/plain - - - - - HideAppList - - - - - - - - Setting the value of this policy to 1 or 2 collapses the app list. Setting the value of this policy to 3 removes the app list entirely. Setting the value of this policy to 2 or 3 disables the corresponding toggle in the Settings app. - - - - - - - - - - - text/plain - - - - - HideFrequentlyUsedApps - - - - - - - - Enabling this policy hides the most used apps from appearing on the start menu and disables the corresponding toggle in the Settings app. - - - - - - - - - - - text/plain - - - - - HidePeopleBar - - - - - - - - Enabling this policy removes the people icon from the taskbar as well as the corresponding settings toggle. It also prevents users from pinning people to the taskbar. - - - - - - - - - - - text/plain - - - - - HideRecentJumplists - - - - - - - - Enabling this policy hides recent jumplists from appearing on the start menu/taskbar and disables the corresponding toggle in the Settings app. - - - - - - - - - - - text/plain - - - - - HideRecentlyAddedApps - - - - - - - - Enabling this policy hides recently added apps from appearing on the start menu and disables the corresponding toggle in the Settings app. - - - - - - - - - - - text/plain - - - - - StartLayout - - - - - - - - - - - - - - - - - - - text/plain - - - - - - System - - - - - - - - - - - - - - - - - - - - - AllowTelemetry - - - - - - - - - - - - - - - - - - - text/plain - - - - - - WindowsPowerShell - - - - - - - - - - - - - - - - - - - - - TurnOnPowerShellScriptBlockLogging - - - - - - - - - - - - - - - - - - - text/plain - - - - - - - Result - - - - - - - - - - - - - - - - - - - ApplicationManagement - - - - - - - - - - - - - - - - - - - MSIAlwaysInstallWithElevatedPrivileges - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - MSI.admx - MSI~AT~WindowsComponents~MSI - AlwaysInstallElevated - HighestValueMostSecure - - - - RequirePrivateStoreOnly - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsStore.admx - WindowsStore~AT~WindowsComponents~WindowsStore - RequirePrivateStoreOnly - HighestValueMostSecure - - - - - AttachmentManager - - - - - - - - - - - - - - - - - - - DoNotPreserveZoneInformation - - - - - - - - - - - - - - - - - text/plain - - phone - AttachmentManager.admx - AttachmentManager~AT~WindowsComponents~AM_AM - AM_MarkZoneOnSavedAtttachments - LastWrite - - - - HideZoneInfoMechanism - - - - - - - - - - - - - - - - - text/plain - - phone - AttachmentManager.admx - AttachmentManager~AT~WindowsComponents~AM_AM - AM_RemoveZoneInfo - LastWrite - - - - NotifyAntivirusPrograms - - - - - - - - - - - - - - - - - text/plain - - phone - AttachmentManager.admx - AttachmentManager~AT~WindowsComponents~AM_AM - AM_CallIOfficeAntiVirus - LastWrite - - - - - Authentication - - - - - - - - - - - - - - - - - - - AllowEAPCertSSO - - - - - 0 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - - Autoplay - - - - - - - - - - - - - - - - - - - DisallowAutoplayForNonVolumeDevices - - - - - - - - - - - - - - - - - text/plain - - phone - AutoPlay.admx - AutoPlay~AT~WindowsComponents~AutoPlay - NoAutoplayfornonVolume - LastWrite - - - - SetDefaultAutoRunBehavior - - - - - - - - - - - - - - - - - text/plain - - phone - AutoPlay.admx - AutoPlay~AT~WindowsComponents~AutoPlay - NoAutorun - LastWrite - - - - TurnOffAutoPlay - - - - - - - - - - - - - - - - - text/plain - - phone - AutoPlay.admx - AutoPlay~AT~WindowsComponents~AutoPlay - Autorun - LastWrite - - - - - Browser - - - - - - - - - - - - - - - - - - - AllowAddressBarDropdown - - - - - 1 - This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowAddressBarDropdown - LowestValueMostSecure - - - - AllowAutofill - - - - - 0 - This setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowAutofill - LowestValueMostSecure - - - - AllowBrowser - - - - - 1 - - - - - - - - - - - - text/plain - - - desktop - LowestValueMostSecure - - - - AllowConfigurationUpdateForBooksLibrary - - - - - 1 - This policy setting lets you decide whether Microsoft Edge can automatically update the configuration data for the Books Library. - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowCookies - - - - - 2 - This setting lets you configure how your company deals with cookies. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - CookiesListBox - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - Cookies - LowestValueMostSecure - - - - AllowDeveloperTools - - - - - 1 - This setting lets you decide whether employees can use F12 Developer Tools on Microsoft Edge. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowDeveloperTools - LowestValueMostSecure - - - - AllowDoNotTrack - - - - - 0 - This setting lets you decide whether employees can send Do Not Track headers to websites that request tracking info. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowDoNotTrack - LowestValueMostSecure - - - - AllowExtensions - - - - - 1 - This setting lets you decide whether employees can load extensions in Microsoft Edge. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowExtensions - LowestValueMostSecure - - - - AllowFlash - - - - - 1 - This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowFlash - HighestValueMostSecure - - - - AllowFlashClickToRun - - - - - 1 - Configure the Adobe Flash Click-to-Run setting. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowFlashClickToRun - HighestValueMostSecure - - - - AllowFullScreenMode - - - - - 1 - With this policy, you can specify whether to allow full-screen mode, which shows only the web content and hides the Microsoft Edge UI. - -If enabled or not configured, full-screen mode is available for use in Microsoft Edge. Your users and extensions must have the proper permissions. - -If disabled, full-screen mode is unavailable for use in Microsoft Edge. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowFullScreenMode - LowestValueMostSecure - - - - AllowInPrivate - - - - - 1 - This setting lets you decide whether employees can browse using InPrivate website browsing. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowInPrivate - LowestValueMostSecure - - - - AllowMicrosoftCompatibilityList - - - - - 1 - This policy setting lets you decide whether the Microsoft Compatibility List is enabled or disabled in Microsoft Edge. This feature uses a Microsoft-provided list to ensure that any sites with known compatibility issues are displayed correctly when a user navigates to them. By default, the Microsoft Compatibility List is enabled and can be viewed by navigating to about:compat. - -If you enable or don’t configure this setting, Microsoft Edge will periodically download the latest version of the list from Microsoft and will apply the configurations specified there during browser navigation. If a user visits a site on the Microsoft Compatibility List, he or she will be prompted to open the site in Internet Explorer 11. Once in Internet Explorer, the site will automatically be rendered as if the user is viewing it in the previous version of Internet Explorer it requires to display correctly. - -If you disable this setting, the Microsoft Compatibility List will not be used during browser navigation. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowCVList - LowestValueMostSecure - - - - AllowPasswordManager - - - - - 1 - This setting lets you decide whether employees can save their passwords locally, using Password Manager. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowPasswordManager - LowestValueMostSecure - - - - AllowPopups - - - - - 0 - This setting lets you decide whether to turn on Pop-up Blocker and whether to allow pop-ups to appear in secondary windows. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowPopups - LowestValueMostSecure - - - - AllowPrelaunch - - - - - 1 - Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowPrelaunch - LowestValueMostSecure - - - - AllowPrinting - - - - - 1 - With this policy, you can restrict whether printing web content in Microsoft Edge is allowed. - -If enabled, printing is allowed. - -If disabled, printing is not allowed. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowPrinting - LowestValueMostSecure - - - - AllowSavingHistory - - - - - 1 - Microsoft Edge saves your user's browsing history, which is made up of info about the websites they visit, on their devices. - -If enabled or not configured, the browsing history is saved and visible in the History pane. - -If disabled, the browsing history stops saving and is not visible in the History pane. If browsing history exists before this policy was disabled, the previous browsing history remains visible in the History pane. This policy, when disabled, does not stop roaming of existing history or history coming from other roamed devices. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowSavingHistory - LowestValueMostSecure - - - - AllowSearchEngineCustomization - - - - - 1 - Allow search engine customization for MDM enrolled devices. Users can change their default search engine. - -If this setting is turned on or not configured, users can add new search engines and change the default used in the address bar from within Microsoft Edge Settings. -If this setting is disabled, users will be unable to add search engines or change the default used in the address bar. - -This policy will only apply on domain joined machines or when the device is MDM enrolled. For more information, see Microsoft browser extension policy (aka.ms/browserpolicy). - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowSearchEngineCustomization - LowestValueMostSecure - - - - AllowSearchSuggestionsinAddressBar - - - - - 1 - This setting lets you decide whether search suggestions should appear in the Address bar of Microsoft Edge. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowSearchSuggestionsinAddressBar - LowestValueMostSecure - - - - AllowSideloadingOfExtensions - - - - - 1 - This setting lets you decide whether employees can sideload extensions in Microsoft Edge. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowSideloadingOfExtensions - LowestValueMostSecure - - - - AllowSmartScreen - - - - - 1 - This setting lets you decide whether to turn on Windows Defender SmartScreen. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowSmartScreen - LowestValueMostSecure - - - - AllowTabPreloading - - - - - 1 - Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowTabPreloading - LowestValueMostSecure - - - - AllowWebContentOnNewTabPage - - - - - 1 - This policy setting lets you configure what appears when Microsoft Edge opens a new tab. By default, Microsoft Edge opens the New Tab page. - -If you enable this setting, Microsoft Edge opens a new tab with the New Tab page. - -If you disable this setting, Microsoft Edge opens a new tab with a blank page. If you use this setting, employees can't change it. - -If you don't configure this setting, employees can choose how new tabs appears. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowWebContentOnNewTabPage - LowestValueMostSecure - - - - AlwaysEnableBooksLibrary - - - - - 0 - Specifies whether the Books Library in Microsoft Edge will always be visible regardless of the country or region setting for the device. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AlwaysEnableBooksLibrary - LowestValueMostSecure - - - - ClearBrowsingDataOnExit - - - - - 0 - Specifies whether to always clear browsing history on exiting Microsoft Edge. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowClearingBrowsingDataOnExit - LowestValueMostSecure - - - - ConfigureAdditionalSearchEngines - - - - - - Allows you to add up to 5 additional search engines for MDM-enrolled devices. - -If this setting is turned on, you can add up to 5 additional search engines for your employee. For each additional search engine you wish to add, you must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. This policy does not affect the default search engine. Employees will not be able to remove these search engines, but they can set any one of these as the default. - -If this setting is not configured, the search engines are the ones specified in the App settings. If this setting is disabled, the search engines you had added will be deleted from your employee's machine. - -Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. - - - - - - - - - - - text/plain - - MicrosoftEdge.admx - ConfigureAdditionalSearchEngines_Prompt - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - ConfigureAdditionalSearchEngines - LastWrite - - - - ConfigureFavoritesBar - - - - - 0 - The favorites bar shows your user's links to sites they have added to it. With this policy, you can specify whether to set the favorites bar to always be visible or hidden on any page. - -If enabled, favorites bar is always visible on any page, and the favorites bar toggle in Settings sets to On, but disabled preventing your users from making changes. An error message also shows at the top of the Settings pane indicating that your organization manages some settings. The show bar/hide bar option is hidden from the context menu. - -If disabled, the favorites bar is hidden, and the favorites bar toggle resets to Off, but disabled preventing your users from making changes. An error message also shows at the top of the Settings pane indicating that your organization manages some settings. - -If not configured, the favorites bar is hidden but is visible on the Start and New Tab pages, and the favorites bar toggle in Settings sets to Off but is enabled allowing the user to make changes. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - ConfigureFavoritesBar - LowestValueMostSecure - - - - ConfigureHomeButton - - - - - 0 - The Home button loads either the default Start page, the New tab page, or a URL defined in the Set Home Button URL policy. - -By default, this policy is disabled or not configured and clicking the home button loads the default Start page. - -When enabled, the home button is locked down preventing your users from making changes in Microsoft Edge's UI settings. To let your users change the Microsoft Edge UI settings, enable the Unlock Home Button policy. - -If Enabled AND: -- Show home button & set to Start page is selected, clicking the home button loads the Start page. -- Show home button & set to New tab page is selected, clicking the home button loads a New tab page. -- Show home button & set a specific page is selected, clicking the home button loads the URL specified in the Set Home Button URL policy. -- Hide home button is selected, the home button is hidden in Microsoft Edge. - -Default setting: Disabled or not configured -Related policies: -- Set Home Button URL -- Unlock Home Button - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - ConfigureHomeButtonDropdown - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - ConfigureHomeButton - LastWrite - - - - ConfigureKioskMode - - - - - 0 - Configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access, either as a single app or as one of multiple apps running on the kiosk device. You can control whether Microsoft Edge runs InPrivate full screen, InPrivate multi-tab with limited functionality, or normal Microsoft Edge. - -You need to configure Microsoft Edge in assigned access for this policy to take effect; otherwise, these settings are ignored. To learn more about assigned access and kiosk configuration, see “Configure kiosk and shared devices running Windows desktop editions” (https://aka.ms/E489vw). - -If enabled and set to 0 (Default or not configured): -- If it’s a single app, it runs InPrivate full screen for digital signage or interactive displays. -- If it’s one of many apps, Microsoft Edge runs as normal. -If enabled and set to 1: -- If it’s a single app, it runs a limited multi-tab version of InPrivate and is the only app available for public browsing. Users can’t minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking “End session.” You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy. -- If it’s one of many apps, it runs in a limited multi-tab version of InPrivate for public browsing with other apps. Users can minimize, close, and open multiple InPrivate windows, but they can’t customize Microsoft Edge. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - ConfigureKioskMode_TextBox - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - ConfigureKioskMode - LastWrite - - - - ConfigureKioskResetAfterIdleTimeout - - - - - 5 - You can configure Microsoft Edge to reset to the configured start experience after a specified amount of idle time. The reset timer begins after the last user interaction. Resetting to the configured start experience deletes the current user’s browsing data. - -If enabled, you can set the idle time in minutes (0-1440). You must set the Configure kiosk mode policy to 1 and configure Microsoft Edge in assigned access as a single app for this policy to work. Once the idle time meets the time specified, a confirmation message prompts the user to continue, and if no user action, Microsoft Edge resets after 30 seconds. - -If you set this policy to 0, Microsoft Edge does not use an idle timer. - -If disabled or not configured, the default value is 5 minutes. - -If you do not configure Microsoft Edge in assigned access, then this policy does not take effect. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - ConfigureKioskResetAfterIdleTimeout_TextBox - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - ConfigureKioskResetAfterIdleTimeout - LastWrite - - - - ConfigureOpenMicrosoftEdgeWith - - - - - 3 - You can configure Microsoft Edge to lock down the Start page, preventing users from changing or customizing it. - -If enabled, you can choose one of the following options: -- Start page: the Start page loads ignoring the Configure Start Pages policy. -- New tab page: the New tab page loads ignoring the Configure Start Pages policy. -- Previous pages: all tabs the user had open when Microsoft Edge last closed loads ignoring the Configure Start Pages policy. -- A specific page or pages: the URL(s) specified with Configure Start Pages policy load(s). If selected, you must specify at least one URL in Configure Start Pages; otherwise, this policy is ignored. - -When enabled, and you want to make changes, you must first set the Disable Lockdown of Start Pages to not configured, make the changes to the Configure Open Edge With policy, and then enable the Disable Lockdown of Start Pages policy. - -If disabled or not configured, and you enable the Disable Lockdown of Start Pages policy, your users can change or customize the Start page. - -Default setting: A specific page or pages (default) -Related policies: --Disable Lockdown of Start Pages --Configure Start Pages - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - ConfigureOpenEdgeWithListBox - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - ConfigureOpenEdgeWith - LastWrite - - - - ConfigureTelemetryForMicrosoft365Analytics - - - - - 0 - Configures what browsing data will be sent to Microsoft 365 Analytics for devices belonging to an organization. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - ZonesListBox - MicrosoftEdge~AT~WindowsComponents~DataCollectionAndPreviewBuilds - ConfigureTelemetryForMicrosoft365Analytics - LowestValueMostSecure - - - - DisableLockdownOfStartPages - - - - - 0 - You can configure Microsoft Edge to disable the lockdown of Start pages allowing users to change or customize their start pages. To do this, you must also enable the Configure Start Pages or Configure Open Microsoft With policy. When enabled, all configured start pages are editable. Any Start page configured using the Configure Start pages policy is not locked down allowing users to edit their Start pages. - -If disabled or not configured, the Start pages configured in the Configure Start Pages policy cannot be changed and remain locked down. - -Supported devices: Domain-joined or MDM-enrolled -Related policy: -- Configure Start Pages -- Configure Open Microsoft Edge With - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - DisableLockdownOfStartPagesListBox - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - DisableLockdownOfStartPages - LowestValueMostSecure - - - - EnableExtendedBooksTelemetry - - - - - 0 - This setting allows organizations to send extended telemetry on book usage from the Books Library. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - EnableExtendedBooksTelemetry - LowestValueMostSecure - - - - EnterpriseModeSiteList - - - - - - This setting lets you configure whether your company uses Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy websites. - - - - - - - - - - - text/plain - - phone - MicrosoftEdge.admx - EnterSiteListPrompt - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - EnterpriseModeSiteList - LastWrite - - - - EnterpriseSiteListServiceUrl - - - - - - - - - - - - - - - - - text/plain - - phone - LastWrite - - - - FirstRunURL - - - - - - Configure first run URL. - - - - - - - - - - - text/plain - - desktop - LastWrite - - - - HomePages - - - - - - When you enable the Configure Open Microsoft Edge With policy, you can configure one or more Start pages. When you enable this policy, users are not allowed to make changes to their Start pages. - -If enabled, you must include URLs to the pages, separating multiple pages using angle brackets in the following format: - - <support.contoso.com><support.microsoft.com> - -If disabled or not configured, the webpages specified in App settings loads as the default Start pages. - -Version 1703 or later: -If you do not want to send traffic to Microsoft, enable this policy and use the <about:blank> value, which honors domain- and non-domain-joined devices, when it is the only configured URL. - -Version 1809: -If enabled, and you select either Start page, New Tab page, or previous page in the Configure Open Microsoft Edge With policy, Microsoft Edge ignores the Configure Start Pages policy. If not configured or you set the Configure Open Microsoft Edge With policy to a specific page or pages, Microsoft Edge uses the Configure Start Pages policy. - -Supported devices: Domain-joined or MDM-enrolled -Related policy: -- Configure Open Microsoft Edge With -- Disable Lockdown of Start Pages - - - - - - - - - - - text/plain - - phone - MicrosoftEdge.admx - HomePagesPrompt - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - HomePages - LastWrite - - - - LockdownFavorites - - - - - 0 - This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge. - -If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off. - -Important -Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. - -If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - LockdownFavorites - LowestValueMostSecure - - - - PreventAccessToAboutFlagsInMicrosoftEdge - - - - - 0 - Prevent access to the about:flags page in Microsoft Edge. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - PreventAccessToAboutFlagsInMicrosoftEdge - HighestValueMostSecure - - - - PreventCertErrorOverrides - - - - - 0 - Web security certificates are used to ensure a site your users go to is legitimate, and in some circumstances encrypts the data. With this policy, you can specify whether to prevent users from bypassing the security warning to sites that have SSL errors. - -If enabled, overriding certificate errors are not allowed. - -If disabled or not configured, overriding certificate errors are allowed. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - PreventCertErrorOverrides - HighestValueMostSecure - - - - PreventFirstRunPage - - - - - 0 - Specifies whether the First Run webpage is prevented from automatically opening on the first launch of Microsoft Edge. This policy is only available for Windows 10 version 1703 or later for desktop. - -Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - PreventFirstRunPage - HighestValueMostSecure - - - - PreventLiveTileDataCollection - - - - - 0 - This policy lets you decide whether Microsoft Edge can gather Live Tile metadata from the ieonline.microsoft.com service to provide a better experience while pinning a Live Tile to the Start menu. - -Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - PreventLiveTileDataCollection - HighestValueMostSecure - - - - PreventSmartScreenPromptOverride - - - - - 0 - Don't allow Windows Defender SmartScreen warning overrides - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - PreventSmartScreenPromptOverride - HighestValueMostSecure - - - - PreventSmartScreenPromptOverrideForFiles - - - - - 0 - Don't allow Windows Defender SmartScreen warning overrides for unverified files. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - PreventSmartScreenPromptOverrideForFiles - HighestValueMostSecure - - - - PreventTurningOffRequiredExtensions - - - - - - You can define a list of extensions in Microsoft Edge that users cannot turn off. You must deploy extensions through any available enterprise deployment channel, such as Microsoft Intune. When you enable this policy, users cannot uninstall extensions from their computer, but they can configure options for extensions defined in this policy, such as allow for InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically. - -When you enable this policy, you must provide a semi-colon delimited list of extension package family names (PFNs). For example, adding Microsoft.OneNoteWebClipper_8wekyb3d8bbwe;Microsoft.OfficeOnline_8wekyb3d8bbwe prevents a user from turning off the OneNote Web Clipper and Office Online extension. - -When enabled, removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. - -If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension. - -If disabled or not configured, extensions defined as part of this policy get ignored. - -Default setting: Disabled or not configured -Related policies: Allow Developer Tools -Related Documents: -- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/en-us/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn) -- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/en-us/intune/windows-store-for-business) -- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/en-us/intune/apps-deploy) -- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/en-us/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) -- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/en-us/intune/lob-apps-windows) - - - - - - - - - - - text/plain - - phone - MicrosoftEdge.admx - PreventTurningOffRequiredExtensions_Prompt - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - PreventTurningOffRequiredExtensions - LastWrite - - - - PreventUsingLocalHostIPAddressForWebRTC - - - - - 0 - Prevent using localhost IP address for WebRTC - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - HideLocalHostIPAddress - HighestValueMostSecure - - - - ProvisionFavorites - - - - - - This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. - -If you enable this setting, you can set favorite URL's and favorite folders to appear on top of users' favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites. - -Important -Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. - -If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar. - - - - - - - - - - - text/plain - - MicrosoftEdge.admx - ConfiguredFavoritesPrompt - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - ConfiguredFavorites - LastWrite - - - - SendIntranetTraffictoInternetExplorer - - - - - 0 - Sends all intranet traffic over to Internet Explorer. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - SendIntranetTraffictoInternetExplorer - HighestValueMostSecure - - - - SetDefaultSearchEngine - - - - - - Sets the default search engine for MDM-enrolled devices. Users can still change their default search engine. - -If this setting is turned on, you are setting the default search engine that you would like your employees to use. Employees can still change the default search engine, unless you apply the AllowSearchEngineCustomization policy which will disable the ability to change it. You must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. If you would like for your employees to use the Edge factory settings for the default search engine for their market, set the string EDGEDEFAULT; if you would like for your employees to use Bing as the default search engine, set the string EDGEBING. - -If this setting is not configured, the default search engine is set to the one specified in App settings and can be changed by your employees. If this setting is disabled, the policy-set search engine will be removed, and, if it is the current default, the default will be set back to the factory Microsoft Edge search engine for the market. - -Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. - - - - - - - - - - - text/plain - - MicrosoftEdge.admx - SetDefaultSearchEngine_Prompt - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - SetDefaultSearchEngine - LastWrite - - - - SetHomeButtonURL - - - - - - The home button can be configured to load a custom URL when your user clicks the home button. - -If enabled, or configured, and the Configure Home Button policy is enabled, and the Show home button & set a specific page is selected, a custom URL loads when your user clicks the home button. - -Default setting: Blank or not configured -Related policy: Configure Home Button - - - - - - - - - - - text/plain - - phone - MicrosoftEdge.admx - SetHomeButtonURLPrompt - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - SetHomeButtonURL - LastWrite - - - - SetNewTabPageURL - - - - - - You can set the default New Tab page URL in Microsoft Edge. Enabling this policy prevents your users from changing the New tab page setting. When enabled and the Allow web content on New Tab page policy is disabled, Microsoft Edge ignores the URL specified in this policy and opens about:blank. - -If enabled, you can set the default New Tab page URL. - -If disabled or not configured, the default Microsoft Edge new tab page is used. - -Default setting: Disabled or not configured -Related policy: Allow web content on New Tab page - - - - - - - - - - - text/plain - - phone - MicrosoftEdge.admx - SetNewTabPageURLPrompt - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - SetNewTabPageURL - LastWrite - - - - ShowMessageWhenOpeningSitesInInternetExplorer - - - - - 0 - You can configure Microsoft Edge to open a site automatically in Internet Explorer 11 and choose to display a notification before the site opens. If you want to display a notification, you must enable Configure the Enterprise Mode Site List or Send all intranets sites to Internet Explorer 11 or both. - -If enabled, the notification appears on a new page. If you want users to continue in Microsoft Edge, select the Show Keep going in Microsoft Edge option from the drop-down list under Options. - -If disabled or not configured, the default app behavior occurs and no additional page displays. - -Default setting: Disabled or not configured -Related policies: --Configure the Enterprise Mode Site List --Send all intranet sites to Internet Explorer 11 - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - ShowMessageWhenOpeningSitesInInternetExplorer - HighestValueMostSecure - - - - SyncFavoritesBetweenIEAndMicrosoftEdge - - - - - 0 - Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - SyncFavoritesBetweenIEAndMicrosoftEdge - LowestValueMostSecure - - - - UnlockHomeButton - - - - - 0 - By default, when enabling Configure Home Button or Set Home Button URL, the home button is locked down to prevent your users from changing what page loads when clicking the home button. Use this policy to let users change the home button even when Configure Home Button or Set Home Button URL are enabled. - -If enabled, the UI settings for the home button are enabled allowing your users to make changes, including hiding and showing the home button as well as configuring a custom URL. - -If disabled or not configured, the UI settings for the home button are disabled preventing your users from making changes. - -Default setting: Disabled or not configured -Related policy: --Configure Home Button --Set Home Button URL - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - UnlockHomeButton - LowestValueMostSecure - - - - UseSharedFolderForBooks - - - - - 0 - This setting specifies whether organizations should use a folder shared across users to store books from the Books Library. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - UseSharedFolderForBooks - LowestValueMostSecure - - - - - CredentialsUI - - - - - - - - - - - - - - - - - - - DisablePasswordReveal - - - - - - - - - - - - - - - - - text/plain - - phone - credui.admx - CredUI~AT~WindowsComponents~CredUI - DisablePasswordReveal - LastWrite - - - - - Desktop - - - - - - - - - - - - - - - - - - - PreventUserRedirectionOfProfileFolders - - - - - - - - - - - - - - - - - text/plain - - phone - desktop.admx - desktop~AT~Desktop - DisablePersonalDirChange - LastWrite - - - - - Display - - - - - - - - - - - - - - - - - - - EnablePerProcessDpi - - - - - - Enable or disable Per-Process System DPI for all applications. - - - - - - - - - - - text/plain - - - phone - Display.admx - DisplayGlobalPerProcessSystemDpiSettings - Display~AT~System~DisplayCat - DisplayPerProcessSystemDpiSettings - LowestValueMostSecure - - - - - Education - - - - - - - - - - - - - - - - - - - AllowGraphingCalculator - - - - - 1 - This policy setting allows you to control whether graphing functionality is available in the Windows Calculator app. If you disable this policy setting, graphing functionality will not be accessible in the Windows Calculator app. If you enable or don't configure this policy setting, users will be able to access graphing functionality. - - - - - - - - - - - text/plain - - - Programs.admx - Programs~AT~WindowsComponents~Calculator - AllowGraphingCalculator - LowestValueMostSecure - - - - DefaultPrinterName - - - - - - This policy sets user's default printer - - - - - - - - - - - text/plain - - LastWrite - - - - PreventAddingNewPrinters - - - - - 0 - Boolean that specifies whether or not to prevent user to install new printers - - - - - - - - - - - text/plain - - - Printing.admx - Printing~AT~ControlPanel~CplPrinters - NoAddPrinter - HighestValueMostSecure - - - - PrinterNames - - - - - - This policy provisions per-user network printers - - - - - - - - - - - text/plain - - LastWrite - - - - - EnterpriseCloudPrint - - - - - - - - - - - - - - - - - - - CloudPrinterDiscoveryEndPoint - - - - - - This policy provisions per-user discovery end point to discover cloud printers - - - - - - - - - - - text/plain - - LastWrite - - - - CloudPrintOAuthAuthority - - - - - - Authentication endpoint for acquiring OAuth tokens - - - - - - - - - - - text/plain - - LastWrite - - - - CloudPrintOAuthClientId - - - - - - A GUID identifying the client application authorized to retrieve OAuth tokens from the OAuthAuthority - - - - - - - - - - - text/plain - - LastWrite - - - - CloudPrintResourceId - - - - - - Resource URI for which access is being requested by the Enterprise Cloud Print client during OAuth authentication - - - - - - - - - - - text/plain - - LastWrite - - - - DiscoveryMaxPrinterLimit - - - - - 20 - Defines the maximum number of printers that should be queried from discovery end point - - - - - - - - - - - text/plain - - - LastWrite - - - - MopriaDiscoveryResourceId - - - - - - Resource URI for which access is being requested by the Mopria discovery client during OAuth authentication - - - - - - - - - - - text/plain - - LastWrite - - - - - Experience - - - - - - - - - - - - - - - - - - - AllowTailoredExperiencesWithDiagnosticData - - - - - 1 - - - - - - - - - - - - text/plain - - - CloudContent.admx - CloudContent~AT~WindowsComponents~CloudContent - DisableTailoredExperiencesWithDiagnosticData - LowestValueMostSecure - - - - AllowThirdPartySuggestionsInWindowsSpotlight - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - CloudContent.admx - CloudContent~AT~WindowsComponents~CloudContent - DisableThirdPartySuggestions - LowestValueMostSecure - - - - AllowWindowsSpotlight - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - CloudContent.admx - CloudContent~AT~WindowsComponents~CloudContent - DisableWindowsSpotlightFeatures - LowestValueMostSecure - - - - AllowWindowsSpotlightOnActionCenter - - - - - 1 - - - - - - - - - - - - text/plain - - - CloudContent.admx - CloudContent~AT~WindowsComponents~CloudContent - DisableWindowsSpotlightOnActionCenter - LowestValueMostSecure - - - - AllowWindowsSpotlightOnSettings - - - - - 1 - - - - - - - - - - - - text/plain - - - CloudContent.admx - CloudContent~AT~WindowsComponents~CloudContent - DisableWindowsSpotlightOnSettings - LowestValueMostSecure - - - - AllowWindowsSpotlightWindowsWelcomeExperience - - - - - 1 - - - - - - - - - - - - text/plain - - - CloudContent.admx - CloudContent~AT~WindowsComponents~CloudContent - DisableWindowsSpotlightWindowsWelcomeExperience - LowestValueMostSecure - - - - ConfigureWindowsSpotlightOnLockScreen - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - CloudContent.admx - CloudContent~AT~WindowsComponents~CloudContent - ConfigureWindowsSpotlight - LowestValueMostSecure - - - - - InternetExplorer - - - - - - - - - - - - - - - - - - - AddSearchProvider - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - AddSearchProvider - LastWrite - - - - AllowActiveXFiltering - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - TurnOnActiveXFiltering - LastWrite - - - - AllowAddOnList - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement - AddonManagement_AddOnList - LastWrite - - - - AllowAutoComplete - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - RestrictFormSuggestPW - LastWrite - - - - AllowCertificateAddressMismatchWarning - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyWarnCertMismatch - LastWrite - - - - AllowDeletingBrowsingHistoryOnExit - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~DeleteBrowsingHistory - DBHDisableDeleteOnExit - LastWrite - - - - AllowEnhancedProtectedMode - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage - Advanced_EnableEnhancedProtectedMode - LastWrite - - - - AllowEnhancedSuggestionsInAddressBar - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - AllowServicePoweredQSA - LastWrite - - - - AllowEnterpriseModeFromToolsMenu - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - EnterpriseModeEnable - LastWrite - - - - AllowEnterpriseModeSiteList - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - EnterpriseModeSiteList - LastWrite - - - - AllowInternetExplorer7PolicyList - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~CategoryCompatView - CompatView_UsePolicyList - LastWrite - - - - AllowInternetExplorerStandardsMode - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~CategoryCompatView - CompatView_IntranetSites - LastWrite - - - - AllowInternetZoneTemplate - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyInternetZoneTemplate - LastWrite - - - - AllowIntranetZoneTemplate - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyIntranetZoneTemplate - LastWrite - - - - AllowLocalMachineZoneTemplate - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyLocalMachineZoneTemplate - LastWrite - - - - AllowLockedDownInternetZoneTemplate - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyInternetZoneLockdownTemplate - LastWrite - - - - AllowLockedDownIntranetZoneTemplate - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyIntranetZoneLockdownTemplate - LastWrite - - - - AllowLockedDownLocalMachineZoneTemplate - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyLocalMachineZoneLockdownTemplate - LastWrite - - - - AllowLockedDownRestrictedSitesZoneTemplate - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyRestrictedSitesZoneLockdownTemplate - LastWrite - - - - AllowOneWordEntry - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetSettings~Advanced~Browsing - UseIntranetSiteForOneWordEntry - LastWrite - - - - AllowSiteToZoneAssignmentList - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_Zonemaps - LastWrite - - - - AllowsLockedDownTrustedSitesZoneTemplate - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyTrustedSitesZoneLockdownTemplate - LastWrite - - - - AllowSoftwareWhenSignatureIsInvalid - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage - Advanced_InvalidSignatureBlock - LastWrite - - - - AllowsRestrictedSitesZoneTemplate - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyRestrictedSitesZoneTemplate - LastWrite - - - - AllowSuggestedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - EnableSuggestedSites - LastWrite - - - - AllowTrustedSitesZoneTemplate - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyTrustedSitesZoneTemplate - LastWrite - - - - CheckServerCertificateRevocation - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage - Advanced_CertificateRevocation - LastWrite - - - - CheckSignaturesOnDownloadedPrograms - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage - Advanced_DownloadSignatures - LastWrite - - - - ConsistentMimeHandlingInternetExplorerProcesses - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryConsistentMimeHandling - IESF_PolicyExplorerProcesses_5 - LastWrite - - - - DisableActiveXVersionListAutoDownload - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement - VersionListAutomaticDownloadDisable - LastWrite - - - - DisableAdobeFlash - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement - DisableFlashInIE - LastWrite - - - - DisableBypassOfSmartScreenWarnings - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - DisableSafetyFilterOverride - LastWrite - - - - DisableBypassOfSmartScreenWarningsAboutUncommonFiles - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - DisableSafetyFilterOverrideForAppRepUnknown - LastWrite - - - - DisableCompatView - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~CategoryCompatView - CompatView_DisableList - LastWrite - - - - DisableConfiguringHistory - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~DeleteBrowsingHistory - RestrictHistory - LastWrite - - - - DisableCrashDetection - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - AddonManagement_RestrictCrashDetection - LastWrite - - - - DisableCustomerExperienceImprovementProgramParticipation - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - SQM_DisableCEIP - LastWrite - - - - DisableDeletingUserVisitedWebsites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~DeleteBrowsingHistory - DBHDisableDeleteHistory - LastWrite - - - - DisableEnclosureDownloading - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~RSS_Feeds - Disable_Downloading_of_Enclosures - LastWrite - - - - DisableEncryptionSupport - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage - Advanced_SetWinInetProtocols - LastWrite - - - - DisableFeedsBackgroundSync - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~RSS_Feeds - Disable_Background_Syncing - LastWrite - - - - DisableFirstRunWizard - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - NoFirstRunCustomise - LastWrite - - - - DisableFlipAheadFeature - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage - Advanced_DisableFlipAhead - LastWrite - - - - DisableGeolocation - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - GeolocationDisable - LastWrite - - - - DisableHomePageChange - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - RestrictHomePage - LastWrite - - - - DisableIgnoringCertificateErrors - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL - NoCertError - LastWrite - - - - DisableInPrivateBrowsing - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~CategoryPrivacy - DisableInPrivateBrowsing - LastWrite - - - - DisableProcessesInEnhancedProtectedMode - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage - Advanced_EnableEnhancedProtectedMode64Bit - LastWrite - - - - DisableProxyChange - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - RestrictProxy - LastWrite - - - - DisableSearchProviderChange - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - NoSearchProvider - LastWrite - - - - DisableSecondaryHomePageChange - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - SecondaryHomePages - LastWrite - - - - DisableSecuritySettingsCheck - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - Disable_Security_Settings_Check - LastWrite - - - - DisableWebAddressAutoComplete - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - RestrictWebAddressSuggest - LastWrite - - - - DoNotAllowActiveXControlsInProtectedMode - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage - Advanced_DisableEPMCompat - LastWrite - - - - DoNotBlockOutdatedActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement - VerMgmtDisable - LastWrite - - - - DoNotBlockOutdatedActiveXControlsOnSpecificDomains - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement - VerMgmtDomainAllowlist - LastWrite - - - - IncludeAllLocalSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_IncludeUnspecifiedLocalSites - LastWrite - - - - IncludeAllNetworkPaths - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_UNCAsIntranet - LastWrite - - - - InternetZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyAccessDataSourcesAcrossDomains_1 - LastWrite - - - - InternetZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyNotificationBarActiveXURLaction_1 - LastWrite - - - - InternetZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyNotificationBarDownloadURLaction_1 - LastWrite - - - - InternetZoneAllowCopyPasteViaScript - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyAllowPasteViaScript_1 - LastWrite - - - - InternetZoneAllowDragAndDropCopyAndPasteFiles - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyDropOrPasteFiles_1 - LastWrite - - - - InternetZoneAllowFontDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyFontDownload_1 - LastWrite - - - - InternetZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyZoneElevationURLaction_1 - LastWrite - - - - InternetZoneAllowLoadingOfXAMLFiles - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_Policy_XAML_1 - LastWrite - - - - InternetZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyUnsignedFrameworkComponentsURLaction_1 - LastWrite - - - - InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Internet - LastWrite - - - - InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyAllowTDCControl_Both_Internet - LastWrite - - - - InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_Policy_WebBrowserControl_1 - LastWrite - - - - InternetZoneAllowScriptInitiatedWindows - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyWindowsRestrictionsURLaction_1 - LastWrite - - - - InternetZoneAllowScriptlets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_Policy_AllowScriptlets_1 - LastWrite - - - - InternetZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_Policy_Phishing_1 - LastWrite - - - - InternetZoneAllowUpdatesToStatusBarViaScript - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_Policy_ScriptStatusBar_1 - LastWrite - - - - InternetZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyUserdataPersistence_1 - LastWrite - - - - InternetZoneAllowVBScriptToRunInInternetExplorer - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyAllowVBScript_1 - LastWrite - - - - InternetZoneDoNotRunAntimalwareAgainstActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyAntiMalwareCheckingOfActiveXControls_1 - LastWrite - - - - InternetZoneDownloadSignedActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyDownloadSignedActiveX_1 - LastWrite - - - - InternetZoneDownloadUnsignedActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyDownloadUnsignedActiveX_1 - LastWrite - - - - InternetZoneEnableCrossSiteScriptingFilter - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyTurnOnXSSFilter_Both_Internet - LastWrite - - - - InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Internet - LastWrite - - - - InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Internet - LastWrite - - - - InternetZoneEnableMIMESniffing - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyMimeSniffingURLaction_1 - LastWrite - - - - InternetZoneEnableProtectedMode - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_Policy_TurnOnProtectedMode_1 - LastWrite - - - - InternetZoneIncludeLocalPathWhenUploadingFilesToServer - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_Policy_LocalPathForUpload_1 - LastWrite - - - - InternetZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyScriptActiveXNotMarkedSafe_1 - LastWrite - - - - InternetZoneJavaPermissions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyJavaPermissions_1 - LastWrite - - - - InternetZoneLaunchingApplicationsAndFilesInIFRAME - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyLaunchAppsAndFilesInIFRAME_1 - LastWrite - - - - InternetZoneLogonOptions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyLogon_1 - LastWrite - - - - InternetZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyNavigateSubframesAcrossDomains_1 - LastWrite - - - - InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicySignedFrameworkComponentsURLaction_1 - LastWrite - - - - InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_Policy_UnsafeFiles_1 - LastWrite - - - - InternetZoneUsePopupBlocker - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyBlockPopupWindows_1 - LastWrite - - - - IntranetZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyAccessDataSourcesAcrossDomains_3 - LastWrite - - - - IntranetZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyNotificationBarActiveXURLaction_3 - LastWrite - - - - IntranetZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyNotificationBarDownloadURLaction_3 - LastWrite - - - - IntranetZoneAllowFontDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyFontDownload_3 - LastWrite - - - - IntranetZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyZoneElevationURLaction_3 - LastWrite - - - - IntranetZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyUnsignedFrameworkComponentsURLaction_3 - LastWrite - - - - IntranetZoneAllowScriptlets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_Policy_AllowScriptlets_3 - LastWrite - - - - IntranetZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_Policy_Phishing_3 - LastWrite - - - - IntranetZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyUserdataPersistence_3 - LastWrite - - - - IntranetZoneDoNotRunAntimalwareAgainstActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyAntiMalwareCheckingOfActiveXControls_3 - LastWrite - - - - IntranetZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyScriptActiveXNotMarkedSafe_3 - LastWrite - - - - IntranetZoneJavaPermissions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyJavaPermissions_3 - LastWrite - - - - IntranetZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyNavigateSubframesAcrossDomains_3 - LastWrite - - - - LocalMachineZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyAccessDataSourcesAcrossDomains_9 - LastWrite - - - - LocalMachineZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyNotificationBarActiveXURLaction_9 - LastWrite - - - - LocalMachineZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyNotificationBarDownloadURLaction_9 - LastWrite - - - - LocalMachineZoneAllowFontDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyFontDownload_9 - LastWrite - - - - LocalMachineZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyZoneElevationURLaction_9 - LastWrite - - - - LocalMachineZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyUnsignedFrameworkComponentsURLaction_9 - LastWrite - - - - LocalMachineZoneAllowScriptlets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_Policy_AllowScriptlets_9 - LastWrite - - - - LocalMachineZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_Policy_Phishing_9 - LastWrite - - - - LocalMachineZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyUserdataPersistence_9 - LastWrite - - - - LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyAntiMalwareCheckingOfActiveXControls_9 - LastWrite - - - - LocalMachineZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyScriptActiveXNotMarkedSafe_9 - LastWrite - - - - LocalMachineZoneJavaPermissions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyJavaPermissions_9 - LastWrite - - - - LocalMachineZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyNavigateSubframesAcrossDomains_9 - LastWrite - - - - LockedDownInternetZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_PolicyAccessDataSourcesAcrossDomains_2 - LastWrite - - - - LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_PolicyNotificationBarActiveXURLaction_2 - LastWrite - - - - LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_PolicyNotificationBarDownloadURLaction_2 - LastWrite - - - - LockedDownInternetZoneAllowFontDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_PolicyFontDownload_2 - LastWrite - - - - LockedDownInternetZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_PolicyZoneElevationURLaction_2 - LastWrite - - - - LockedDownInternetZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_PolicyUnsignedFrameworkComponentsURLaction_2 - LastWrite - - - - LockedDownInternetZoneAllowScriptlets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_Policy_AllowScriptlets_2 - LastWrite - - - - LockedDownInternetZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_Policy_Phishing_2 - LastWrite - - - - LockedDownInternetZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_PolicyUserdataPersistence_2 - LastWrite - - - - LockedDownInternetZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_PolicyScriptActiveXNotMarkedSafe_2 - LastWrite - - - - LockedDownInternetZoneJavaPermissions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_PolicyJavaPermissions_2 - LastWrite - - - - LockedDownInternetZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_PolicyNavigateSubframesAcrossDomains_2 - LastWrite - - - - LockedDownIntranetJavaPermissions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_PolicyJavaPermissions_4 - LastWrite - - - - LockedDownIntranetZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_PolicyAccessDataSourcesAcrossDomains_4 - LastWrite - - - - LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_PolicyNotificationBarActiveXURLaction_4 - LastWrite - - - - LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_PolicyNotificationBarDownloadURLaction_4 - LastWrite - - - - LockedDownIntranetZoneAllowFontDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_PolicyFontDownload_4 - LastWrite - - - - LockedDownIntranetZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_PolicyZoneElevationURLaction_4 - LastWrite - - - - LockedDownIntranetZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_PolicyUnsignedFrameworkComponentsURLaction_4 - LastWrite - - - - LockedDownIntranetZoneAllowScriptlets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_Policy_AllowScriptlets_4 - LastWrite - - - - LockedDownIntranetZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_Policy_Phishing_4 - LastWrite - - - - LockedDownIntranetZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_PolicyUserdataPersistence_4 - LastWrite - - - - LockedDownIntranetZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_PolicyScriptActiveXNotMarkedSafe_4 - LastWrite - - - - LockedDownIntranetZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_PolicyNavigateSubframesAcrossDomains_4 - LastWrite - - - - LockedDownLocalMachineZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_PolicyAccessDataSourcesAcrossDomains_10 - LastWrite - - - - LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_PolicyNotificationBarActiveXURLaction_10 - LastWrite - - - - LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_PolicyNotificationBarDownloadURLaction_10 - LastWrite - - - - LockedDownLocalMachineZoneAllowFontDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_PolicyFontDownload_10 - LastWrite - - - - LockedDownLocalMachineZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_PolicyZoneElevationURLaction_10 - LastWrite - - - - LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_PolicyUnsignedFrameworkComponentsURLaction_10 - LastWrite - - - - LockedDownLocalMachineZoneAllowScriptlets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_Policy_AllowScriptlets_10 - LastWrite - - - - LockedDownLocalMachineZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_Policy_Phishing_10 - LastWrite - - - - LockedDownLocalMachineZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_PolicyUserdataPersistence_10 - LastWrite - - - - LockedDownLocalMachineZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_PolicyScriptActiveXNotMarkedSafe_10 - LastWrite - - - - LockedDownLocalMachineZoneJavaPermissions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_PolicyJavaPermissions_10 - LastWrite - - - - LockedDownLocalMachineZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_PolicyNavigateSubframesAcrossDomains_10 - LastWrite - - - - LockedDownRestrictedSitesZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_PolicyAccessDataSourcesAcrossDomains_8 - LastWrite - - - - LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_PolicyNotificationBarActiveXURLaction_8 - LastWrite - - - - LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_PolicyNotificationBarDownloadURLaction_8 - LastWrite - - - - LockedDownRestrictedSitesZoneAllowFontDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_PolicyFontDownload_8 - LastWrite - - - - LockedDownRestrictedSitesZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_PolicyZoneElevationURLaction_8 - LastWrite - - - - LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_PolicyUnsignedFrameworkComponentsURLaction_8 - LastWrite - - - - LockedDownRestrictedSitesZoneAllowScriptlets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_Policy_AllowScriptlets_8 - LastWrite - - - - LockedDownRestrictedSitesZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_Policy_Phishing_8 - LastWrite - - - - LockedDownRestrictedSitesZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_PolicyUserdataPersistence_8 - LastWrite - - - - LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_PolicyScriptActiveXNotMarkedSafe_8 - LastWrite - - - - LockedDownRestrictedSitesZoneJavaPermissions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_PolicyJavaPermissions_8 - LastWrite - - - - LockedDownRestrictedSitesZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_PolicyNavigateSubframesAcrossDomains_8 - LastWrite - - - - LockedDownTrustedSitesZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyAccessDataSourcesAcrossDomains_6 - LastWrite - - - - LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyNotificationBarActiveXURLaction_6 - LastWrite - - - - LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyNotificationBarDownloadURLaction_6 - LastWrite - - - - LockedDownTrustedSitesZoneAllowFontDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyFontDownload_6 - LastWrite - - - - LockedDownTrustedSitesZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyZoneElevationURLaction_6 - LastWrite - - - - LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyUnsignedFrameworkComponentsURLaction_6 - LastWrite - - - - LockedDownTrustedSitesZoneAllowScriptlets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_Policy_AllowScriptlets_6 - LastWrite - - - - LockedDownTrustedSitesZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_Policy_Phishing_6 - LastWrite - - - - LockedDownTrustedSitesZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyUserdataPersistence_6 - LastWrite - - - - LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyScriptActiveXNotMarkedSafe_6 - LastWrite - - - - LockedDownTrustedSitesZoneJavaPermissions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyJavaPermissions_6 - LastWrite - - - - LockedDownTrustedSitesZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyNavigateSubframesAcrossDomains_6 - LastWrite - - - - MimeSniffingSafetyFeatureInternetExplorerProcesses - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryMimeSniffingSafetyFeature - IESF_PolicyExplorerProcesses_6 - LastWrite - - - - MKProtocolSecurityRestrictionInternetExplorerProcesses - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryMKProtocolSecurityRestriction - IESF_PolicyExplorerProcesses_3 - LastWrite - - - - NewTabDefaultPage - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - NewTabAction - LastWrite - - - - NotificationBarInternetExplorerProcesses - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryInformationBar - IESF_PolicyExplorerProcesses_10 - LastWrite - - - - PreventManagingSmartScreenFilter - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - Disable_Managing_Safety_Filter_IE9 - LastWrite - - - - PreventPerUserInstallationOfActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - DisablePerUserActiveXInstall - LastWrite - - - - ProtectionFromZoneElevationInternetExplorerProcesses - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryProtectionFromZoneElevation - IESF_PolicyExplorerProcesses_9 - LastWrite - - - - RemoveRunThisTimeButtonForOutdatedActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement - VerMgmtDisableRunThisTime - LastWrite - - - - RestrictActiveXInstallInternetExplorerProcesses - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryRestrictActiveXInstall - IESF_PolicyExplorerProcesses_11 - LastWrite - - - - RestrictedSitesZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyAccessDataSourcesAcrossDomains_7 - LastWrite - - - - RestrictedSitesZoneAllowActiveScripting - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyActiveScripting_7 - LastWrite - - - - RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyNotificationBarActiveXURLaction_7 - LastWrite - - - - RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyNotificationBarDownloadURLaction_7 - LastWrite - - - - RestrictedSitesZoneAllowBinaryAndScriptBehaviors - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyBinaryBehaviors_7 - LastWrite - - - - RestrictedSitesZoneAllowCopyPasteViaScript - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyAllowPasteViaScript_7 - LastWrite - - - - RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyDropOrPasteFiles_7 - LastWrite - - - - RestrictedSitesZoneAllowFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyFileDownload_7 - LastWrite - - - - RestrictedSitesZoneAllowFontDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyFontDownload_7 - LastWrite - - - - RestrictedSitesZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyZoneElevationURLaction_7 - LastWrite - - - - RestrictedSitesZoneAllowLoadingOfXAMLFiles - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_Policy_XAML_7 - LastWrite - - - - RestrictedSitesZoneAllowMETAREFRESH - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyAllowMETAREFRESH_7 - LastWrite - - - - RestrictedSitesZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyUnsignedFrameworkComponentsURLaction_7 - LastWrite - - - - RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Restricted - LastWrite - - - - RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyAllowTDCControl_Both_Restricted - LastWrite - - - - RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_Policy_WebBrowserControl_7 - LastWrite - - - - RestrictedSitesZoneAllowScriptInitiatedWindows - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyWindowsRestrictionsURLaction_7 - LastWrite - - - - RestrictedSitesZoneAllowScriptlets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_Policy_AllowScriptlets_7 - LastWrite - - - - RestrictedSitesZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_Policy_Phishing_7 - LastWrite - - - - RestrictedSitesZoneAllowUpdatesToStatusBarViaScript - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_Policy_ScriptStatusBar_7 - LastWrite - - - - RestrictedSitesZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyUserdataPersistence_7 - LastWrite - - - - RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyAllowVBScript_7 - LastWrite - - - - RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyAntiMalwareCheckingOfActiveXControls_7 - LastWrite - - - - RestrictedSitesZoneDownloadSignedActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyDownloadSignedActiveX_7 - LastWrite - - - - RestrictedSitesZoneDownloadUnsignedActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyDownloadUnsignedActiveX_7 - LastWrite - - - - RestrictedSitesZoneEnableCrossSiteScriptingFilter - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyTurnOnXSSFilter_Both_Restricted - LastWrite - - - - RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Restricted - LastWrite - - - - RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Restricted - LastWrite - - - - RestrictedSitesZoneEnableMIMESniffing - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyMimeSniffingURLaction_7 - LastWrite - - - - RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_Policy_LocalPathForUpload_7 - LastWrite - - - - RestrictedSitesZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyScriptActiveXNotMarkedSafe_7 - LastWrite - - - - RestrictedSitesZoneJavaPermissions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyJavaPermissions_7 - LastWrite - - - - RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyLaunchAppsAndFilesInIFRAME_7 - LastWrite - - - - RestrictedSitesZoneLogonOptions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyLogon_7 - LastWrite - - - - RestrictedSitesZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyNavigateSubframesAcrossDomains_7 - LastWrite - - - - RestrictedSitesZoneRunActiveXControlsAndPlugins - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyRunActiveXControls_7 - LastWrite - - - - RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicySignedFrameworkComponentsURLaction_7 - LastWrite - - - - RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyScriptActiveXMarkedSafe_7 - LastWrite - - - - RestrictedSitesZoneScriptingOfJavaApplets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyScriptingOfJavaApplets_7 - LastWrite - - - - RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_Policy_UnsafeFiles_7 - LastWrite - - - - RestrictedSitesZoneTurnOnProtectedMode - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_Policy_TurnOnProtectedMode_7 - LastWrite - - - - RestrictedSitesZoneUsePopupBlocker - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyBlockPopupWindows_7 - LastWrite - - - - RestrictFileDownloadInternetExplorerProcesses - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryRestrictFileDownload - IESF_PolicyExplorerProcesses_12 - LastWrite - - - - ScriptedWindowSecurityRestrictionsInternetExplorerProcesses - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryScriptedWindowSecurityRestrictions - IESF_PolicyExplorerProcesses_8 - LastWrite - - - - SearchProviderList - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - SpecificSearchProvider - LastWrite - - - - SpecifyUseOfActiveXInstallerService - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - OnlyUseAXISForActiveXInstall - LastWrite - - - - TrustedSitesZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyAccessDataSourcesAcrossDomains_5 - LastWrite - - - - TrustedSitesZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyNotificationBarActiveXURLaction_5 - LastWrite - - - - TrustedSitesZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyNotificationBarDownloadURLaction_5 - LastWrite - - - - TrustedSitesZoneAllowFontDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyFontDownload_5 - LastWrite - - - - TrustedSitesZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyZoneElevationURLaction_5 - LastWrite - - - - TrustedSitesZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyUnsignedFrameworkComponentsURLaction_5 - LastWrite - - - - TrustedSitesZoneAllowScriptlets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_Policy_AllowScriptlets_5 - LastWrite - - - - TrustedSitesZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_Policy_Phishing_5 - LastWrite - - - - TrustedSitesZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyUserdataPersistence_5 - LastWrite - - - - TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyAntiMalwareCheckingOfActiveXControls_5 - LastWrite - - - - TrustedSitesZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyScriptActiveXNotMarkedSafe_5 - LastWrite - - - - TrustedSitesZoneJavaPermissions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyJavaPermissions_5 - LastWrite - - - - TrustedSitesZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyNavigateSubframesAcrossDomains_5 - LastWrite - - - - - KioskBrowser - - - - - - - - - - - - - - - - - - - BlockedUrlExceptions - - - - - - List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. - - - - - - - - - - - text/plain - - phone - LastWrite - - - - BlockedUrls - - - - - - List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers can not navigate to. - - - - - - - - - - - text/plain - - phone - LastWrite - - - - DefaultURL - - - - - - Configures the default URL kiosk browsers to navigate on launch and restart. - - - - - - - - - - - text/plain - - phone - LastWrite - - - - EnableEndSessionButton - - - - - 0 - Enable/disable kiosk browser's end session button. - - - - - - - - - - - text/plain - - - phone - LastWrite - - - - EnableHomeButton - - - - - 0 - Enable/disable kiosk browser's home button. - - - - - - - - - - - text/plain - - - phone - LastWrite - - - - EnableNavigationButtons - - - - - 0 - Enable/disable kiosk browser's navigation buttons (forward/back). - - - - - - - - - - - text/plain - - - phone - LastWrite - - - - RestartOnIdleTime - - - - - 0 - Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state. - - - - - - - - - - - text/plain - - - phone - LastWrite - - - - - Multitasking - - - - - - - - - - - - - - - - - - - BrowserAltTabBlowout - - - - - 1 - Configures the inclusion of Edge tabs into Alt-Tab. - - - - - - - - - - - text/plain - - - phone - multitasking.admx - AltTabFilterDropdown - multitasking~AT~WindowsComponents~MULTITASKING - MultiTaskingAltTabFilter - LastWrite - - - - - Notifications - - - - - - - - - - - - - - - - - - - DisallowNotificationMirroring - - - - - 0 - - - - - - - - - - - - text/plain - - - WPN.admx - WPN~AT~StartMenu~NotificationsCategory - NoNotificationMirroring - LowestValueMostSecure - - - - DisallowTileNotification - - - - - 0 - - - - - - - - - - - - text/plain - - - WPN.admx - WPN~AT~StartMenu~NotificationsCategory - NoTileNotification - LowestValueMostSecure - - - - - Printers - - - - - - - - - - - - - - - - - - - PointAndPrintRestrictions_User - - - - - - - - - - - - - - - - - text/plain - - phone - Printing.admx - Printing~AT~ControlPanel~CplPrinters - PointAndPrint_Restrictions - LastWrite - - - - - Privacy - - - - - - - - - - - - - - - - - - - DisablePrivacyExperience - - - - - 0 - Enabling this policy prevents the privacy experience from launching during user logon for new and upgraded users. - - - - - - - - - - - text/plain - - - phone - OOBE.admx - OOBE~AT~WindowsComponents~OOBE - DisablePrivacyExperience - LowestValueMostSecure - - - - - Security - - - - - - - - - - - - - - - - - - - RecoveryEnvironmentAuthentication - - - - - 0 - This policy controls the requirement of Admin Authentication in RecoveryEnvironment. - - - - - - - - - - - text/plain - - - phone - LastWrite - - - - - Settings - - - - - - - - - - - - - - - - - - - ConfigureTaskbarCalendar - - - - - 0 - - - - - - - - - - - - text/plain - - - Taskbar.admx - Taskbar~AT~StartMenu~TPMCategory - ConfigureTaskbarCalendar - LastWrite - - - - PageVisibilityList - - - - - - - - - - - - - - - - - text/plain - - ControlPanel.admx - SettingsPageVisibilityBox - ControlPanel~AT~ControlPanel - SettingsPageVisibility - LastWrite - - - - - Start - - - - - - - - - - - - - - - - - - - DisableContextMenus - - - - - 0 - Enabling this policy prevents context menus from being invoked in the Start Menu. - - - - - - - - - - - text/plain - - - phone - StartMenu.admx - StartMenu~AT~StartMenu - DisableContextMenusInStart - LowestValueMostSecure - - - - ForceStartSize - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - StartMenu.admx - StartMenu~AT~StartMenu - ForceStartSize - LastWrite - - - - HideAppList - - - - - 0 - Setting the value of this policy to 1 or 2 collapses the app list. Setting the value of this policy to 3 removes the app list entirely. Setting the value of this policy to 2 or 3 disables the corresponding toggle in the Settings app. - - - - - - - - - - - text/plain - - - phone - LastWrite - - - - HideFrequentlyUsedApps - - - - - 0 - Enabling this policy hides the most used apps from appearing on the start menu and disables the corresponding toggle in the Settings app. - - - - - - - - - - - text/plain - - - phone - StartMenu.admx - StartMenu~AT~StartMenu - NoFrequentUsedPrograms - LowestValueMostSecure - - - - HidePeopleBar - - - - - 0 - Enabling this policy removes the people icon from the taskbar as well as the corresponding settings toggle. It also prevents users from pinning people to the taskbar. - - - - - - - - - - - text/plain - - - phone - StartMenu.admx - StartMenu~AT~StartMenu - HidePeopleBar - LowestValueMostSecure - - - - HideRecentJumplists - - - - - 0 - Enabling this policy hides recent jumplists from appearing on the start menu/taskbar and disables the corresponding toggle in the Settings app. - - - - - - - - - - - text/plain - - - phone - StartMenu.admx - StartMenu~AT~StartMenu - NoRecentDocsHistory - LowestValueMostSecure - - - - HideRecentlyAddedApps - - - - - 0 - Enabling this policy hides recently added apps from appearing on the start menu and disables the corresponding toggle in the Settings app. - - - - - - - - - - - text/plain - - - phone - StartMenu.admx - StartMenu~AT~StartMenu - HideRecentlyAddedApps - LowestValueMostSecure - - - - StartLayout - - - - - - - - - - - - - - - - - text/plain - - phone - StartMenu.admx - StartMenu~AT~StartMenu - LockedStartLayout - LastWrite - - - - - System - - - - - - - - - - - - - - - - - - - AllowTelemetry - - - - - 3 - - - - - - - - - - - - text/plain - - - DataCollection.admx - AllowTelemetry - DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds - AllowTelemetry - LowestValueMostSecure - - - - - WindowsPowerShell - - - - - - - - - - - - - - - - - - - TurnOnPowerShellScriptBlockLogging - - - - - - - - - - - - - - - - - text/plain - - phone - PowerShellExecutionPolicy.admx - PowerShellExecutionPolicy~AT~WindowsComponents~PowerShell - EnableScriptBlockLogging - LastWrite - - - - - - - Policy - ./Device/Vendor/MSFT - - - - - - - - - - - - - - - com.microsoft/10.0/MDM/Policy - - - - ConfigOperations - - - - - - - Policy CSP ConfigOperations - - - - - - - - - - - - - - - ADMXInstall - - - - - - - Win32 App ADMX Ingestion - - - - - - - - - - - - - - - * - - - - - - - Win32 App Name - - - - - - - - - - - - - - - Properties - - - - - - - Properties of Win32 App ADMX Ingestion - - - - - - - - - - - - - - - * - - - - - - - Setting Type of Win32 App. Policy Or Preference - - - - - - - - - - - - - - - * - - - - - - - Unique ID of ADMX file - - - - - - - - - - - - - - - Version - - - - - - - - Version of ADMX file - - - - - - - - - - - - - - - - - - - * - - - - - - - Setting Type of Win32 App. Policy Or Preference - - - - - - - - - - - - - - - * - - - - - - - - Unique ID of ADMX file - - - - - - - - - - - - - - - - - - - - Config - - - - - - - - - - - - - - - - - - - - - AboveLock - - - - - - - - - - - - - - - - - - - - - AllowActionCenterNotifications - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowCortanaAboveLock - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowToasts - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Accounts - - - - - - - - - - - - - - - - - - - - - AllowAddingNonMicrosoftAccountsManually - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowMicrosoftAccountConnection - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowMicrosoftAccountSignInAssistant - - - - - - - - - - - - - - - - - - - text/plain - - - - - DomainNamesForEmailSync - - - - - - - - - - - - - - - - - - - text/plain - - - - - - ActiveXControls - - - - - - - - - - - - - - - - - - - - - ApprovedInstallationSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - - ApplicationDefaults - - - - - - - - - - - - - - - - - - - - - DefaultAssociationsConfiguration - - - - - - - - - - - - - - - - - - - text/plain - - - - - EnableAppUriHandlers - - - - - - - - Enables web-to-app linking, which allows apps to be launched with a http(s) URI - - - - - - - - - - - text/plain - - - - - - ApplicationManagement - - - - - - - - - - - - - - - - - - - - - AllowAllTrustedApps - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowAppStoreAutoUpdate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowDeveloperUnlock - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowGameDVR - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowSharedUserAppData - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowStore - - - - - - - - - - - - - - - - - - - text/plain - - - - - ApplicationRestrictions - - - - - - - - - - - - - - - - - - - text/plain - - - - - BlockNonAdminUserInstall - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableStoreOriginatedApps - - - - - - - - - - - - - - - - - - - text/plain - - - - - LaunchAppAfterLogOn - - - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are to be launched after logon. - - - - - - - - - - - text/plain - - - - - MSIAllowUserControlOverInstall - - - - - - - - - - - - - - - - - - - text/plain - - - - - MSIAlwaysInstallWithElevatedPrivileges - - - - - - - - - - - - - - - - - - - text/plain - - - - - RequirePrivateStoreOnly - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictAppDataToSystemVolume - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictAppToSystemVolume - - - - - - - - - - - - - - - - - - - text/plain - - - - - ScheduleForceRestartForUpdateFailures - - - - - - - - - - - - - - - - - - - text/plain - - - - - - AppRuntime - - - - - - - - - - - - - - - - - - - - - AllowMicrosoftAccountsToBeOptional - - - - - - - - - - - - - - - - - - - text/plain - - - - - - AppVirtualization - - - - - - - - - - - - - - - - - - - - - AllowAppVClient - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowDynamicVirtualization - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowPackageCleanup - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowPackageScripts - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowPublishingRefreshUX - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowReportingServer - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowRoamingFileExclusions - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowRoamingRegistryExclusions - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowStreamingAutoload - - - - - - - - - - - - - - - - - - - text/plain - - - - - ClientCoexistenceAllowMigrationmode - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntegrationAllowRootGlobal - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntegrationAllowRootUser - - - - - - - - - - - - - - - - - - - text/plain - - - - - PublishingAllowServer1 - - - - - - - - - - - - - - - - - - - text/plain - - - - - PublishingAllowServer2 - - - - - - - - - - - - - - - - - - - text/plain - - - - - PublishingAllowServer3 - - - - - - - - - - - - - - - - - - - text/plain - - - - - PublishingAllowServer4 - - - - - - - - - - - - - - - - - - - text/plain - - - - - PublishingAllowServer5 - - - - - - - - - - - - - - - - - - - text/plain - - - - - StreamingAllowCertificateFilterForClient_SSL - - - - - - - - - - - - - - - - - - - text/plain - - - - - StreamingAllowHighCostLaunch - - - - - - - - - - - - - - - - - - - text/plain - - - - - StreamingAllowLocationProvider - - - - - - - - - - - - - - - - - - - text/plain - - - - - StreamingAllowPackageInstallationRoot - - - - - - - - - - - - - - - - - - - text/plain - - - - - StreamingAllowPackageSourceRoot - - - - - - - - - - - - - - - - - - - text/plain - - - - - StreamingAllowReestablishmentInterval - - - - - - - - - - - - - - - - - - - text/plain - - - - - StreamingAllowReestablishmentRetries - - - - - - - - - - - - - - - - - - - text/plain - - - - - StreamingSharedContentStoreMode - - - - - - - - - - - - - - - - - - - text/plain - - - - - StreamingSupportBranchCache - - - - - - - - - - - - - - - - - - - text/plain - - - - - StreamingVerifyCertificateRevocationList - - - - - - - - - - - - - - - - - - - text/plain - - - - - VirtualComponentsAllowList - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Audit - - - - - - - - - - - - - - - - - - - - - AccountLogon_AuditCredentialValidation - - - - - - - - This policy setting allows you to audit events generated by validation tests on user account logon credentials. - -Events in this subcategory occur only on the computer that is authoritative for those credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative. - - - - - - - - - - - text/plain - - - - - AccountLogon_AuditKerberosAuthenticationService - - - - - - - - This policy setting allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests. - -If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT request. Success audits record successful requests and Failure audits record unsuccessful requests. -If you do not configure this policy setting, no audit event is generated after a Kerberos authentication TGT request. - - - - - - - - - - - text/plain - - - - - AccountLogon_AuditKerberosServiceTicketOperations - - - - - - - - This policy setting allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests submitted for user accounts. - -If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT is requested for a user account. Success audits record successful requests and Failure audits record unsuccessful requests. -If you do not configure this policy setting, no audit event is generated after a Kerberos authentication TGT is request for a user account. - - - - - - - - - - - text/plain - - - - - AccountLogon_AuditOtherAccountLogonEvents - - - - - - - - This policy setting allows you to audit events generated by responses to credential requests submitted for a user account logon that are not credential validation or Kerberos tickets. - -Currently, there are no events in this subcategory. - - - - - - - - - - - text/plain - - - - - AccountLogonLogoff_AuditAccountLockout - - - - - - - - This policy setting allows you to audit events generated by a failed attempt to log on to an account that is locked out. - -If you configure this policy setting, an audit event is generated when an account cannot log on to a computer because the account is locked out. Success audits record successful attempts and Failure audits record unsuccessful attempts. - -Logon events are essential for understanding user activity and to detect potential attacks. - - - - - - - - - - - text/plain - - - - - AccountLogonLogoff_AuditGroupMembership - - - - - - - - This policy allows you to audit the group memberhsip information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. - -When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the Audit Logon setting under Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff. Multiple events are generated if the group memberhsip information cannot fit in a single security audit event. - - - - - - - - - - - text/plain - - - - - AccountLogonLogoff_AuditIPsecExtendedMode - - - - - - - - This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations. - -If you configure this policy setting, an audit event is generated during an IPsec Extended Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated during an IPsec Extended Mode negotiation. - - - - - - - - - - - text/plain - - - - - AccountLogonLogoff_AuditIPsecMainMode - - - - - - - - This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations. - -If you configure this policy setting, an audit event is generated during an IPsec Main Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated during an IPsec Main Mode negotiation. - - - - - - - - - - - text/plain - - - - - AccountLogonLogoff_AuditIPsecQuickMode - - - - - - - - This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations. - -If you configure this policy setting, an audit event is generated during an IPsec Quick Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts.If - you do not configure this policy setting, no audit event is generated during an IPsec Quick Mode negotiation. - - - - - - - - - - - text/plain - - - - - AccountLogonLogoff_AuditLogoff - - - - - - - - This policy setting allows you to audit events generated by the closing of a logon session. These events occur on the computer that was accessed. For an interactive logoff the security audit event is generated on the computer that the user account logged on to. - -If you configure this policy setting, an audit event is generated when a logon session is closed. Success audits record successful attempts to close sessions and Failure audits record unsuccessful attempts to close sessions. -If you do not configure this policy setting, no audit event is generated when a logon session is closed. - - - - - - - - - - - text/plain - - - - - AccountLogonLogoff_AuditLogon - - - - - - - - This policy setting allows you to audit events generated by user account logon attempts on the computer. -Events in this subcategory are related to the creation of logon sessions and occur on the computer which was accessed. For an interactive logon, the security audit event is generated on the computer that the user account logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. The following events are included: - Successful logon attempts. - Failed logon attempts. - Logon attempts using explicit credentials. This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch logon configurations, such as scheduled tasks or when using the RUNAS command. - Security identifiers (SIDs) were filtered and not allowed to log on. - - - - - - - - - - - text/plain - - - - - AccountLogonLogoff_AuditNetworkPolicyServer - - - - - - - - This policy setting allows you to audit events generated by RADIUS (IAS) and Network Access Protection (NAP) user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock. -If you configure this policy setting, an audit event is generated for each IAS and NAP user access request. Success audits record successful user access requests and Failure audits record unsuccessful attempts. -If you do not configure this policy settings, IAS and NAP user access requests are not audited. - - - - - - - - - - - text/plain - - - - - AccountLogonLogoff_AuditOtherLogonLogoffEvents - - - - - - - - This policy setting allows you to audit other logon/logoff-related events that are not covered in the “Logon/Logoff” policy setting such as the following: - Terminal Services session disconnections. - New Terminal Services sessions. - Locking and unlocking a workstation. - Invoking a screen saver. - Dismissal of a screen saver. - Detection of a Kerberos replay attack, in which a Kerberos request was received twice with identical information. This condition could be caused by network misconfiguration. - Access to a wireless network granted to a user or computer account. - Access to a wired 802.1x network granted to a user or computer account. - - - - - - - - - - - text/plain - - - - - AccountLogonLogoff_AuditSpecialLogon - - - - - - - - This policy setting allows you to audit events generated by special logons such as the following : - The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. - A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged. For more information about this feature, see article 947223 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=121697). - - - - - - - - - - - text/plain - - - - - AccountLogonLogoff_AuditUserDeviceClaims - - - - - - - - This policy allows you to audit user and device claims information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. - -User claims are added to a logon token when claims are included with a user's account attributes in Active Directory. Device claims are added to the logon token when claims are included with a device's computer account attributes in Active Directory. In addition, compound identity must be enabled for the domain and on the computer where the user logged on. - -When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the Audit Logon setting under Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff. Multiple events are generated if the user and device claims information cannot fit in a single security audit event. - - - - - - - - - - - text/plain - - - - - AccountManagement_AuditApplicationGroupManagement - - - - - - - - This policy setting allows you to audit events generated by changes to application groups such as the following: - Application group is created, changed, or deleted. - Member is added or removed from an application group. - -If you configure this policy setting, an audit event is generated when an attempt to change an application group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when an application group changes. - - - - - - - - - - - text/plain - - - - - AccountManagement_AuditComputerAccountManagement - - - - - - - - This policy setting allows you to audit events generated by changes to computer accounts such as when a computer account is created, changed, or deleted. - -If you configure this policy setting, an audit event is generated when an attempt to change a computer account is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when a computer account changes. - - - - - - - - - - - text/plain - - - - - AccountManagement_AuditDistributionGroupManagement - - - - - - - - This policy setting allows you to audit events generated by changes to distribution groups such as the following: - Distribution group is created, changed, or deleted. - Member is added or removed from a distribution group. - Distribution group type is changed. - -If you configure this policy setting, an audit event is generated when an attempt to change a distribution group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when a distribution group changes. - -Note: Events in this subcategory are logged only on domain controllers. - - - - - - - - - - - text/plain - - - - - AccountManagement_AuditOtherAccountManagementEvents - - - - - - - - This policy setting allows you to audit events generated by other user account changes that are not covered in this category, such as the following: - The password hash of a user account was accessed. This typically happens during an Active Directory Management Tool password migration. - The Password Policy Checking API was called. Calls to this function can be part of an attack when a malicious application tests the policy to reduce the number of attempts during a password dictionary attack. - Changes to the Default Domain Group Policy under the following Group Policy paths: -Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy -Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy - - - - - - - - - - - text/plain - - - - - AccountManagement_AuditSecurityGroupManagement - - - - - - - - This policy setting allows you to audit events generated by changes to security groups such as the following: - Security group is created, changed, or deleted. - Member is added or removed from a security group. - Group type is changed. - -If you configure this policy setting, an audit event is generated when an attempt to change a security group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when a security group changes. - - - - - - - - - - - text/plain - - - - - AccountManagement_AuditUserAccountManagement - - - - - - - - This policy setting allows you to audit changes to user accounts. Events include the following: - A user account is created, changed, deleted; renamed, disabled, enabled, locked out, or unlocked. - A user account’s password is set or changed. - A security identifier (SID) is added to the SID History of a user account. - The Directory Services Restore Mode password is configured. - Permissions on administrative user accounts are changed. - Credential Manager credentials are backed up or restored. - -If you configure this policy setting, an audit event is generated when an attempt to change a user account is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when a user account changes. - - - - - - - - - - - text/plain - - - - - DetailedTracking_AuditDPAPIActivity - - - - - - - - This policy setting allows you to audit events generated when encryption or decryption requests are made to the Data Protection application interface (DPAPI). DPAPI is used to protect secret information such as stored password and key information. For more information about DPAPI, see https://go.microsoft.com/fwlink/?LinkId=121720. - -If you configure this policy setting, an audit event is generated when an encryption or decryption request is made to DPAPI. Success audits record successful requests and Failure audits record unsuccessful requests. -If you do not configure this policy setting, no audit event is generated when an encryption or decryption request is made to DPAPI. - - - - - - - - - - - text/plain - - - - - DetailedTracking_AuditPNPActivity - - - - - - - - This policy setting allows you to audit when plug and play detects an external device. - -If you configure this policy setting, an audit event is generated whenever plug and play detects an external device. Only Success audits are recorded for this category. -If you do not configure this policy setting, no audit event is generated when an external device is detected by plug and play. - - - - - - - - - - - text/plain - - - - - DetailedTracking_AuditProcessCreation - - - - - - - - This policy setting allows you to audit events generated when a process is created or starts. The name of the application or user that created the process is also audited. - -If you configure this policy setting, an audit event is generated when a process is created. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when a process is created. - - - - - - - - - - - text/plain - - - - - DetailedTracking_AuditProcessTermination - - - - - - - - This policy setting allows you to audit events generated when a process ends. - -If you configure this policy setting, an audit event is generated when a process ends. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when a process ends. - - - - - - - - - - - text/plain - - - - - DetailedTracking_AuditRPCEvents - - - - - - - - This policy setting allows you to audit inbound remote procedure call (RPC) connections. - -If you configure this policy setting, an audit event is generated when a remote RPC connection is attempted. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when a remote RPC connection is attempted. - - - - - - - - - - - text/plain - - - - - DetailedTracking_AuditTokenRightAdjusted - - - - - - - - This policy setting allows you to audit events generated by adjusting the privileges of a token. - - - - - - - - - - - text/plain - - - - - DSAccess_AuditDetailedDirectoryServiceReplication - - - - - - - - This policy setting allows you to audit events generated by detailed Active Directory Domain Services (AD DS) replication between domain controllers. - - - - - - - - - - - text/plain - - - - - DSAccess_AuditDirectoryServiceAccess - - - - - - - - This policy setting allows you to audit events generated when an Active Directory Domain Services (AD DS) object is accessed. - -Only AD DS objects with a matching system access control list (SACL) are logged. - -Events in this subcategory are similar to the Directory Service Access events available in previous versions of Windows. - - - - - - - - - - - text/plain - - - - - DSAccess_AuditDirectoryServiceChanges - - - - - - - - This policy setting allows you to audit events generated by changes to objects in Active Directory Domain Services (AD DS). Events are logged when an object is created, deleted, modified, moved, or undeleted. - -When possible, events logged in this subcategory indicate the old and new values of the object’s properties. - -Events in this subcategory are logged only on domain controllers, and only objects in AD DS with a matching system access control list (SACL) are logged. - -Note: Actions on some objects and properties do not cause audit events to be generated due to settings on the object class in the schema. - -If you configure this policy setting, an audit event is generated when an attempt to change an object in AD DS is made. Success audits record successful attempts, however unsuccessful attempts are NOT recorded. -If you do not configure this policy setting, no audit event is generated when an attempt to change an object in AD DS object is made. - - - - - - - - - - - text/plain - - - - - DSAccess_AuditDirectoryServiceReplication - - - - - - - - This policy setting allows you to audit replication between two Active Directory Domain Services (AD DS) domain controllers. - -If you configure this policy setting, an audit event is generated during AD DS replication. Success audits record successful replication and Failure audits record unsuccessful replication. -If you do not configure this policy setting, no audit event is generated during AD DS replication. - - - - - - - - - - - text/plain - - - - - ObjectAccess_AuditApplicationGenerated - - - - - - - - This policy setting allows you to audit applications that generate events using the Windows Auditing application programming interfaces (APIs). Applications designed to use the Windows Auditing API use this subcategory to log auditing events related to their function. -Events in this subcategory include: - Creation of an application client context. - Deletion of an application client context. - Initialization of an application client context. - Other application operations using the Windows Auditing APIs. - - - - - - - - - - - text/plain - - - - - ObjectAccess_AuditCentralAccessPolicyStaging - - - - - - - - This policy setting allows you to audit access requests where the permission granted or denied by a proposed policy differs from the current central access policy on an object. - -If you configure this policy setting, an audit event is generated each time a user accesses an object and the permission granted by the current central access policy on the object differs from that granted by the proposed policy. The resulting audit event will be generated as follows: -1) Success audits, when configured, records access attempts when the current central access policy grants access but the proposed policy denies access. -2) Failure audits when configured records access attempts when: - a) The current central access policy does not grant access but the proposed policy grants access. - b) A principal requests the maximum access rights they are allowed and the access rights granted by the current central access policy are different than the access rights granted by the proposed policy. - -Volume: Potentially high on a file server when the proposed policy differs significantly from the current central access policy. - - - - - - - - - - - text/plain - - - - - ObjectAccess_AuditCertificationServices - - - - - - - - This policy setting allows you to audit Active Directory Certificate Services (AD CS) operations. -AD CS operations include the following: - AD CS startup/shutdown/backup/restore. - Changes to the certificate revocation list (CRL). - New certificate requests. - Issuing of a certificate. - Revocation of a certificate. - Changes to the Certificate Manager settings for AD CS. - Changes in the configuration of AD CS. - Changes to a Certificate Services template. - Importing of a certificate. - Publishing of a certification authority certificate is to Active Directory Domain Services. - Changes to the security permissions for AD CS. - Archival of a key. - Importing of a key. - Retrieval of a key. - Starting of Online Certificate Status Protocol (OCSP) Responder Service. - Stopping of Online Certificate Status Protocol (OCSP) Responder Service. - - - - - - - - - - - text/plain - - - - - ObjectAccess_AuditDetailedFileShare - - - - - - - - This policy setting allows you to audit attempts to access files and folders on a shared folder. The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client and file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access. - -If you configure this policy setting, an audit event is generated when an attempt is made to access a file or folder on a share. The administrator can specify whether to audit only successes, only failures, or both successes and failures. - -Note: There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all shared files and folders on the system is audited. - - - - - - - - - - - text/plain - - - - - ObjectAccess_AuditFileShare - - - - - - - - This policy setting allows you to audit attempts to access a shared folder. - -If you configure this policy setting, an audit event is generated when an attempt is made to access a shared folder. If this policy setting is defined, the administrator can specify whether to audit only successes, only failures, or both successes and failures. - -Note: There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all shared folders on the system is audited. - - - - - - - - - - - text/plain - - - - - ObjectAccess_AuditFileSystem - - - - - - - - This policy setting allows you to audit user attempts to access file system objects. A security audit event is generated only for objects that have system access control lists (SACL) specified, and only if the type of access requested, such as Write, Read, or Modify and the account making the request match the settings in the SACL. For more information about enabling object access auditing, see https://go.microsoft.com/fwlink/?LinkId=122083. - -If you configure this policy setting, an audit event is generated each time an account accesses a file system object with a matching SACL. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when an account accesses a file system object with a matching SACL. - -Note: You can set a SACL on a file system object using the Security tab in that object's Properties dialog box. - - - - - - - - - - - text/plain - - - - - ObjectAccess_AuditFilteringPlatformConnection - - - - - - - - This policy setting allows you to audit connections that are allowed or blocked by the Windows Filtering Platform (WFP). The following events are included: - The Windows Firewall Service blocks an application from accepting incoming connections on the network. - The WFP allows a connection. - The WFP blocks a connection. - The WFP permits a bind to a local port. - The WFP blocks a bind to a local port. - The WFP allows a connection. - The WFP blocks a connection. - The WFP permits an application or service to listen on a port for incoming connections. - The WFP blocks an application or service to listen on a port for incoming connections. - -If you configure this policy setting, an audit event is generated when connections are allowed or blocked by the WFP. Success audits record events generated when connections are allowed and Failure audits record events generated when connections are blocked. -If you do not configure this policy setting, no audit event is generated when connected are allowed or blocked by the WFP. - - - - - - - - - - - text/plain - - - - - ObjectAccess_AuditFilteringPlatformPacketDrop - - - - - - - - This policy setting allows you to audit packets that are dropped by Windows Filtering Platform (WFP). - - - - - - - - - - - text/plain - - - - - ObjectAccess_AuditHandleManipulation - - - - - - - - This policy setting allows you to audit events generated when a handle to an object is opened or closed. Only objects with a matching system access control list (SACL) generate security audit events. - -If you configure this policy setting, an audit event is generated when a handle is manipulated. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when a handle is manipulated. - -Note: Events in this subcategory generate events only for object types where the corresponding Object Access subcategory is enabled. For example, if File system object access is enabled, handle manipulation security audit events are generated. If Registry object access is not enabled, handle manipulation security audit events will not be generated. - - - - - - - - - - - text/plain - - - - - ObjectAccess_AuditKernelObject - - - - - - - - This policy setting allows you to audit attempts to access the kernel, which include mutexes and semaphores. -Only kernel objects with a matching system access control list (SACL) generate security audit events. - -Note: The Audit: Audit the access of global system objects policy setting controls the default SACL of kernel objects. - - - - - - - - - - - text/plain - - - - - ObjectAccess_AuditOtherObjectAccessEvents - - - - - - - - This policy setting allows you to audit events generated by the management of task scheduler jobs or COM+ objects. -For scheduler jobs, the following are audited: - Job created. - Job deleted. - Job enabled. - Job disabled. - Job updated. -For COM+ objects, the following are audited: - Catalog object added. - Catalog object updated. - Catalog object deleted. - - - - - - - - - - - text/plain - - - - - ObjectAccess_AuditRegistry - - - - - - - - This policy setting allows you to audit attempts to access registry objects. A security audit event is generated only for objects that have system access control lists (SACLs) specified, and only if the type of access requested, such as Read, Write, or Modify, and the account making the request match the settings in the SACL. - -If you configure this policy setting, an audit event is generated each time an account accesses a registry object with a matching SACL. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when an account accesses a registry object with a matching SACL. - -Note: You can set a SACL on a registry object using the Permissions dialog box. - - - - - - - - - - - text/plain - - - - - ObjectAccess_AuditRemovableStorage - - - - - - - - This policy setting allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested. - -If you configure this policy setting, an audit event is generated each time an account accesses a file system object on a removable storage. Success audits record successful attempts and Failure audits record unsuccessful attempts. - -If you do not configure this policy setting, no audit event is generated when an account accesses a file system object on a removable storage. - - - - - - - - - - - text/plain - - - - - ObjectAccess_AuditSAM - - - - - - - - This policy setting allows you to audit events generated by attempts to access to Security Accounts Manager (SAM) objects. -SAM objects include the following: - SAM_ALIAS -- A local group. - SAM_GROUP -- A group that is not a local group. - SAM_USER – A user account. - SAM_DOMAIN – A domain. - SAM_SERVER – A computer account. -If you configure this policy setting, an audit event is generated when an attempt to access a kernel object is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when an attempt to access a kernel object is made. -Note: Only the System Access Control List (SACL) for SAM_SERVER can be modified. -Volume: High on domain controllers. For information about reducing the amount of events generated in this subcategory, see article 841001 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=121698). - - - - - - - - - - - text/plain - - - - - PolicyChange_AuditAuthenticationPolicyChange - - - - - - - - This policy setting allows you to audit events generated by changes to the authentication policy such as the following: - Creation of forest and domain trusts. - Modification of forest and domain trusts. - Removal of forest and domain trusts. - Changes to Kerberos policy under Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy. - Granting of any of the following user rights to a user or group: - Access This Computer From the Network. - Allow Logon Locally. - Allow Logon Through Terminal Services. - Logon as a Batch Job. - Logon a Service. - Namespace collision. For example, when a new trust has the same name as an existing namespace name. - -If you configure this policy setting, an audit event is generated when an attempt to change the authentication policy is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when the authentication policy is changed. - -Note: The security audit event is logged when the group policy is applied. It does not occur at the time when the settings are modified. - - - - - - - - - - - text/plain - - - - - PolicyChange_AuditAuthorizationPolicyChange - - - - - - - - This policy setting allows you to audit events generated by changes to the authorization policy such as the following: - Assignment of user rights (privileges), such as SeCreateTokenPrivilege, that are not audited through the “Authentication Policy Change” subcategory. - Removal of user rights (privileges), such as SeCreateTokenPrivilege, that are not audited through the “Authentication Policy Change” subcategory. - Changes in the Encrypted File System (EFS) policy. - Changes to the Resource attributes of an object. - Changes to the Central Access Policy (CAP) applied to an object. - -If you configure this policy setting, an audit event is generated when an attempt to change the authorization policy is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when the authorization policy changes. - - - - - - - - - - - text/plain - - - - - PolicyChange_AuditFilteringPlatformPolicyChange - - - - - - - - This policy setting allows you to audit events generated by changes to the Windows Filtering Platform (WFP) such as the following: - IPsec services status. - Changes to IPsec policy settings. - Changes to Windows Firewall policy settings. - Changes to WFP providers and engine. - -If you configure this policy setting, an audit event is generated when a change to the WFP is attempted. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when a change occurs to the WFP. - - - - - - - - - - - text/plain - - - - - PolicyChange_AuditMPSSVCRuleLevelPolicyChange - - - - - - - - This policy setting allows you to audit events generated by changes in policy rules used by the Microsoft Protection Service (MPSSVC). This service is used by Windows Firewall. Events include the following: - Reporting of active policies when Windows Firewall service starts. - Changes to Windows Firewall rules. - Changes to Windows Firewall exception list. - Changes to Windows Firewall settings. - Rules ignored or not applied by Windows Firewall Service. - Changes to Windows Firewall Group Policy settings. - -If you configure this policy setting, an audit event is generated by attempts to change policy rules used by the MPSSVC. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated by changes in policy rules used by the MPSSVC. - - - - - - - - - - - text/plain - - - - - PolicyChange_AuditOtherPolicyChangeEvents - - - - - - - - This policy setting allows you to audit events generated by other security policy changes that are not audited in the policy change category, such as the following: - Trusted Platform Module (TPM) configuration changes. - Kernel-mode cryptographic self tests. - Cryptographic provider operations. - Cryptographic context operations or modifications. - Applied Central Access Policies (CAPs) changes. - Boot Configuration Data (BCD) modifications. - - - - - - - - - - - text/plain - - - - - PolicyChange_AuditPolicyChange - - - - - - - - This policy setting allows you to audit changes in the security audit policy settings such as the following: - Settings permissions and audit settings on the Audit Policy object. - Changes to the system audit policy. - Registration of security event sources. - De-registration of security event sources. - Changes to the per-user audit settings. - Changes to the value of CrashOnAuditFail. - Changes to the system access control list on a file system or registry object. - Changes to the Special Groups list. - -Note: System access control list (SACL) change auditing is done when a SACL for an object changes and the policy change category is enabled. Discretionary access control list (DACL) and ownership changes are audited when object access auditing is enabled and the object's SACL is configured for auditing of DACL/Owner change. - - - - - - - - - - - text/plain - - - - - PrivilegeUse_AuditNonSensitivePrivilegeUse - - - - - - - - This policy setting allows you to audit events generated by the use of non-sensitive privileges (user rights). -The following privileges are non-sensitive: - Access Credential Manager as a trusted caller. - Access this computer from the network. - Add workstations to domain. - Adjust memory quotas for a process. - Allow log on locally. - Allow log on through Terminal Services. - Bypass traverse checking. - Change the system time. - Create a pagefile. - Create global objects. - - Create permanent shared objects. - Create symbolic links. - Deny access this computer from the network. - Deny log on as a batch job. - Deny log on as a service. - Deny log on locally. - Deny log on through Terminal Services. - Force shutdown from a remote system. - Increase a process working set. - Increase scheduling priority. - Lock pages in memory. - Log on as a batch job. - Log on as a service. - Modify an object label. - Perform volume maintenance tasks. - Profile single process. - Profile system performance. - Remove computer from docking station. - Shut down the system. - Synchronize directory service data. - -If you configure this policy setting, an audit event is generated when a non-sensitive privilege is called. Success audits record successful calls and Failure audits record unsuccessful calls. -If you do not configure this policy setting, no audit event is generated when a non-sensitive privilege is called. - - - - - - - - - - - text/plain - - - - - PrivilegeUse_AuditOtherPrivilegeUseEvents - - - - - - - - Not used. - - - - - - - - - - - text/plain - - - - - PrivilegeUse_AuditSensitivePrivilegeUse - - - - - - - - This policy setting allows you to audit events generated when sensitive privileges (user rights) are used such as the following: - A privileged service is called. - One of the following privileges are called: - Act as part of the operating system. - Back up files and directories. - Create a token object. - Debug programs. - Enable computer and user accounts to be trusted for delegation. - Generate security audits. - Impersonate a client after authentication. - Load and unload device drivers. - Manage auditing and security log. - Modify firmware environment values. - Replace a process-level token. - Restore files and directories. - Take ownership of files or other objects. - -If you configure this policy setting, an audit event is generated when sensitive privilege requests are made. Success audits record successful requests and Failure audits record unsuccessful requests. -If you do not configure this policy setting, no audit event is generated when sensitive privilege requests are made. - - - - - - - - - - - - text/plain - - - - - System_AuditIPsecDriver - - - - - - - - This policy setting allows you to audit events generated by the IPsec filter driver such as the following: - Startup and shutdown of the IPsec services. - Network packets dropped due to integrity check failure. - Network packets dropped due to replay check failure. - Network packets dropped due to being in plaintext. - Network packets received with incorrect Security Parameter Index (SPI). This may indicate that either the network card is not working correctly or the driver needs to be updated. - Inability to process IPsec filters. - -If you configure this policy setting, an audit event is generated on an IPsec filter driver operation. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated on an IPSec filter driver operation. - - - - - - - - - - - text/plain - - - - - System_AuditOtherSystemEvents - - - - - - - - This policy setting allows you to audit any of the following events: - Startup and shutdown of the Windows Firewall service and driver. - Security policy processing by the Windows Firewall Service. - Cryptography key file and migration operations. - - - - - - - - - - - text/plain - - - - - System_AuditSecurityStateChange - - - - - - - - This policy setting allows you to audit events generated by changes in the security state of the computer such as the following events: - Startup and shutdown of the computer. - Change of system time. - Recovering the system from CrashOnAuditFail, which is logged after a system restarts when the security event log is full and the CrashOnAuditFail registry entry is configured. - - - - - - - - - - - text/plain - - - - - System_AuditSecuritySystemExtension - - - - - - - - This policy setting allows you to audit events related to security system extensions or services such as the following: - A security system extension, such as an authentication, notification, or security package is loaded and is registered with the Local Security Authority (LSA). It is used to authenticate logon attempts, submit logon requests, and any account or password changes. Examples of security system extensions are Kerberos and NTLM. - A service is installed and registered with the Service Control Manager. The audit log contains information about the service name, binary, type, start type, and service account. -If you configure this policy setting, an audit event is generated when an attempt is made to load a security system extension. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when an attempt is made to load a security system extension. - - - - - - - - - - - text/plain - - - - - System_AuditSystemIntegrity - - - - - - - - This policy setting allows you to audit events that violate the integrity of the security subsystem, such as the following: - Events that could not be written to the event log because of a problem with the auditing system. - A process that uses a local procedure call (LPC) port that is not valid in an attempt to impersonate a client by replying, reading, or writing to or from a client address space. - The detection of a Remote Procedure Call (RPC) that compromises system integrity. - The detection of a hash value of an executable file that is not valid as determined by Code Integrity. - Cryptographic operations that compromise system integrity. - - - - - - - - - - - text/plain - - - - - - Authentication - - - - - - - - - - - - - - - - - - - - - AllowAadPasswordReset - - - - - - - - Specifies whether password reset is enabled for AAD accounts. - - - - - - - - - - - text/plain - - - - - AllowFastReconnect - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowSecondaryAuthenticationDevice - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConfigureWebcamAccessDomainNames - - - - - - - - Specifies a list of domains that are allowed to access the webcam in CXH-based authentication scenarios. - - - - - - - - - - - text/plain - - - - - EnableFastFirstSignIn - - - - - - - - Specifies whether new non-admin AAD accounts should auto-connect to pre-created candidate local accounts - - - - - - - - - - - text/plain - - - - - EnableWebSignIn - - - - - - - - Specifies whether web-based sign in is allowed for logging in to Windows - - - - - - - - - - - text/plain - - - - - PreferredAadTenantDomainName - - - - - - - - Specifies the preferred domain among available domains in the AAD tenant. - - - - - - - - - - - text/plain - - - - - - Autoplay - - - - - - - - - - - - - - - - - - - - - DisallowAutoplayForNonVolumeDevices - - - - - - - - - - - - - - - - - - - text/plain - - - - - SetDefaultAutoRunBehavior - - - - - - - - - - - - - - - - - - - text/plain - - - - - TurnOffAutoPlay - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Bitlocker - - - - - - - - - - - - - - - - - - - - - EncryptionMethod - - - - - - - - - - - - - - - - - - - text/plain - - - - - - BITS - - - - - - - - - - - - - - - - - - - - - BandwidthThrottlingEndTime - - - - - - - - - - - - - - - - - - - text/plain - - - - - BandwidthThrottlingStartTime - - - - - - - - - - - - - - - - - - - text/plain - - - - - BandwidthThrottlingTransferRate - - - - - - - - - - - - - - - - - - - text/plain - - - - - CostedNetworkBehaviorBackgroundPriority - - - - - - - - - - - - - - - - - - - text/plain - - - - - CostedNetworkBehaviorForegroundPriority - - - - - - - - - - - - - - - - - - - text/plain - - - - - JobInactivityTimeout - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Bluetooth - - - - - - - - - - - - - - - - - - - - - AllowAdvertising - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowDiscoverableMode - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowPrepairing - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowPromptedProximalConnections - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalDeviceName - - - - - - - - - - - - - - - - - - - text/plain - - - - - ServicesAllowedList - - - - - - - - - - - - - - - - - - - text/plain - - - - - SetMinimumEncryptionKeySize - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Browser - - - - - - - - - - - - - - - - - - - - - AllowAddressBarDropdown - - - - - - - - This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services. - - - - - - - - - - - text/plain - - - - - AllowAutofill - - - - - - - - This setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge. - - - - - - - - - - - text/plain - - - - - AllowBrowser - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowConfigurationUpdateForBooksLibrary - - - - - - - - This policy setting lets you decide whether Microsoft Edge can automatically update the configuration data for the Books Library. - - - - - - - - - - - text/plain - - - - - AllowCookies - - - - - - - - This setting lets you configure how your company deals with cookies. - - - - - - - - - - - text/plain - - - - - AllowDeveloperTools - - - - - - - - This setting lets you decide whether employees can use F12 Developer Tools on Microsoft Edge. - - - - - - - - - - - text/plain - - - - - AllowDoNotTrack - - - - - - - - This setting lets you decide whether employees can send Do Not Track headers to websites that request tracking info. - - - - - - - - - - - text/plain - - - - - AllowExtensions - - - - - - - - This setting lets you decide whether employees can load extensions in Microsoft Edge. - - - - - - - - - - - text/plain - - - - - AllowFlash - - - - - - - - This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge. - - - - - - - - - - - text/plain - - - - - AllowFlashClickToRun - - - - - - - - Configure the Adobe Flash Click-to-Run setting. - - - - - - - - - - - text/plain - - - - - AllowFullScreenMode - - - - - - - - With this policy, you can specify whether to allow full-screen mode, which shows only the web content and hides the Microsoft Edge UI. - -If enabled or not configured, full-screen mode is available for use in Microsoft Edge. Your users and extensions must have the proper permissions. - -If disabled, full-screen mode is unavailable for use in Microsoft Edge. - - - - - - - - - - - text/plain - - - - - AllowInPrivate - - - - - - - - This setting lets you decide whether employees can browse using InPrivate website browsing. - - - - - - - - - - - text/plain - - - - - AllowMicrosoftCompatibilityList - - - - - - - - This policy setting lets you decide whether the Microsoft Compatibility List is enabled or disabled in Microsoft Edge. This feature uses a Microsoft-provided list to ensure that any sites with known compatibility issues are displayed correctly when a user navigates to them. By default, the Microsoft Compatibility List is enabled and can be viewed by navigating to about:compat. - -If you enable or don’t configure this setting, Microsoft Edge will periodically download the latest version of the list from Microsoft and will apply the configurations specified there during browser navigation. If a user visits a site on the Microsoft Compatibility List, he or she will be prompted to open the site in Internet Explorer 11. Once in Internet Explorer, the site will automatically be rendered as if the user is viewing it in the previous version of Internet Explorer it requires to display correctly. - -If you disable this setting, the Microsoft Compatibility List will not be used during browser navigation. - - - - - - - - - - - text/plain - - - - - AllowPasswordManager - - - - - - - - This setting lets you decide whether employees can save their passwords locally, using Password Manager. - - - - - - - - - - - text/plain - - - - - AllowPopups - - - - - - - - This setting lets you decide whether to turn on Pop-up Blocker and whether to allow pop-ups to appear in secondary windows. - - - - - - - - - - - text/plain - - - - - AllowPrelaunch - - - - - - - - Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed. - - - - - - - - - - - text/plain - - - - - AllowPrinting - - - - - - - - With this policy, you can restrict whether printing web content in Microsoft Edge is allowed. - -If enabled, printing is allowed. - -If disabled, printing is not allowed. - - - - - - - - - - - text/plain - - - - - AllowSavingHistory - - - - - - - - Microsoft Edge saves your user's browsing history, which is made up of info about the websites they visit, on their devices. - -If enabled or not configured, the browsing history is saved and visible in the History pane. - -If disabled, the browsing history stops saving and is not visible in the History pane. If browsing history exists before this policy was disabled, the previous browsing history remains visible in the History pane. This policy, when disabled, does not stop roaming of existing history or history coming from other roamed devices. - - - - - - - - - - - text/plain - - - - - AllowSearchEngineCustomization - - - - - - - - Allow search engine customization for MDM enrolled devices. Users can change their default search engine. - -If this setting is turned on or not configured, users can add new search engines and change the default used in the address bar from within Microsoft Edge Settings. -If this setting is disabled, users will be unable to add search engines or change the default used in the address bar. - -This policy will only apply on domain joined machines or when the device is MDM enrolled. For more information, see Microsoft browser extension policy (aka.ms/browserpolicy). - - - - - - - - - - - text/plain - - - - - AllowSearchSuggestionsinAddressBar - - - - - - - - This setting lets you decide whether search suggestions should appear in the Address bar of Microsoft Edge. - - - - - - - - - - - text/plain - - - - - AllowSideloadingOfExtensions - - - - - - - - This setting lets you decide whether employees can sideload extensions in Microsoft Edge. - - - - - - - - - - - text/plain - - - - - AllowSmartScreen - - - - - - - - This setting lets you decide whether to turn on Windows Defender SmartScreen. - - - - - - - - - - - text/plain - - - - - AllowTabPreloading - - - - - - - - Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed. - - - - - - - - - - - text/plain - - - - - AllowWebContentOnNewTabPage - - - - - - - - This policy setting lets you configure what appears when Microsoft Edge opens a new tab. By default, Microsoft Edge opens the New Tab page. - -If you enable this setting, Microsoft Edge opens a new tab with the New Tab page. - -If you disable this setting, Microsoft Edge opens a new tab with a blank page. If you use this setting, employees can't change it. - -If you don't configure this setting, employees can choose how new tabs appears. - - - - - - - - - - - text/plain - - - - - AlwaysEnableBooksLibrary - - - - - - - - Specifies whether the Books Library in Microsoft Edge will always be visible regardless of the country or region setting for the device. - - - - - - - - - - - text/plain - - - - - ClearBrowsingDataOnExit - - - - - - - - Specifies whether to always clear browsing history on exiting Microsoft Edge. - - - - - - - - - - - text/plain - - - - - ConfigureAdditionalSearchEngines - - - - - - - - Allows you to add up to 5 additional search engines for MDM-enrolled devices. - -If this setting is turned on, you can add up to 5 additional search engines for your employee. For each additional search engine you wish to add, you must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. This policy does not affect the default search engine. Employees will not be able to remove these search engines, but they can set any one of these as the default. - -If this setting is not configured, the search engines are the ones specified in the App settings. If this setting is disabled, the search engines you had added will be deleted from your employee's machine. - -Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. - - - - - - - - - - - text/plain - - - - - ConfigureFavoritesBar - - - - - - - - The favorites bar shows your user's links to sites they have added to it. With this policy, you can specify whether to set the favorites bar to always be visible or hidden on any page. - -If enabled, favorites bar is always visible on any page, and the favorites bar toggle in Settings sets to On, but disabled preventing your users from making changes. An error message also shows at the top of the Settings pane indicating that your organization manages some settings. The show bar/hide bar option is hidden from the context menu. - -If disabled, the favorites bar is hidden, and the favorites bar toggle resets to Off, but disabled preventing your users from making changes. An error message also shows at the top of the Settings pane indicating that your organization manages some settings. - -If not configured, the favorites bar is hidden but is visible on the Start and New Tab pages, and the favorites bar toggle in Settings sets to Off but is enabled allowing the user to make changes. - - - - - - - - - - - text/plain - - - - - ConfigureHomeButton - - - - - - - - The Home button loads either the default Start page, the New tab page, or a URL defined in the Set Home Button URL policy. - -By default, this policy is disabled or not configured and clicking the home button loads the default Start page. - -When enabled, the home button is locked down preventing your users from making changes in Microsoft Edge's UI settings. To let your users change the Microsoft Edge UI settings, enable the Unlock Home Button policy. - -If Enabled AND: -- Show home button & set to Start page is selected, clicking the home button loads the Start page. -- Show home button & set to New tab page is selected, clicking the home button loads a New tab page. -- Show home button & set a specific page is selected, clicking the home button loads the URL specified in the Set Home Button URL policy. -- Hide home button is selected, the home button is hidden in Microsoft Edge. - -Default setting: Disabled or not configured -Related policies: -- Set Home Button URL -- Unlock Home Button - - - - - - - - - - - text/plain - - - - - ConfigureKioskMode - - - - - - - - Configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access, either as a single app or as one of multiple apps running on the kiosk device. You can control whether Microsoft Edge runs InPrivate full screen, InPrivate multi-tab with limited functionality, or normal Microsoft Edge. - -You need to configure Microsoft Edge in assigned access for this policy to take effect; otherwise, these settings are ignored. To learn more about assigned access and kiosk configuration, see “Configure kiosk and shared devices running Windows desktop editions” (https://aka.ms/E489vw). - -If enabled and set to 0 (Default or not configured): -- If it’s a single app, it runs InPrivate full screen for digital signage or interactive displays. -- If it’s one of many apps, Microsoft Edge runs as normal. -If enabled and set to 1: -- If it’s a single app, it runs a limited multi-tab version of InPrivate and is the only app available for public browsing. Users can’t minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking “End session.” You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy. -- If it’s one of many apps, it runs in a limited multi-tab version of InPrivate for public browsing with other apps. Users can minimize, close, and open multiple InPrivate windows, but they can’t customize Microsoft Edge. - - - - - - - - - - - text/plain - - - - - ConfigureKioskResetAfterIdleTimeout - - - - - - - - You can configure Microsoft Edge to reset to the configured start experience after a specified amount of idle time. The reset timer begins after the last user interaction. Resetting to the configured start experience deletes the current user’s browsing data. - -If enabled, you can set the idle time in minutes (0-1440). You must set the Configure kiosk mode policy to 1 and configure Microsoft Edge in assigned access as a single app for this policy to work. Once the idle time meets the time specified, a confirmation message prompts the user to continue, and if no user action, Microsoft Edge resets after 30 seconds. - -If you set this policy to 0, Microsoft Edge does not use an idle timer. - -If disabled or not configured, the default value is 5 minutes. - -If you do not configure Microsoft Edge in assigned access, then this policy does not take effect. - - - - - - - - - - - text/plain - - - - - ConfigureOpenMicrosoftEdgeWith - - - - - - - - You can configure Microsoft Edge to lock down the Start page, preventing users from changing or customizing it. - -If enabled, you can choose one of the following options: -- Start page: the Start page loads ignoring the Configure Start Pages policy. -- New tab page: the New tab page loads ignoring the Configure Start Pages policy. -- Previous pages: all tabs the user had open when Microsoft Edge last closed loads ignoring the Configure Start Pages policy. -- A specific page or pages: the URL(s) specified with Configure Start Pages policy load(s). If selected, you must specify at least one URL in Configure Start Pages; otherwise, this policy is ignored. - -When enabled, and you want to make changes, you must first set the Disable Lockdown of Start Pages to not configured, make the changes to the Configure Open Edge With policy, and then enable the Disable Lockdown of Start Pages policy. - -If disabled or not configured, and you enable the Disable Lockdown of Start Pages policy, your users can change or customize the Start page. - -Default setting: A specific page or pages (default) -Related policies: --Disable Lockdown of Start Pages --Configure Start Pages - - - - - - - - - - - text/plain - - - - - ConfigureTelemetryForMicrosoft365Analytics - - - - - - - - Configures what browsing data will be sent to Microsoft 365 Analytics for devices belonging to an organization. - - - - - - - - - - - text/plain - - - - - DisableLockdownOfStartPages - - - - - - - - You can configure Microsoft Edge to disable the lockdown of Start pages allowing users to change or customize their start pages. To do this, you must also enable the Configure Start Pages or Configure Open Microsoft With policy. When enabled, all configured start pages are editable. Any Start page configured using the Configure Start pages policy is not locked down allowing users to edit their Start pages. - -If disabled or not configured, the Start pages configured in the Configure Start Pages policy cannot be changed and remain locked down. - -Supported devices: Domain-joined or MDM-enrolled -Related policy: -- Configure Start Pages -- Configure Open Microsoft Edge With - - - - - - - - - - - text/plain - - - - - EnableExtendedBooksTelemetry - - - - - - - - This setting allows organizations to send extended telemetry on book usage from the Books Library. - - - - - - - - - - - text/plain - - - - - EnterpriseModeSiteList - - - - - - - - This setting lets you configure whether your company uses Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy websites. - - - - - - - - - - - text/plain - - - - - EnterpriseSiteListServiceUrl - - - - - - - - - - - - - - - - - - - text/plain - - - - - FirstRunURL - - - - - - - - Configure first run URL. - - - - - - - - - - - text/plain - - - - - HomePages - - - - - - - - When you enable the Configure Open Microsoft Edge With policy, you can configure one or more Start pages. When you enable this policy, users are not allowed to make changes to their Start pages. - -If enabled, you must include URLs to the pages, separating multiple pages using angle brackets in the following format: - - <support.contoso.com><support.microsoft.com> - -If disabled or not configured, the webpages specified in App settings loads as the default Start pages. - -Version 1703 or later: -If you do not want to send traffic to Microsoft, enable this policy and use the <about:blank> value, which honors domain- and non-domain-joined devices, when it is the only configured URL. - -Version 1809: -If enabled, and you select either Start page, New Tab page, or previous page in the Configure Open Microsoft Edge With policy, Microsoft Edge ignores the Configure Start Pages policy. If not configured or you set the Configure Open Microsoft Edge With policy to a specific page or pages, Microsoft Edge uses the Configure Start Pages policy. - -Supported devices: Domain-joined or MDM-enrolled -Related policy: -- Configure Open Microsoft Edge With -- Disable Lockdown of Start Pages - - - - - - - - - - - text/plain - - - - - LockdownFavorites - - - - - - - - This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge. - -If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off. - -Important -Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. - -If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list. - - - - - - - - - - - text/plain - - - - - PreventAccessToAboutFlagsInMicrosoftEdge - - - - - - - - Prevent access to the about:flags page in Microsoft Edge. - - - - - - - - - - - text/plain - - - - - PreventCertErrorOverrides - - - - - - - - Web security certificates are used to ensure a site your users go to is legitimate, and in some circumstances encrypts the data. With this policy, you can specify whether to prevent users from bypassing the security warning to sites that have SSL errors. - -If enabled, overriding certificate errors are not allowed. - -If disabled or not configured, overriding certificate errors are allowed. - - - - - - - - - - - text/plain - - - - - PreventFirstRunPage - - - - - - - - Specifies whether the First Run webpage is prevented from automatically opening on the first launch of Microsoft Edge. This policy is only available for Windows 10 version 1703 or later for desktop. - -Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. - - - - - - - - - - - text/plain - - - - - PreventLiveTileDataCollection - - - - - - - - This policy lets you decide whether Microsoft Edge can gather Live Tile metadata from the ieonline.microsoft.com service to provide a better experience while pinning a Live Tile to the Start menu. - -Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. - - - - - - - - - - - text/plain - - - - - PreventSmartScreenPromptOverride - - - - - - - - Don't allow Windows Defender SmartScreen warning overrides - - - - - - - - - - - text/plain - - - - - PreventSmartScreenPromptOverrideForFiles - - - - - - - - Don't allow Windows Defender SmartScreen warning overrides for unverified files. - - - - - - - - - - - text/plain - - - - - PreventTurningOffRequiredExtensions - - - - - - - - You can define a list of extensions in Microsoft Edge that users cannot turn off. You must deploy extensions through any available enterprise deployment channel, such as Microsoft Intune. When you enable this policy, users cannot uninstall extensions from their computer, but they can configure options for extensions defined in this policy, such as allow for InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically. - -When you enable this policy, you must provide a semi-colon delimited list of extension package family names (PFNs). For example, adding Microsoft.OneNoteWebClipper_8wekyb3d8bbwe;Microsoft.OfficeOnline_8wekyb3d8bbwe prevents a user from turning off the OneNote Web Clipper and Office Online extension. - -When enabled, removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. - -If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension. - -If disabled or not configured, extensions defined as part of this policy get ignored. - -Default setting: Disabled or not configured -Related policies: Allow Developer Tools -Related Documents: -- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/en-us/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn) -- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/en-us/intune/windows-store-for-business) -- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/en-us/intune/apps-deploy) -- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/en-us/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) -- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/en-us/intune/lob-apps-windows) - - - - - - - - - - - text/plain - - - - - PreventUsingLocalHostIPAddressForWebRTC - - - - - - - - Prevent using localhost IP address for WebRTC - - - - - - - - - - - text/plain - - - - - ProvisionFavorites - - - - - - - - This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. - -If you enable this setting, you can set favorite URL's and favorite folders to appear on top of users' favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites. - -Important -Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. - -If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar. - - - - - - - - - - - text/plain - - - - - SendIntranetTraffictoInternetExplorer - - - - - - - - Sends all intranet traffic over to Internet Explorer. - - - - - - - - - - - text/plain - - - - - SetDefaultSearchEngine - - - - - - - - Sets the default search engine for MDM-enrolled devices. Users can still change their default search engine. - -If this setting is turned on, you are setting the default search engine that you would like your employees to use. Employees can still change the default search engine, unless you apply the AllowSearchEngineCustomization policy which will disable the ability to change it. You must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. If you would like for your employees to use the Edge factory settings for the default search engine for their market, set the string EDGEDEFAULT; if you would like for your employees to use Bing as the default search engine, set the string EDGEBING. - -If this setting is not configured, the default search engine is set to the one specified in App settings and can be changed by your employees. If this setting is disabled, the policy-set search engine will be removed, and, if it is the current default, the default will be set back to the factory Microsoft Edge search engine for the market. - -Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. - - - - - - - - - - - text/plain - - - - - SetHomeButtonURL - - - - - - - - The home button can be configured to load a custom URL when your user clicks the home button. - -If enabled, or configured, and the Configure Home Button policy is enabled, and the Show home button & set a specific page is selected, a custom URL loads when your user clicks the home button. - -Default setting: Blank or not configured -Related policy: Configure Home Button - - - - - - - - - - - text/plain - - - - - SetNewTabPageURL - - - - - - - - You can set the default New Tab page URL in Microsoft Edge. Enabling this policy prevents your users from changing the New tab page setting. When enabled and the Allow web content on New Tab page policy is disabled, Microsoft Edge ignores the URL specified in this policy and opens about:blank. - -If enabled, you can set the default New Tab page URL. - -If disabled or not configured, the default Microsoft Edge new tab page is used. - -Default setting: Disabled or not configured -Related policy: Allow web content on New Tab page - - - - - - - - - - - text/plain - - - - - ShowMessageWhenOpeningSitesInInternetExplorer - - - - - - - - You can configure Microsoft Edge to open a site automatically in Internet Explorer 11 and choose to display a notification before the site opens. If you want to display a notification, you must enable Configure the Enterprise Mode Site List or Send all intranets sites to Internet Explorer 11 or both. - -If enabled, the notification appears on a new page. If you want users to continue in Microsoft Edge, select the Show Keep going in Microsoft Edge option from the drop-down list under Options. - -If disabled or not configured, the default app behavior occurs and no additional page displays. - -Default setting: Disabled or not configured -Related policies: --Configure the Enterprise Mode Site List --Send all intranet sites to Internet Explorer 11 - - - - - - - - - - - text/plain - - - - - SyncFavoritesBetweenIEAndMicrosoftEdge - - - - - - - - Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering. - - - - - - - - - - - text/plain - - - - - UnlockHomeButton - - - - - - - - By default, when enabling Configure Home Button or Set Home Button URL, the home button is locked down to prevent your users from changing what page loads when clicking the home button. Use this policy to let users change the home button even when Configure Home Button or Set Home Button URL are enabled. - -If enabled, the UI settings for the home button are enabled allowing your users to make changes, including hiding and showing the home button as well as configuring a custom URL. - -If disabled or not configured, the UI settings for the home button are disabled preventing your users from making changes. - -Default setting: Disabled or not configured -Related policy: --Configure Home Button --Set Home Button URL - - - - - - - - - - - text/plain - - - - - UseSharedFolderForBooks - - - - - - - - This setting specifies whether organizations should use a folder shared across users to store books from the Books Library. - - - - - - - - - - - text/plain - - - - - - Camera - - - - - - - - - - - - - - - - - - - - - AllowCamera - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Cellular - - - - - - - - - - - - - - - - - - - - - LetAppsAccessCellularData - - - - - - - - This policy setting specifies whether Windows apps can access cellular data. - - - - - - - - - - - text/plain - - - - - LetAppsAccessCellularData_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessCellularData_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessCellularData_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the cellular data access setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - ShowAppCellularAccessUI - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Connectivity - - - - - - - - - - - - - - - - - - - - - AllowBluetooth - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowCellularData - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowCellularDataRoaming - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowConnectedDevices - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowNFC - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowPhonePCLinking - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowUSBConnection - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowVPNOverCellular - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowVPNRoamingOverCellular - - - - - - - - - - - - - - - - - - - text/plain - - - - - DiablePrintingOverHTTP - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableDownloadingOfPrintDriversOverHTTP - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisallowNetworkConnectivityActiveTests - - - - - - - - - - - - - - - - - - - text/plain - - - - - HardenedUNCPaths - - - - - - - - - - - - - - - - - - - text/plain - - - - - ProhibitInstallationAndConfigurationOfNetworkBridge - - - - - - - - - - - - - - - - - - - text/plain - - - - - - ControlPolicyConflict - - - - - - - - - - - - - - - - - - - - - MDMWinsOverGP - - - - - - - - If set to 1 then any MDM policy that is set that has an equivalent GP policy will result in GP service blocking the setting of the policy by GP MMC. Setting the value to 0 (zero) or deleting the policy will remove the GP policy blocks restore the saved GP policies. - - - - - - - - - - - text/plain - - - - - - CredentialProviders - - - - - - - - - - - - - - - - - - - - - AllowPINLogon - - - - - - - - - - - - - - - - - - - text/plain - - - - - BlockPicturePassword - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableAutomaticReDeploymentCredentials - - - - - - - - - - - - - - - - - - - text/plain - - - - - - CredentialsDelegation - - - - - - - - - - - - - - - - - - - - - RemoteHostAllowsDelegationOfNonExportableCredentials - - - - - - - - - - - - - - - - - - - text/plain - - - - - - CredentialsUI - - - - - - - - - - - - - - - - - - - - - DisablePasswordReveal - - - - - - - - - - - - - - - - - - - text/plain - - - - - EnumerateAdministrators - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Cryptography - - - - - - - - - - - - - - - - - - - - - AllowFipsAlgorithmPolicy - - - - - - - - - - - - - - - - - - - text/plain - - - - - TLSCipherSuites - - - - - - - - - - - - - - - - - - - text/plain - - - - - - DataProtection - - - - - - - - - - - - - - - - - - - - - AllowDirectMemoryAccess - - - - - - - - - - - - - - - - - - - text/plain - - - - - LegacySelectiveWipeID - - - - - - - - - - - - - - - - - - - text/plain - - - - - - DataUsage - - - - - - - - - - - - - - - - - - - - - SetCost3G - - - - - - - - - - - - - - - - - - - text/plain - - - - - SetCost4G - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Defender - - - - - - - - - - - - - - - - - - - - - AllowArchiveScanning - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowBehaviorMonitoring - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowCloudProtection - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowEmailScanning - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowFullScanOnMappedNetworkDrives - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowFullScanRemovableDriveScanning - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowIntrusionPreventionSystem - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowIOAVProtection - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowOnAccessProtection - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowRealtimeMonitoring - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowScanningNetworkFiles - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowScriptScanning - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowUserUIAccess - - - - - - - - - - - - - - - - - - - text/plain - - - - - AttackSurfaceReductionOnlyExclusions - - - - - - - - - - - - - - - - - - - text/plain - - - - - AttackSurfaceReductionRules - - - - - - - - - - - - - - - - - - - text/plain - - - - - AvgCPULoadFactor - - - - - - - - - - - - - - - - - - - text/plain - - - - - CheckForSignaturesBeforeRunningScan - - - - - - - - - - - - - - - - - - - text/plain - - - - - CloudBlockLevel - - - - - - - - - - - - - - - - - - - text/plain - - - - - CloudExtendedTimeout - - - - - - - - - - - - - - - - - - - text/plain - - - - - ControlledFolderAccessAllowedApplications - - - - - - - - - - - - - - - - - - - text/plain - - - - - ControlledFolderAccessProtectedFolders - - - - - - - - - - - - - - - - - - - text/plain - - - - - DaysToRetainCleanedMalware - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableCatchupFullScan - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableCatchupQuickScan - - - - - - - - - - - - - - - - - - - text/plain - - - - - EnableControlledFolderAccess - - - - - - - - - - - - - - - - - - - text/plain - - - - - EnableLowCPUPriority - - - - - - - - - - - - - - - - - - - text/plain - - - - - EnableNetworkProtection - - - - - - - - - - - - - - - - - - - text/plain - - - - - ExcludedExtensions - - - - - - - - - - - - - - - - - - - text/plain - - - - - ExcludedPaths - - - - - - - - - - - - - - - - - - - text/plain - - - - - ExcludedProcesses - - - - - - - - - - - - - - - - - - - text/plain - - - - - PUAProtection - - - - - - - - - - - - - - - - - - - text/plain - - - - - RealTimeScanDirection - - - - - - - - - - - - - - - - - - - text/plain - - - - - ScanParameter - - - - - - - - - - - - - - - - - - - text/plain - - - - - ScheduleQuickScanTime - - - - - - - - - - - - - - - - - - - text/plain - - - - - ScheduleScanDay - - - - - - - - - - - - - - - - - - - text/plain - - - - - ScheduleScanTime - - - - - - - - - - - - - - - - - - - text/plain - - - - - SecurityIntelligenceLocation - - - - - - - - - - - - - - - - - - - text/plain - - - - - SignatureUpdateFallbackOrder - - - - - - - - - - - - - - - - - - - text/plain - - - - - SignatureUpdateFileSharesSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - SignatureUpdateInterval - - - - - - - - - - - - - - - - - - - text/plain - - - - - SubmitSamplesConsent - - - - - - - - - - - - - - - - - - - text/plain - - - - - ThreatSeverityDefaultAction - - - - - - - - - - - - - - - - - - - text/plain - - - - - - DeliveryOptimization - - - - - - - - - - - - - - - - - - - - - DOAbsoluteMaxCacheSize - - - - - - - - - - - - - - - - - - - text/plain - - - - - DOAllowVPNPeerCaching - - - - - - - - - - - - - - - - - - - text/plain - - - - - DOCacheHost - - - - - - - - - - - - - - - - - - - text/plain - - - - - DOCacheHostSource - - - - - - - - - - - - - - - - - - - text/plain - - - - - DODelayBackgroundDownloadFromHttp - - - - - - - - - - - - - - - - - - - text/plain - - - - - DODelayCacheServerFallbackBackground - - - - - - - - - - - - - - - - - - - text/plain - - - - - DODelayCacheServerFallbackForeground - - - - - - - - - - - - - - - - - - - text/plain - - - - - DODelayForegroundDownloadFromHttp - - - - - - - - - - - - - - - - - - - text/plain - - - - - DODownloadMode - - - - - - - - - - - - - - - - - - - text/plain - - - - - DOGroupId - - - - - - - - - - - - - - - - - - - text/plain - - - - - DOGroupIdSource - - - - - - - - - - - - - - - - - - - text/plain - - - - - DOMaxBackgroundDownloadBandwidth - - - - - - - - - - - - - - - - - - - text/plain - - - - - DOMaxCacheAge - - - - - - - - - - - - - - - - - - - text/plain - - - - - DOMaxCacheSize - - - - - - - - - - - - - - - - - - - text/plain - - - - - DOMaxForegroundDownloadBandwidth - - - - - - - - - - - - - - - - - - - text/plain - - - - - DOMinBackgroundQos - - - - - - - - - - - - - - - - - - - text/plain - - - - - DOMinBatteryPercentageAllowedToUpload - - - - - - - - - - - - - - - - - - - text/plain - - - - - DOMinDiskSizeAllowedToPeer - - - - - - - - - - - - - - - - - - - text/plain - - - - - DOMinFileSizeToCache - - - - - - - - - - - - - - - - - - - text/plain - - - - - DOMinRAMAllowedToPeer - - - - - - - - - - - - - - - - - - - text/plain - - - - - DOModifyCacheDrive - - - - - - - - - - - - - - - - - - - text/plain - - - - - DOMonthlyUploadDataCap - - - - - - - - - - - - - - - - - - - text/plain - - - - - DOPercentageMaxBackgroundBandwidth - - - - - - - - - - - - - - - - - - - text/plain - - - - - DOPercentageMaxForegroundBandwidth - - - - - - - - - - - - - - - - - - - text/plain - - - - - DORestrictPeerSelectionBy - - - - - - - - - - - - - - - - - - - text/plain - - - - - DOSetHoursToLimitBackgroundDownloadBandwidth - - - - - - - - - - - - - - - - - - - text/plain - - - - - DOSetHoursToLimitForegroundDownloadBandwidth - - - - - - - - - - - - - - - - - - - text/plain - - - - - - DeviceGuard - - - - - - - - - - - - - - - - - - - - - ConfigureSystemGuardLaunch - - - - - - - - Secure Launch configuration: 0 - Unmanaged, configurable by Administrative user, 1 - Enables Secure Launch if supported by hardware, 2 - Disables Secure Launch. - - - - - - - - - - - text/plain - - - - - EnableVirtualizationBasedSecurity - - - - - - - - Turns On Virtualization Based Security(VBS) - - - - - - - - - - - text/plain - - - - - LsaCfgFlags - - - - - - - - Credential Guard Configuration: 0 - Turns off CredentialGuard remotely if configured previously without UEFI Lock, 1 - Turns on CredentialGuard with UEFI lock. 2 - Turns on CredentialGuard without UEFI lock. - - - - - - - - - - - text/plain - - - - - RequirePlatformSecurityFeatures - - - - - - - - Select Platform Security Level: 1 - Turns on VBS with Secure Boot, 3 - Turns on VBS with Secure Boot and DMA. DMA requires hardware support. - - - - - - - - - - - text/plain - - - - - - DeviceHealthMonitoring - - - - - - - - - - - - - - - - - - - - - AllowDeviceHealthMonitoring - - - - - - - - Enable/disable 4Nines device health monitoring on devices. - - - - - - - - - - - text/plain - - - - - ConfigDeviceHealthMonitoringScope - - - - - - - - If the device is not opted-in to the DeviceHealthMonitoring service via the AllowDeviceHealthMonitoring then this policy has no meaning. For devices which are opted in, the value of this policy modifies which types of events are monitored. - - - - - - - - - - - text/plain - - - - - ConfigDeviceHealthMonitoringUploadDestination - - - - - - - - If the device is not opted-in to the DeviceHealthMonitoring service via the AllowDeviceHealthMonitoring then this policy has no meaning. For devices which are opted in, the value of this policy modifies which destinations are in-scope for monitored events to be uploaded. - - - - - - - - - - - text/plain - - - - - - DeviceInstallation - - - - - - - - - - - - - - - - - - - - - AllowInstallationOfMatchingDeviceIDs - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowInstallationOfMatchingDeviceInstanceIDs - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowInstallationOfMatchingDeviceSetupClasses - - - - - - - - - - - - - - - - - - - text/plain - - - - - PreventDeviceMetadataFromNetwork - - - - - - - - - - - - - - - - - - - text/plain - - - - - PreventInstallationOfDevicesNotDescribedByOtherPolicySettings - - - - - - - - - - - - - - - - - - - text/plain - - - - - PreventInstallationOfMatchingDeviceIDs - - - - - - - - - - - - - - - - - - - text/plain - - - - - PreventInstallationOfMatchingDeviceInstanceIDs - - - - - - - - - - - - - - - - - - - text/plain - - - - - PreventInstallationOfMatchingDeviceSetupClasses - - - - - - - - - - - - - - - - - - - text/plain - - - - - - DeviceLock - - - - - - - - - - - - - - - - - - - - - AllowIdleReturnWithoutPassword - - - - - - - - Specifies whether the user must input a PIN or password when the device resumes from an idle state. - - - - - - - - - - - text/plain - - - - - AllowSimpleDevicePassword - - - - - - - - Specifies whether PINs or passwords such as 1111 or 1234 are allowed. For the desktop, it also controls the use of picture passwords. - - - - - - - - - - - text/plain - - - - - AlphanumericDevicePasswordRequired - - - - - - - - Determines the type of PIN or password required. This policy only applies if the DeviceLock/DevicePasswordEnabled policy is set to 0 - - - - - - - - - - - text/plain - - - - - DevicePasswordEnabled - - - - - - - - Specifies whether device lock is enabled. - - - - - - - - - - - text/plain - - - - - DevicePasswordExpiration - - - - - - - - Specifies when the password expires (in days). - - - - - - - - - - - text/plain - - - - - DevicePasswordHistory - - - - - - - - Specifies how many passwords can be stored in the history that can’t be used. - - - - - - - - - - - text/plain - - - - - EnforceLockScreenAndLogonImage - - - - - - - - - - - - - - - - - - - text/plain - - - - - EnforceLockScreenProvider - - - - - - - - - - - - - - - - - - - text/plain - - - - - MaxDevicePasswordFailedAttempts - - - - - - - - - - - - - - - - - - - text/plain - - - - - MaxInactivityTimeDeviceLock - - - - - - - - The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality. - - - - - - - - - - - text/plain - - - - - MaxInactivityTimeDeviceLockWithExternalDisplay - - - - - - - - Sets the maximum timeout value for the external display. - - - - - - - - - - - text/plain - - - - - MinDevicePasswordComplexCharacters - - - - - - - - The number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password. - - - - - - - - - - - text/plain - - - - - MinDevicePasswordLength - - - - - - - - Specifies the minimum number or characters required in the PIN or password. - - - - - - - - - - - text/plain - - - - - MinimumPasswordAge - - - - - - - - This security setting determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow changes immediately by setting the number of days to 0. - -The minimum password age must be less than the Maximum password age, unless the maximum password age is set to 0, indicating that passwords will never expire. If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998. - -Configure the minimum password age to be more than 0 if you want Enforce password history to be effective. Without a minimum password age, users can cycle through passwords repeatedly until they get to an old favorite. The default setting does not follow this recommendation, so that an administrator can specify a password for a user and then require the user to change the administrator-defined password when the user logs on. If the password history is set to 0, the user does not have to choose a new password. For this reason, Enforce password history is set to 1 by default. - - - - - - - - - - - text/plain - - - - - PreventEnablingLockScreenCamera - - - - - - - - - - - - - - - - - - - text/plain - - - - - PreventLockScreenSlideShow - - - - - - - - - - - - - - - - - - - text/plain - - - - - Display - - - - - - - - - - - - - - - - - - - - - DisablePerProcessDpiForApps - - - - - - - - This policy allows you to disable Per-Process System DPI for a semicolon-separated list of applications. Applications can be specified either by using full paths or with filenames and extensions. This policy will override the system-wide default value. - - - - - - - - - - - text/plain - - - - - EnablePerProcessDpi - - - - - - - - Enable or disable Per-Process System DPI for all applications. - - - - - - - - - - - text/plain - - - - - EnablePerProcessDpiForApps - - - - - - - - This policy allows you to enable Per-Process System DPI for a semicolon-separated list of applications. Applications can be specified either by using full paths or with filenames and extensions. This policy will override the system-wide default value. - - - - - - - - - - - text/plain - - - - - TurnOffGdiDPIScalingForApps - - - - - - - - This policy allows to force turn off GDI DPI Scaling for a semicolon separated list of applications. Applications can be specified either by using full path or just filename and extension. - - - - - - - - - - - text/plain - - - - - TurnOnGdiDPIScalingForApps - - - - - - - - This policy allows to turn on GDI DPI Scaling for a semicolon separated list of applications. Applications can be specified either by using full path or just filename and extension. - - - - - - - - - - - text/plain - - - - - - DmaGuard - - - - - - - - - - - - - - - - - - - - - DeviceEnumerationPolicy - - - - - - - - - - - - - - - - - - - text/plain - - - - - - ErrorReporting - - - - - - - - - - - - - - - - - - - - - CustomizeConsentSettings - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableWindowsErrorReporting - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisplayErrorNotification - - - - - - - - - - - - - - - - - - - text/plain - - - - - DoNotSendAdditionalData - - - - - - - - - - - - - - - - - - - text/plain - - - - - PreventCriticalErrorDisplay - - - - - - - - - - - - - - - - - - - text/plain - - - - - - EventLogService - - - - - - - - - - - - - - - - - - - - - ControlEventLogBehavior - - - - - - - - - - - - - - - - - - - text/plain - - - - - SpecifyMaximumFileSizeApplicationLog - - - - - - - - - - - - - - - - - - - text/plain - - - - - SpecifyMaximumFileSizeSecurityLog - - - - - - - - - - - - - - - - - - - text/plain - - - - - SpecifyMaximumFileSizeSystemLog - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Experience - - - - - - - - - - - - - - - - - - - - - AllowClipboardHistory - - - - - - - - Allows history of clipboard items to be stored in memory. - - - - - - - - - - - text/plain - - - - - AllowCopyPaste - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowCortana - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowDeviceDiscovery - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowFindMyDevice - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowManualMDMUnenrollment - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowSaveAsOfOfficeFiles - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowScreenCapture - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowSharingOfOfficeFiles - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowSIMErrorDialogPromptWhenNoSIM - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowSyncMySettings - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowTaskSwitcher - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowVoiceRecording - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowWindowsConsumerFeatures - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowWindowsTips - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableCloudOptimizedContent - - - - - - - - This policy controls Windows experiences that use the cloud optimized content client component. If you enable this policy, they will present only default content. If you disable or do not configure this policy, they will be able to use cloud provided content. - - - - - - - - - - - text/plain - - - - - DoNotShowFeedbackNotifications - - - - - - - - - - - - - - - - - - - text/plain - - - - - DoNotSyncBrowserSettings - - - - - - - - You can configure Microsoft Edge, when enabled, to prevent the "browser" group from using the Sync your Settings option to sync information, such as history and favorites, between user's devices. If you want syncing turned off by default in Microsoft Edge but not disabled, enable the Allow users to turn browser syncing on policy. If disabled or not configured, the Sync your Settings options are turned on in Microsoft Edge by default, and configurable by the user. - Related policy: PreventUsersFromTurningOnBrowserSyncing - 0 (default) = allow syncing, 2 = disable syncing - - - - - - - - - - - text/plain - - - - - PreventUsersFromTurningOnBrowserSyncing - - - - - - - - You can configure Microsoft Edge to allow users to turn on the Sync your Settings option to sync information, such as history and favorites, between user's devices. When enabled and you enable the Do not sync browser setting policy, browser settings sync automatically. If disabled, users have the option to sync the browser settings. - Related policy: DoNotSyncBrowserSettings - 1 (default) = Do not allow users to turn on syncing, 0 = Allows users to turn on syncing - - - - - - - - - - - text/plain - - - - - ShowLockOnUserTile - - - - - - - - Shows or hides lock from the user tile menu. -If you enable this policy setting, the lock option will be shown in the User Tile menu. - -If you disable this policy setting, the lock option will never be shown in the User Tile menu. - -If you do not configure this policy setting, users will be able to choose whether they want lock to show through the Power Options Control Panel. - - - - - - - - - - - text/plain - - - - - - ExploitGuard - - - - - - - - - - - - - - - - - - - - - ExploitProtectionSettings - - - - - - - - - - - - - - - - - - - text/plain - - - - - - FactoryComposer - - - - - - - - - - - - - - - - - - - - - BackgroundImagePath - - - - - - - - - - - - - - - - - - - text/plain - - - - - OEMVersion - - - - - - - - - - - - - - - - - - - text/plain - - - - - UserToSignIn - - - - - - - - - - - - - - - - - - - text/plain - - - - - UWPLaunchOnBoot - - - - - - - - - - - - - - - - - - - text/plain - - - - - - FileExplorer - - - - - - - - - - - - - - - - - - - - - TurnOffDataExecutionPreventionForExplorer - - - - - - - - - - - - - - - - - - - text/plain - - - - - TurnOffHeapTerminationOnCorruption - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Games - - - - - - - - - - - - - - - - - - - - - AllowAdvancedGamingServices - - - - - - - - Specifies whether advanced gaming services can be used. These services may send data to Microsoft or publishers of games that use these services. - - - - - - - - - - - text/plain - - - - - - Handwriting - - - - - - - - - - - - - - - - - - - - - PanelDefaultModeDocked - - - - - - - - Specifies whether the handwriting panel comes up floating near the text box or attached to the bottom of the screen - - - - - - - - - - - text/plain - - - - - - InternetExplorer - - - - - - - - - - - - - - - - - - - - - AddSearchProvider - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowActiveXFiltering - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowAddOnList - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowCertificateAddressMismatchWarning - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowDeletingBrowsingHistoryOnExit - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowEnhancedProtectedMode - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowEnhancedSuggestionsInAddressBar - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowEnterpriseModeFromToolsMenu - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowEnterpriseModeSiteList - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowFallbackToSSL3 - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowInternetExplorer7PolicyList - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowInternetExplorerStandardsMode - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowInternetZoneTemplate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowIntranetZoneTemplate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowLocalMachineZoneTemplate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowLockedDownInternetZoneTemplate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowLockedDownIntranetZoneTemplate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowLockedDownLocalMachineZoneTemplate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowLockedDownRestrictedSitesZoneTemplate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowOneWordEntry - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowSiteToZoneAssignmentList - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowsLockedDownTrustedSitesZoneTemplate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowSoftwareWhenSignatureIsInvalid - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowsRestrictedSitesZoneTemplate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowSuggestedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowTrustedSitesZoneTemplate - - - - - - - - - - - - - - - - - - - text/plain - - - - - CheckServerCertificateRevocation - - - - - - - - - - - - - - - - - - - text/plain - - - - - CheckSignaturesOnDownloadedPrograms - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConsistentMimeHandlingInternetExplorerProcesses - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableAdobeFlash - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableBypassOfSmartScreenWarnings - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableBypassOfSmartScreenWarningsAboutUncommonFiles - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableCompatView - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableConfiguringHistory - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableCrashDetection - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableCustomerExperienceImprovementProgramParticipation - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableDeletingUserVisitedWebsites - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableEnclosureDownloading - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableEncryptionSupport - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableFeedsBackgroundSync - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableFirstRunWizard - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableFlipAheadFeature - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableGeolocation - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableIgnoringCertificateErrors - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableInPrivateBrowsing - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableProcessesInEnhancedProtectedMode - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableProxyChange - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableSearchProviderChange - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableSecondaryHomePageChange - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableSecuritySettingsCheck - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableUpdateCheck - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableWebAddressAutoComplete - - - - - - - - - - - - - - - - - - - text/plain - - - - - DoNotAllowActiveXControlsInProtectedMode - - - - - - - - - - - - - - - - - - - text/plain - - - - - DoNotAllowUsersToAddSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - DoNotAllowUsersToChangePolicies - - - - - - - - - - - - - - - - - - - text/plain - - - - - DoNotBlockOutdatedActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - DoNotBlockOutdatedActiveXControlsOnSpecificDomains - - - - - - - - - - - - - - - - - - - text/plain - - - - - IncludeAllLocalSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - IncludeAllNetworkPaths - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowCopyPasteViaScript - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowDragAndDropCopyAndPasteFiles - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowFontDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowLoadingOfXAMLFiles - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowScriptInitiatedWindows - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowScriptlets - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowUpdatesToStatusBarViaScript - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowVBScriptToRunInInternetExplorer - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneDoNotRunAntimalwareAgainstActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneDownloadSignedActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneDownloadUnsignedActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneEnableCrossSiteScriptingFilter - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneEnableMIMESniffing - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneEnableProtectedMode - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneIncludeLocalPathWhenUploadingFilesToServer - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneJavaPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneLaunchingApplicationsAndFilesInIFRAME - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneLogonOptions - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneUsePopupBlocker - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneAllowFontDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneAllowScriptlets - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneDoNotRunAntimalwareAgainstActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneJavaPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneAllowFontDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneAllowScriptlets - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneJavaPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneAllowFontDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneAllowScriptlets - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneJavaPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetJavaPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneAllowFontDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneAllowScriptlets - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneAllowFontDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneAllowScriptlets - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneJavaPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneAllowFontDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneAllowScriptlets - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneJavaPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneAllowFontDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneAllowScriptlets - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneJavaPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - - - text/plain - - - - - MimeSniffingSafetyFeatureInternetExplorerProcesses - - - - - - - - - - - - - - - - - - - text/plain - - - - - MKProtocolSecurityRestrictionInternetExplorerProcesses - - - - - - - - - - - - - - - - - - - text/plain - - - - - NewTabDefaultPage - - - - - - - - - - - - - - - - - - - text/plain - - - - - NotificationBarInternetExplorerProcesses - - - - - - - - - - - - - - - - - - - text/plain - - - - - PreventManagingSmartScreenFilter - - - - - - - - - - - - - - - - - - - text/plain - - - - - PreventPerUserInstallationOfActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - ProtectionFromZoneElevationInternetExplorerProcesses - - - - - - - - - - - - - - - - - - - text/plain - - - - - RemoveRunThisTimeButtonForOutdatedActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictActiveXInstallInternetExplorerProcesses - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowActiveScripting - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowBinaryAndScriptBehaviors - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowCopyPasteViaScript - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowFontDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowLoadingOfXAMLFiles - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowMETAREFRESH - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowScriptInitiatedWindows - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowScriptlets - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowUpdatesToStatusBarViaScript - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneDownloadSignedActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneDownloadUnsignedActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneEnableCrossSiteScriptingFilter - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneEnableMIMESniffing - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneJavaPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneLogonOptions - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneRunActiveXControlsAndPlugins - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneScriptingOfJavaApplets - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneTurnOnProtectedMode - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneUsePopupBlocker - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictFileDownloadInternetExplorerProcesses - - - - - - - - - - - - - - - - - - - text/plain - - - - - ScriptedWindowSecurityRestrictionsInternetExplorerProcesses - - - - - - - - - - - - - - - - - - - text/plain - - - - - SearchProviderList - - - - - - - - - - - - - - - - - - - text/plain - - - - - SecurityZonesUseOnlyMachineSettings - - - - - - - - - - - - - - - - - - - text/plain - - - - - SpecifyUseOfActiveXInstallerService - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneAllowFontDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneAllowScriptlets - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneJavaPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Kerberos - - - - - - - - - - - - - - - - - - - - - AllowForestSearchOrder - - - - - - - - - - - - - - - - - - - text/plain - - - - - KerberosClientSupportsClaimsCompoundArmor - - - - - - - - - - - - - - - - - - - text/plain - - - - - RequireKerberosArmoring - - - - - - - - - - - - - - - - - - - text/plain - - - - - RequireStrictKDCValidation - - - - - - - - - - - - - - - - - - - text/plain - - - - - SetMaximumContextTokenSize - - - - - - - - - - - - - - - - - - - text/plain - - - - - UPNNameHints - - - - - - - - Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This can cause failures when such a device needs to resolve an AAD UPN into an Active Directory Principal. - - This parameter adds a list of domains that an Azure Active Directory joined device should attempt to contact if it is otherwise unable to resolve a UPN to a principal. - - - - - - - - - - - text/plain - - - - - - KioskBrowser - - - - - - - - - - - - - - - - - - - - - BlockedUrlExceptions - - - - - - - - List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. - - - - - - - - - - - text/plain - - - - - BlockedUrls - - - - - - - - List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers can not navigate to. - - - - - - - - - - - text/plain - - - - - DefaultURL - - - - - - - - Configures the default URL kiosk browsers to navigate on launch and restart. - - - - - - - - - - - text/plain - - - - - EnableEndSessionButton - - - - - - - - Enable/disable kiosk browser's end session button. - - - - - - - - - - - text/plain - - - - - EnableHomeButton - - - - - - - - Enable/disable kiosk browser's home button. - - - - - - - - - - - text/plain - - - - - EnableNavigationButtons - - - - - - - - Enable/disable kiosk browser's navigation buttons (forward/back). - - - - - - - - - - - text/plain - - - - - RestartOnIdleTime - - - - - - - - Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state. - - - - - - - - - - - text/plain - - - - - - LanmanWorkstation - - - - - - - - - - - - - - - - - - - - - EnableInsecureGuestLogons - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Licensing - - - - - - - - - - - - - - - - - - - - - AllowWindowsEntitlementReactivation - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisallowKMSClientOnlineAVSValidation - - - - - - - - - - - - - - - - - - - text/plain - - - - - - LocalPoliciesSecurityOptions - - - - - - - - - - - - - - - - - - - - - Accounts_BlockMicrosoftAccounts - - - - - - - - This policy setting prevents users from adding new Microsoft accounts on this computer. - -If you select the "Users can’t add Microsoft accounts" option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise. - -If you select the "Users can’t add or log on with Microsoft accounts" option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator on this computer to log on and manage the system. - -If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows. - - - - - - - - - - - text/plain - - - - - Accounts_EnableAdministratorAccountStatus - - - - - - - - This security setting determines whether the local Administrator account is enabled or disabled. - -Notes - -If you try to reenable the Administrator account after it has been disabled, and if the current Administrator password does not meet the password requirements, you cannot reenable the account. In this case, an alternative member of the Administrators group must reset the password on the Administrator account. For information about how to reset a password, see To reset a password. -Disabling the Administrator account can become a maintenance issue under certain circumstances. - -Under Safe Mode boot, the disabled Administrator account will only be enabled if the machine is non-domain joined and there are no other local active administrator accounts. If the computer is domain joined the disabled administrator will not be enabled. - -Default: Disabled. - - - - - - - - - - - text/plain - - - - - Accounts_EnableGuestAccountStatus - - - - - - - - This security setting determines if the Guest account is enabled or disabled. - -Default: Disabled. - -Note: If the Guest account is disabled and the security option Network Access: Sharing and Security Model for local accounts is set to Guest Only, network logons, such as those performed by the Microsoft Network Server (SMB Service), will fail. - - - - - - - - - - - text/plain - - - - - Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly - - - - - - - - Accounts: Limit local account use of blank passwords to console logon only - -This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard. - -Default: Enabled. - - -Warning: - -Computers that are not in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the computer can log on by using a user account that does not have a password. This is especially important for portable computers. -If you apply this security policy to the Everyone group, no one will be able to log on through Remote Desktop Services. - -Notes - -This setting does not affect logons that use domain accounts. -It is possible for applications that use remote interactive logons to bypass this setting. - - - - - - - - - - - text/plain - - - - - Accounts_RenameAdministratorAccount - - - - - - - - Accounts: Rename administrator account - -This security setting determines whether a different account name is associated with the security identifier (SID) for the account Administrator. Renaming the well-known Administrator account makes it slightly more difficult for unauthorized persons to guess this privileged user name and password combination. - -Default: Administrator. - - - - - - - - - - - text/plain - - - - - Accounts_RenameGuestAccount - - - - - - - - Accounts: Rename guest account - -This security setting determines whether a different account name is associated with the security identifier (SID) for the account "Guest." Renaming the well-known Guest account makes it slightly more difficult for unauthorized persons to guess this user name and password combination. - -Default: Guest. - - - - - - - - - - - text/plain - - - - - Devices_AllowedToFormatAndEjectRemovableMedia - - - - - - - - Devices: Allowed to format and eject removable media - -This security setting determines who is allowed to format and eject removable NTFS media. This capability can be given to: - -Administrators -Administrators and Interactive Users - -Default: This policy is not defined and only Administrators have this ability. - - - - - - - - - - - text/plain - - - - - Devices_AllowUndockWithoutHavingToLogon - - - - - - - - Devices: Allow undock without having to log on -This security setting determines whether a portable computer can be undocked without having to log on. If this policy is enabled, logon is not required and an external hardware eject button can be used to undock the computer. If disabled, a user must log on and have the Remove computer from docking station privilege to undock the computer. -Default: Enabled. - -Caution -Disabling this policy may tempt users to try and physically remove the laptop from its docking station using methods other than the external hardware eject button. Since this may cause damage to the hardware, this setting, in general, should only be disabled on laptop configurations that are physically securable. - - - - - - - - - - - text/plain - - - - - Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters - - - - - - - - Devices: Prevent users from installing printer drivers when connecting to shared printers - -For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. If this setting is enabled, only Administrators can install a printer driver as part of connecting to a shared printer. If this setting is disabled, any user can install a printer driver as part of connecting to a shared printer. - -Default on servers: Enabled. -Default on workstations: Disabled - -Notes - -This setting does not affect the ability to add a local printer. -This setting does not affect Administrators. - - - - - - - - - - - text/plain - - - - - Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly - - - - - - - - Devices: Restrict CD-ROM access to locally logged-on user only - -This security setting determines whether a CD-ROM is accessible to both local and remote users simultaneously. - -If this policy is enabled, it allows only the interactively logged-on user to access removable CD-ROM media. If this policy is enabled and no one is logged on interactively, the CD-ROM can be accessed over the network. - -Default: This policy is not defined and CD-ROM access is not restricted to the locally logged-on user. - - - - - - - - - - - text/plain - - - - - InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked - - - - - - - - Interactive Logon:Display user information when the session is locked -User display name, domain and user names (1) -User display name only (2) -Do not display user information (3) -Domain and user names only (4) - - - - - - - - - - - text/plain - - - - - InteractiveLogon_DoNotDisplayLastSignedIn - - - - - - - - Interactive logon: Don't display last signed-in -This security setting determines whether the Windows sign-in screen will show the username of the last person who signed in on this PC. -If this policy is enabled, the username will not be shown. - -If this policy is disabled, the username will be shown. - -Default: Disabled. - - - - - - - - - - - text/plain - - - - - InteractiveLogon_DoNotDisplayUsernameAtSignIn - - - - - - - - Interactive logon: Don't display username at sign-in -This security setting determines whether the username of the person signing in to this PC appears at Windows sign-in, after credentials are entered, and before the PC desktop is shown. -If this policy is enabled, the username will not be shown. - -If this policy is disabled, the username will be shown. - -Default: Disabled. - - - - - - - - - - - text/plain - - - - - InteractiveLogon_DoNotRequireCTRLALTDEL - - - - - - - - Interactive logon: Do not require CTRL+ALT+DEL - -This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on. - -If this policy is enabled on a computer, a user is not required to press CTRL+ALT+DEL to log on. Not having to press CTRL+ALT+DEL leaves users susceptible to attacks that attempt to intercept the users' passwords. Requiring CTRL+ALT+DEL before users log on ensures that users are communicating by means of a trusted path when entering their passwords. - -If this policy is disabled, any user is required to press CTRL+ALT+DEL before logging on to Windows. - -Default on domain-computers: Enabled: At least Windows 8/Disabled: Windows 7 or earlier. -Default on stand-alone computers: Enabled. - - - - - - - - - - - text/plain - - - - - InteractiveLogon_MachineInactivityLimit - - - - - - - - Interactive logon: Machine inactivity limit. - -Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. - -Default: not enforced. - - - - - - - - - - - text/plain - - - - - InteractiveLogon_MessageTextForUsersAttemptingToLogOn - - - - - - - - Interactive logon: Message text for users attempting to log on - -This security setting specifies a text message that is displayed to users when they log on. - -This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited. - -Default: No message. - - - - - - - - - - - text/plain - - - - - InteractiveLogon_MessageTitleForUsersAttemptingToLogOn - - - - - - - - Interactive logon: Message title for users attempting to log on - -This security setting allows the specification of a title to appear in the title bar of the window that contains the Interactive logon: Message text for users attempting to log on. - -Default: No message. - - - - - - - - - - - text/plain - - - - - InteractiveLogon_SmartCardRemovalBehavior - - - - - - - - Interactive logon: Smart card removal behavior - -This security setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. - -The options are: - - No Action - Lock Workstation - Force Logoff - Disconnect if a Remote Desktop Services session - -If you click Lock Workstation in the Properties dialog box for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session. - -If you click Force Logoff in the Properties dialog box for this policy, the user is automatically logged off when the smart card is removed. - -If you click Disconnect if a Remote Desktop Services session, removal of the smart card disconnects the session without logging the user off. This allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to log on again. If the session is local, this policy functions identically to Lock Workstation. - -Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server. - -Default: This policy is not defined, which means that the system treats it as No action. - -On Windows Vista and above: For this setting to work, the Smart Card Removal Policy service must be started. - - - - - - - - - - - text/plain - - - - - MicrosoftNetworkClient_DigitallySignCommunicationsAlways - - - - - - - - Microsoft network client: Digitally sign communications (always) - -This security setting determines whether packet signing is required by the SMB client component. - -The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted. - -If this setting is enabled, the Microsoft network client will not communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server. - -Default: Disabled. - -Important - -For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, set Microsoft network client: Digitally sign communications (if server agrees). - -Notes - -All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later operating systems, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: -Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. -Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. -Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. -Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. -SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. -For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. - - - - - - - - - - - text/plain - - - - - MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees - - - - - - - - Microsoft network client: Digitally sign communications (if server agrees) - -This security setting determines whether the SMB client attempts to negotiate SMB packet signing. - -The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB client component attempts to negotiate SMB packet signing when it connects to an SMB server. - -If this setting is enabled, the Microsoft network client will ask the server to perform SMB packet signing upon session setup. If packet signing has been enabled on the server, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing. - -Default: Enabled. - -Notes - -All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: -Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. -Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. -Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. -Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. -If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. -SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. -For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. - - - - - - - - - - - text/plain - - - - - MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers - - - - - - - - Microsoft network client: Send unencrypted password to connect to third-party SMB servers - -If this security setting is enabled, the Server Message Block (SMB) redirector is allowed to send plaintext passwords to non-Microsoft SMB servers that do not support password encryption during authentication. - -Sending unencrypted passwords is a security risk. - -Default: Disabled. - - - - - - - - - - - text/plain - - - - - MicrosoftNetworkServer_DigitallySignCommunicationsAlways - - - - - - - - Microsoft network server: Digitally sign communications (always) - -This security setting determines whether packet signing is required by the SMB server component. - -The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB client is permitted. - -If this setting is enabled, the Microsoft network server will not communicate with a Microsoft network client unless that client agrees to perform SMB packet signing. If this setting is disabled, SMB packet signing is negotiated between the client and server. - -Default: - -Disabled for member servers. -Enabled for domain controllers. - -Notes - -All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: -Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. -Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. -Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. -Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. -Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. -If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled. -SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. - -Important - -For this policy to take effect on computers running Windows 2000, server-side packet signing must also be enabled. To enable server-side SMB packet signing, set the following policy: -Microsoft network server: Digitally sign communications (if server agrees) - -For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the Windows 2000 server: -HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature -For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. - - - - - - - - - - - text/plain - - - - - MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees - - - - - - - - Microsoft network server: Digitally sign communications (if client agrees) - -This security setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. - -The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB server will negotiate SMB packet signing when an SMB client requests it. - -If this setting is enabled, the Microsoft network server will negotiate SMB packet signing as requested by the client. That is, if packet signing has been enabled on the client, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing. - -Default: Enabled on domain controllers only. - -Important - -For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the server running Windows 2000: HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature - -Notes - -All Windows operating systems support both a client-side SMB component and a server-side SMB component. For Windows 2000 and above, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: -Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. -Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. -Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. -Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. -If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. -SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. -For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. - - - - - - - - - - - text/plain - - - - - NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts - - - - - - - - Network access: Do not allow anonymous enumeration of SAM accounts - -This security setting determines what additional permissions will be granted for anonymous connections to the computer. - -Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. - -This security option allows additional restrictions to be placed on anonymous connections as follows: - -Enabled: Do not allow enumeration of SAM accounts. This option replaces Everyone with Authenticated Users in the security permissions for resources. -Disabled: No additional restrictions. Rely on default permissions. - -Default on workstations: Enabled. -Default on server:Enabled. - -Important - -This policy has no impact on domain controllers. - - - - - - - - - - - text/plain - - - - - NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares - - - - - - - - Network access: Do not allow anonymous enumeration of SAM accounts and shares - -This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed. - -Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. If you do not want to allow anonymous enumeration of SAM accounts and shares, then enable this policy. - -Default: Disabled. - - - - - - - - - - - text/plain - - - - - NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares - - - - - - - - Network access: Restrict anonymous access to Named Pipes and Shares - -When enabled, this security setting restricts anonymous access to shares and pipes to the settings for: - -Network access: Named pipes that can be accessed anonymously -Network access: Shares that can be accessed anonymously -Default: Enabled. - - - - - - - - - - - text/plain - - - - - NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM - - - - - - - - Network access: Restrict clients allowed to make remote calls to SAM - -This policy setting allows you to restrict remote rpc connections to SAM. - -If not selected, the default security descriptor will be used. - -This policy is supported on at least Windows Server 2016. - - - - - - - - - - - text/plain - - - - - NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM - - - - - - - - Network security: Allow Local System to use computer identity for NTLM - -This policy setting allows Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication. - -If you enable this policy setting, services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error. - -If you disable this policy setting, services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. - -By default, this policy is enabled on Windows 7 and above. - -By default, this policy is disabled on Windows Vista. - -This policy is supported on at least Windows Vista or Windows Server 2008. - -Note: Windows Vista or Windows Server 2008 do not expose this setting in Group Policy. - - - - - - - - - - - text/plain - - - - - NetworkSecurity_AllowPKU2UAuthenticationRequests - - - - - - - - Network security: Allow PKU2U authentication requests to this computer to use online identities. - -This policy will be turned off by default on domain joined machines. This would prevent online identities from authenticating to the domain joined machine. - - - - - - - - - - - text/plain - - - - - NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange - - - - - - - - Network security: Do not store LAN Manager hash value on next password change - -This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database the passwords can be compromised if the security database is attacked. - - -Default on Windows Vista and above: Enabled -Default on Windows XP: Disabled. - -Important - -Windows 2000 Service Pack 2 (SP2) and above offer compatibility with authentication to previous versions of Windows, such as Microsoft Windows NT 4.0. -This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP, and the Windows Server 2003 family to communicate with computers running Windows 95 and Windows 98. - - - - - - - - - - - text/plain - - - - - NetworkSecurity_LANManagerAuthenticationLevel - - - - - - - - Network security LAN Manager authentication level - -This security setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows: - -Send LM and NTLM responses: Clients use LM and NTLM authentication and never use NTLMv2 session security; domain controllers accept LM, NTLM, and NTLMv2 authentication. - -Send LM and NTLM - use NTLMv2 session security if negotiated: Clients use LM and NTLM authentication and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. - -Send NTLM response only: Clients use NTLM authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. - -Send NTLMv2 response only: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. - -Send NTLMv2 response only\refuse LM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM (accept only NTLM and NTLMv2 authentication). - -Send NTLMv2 response only\refuse LM and NTLM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM and NTLM (accept only NTLMv2 authentication). - -Important - -This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, and the Windows Server 2003 family to communicate with computers running Windows NT 4.0 and earlier over the network. For example, at the time of this writing, computers running Windows NT 4.0 SP4 and earlier did not support NTLMv2. Computers running Windows 95 and Windows 98 did not support NTLM. - -Default: - -Windows 2000 and windows XP: send LM and NTLM responses - -Windows Server 2003: Send NTLM response only - -Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: Send NTLMv2 response only - - - - - - - - - - - text/plain - - - - - NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients - - - - - - - - Network security: Minimum session security for NTLM SSP based (including secure RPC) clients - -This security setting allows a client to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are: - -Require NTLMv2 session security: The connection will fail if NTLMv2 protocol is not negotiated. -Require 128-bit encryption: The connection will fail if strong encryption (128-bit) is not negotiated. - -Default: - -Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements. - -Windows 7 and Windows Server 2008 R2: Require 128-bit encryption - - - - - - - - - - - text/plain - - - - - NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers - - - - - - - - Network security: Minimum session security for NTLM SSP based (including secure RPC) servers - -This security setting allows a server to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are: - -Require NTLMv2 session security: The connection will fail if message integrity is not negotiated. -Require 128-bit encryption. The connection will fail if strong encryption (128-bit) is not negotiated. - -Default: - -Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements. - -Windows 7 and Windows Server 2008 R2: Require 128-bit encryption - - - - - - - - - - - text/plain - - - - - NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication - - - - - - - - Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication - -This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication if the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy setting is configured. - -If you configure this policy setting, you can define a list of remote servers to which clients are allowed to use NTLM authentication. - -If you do not configure this policy setting, no exceptions will be applied. - -The naming format for servers on this exception list is the fully qualified domain name (FQDN) or NetBIOS server name used by the application, listed one per line. To ensure exceptions the name used by all applications needs to be in the list, and to ensure an exception is accurate, the server name should be listed in both naming formats . A single asterisk (*) can be used anywhere in the string as a wildcard character. - - - - - - - - - - - text/plain - - - - - NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic - - - - - - - - Network security: Restrict NTLM: Audit Incoming NTLM Traffic - -This policy setting allows you to audit incoming NTLM traffic. - -If you select "Disable", or do not configure this policy setting, the server will not log events for incoming NTLM traffic. - -If you select "Enable auditing for domain accounts", the server will log events for NTLM pass-through authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all domain accounts" option. - -If you select "Enable auditing for all accounts", the server will log events for all NTLM authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all accounts" option. - -This policy is supported on at least Windows 7 or Windows Server 2008 R2. - -Note: Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. - - - - - - - - - - - text/plain - - - - - NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic - - - - - - - - Network security: Restrict NTLM: Incoming NTLM traffic - -This policy setting allows you to deny or allow incoming NTLM traffic. - -If you select "Allow all" or do not configure this policy setting, the server will allow all NTLM authentication requests. - -If you select "Deny all domain accounts," the server will deny NTLM authentication requests for domain logon and display an NTLM blocked error, but allow local account logon. - -If you select "Deny all accounts," the server will deny NTLM authentication requests from incoming traffic and display an NTLM blocked error. - -This policy is supported on at least Windows 7 or Windows Server 2008 R2. - -Note: Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. - - - - - - - - - - - text/plain - - - - - NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers - - - - - - - - Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers - -This policy setting allows you to deny or audit outgoing NTLM traffic from this Windows 7 or this Windows Server 2008 R2 computer to any Windows remote server. - -If you select "Allow all" or do not configure this policy setting, the client computer can authenticate identities to a remote server by using NTLM authentication. - -If you select "Audit all," the client computer logs an event for each NTLM authentication request to a remote server. This allows you to identify those servers receiving NTLM authentication requests from the client computer. - -If you select "Deny all," the client computer cannot authenticate identities to a remote server by using NTLM authentication. You can use the "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" policy setting to define a list of remote servers to which clients are allowed to use NTLM authentication. - -This policy is supported on at least Windows 7 or Windows Server 2008 R2. - -Note: Audit and block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. - - - - - - - - - - - text/plain - - - - - Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn - - - - - - - - Shutdown: Allow system to be shut down without having to log on - -This security setting determines whether a computer can be shut down without having to log on to Windows. - -When this policy is enabled, the Shut Down command is available on the Windows logon screen. - -When this policy is disabled, the option to shut down the computer does not appear on the Windows logon screen. In this case, users must be able to log on to the computer successfully and have the Shut down the system user right before they can perform a system shutdown. - -Default on workstations: Enabled. -Default on servers: Disabled. - - - - - - - - - - - text/plain - - - - - Shutdown_ClearVirtualMemoryPageFile - - - - - - - - Shutdown: Clear virtual memory pagefile - -This security setting determines whether the virtual memory pagefile is cleared when the system is shut down. - -Virtual memory support uses a system pagefile to swap pages of memory to disk when they are not used. On a running system, this pagefile is opened exclusively by the operating system, and it is well protected. However, systems that are configured to allow booting to other operating systems might have to make sure that the system pagefile is wiped clean when this system shuts down. This ensures that sensitive information from process memory that might go into the pagefile is not available to an unauthorized user who manages to directly access the pagefile. - -When this policy is enabled, it causes the system pagefile to be cleared upon clean shutdown. If you enable this security option, the hibernation file (hiberfil.sys) is also zeroed out when hibernation is disabled. - -Default: Disabled. - - - - - - - - - - - text/plain - - - - - UserAccountControl_AllowUIAccessApplicationsToPromptForElevation - - - - - - - - User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop. - -This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. - -• Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. - -• Disabled: (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting. - - - - - - - - - - - text/plain - - - - - UserAccountControl_BehaviorOfTheElevationPromptForAdministrators - - - - - - - - User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode - -This policy setting controls the behavior of the elevation prompt for administrators. - -The options are: - -• Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constrained environments. - -• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. - -• Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. - -• Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. - -• Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. - -• Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. - - - - - - - - - - - text/plain - - - - - UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers - - - - - - - - User Account Control: Behavior of the elevation prompt for standard users -This policy setting controls the behavior of the elevation prompt for standard users. - -The options are: - -• Prompt for credentials: (Default) When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. - -• Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls. - -• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. - - - - - - - - - - - text/plain - - - - - UserAccountControl_DetectApplicationInstallationsAndPromptForElevation - - - - - - - - User Account Control: Detect application installations and prompt for elevation - -This policy setting controls the behavior of application installation detection for the computer. - -The options are: - -Enabled: (Default) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. - -Disabled: Application installation packages are not detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies such as Group Policy Software Installation or Systems Management Server (SMS) should disable this policy setting. In this case, installer detection is unnecessary. - - - - - - - - - - - text/plain - - - - - UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated - - - - - - - - User Account Control: Only elevate executable files that are signed and validated - -This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers. - -The options are: - -• Enabled: Enforces the PKI certification path validation for a given executable file before it is permitted to run. - -• Disabled: (Default) Does not enforce PKI certification path validation before a given executable file is permitted to run. - - - - - - - - - - - text/plain - - - - - UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations - - - - - - - - User Account Control: Only elevate UIAccess applications that are installed in secure locations - -This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: - -- …\Program Files\, including subfolders -- …\Windows\system32\ -- …\Program Files (x86)\, including subfolders for 64-bit versions of Windows - -Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. - -The options are: - -• Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity. - -• Disabled: An application runs with UIAccess integrity even if it does not reside in a secure location in the file system. - - - - - - - - - - - text/plain - - - - - UserAccountControl_RunAllAdministratorsInAdminApprovalMode - - - - - - - - User Account Control: Turn on Admin Approval Mode - -This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. - -The options are: - -• Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. - -• Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. - - - - - - - - - - - text/plain - - - - - UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation - - - - - - - - User Account Control: Switch to the secure desktop when prompting for elevation - -This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. - -The options are: - -• Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users. - -• Disabled: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used. - - - - - - - - - - - text/plain - - - - - UserAccountControl_UseAdminApprovalMode - - - - - - - - User Account Control: Use Admin Approval Mode for the built-in Administrator account - -This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. - -The options are: - -• Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation. - -• Disabled: (Default) The built-in Administrator account runs all applications with full administrative privilege. - - - - - - - - - - - text/plain - - - - - UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations - - - - - - - - User Account Control: Virtualize file and registry write failures to per-user locations - -This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software. - -The options are: - -• Enabled: (Default) Application write failures are redirected at run time to defined user locations for both the file system and registry. - -• Disabled: Applications that write data to protected locations fail. - - - - - - - - - - - text/plain - - - - - - LocalUsersAndGroups - - - - - - - - - - - - - - - - - - - - - Configure - - - - - - - - This Setting allows an administrator to manage local groups on a Device. - Possible settings: - 1. Update Group Membership: Update a group and add and/or remove members though the 'U' action. - When using Update, existing group members that are not specified in the policy remain untouched. - 2. Replace Group Membership: Restrict a group by replacing group membership through the 'R' action. - When using Replace, existing group membership is replaced by the list of members specified in - the add member section. This option works in the same way as a Restricted Group and any group - members that are not specified in the policy are removed. - Caution: If the same group is configured with both Replace and Update, then Replace will win. - - - - - - - - - - - text/plain - - - - - - LockDown - - - - - - - - - - - - - - - - - - - - - AllowEdgeSwipe - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Maps - - - - - - - - - - - - - - - - - - - - - AllowOfflineMapsDownloadOverMeteredConnection - - - - - - - - - - - - - - - - - - - text/plain - - - - - EnableOfflineMapsAutoUpdate - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Messaging - - - - - - - - - - - - - - - - - - - - - AllowMessageSync - - - - - - - - This policy setting allows backup and restore of cellular text messages to Microsoft's cloud services. - - - - - - - - - - - text/plain - - - - - AllowMMS - - - - - - - - This policy setting allows you to enable or disable the sending and receiving cellular MMS messages. - - - - - - - - - - - text/plain - - - - - AllowRCS - - - - - - - - This policy setting allows you to enable or disable the sending and receiving of cellular RCS (Rich Communication Services) messages. - - - - - - - - - - - text/plain - - - - - - MixedReality - - - - - - - - - - - - - - - - - - - - - AADGroupMembershipCacheValidityInDays - - - - - - - - - - - - - - - - - - - text/plain - - - - - BrightnessButtonDisabled - - - - - - - - - - - - - - - - - - - text/plain - - - - - FallbackDiagnostics - - - - - - - - - - - - - - - - - - - text/plain - - - - - MicrophoneDisabled - - - - - - - - - - - - - - - - - - - text/plain - - - - - VolumeButtonDisabled - - - - - - - - - - - - - - - - - - - text/plain - - - - - - MSSecurityGuide - - - - - - - - - - - - - - - - - - - - - ApplyUACRestrictionsToLocalAccountsOnNetworkLogon - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConfigureSMBV1ClientDriver - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConfigureSMBV1Server - - - - - - - - - - - - - - - - - - - text/plain - - - - - EnableStructuredExceptionHandlingOverwriteProtection - - - - - - - - - - - - - - - - - - - text/plain - - - - - TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications - - - - - - - - - - - - - - - - - - - text/plain - - - - - WDigestAuthentication - - - - - - - - - - - - - - - - - - - text/plain - - - - - - MSSLegacy - - - - - - - - - - - - - - - - - - - - - AllowICMPRedirectsToOverrideOSPFGeneratedRoutes - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers - - - - - - - - - - - - - - - - - - - text/plain - - - - - IPSourceRoutingProtectionLevel - - - - - - - - - - - - - - - - - - - text/plain - - - - - IPv6SourceRoutingProtectionLevel - - - - - - - - - - - - - - - - - - - text/plain - - - - - - NetworkIsolation - - - - - - - - - - - - - - - - - - - - - EnterpriseCloudResources - - - - - - - - - - - - - - - - - - - text/plain - - - - - EnterpriseInternalProxyServers - - - - - - - - - - - - - - - - - - - text/plain - - - - - EnterpriseIPRange - - - - - - - - - - - - - - - - - - - text/plain - - - - - EnterpriseIPRangesAreAuthoritative - - - - - - - - - - - - - - - - - - - text/plain - - - - - EnterpriseNetworkDomainNames - - - - - - - - - - - - - - - - - - - text/plain - - - - - EnterpriseProxyServers - - - - - - - - - - - - - - - - - - - text/plain - - - - - EnterpriseProxyServersAreAuthoritative - - - - - - - - - - - - - - - - - - - text/plain - - - - - NeutralResources - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Notifications - - - - - - - - - - - - - - - - - - - - - DisallowCloudNotification - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Power - - - - - - - - - - - - - - - - - - - - - AllowStandbyStatesWhenSleepingOnBattery - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowStandbyWhenSleepingPluggedIn - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisplayOffTimeoutOnBattery - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisplayOffTimeoutPluggedIn - - - - - - - - - - - - - - - - - - - text/plain - - - - - EnergySaverBatteryThresholdOnBattery - - - - - - - - This policy setting allows you to specify battery charge level at which Energy Saver is turned on. - -If you enable this policy setting, you must provide a percent value, indicating the battery charge level. Energy Saver will be automatically turned on at (and below) the specified level. - -If you disable or do not configure this policy setting, users control this setting. - - - - - - - - - - - text/plain - - - - - EnergySaverBatteryThresholdPluggedIn - - - - - - - - This policy setting allows you to specify battery charge level at which Energy Saver is turned on. - -If you enable this policy setting, you must provide a percent value, indicating the battery charge level. Energy Saver will be automatically turned on at (and below) the specified level. - -If you disable or do not configure this policy setting, users control this setting. - - - - - - - - - - - text/plain - - - - - HibernateTimeoutOnBattery - - - - - - - - - - - - - - - - - - - text/plain - - - - - HibernateTimeoutPluggedIn - - - - - - - - - - - - - - - - - - - text/plain - - - - - RequirePasswordWhenComputerWakesOnBattery - - - - - - - - - - - - - - - - - - - text/plain - - - - - RequirePasswordWhenComputerWakesPluggedIn - - - - - - - - - - - - - - - - - - - text/plain - - - - - SelectLidCloseActionOnBattery - - - - - - - - This policy setting specifies the action that Windows takes when a user closes the lid on a mobile PC. - -Possible actions include: -0 - Take no action -1 - Sleep -2 - Hibernate -3 - Shut down - -If you enable this policy setting, you must select the desired action. - -If you disable this policy setting or do not configure it, users can see and change this setting. - - - - - - - - - - - text/plain - - - - - SelectLidCloseActionPluggedIn - - - - - - - - This policy setting specifies the action that Windows takes when a user closes the lid on a mobile PC. - -Possible actions include: -0 - Take no action -1 - Sleep -2 - Hibernate -3 - Shut down - -If you enable this policy setting, you must select the desired action. - -If you disable this policy setting or do not configure it, users can see and change this setting. - - - - - - - - - - - text/plain - - - - - SelectPowerButtonActionOnBattery - - - - - - - - This policy setting specifies the action that Windows takes when a user presses the power button. - -Possible actions include: -0 - Take no action -1 - Sleep -2 - Hibernate -3 - Shut down - -If you enable this policy setting, you must select the desired action. - -If you disable this policy setting or do not configure it, users can see and change this setting. - - - - - - - - - - - text/plain - - - - - SelectPowerButtonActionPluggedIn - - - - - - - - This policy setting specifies the action that Windows takes when a user presses the power button. - -Possible actions include: -0 - Take no action -1 - Sleep -2 - Hibernate -3 - Shut down - -If you enable this policy setting, you must select the desired action. - -If you disable this policy setting or do not configure it, users can see and change this setting. - - - - - - - - - - - text/plain - - - - - SelectSleepButtonActionOnBattery - - - - - - - - This policy setting specifies the action that Windows takes when a user presses the sleep button. - -Possible actions include: -0 - Take no action -1 - Sleep -2 - Hibernate -3 - Shut down - -If you enable this policy setting, you must select the desired action. - -If you disable this policy setting or do not configure it, users can see and change this setting. - - - - - - - - - - - text/plain - - - - - SelectSleepButtonActionPluggedIn - - - - - - - - This policy setting specifies the action that Windows takes when a user presses the sleep button. - -Possible actions include: -0 - Take no action -1 - Sleep -2 - Hibernate -3 - Shut down - -If you enable this policy setting, you must select the desired action. - -If you disable this policy setting or do not configure it, users can see and change this setting. - - - - - - - - - - - text/plain - - - - - StandbyTimeoutOnBattery - - - - - - - - - - - - - - - - - - - text/plain - - - - - StandbyTimeoutPluggedIn - - - - - - - - - - - - - - - - - - - text/plain - - - - - TurnOffHybridSleepOnBattery - - - - - - - - This policy setting allows you to turn off hybrid sleep. - -If you set this to 0, a hiberfile is not generated when the system transitions to sleep (Stand By). - -If you do not configure this policy setting, users control this setting. - - - - - - - - - - - text/plain - - - - - TurnOffHybridSleepPluggedIn - - - - - - - - This policy setting allows you to turn off hybrid sleep. - -If you set this to 0, a hiberfile is not generated when the system transitions to sleep (Stand By). - -If you do not configure this policy setting, users control this setting. - - - - - - - - - - - text/plain - - - - - UnattendedSleepTimeoutOnBattery - - - - - - - - This policy setting allows you to specify the period of inactivity before Windows transitions to sleep automatically when a user is not present at the computer. - -If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows automatically transitions to sleep when left unattended. If you specify 0 seconds, Windows does not automatically transition to sleep. - -If you disable or do not configure this policy setting, users control this setting. - -If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. - - - - - - - - - - - text/plain - - - - - UnattendedSleepTimeoutPluggedIn - - - - - - - - This policy setting allows you to specify the period of inactivity before Windows transitions to sleep automatically when a user is not present at the computer. - -If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows automatically transitions to sleep when left unattended. If you specify 0 seconds, Windows does not automatically transition to sleep. - -If you disable or do not configure this policy setting, users control this setting. - -If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. - - - - - - - - - - - text/plain - - - - - - Printers - - - - - - - - - - - - - - - - - - - - - PointAndPrintRestrictions - - - - - - - - - - - - - - - - - - - text/plain - - - - - PublishPrinters - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Privacy - - - - - - - - - - - - - - - - - - - - - AllowAutoAcceptPairingAndPrivacyConsentPrompts - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowCrossDeviceClipboard - - - - - - - - Allows syncing of Clipboard across devices under the same Microsoft account. - - - - - - - - - - - text/plain - - - - - AllowInputPersonalization - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableAdvertisingId - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisablePrivacyExperience - - - - - - - - Enabling this policy prevents the privacy experience from launching during user logon for new and upgraded users. - - - - - - - - - - - text/plain - - - - - EnableActivityFeed - - - - - - - - Enables ActivityFeed, which is responsible for mirroring different activity types (as applicable) across device graph of the user. - - - - - - - - - - - text/plain - - - - - LetAppsAccessAccountInfo - - - - - - - - This policy setting specifies whether Windows apps can access account information. - - - - - - - - - - - text/plain - - - - - LetAppsAccessAccountInfo_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessAccountInfo_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessAccountInfo_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the account information privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessBackgroundSpatialPerception - - - - - - - - This policy setting specifies whether Windows apps can access the movement of the user's head, hands, motion controllers, and other tracked objects, while the apps are running in the background. - - - - - - - - - - - text/plain - - - - - LetAppsAccessBackgroundSpatialPerception_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the user's movements while the apps are running in the background. This setting overrides the default LetAppsAccessBackgroundSpatialPerception policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessBackgroundSpatialPerception_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the user's movements while the apps are running in the background. This setting overrides the default LetAppsAccessBackgroundSpatialPerception policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessBackgroundSpatialPerception_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the user movements privacy setting for the listed apps. This setting overrides the default LetAppsAccessBackgroundSpatialPerception policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessCalendar - - - - - - - - This policy setting specifies whether Windows apps can access the calendar. - - - - - - - - - - - text/plain - - - - - LetAppsAccessCalendar_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessCalendar_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessCalendar_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the calendar privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessCallHistory - - - - - - - - This policy setting specifies whether Windows apps can access call history. - - - - - - - - - - - text/plain - - - - - LetAppsAccessCallHistory_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessCallHistory_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessCallHistory_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the call history privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessCamera - - - - - - - - This policy setting specifies whether Windows apps can access the camera. - - - - - - - - - - - text/plain - - - - - LetAppsAccessCamera_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessCamera_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessCamera_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessContacts - - - - - - - - This policy setting specifies whether Windows apps can access contacts. - - - - - - - - - - - text/plain - - - - - LetAppsAccessContacts_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessContacts_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessContacts_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessEmail - - - - - - - - This policy setting specifies whether Windows apps can access email. - - - - - - - - - - - text/plain - - - - - LetAppsAccessEmail_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessEmail_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessEmail_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessGazeInput - - - - - - - - This policy setting specifies whether Windows apps can access the eye tracker. - - - - - - - - - - - text/plain - - - - - LetAppsAccessGazeInput_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the eye tracker. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessGazeInput_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the eye tracker. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessGazeInput_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the eye tracker privacy setting for the listed apps. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessLocation - - - - - - - - This policy setting specifies whether Windows apps can access location. - - - - - - - - - - - text/plain - - - - - LetAppsAccessLocation_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessLocation_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessLocation_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessMessaging - - - - - - - - This policy setting specifies whether Windows apps can read or send messages (text or MMS). - - - - - - - - - - - text/plain - - - - - LetAppsAccessMessaging_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessMessaging_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessMessaging_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessMicrophone - - - - - - - - This policy setting specifies whether Windows apps can access the microphone. - - - - - - - - - - - text/plain - - - - - LetAppsAccessMicrophone_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessMicrophone_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessMicrophone_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessMotion - - - - - - - - This policy setting specifies whether Windows apps can access motion data. - - - - - - - - - - - text/plain - - - - - LetAppsAccessMotion_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessMotion_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessMotion_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessNotifications - - - - - - - - This policy setting specifies whether Windows apps can access notifications. - - - - - - - - - - - text/plain - - - - - LetAppsAccessNotifications_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessNotifications_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessNotifications_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessPhone - - - - - - - - This policy setting specifies whether Windows apps can make phone calls - - - - - - - - - - - text/plain - - - - - LetAppsAccessPhone_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessPhone_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessPhone_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessRadios - - - - - - - - This policy setting specifies whether Windows apps have access to control radios. - - - - - - - - - - - text/plain - - - - - LetAppsAccessRadios_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessRadios_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessRadios_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessTasks - - - - - - - - This policy setting specifies whether Windows apps can access tasks. - - - - - - - - - - - text/plain - - - - - LetAppsAccessTasks_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessTasks_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessTasks_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessTrustedDevices - - - - - - - - This policy setting specifies whether Windows apps can access trusted devices. - - - - - - - - - - - text/plain - - - - - LetAppsAccessTrustedDevices_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessTrustedDevices_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessTrustedDevices_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsActivateWithVoice - - - - - - - - This policy setting specifies whether Windows apps can be activated by voice. - - - - - - - - - - - text/plain - - - - - LetAppsActivateWithVoiceAboveLock - - - - - - - - This policy setting specifies whether Windows apps can be activated by voice while the system is locked. - - - - - - - - - - - text/plain - - - - - LetAppsGetDiagnosticInfo - - - - - - - - This policy setting specifies whether Windows apps can get diagnostic information about other apps, including user names. - - - - - - - - - - - text/plain - - - - - LetAppsGetDiagnosticInfo_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed to get diagnostic information about other apps, including user names. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - - - - LetAppsGetDiagnosticInfo_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are not allowed to get diagnostic information about other apps, including user names. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - - - - LetAppsGetDiagnosticInfo_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the app diagnostics privacy setting for the listed Windows apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - - - - LetAppsRunInBackground - - - - - - - - This policy setting specifies whether Windows apps can run in the background. - - - - - - - - - - - text/plain - - - - - LetAppsRunInBackground_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - - - - LetAppsRunInBackground_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are not allowed to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - - - - LetAppsRunInBackground_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the background apps privacy setting for the listed Windows apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - - - - LetAppsSyncWithDevices - - - - - - - - This policy setting specifies whether Windows apps can communicate with unpaired wireless devices. - - - - - - - - - - - text/plain - - - - - LetAppsSyncWithDevices_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsSyncWithDevices_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsSyncWithDevices_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'Communicate with unpaired wireless devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - PublishUserActivities - - - - - - - - Allows apps/system to publish 'User Activities' into ActivityFeed. - - - - - - - - - - - text/plain - - - - - UploadUserActivities - - - - - - - - Allows ActivityFeed to upload published 'User Activities'. - - - - - - - - - - - text/plain - - - - - - RemoteAssistance - - - - - - - - - - - - - - - - - - - - - CustomizeWarningMessages - - - - - - - - - - - - - - - - - - - text/plain - - - - - SessionLogging - - - - - - - - - - - - - - - - - - - text/plain - - - - - SolicitedRemoteAssistance - - - - - - - - - - - - - - - - - - - text/plain - - - - - UnsolicitedRemoteAssistance - - - - - - - - - - - - - - - - - - - text/plain - - - - - - RemoteDesktopServices - - - - - - - - - - - - - - - - - - - - - AllowUsersToConnectRemotely - - - - - - - - - - - - - - - - - - - text/plain - - - - - ClientConnectionEncryptionLevel - - - - - - - - - - - - - - - - - - - text/plain - - - - - DoNotAllowDriveRedirection - - - - - - - - - - - - - - - - - - - text/plain - - - - - DoNotAllowPasswordSaving - - - - - - - - - - - - - - - - - - - text/plain - - - - - PromptForPasswordUponConnection - - - - - - - - - - - - - - - - - - - text/plain - - - - - RequireSecureRPCCommunication - - - - - - - - - - - - - - - - - - - text/plain - - - - - - RemoteManagement - - - - - - - - - - - - - - - - - - - - - AllowBasicAuthentication_Client - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowBasicAuthentication_Service - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowCredSSPAuthenticationClient - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowCredSSPAuthenticationService - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowRemoteServerManagement - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowUnencryptedTraffic_Client - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowUnencryptedTraffic_Service - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisallowDigestAuthentication - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisallowNegotiateAuthenticationClient - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisallowNegotiateAuthenticationService - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisallowStoringOfRunAsCredentials - - - - - - - - - - - - - - - - - - - text/plain - - - - - SpecifyChannelBindingTokenHardeningLevel - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedHosts - - - - - - - - - - - - - - - - - - - text/plain - - - - - TurnOnCompatibilityHTTPListener - - - - - - - - - - - - - - - - - - - text/plain - - - - - TurnOnCompatibilityHTTPSListener - - - - - - - - - - - - - - - - - - - text/plain - - - - - - RemoteProcedureCall - - - - - - - - - - - - - - - - - - - - - RestrictUnauthenticatedRPCClients - - - - - - - - - - - - - - - - - - - text/plain - - - - - RPCEndpointMapperClientAuthentication - - - - - - - - - - - - - - - - - - - text/plain - - - - - - RemoteShell - - - - - - - - - - - - - - - - - - - - - AllowRemoteShellAccess - - - - - - - - - - - - - - - - - - - text/plain - - - - - MaxConcurrentUsers - - - - - - - - - - - - - - - - - - - text/plain - - - - - SpecifyIdleTimeout - - - - - - - - - - - - - - - - - - - text/plain - - - - - SpecifyMaxMemory - - - - - - - - - - - - - - - - - - - text/plain - - - - - SpecifyMaxProcesses - - - - - - - - - - - - - - - - - - - text/plain - - - - - SpecifyMaxRemoteShells - - - - - - - - - - - - - - - - - - - text/plain - - - - - SpecifyShellTimeout - - - - - - - - - - - - - - - - - - - text/plain - - - - - - RestrictedGroups - - - - - - - - - - - - - - - - - - - - - ConfigureGroupMembership - - - - - - - - This security setting allows an administrator to define the members of a security-sensitive (restricted) group. When a Restricted Groups Policy is enforced, any current member of a restricted group that is not on the Members list is removed. Any user on the Members list who is not currently a member of the restricted group is added. You can use Restricted Groups policy to control group membership. Using the policy, you can specify what members are part of a group. Any members that are not specified in the policy are removed during configuration or refresh. For example, you can create a Restricted Groups policy to only allow specified users (for example, Alice and John) to be members of the Administrators group. When policy is refreshed, only Alice and John will remain as members of the Administrators group. -Caution: If a Restricted Groups policy is applied, any current member not on the Restricted Groups policy members list is removed. This can include default members, such as administrators. Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers. An empty Members list means that the restricted group has no members. - - - - - - - - - - - text/plain - - - - - - Search - - - - - - - - - - - - - - - - - - - - - AllowCloudSearch - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowCortanaInAAD - - - - - - - - This features allows you to show the cortana opt-in page during Windows Setup - - - - - - - - - - - text/plain - - - - - AllowFindMyFiles - - - - - - - - This feature allows you to disable find my files completely on the machine - - - - - - - - - - - text/plain - - - - - AllowIndexingEncryptedStoresOrItems - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowSearchToUseLocation - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowStoringImagesFromVisionSearch - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowUsingDiacritics - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowWindowsIndexer - - - - - - - - - - - - - - - - - - - text/plain - - - - - AlwaysUseAutoLangDetection - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableBackoff - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableRemovableDriveIndexing - - - - - - - - - - - - - - - - - - - text/plain - - - - - DoNotUseWebResults - - - - - - - - - - - - - - - - - - - text/plain - - - - - PreventIndexingLowDiskSpaceMB - - - - - - - - - - - - - - - - - - - text/plain - - - - - PreventRemoteQueries - - - - - - - - - - - - - - - - - - - text/plain - - - - - SafeSearchPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Security - - - - - - - - - - - - - - - - - - - - - AllowAddProvisioningPackage - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowManualRootCertificateInstallation - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowRemoveProvisioningPackage - - - - - - - - - - - - - - - - - - - text/plain - - - - - AntiTheftMode - - - - - - - - - - - - - - - - - - - text/plain - - - - - ClearTPMIfNotReady - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConfigureWindowsPasswords - - - - - - - - Configures the use of passwords for Windows features - - - - - - - - - - - text/plain - - - - - PreventAutomaticDeviceEncryptionForAzureADJoinedDevices - - - - - - - - - - - - - - - - - - - text/plain - - - - - RecoveryEnvironmentAuthentication - - - - - - - - This policy controls the requirement of Admin Authentication in RecoveryEnvironment. - - - - - - - - - - - text/plain - - - - - RequireDeviceEncryption - - - - - - - - - - - - - - - - - - - text/plain - - - - - RequireProvisioningPackageSignature - - - - - - - - - - - - - - - - - - - text/plain - - - - - RequireRetrieveHealthCertificateOnBoot - - - - - - - - - - - - - - - - - - - text/plain - - - - - - ServiceControlManager - - - - - - - - - - - - - - - - - - - - - SvchostProcessMitigation - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Settings - - - - - - - - - - - - - - - - - - - - - AllowAutoPlay - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowDataSense - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowDateTime - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowEditDeviceName - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowLanguage - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowOnlineTips - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowPowerSleep - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowRegion - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowSignInOptions - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowVPN - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowWorkplace - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowYourAccount - - - - - - - - - - - - - - - - - - - text/plain - - - - - PageVisibilityList - - - - - - - - - - - - - - - - - - - text/plain - - - - - - SmartScreen - - - - - - - - - - - - - - - - - - - - - EnableAppInstallControl - - - - - - - - - - - - - - - - - - - text/plain - - - - - EnableSmartScreenInShell - - - - - - - - - - - - - - - - - - - text/plain - - - - - PreventOverrideForFilesInShell - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Speech - - - - - - - - - - - - - - - - - - - - - AllowSpeechModelUpdate - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Start - - - - - - - - - - - - - - - - - - - - - AllowPinnedFolderDocuments - - - - - - - - This policy controls the visibility of the Documents shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. - - - - - - - - - - - text/plain - - - - - AllowPinnedFolderDownloads - - - - - - - - This policy controls the visibility of the Downloads shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. - - - - - - - - - - - text/plain - - - - - AllowPinnedFolderFileExplorer - - - - - - - - This policy controls the visibility of the File Explorer shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. - - - - - - - - - - - text/plain - - - - - AllowPinnedFolderHomeGroup - - - - - - - - This policy controls the visibility of the HomeGroup shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. - - - - - - - - - - - text/plain - - - - - AllowPinnedFolderMusic - - - - - - - - This policy controls the visibility of the Music shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. - - - - - - - - - - - text/plain - - - - - AllowPinnedFolderNetwork - - - - - - - - This policy controls the visibility of the Network shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. - - - - - - - - - - - text/plain - - - - - AllowPinnedFolderPersonalFolder - - - - - - - - This policy controls the visibility of the PersonalFolder shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. - - - - - - - - - - - text/plain - - - - - AllowPinnedFolderPictures - - - - - - - - This policy controls the visibility of the Pictures shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. - - - - - - - - - - - text/plain - - - - - AllowPinnedFolderSettings - - - - - - - - This policy controls the visibility of the Settings shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. - - - - - - - - - - - text/plain - - - - - AllowPinnedFolderVideos - - - - - - - - This policy controls the visibility of the Videos shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. - - - - - - - - - - - text/plain - - - - - DisableContextMenus - - - - - - - - Enabling this policy prevents context menus from being invoked in the Start Menu. - - - - - - - - - - - text/plain - - - - - ForceStartSize - - - - - - - - - - - - - - - - - - - text/plain - - - - - HideAppList - - - - - - - - Setting the value of this policy to 1 or 2 collapses the app list. Setting the value of this policy to 3 removes the app list entirely. Setting the value of this policy to 2 or 3 disables the corresponding toggle in the Settings app. - - - - - - - - - - - text/plain - - - - - HideChangeAccountSettings - - - - - - - - Enabling this policy hides "Change account settings" from appearing in the user tile in the start menu. - - - - - - - - - - - text/plain - - - - - HideFrequentlyUsedApps - - - - - - - - Enabling this policy hides the most used apps from appearing on the start menu and disables the corresponding toggle in the Settings app. - - - - - - - - - - - text/plain - - - - - HideHibernate - - - - - - - - Enabling this policy hides "Hibernate" from appearing in the power button in the start menu. - - - - - - - - - - - text/plain - - - - - HideLock - - - - - - - - Enabling this policy hides "Lock" from appearing in the user tile in the start menu. - - - - - - - - - - - text/plain - - - - - HidePowerButton - - - - - - - - Enabling this policy hides the power button from appearing in the start menu. - - - - - - - - - - - text/plain - - - - - HideRecentJumplists - - - - - - - - Enabling this policy hides recent jumplists from appearing on the start menu/taskbar and disables the corresponding toggle in the Settings app. - - - - - - - - - - - text/plain - - - - - HideRecentlyAddedApps - - - - - - - - Enabling this policy hides recently added apps from appearing on the start menu and disables the corresponding toggle in the Settings app. - - - - - - - - - - - text/plain - - - - - HideRestart - - - - - - - - Enabling this policy hides "Restart/Update and restart" from appearing in the power button in the start menu. - - - - - - - - - - - text/plain - - - - - HideShutDown - - - - - - - - Enabling this policy hides "Shut down/Update and shut down" from appearing in the power button in the start menu. - - - - - - - - - - - text/plain - - - - - HideSignOut - - - - - - - - Enabling this policy hides "Sign out" from appearing in the user tile in the start menu. - - - - - - - - - - - text/plain - - - - - HideSleep - - - - - - - - Enabling this policy hides "Sleep" from appearing in the power button in the start menu. - - - - - - - - - - - text/plain - - - - - HideSwitchAccount - - - - - - - - Enabling this policy hides "Switch account" from appearing in the user tile in the start menu. - - - - - - - - - - - text/plain - - - - - HideUserTile - - - - - - - - Enabling this policy hides the user tile from appearing in the start menu. - - - - - - - - - - - text/plain - - - - - ImportEdgeAssets - - - - - - - - This policy setting allows you to import Edge assets to be used with StartLayout policy. Start layout can contain secondary tile from Edge app which looks for Edge local asset file. Edge local asset would not exist and cause Edge secondary tile to appear empty in this case. This policy only gets applied when StartLayout policy is modified. - - - - - - - - - - - text/plain - - - - - NoPinningToTaskbar - - - - - - - - This policy setting allows you to control pinning programs to the Taskbar. If you enable this policy setting, users cannot change the programs currently pinned to the Taskbar. If any programs are already pinned to the Taskbar, these programs continue to show in the Taskbar. However, users cannot unpin these programs already pinned to the Taskbar, and they cannot pin new programs to the Taskbar. If you disable or do not configure this policy setting, users can change the programs currently pinned to the Taskbar. - - - - - - - - - - - text/plain - - - - - StartLayout - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Storage - - - - - - - - - - - - - - - - - - - - - AllowDiskHealthModelUpdates - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowStorageSenseGlobal - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowStorageSenseTemporaryFilesCleanup - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConfigStorageSenseCloudContentDehydrationThreshold - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConfigStorageSenseDownloadsCleanupThreshold - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConfigStorageSenseGlobalCadence - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConfigStorageSenseRecycleBinCleanupThreshold - - - - - - - - - - - - - - - - - - - text/plain - - - - - EnhancedStorageDevices - - - - - - - - - - - - - - - - - - - text/plain - - - - - RemovableDiskDenyWriteAccess - - - - - - - - If you enable this policy setting, write access is denied to this removable storage class. If you disable or do not configure this policy setting, write access is allowed to this removable storage class. Note: To require that users write data to BitLocker-protected storage, enable the policy setting "Deny write access to drives not protected by BitLocker," which is located in "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives." - - - - - - - - - - - text/plain - - - - - - System - - - - - - - - - - - - - - - - - - - - - AllowBuildPreview - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowCommercialDataPipeline - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowDeviceNameInDiagnosticData - - - - - - - - This policy allows the device name to be sent to Microsoft as part of Windows diagnostic data. If you disable or do not configure this policy setting, then device name will not be sent to Microsoft as part of Windows diagnostic data. - - - - - - - - - - - text/plain - - - - - AllowEmbeddedMode - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowExperimentation - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowFontProviders - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowLocation - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowStorageCard - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowTelemetry - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowUserToResetPhone - - - - - - - - - - - - - - - - - - - text/plain - - - - - BootStartDriverInitialization - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConfigureMicrosoft365UploadEndpoint - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConfigureTelemetryOptInChangeNotification - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConfigureTelemetryOptInSettingsUx - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableDeviceDelete - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableDiagnosticDataViewer - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableDirectXDatabaseUpdate - - - - - - - - This group policy allows control over whether the DirectX Database Updater task will be run on the system. - - - - - - - - - - - text/plain - - - - - DisableEnterpriseAuthProxy - - - - - - - - This policy setting blocks the Connected User Experience and Telemetry service from automatically using an authenticated proxy to send data back to Microsoft on Windows 10. If you disable or do not configure this policy setting, the Connected User Experience and Telemetry service will automatically use an authenticated proxy to send data back to Microsoft. Enabling this policy will block the Connected User Experience and Telemetry service from automatically using an authenticated proxy. - - - - - - - - - - - text/plain - - - - - DisableOneDriveFileSync - - - - - - - - This policy setting lets you prevent apps and features from working with files on OneDrive. If you enable this policy setting: users can’t access OneDrive from the OneDrive app and file picker; Microsoft Store apps can’t access OneDrive using the WinRT API; OneDrive doesn’t appear in the navigation pane in File Explorer; OneDrive files aren’t kept in sync with the cloud; Users can’t automatically upload photos and videos from the camera roll folder. If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage. - - - - - - - - - - - text/plain - - - - - DisableSystemRestore - - - - - - - - - - - - - - - - - - - text/plain - - - - - FeedbackHubAlwaysSaveDiagnosticsLocally - - - - - - - - Diagnostic files created when a feedback is filed in the Feedback Hub app will always be saved locally. If this policy is not present or set to false, users will be presented with the option to save locally. The default is to not save locally. - - - - - - - - - - - text/plain - - - - - LimitEnhancedDiagnosticDataWindowsAnalytics - - - - - - - - This policy setting, in combination with the Allow Telemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. By configuring this setting, you're not stopping people from changing their Telemetry Settings; however, you are stopping them from choosing a higher level than you've set for the organization. To enable this behavior, you must complete two steps: 1. Enable this policy setting 2. Set Allow Telemetry to level 2 (Enhanced).If you configure these policy settings together, you'll send the Basic level of diagnostic data plus any additional events that are required for Windows Analytics, to Microsoft. The additional events are documented here: https://go.Microsoft.com/fwlink/?linked=847594. If you enable Enhanced diagnostic data in the Allow Telemetry policy setting, but you don't configure this policy setting, you'll send the required events for Windows Analytics, plus any additional Enhanced level telemetry data to Microsoft. This setting has no effect on computers configured to send Full, Basic, or Security level diagnostic data to Microsoft. If you disable or don't configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the Allow Telemetry policy setting. - - - - - - - - - - - text/plain - - - - - TelemetryProxy - - - - - - - - - - - - - - - - - - - text/plain - - - - - TurnOffFileHistory - - - - - - - - This policy setting allows you to turn off File History. - -If you enable this policy setting, File History cannot be activated to create regular, automatic backups. - -If you disable or do not configure this policy setting, File History can be activated to create regular, automatic backups. - - - - - - - - - - - text/plain - - - - - - SystemServices - - - - - - - - - - - - - - - - - - - - - ConfigureHomeGroupListenerServiceStartupMode - - - - - - - - This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. - - - - - - - - - - - text/plain - - - - - ConfigureHomeGroupProviderServiceStartupMode - - - - - - - - This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. - - - - - - - - - - - text/plain - - - - - ConfigureXboxAccessoryManagementServiceStartupMode - - - - - - - - This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. - - - - - - - - - - - text/plain - - - - - ConfigureXboxLiveAuthManagerServiceStartupMode - - - - - - - - This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. - - - - - - - - - - - text/plain - - - - - ConfigureXboxLiveGameSaveServiceStartupMode - - - - - - - - This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. - - - - - - - - - - - text/plain - - - - - ConfigureXboxLiveNetworkingServiceStartupMode - - - - - - - - This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. - - - - - - - - - - - text/plain - - - - - - TaskManager - - - - - - - - - - - - - - - - - - - - - AllowEndTask - - - - - - - - This setting determines whether non-administrators can use Task Manager to end tasks - enabled (1) or disabled (0). Default: enabled - - - - - - - - - - - text/plain - - - - - - TaskScheduler - - - - - - - - - - - - - - - - - - - - - EnableXboxGameSaveTask - - - - - - - - This setting determines whether the specific task is enabled (1) or disabled (0). Default: Enabled. - - - - - - - - - - - text/plain - - - - - - TextInput - - - - - - - - - - - - - - - - - - - - - AllowHardwareKeyboardTextSuggestions - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowIMELogging - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowIMENetworkAccess - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowInputPanel - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowJapaneseIMESurrogatePairCharacters - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowJapaneseIVSCharacters - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowJapaneseNonPublishingStandardGlyph - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowJapaneseUserDictionary - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowKeyboardTextSuggestions - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowLanguageFeaturesUninstall - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowLinguisticDataCollection - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConfigureJapaneseIMEVersion - - - - - - - - This policy allows the IT admin to configure the Microsoft Japanese IME version in the desktop. -The following list shows the supported values: -0 (default) – The new Microsoft Japanese IME is on by default. Allow to control Microsoft Japanese IME version to use. -1 - The previous version of Microsoft Japanese IME is always selected. Not allowed to control Microsoft Japanese IME version to use. -2 - The new Microsoft Japanese IME is always selected. Not allowed to control Microsoft Japanese IME version to use. - - - - - - - - - - - text/plain - - - - - ConfigureSimplifiedChineseIMEVersion - - - - - - - - This policy allows the IT admin to configure the Microsoft Simplified Chinese IME version in the desktop. -The following list shows the supported values: -0 (default) – The new Microsoft Simplified Chinese IME is on by default. Allow to control Microsoft Simplified Chinese IME version to use. -1 - The previous version of Microsoft Simplified Chinese IME is always selected. Not allowed to control Microsoft Simplified Chinese IME version to use. -2 - The new Microsoft Simplified Chinese IME is always selected. Not allowed to control Microsoft Simplified Chinese IME version to use. - - - - - - - - - - - text/plain - - - - - ConfigureTraditionalChineseIMEVersion - - - - - - - - This policy allows the IT admin to configure the Microsoft Traditional Chinese IME version in the desktop. -The following list shows the supported values: -0 (default) – The new Microsoft Traditional Chinese IME is on by default. Allow to control Microsoft Traditional Chinese IME version to use. -1 - The previous version of Microsoft Traditional Chinese IME is always selected. Not allowed to control Microsoft Traditional Chinese IME version to use. -2 - The new Microsoft Traditional Chinese IME is always selected. Not allowed to control Microsoft Traditional Chinese IME version to use. - - - - - - - - - - - text/plain - - - - - EnableTouchKeyboardAutoInvokeInDesktopMode - - - - - - - - - - - - - - - - - - - text/plain - - - - - ExcludeJapaneseIMEExceptJIS0208 - - - - - - - - - - - - - - - - - - - text/plain - - - - - ExcludeJapaneseIMEExceptJIS0208andEUDC - - - - - - - - - - - - - - - - - - - text/plain - - - - - ExcludeJapaneseIMEExceptShiftJIS - - - - - - - - - - - - - - - - - - - text/plain - - - - - ForceTouchKeyboardDockedState - - - - - - - - - - - - - - - - - - - text/plain - - - - - TouchKeyboardDictationButtonAvailability - - - - - - - - - - - - - - - - - - - text/plain - - - - - TouchKeyboardEmojiButtonAvailability - - - - - - - - - - - - - - - - - - - text/plain - - - - - TouchKeyboardFullModeAvailability - - - - - - - - - - - - - - - - - - - text/plain - - - - - TouchKeyboardHandwritingModeAvailability - - - - - - - - - - - - - - - - - - - text/plain - - - - - TouchKeyboardNarrowModeAvailability - - - - - - - - - - - - - - - - - - - text/plain - - - - - TouchKeyboardSplitModeAvailability - - - - - - - - - - - - - - - - - - - text/plain - - - - - TouchKeyboardWideModeAvailability - - - - - - - - - - - - - - - - - - - text/plain - - - - - - TimeLanguageSettings - - - - - - - - - - - - - - - - - - - - - AllowSet24HourClock - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConfigureTimeZone - - - - - - - - Specifies the time zone to be applied to the device. This is the standard Windows name for the target time zone. - - - - - - - - - - - text/plain - - - - - - Troubleshooting - - - - - - - - - - - - - - - - - - - - - AllowRecommendations - - - - - - - - This policy setting applies recommended troubleshooting for known problems on the device and lets administrators configure how it's applied to their domains/IT environments. -Not configuring this policy setting will allow the user to configure if and how recommended troubleshooting is applied. - -Enabling this policy allows you to configure how recommended troubleshooting is applied on the user's device. You can select from one of the following values: -0 = Turn this feature off. -1 = Turn this feature off but still apply critical troubleshooting. -2 = Notify users when recommended troubleshooting is available, then allow the user to run or ignore it. -3 = Run recommended troubleshooting automatically and notify the user after it's been successfully run. -4 = Run recommended troubleshooting automatically without notifying the user. -5 = Allow the user to choose their own recommended troubleshooting settings. - - - - - - - - - - - text/plain - - - - - - Update - - - - - - - - - - - - - - - - - - - - - ActiveHoursEnd - - - - - - - - - - - - - - - - - - - text/plain - - - - - ActiveHoursMaxRange - - - - - - - - - - - - - - - - - - - text/plain - - - - - ActiveHoursStart - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowAutoUpdate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowAutoWindowsUpdateDownloadOverMeteredNetwork - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowMUUpdateService - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowNonMicrosoftSignedUpdate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowUpdateService - - - - - - - - - - - - - - - - - - - text/plain - - - - - AutomaticMaintenanceWakeUp - - - - - - - - This policy setting allows you to configure Automatic Maintenance wake up policy. - -The maintenance wakeup policy specifies if Automatic Maintenance should make a wake request to the OS for the daily scheduled maintenance. Note, that if the OS power wake policy is explicitly disabled, then this setting has no effect. - -If you enable this policy setting, Automatic Maintenance will attempt to set OS wake policy and make a wake request for the daily scheduled time, if required. - -If you disable or do not configure this policy setting, the wake setting as specified in Security and Maintenance/Automatic Maintenance Control Panel will apply. - - - - - - - - - - - text/plain - - - - - AutoRestartDeadlinePeriodInDays - - - - - - - - - - - - - - - - - - - text/plain - - - - - AutoRestartDeadlinePeriodInDaysForFeatureUpdates - - - - - - - - - - - - - - - - - - - text/plain - - - - - AutoRestartNotificationSchedule - - - - - - - - - - - - - - - - - - - text/plain - - - - - AutoRestartRequiredNotificationDismissal - - - - - - - - - - - - - - - - - - - text/plain - - - - - BranchReadinessLevel - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConfigureDeadlineForFeatureUpdates - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConfigureDeadlineForQualityUpdates - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConfigureDeadlineGracePeriod - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConfigureDeadlineNoAutoReboot - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConfigureFeatureUpdateUninstallPeriod - - - - - - - - Enable enterprises/IT admin to configure feature update uninstall period - - - - - - - - - - - text/plain - - - - - DeferFeatureUpdatesPeriodInDays - - - - - - - - - - - - - - - - - - - text/plain - - - - - DeferQualityUpdatesPeriodInDays - - - - - - - - - - - - - - - - - - - text/plain - - - - - DeferUpdatePeriod - - - - - - - - - - - - - - - - - - - text/plain - - - - - DeferUpgradePeriod - - - - - - - - - - - - - - - - - - - text/plain - - - - - DetectionFrequency - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableDualScan - - - - - - - - Do not allow update deferral policies to cause scans against Windows Update - - - - - - - - - - - text/plain - - - - - DisableWUfBSafeguards - - - - - - - - - - - - - - - - - - - text/plain - - - - - EngagedRestartDeadline - - - - - - - - - - - - - - - - - - - text/plain - - - - - EngagedRestartDeadlineForFeatureUpdates - - - - - - - - - - - - - - - - - - - text/plain - - - - - EngagedRestartSnoozeSchedule - - - - - - - - - - - - - - - - - - - text/plain - - - - - EngagedRestartSnoozeScheduleForFeatureUpdates - - - - - - - - - - - - - - - - - - - text/plain - - - - - EngagedRestartTransitionSchedule - - - - - - - - - - - - - - - - - - - text/plain - - - - - EngagedRestartTransitionScheduleForFeatureUpdates - - - - - - - - - - - - - - - - - - - text/plain - - - - - ExcludeWUDriversInQualityUpdate - - - - - - - - - - - - - - - - - - - text/plain - - - - - FillEmptyContentUrls - - - - - - - - - - - - - - - - - - - text/plain - - - - - IgnoreMOAppDownloadLimit - - - - - - - - - - - - - - - - - - - text/plain - - - - - IgnoreMOUpdateDownloadLimit - - - - - - - - - - - - - - - - - - - text/plain - - - - - ManagePreviewBuilds - - - - - - - - - - - - - - - - - - - text/plain - - - - - PauseDeferrals - - - - - - - - - - - - - - - - - - - text/plain - - - - - PauseFeatureUpdates - - - - - - - - - - - - - - - - - - - text/plain - - - - - PauseFeatureUpdatesStartTime - - - - - - - - - - - - - - - - - - - text/plain - - - - - PauseQualityUpdates - - - - - - - - - - - - - - - - - - - text/plain - - - - - PauseQualityUpdatesStartTime - - - - - - - - - - - - - - - - - - - text/plain - - - - - PhoneUpdateRestrictions - - - - - - - - - - - - - - - - - - - text/plain - - - - - RequireDeferUpgrade - - - - - - - - - - - - - - - - - - - text/plain - - - - - RequireUpdateApproval - - - - - - - - - - - - - - - - - - - text/plain - - - - - ScheduledInstallDay - - - - - - - - - - - - - - - - - - - text/plain - - - - - ScheduledInstallEveryWeek - - - - - - - - - - - - - - - - - - - text/plain - - - - - ScheduledInstallFirstWeek - - - - - - - - - - - - - - - - - - - text/plain - - - - - ScheduledInstallFourthWeek - - - - - - - - - - - - - - - - - - - text/plain - - - - - ScheduledInstallSecondWeek - - - - - - - - - - - - - - - - - - - text/plain - - - - - ScheduledInstallThirdWeek - - - - - - - - - - - - - - - - - - - text/plain - - - - - ScheduledInstallTime - - - - - - - - - - - - - - - - - - - text/plain - - - - - ScheduleImminentRestartWarning - - - - - - - - - - - - - - - - - - - text/plain - - - - - ScheduleRestartWarning - - - - - - - - - - - - - - - - - - - text/plain - - - - - SetAutoRestartNotificationDisable - - - - - - - - - - - - - - - - - - - text/plain - - - - - SetDisablePauseUXAccess - - - - - - - - - - - - - - - - - - - text/plain - - - - - SetDisableUXWUAccess - - - - - - - - - - - - - - - - - - - text/plain - - - - - SetEDURestart - - - - - - - - - - - - - - - - - - - text/plain - - - - - SetProxyBehaviorForUpdateDetection - - - - - - - - - - - - - - - - - - - text/plain - - - - - TargetReleaseVersion - - - - - - - - - - - - - - - - - - - text/plain - - - - - UpdateNotificationLevel - - - - - - - - - - - - - - - - - - - text/plain - - - - - UpdateServiceUrl - - - - - - - - - - - - - - - - - - - text/plain - - - - - UpdateServiceUrlAlternate - - - - - - - - - - - - - - - - - - - text/plain - - - - - - UserRights - - - - - - - - - - - - - - - - - - - - - AccessCredentialManagerAsTrustedCaller - - - - - - - - This user right is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it is only assigned to Winlogon. Users' saved credentials might be compromised if this privilege is given to other entities. - - - - - - - - - - - text/plain - - - - - AccessFromNetwork - - - - - - - - This user right determines which users and groups are allowed to connect to the computer over the network. Remote Desktop Services are not affected by this user right.Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server. - - - - - - - - - - - text/plain - - - - - ActAsPartOfTheOperatingSystem - - - - - - - - This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. Processes that require this privilege should use the LocalSystem account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned. Caution:Assigning this user right can be a security risk. Only assign this user right to trusted users. - - - - - - - - - - - text/plain - - - - - AllowLocalLogOn - - - - - - - - This user right determines which users can log on to the computer. Note: Modifying this setting may affect compatibility with clients, services, and applications. For compatibility information about this setting, see Allow log on locally (https://go.microsoft.com/fwlink/?LinkId=24268 ) at the Microsoft website. - - - - - - - - - - - text/plain - - - - - BackupFilesAndDirectories - - - - - - - - This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when backing up files and directories.Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:Traverse Folder/Execute File, Read. Caution: Assigning this user right can be a security risk. Since users with this user right can read any registry settings and files, only assign this user right to trusted users - - - - - - - - - - - text/plain - - - - - ChangeSystemTime - - - - - - - - This user right determines which users and groups can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. - - - - - - - - - - - text/plain - - - - - CreateGlobalObjects - - - - - - - - This security setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right. Users who can create global objects could affect processes that run under other users' sessions, which could lead to application failure or data corruption. Caution: Assigning this user right can be a security risk. Assign this user right only to trusted users. - - - - - - - - - - - text/plain - - - - - CreatePageFile - - - - - - - - This user right determines which users and groups can call an internal application programming interface (API) to create and change the size of a page file. This user right is used internally by the operating system and usually does not need to be assigned to any users - - - - - - - - - - - text/plain - - - - - CreatePermanentSharedObjects - - - - - - - - This user right determines which accounts can be used by processes to create a directory object using the object manager. This user right is used internally by the operating system and is useful to kernel-mode components that extend the object namespace. Because components that are running in kernel mode already have this user right assigned to them, it is not necessary to specifically assign it. - - - - - - - - - - - text/plain - - - - - CreateSymbolicLinks - - - - - - - - This user right determines if the user can create a symbolic link from the computer he is logged on to. Caution: This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them. Note: This setting can be used in conjunction a symlink filesystem setting that can be manipulated with the command line utility to control the kinds of symlinks that are allowed on the machine. Type 'fsutil behavior set symlinkevaluation /?' at the command line to get more information about fsutil and symbolic links. - - - - - - - - - - - text/plain - - - - - CreateToken - - - - - - - - This user right determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token. This user right is used internally by the operating system. Unless it is necessary, do not assign this user right to a user, group, or process other than Local System. Caution: Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system. - - - - - - - - - - - text/plain - - - - - DebugPrograms - - - - - - - - This user right determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user right provides complete access to sensitive and critical operating system components. Caution:Assigning this user right can be a security risk. Only assign this user right to trusted users. - - - - - - - - - - - text/plain - - - - - DenyAccessFromNetwork - - - - - - - - This user right determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access this computer from the network policy setting if a user account is subject to both policies. - - - - - - - - - - - text/plain - - - - - DenyLocalLogOn - - - - - - - - This security setting determines which service accounts are prevented from registering a process as a service. Note: This security setting does not apply to the System, Local Service, or Network Service accounts. - - - - - - - - - - - text/plain - - - - - DenyRemoteDesktopServicesLogOn - - - - - - - - This user right determines which users and groups are prohibited from logging on as a Remote Desktop Services client. - - - - - - - - - - - text/plain - - - - - EnableDelegation - - - - - - - - This user right determines which users can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using delegated credentials of a client, as long as the client account does not have the Account cannot be delegated account control flag set. Caution: Misuse of this user right, or of the Trusted for Delegation setting, could make the network vulnerable to sophisticated attacks using Trojan horse programs that impersonate incoming clients and use their credentials to gain access to network resources. - - - - - - - - - - - text/plain - - - - - GenerateSecurityAudits - - - - - - - - This user right determines which accounts can be used by a process to add entries to the security log. The security log is used to trace unauthorized system access. Misuse of this user right can result in the generation of many auditing events, potentially hiding evidence of an attack or causing a denial of service. Shut down system immediately if unable to log security audits security policy setting is enabled. - - - - - - - - - - - text/plain - - - - - ImpersonateClient - - - - - - - - Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels. Caution: Assigning this user right can be a security risk. Only assign this user right to trusted users. Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist. -1) The access token that is being impersonated is for this user. -2) The user, in this logon session, created the access token by logging on to the network with explicit credentials. -3) The requested level is less than Impersonate, such as Anonymous or Identify. -Because of these factors, users do not usually need this user right. Warning: If you enable this setting, programs that previously had the Impersonate privilege may lose it, and they may not run. - - - - - - - - - - - text/plain - - - - - IncreaseSchedulingPriority - - - - - - - - This user right determines which accounts can use a process with Write Property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. - - - - - - - - - - - text/plain - - - - - LoadUnloadDeviceDrivers - - - - - - - - This user right determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. It is recommended that you do not assign this privilege to other users. Caution: Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system. - - - - - - - - - - - text/plain - - - - - LockMemory - - - - - - - - This user right determines which accounts can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). - - - - - - - - - - - text/plain - - - - - ManageAuditingAndSecurityLog - - - - - - - - This user right determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. This security setting does not allow a user to enable file and object access auditing in general. You can view audited events in the security log of the Event Viewer. A user with this privilege can also view and clear the security log. - - - - - - - - - - - text/plain - - - - - ManageVolume - - - - - - - - This user right determines which users and groups can run maintenance tasks on a volume, such as remote defragmentation. Use caution when assigning this user right. Users with this user right can explore disks and extend files in to memory that contains other data. When the extended files are opened, the user might be able to read and modify the acquired data. - - - - - - - - - - - text/plain - - - - - ModifyFirmwareEnvironment - - - - - - - - This user right determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor.On x86-based computers, the only firmware environment value that can be modified by assigning this user right is the Last Known Good Configuration setting, which should only be modified by the system. On Itanium-based computers, boot information is stored in nonvolatile RAM. Users must be assigned this user right to run bootcfg.exe and to change the Default Operating System setting on Startup and Recovery in System Properties. On all computers, this user right is required to install or upgrade Windows.Note: This security setting does not affect who can modify the system environment variables and user environment variables that are displayed on the Advanced tab of System Properties. - - - - - - - - - - - text/plain - - - - - ModifyObjectLabel - - - - - - - - This user right determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. Processes running under a user account can modify the label of an object owned by that user to a lower level without this privilege. - - - - - - - - - - - text/plain - - - - - ProfileSingleProcess - - - - - - - - This user right determines which users can use performance monitoring tools to monitor the performance of system processes. - - - - - - - - - - - text/plain - - - - - RemoteShutdown - - - - - - - - This user right determines which users are allowed to shut down a computer from a remote location on the network. Misuse of this user right can result in a denial of service. - - - - - - - - - - - text/plain - - - - - RestoreFilesAndDirectories - - - - - - - - This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and determines which users can set any valid security principal as the owner of an object. Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:Traverse Folder/Execute File, Write. Caution: Assigning this user right can be a security risk. Since users with this user right can overwrite registry settings, hide data, and gain ownership of system objects, only assign this user right to trusted users. - - - - - - - - - - - text/plain - - - - - TakeOwnership - - - - - - - - This user right determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. Caution: Assigning this user right can be a security risk. Since owners of objects have full control of them, only assign this user right to trusted users. - - - - - - - - - - - text/plain - - - - - - Wifi - - - - - - - - - - - - - - - - - - - - - AllowAutoConnectToWiFiSenseHotspots - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowInternetSharing - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowManualWiFiConfiguration - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowWiFi - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowWiFiDirect - - - - - - - - - - - - - - - - - - - text/plain - - - - - WLANScanMode - - - - - - - - - - - - - - - - - - - text/plain - - - - - - WindowsConnectionManager - - - - - - - - - - - - - - - - - - - - - ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork - - - - - - - - - - - - - - - - - - - text/plain - - - - - - WindowsDefenderSecurityCenter - - - - - - - - - - - - - - - - - - - - - CompanyName - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableAccountProtectionUI - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableAppBrowserUI - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableClearTpmButton - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableDeviceSecurityUI - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableEnhancedNotifications - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableFamilyUI - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableHealthUI - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableNetworkUI - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableNotifications - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableTpmFirmwareUpdateWarning - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableVirusUI - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisallowExploitProtectionOverride - - - - - - - - - - - - - - - - - - - text/plain - - - - - Email - - - - - - - - - - - - - - - - - - - text/plain - - - - - EnableCustomizedToasts - - - - - - - - - - - - - - - - - - - text/plain - - - - - EnableInAppCustomization - - - - - - - - - - - - - - - - - - - text/plain - - - - - HideRansomwareDataRecovery - - - - - - - - - - - - - - - - - - - text/plain - - - - - HideSecureBoot - - - - - - - - - - - - - - - - - - - text/plain - - - - - HideTPMTroubleshooting - - - - - - - - - - - - - - - - - - - text/plain - - - - - HideWindowsSecurityNotificationAreaControl - - - - - - - - - - - - - - - - - - - text/plain - - - - - Phone - - - - - - - - - - - - - - - - - - - text/plain - - - - - URL - - - - - - - - - - - - - - - - - - - text/plain - - - - - - WindowsInkWorkspace - - - - - - - - - - - - - - - - - - - - - AllowSuggestedAppsInWindowsInkWorkspace - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowWindowsInkWorkspace - - - - - - - - - - - - - - - - - - - text/plain - - - - - - WindowsLogon - - - - - - - - - - - - - - - - - - - - - AllowAutomaticRestartSignOn - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConfigAutomaticRestartSignOn - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableLockScreenAppNotifications - - - - - - - - - - - - - - - - - - - text/plain - - - - - DontDisplayNetworkSelectionUI - - - - - - - - - - - - - - - - - - - text/plain - - - - - EnableFirstLogonAnimation - - - - - - - - This policy setting allows you to control whether users see the first sign-in animation when signing in to the computer for the first time. This applies to both the first user of the computer who completes the initial setup and users who are added to the computer later. It also controls if Microsoft account users will be offered the opt-in prompt for services during their first sign-in. - -If you enable this policy setting, Microsoft account users will see the opt-in prompt for services, and users with other accounts will see the sign-in animation. - -If you disable this policy setting, users will not see the animation and Microsoft account users will not see the opt-in prompt for services. - -If you do not configure this policy setting, the user who completes the initial Windows setup will see the animation during their first sign-in. If the first user had already completed the initial setup and this policy setting is not configured, users new to this computer will not see the animation. - -Note: The first sign-in animation will not be shown on Server, so this policy will have no effect. - - - - - - - - - - - text/plain - - - - - EnumerateLocalUsersOnDomainJoinedComputers - - - - - - - - - - - - - - - - - - - text/plain - - - - - HideFastUserSwitching - - - - - - - - This policy setting allows you to hide the Switch User interface in the Logon UI, the Start menu and the Task Manager. If you enable this policy setting, the Switch User interface is hidden from the user who is attempting to log on or is logged on to the computer that has this policy applied. The locations that Switch User interface appear are in the Logon UI, the Start menu and the Task Manager. If you disable or do not configure this policy setting, the Switch User interface is accessible to the user in the three locations. - - - - - - - - - - - text/plain - - - - - - WindowsPowerShell - - - - - - - - - - - - - - - - - - - - - TurnOnPowerShellScriptBlockLogging - - - - - - - - - - - - - - - - - - - text/plain - - - - - - WirelessDisplay - - - - - - - - - - - - - - - - - - - - - AllowMdnsAdvertisement - - - - - - - - This policy setting allows you to turn off the Wireless Display multicast DNS service advertisement from a Wireless Display receiver. - - - - - - - - - - - text/plain - - - - - AllowMdnsDiscovery - - - - - - - - This policy setting allows you to turn off discovering the display service advertised over multicast DNS by a Wireless Display receiver. - - - - - - - - - - - text/plain - - - - - AllowProjectionFromPC - - - - - - - - This policy allows you to turn off projection from a PC. - If you set it to 0, your PC cannot discover or project to other devices. - If you set it to 1, your PC can discover and project to other devices. - - - - - - - - - - - text/plain - - - - - AllowProjectionFromPCOverInfrastructure - - - - - - - - This policy allows you to turn off projection from a PC over infrastructure. - If you set it to 0, your PC cannot discover or project to other infrastructure devices, though it may still be possible to discover and project over WiFi Direct. - If you set it to 1, your PC can discover and project to other devices over infrastructure. - - - - - - - - - - - text/plain - - - - - AllowProjectionToPC - - - - - - - - This policy setting allows you to turn off projection to a PC - If you set it to 0, your PC isn't discoverable and can't be projected to - If you set it to 1, your PC is discoverable and can be projected to above the lock screen only. The user has an option to turn it always on or off except for manual launch, too. - - - - - - - - - - - text/plain - - - - - AllowProjectionToPCOverInfrastructure - - - - - - - - This policy setting allows you to turn off projection to a PC over infrastructure. - If you set it to 0, your PC cannot be discoverable and can't be projected to over infrastructure, though it may still be possible to project over WiFi Direct. - If you set it to 1, your PC can be discoverable and can be projected to over infrastructure. - - - - - - - - - - - text/plain - - - - - AllowUserInputFromWirelessDisplayReceiver - - - - - - - - - - - - - - - - - - - text/plain - - - - - RequirePinForPairing - - - - - - - - This policy setting allows you to require a pin for pairing. - If you set this to 0, a pin isn't required for pairing. - If you set this to 1, the pairing ceremony for new devices will always require a PIN. - If you set this to 2, all pairings will require PIN. - - - - - - - - - - - text/plain - - - - - - - Result - - - - - - - - - - - - - - - - - - - AboveLock - - - - - - - - - - - - - - - - - - - AllowActionCenterNotifications - - - - - 1 - - - - - - - - - - - - text/plain - - - desktop - LowestValueMostSecure - - - - AllowCortanaAboveLock - - - - - 1 - - - - - - - - - - - - text/plain - - - Search.admx - Search~AT~WindowsComponents~Search - AllowCortanaAboveLock - LowestValueMostSecure - - - - AllowToasts - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - - Accounts - - - - - - - - - - - - - - - - - - - AllowAddingNonMicrosoftAccountsManually - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowMicrosoftAccountConnection - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowMicrosoftAccountSignInAssistant - - - - - 1 - - - - - - - - - - - - text/plain - - - LastWrite - - - - DomainNamesForEmailSync - - - - - - - - - - - - - - - - - text/plain - - LastWrite - - - - - ActiveXControls - - - - - - - - - - - - - - - - - - - ApprovedInstallationSites - - - - - - - - - - - - - - - - - text/plain - - phone - ActiveXInstallService.admx - ActiveXInstallService~AT~WindowsComponents~AxInstSv - ApprovedActiveXInstallSites - LastWrite - - - - - ApplicationDefaults - - - - - - - - - - - - - - - - - - - DefaultAssociationsConfiguration - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsExplorer.admx - DefaultAssociationsConfiguration_TextBox - WindowsExplorer~AT~WindowsComponents~WindowsExplorer - DefaultAssociationsConfiguration - LastWrite - - - - EnableAppUriHandlers - - - - - 1 - Enables web-to-app linking, which allows apps to be launched with a http(s) URI - - - - - - - - - - - text/plain - - - GroupPolicy.admx - GroupPolicy~AT~System~PolicyPolicies - EnableAppUriHandlers - HighestValueMostSecure - - - - - ApplicationManagement - - - - - - - - - - - - - - - - - - - AllowAllTrustedApps - - - - - 65535 - - - - - - - - - - - - text/plain - - - AppxPackageManager.admx - AppxPackageManager~AT~WindowsComponents~AppxDeployment - AppxDeploymentAllowAllTrustedApps - LowestValueMostSecure - - - - AllowAppStoreAutoUpdate - - - - - 2 - - - - - - - - - - - - text/plain - - - WindowsStore.admx - WindowsStore~AT~WindowsComponents~WindowsStore - DisableAutoInstall - LowestValueMostSecure - - - - AllowDeveloperUnlock - - - - - 65535 - - - - - - - - - - - - text/plain - - - AppxPackageManager.admx - AppxPackageManager~AT~WindowsComponents~AppxDeployment - AllowDevelopmentWithoutDevLicense - LowestValueMostSecure - - - - AllowGameDVR - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - GameDVR.admx - GameDVR~AT~WindowsComponents~GAMEDVR - AllowGameDVR - LowestValueMostSecure - - - - AllowSharedUserAppData - - - - - 0 - - - - - - - - - - - - text/plain - - - AppxPackageManager.admx - AppxPackageManager~AT~WindowsComponents~AppxDeployment - AllowSharedLocalAppData - LowestValueMostSecure - - - - AllowStore - - - - - 1 - - - - - - - - - - - - text/plain - - - desktop - LowestValueMostSecure - - - - ApplicationRestrictions - - - - - - - - - - - - - - - - - text/plain - - desktop - LastWrite - - - - BlockNonAdminUserInstall - - - - - 0 - - - - - - - - - - - - text/plain - - - AppxPackageManager.admx - AppxPackageManager~AT~WindowsComponents~AppxDeployment - BlockNonAdminUserInstall - LowestValueMostSecure - - - - DisableStoreOriginatedApps - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsStore.admx - WindowsStore~AT~WindowsComponents~WindowsStore - DisableStoreApps - LowestValueMostSecure - - - - LaunchAppAfterLogOn - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are to be launched after logon. - - - - - - - - - - - text/plain - - LastWrite - - - - MSIAllowUserControlOverInstall - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - MSI.admx - MSI~AT~WindowsComponents~MSI - EnableUserControl - HighestValueMostSecure - - - - MSIAlwaysInstallWithElevatedPrivileges - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - MSI.admx - MSI~AT~WindowsComponents~MSI - AlwaysInstallElevated - HighestValueMostSecure - - - - RequirePrivateStoreOnly - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsStore.admx - WindowsStore~AT~WindowsComponents~WindowsStore - RequirePrivateStoreOnly - HighestValueMostSecure - - - - RestrictAppDataToSystemVolume - - - - - 0 - - - - - - - - - - - - text/plain - - - AppxPackageManager.admx - AppxPackageManager~AT~WindowsComponents~AppxDeployment - RestrictAppDataToSystemVolume - LowestValueMostSecure - - - - RestrictAppToSystemVolume - - - - - 0 - - - - - - - - - - - - text/plain - - - AppxPackageManager.admx - AppxPackageManager~AT~WindowsComponents~AppxDeployment - DisableDeploymentToNonSystemVolumes - LowestValueMostSecure - - - - ScheduleForceRestartForUpdateFailures - - - - - - - - - - - - - - - - - text/plain - - LastWrite - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -]]> - - - - - AppRuntime - - - - - - - - - - - - - - - - - - - AllowMicrosoftAccountsToBeOptional - - - - - - - - - - - - - - - - - text/plain - - phone - AppXRuntime.admx - AppXRuntime~AT~WindowsComponents~AppXRuntime - AppxRuntimeMicrosoftAccountsOptional - LastWrite - - - - - AppVirtualization - - - - - - - - - - - - - - - - - - - AllowAppVClient - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV - EnableAppV - LastWrite - - - - AllowDynamicVirtualization - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Virtualization - Virtualization_JITVEnable - LastWrite - - - - AllowPackageCleanup - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_PackageManagement - PackageManagement_AutoCleanupEnable - LastWrite - - - - AllowPackageScripts - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Scripting - Scripting_Enable_Package_Scripts - LastWrite - - - - AllowPublishingRefreshUX - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Publishing - Enable_Publishing_Refresh_UX - LastWrite - - - - AllowReportingServer - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Reporting - Reporting_Server_Policy - LastWrite - - - - AllowRoamingFileExclusions - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Integration - Integration_Roaming_File_Exclusions - LastWrite - - - - AllowRoamingRegistryExclusions - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Integration - Integration_Roaming_Registry_Exclusions - LastWrite - - - - AllowStreamingAutoload - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Streaming - Steaming_Autoload - LastWrite - - - - ClientCoexistenceAllowMigrationmode - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Client_Coexistence - Client_Coexistence_Enable_Migration_mode - LastWrite - - - - IntegrationAllowRootGlobal - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Integration - Integration_Root_User - LastWrite - - - - IntegrationAllowRootUser - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Integration - Integration_Root_Global - LastWrite - - - - PublishingAllowServer1 - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Publishing - Publishing_Server1_Policy - LastWrite - - - - PublishingAllowServer2 - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Publishing - Publishing_Server2_Policy - LastWrite - - - - PublishingAllowServer3 - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Publishing - Publishing_Server3_Policy - LastWrite - - - - PublishingAllowServer4 - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Publishing - Publishing_Server4_Policy - LastWrite - - - - PublishingAllowServer5 - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Publishing - Publishing_Server5_Policy - LastWrite - - - - StreamingAllowCertificateFilterForClient_SSL - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Streaming - Streaming_Certificate_Filter_For_Client_SSL - LastWrite - - - - StreamingAllowHighCostLaunch - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Streaming - Streaming_Allow_High_Cost_Launch - LastWrite - - - - StreamingAllowLocationProvider - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Streaming - Streaming_Location_Provider - LastWrite - - - - StreamingAllowPackageInstallationRoot - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Streaming - Streaming_Package_Installation_Root - LastWrite - - - - StreamingAllowPackageSourceRoot - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Streaming - Streaming_Package_Source_Root - LastWrite - - - - StreamingAllowReestablishmentInterval - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Streaming - Streaming_Reestablishment_Interval - LastWrite - - - - StreamingAllowReestablishmentRetries - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Streaming - Streaming_Reestablishment_Retries - LastWrite - - - - StreamingSharedContentStoreMode - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Streaming - Streaming_Shared_Content_Store_Mode - LastWrite - - - - StreamingSupportBranchCache - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Streaming - Streaming_Support_Branch_Cache - LastWrite - - - - StreamingVerifyCertificateRevocationList - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Streaming - Streaming_Verify_Certificate_Revocation_List - LastWrite - - - - VirtualComponentsAllowList - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Virtualization - Virtualization_JITVAllowList - LastWrite - - - - - Audit - - - - - - - - - - - - - - - - - - - AccountLogon_AuditCredentialValidation - - - - - 0 - This policy setting allows you to audit events generated by validation tests on user account logon credentials. - -Events in this subcategory occur only on the computer that is authoritative for those credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Account Logon - Audit Credential Validation - LastWrite - - - - AccountLogon_AuditKerberosAuthenticationService - - - - - 0 - This policy setting allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests. - -If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT request. Success audits record successful requests and Failure audits record unsuccessful requests. -If you do not configure this policy setting, no audit event is generated after a Kerberos authentication TGT request. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Account Logon - Audit Kerberos Authentication Service - LastWrite - - - - AccountLogon_AuditKerberosServiceTicketOperations - - - - - 0 - This policy setting allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests submitted for user accounts. - -If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT is requested for a user account. Success audits record successful requests and Failure audits record unsuccessful requests. -If you do not configure this policy setting, no audit event is generated after a Kerberos authentication TGT is request for a user account. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Account Logon - Audit Kerberos Service Ticket Operations - LastWrite - - - - AccountLogon_AuditOtherAccountLogonEvents - - - - - 0 - This policy setting allows you to audit events generated by responses to credential requests submitted for a user account logon that are not credential validation or Kerberos tickets. - -Currently, there are no events in this subcategory. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Account Logon - Audit Other Account Logon Events - LastWrite - - - - AccountLogonLogoff_AuditAccountLockout - - - - - 1 - This policy setting allows you to audit events generated by a failed attempt to log on to an account that is locked out. - -If you configure this policy setting, an audit event is generated when an account cannot log on to a computer because the account is locked out. Success audits record successful attempts and Failure audits record unsuccessful attempts. - -Logon events are essential for understanding user activity and to detect potential attacks. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Logon/Logoff - Audit Account Lockout - LastWrite - - - - AccountLogonLogoff_AuditGroupMembership - - - - - 0 - This policy allows you to audit the group memberhsip information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. - -When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the Audit Logon setting under Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff. Multiple events are generated if the group memberhsip information cannot fit in a single security audit event. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Logon/Logoff - Audit Group Membership - LastWrite - - - - AccountLogonLogoff_AuditIPsecExtendedMode - - - - - 0 - This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations. - -If you configure this policy setting, an audit event is generated during an IPsec Extended Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated during an IPsec Extended Mode negotiation. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Logon/Logoff - Audit IPsec Extended Mode - LastWrite - - - - AccountLogonLogoff_AuditIPsecMainMode - - - - - 0 - This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations. - -If you configure this policy setting, an audit event is generated during an IPsec Main Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated during an IPsec Main Mode negotiation. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Logon/Logoff - Audit IPsec Main Mode - LastWrite - - - - AccountLogonLogoff_AuditIPsecQuickMode - - - - - 0 - This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations. - -If you configure this policy setting, an audit event is generated during an IPsec Quick Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts.If - you do not configure this policy setting, no audit event is generated during an IPsec Quick Mode negotiation. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Logon/Logoff - Audit IPsec Quick Mode - LastWrite - - - - AccountLogonLogoff_AuditLogoff - - - - - 1 - This policy setting allows you to audit events generated by the closing of a logon session. These events occur on the computer that was accessed. For an interactive logoff the security audit event is generated on the computer that the user account logged on to. - -If you configure this policy setting, an audit event is generated when a logon session is closed. Success audits record successful attempts to close sessions and Failure audits record unsuccessful attempts to close sessions. -If you do not configure this policy setting, no audit event is generated when a logon session is closed. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Logon/Logoff - Audit Logoff - LastWrite - - - - AccountLogonLogoff_AuditLogon - - - - - 1 - This policy setting allows you to audit events generated by user account logon attempts on the computer. -Events in this subcategory are related to the creation of logon sessions and occur on the computer which was accessed. For an interactive logon, the security audit event is generated on the computer that the user account logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. The following events are included: - Successful logon attempts. - Failed logon attempts. - Logon attempts using explicit credentials. This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch logon configurations, such as scheduled tasks or when using the RUNAS command. - Security identifiers (SIDs) were filtered and not allowed to log on. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Logon/Logoff - Audit Logon - LastWrite - - - - AccountLogonLogoff_AuditNetworkPolicyServer - - - - - 3 - This policy setting allows you to audit events generated by RADIUS (IAS) and Network Access Protection (NAP) user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock. -If you configure this policy setting, an audit event is generated for each IAS and NAP user access request. Success audits record successful user access requests and Failure audits record unsuccessful attempts. -If you do not configure this policy settings, IAS and NAP user access requests are not audited. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Logon/Logoff - Audit Network Policy Server - LastWrite - - - - AccountLogonLogoff_AuditOtherLogonLogoffEvents - - - - - 0 - This policy setting allows you to audit other logon/logoff-related events that are not covered in the “Logon/Logoff” policy setting such as the following: - Terminal Services session disconnections. - New Terminal Services sessions. - Locking and unlocking a workstation. - Invoking a screen saver. - Dismissal of a screen saver. - Detection of a Kerberos replay attack, in which a Kerberos request was received twice with identical information. This condition could be caused by network misconfiguration. - Access to a wireless network granted to a user or computer account. - Access to a wired 802.1x network granted to a user or computer account. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Logon/Logoff - Audit Other Logon Logoff Events - LastWrite - - - - AccountLogonLogoff_AuditSpecialLogon - - - - - 1 - This policy setting allows you to audit events generated by special logons such as the following : - The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. - A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged. For more information about this feature, see article 947223 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=121697). - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Logon/Logoff - Audit Special Logon - LastWrite - - - - AccountLogonLogoff_AuditUserDeviceClaims - - - - - 0 - This policy allows you to audit user and device claims information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. - -User claims are added to a logon token when claims are included with a user's account attributes in Active Directory. Device claims are added to the logon token when claims are included with a device's computer account attributes in Active Directory. In addition, compound identity must be enabled for the domain and on the computer where the user logged on. - -When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the Audit Logon setting under Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff. Multiple events are generated if the user and device claims information cannot fit in a single security audit event. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Logon/Logoff - Audit User Device Claims - LastWrite - - - - AccountManagement_AuditApplicationGroupManagement - - - - - 0 - This policy setting allows you to audit events generated by changes to application groups such as the following: - Application group is created, changed, or deleted. - Member is added or removed from an application group. - -If you configure this policy setting, an audit event is generated when an attempt to change an application group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when an application group changes. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Account Management - Audit Application Group Management - LastWrite - - - - AccountManagement_AuditComputerAccountManagement - - - - - 0 - This policy setting allows you to audit events generated by changes to computer accounts such as when a computer account is created, changed, or deleted. - -If you configure this policy setting, an audit event is generated when an attempt to change a computer account is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when a computer account changes. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Account Management - Audit Computer Account Management - LastWrite - - - - AccountManagement_AuditDistributionGroupManagement - - - - - 0 - This policy setting allows you to audit events generated by changes to distribution groups such as the following: - Distribution group is created, changed, or deleted. - Member is added or removed from a distribution group. - Distribution group type is changed. - -If you configure this policy setting, an audit event is generated when an attempt to change a distribution group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when a distribution group changes. - -Note: Events in this subcategory are logged only on domain controllers. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Account Management - Audit Distributio Group Management - LastWrite - - - - AccountManagement_AuditOtherAccountManagementEvents - - - - - 0 - This policy setting allows you to audit events generated by other user account changes that are not covered in this category, such as the following: - The password hash of a user account was accessed. This typically happens during an Active Directory Management Tool password migration. - The Password Policy Checking API was called. Calls to this function can be part of an attack when a malicious application tests the policy to reduce the number of attempts during a password dictionary attack. - Changes to the Default Domain Group Policy under the following Group Policy paths: -Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy -Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Account Management - Audit Other Account Management Events - LastWrite - - - - AccountManagement_AuditSecurityGroupManagement - - - - - 1 - This policy setting allows you to audit events generated by changes to security groups such as the following: - Security group is created, changed, or deleted. - Member is added or removed from a security group. - Group type is changed. - -If you configure this policy setting, an audit event is generated when an attempt to change a security group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when a security group changes. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Account Management - Audit Security Group Management - LastWrite - - - - AccountManagement_AuditUserAccountManagement - - - - - 1 - This policy setting allows you to audit changes to user accounts. Events include the following: - A user account is created, changed, deleted; renamed, disabled, enabled, locked out, or unlocked. - A user account’s password is set or changed. - A security identifier (SID) is added to the SID History of a user account. - The Directory Services Restore Mode password is configured. - Permissions on administrative user accounts are changed. - Credential Manager credentials are backed up or restored. - -If you configure this policy setting, an audit event is generated when an attempt to change a user account is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when a user account changes. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Account Management - Audit User Account Management - LastWrite - - - - DetailedTracking_AuditDPAPIActivity - - - - - 0 - This policy setting allows you to audit events generated when encryption or decryption requests are made to the Data Protection application interface (DPAPI). DPAPI is used to protect secret information such as stored password and key information. For more information about DPAPI, see https://go.microsoft.com/fwlink/?LinkId=121720. - -If you configure this policy setting, an audit event is generated when an encryption or decryption request is made to DPAPI. Success audits record successful requests and Failure audits record unsuccessful requests. -If you do not configure this policy setting, no audit event is generated when an encryption or decryption request is made to DPAPI. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Detailed Tracking - Audit DPAPI Activity - LastWrite - - - - DetailedTracking_AuditPNPActivity - - - - - 0 - This policy setting allows you to audit when plug and play detects an external device. - -If you configure this policy setting, an audit event is generated whenever plug and play detects an external device. Only Success audits are recorded for this category. -If you do not configure this policy setting, no audit event is generated when an external device is detected by plug and play. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Detailed Tracking - Audit PNP Activity - LastWrite - - - - DetailedTracking_AuditProcessCreation - - - - - 0 - This policy setting allows you to audit events generated when a process is created or starts. The name of the application or user that created the process is also audited. - -If you configure this policy setting, an audit event is generated when a process is created. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when a process is created. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Detailed Tracking - Audit Process Creation - LastWrite - - - - DetailedTracking_AuditProcessTermination - - - - - 0 - This policy setting allows you to audit events generated when a process ends. - -If you configure this policy setting, an audit event is generated when a process ends. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when a process ends. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Detailed Tracking - Audit Process Termination - LastWrite - - - - DetailedTracking_AuditRPCEvents - - - - - 0 - This policy setting allows you to audit inbound remote procedure call (RPC) connections. - -If you configure this policy setting, an audit event is generated when a remote RPC connection is attempted. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when a remote RPC connection is attempted. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Detailed Tracking - Audit RPC Events - LastWrite - - - - DetailedTracking_AuditTokenRightAdjusted - - - - - 0 - This policy setting allows you to audit events generated by adjusting the privileges of a token. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Detailed Tracking - Audit Token Right Adjusted - LastWrite - - - - DSAccess_AuditDetailedDirectoryServiceReplication - - - - - 0 - This policy setting allows you to audit events generated by detailed Active Directory Domain Services (AD DS) replication between domain controllers. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~DS Access - Audit Detailed Directory Service Replication - LastWrite - - - - DSAccess_AuditDirectoryServiceAccess - - - - - 0 - This policy setting allows you to audit events generated when an Active Directory Domain Services (AD DS) object is accessed. - -Only AD DS objects with a matching system access control list (SACL) are logged. - -Events in this subcategory are similar to the Directory Service Access events available in previous versions of Windows. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~DS Access - Audit Directory Service Access - LastWrite - - - - DSAccess_AuditDirectoryServiceChanges - - - - - 0 - This policy setting allows you to audit events generated by changes to objects in Active Directory Domain Services (AD DS). Events are logged when an object is created, deleted, modified, moved, or undeleted. - -When possible, events logged in this subcategory indicate the old and new values of the object’s properties. - -Events in this subcategory are logged only on domain controllers, and only objects in AD DS with a matching system access control list (SACL) are logged. - -Note: Actions on some objects and properties do not cause audit events to be generated due to settings on the object class in the schema. - -If you configure this policy setting, an audit event is generated when an attempt to change an object in AD DS is made. Success audits record successful attempts, however unsuccessful attempts are NOT recorded. -If you do not configure this policy setting, no audit event is generated when an attempt to change an object in AD DS object is made. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~DS Access - Audit Directory Service Changes - LastWrite - - - - DSAccess_AuditDirectoryServiceReplication - - - - - 0 - This policy setting allows you to audit replication between two Active Directory Domain Services (AD DS) domain controllers. - -If you configure this policy setting, an audit event is generated during AD DS replication. Success audits record successful replication and Failure audits record unsuccessful replication. -If you do not configure this policy setting, no audit event is generated during AD DS replication. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~DS Access - Audit Directory Service Replication - LastWrite - - - - ObjectAccess_AuditApplicationGenerated - - - - - 0 - This policy setting allows you to audit applications that generate events using the Windows Auditing application programming interfaces (APIs). Applications designed to use the Windows Auditing API use this subcategory to log auditing events related to their function. -Events in this subcategory include: - Creation of an application client context. - Deletion of an application client context. - Initialization of an application client context. - Other application operations using the Windows Auditing APIs. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Object Access - Audit Application Generated - LastWrite - - - - ObjectAccess_AuditCentralAccessPolicyStaging - - - - - 0 - This policy setting allows you to audit access requests where the permission granted or denied by a proposed policy differs from the current central access policy on an object. - -If you configure this policy setting, an audit event is generated each time a user accesses an object and the permission granted by the current central access policy on the object differs from that granted by the proposed policy. The resulting audit event will be generated as follows: -1) Success audits, when configured, records access attempts when the current central access policy grants access but the proposed policy denies access. -2) Failure audits when configured records access attempts when: - a) The current central access policy does not grant access but the proposed policy grants access. - b) A principal requests the maximum access rights they are allowed and the access rights granted by the current central access policy are different than the access rights granted by the proposed policy. - -Volume: Potentially high on a file server when the proposed policy differs significantly from the current central access policy. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Object Access - Audit Central Access Policy Staging - LastWrite - - - - ObjectAccess_AuditCertificationServices - - - - - 0 - This policy setting allows you to audit Active Directory Certificate Services (AD CS) operations. -AD CS operations include the following: - AD CS startup/shutdown/backup/restore. - Changes to the certificate revocation list (CRL). - New certificate requests. - Issuing of a certificate. - Revocation of a certificate. - Changes to the Certificate Manager settings for AD CS. - Changes in the configuration of AD CS. - Changes to a Certificate Services template. - Importing of a certificate. - Publishing of a certification authority certificate is to Active Directory Domain Services. - Changes to the security permissions for AD CS. - Archival of a key. - Importing of a key. - Retrieval of a key. - Starting of Online Certificate Status Protocol (OCSP) Responder Service. - Stopping of Online Certificate Status Protocol (OCSP) Responder Service. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Object Access - Audit Certification Services - LastWrite - - - - ObjectAccess_AuditDetailedFileShare - - - - - 0 - This policy setting allows you to audit attempts to access files and folders on a shared folder. The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client and file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access. - -If you configure this policy setting, an audit event is generated when an attempt is made to access a file or folder on a share. The administrator can specify whether to audit only successes, only failures, or both successes and failures. - -Note: There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all shared files and folders on the system is audited. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Object Access - Audit Detailed File Share - LastWrite - - - - ObjectAccess_AuditFileShare - - - - - 0 - This policy setting allows you to audit attempts to access a shared folder. - -If you configure this policy setting, an audit event is generated when an attempt is made to access a shared folder. If this policy setting is defined, the administrator can specify whether to audit only successes, only failures, or both successes and failures. - -Note: There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all shared folders on the system is audited. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Object Access - Audit File Share - LastWrite - - - - ObjectAccess_AuditFileSystem - - - - - 0 - This policy setting allows you to audit user attempts to access file system objects. A security audit event is generated only for objects that have system access control lists (SACL) specified, and only if the type of access requested, such as Write, Read, or Modify and the account making the request match the settings in the SACL. For more information about enabling object access auditing, see https://go.microsoft.com/fwlink/?LinkId=122083. - -If you configure this policy setting, an audit event is generated each time an account accesses a file system object with a matching SACL. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when an account accesses a file system object with a matching SACL. - -Note: You can set a SACL on a file system object using the Security tab in that object's Properties dialog box. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Object Access - Audit File System - LastWrite - - - - ObjectAccess_AuditFilteringPlatformConnection - - - - - 0 - This policy setting allows you to audit connections that are allowed or blocked by the Windows Filtering Platform (WFP). The following events are included: - The Windows Firewall Service blocks an application from accepting incoming connections on the network. - The WFP allows a connection. - The WFP blocks a connection. - The WFP permits a bind to a local port. - The WFP blocks a bind to a local port. - The WFP allows a connection. - The WFP blocks a connection. - The WFP permits an application or service to listen on a port for incoming connections. - The WFP blocks an application or service to listen on a port for incoming connections. - -If you configure this policy setting, an audit event is generated when connections are allowed or blocked by the WFP. Success audits record events generated when connections are allowed and Failure audits record events generated when connections are blocked. -If you do not configure this policy setting, no audit event is generated when connected are allowed or blocked by the WFP. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Object Access - Audit Filtering Platform Connection - LastWrite - - - - ObjectAccess_AuditFilteringPlatformPacketDrop - - - - - 0 - This policy setting allows you to audit packets that are dropped by Windows Filtering Platform (WFP). - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Object Access - Audit Filtering Platform Packet Drop - LastWrite - - - - ObjectAccess_AuditHandleManipulation - - - - - 0 - This policy setting allows you to audit events generated when a handle to an object is opened or closed. Only objects with a matching system access control list (SACL) generate security audit events. - -If you configure this policy setting, an audit event is generated when a handle is manipulated. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when a handle is manipulated. - -Note: Events in this subcategory generate events only for object types where the corresponding Object Access subcategory is enabled. For example, if File system object access is enabled, handle manipulation security audit events are generated. If Registry object access is not enabled, handle manipulation security audit events will not be generated. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Object Access - Audit Handle Manipulation - LastWrite - - - - ObjectAccess_AuditKernelObject - - - - - 0 - This policy setting allows you to audit attempts to access the kernel, which include mutexes and semaphores. -Only kernel objects with a matching system access control list (SACL) generate security audit events. - -Note: The Audit: Audit the access of global system objects policy setting controls the default SACL of kernel objects. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Object Access - Audit Kernel Object - LastWrite - - - - ObjectAccess_AuditOtherObjectAccessEvents - - - - - 0 - This policy setting allows you to audit events generated by the management of task scheduler jobs or COM+ objects. -For scheduler jobs, the following are audited: - Job created. - Job deleted. - Job enabled. - Job disabled. - Job updated. -For COM+ objects, the following are audited: - Catalog object added. - Catalog object updated. - Catalog object deleted. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Object Access - Audit Other Object Access Events - LastWrite - - - - ObjectAccess_AuditRegistry - - - - - 0 - This policy setting allows you to audit attempts to access registry objects. A security audit event is generated only for objects that have system access control lists (SACLs) specified, and only if the type of access requested, such as Read, Write, or Modify, and the account making the request match the settings in the SACL. - -If you configure this policy setting, an audit event is generated each time an account accesses a registry object with a matching SACL. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when an account accesses a registry object with a matching SACL. - -Note: You can set a SACL on a registry object using the Permissions dialog box. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Object Access - Audit Registry - LastWrite - - - - ObjectAccess_AuditRemovableStorage - - - - - 0 - This policy setting allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested. - -If you configure this policy setting, an audit event is generated each time an account accesses a file system object on a removable storage. Success audits record successful attempts and Failure audits record unsuccessful attempts. - -If you do not configure this policy setting, no audit event is generated when an account accesses a file system object on a removable storage. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Object Access - Audit Removable Storage - LastWrite - - - - ObjectAccess_AuditSAM - - - - - 0 - This policy setting allows you to audit events generated by attempts to access to Security Accounts Manager (SAM) objects. -SAM objects include the following: - SAM_ALIAS -- A local group. - SAM_GROUP -- A group that is not a local group. - SAM_USER – A user account. - SAM_DOMAIN – A domain. - SAM_SERVER – A computer account. -If you configure this policy setting, an audit event is generated when an attempt to access a kernel object is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when an attempt to access a kernel object is made. -Note: Only the System Access Control List (SACL) for SAM_SERVER can be modified. -Volume: High on domain controllers. For information about reducing the amount of events generated in this subcategory, see article 841001 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=121698). - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Object Access - Audit SAM - LastWrite - - - - PolicyChange_AuditAuthenticationPolicyChange - - - - - 1 - This policy setting allows you to audit events generated by changes to the authentication policy such as the following: - Creation of forest and domain trusts. - Modification of forest and domain trusts. - Removal of forest and domain trusts. - Changes to Kerberos policy under Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy. - Granting of any of the following user rights to a user or group: - Access This Computer From the Network. - Allow Logon Locally. - Allow Logon Through Terminal Services. - Logon as a Batch Job. - Logon a Service. - Namespace collision. For example, when a new trust has the same name as an existing namespace name. - -If you configure this policy setting, an audit event is generated when an attempt to change the authentication policy is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when the authentication policy is changed. - -Note: The security audit event is logged when the group policy is applied. It does not occur at the time when the settings are modified. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Policy Change - Audit Authentication Policy Change - LastWrite - - - - PolicyChange_AuditAuthorizationPolicyChange - - - - - 0 - This policy setting allows you to audit events generated by changes to the authorization policy such as the following: - Assignment of user rights (privileges), such as SeCreateTokenPrivilege, that are not audited through the “Authentication Policy Change” subcategory. - Removal of user rights (privileges), such as SeCreateTokenPrivilege, that are not audited through the “Authentication Policy Change” subcategory. - Changes in the Encrypted File System (EFS) policy. - Changes to the Resource attributes of an object. - Changes to the Central Access Policy (CAP) applied to an object. - -If you configure this policy setting, an audit event is generated when an attempt to change the authorization policy is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when the authorization policy changes. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Policy Change - Audit Authorization Policy Change - LastWrite - - - - PolicyChange_AuditFilteringPlatformPolicyChange - - - - - 0 - This policy setting allows you to audit events generated by changes to the Windows Filtering Platform (WFP) such as the following: - IPsec services status. - Changes to IPsec policy settings. - Changes to Windows Firewall policy settings. - Changes to WFP providers and engine. - -If you configure this policy setting, an audit event is generated when a change to the WFP is attempted. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when a change occurs to the WFP. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Policy Change - Audit Filtering Platform Policy Change - LastWrite - - - - PolicyChange_AuditMPSSVCRuleLevelPolicyChange - - - - - 0 - This policy setting allows you to audit events generated by changes in policy rules used by the Microsoft Protection Service (MPSSVC). This service is used by Windows Firewall. Events include the following: - Reporting of active policies when Windows Firewall service starts. - Changes to Windows Firewall rules. - Changes to Windows Firewall exception list. - Changes to Windows Firewall settings. - Rules ignored or not applied by Windows Firewall Service. - Changes to Windows Firewall Group Policy settings. - -If you configure this policy setting, an audit event is generated by attempts to change policy rules used by the MPSSVC. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated by changes in policy rules used by the MPSSVC. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Policy Change - Audit MPSSVC Rule Level Policy Change - LastWrite - - - - PolicyChange_AuditOtherPolicyChangeEvents - - - - - 0 - This policy setting allows you to audit events generated by other security policy changes that are not audited in the policy change category, such as the following: - Trusted Platform Module (TPM) configuration changes. - Kernel-mode cryptographic self tests. - Cryptographic provider operations. - Cryptographic context operations or modifications. - Applied Central Access Policies (CAPs) changes. - Boot Configuration Data (BCD) modifications. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Policy Change - Audit Other Policy Change Events - LastWrite - - - - PolicyChange_AuditPolicyChange - - - - - 1 - This policy setting allows you to audit changes in the security audit policy settings such as the following: - Settings permissions and audit settings on the Audit Policy object. - Changes to the system audit policy. - Registration of security event sources. - De-registration of security event sources. - Changes to the per-user audit settings. - Changes to the value of CrashOnAuditFail. - Changes to the system access control list on a file system or registry object. - Changes to the Special Groups list. - -Note: System access control list (SACL) change auditing is done when a SACL for an object changes and the policy change category is enabled. Discretionary access control list (DACL) and ownership changes are audited when object access auditing is enabled and the object's SACL is configured for auditing of DACL/Owner change. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Policy Change - Audit Policy Change - LastWrite - - - - PrivilegeUse_AuditNonSensitivePrivilegeUse - - - - - 0 - This policy setting allows you to audit events generated by the use of non-sensitive privileges (user rights). -The following privileges are non-sensitive: - Access Credential Manager as a trusted caller. - Access this computer from the network. - Add workstations to domain. - Adjust memory quotas for a process. - Allow log on locally. - Allow log on through Terminal Services. - Bypass traverse checking. - Change the system time. - Create a pagefile. - Create global objects. - - Create permanent shared objects. - Create symbolic links. - Deny access this computer from the network. - Deny log on as a batch job. - Deny log on as a service. - Deny log on locally. - Deny log on through Terminal Services. - Force shutdown from a remote system. - Increase a process working set. - Increase scheduling priority. - Lock pages in memory. - Log on as a batch job. - Log on as a service. - Modify an object label. - Perform volume maintenance tasks. - Profile single process. - Profile system performance. - Remove computer from docking station. - Shut down the system. - Synchronize directory service data. - -If you configure this policy setting, an audit event is generated when a non-sensitive privilege is called. Success audits record successful calls and Failure audits record unsuccessful calls. -If you do not configure this policy setting, no audit event is generated when a non-sensitive privilege is called. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Privilege Use - Audit Non Sensitive Privilege Use - LastWrite - - - - PrivilegeUse_AuditOtherPrivilegeUseEvents - - - - - 0 - Not used. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Privilege Use - Audit Other Privilege Use Events - LastWrite - - - - PrivilegeUse_AuditSensitivePrivilegeUse - - - - - 0 - This policy setting allows you to audit events generated when sensitive privileges (user rights) are used such as the following: - A privileged service is called. - One of the following privileges are called: - Act as part of the operating system. - Back up files and directories. - Create a token object. - Debug programs. - Enable computer and user accounts to be trusted for delegation. - Generate security audits. - Impersonate a client after authentication. - Load and unload device drivers. - Manage auditing and security log. - Modify firmware environment values. - Replace a process-level token. - Restore files and directories. - Take ownership of files or other objects. - -If you configure this policy setting, an audit event is generated when sensitive privilege requests are made. Success audits record successful requests and Failure audits record unsuccessful requests. -If you do not configure this policy setting, no audit event is generated when sensitive privilege requests are made. - - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Privilege Use - Audit Sensitive Privilege Use - LastWrite - - - - System_AuditIPsecDriver - - - - - 0 - This policy setting allows you to audit events generated by the IPsec filter driver such as the following: - Startup and shutdown of the IPsec services. - Network packets dropped due to integrity check failure. - Network packets dropped due to replay check failure. - Network packets dropped due to being in plaintext. - Network packets received with incorrect Security Parameter Index (SPI). This may indicate that either the network card is not working correctly or the driver needs to be updated. - Inability to process IPsec filters. - -If you configure this policy setting, an audit event is generated on an IPsec filter driver operation. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated on an IPSec filter driver operation. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~System - Audit IPsec Driver - LastWrite - - - - System_AuditOtherSystemEvents - - - - - 3 - This policy setting allows you to audit any of the following events: - Startup and shutdown of the Windows Firewall service and driver. - Security policy processing by the Windows Firewall Service. - Cryptography key file and migration operations. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~System - Audit Other System Events - LastWrite - - - - System_AuditSecurityStateChange - - - - - 1 - This policy setting allows you to audit events generated by changes in the security state of the computer such as the following events: - Startup and shutdown of the computer. - Change of system time. - Recovering the system from CrashOnAuditFail, which is logged after a system restarts when the security event log is full and the CrashOnAuditFail registry entry is configured. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~System - Audit Security State Change - LastWrite - - - - System_AuditSecuritySystemExtension - - - - - 0 - This policy setting allows you to audit events related to security system extensions or services such as the following: - A security system extension, such as an authentication, notification, or security package is loaded and is registered with the Local Security Authority (LSA). It is used to authenticate logon attempts, submit logon requests, and any account or password changes. Examples of security system extensions are Kerberos and NTLM. - A service is installed and registered with the Service Control Manager. The audit log contains information about the service name, binary, type, start type, and service account. -If you configure this policy setting, an audit event is generated when an attempt is made to load a security system extension. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when an attempt is made to load a security system extension. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~System - Audit Security System Extension - LastWrite - - - - System_AuditSystemIntegrity - - - - - 3 - This policy setting allows you to audit events that violate the integrity of the security subsystem, such as the following: - Events that could not be written to the event log because of a problem with the auditing system. - A process that uses a local procedure call (LPC) port that is not valid in an attempt to impersonate a client by replying, reading, or writing to or from a client address space. - The detection of a Remote Procedure Call (RPC) that compromises system integrity. - The detection of a hash value of an executable file that is not valid as determined by Code Integrity. - Cryptographic operations that compromise system integrity. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~System - Audit System Integrity - LastWrite - - - - - Authentication - - - - - - - - - - - - - - - - - - - AllowAadPasswordReset - - - - - 0 - Specifies whether password reset is enabled for AAD accounts. - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowFastReconnect - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowSecondaryAuthenticationDevice - - - - - 0 - - - - - - - - - - - - text/plain - - - DeviceCredential.admx - DeviceCredential~AT~WindowsComponents~MSSecondaryAuthFactorCategory - MSSecondaryAuthFactor_AllowSecondaryAuthenticationDevice - LowestValueMostSecure - - - - ConfigureWebcamAccessDomainNames - - - - - - Specifies a list of domains that are allowed to access the webcam in CXH-based authentication scenarios. - - - - - - - - - - - text/plain - - LastWrite - ; - - - - EnableFastFirstSignIn - - - - - 0 - Specifies whether new non-admin AAD accounts should auto-connect to pre-created candidate local accounts - - - - - - - - - - - text/plain - - - phone - LastWrite - - - - EnableWebSignIn - - - - - 0 - Specifies whether web-based sign in is allowed for logging in to Windows - - - - - - - - - - - text/plain - - - phone - LastWrite - - - - PreferredAadTenantDomainName - - - - - - Specifies the preferred domain among available domains in the AAD tenant. - - - - - - - - - - - text/plain - - LastWrite - - - - - Autoplay - - - - - - - - - - - - - - - - - - - DisallowAutoplayForNonVolumeDevices - - - - - - - - - - - - - - - - - text/plain - - phone - AutoPlay.admx - AutoPlay~AT~WindowsComponents~AutoPlay - NoAutoplayfornonVolume - LastWrite - - - - SetDefaultAutoRunBehavior - - - - - - - - - - - - - - - - - text/plain - - phone - AutoPlay.admx - AutoPlay~AT~WindowsComponents~AutoPlay - NoAutorun - LastWrite - - - - TurnOffAutoPlay - - - - - - - - - - - - - - - - - text/plain - - phone - AutoPlay.admx - AutoPlay~AT~WindowsComponents~AutoPlay - Autorun - LastWrite - - - - - Bitlocker - - - - - - - - - - - - - - - - - - - EncryptionMethod - - - - - 6 - - - - - - - - - - - - text/plain - - - LastWrite - - - - - BITS - - - - - - - - - - - - - - - - - - - BandwidthThrottlingEndTime - - - - - 17 - - - - - - - - - - - - text/plain - - - Bits.admx - BITS_BandwidthLimitSchedTo - Bits~AT~Network~BITS - BITS_MaxBandwidth - LastWrite - - - - BandwidthThrottlingStartTime - - - - - 8 - - - - - - - - - - - - text/plain - - - Bits.admx - BITS_BandwidthLimitSchedFrom - Bits~AT~Network~BITS - BITS_MaxBandwidth - LastWrite - - - - BandwidthThrottlingTransferRate - - - - - 1000 - - - - - - - - - - - - text/plain - - - Bits.admx - BITS_MaxTransferRateText - Bits~AT~Network~BITS - BITS_MaxBandwidth - LastWrite - - - - CostedNetworkBehaviorBackgroundPriority - - - - - 1 - - - - - - - - - - - - text/plain - - - Bits.admx - BITS_TransferPolicyNormalPriorityValue - Bits~AT~Network~BITS - BITS_SetTransferPolicyOnCostedNetwork - LastWrite - - - - CostedNetworkBehaviorForegroundPriority - - - - - 1 - - - - - - - - - - - - text/plain - - - Bits.admx - BITS_TransferPolicyForegroundPriorityValue - Bits~AT~Network~BITS - BITS_SetTransferPolicyOnCostedNetwork - LastWrite - - - - JobInactivityTimeout - - - - - 90 - - - - - - - - - - - - text/plain - - - Bits.admx - BITS_Job_Timeout_Time - Bits~AT~Network~BITS - BITS_Job_Timeout - LastWrite - - - - - Bluetooth - - - - - - - - - - - - - - - - - - - AllowAdvertising - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowDiscoverableMode - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowPrepairing - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowPromptedProximalConnections - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - LocalDeviceName - - - - - - - - - - - - - - - - - text/plain - - LastWrite - - - - ServicesAllowedList - - - - - - - - - - - - - - - - - text/plain - - LastWrite - - - - SetMinimumEncryptionKeySize - - - - - 0 - - - - - - - - - - - - text/plain - - - LastWrite - - - - - Browser - - - - - - - - - - - - - - - - - - - AllowAddressBarDropdown - - - - - 1 - This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowAddressBarDropdown - LowestValueMostSecure - - - - AllowAutofill - - - - - 0 - This setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowAutofill - LowestValueMostSecure - - - - AllowBrowser - - - - - 1 - - - - - - - - - - - - text/plain - - - desktop - LowestValueMostSecure - - - - AllowConfigurationUpdateForBooksLibrary - - - - - 1 - This policy setting lets you decide whether Microsoft Edge can automatically update the configuration data for the Books Library. - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowCookies - - - - - 2 - This setting lets you configure how your company deals with cookies. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - CookiesListBox - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - Cookies - LowestValueMostSecure - - - - AllowDeveloperTools - - - - - 1 - This setting lets you decide whether employees can use F12 Developer Tools on Microsoft Edge. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowDeveloperTools - LowestValueMostSecure - - - - AllowDoNotTrack - - - - - 0 - This setting lets you decide whether employees can send Do Not Track headers to websites that request tracking info. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowDoNotTrack - LowestValueMostSecure - - - - AllowExtensions - - - - - 1 - This setting lets you decide whether employees can load extensions in Microsoft Edge. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowExtensions - LowestValueMostSecure - - - - AllowFlash - - - - - 1 - This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowFlash - HighestValueMostSecure - - - - AllowFlashClickToRun - - - - - 1 - Configure the Adobe Flash Click-to-Run setting. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowFlashClickToRun - HighestValueMostSecure - - - - AllowFullScreenMode - - - - - 1 - With this policy, you can specify whether to allow full-screen mode, which shows only the web content and hides the Microsoft Edge UI. - -If enabled or not configured, full-screen mode is available for use in Microsoft Edge. Your users and extensions must have the proper permissions. - -If disabled, full-screen mode is unavailable for use in Microsoft Edge. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowFullScreenMode - LowestValueMostSecure - - - - AllowInPrivate - - - - - 1 - This setting lets you decide whether employees can browse using InPrivate website browsing. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowInPrivate - LowestValueMostSecure - - - - AllowMicrosoftCompatibilityList - - - - - 1 - This policy setting lets you decide whether the Microsoft Compatibility List is enabled or disabled in Microsoft Edge. This feature uses a Microsoft-provided list to ensure that any sites with known compatibility issues are displayed correctly when a user navigates to them. By default, the Microsoft Compatibility List is enabled and can be viewed by navigating to about:compat. - -If you enable or don’t configure this setting, Microsoft Edge will periodically download the latest version of the list from Microsoft and will apply the configurations specified there during browser navigation. If a user visits a site on the Microsoft Compatibility List, he or she will be prompted to open the site in Internet Explorer 11. Once in Internet Explorer, the site will automatically be rendered as if the user is viewing it in the previous version of Internet Explorer it requires to display correctly. - -If you disable this setting, the Microsoft Compatibility List will not be used during browser navigation. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowCVList - LowestValueMostSecure - - - - AllowPasswordManager - - - - - 1 - This setting lets you decide whether employees can save their passwords locally, using Password Manager. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowPasswordManager - LowestValueMostSecure - - - - AllowPopups - - - - - 0 - This setting lets you decide whether to turn on Pop-up Blocker and whether to allow pop-ups to appear in secondary windows. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowPopups - LowestValueMostSecure - - - - AllowPrelaunch - - - - - 1 - Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowPrelaunch - LowestValueMostSecure - - - - AllowPrinting - - - - - 1 - With this policy, you can restrict whether printing web content in Microsoft Edge is allowed. - -If enabled, printing is allowed. - -If disabled, printing is not allowed. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowPrinting - LowestValueMostSecure - - - - AllowSavingHistory - - - - - 1 - Microsoft Edge saves your user's browsing history, which is made up of info about the websites they visit, on their devices. - -If enabled or not configured, the browsing history is saved and visible in the History pane. - -If disabled, the browsing history stops saving and is not visible in the History pane. If browsing history exists before this policy was disabled, the previous browsing history remains visible in the History pane. This policy, when disabled, does not stop roaming of existing history or history coming from other roamed devices. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowSavingHistory - LowestValueMostSecure - - - - AllowSearchEngineCustomization - - - - - 1 - Allow search engine customization for MDM enrolled devices. Users can change their default search engine. - -If this setting is turned on or not configured, users can add new search engines and change the default used in the address bar from within Microsoft Edge Settings. -If this setting is disabled, users will be unable to add search engines or change the default used in the address bar. - -This policy will only apply on domain joined machines or when the device is MDM enrolled. For more information, see Microsoft browser extension policy (aka.ms/browserpolicy). - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowSearchEngineCustomization - LowestValueMostSecure - - - - AllowSearchSuggestionsinAddressBar - - - - - 1 - This setting lets you decide whether search suggestions should appear in the Address bar of Microsoft Edge. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowSearchSuggestionsinAddressBar - LowestValueMostSecure - - - - AllowSideloadingOfExtensions - - - - - 1 - This setting lets you decide whether employees can sideload extensions in Microsoft Edge. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowSideloadingOfExtensions - LowestValueMostSecure - - - - AllowSmartScreen - - - - - 1 - This setting lets you decide whether to turn on Windows Defender SmartScreen. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowSmartScreen - LowestValueMostSecure - - - - AllowTabPreloading - - - - - 1 - Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowTabPreloading - LowestValueMostSecure - - - - AllowWebContentOnNewTabPage - - - - - 1 - This policy setting lets you configure what appears when Microsoft Edge opens a new tab. By default, Microsoft Edge opens the New Tab page. - -If you enable this setting, Microsoft Edge opens a new tab with the New Tab page. - -If you disable this setting, Microsoft Edge opens a new tab with a blank page. If you use this setting, employees can't change it. - -If you don't configure this setting, employees can choose how new tabs appears. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowWebContentOnNewTabPage - LowestValueMostSecure - - - - AlwaysEnableBooksLibrary - - - - - 0 - Specifies whether the Books Library in Microsoft Edge will always be visible regardless of the country or region setting for the device. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AlwaysEnableBooksLibrary - LowestValueMostSecure - - - - ClearBrowsingDataOnExit - - - - - 0 - Specifies whether to always clear browsing history on exiting Microsoft Edge. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowClearingBrowsingDataOnExit - LowestValueMostSecure - - - - ConfigureAdditionalSearchEngines - - - - - - Allows you to add up to 5 additional search engines for MDM-enrolled devices. - -If this setting is turned on, you can add up to 5 additional search engines for your employee. For each additional search engine you wish to add, you must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. This policy does not affect the default search engine. Employees will not be able to remove these search engines, but they can set any one of these as the default. - -If this setting is not configured, the search engines are the ones specified in the App settings. If this setting is disabled, the search engines you had added will be deleted from your employee's machine. - -Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. - - - - - - - - - - - text/plain - - MicrosoftEdge.admx - ConfigureAdditionalSearchEngines_Prompt - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - ConfigureAdditionalSearchEngines - LastWrite - - - - ConfigureFavoritesBar - - - - - 0 - The favorites bar shows your user's links to sites they have added to it. With this policy, you can specify whether to set the favorites bar to always be visible or hidden on any page. - -If enabled, favorites bar is always visible on any page, and the favorites bar toggle in Settings sets to On, but disabled preventing your users from making changes. An error message also shows at the top of the Settings pane indicating that your organization manages some settings. The show bar/hide bar option is hidden from the context menu. - -If disabled, the favorites bar is hidden, and the favorites bar toggle resets to Off, but disabled preventing your users from making changes. An error message also shows at the top of the Settings pane indicating that your organization manages some settings. - -If not configured, the favorites bar is hidden but is visible on the Start and New Tab pages, and the favorites bar toggle in Settings sets to Off but is enabled allowing the user to make changes. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - ConfigureFavoritesBar - LowestValueMostSecure - - - - ConfigureHomeButton - - - - - 0 - The Home button loads either the default Start page, the New tab page, or a URL defined in the Set Home Button URL policy. - -By default, this policy is disabled or not configured and clicking the home button loads the default Start page. - -When enabled, the home button is locked down preventing your users from making changes in Microsoft Edge's UI settings. To let your users change the Microsoft Edge UI settings, enable the Unlock Home Button policy. - -If Enabled AND: -- Show home button & set to Start page is selected, clicking the home button loads the Start page. -- Show home button & set to New tab page is selected, clicking the home button loads a New tab page. -- Show home button & set a specific page is selected, clicking the home button loads the URL specified in the Set Home Button URL policy. -- Hide home button is selected, the home button is hidden in Microsoft Edge. - -Default setting: Disabled or not configured -Related policies: -- Set Home Button URL -- Unlock Home Button - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - ConfigureHomeButtonDropdown - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - ConfigureHomeButton - LastWrite - - - - ConfigureKioskMode - - - - - 0 - Configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access, either as a single app or as one of multiple apps running on the kiosk device. You can control whether Microsoft Edge runs InPrivate full screen, InPrivate multi-tab with limited functionality, or normal Microsoft Edge. - -You need to configure Microsoft Edge in assigned access for this policy to take effect; otherwise, these settings are ignored. To learn more about assigned access and kiosk configuration, see “Configure kiosk and shared devices running Windows desktop editions” (https://aka.ms/E489vw). - -If enabled and set to 0 (Default or not configured): -- If it’s a single app, it runs InPrivate full screen for digital signage or interactive displays. -- If it’s one of many apps, Microsoft Edge runs as normal. -If enabled and set to 1: -- If it’s a single app, it runs a limited multi-tab version of InPrivate and is the only app available for public browsing. Users can’t minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking “End session.” You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy. -- If it’s one of many apps, it runs in a limited multi-tab version of InPrivate for public browsing with other apps. Users can minimize, close, and open multiple InPrivate windows, but they can’t customize Microsoft Edge. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - ConfigureKioskMode_TextBox - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - ConfigureKioskMode - LastWrite - - - - ConfigureKioskResetAfterIdleTimeout - - - - - 5 - You can configure Microsoft Edge to reset to the configured start experience after a specified amount of idle time. The reset timer begins after the last user interaction. Resetting to the configured start experience deletes the current user’s browsing data. - -If enabled, you can set the idle time in minutes (0-1440). You must set the Configure kiosk mode policy to 1 and configure Microsoft Edge in assigned access as a single app for this policy to work. Once the idle time meets the time specified, a confirmation message prompts the user to continue, and if no user action, Microsoft Edge resets after 30 seconds. - -If you set this policy to 0, Microsoft Edge does not use an idle timer. - -If disabled or not configured, the default value is 5 minutes. - -If you do not configure Microsoft Edge in assigned access, then this policy does not take effect. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - ConfigureKioskResetAfterIdleTimeout_TextBox - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - ConfigureKioskResetAfterIdleTimeout - LastWrite - - - - ConfigureOpenMicrosoftEdgeWith - - - - - 3 - You can configure Microsoft Edge to lock down the Start page, preventing users from changing or customizing it. - -If enabled, you can choose one of the following options: -- Start page: the Start page loads ignoring the Configure Start Pages policy. -- New tab page: the New tab page loads ignoring the Configure Start Pages policy. -- Previous pages: all tabs the user had open when Microsoft Edge last closed loads ignoring the Configure Start Pages policy. -- A specific page or pages: the URL(s) specified with Configure Start Pages policy load(s). If selected, you must specify at least one URL in Configure Start Pages; otherwise, this policy is ignored. - -When enabled, and you want to make changes, you must first set the Disable Lockdown of Start Pages to not configured, make the changes to the Configure Open Edge With policy, and then enable the Disable Lockdown of Start Pages policy. - -If disabled or not configured, and you enable the Disable Lockdown of Start Pages policy, your users can change or customize the Start page. - -Default setting: A specific page or pages (default) -Related policies: --Disable Lockdown of Start Pages --Configure Start Pages - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - ConfigureOpenEdgeWithListBox - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - ConfigureOpenEdgeWith - LastWrite - - - - ConfigureTelemetryForMicrosoft365Analytics - - - - - 0 - Configures what browsing data will be sent to Microsoft 365 Analytics for devices belonging to an organization. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - ZonesListBox - MicrosoftEdge~AT~WindowsComponents~DataCollectionAndPreviewBuilds - ConfigureTelemetryForMicrosoft365Analytics - LowestValueMostSecure - - - - DisableLockdownOfStartPages - - - - - 0 - You can configure Microsoft Edge to disable the lockdown of Start pages allowing users to change or customize their start pages. To do this, you must also enable the Configure Start Pages or Configure Open Microsoft With policy. When enabled, all configured start pages are editable. Any Start page configured using the Configure Start pages policy is not locked down allowing users to edit their Start pages. - -If disabled or not configured, the Start pages configured in the Configure Start Pages policy cannot be changed and remain locked down. - -Supported devices: Domain-joined or MDM-enrolled -Related policy: -- Configure Start Pages -- Configure Open Microsoft Edge With - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - DisableLockdownOfStartPagesListBox - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - DisableLockdownOfStartPages - LowestValueMostSecure - - - - EnableExtendedBooksTelemetry - - - - - 0 - This setting allows organizations to send extended telemetry on book usage from the Books Library. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - EnableExtendedBooksTelemetry - LowestValueMostSecure - - - - EnterpriseModeSiteList - - - - - - This setting lets you configure whether your company uses Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy websites. - - - - - - - - - - - text/plain - - phone - MicrosoftEdge.admx - EnterSiteListPrompt - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - EnterpriseModeSiteList - LastWrite - - - - EnterpriseSiteListServiceUrl - - - - - - - - - - - - - - - - - text/plain - - phone - LastWrite - - - - FirstRunURL - - - - - - Configure first run URL. - - - - - - - - - - - text/plain - - desktop - LastWrite - - - - HomePages - - - - - - When you enable the Configure Open Microsoft Edge With policy, you can configure one or more Start pages. When you enable this policy, users are not allowed to make changes to their Start pages. - -If enabled, you must include URLs to the pages, separating multiple pages using angle brackets in the following format: - - <support.contoso.com><support.microsoft.com> - -If disabled or not configured, the webpages specified in App settings loads as the default Start pages. - -Version 1703 or later: -If you do not want to send traffic to Microsoft, enable this policy and use the <about:blank> value, which honors domain- and non-domain-joined devices, when it is the only configured URL. - -Version 1809: -If enabled, and you select either Start page, New Tab page, or previous page in the Configure Open Microsoft Edge With policy, Microsoft Edge ignores the Configure Start Pages policy. If not configured or you set the Configure Open Microsoft Edge With policy to a specific page or pages, Microsoft Edge uses the Configure Start Pages policy. - -Supported devices: Domain-joined or MDM-enrolled -Related policy: -- Configure Open Microsoft Edge With -- Disable Lockdown of Start Pages - - - - - - - - - - - text/plain - - phone - MicrosoftEdge.admx - HomePagesPrompt - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - HomePages - LastWrite - - - - LockdownFavorites - - - - - 0 - This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge. - -If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off. - -Important -Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. - -If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - LockdownFavorites - LowestValueMostSecure - - - - PreventAccessToAboutFlagsInMicrosoftEdge - - - - - 0 - Prevent access to the about:flags page in Microsoft Edge. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - PreventAccessToAboutFlagsInMicrosoftEdge - HighestValueMostSecure - - - - PreventCertErrorOverrides - - - - - 0 - Web security certificates are used to ensure a site your users go to is legitimate, and in some circumstances encrypts the data. With this policy, you can specify whether to prevent users from bypassing the security warning to sites that have SSL errors. - -If enabled, overriding certificate errors are not allowed. - -If disabled or not configured, overriding certificate errors are allowed. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - PreventCertErrorOverrides - HighestValueMostSecure - - - - PreventFirstRunPage - - - - - 0 - Specifies whether the First Run webpage is prevented from automatically opening on the first launch of Microsoft Edge. This policy is only available for Windows 10 version 1703 or later for desktop. - -Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - PreventFirstRunPage - HighestValueMostSecure - - - - PreventLiveTileDataCollection - - - - - 0 - This policy lets you decide whether Microsoft Edge can gather Live Tile metadata from the ieonline.microsoft.com service to provide a better experience while pinning a Live Tile to the Start menu. - -Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - PreventLiveTileDataCollection - HighestValueMostSecure - - - - PreventSmartScreenPromptOverride - - - - - 0 - Don't allow Windows Defender SmartScreen warning overrides - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - PreventSmartScreenPromptOverride - HighestValueMostSecure - - - - PreventSmartScreenPromptOverrideForFiles - - - - - 0 - Don't allow Windows Defender SmartScreen warning overrides for unverified files. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - PreventSmartScreenPromptOverrideForFiles - HighestValueMostSecure - - - - PreventTurningOffRequiredExtensions - - - - - - You can define a list of extensions in Microsoft Edge that users cannot turn off. You must deploy extensions through any available enterprise deployment channel, such as Microsoft Intune. When you enable this policy, users cannot uninstall extensions from their computer, but they can configure options for extensions defined in this policy, such as allow for InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically. - -When you enable this policy, you must provide a semi-colon delimited list of extension package family names (PFNs). For example, adding Microsoft.OneNoteWebClipper_8wekyb3d8bbwe;Microsoft.OfficeOnline_8wekyb3d8bbwe prevents a user from turning off the OneNote Web Clipper and Office Online extension. - -When enabled, removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. - -If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension. - -If disabled or not configured, extensions defined as part of this policy get ignored. - -Default setting: Disabled or not configured -Related policies: Allow Developer Tools -Related Documents: -- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/en-us/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn) -- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/en-us/intune/windows-store-for-business) -- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/en-us/intune/apps-deploy) -- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/en-us/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) -- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/en-us/intune/lob-apps-windows) - - - - - - - - - - - text/plain - - phone - MicrosoftEdge.admx - PreventTurningOffRequiredExtensions_Prompt - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - PreventTurningOffRequiredExtensions - LastWrite - - - - PreventUsingLocalHostIPAddressForWebRTC - - - - - 0 - Prevent using localhost IP address for WebRTC - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - HideLocalHostIPAddress - HighestValueMostSecure - - - - ProvisionFavorites - - - - - - This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. - -If you enable this setting, you can set favorite URL's and favorite folders to appear on top of users' favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites. - -Important -Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. - -If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar. - - - - - - - - - - - text/plain - - MicrosoftEdge.admx - ConfiguredFavoritesPrompt - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - ConfiguredFavorites - LastWrite - - - - SendIntranetTraffictoInternetExplorer - - - - - 0 - Sends all intranet traffic over to Internet Explorer. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - SendIntranetTraffictoInternetExplorer - HighestValueMostSecure - - - - SetDefaultSearchEngine - - - - - - Sets the default search engine for MDM-enrolled devices. Users can still change their default search engine. - -If this setting is turned on, you are setting the default search engine that you would like your employees to use. Employees can still change the default search engine, unless you apply the AllowSearchEngineCustomization policy which will disable the ability to change it. You must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. If you would like for your employees to use the Edge factory settings for the default search engine for their market, set the string EDGEDEFAULT; if you would like for your employees to use Bing as the default search engine, set the string EDGEBING. - -If this setting is not configured, the default search engine is set to the one specified in App settings and can be changed by your employees. If this setting is disabled, the policy-set search engine will be removed, and, if it is the current default, the default will be set back to the factory Microsoft Edge search engine for the market. - -Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. - - - - - - - - - - - text/plain - - MicrosoftEdge.admx - SetDefaultSearchEngine_Prompt - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - SetDefaultSearchEngine - LastWrite - - - - SetHomeButtonURL - - - - - - The home button can be configured to load a custom URL when your user clicks the home button. - -If enabled, or configured, and the Configure Home Button policy is enabled, and the Show home button & set a specific page is selected, a custom URL loads when your user clicks the home button. - -Default setting: Blank or not configured -Related policy: Configure Home Button - - - - - - - - - - - text/plain - - phone - MicrosoftEdge.admx - SetHomeButtonURLPrompt - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - SetHomeButtonURL - LastWrite - - - - SetNewTabPageURL - - - - - - You can set the default New Tab page URL in Microsoft Edge. Enabling this policy prevents your users from changing the New tab page setting. When enabled and the Allow web content on New Tab page policy is disabled, Microsoft Edge ignores the URL specified in this policy and opens about:blank. - -If enabled, you can set the default New Tab page URL. - -If disabled or not configured, the default Microsoft Edge new tab page is used. - -Default setting: Disabled or not configured -Related policy: Allow web content on New Tab page - - - - - - - - - - - text/plain - - phone - MicrosoftEdge.admx - SetNewTabPageURLPrompt - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - SetNewTabPageURL - LastWrite - - - - ShowMessageWhenOpeningSitesInInternetExplorer - - - - - 0 - You can configure Microsoft Edge to open a site automatically in Internet Explorer 11 and choose to display a notification before the site opens. If you want to display a notification, you must enable Configure the Enterprise Mode Site List or Send all intranets sites to Internet Explorer 11 or both. - -If enabled, the notification appears on a new page. If you want users to continue in Microsoft Edge, select the Show Keep going in Microsoft Edge option from the drop-down list under Options. - -If disabled or not configured, the default app behavior occurs and no additional page displays. - -Default setting: Disabled or not configured -Related policies: --Configure the Enterprise Mode Site List --Send all intranet sites to Internet Explorer 11 - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - ShowMessageWhenOpeningSitesInInternetExplorer - HighestValueMostSecure - - - - SyncFavoritesBetweenIEAndMicrosoftEdge - - - - - 0 - Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - SyncFavoritesBetweenIEAndMicrosoftEdge - LowestValueMostSecure - - - - UnlockHomeButton - - - - - 0 - By default, when enabling Configure Home Button or Set Home Button URL, the home button is locked down to prevent your users from changing what page loads when clicking the home button. Use this policy to let users change the home button even when Configure Home Button or Set Home Button URL are enabled. - -If enabled, the UI settings for the home button are enabled allowing your users to make changes, including hiding and showing the home button as well as configuring a custom URL. - -If disabled or not configured, the UI settings for the home button are disabled preventing your users from making changes. - -Default setting: Disabled or not configured -Related policy: --Configure Home Button --Set Home Button URL - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - UnlockHomeButton - LowestValueMostSecure - - - - UseSharedFolderForBooks - - - - - 0 - This setting specifies whether organizations should use a folder shared across users to store books from the Books Library. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - UseSharedFolderForBooks - LowestValueMostSecure - - - - - Camera - - - - - - - - - - - - - - - - - - - AllowCamera - - - - - 1 - - - - - - - - - - - - text/plain - - - Camera.admx - Camera~AT~WindowsComponents~L_Camera_GroupPolicyCategory - L_AllowCamera - LowestValueMostSecure - - - - - Cellular - - - - - - - - - - - - - - - - - - - LetAppsAccessCellularData - - - - - 0 - This policy setting specifies whether Windows apps can access cellular data. - - - - - - - - - - - text/plain - - - wwansvc.admx - LetAppsAccessCellularData_Enum - wwansvc~AT~Network~WwanSvc_Category~CellularDataAccess - LetAppsAccessCellularData - HighestValueMostSecure - - - - LetAppsAccessCellularData_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. - - - - - - - - - - - text/plain - - wwansvc.admx - LetAppsAccessCellularData_ForceAllowTheseApps_List - wwansvc~AT~Network~WwanSvc_Category~CellularDataAccess - LetAppsAccessCellularData - LastWrite - ; - - - - LetAppsAccessCellularData_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. - - - - - - - - - - - text/plain - - wwansvc.admx - LetAppsAccessCellularData_ForceDenyTheseApps_List - wwansvc~AT~Network~WwanSvc_Category~CellularDataAccess - LetAppsAccessCellularData - LastWrite - ; - - - - LetAppsAccessCellularData_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the cellular data access setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. - - - - - - - - - - - text/plain - - wwansvc.admx - LetAppsAccessCellularData_UserInControlOfTheseApps_List - wwansvc~AT~Network~WwanSvc_Category~CellularDataAccess - LetAppsAccessCellularData - LastWrite - ; - - - - ShowAppCellularAccessUI - - - - - - - - - - - - - - - - - text/plain - - wwansvc.admx - wwansvc~AT~Network~WwanSvc_Category~UISettings_Category - ShowAppCellularAccessUI - LastWrite - - - - - Connectivity - - - - - - - - - - - - - - - - - - - AllowBluetooth - - - - - 2 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowCellularData - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowCellularDataRoaming - - - - - 1 - - - - - - - - - - - - text/plain - - - WCM.admx - WCM~AT~Network~WCM_Category - WCM_DisableRoaming - LowestValueMostSecure - - - - AllowConnectedDevices - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowNFC - - - - - 1 - - - - - - - - - - - - text/plain - - - desktop - LowestValueMostSecure - - - - AllowPhonePCLinking - - - - - 1 - - - - - - - - - - - - text/plain - - - grouppolicy.admx - grouppolicy~AT~System~PolicyPolicies - enableMMX - LowestValueMostSecure - - - - AllowUSBConnection - - - - - 1 - - - - - - - - - - - - text/plain - - - desktop - LowestValueMostSecure - - - - AllowVPNOverCellular - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowVPNRoamingOverCellular - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - DiablePrintingOverHTTP - - - - - - - - - - - - - - - - - text/plain - - phone - ICM.admx - ICM~AT~System~InternetManagement~InternetManagement_Settings - DisableHTTPPrinting_2 - LastWrite - - - - DisableDownloadingOfPrintDriversOverHTTP - - - - - - - - - - - - - - - - - text/plain - - phone - ICM.admx - ICM~AT~System~InternetManagement~InternetManagement_Settings - DisableWebPnPDownload_2 - LastWrite - - - - DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards - - - - - - - - - - - - - - - - - text/plain - - phone - ICM.admx - ICM~AT~System~InternetManagement~InternetManagement_Settings - ShellPreventWPWDownload_2 - LastWrite - - - - DisallowNetworkConnectivityActiveTests - - - - - 0 - - - - - - - - - - - - text/plain - - - ICM.admx - ICM~AT~System~InternetManagement~InternetManagement_Settings - NoActiveProbe - HighestValueMostSecure - - - - HardenedUNCPaths - - - - - - - - - - - - - - - - - text/plain - - phone - networkprovider.admx - NetworkProvider~AT~Network~Cat_NetworkProvider - Pol_HardenedPaths - LastWrite - - - - ProhibitInstallationAndConfigurationOfNetworkBridge - - - - - - - - - - - - - - - - - text/plain - - phone - NetworkConnections.admx - NetworkConnections~AT~Network~NetworkConnections - NC_AllowNetBridge_NLA - LastWrite - - - - - ControlPolicyConflict - - - - - - - - - - - - - - - - - - - MDMWinsOverGP - - - - - 0 - If set to 1 then any MDM policy that is set that has an equivalent GP policy will result in GP service blocking the setting of the policy by GP MMC. Setting the value to 0 (zero) or deleting the policy will remove the GP policy blocks restore the saved GP policies. - - - - - - - - - - - text/plain - - - LastWrite - - - - - CredentialProviders - - - - - - - - - - - - - - - - - - - AllowPINLogon - - - - - - - - - - - - - - - - - text/plain - - phone - credentialproviders.admx - CredentialProviders~AT~System~Logon - AllowDomainPINLogon - LastWrite - - - - BlockPicturePassword - - - - - - - - - - - - - - - - - text/plain - - phone - credentialproviders.admx - CredentialProviders~AT~System~Logon - BlockDomainPicturePassword - LastWrite - - - - DisableAutomaticReDeploymentCredentials - - - - - 1 - - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - - CredentialsDelegation - - - - - - - - - - - - - - - - - - - RemoteHostAllowsDelegationOfNonExportableCredentials - - - - - - - - - - - - - - - - - text/plain - - phone - CredSsp.admx - CredSsp~AT~System~CredentialsDelegation - AllowProtectedCreds - LastWrite - - - - - CredentialsUI - - - - - - - - - - - - - - - - - - - DisablePasswordReveal - - - - - - - - - - - - - - - - - text/plain - - phone - credui.admx - CredUI~AT~WindowsComponents~CredUI - DisablePasswordReveal - LastWrite - - - - EnumerateAdministrators - - - - - - - - - - - - - - - - - text/plain - - phone - credui.admx - CredUI~AT~WindowsComponents~CredUI - EnumerateAdministrators - LastWrite - - - - - Cryptography - - - - - - - - - - - - - - - - - - - AllowFipsAlgorithmPolicy - - - - - 0 - - - - - - - - - - - - text/plain - - - Windows Settings~Security Settings~Local Policies~Security Options - System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing - LastWrite - - - - TLSCipherSuites - - - - - - - - - - - - - - - - - text/plain - - LastWrite - - - - - DataProtection - - - - - - - - - - - - - - - - - - - AllowDirectMemoryAccess - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - LegacySelectiveWipeID - - - - - - - - - - - - - - - - - text/plain - - LastWrite - - - - - DataUsage - - - - - - - - - - - - - - - - - - - SetCost3G - - - - - - - - - - - - - - - - - text/plain - - wwansvc.admx - wwansvc~AT~Network~WwanSvc_Category~NetworkCost_Category - SetCost3G - LastWrite - - - - SetCost4G - - - - - - - - - - - - - - - - - text/plain - - wwansvc.admx - wwansvc~AT~Network~WwanSvc_Category~NetworkCost_Category - SetCost4G - LastWrite - - - - - Defender - - - - - - - - - - - - - - - - - - - AllowArchiveScanning - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan - Scan_DisableArchiveScanning - HighestValueMostSecure - - - - AllowBehaviorMonitoring - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~RealtimeProtection - RealtimeProtection_DisableBehaviorMonitoring - HighestValueMostSecure - - - - AllowCloudProtection - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - SpynetReporting - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Spynet - SpynetReporting - HighestValueMostSecure - - - - AllowEmailScanning - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan - Scan_DisableEmailScanning - HighestValueMostSecure - - - - AllowFullScanOnMappedNetworkDrives - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan - Scan_DisableScanningMappedNetworkDrivesForFullScan - HighestValueMostSecure - - - - AllowFullScanRemovableDriveScanning - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan - Scan_DisableRemovableDriveScanning - HighestValueMostSecure - - - - AllowIntrusionPreventionSystem - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - HighestValueMostSecure - - - - AllowIOAVProtection - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~RealtimeProtection - RealtimeProtection_DisableIOAVProtection - HighestValueMostSecure - - - - AllowOnAccessProtection - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~RealtimeProtection - RealtimeProtection_DisableOnAccessProtection - HighestValueMostSecure - - - - AllowRealtimeMonitoring - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~RealtimeProtection - DisableRealtimeMonitoring - HighestValueMostSecure - - - - AllowScanningNetworkFiles - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan - Scan_DisableScanningNetworkFiles - HighestValueMostSecure - - - - AllowScriptScanning - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - HighestValueMostSecure - - - - AllowUserUIAccess - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~ClientInterface - UX_Configuration_UILockdown - LastWrite - - - - AttackSurfaceReductionOnlyExclusions - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsDefender.admx - ExploitGuard_ASR_ASROnlyExclusions - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~ExploitGuard~ExploitGuard_ASR - ExploitGuard_ASR_ASROnlyExclusions - LastWrite - - - - AttackSurfaceReductionRules - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsDefender.admx - ExploitGuard_ASR_Rules - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~ExploitGuard~ExploitGuard_ASR - ExploitGuard_ASR_Rules - LastWrite - - - - AvgCPULoadFactor - - - - - 50 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - Scan_AvgCPULoadFactor - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan - Scan_AvgCPULoadFactor - LastWrite - - - - CheckForSignaturesBeforeRunningScan - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - CheckForSignaturesBeforeRunningScan - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan - CheckForSignaturesBeforeRunningScan - HighestValueMostSecure - - - - CloudBlockLevel - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - MpCloudBlockLevel - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~MpEngine - MpEngine_MpCloudBlockLevel - LastWrite - - - - CloudExtendedTimeout - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - MpBafsExtendedTimeout - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~MpEngine - MpEngine_MpBafsExtendedTimeout - LastWrite - - - - ControlledFolderAccessAllowedApplications - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsDefender.admx - ExploitGuard_ControlledFolderAccess_AllowedApplications - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~ExploitGuard~ExploitGuard_ControlledFolderAccess - ExploitGuard_ControlledFolderAccess_AllowedApplications - LastWrite - - - - ControlledFolderAccessProtectedFolders - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsDefender.admx - ExploitGuard_ControlledFolderAccess_ProtectedFolders - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~ExploitGuard~ExploitGuard_ControlledFolderAccess - ExploitGuard_ControlledFolderAccess_ProtectedFolders - LastWrite - - - - DaysToRetainCleanedMalware - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - Quarantine_PurgeItemsAfterDelay - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Quarantine - Quarantine_PurgeItemsAfterDelay - LastWrite - - - - DisableCatchupFullScan - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - Scan_DisableCatchupFullScan - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan - Scan_DisableCatchupFullScan - LastWrite - - - - DisableCatchupQuickScan - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - Scan_DisableCatchupQuickScan - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan - Scan_DisableCatchupQuickScan - LastWrite - - - - EnableControlledFolderAccess - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~ExploitGuard~ExploitGuard_ControlledFolderAccess - ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess - LastWrite - - - - EnableLowCPUPriority - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - Scan_LowCpuPriority - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan - Scan_LowCpuPriority - LastWrite - - - - EnableNetworkProtection - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - ExploitGuard_EnableNetworkProtection - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~ExploitGuard~ExploitGuard_NetworkProtection - ExploitGuard_EnableNetworkProtection - LastWrite - - - - ExcludedExtensions - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsDefender.admx - Exclusions_PathsList - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Exclusions - Exclusions_Paths - LastWrite - - - - ExcludedPaths - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsDefender.admx - Exclusions_ExtensionsList - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Exclusions - Exclusions_Extensions - LastWrite - - - - ExcludedProcesses - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsDefender.admx - Exclusions_ProcessesList - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Exclusions - Exclusions_Processes - LastWrite - - - - PUAProtection - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - Root_PUAProtection - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender - Root_PUAProtection - LastWrite - - - - RealTimeScanDirection - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - RealtimeProtection_RealtimeScanDirection - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~RealtimeProtection - RealtimeProtection_RealtimeScanDirection - LowestValueMostSecure - - - - ScanParameter - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - Scan_ScanParameters - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan - Scan_ScanParameters - LastWrite - - - - ScheduleQuickScanTime - - - - - 120 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - Scan_ScheduleQuickScantime - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan - Scan_ScheduleQuickScantime - LastWrite - - - - ScheduleScanDay - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - Scan_ScheduleDay - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan - Scan_ScheduleDay - LastWrite - - - - ScheduleScanTime - - - - - 120 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - Scan_ScheduleTime - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan - Scan_ScheduleTime - LastWrite - - - - SecurityIntelligenceLocation - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsDefender.admx - SignatureUpdate_SharedSignaturesLocation - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~SignatureUpdate - SignatureUpdate_SharedSignaturesLocation - LastWrite - - - - SignatureUpdateFallbackOrder - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsDefender.admx - SignatureUpdate_FallbackOrder - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~SignatureUpdate - SignatureUpdate_FallbackOrder - LastWrite - - - - SignatureUpdateFileSharesSources - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsDefender.admx - SignatureUpdate_DefinitionUpdateFileSharesSources - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~SignatureUpdate - SignatureUpdate_DefinitionUpdateFileSharesSources - LastWrite - - - - SignatureUpdateInterval - - - - - 8 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - SignatureUpdate_SignatureUpdateInterval - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~SignatureUpdate - SignatureUpdate_SignatureUpdateInterval - LastWrite - - - - SubmitSamplesConsent - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - SubmitSamplesConsent - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Spynet - SubmitSamplesConsent - HighestValueMostSecure - - - - ThreatSeverityDefaultAction - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsDefender.admx - Threats_ThreatSeverityDefaultActionList - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Threats - Threats_ThreatSeverityDefaultAction - LastWrite - - - - - DeliveryOptimization - - - - - - - - - - - - - - - - - - - DOAbsoluteMaxCacheSize - - - - - 10 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - AbsoluteMaxCacheSize - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - AbsoluteMaxCacheSize - LastWrite - - - - DOAllowVPNPeerCaching - - - - - 0 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - AllowVPNPeerCaching - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - AllowVPNPeerCaching - LowestValueMostSecure - - - - DOCacheHost - - - - - - - - - - - - - - - - - text/plain - - DeliveryOptimization.admx - CacheHost - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - CacheHost - LastWrite - - - - DOCacheHostSource - - - - - 0 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - CacheHostSource - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - CacheHostSource - LastWrite - - - - DODelayBackgroundDownloadFromHttp - - - - - 0 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - DelayBackgroundDownloadFromHttp - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - DelayBackgroundDownloadFromHttp - LastWrite - - - - DODelayCacheServerFallbackBackground - - - - - 0 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - DelayCacheServerFallbackBackground - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - DelayCacheServerFallbackBackground - LastWrite - - - - DODelayCacheServerFallbackForeground - - - - - 0 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - DelayCacheServerFallbackForeground - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - DelayCacheServerFallbackForeground - LastWrite - - - - DODelayForegroundDownloadFromHttp - - - - - 0 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - DelayForegroundDownloadFromHttp - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - DelayForegroundDownloadFromHttp - LastWrite - - - - DODownloadMode - - - - - 1 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - DownloadMode - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - DownloadMode - LastWrite - - - - DOGroupId - - - - - - - - - - - - - - - - - text/plain - - DeliveryOptimization.admx - GroupId - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - GroupId - LastWrite - - - - DOGroupIdSource - - - - - 0 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - GroupIdSource - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - GroupIdSource - LastWrite - - - - DOMaxBackgroundDownloadBandwidth - - - - - 0 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - MaxBackgroundDownloadBandwidth - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - MaxBackgroundDownloadBandwidth - LastWrite - - - - DOMaxCacheAge - - - - - 259200 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - MaxCacheAge - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - MaxCacheAge - LastWrite - - - - DOMaxCacheSize - - - - - 20 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - MaxCacheSize - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - MaxCacheSize - LastWrite - - - - DOMaxForegroundDownloadBandwidth - - - - - 0 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - MaxForegroundDownloadBandwidth - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - MaxForegroundDownloadBandwidth - LastWrite - - - - DOMinBackgroundQos - - - - - 500 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - MinBackgroundQos - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - MinBackgroundQos - LastWrite - - - - DOMinBatteryPercentageAllowedToUpload - - - - - 0 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - MinBatteryPercentageAllowedToUpload - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - MinBatteryPercentageAllowedToUpload - LastWrite - - - - DOMinDiskSizeAllowedToPeer - - - - - 32 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - MinDiskSizeAllowedToPeer - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - MinDiskSizeAllowedToPeer - LastWrite - - - - DOMinFileSizeToCache - - - - - 100 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - MinFileSizeToCache - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - MinFileSizeToCache - LastWrite - - - - DOMinRAMAllowedToPeer - - - - - 4 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - MinRAMAllowedToPeer - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - MinRAMAllowedToPeer - LastWrite - - - - DOModifyCacheDrive - - - - - %SystemDrive% - - - - - - - - - - - - text/plain - - DeliveryOptimization.admx - ModifyCacheDrive - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - ModifyCacheDrive - LastWrite - - - - DOMonthlyUploadDataCap - - - - - 20 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - MonthlyUploadDataCap - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - MonthlyUploadDataCap - LastWrite - - - - DOPercentageMaxBackgroundBandwidth - - - - - 0 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - PercentageMaxBackgroundBandwidth - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - PercentageMaxBackgroundBandwidth - LastWrite - - - - DOPercentageMaxForegroundBandwidth - - - - - 0 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - PercentageMaxForegroundBandwidth - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - PercentageMaxForegroundBandwidth - LastWrite - - - - DORestrictPeerSelectionBy - - - - - 0 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - RestrictPeerSelectionBy - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - RestrictPeerSelectionBy - LastWrite - - - - DOSetHoursToLimitBackgroundDownloadBandwidth - - - - - - - - - - - - - - - - - text/plain - - LastWrite - - - - - - - - - - - - - - - - - - - - - - - - ]]> - - - - DOSetHoursToLimitForegroundDownloadBandwidth - - - - - - - - - - - - - - - - - text/plain - - LastWrite - - - - - - - - - - - - - - - - - - - - - - - - ]]> - - - - - DeviceGuard - - - - - - - - - - - - - - - - - - - ConfigureSystemGuardLaunch - - - - - 0 - Secure Launch configuration: 0 - Unmanaged, configurable by Administrative user, 1 - Enables Secure Launch if supported by hardware, 2 - Disables Secure Launch. - - - - - - - - - - - text/plain - - - phone - DeviceGuard.admx - SystemGuardDrop - DeviceGuard~AT~System~DeviceGuardCategory - VirtualizationBasedSecurity - LowestValueMostSecureZeroHasNoLimits - - - - EnableVirtualizationBasedSecurity - - - - - 0 - Turns On Virtualization Based Security(VBS) - - - - - - - - - - - text/plain - - - phone - DeviceGuard.admx - DeviceGuard~AT~System~DeviceGuardCategory - VirtualizationBasedSecurity - HighestValueMostSecure - - - - LsaCfgFlags - - - - - 0 - Credential Guard Configuration: 0 - Turns off CredentialGuard remotely if configured previously without UEFI Lock, 1 - Turns on CredentialGuard with UEFI lock. 2 - Turns on CredentialGuard without UEFI lock. - - - - - - - - - - - text/plain - - - phone - DeviceGuard.admx - CredentialIsolationDrop - DeviceGuard~AT~System~DeviceGuardCategory - VirtualizationBasedSecurity - LowestValueMostSecureZeroHasNoLimits - - - - RequirePlatformSecurityFeatures - - - - - 1 - Select Platform Security Level: 1 - Turns on VBS with Secure Boot, 3 - Turns on VBS with Secure Boot and DMA. DMA requires hardware support. - - - - - - - - - - - text/plain - - - phone - DeviceGuard.admx - RequirePlatformSecurityFeaturesDrop - DeviceGuard~AT~System~DeviceGuardCategory - VirtualizationBasedSecurity - HighestValueMostSecure - - - - - DeviceHealthMonitoring - - - - - - - - - - - - - - - - - - - AllowDeviceHealthMonitoring - - - - - 0 - Enable/disable 4Nines device health monitoring on devices. - - - - - - - - - - - text/plain - - - LastWrite - - - - ConfigDeviceHealthMonitoringScope - - - - - - If the device is not opted-in to the DeviceHealthMonitoring service via the AllowDeviceHealthMonitoring then this policy has no meaning. For devices which are opted in, the value of this policy modifies which types of events are monitored. - - - - - - - - - - - text/plain - - LastWrite - - - - ConfigDeviceHealthMonitoringUploadDestination - - - - - - If the device is not opted-in to the DeviceHealthMonitoring service via the AllowDeviceHealthMonitoring then this policy has no meaning. For devices which are opted in, the value of this policy modifies which destinations are in-scope for monitored events to be uploaded. - - - - - - - - - - - text/plain - - LastWrite - - - - - DeviceInstallation - - - - - - - - - - - - - - - - - - - AllowInstallationOfMatchingDeviceIDs - - - - - - - - - - - - - - - - - text/plain - - phone - deviceinstallation.admx - DeviceInstallation~AT~System~DeviceInstall_Category~DeviceInstall_Restrictions_Category - DeviceInstall_IDs_Allow - LastWrite - - - - AllowInstallationOfMatchingDeviceInstanceIDs - - - - - - - - - - - - - - - - - text/plain - - phone - deviceinstallation.admx - DeviceInstallation~AT~System~DeviceInstall_Category~DeviceInstall_Restrictions_Category - DeviceInstall_Instance_IDs_Allow - LastWrite - - - - AllowInstallationOfMatchingDeviceSetupClasses - - - - - - - - - - - - - - - - - text/plain - - phone - deviceinstallation.admx - DeviceInstallation~AT~System~DeviceInstall_Category~DeviceInstall_Restrictions_Category - DeviceInstall_Classes_Allow - LastWrite - - - - PreventDeviceMetadataFromNetwork - - - - - - - - - - - - - - - - - text/plain - - phone - DeviceSetup.admx - DeviceInstallation~AT~System~DeviceInstall_Category~DeviceInstall_Restrictions_Category - DeviceMetadata_PreventDeviceMetadataFromNetwork - LastWrite - - - - PreventInstallationOfDevicesNotDescribedByOtherPolicySettings - - - - - - - - - - - - - - - - - text/plain - - phone - deviceinstallation.admx - DeviceInstallation~AT~System~DeviceInstall_Category~DeviceInstall_Restrictions_Category - DeviceInstall_Unspecified_Deny - LastWrite - - - - PreventInstallationOfMatchingDeviceIDs - - - - - - - - - - - - - - - - - text/plain - - phone - deviceinstallation.admx - DeviceInstallation~AT~System~DeviceInstall_Category~DeviceInstall_Restrictions_Category - DeviceInstall_IDs_Deny - LastWrite - - - - PreventInstallationOfMatchingDeviceInstanceIDs - - - - - - - - - - - - - - - - - text/plain - - phone - deviceinstallation.admx - DeviceInstallation~AT~System~DeviceInstall_Category~DeviceInstall_Restrictions_Category - DeviceInstall_Instance_IDs_Deny - LastWrite - - - - PreventInstallationOfMatchingDeviceSetupClasses - - - - - - - - - - - - - - - - - text/plain - - phone - deviceinstallation.admx - DeviceInstallation~AT~System~DeviceInstall_Category~DeviceInstall_Restrictions_Category - DeviceInstall_Classes_Deny - LastWrite - - - - - DeviceLock - - - - - - - - - - - - - - - - - - - AllowIdleReturnWithoutPassword - - - - - 1 - Specifies whether the user must input a PIN or password when the device resumes from an idle state. - - - - - - - - - - - text/plain - - - desktop - LowestValueMostSecure - - - - AllowSimpleDevicePassword - - - - - 1 - Specifies whether PINs or passwords such as 1111 or 1234 are allowed. For the desktop, it also controls the use of picture passwords. - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AlphanumericDevicePasswordRequired - - - - - 2 - Determines the type of PIN or password required. This policy only applies if the DeviceLock/DevicePasswordEnabled policy is set to 0 - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - DevicePasswordEnabled - - - - - 1 - Specifies whether device lock is enabled. - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - DevicePasswordExpiration - - - - - 0 - Specifies when the password expires (in days). - - - - - - - - - - - text/plain - - - LowestValueMostSecureZeroHasNoLimits - - - - DevicePasswordHistory - - - - - 0 - Specifies how many passwords can be stored in the history that can’t be used. - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - EnforceLockScreenAndLogonImage - - - - - - - - - - - - - - - - - text/plain - - phone - LastWrite - - - - EnforceLockScreenProvider - - - - - - - - - - - - - - - - - text/plain - - LastWrite - - - - MaxDevicePasswordFailedAttempts - - - - - 0 - - - - - - - - - - - - text/plain - - - LowestValueMostSecureZeroHasNoLimits - - - - MaxInactivityTimeDeviceLock - - - - - 0 - The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality. - - - - - - - - - - - text/plain - - - LowestValueMostSecureZeroHasNoLimits - - - - MaxInactivityTimeDeviceLockWithExternalDisplay - - - - - 0 - Sets the maximum timeout value for the external display. - - - - - - - - - - - text/plain - - - desktop - LowestValueMostSecure - - - - MinDevicePasswordComplexCharacters - - - - - 1 - The number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password. - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - MinDevicePasswordLength - - - - - 4 - Specifies the minimum number or characters required in the PIN or password. - - - - - - - - - - - text/plain - - - HighestValueMostSecureZeroHasNoLimits - - - - MinimumPasswordAge - - - - - 1 - This security setting determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow changes immediately by setting the number of days to 0. - -The minimum password age must be less than the Maximum password age, unless the maximum password age is set to 0, indicating that passwords will never expire. If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998. - -Configure the minimum password age to be more than 0 if you want Enforce password history to be effective. Without a minimum password age, users can cycle through passwords repeatedly until they get to an old favorite. The default setting does not follow this recommendation, so that an administrator can specify a password for a user and then require the user to change the administrator-defined password when the user logs on. If the password history is set to 0, the user does not have to choose a new password. For this reason, Enforce password history is set to 1 by default. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Account Policies~Password Policy - Minimum password age - HighestValueMostSecure - - - - PreventEnablingLockScreenCamera - - - - - - - - - - - - - - - - - text/plain - - phone - ControlPanelDisplay.admx - ControlPanelDisplay~AT~ControlPanel~Personalization - CPL_Personalization_NoLockScreenCamera - LastWrite - - - - PreventLockScreenSlideShow - - - - - - - - - - - - - - - - - text/plain - - phone - ControlPanelDisplay.admx - ControlPanelDisplay~AT~ControlPanel~Personalization - CPL_Personalization_NoLockScreenSlideshow - LastWrite - - - - Display - - - - - - - - - - - - - - - - - - - DisablePerProcessDpiForApps - - - - - - This policy allows you to disable Per-Process System DPI for a semicolon-separated list of applications. Applications can be specified either by using full paths or with filenames and extensions. This policy will override the system-wide default value. - - - - - - - - - - - text/plain - - phone - Display.admx - DisplayDisablePerProcessSystemDpiSettings - Display~AT~System~DisplayCat - DisplayPerProcessSystemDpiSettings - LastWrite - - - - EnablePerProcessDpi - - - - - - Enable or disable Per-Process System DPI for all applications. - - - - - - - - - - - text/plain - - - phone - Display.admx - DisplayGlobalPerProcessSystemDpiSettings - Display~AT~System~DisplayCat - DisplayPerProcessSystemDpiSettings - LowestValueMostSecure - - - - EnablePerProcessDpiForApps - - - - - - This policy allows you to enable Per-Process System DPI for a semicolon-separated list of applications. Applications can be specified either by using full paths or with filenames and extensions. This policy will override the system-wide default value. - - - - - - - - - - - text/plain - - phone - Display.admx - DisplayEnablePerProcessSystemDpiSettings - Display~AT~System~DisplayCat - DisplayPerProcessSystemDpiSettings - LastWrite - - - - TurnOffGdiDPIScalingForApps - - - - - - This policy allows to force turn off GDI DPI Scaling for a semicolon separated list of applications. Applications can be specified either by using full path or just filename and extension. - - - - - - - - - - - text/plain - - phone - Display.admx - DisplayTurnOffGdiDPIScalingPrompt - Display~AT~System~DisplayCat - DisplayTurnOffGdiDPIScaling - LastWrite - - - - TurnOnGdiDPIScalingForApps - - - - - - This policy allows to turn on GDI DPI Scaling for a semicolon separated list of applications. Applications can be specified either by using full path or just filename and extension. - - - - - - - - - - - text/plain - - phone - Display.admx - DisplayTurnOnGdiDPIScalingPrompt - Display~AT~System~DisplayCat - DisplayTurnOnGdiDPIScaling - LastWrite - - - - - DmaGuard - - - - - - - - - - - - - - - - - - - DeviceEnumerationPolicy - - - - - 1 - - - - - - - - - - - - text/plain - - - dmaguard.admx - dmaguard~AT~System~DmaGuard - DmaGuardEnumerationPolicy - LowestValueMostSecure - - - - - ErrorReporting - - - - - - - - - - - - - - - - - - - CustomizeConsentSettings - - - - - - - - - - - - - - - - - text/plain - - phone - ErrorReporting.admx - ErrorReporting~AT~WindowsComponents~CAT_WindowsErrorReporting - WerConsentCustomize_2 - LastWrite - - - - DisableWindowsErrorReporting - - - - - - - - - - - - - - - - - text/plain - - phone - ErrorReporting.admx - ErrorReporting~AT~WindowsComponents~CAT_WindowsErrorReporting - WerDisable_2 - LastWrite - - - - DisplayErrorNotification - - - - - - - - - - - - - - - - - text/plain - - phone - ErrorReporting.admx - ErrorReporting~AT~WindowsComponents~CAT_WindowsErrorReporting - PCH_ShowUI - LastWrite - - - - DoNotSendAdditionalData - - - - - - - - - - - - - - - - - text/plain - - phone - ErrorReporting.admx - ErrorReporting~AT~WindowsComponents~CAT_WindowsErrorReporting - WerNoSecondLevelData_2 - LastWrite - - - - PreventCriticalErrorDisplay - - - - - - - - - - - - - - - - - text/plain - - phone - ErrorReporting.admx - ErrorReporting~AT~WindowsComponents~CAT_WindowsErrorReporting - WerDoNotShowUI - LastWrite - - - - - EventLogService - - - - - - - - - - - - - - - - - - - ControlEventLogBehavior - - - - - - - - - - - - - - - - - text/plain - - phone - eventlog.admx - EventLog~AT~WindowsComponents~EventLogCategory~EventLog_Application - Channel_Log_Retention_1 - LastWrite - - - - SpecifyMaximumFileSizeApplicationLog - - - - - - - - - - - - - - - - - text/plain - - phone - eventlog.admx - EventLog~AT~WindowsComponents~EventLogCategory~EventLog_Application - Channel_LogMaxSize_1 - LastWrite - - - - SpecifyMaximumFileSizeSecurityLog - - - - - - - - - - - - - - - - - text/plain - - phone - eventlog.admx - EventLog~AT~WindowsComponents~EventLogCategory~EventLog_Security - Channel_LogMaxSize_2 - LastWrite - - - - SpecifyMaximumFileSizeSystemLog - - - - - - - - - - - - - - - - - text/plain - - phone - eventlog.admx - EventLog~AT~WindowsComponents~EventLogCategory~EventLog_System - Channel_LogMaxSize_4 - LastWrite - - - - - Experience - - - - - - - - - - - - - - - - - - - AllowClipboardHistory - - - - - 1 - Allows history of clipboard items to be stored in memory. - - - - - - - - - - - text/plain - - - OSPolicy.admx - OSPolicy~AT~System~PolicyPolicies - AllowClipboardHistory - LowestValueMostSecure - - - - AllowCopyPaste - - - - - 1 - - - - - - - - - - - - text/plain - - - desktop - LowestValueMostSecure - - - - AllowCortana - - - - - 1 - - - - - - - - - - - - text/plain - - - Search.admx - Search~AT~WindowsComponents~Search - AllowCortana - LowestValueMostSecure - - - - AllowDeviceDiscovery - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowFindMyDevice - - - - - 1 - - - - - - - - - - - - text/plain - - - FindMy.admx - FindMy~AT~WindowsComponents~FindMyDeviceCat - FindMy_AllowFindMyDeviceConfig - LowestValueMostSecure - - - - AllowManualMDMUnenrollment - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowSaveAsOfOfficeFiles - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowScreenCapture - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowSharingOfOfficeFiles - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowSIMErrorDialogPromptWhenNoSIM - - - - - 1 - - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - AllowSyncMySettings - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowTaskSwitcher - - - - - 1 - - - - - - - - - - - - text/plain - - - desktop - LowestValueMostSecure - - - - AllowVoiceRecording - - - - - 1 - - - - - - - - - - - - text/plain - - - desktop - LowestValueMostSecure - - - - AllowWindowsConsumerFeatures - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - CloudContent.admx - CloudContent~AT~WindowsComponents~CloudContent - DisableWindowsConsumerFeatures - LowestValueMostSecure - - - - AllowWindowsTips - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - CloudContent.admx - CloudContent~AT~WindowsComponents~CloudContent - DisableSoftLanding - LowestValueMostSecure - - - - DisableCloudOptimizedContent - - - - - 0 - This policy controls Windows experiences that use the cloud optimized content client component. If you enable this policy, they will present only default content. If you disable or do not configure this policy, they will be able to use cloud provided content. - - - - - - - - - - - text/plain - - - CloudContent.admx - CloudContent~AT~WindowsComponents~CloudContent - DisableCloudOptimizedContent - HighestValueMostSecure - - - - DoNotShowFeedbackNotifications - - - - - 0 - - - - - - - - - - - - text/plain - - - FeedbackNotifications.admx - FeedbackNotifications~AT~WindowsComponents~DataCollectionAndPreviewBuilds - DoNotShowFeedbackNotifications - HighestValueMostSecure - - - - DoNotSyncBrowserSettings - - - - - 0 - You can configure Microsoft Edge, when enabled, to prevent the "browser" group from using the Sync your Settings option to sync information, such as history and favorites, between user's devices. If you want syncing turned off by default in Microsoft Edge but not disabled, enable the Allow users to turn browser syncing on policy. If disabled or not configured, the Sync your Settings options are turned on in Microsoft Edge by default, and configurable by the user. - Related policy: PreventUsersFromTurningOnBrowserSyncing - 0 (default) = allow syncing, 2 = disable syncing - - - - - - - - - - - text/plain - - - SettingSync.admx - SettingSync~AT~WindowsComponents~SettingSync - DisableWebBrowserSettingSync - HighestValueMostSecure - - - - PreventUsersFromTurningOnBrowserSyncing - - - - - 1 - You can configure Microsoft Edge to allow users to turn on the Sync your Settings option to sync information, such as history and favorites, between user's devices. When enabled and you enable the Do not sync browser setting policy, browser settings sync automatically. If disabled, users have the option to sync the browser settings. - Related policy: DoNotSyncBrowserSettings - 1 (default) = Do not allow users to turn on syncing, 0 = Allows users to turn on syncing - - - - - - - - - - - text/plain - - - SettingSync.admx - CheckBox_UserOverride - SettingSync~AT~WindowsComponents~SettingSync - DisableWebBrowserSettingSync - HighestValueMostSecure - - - - ShowLockOnUserTile - - - - - 1 - Shows or hides lock from the user tile menu. -If you enable this policy setting, the lock option will be shown in the User Tile menu. - -If you disable this policy setting, the lock option will never be shown in the User Tile menu. - -If you do not configure this policy setting, users will be able to choose whether they want lock to show through the Power Options Control Panel. - - - - - - - - - - - text/plain - - - WindowsExplorer.admx - WindowsExplorer~AT~WindowsExplorer - ShowLockOption - HighestValueMostSecure - - - - - ExploitGuard - - - - - - - - - - - - - - - - - - - ExploitProtectionSettings - - - - - - - - - - - - - - - - - text/plain - - ExploitGuard.admx - ExploitProtection_Name - ExploitGuard~AT~WindowsComponents~WindowsDefenderExploitGuard~ExploitProtection - ExploitProtection_Name - LastWrite - - - - - FactoryComposer - - - - - - - - - - - - - - - - - - - BackgroundImagePath - - - - - - - - - - - - - - - - - text/plain - - LastWrite - - - - OEMVersion - - - - - unset; partners can set via settings customization! - - - - - - - - - - - - text/plain - - LastWrite - - - - UserToSignIn - - - - - - - - - - - - - - - - - text/plain - - LastWrite - - - - UWPLaunchOnBoot - - - - - - - - - - - - - - - - - text/plain - - LastWrite - - - - - FileExplorer - - - - - - - - - - - - - - - - - - - TurnOffDataExecutionPreventionForExplorer - - - - - - - - - - - - - - - - - text/plain - - phone - Explorer.admx - Explorer~AT~WindowsExplorer - NoDataExecutionPrevention - LastWrite - - - - TurnOffHeapTerminationOnCorruption - - - - - - - - - - - - - - - - - text/plain - - phone - Explorer.admx - Explorer~AT~WindowsExplorer - NoHeapTerminationOnCorruption - LastWrite - - - - - Games - - - - - - - - - - - - - - - - - - - AllowAdvancedGamingServices - - - - - 1 - Specifies whether advanced gaming services can be used. These services may send data to Microsoft or publishers of games that use these services. - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - - Handwriting - - - - - - - - - - - - - - - - - - - PanelDefaultModeDocked - - - - - 0 - Specifies whether the handwriting panel comes up floating near the text box or attached to the bottom of the screen - - - - - - - - - - - text/plain - - - phone - Handwriting.admx - Handwriting~AT~WindowsComponents~Handwriting - PanelDefaultModeDocked - LowestValueMostSecure - - - - - InternetExplorer - - - - - - - - - - - - - - - - - - - AddSearchProvider - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - AddSearchProvider - LastWrite - - - - AllowActiveXFiltering - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - TurnOnActiveXFiltering - LastWrite - - - - AllowAddOnList - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement - AddonManagement_AddOnList - LastWrite - - - - AllowCertificateAddressMismatchWarning - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyWarnCertMismatch - LastWrite - - - - AllowDeletingBrowsingHistoryOnExit - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~DeleteBrowsingHistory - DBHDisableDeleteOnExit - LastWrite - - - - AllowEnhancedProtectedMode - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage - Advanced_EnableEnhancedProtectedMode - LastWrite - - - - AllowEnhancedSuggestionsInAddressBar - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - AllowServicePoweredQSA - LastWrite - - - - AllowEnterpriseModeFromToolsMenu - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - EnterpriseModeEnable - LastWrite - - - - AllowEnterpriseModeSiteList - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - EnterpriseModeSiteList - LastWrite - - - - AllowFallbackToSSL3 - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures - Advanced_EnableSSL3Fallback - LastWrite - - - - AllowInternetExplorer7PolicyList - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~CategoryCompatView - CompatView_UsePolicyList - LastWrite - - - - AllowInternetExplorerStandardsMode - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~CategoryCompatView - CompatView_IntranetSites - LastWrite - - - - AllowInternetZoneTemplate - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyInternetZoneTemplate - LastWrite - - - - AllowIntranetZoneTemplate - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyIntranetZoneTemplate - LastWrite - - - - AllowLocalMachineZoneTemplate - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyLocalMachineZoneTemplate - LastWrite - - - - AllowLockedDownInternetZoneTemplate - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyInternetZoneLockdownTemplate - LastWrite - - - - AllowLockedDownIntranetZoneTemplate - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyIntranetZoneLockdownTemplate - LastWrite - - - - AllowLockedDownLocalMachineZoneTemplate - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyLocalMachineZoneLockdownTemplate - LastWrite - - - - AllowLockedDownRestrictedSitesZoneTemplate - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyRestrictedSitesZoneLockdownTemplate - LastWrite - - - - AllowOneWordEntry - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetSettings~Advanced~Browsing - UseIntranetSiteForOneWordEntry - LastWrite - - - - AllowSiteToZoneAssignmentList - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_Zonemaps - LastWrite - - - - AllowsLockedDownTrustedSitesZoneTemplate - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyTrustedSitesZoneLockdownTemplate - LastWrite - - - - AllowSoftwareWhenSignatureIsInvalid - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage - Advanced_InvalidSignatureBlock - LastWrite - - - - AllowsRestrictedSitesZoneTemplate - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyRestrictedSitesZoneTemplate - LastWrite - - - - AllowSuggestedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - EnableSuggestedSites - LastWrite - - - - AllowTrustedSitesZoneTemplate - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyTrustedSitesZoneTemplate - LastWrite - - - - CheckServerCertificateRevocation - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage - Advanced_CertificateRevocation - LastWrite - - - - CheckSignaturesOnDownloadedPrograms - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage - Advanced_DownloadSignatures - LastWrite - - - - ConsistentMimeHandlingInternetExplorerProcesses - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryConsistentMimeHandling - IESF_PolicyExplorerProcesses_5 - LastWrite - - - - DisableAdobeFlash - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement - DisableFlashInIE - LastWrite - - - - DisableBypassOfSmartScreenWarnings - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - DisableSafetyFilterOverride - LastWrite - - - - DisableBypassOfSmartScreenWarningsAboutUncommonFiles - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - DisableSafetyFilterOverrideForAppRepUnknown - LastWrite - - - - DisableCompatView - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~CategoryCompatView - CompatView_DisableList - LastWrite - - - - DisableConfiguringHistory - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~DeleteBrowsingHistory - RestrictHistory - LastWrite - - - - DisableCrashDetection - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - AddonManagement_RestrictCrashDetection - LastWrite - - - - DisableCustomerExperienceImprovementProgramParticipation - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - SQM_DisableCEIP - LastWrite - - - - DisableDeletingUserVisitedWebsites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~DeleteBrowsingHistory - DBHDisableDeleteHistory - LastWrite - - - - DisableEnclosureDownloading - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~RSS_Feeds - Disable_Downloading_of_Enclosures - LastWrite - - - - DisableEncryptionSupport - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage - Advanced_SetWinInetProtocols - LastWrite - - - - DisableFeedsBackgroundSync - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~RSS_Feeds - Disable_Background_Syncing - LastWrite - - - - DisableFirstRunWizard - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - NoFirstRunCustomise - LastWrite - - - - DisableFlipAheadFeature - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage - Advanced_DisableFlipAhead - LastWrite - - - - DisableGeolocation - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - GeolocationDisable - LastWrite - - - - DisableIgnoringCertificateErrors - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL - NoCertError - LastWrite - - - - DisableInPrivateBrowsing - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~CategoryPrivacy - DisableInPrivateBrowsing - LastWrite - - - - DisableProcessesInEnhancedProtectedMode - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage - Advanced_EnableEnhancedProtectedMode64Bit - LastWrite - - - - DisableProxyChange - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - RestrictProxy - LastWrite - - - - DisableSearchProviderChange - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - NoSearchProvider - LastWrite - - - - DisableSecondaryHomePageChange - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - SecondaryHomePages - LastWrite - - - - DisableSecuritySettingsCheck - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - Disable_Security_Settings_Check - LastWrite - - - - DisableUpdateCheck - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - NoUpdateCheck - LastWrite - - - - DisableWebAddressAutoComplete - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - RestrictWebAddressSuggest - LastWrite - - - - DoNotAllowActiveXControlsInProtectedMode - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage - Advanced_DisableEPMCompat - LastWrite - - - - DoNotAllowUsersToAddSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - Security_zones_map_edit - LastWrite - - - - DoNotAllowUsersToChangePolicies - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - Security_options_edit - LastWrite - - - - DoNotBlockOutdatedActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement - VerMgmtDisable - LastWrite - - - - DoNotBlockOutdatedActiveXControlsOnSpecificDomains - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement - VerMgmtDomainAllowlist - LastWrite - - - - IncludeAllLocalSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_IncludeUnspecifiedLocalSites - LastWrite - - - - IncludeAllNetworkPaths - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_UNCAsIntranet - LastWrite - - - - InternetZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyAccessDataSourcesAcrossDomains_1 - LastWrite - - - - InternetZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyNotificationBarActiveXURLaction_1 - LastWrite - - - - InternetZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyNotificationBarDownloadURLaction_1 - LastWrite - - - - InternetZoneAllowCopyPasteViaScript - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyAllowPasteViaScript_1 - LastWrite - - - - InternetZoneAllowDragAndDropCopyAndPasteFiles - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyDropOrPasteFiles_1 - LastWrite - - - - InternetZoneAllowFontDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyFontDownload_1 - LastWrite - - - - InternetZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyZoneElevationURLaction_1 - LastWrite - - - - InternetZoneAllowLoadingOfXAMLFiles - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_Policy_XAML_1 - LastWrite - - - - InternetZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyUnsignedFrameworkComponentsURLaction_1 - LastWrite - - - - InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Internet - LastWrite - - - - InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyAllowTDCControl_Both_Internet - LastWrite - - - - InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_Policy_WebBrowserControl_1 - LastWrite - - - - InternetZoneAllowScriptInitiatedWindows - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyWindowsRestrictionsURLaction_1 - LastWrite - - - - InternetZoneAllowScriptlets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_Policy_AllowScriptlets_1 - LastWrite - - - - InternetZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_Policy_Phishing_1 - LastWrite - - - - InternetZoneAllowUpdatesToStatusBarViaScript - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_Policy_ScriptStatusBar_1 - LastWrite - - - - InternetZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyUserdataPersistence_1 - LastWrite - - - - InternetZoneAllowVBScriptToRunInInternetExplorer - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyAllowVBScript_1 - LastWrite - - - - InternetZoneDoNotRunAntimalwareAgainstActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyAntiMalwareCheckingOfActiveXControls_1 - LastWrite - - - - InternetZoneDownloadSignedActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyDownloadSignedActiveX_1 - LastWrite - - - - InternetZoneDownloadUnsignedActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyDownloadUnsignedActiveX_1 - LastWrite - - - - InternetZoneEnableCrossSiteScriptingFilter - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyTurnOnXSSFilter_Both_Internet - LastWrite - - - - InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Internet - LastWrite - - - - InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Internet - LastWrite - - - - InternetZoneEnableMIMESniffing - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyMimeSniffingURLaction_1 - LastWrite - - - - InternetZoneEnableProtectedMode - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_Policy_TurnOnProtectedMode_1 - LastWrite - - - - InternetZoneIncludeLocalPathWhenUploadingFilesToServer - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_Policy_LocalPathForUpload_1 - LastWrite - - - - InternetZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyScriptActiveXNotMarkedSafe_1 - LastWrite - - - - InternetZoneJavaPermissions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyJavaPermissions_1 - LastWrite - - - - InternetZoneLaunchingApplicationsAndFilesInIFRAME - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyLaunchAppsAndFilesInIFRAME_1 - LastWrite - - - - InternetZoneLogonOptions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyLogon_1 - LastWrite - - - - InternetZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyNavigateSubframesAcrossDomains_1 - LastWrite - - - - InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicySignedFrameworkComponentsURLaction_1 - LastWrite - - - - InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_Policy_UnsafeFiles_1 - LastWrite - - - - InternetZoneUsePopupBlocker - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyBlockPopupWindows_1 - LastWrite - - - - IntranetZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyAccessDataSourcesAcrossDomains_3 - LastWrite - - - - IntranetZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyNotificationBarActiveXURLaction_3 - LastWrite - - - - IntranetZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyNotificationBarDownloadURLaction_3 - LastWrite - - - - IntranetZoneAllowFontDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyFontDownload_3 - LastWrite - - - - IntranetZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyZoneElevationURLaction_3 - LastWrite - - - - IntranetZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyUnsignedFrameworkComponentsURLaction_3 - LastWrite - - - - IntranetZoneAllowScriptlets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_Policy_AllowScriptlets_3 - LastWrite - - - - IntranetZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_Policy_Phishing_3 - LastWrite - - - - IntranetZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyUserdataPersistence_3 - LastWrite - - - - IntranetZoneDoNotRunAntimalwareAgainstActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyAntiMalwareCheckingOfActiveXControls_3 - LastWrite - - - - IntranetZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyScriptActiveXNotMarkedSafe_3 - LastWrite - - - - IntranetZoneJavaPermissions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyJavaPermissions_3 - LastWrite - - - - IntranetZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyNavigateSubframesAcrossDomains_3 - LastWrite - - - - LocalMachineZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyAccessDataSourcesAcrossDomains_9 - LastWrite - - - - LocalMachineZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyNotificationBarActiveXURLaction_9 - LastWrite - - - - LocalMachineZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyNotificationBarDownloadURLaction_9 - LastWrite - - - - LocalMachineZoneAllowFontDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyFontDownload_9 - LastWrite - - - - LocalMachineZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyZoneElevationURLaction_9 - LastWrite - - - - LocalMachineZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyUnsignedFrameworkComponentsURLaction_9 - LastWrite - - - - LocalMachineZoneAllowScriptlets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_Policy_AllowScriptlets_9 - LastWrite - - - - LocalMachineZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_Policy_Phishing_9 - LastWrite - - - - LocalMachineZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyUserdataPersistence_9 - LastWrite - - - - LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyAntiMalwareCheckingOfActiveXControls_9 - LastWrite - - - - LocalMachineZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyScriptActiveXNotMarkedSafe_9 - LastWrite - - - - LocalMachineZoneJavaPermissions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyJavaPermissions_9 - LastWrite - - - - LocalMachineZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyNavigateSubframesAcrossDomains_9 - LastWrite - - - - LockedDownInternetZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_PolicyAccessDataSourcesAcrossDomains_2 - LastWrite - - - - LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_PolicyNotificationBarActiveXURLaction_2 - LastWrite - - - - LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_PolicyNotificationBarDownloadURLaction_2 - LastWrite - - - - LockedDownInternetZoneAllowFontDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_PolicyFontDownload_2 - LastWrite - - - - LockedDownInternetZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_PolicyZoneElevationURLaction_2 - LastWrite - - - - LockedDownInternetZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_PolicyUnsignedFrameworkComponentsURLaction_2 - LastWrite - - - - LockedDownInternetZoneAllowScriptlets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_Policy_AllowScriptlets_2 - LastWrite - - - - LockedDownInternetZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_Policy_Phishing_2 - LastWrite - - - - LockedDownInternetZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_PolicyUserdataPersistence_2 - LastWrite - - - - LockedDownInternetZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_PolicyScriptActiveXNotMarkedSafe_2 - LastWrite - - - - LockedDownInternetZoneJavaPermissions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_PolicyJavaPermissions_2 - LastWrite - - - - LockedDownInternetZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_PolicyNavigateSubframesAcrossDomains_2 - LastWrite - - - - LockedDownIntranetJavaPermissions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_PolicyJavaPermissions_4 - LastWrite - - - - LockedDownIntranetZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_PolicyAccessDataSourcesAcrossDomains_4 - LastWrite - - - - LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_PolicyNotificationBarActiveXURLaction_4 - LastWrite - - - - LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_PolicyNotificationBarDownloadURLaction_4 - LastWrite - - - - LockedDownIntranetZoneAllowFontDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_PolicyFontDownload_4 - LastWrite - - - - LockedDownIntranetZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_PolicyZoneElevationURLaction_4 - LastWrite - - - - LockedDownIntranetZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_PolicyUnsignedFrameworkComponentsURLaction_4 - LastWrite - - - - LockedDownIntranetZoneAllowScriptlets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_Policy_AllowScriptlets_4 - LastWrite - - - - LockedDownIntranetZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_Policy_Phishing_4 - LastWrite - - - - LockedDownIntranetZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_PolicyUserdataPersistence_4 - LastWrite - - - - LockedDownIntranetZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_PolicyScriptActiveXNotMarkedSafe_4 - LastWrite - - - - LockedDownIntranetZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_PolicyNavigateSubframesAcrossDomains_4 - LastWrite - - - - LockedDownLocalMachineZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_PolicyAccessDataSourcesAcrossDomains_10 - LastWrite - - - - LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_PolicyNotificationBarActiveXURLaction_10 - LastWrite - - - - LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_PolicyNotificationBarDownloadURLaction_10 - LastWrite - - - - LockedDownLocalMachineZoneAllowFontDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_PolicyFontDownload_10 - LastWrite - - - - LockedDownLocalMachineZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_PolicyZoneElevationURLaction_10 - LastWrite - - - - LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_PolicyUnsignedFrameworkComponentsURLaction_10 - LastWrite - - - - LockedDownLocalMachineZoneAllowScriptlets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_Policy_AllowScriptlets_10 - LastWrite - - - - LockedDownLocalMachineZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_Policy_Phishing_10 - LastWrite - - - - LockedDownLocalMachineZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_PolicyUserdataPersistence_10 - LastWrite - - - - LockedDownLocalMachineZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_PolicyScriptActiveXNotMarkedSafe_10 - LastWrite - - - - LockedDownLocalMachineZoneJavaPermissions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_PolicyJavaPermissions_10 - LastWrite - - - - LockedDownLocalMachineZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_PolicyNavigateSubframesAcrossDomains_10 - LastWrite - - - - LockedDownRestrictedSitesZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_PolicyAccessDataSourcesAcrossDomains_8 - LastWrite - - - - LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_PolicyNotificationBarActiveXURLaction_8 - LastWrite - - - - LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_PolicyNotificationBarDownloadURLaction_8 - LastWrite - - - - LockedDownRestrictedSitesZoneAllowFontDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_PolicyFontDownload_8 - LastWrite - - - - LockedDownRestrictedSitesZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_PolicyZoneElevationURLaction_8 - LastWrite - - - - LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_PolicyUnsignedFrameworkComponentsURLaction_8 - LastWrite - - - - LockedDownRestrictedSitesZoneAllowScriptlets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_Policy_AllowScriptlets_8 - LastWrite - - - - LockedDownRestrictedSitesZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_Policy_Phishing_8 - LastWrite - - - - LockedDownRestrictedSitesZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_PolicyUserdataPersistence_8 - LastWrite - - - - LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_PolicyScriptActiveXNotMarkedSafe_8 - LastWrite - - - - LockedDownRestrictedSitesZoneJavaPermissions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_PolicyJavaPermissions_8 - LastWrite - - - - LockedDownRestrictedSitesZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_PolicyNavigateSubframesAcrossDomains_8 - LastWrite - - - - LockedDownTrustedSitesZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyAccessDataSourcesAcrossDomains_6 - LastWrite - - - - LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyNotificationBarActiveXURLaction_6 - LastWrite - - - - LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyNotificationBarDownloadURLaction_6 - LastWrite - - - - LockedDownTrustedSitesZoneAllowFontDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyFontDownload_6 - LastWrite - - - - LockedDownTrustedSitesZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyZoneElevationURLaction_6 - LastWrite - - - - LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyUnsignedFrameworkComponentsURLaction_6 - LastWrite - - - - LockedDownTrustedSitesZoneAllowScriptlets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_Policy_AllowScriptlets_6 - LastWrite - - - - LockedDownTrustedSitesZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_Policy_Phishing_6 - LastWrite - - - - LockedDownTrustedSitesZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyUserdataPersistence_6 - LastWrite - - - - LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyScriptActiveXNotMarkedSafe_6 - LastWrite - - - - LockedDownTrustedSitesZoneJavaPermissions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyJavaPermissions_6 - LastWrite - - - - LockedDownTrustedSitesZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyNavigateSubframesAcrossDomains_6 - LastWrite - - - - MimeSniffingSafetyFeatureInternetExplorerProcesses - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryMimeSniffingSafetyFeature - IESF_PolicyExplorerProcesses_6 - LastWrite - - - - MKProtocolSecurityRestrictionInternetExplorerProcesses - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryMKProtocolSecurityRestriction - IESF_PolicyExplorerProcesses_3 - LastWrite - - - - NewTabDefaultPage - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - NewTabAction - LastWrite - - - - NotificationBarInternetExplorerProcesses - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryInformationBar - IESF_PolicyExplorerProcesses_10 - LastWrite - - - - PreventManagingSmartScreenFilter - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - Disable_Managing_Safety_Filter_IE9 - LastWrite - - - - PreventPerUserInstallationOfActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - DisablePerUserActiveXInstall - LastWrite - - - - ProtectionFromZoneElevationInternetExplorerProcesses - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryProtectionFromZoneElevation - IESF_PolicyExplorerProcesses_9 - LastWrite - - - - RemoveRunThisTimeButtonForOutdatedActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement - VerMgmtDisableRunThisTime - LastWrite - - - - RestrictActiveXInstallInternetExplorerProcesses - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryRestrictActiveXInstall - IESF_PolicyExplorerProcesses_11 - LastWrite - - - - RestrictedSitesZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyAccessDataSourcesAcrossDomains_7 - LastWrite - - - - RestrictedSitesZoneAllowActiveScripting - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyActiveScripting_7 - LastWrite - - - - RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyNotificationBarActiveXURLaction_7 - LastWrite - - - - RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyNotificationBarDownloadURLaction_7 - LastWrite - - - - RestrictedSitesZoneAllowBinaryAndScriptBehaviors - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyBinaryBehaviors_7 - LastWrite - - - - RestrictedSitesZoneAllowCopyPasteViaScript - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyAllowPasteViaScript_7 - LastWrite - - - - RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyDropOrPasteFiles_7 - LastWrite - - - - RestrictedSitesZoneAllowFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyFileDownload_7 - LastWrite - - - - RestrictedSitesZoneAllowFontDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyFontDownload_7 - LastWrite - - - - RestrictedSitesZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyZoneElevationURLaction_7 - LastWrite - - - - RestrictedSitesZoneAllowLoadingOfXAMLFiles - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_Policy_XAML_7 - LastWrite - - - - RestrictedSitesZoneAllowMETAREFRESH - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyAllowMETAREFRESH_7 - LastWrite - - - - RestrictedSitesZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyUnsignedFrameworkComponentsURLaction_7 - LastWrite - - - - RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Restricted - LastWrite - - - - RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyAllowTDCControl_Both_Restricted - LastWrite - - - - RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_Policy_WebBrowserControl_7 - LastWrite - - - - RestrictedSitesZoneAllowScriptInitiatedWindows - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyWindowsRestrictionsURLaction_7 - LastWrite - - - - RestrictedSitesZoneAllowScriptlets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_Policy_AllowScriptlets_7 - LastWrite - - - - RestrictedSitesZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_Policy_Phishing_7 - LastWrite - - - - RestrictedSitesZoneAllowUpdatesToStatusBarViaScript - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_Policy_ScriptStatusBar_7 - LastWrite - - - - RestrictedSitesZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyUserdataPersistence_7 - LastWrite - - - - RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyAllowVBScript_7 - LastWrite - - - - RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyAntiMalwareCheckingOfActiveXControls_7 - LastWrite - - - - RestrictedSitesZoneDownloadSignedActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyDownloadSignedActiveX_7 - LastWrite - - - - RestrictedSitesZoneDownloadUnsignedActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyDownloadUnsignedActiveX_7 - LastWrite - - - - RestrictedSitesZoneEnableCrossSiteScriptingFilter - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyTurnOnXSSFilter_Both_Restricted - LastWrite - - - - RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Restricted - LastWrite - - - - RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Restricted - LastWrite - - - - RestrictedSitesZoneEnableMIMESniffing - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyMimeSniffingURLaction_7 - LastWrite - - - - RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_Policy_LocalPathForUpload_7 - LastWrite - - - - RestrictedSitesZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyScriptActiveXNotMarkedSafe_7 - LastWrite - - - - RestrictedSitesZoneJavaPermissions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyJavaPermissions_7 - LastWrite - - - - RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyLaunchAppsAndFilesInIFRAME_7 - LastWrite - - - - RestrictedSitesZoneLogonOptions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyLogon_7 - LastWrite - - - - RestrictedSitesZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyNavigateSubframesAcrossDomains_7 - LastWrite - - - - RestrictedSitesZoneRunActiveXControlsAndPlugins - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyRunActiveXControls_7 - LastWrite - - - - RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicySignedFrameworkComponentsURLaction_7 - LastWrite - - - - RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyScriptActiveXMarkedSafe_7 - LastWrite - - - - RestrictedSitesZoneScriptingOfJavaApplets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyScriptingOfJavaApplets_7 - LastWrite - - - - RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_Policy_UnsafeFiles_7 - LastWrite - - - - RestrictedSitesZoneTurnOnProtectedMode - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_Policy_TurnOnProtectedMode_7 - LastWrite - - - - RestrictedSitesZoneUsePopupBlocker - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyBlockPopupWindows_7 - LastWrite - - - - RestrictFileDownloadInternetExplorerProcesses - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryRestrictFileDownload - IESF_PolicyExplorerProcesses_12 - LastWrite - - - - ScriptedWindowSecurityRestrictionsInternetExplorerProcesses - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryScriptedWindowSecurityRestrictions - IESF_PolicyExplorerProcesses_8 - LastWrite - - - - SearchProviderList - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - SpecificSearchProvider - LastWrite - - - - SecurityZonesUseOnlyMachineSettings - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - Security_HKLM_only - LastWrite - - - - SpecifyUseOfActiveXInstallerService - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - OnlyUseAXISForActiveXInstall - LastWrite - - - - TrustedSitesZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyAccessDataSourcesAcrossDomains_5 - LastWrite - - - - TrustedSitesZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyNotificationBarActiveXURLaction_5 - LastWrite - - - - TrustedSitesZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyNotificationBarDownloadURLaction_5 - LastWrite - - - - TrustedSitesZoneAllowFontDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyFontDownload_5 - LastWrite - - - - TrustedSitesZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyZoneElevationURLaction_5 - LastWrite - - - - TrustedSitesZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyUnsignedFrameworkComponentsURLaction_5 - LastWrite - - - - TrustedSitesZoneAllowScriptlets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_Policy_AllowScriptlets_5 - LastWrite - - - - TrustedSitesZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_Policy_Phishing_5 - LastWrite - - - - TrustedSitesZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyUserdataPersistence_5 - LastWrite - - - - TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyAntiMalwareCheckingOfActiveXControls_5 - LastWrite - - - - TrustedSitesZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyScriptActiveXNotMarkedSafe_5 - LastWrite - - - - TrustedSitesZoneJavaPermissions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyJavaPermissions_5 - LastWrite - - - - TrustedSitesZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyNavigateSubframesAcrossDomains_5 - LastWrite - - - - - Kerberos - - - - - - - - - - - - - - - - - - - AllowForestSearchOrder - - - - - - - - - - - - - - - - - text/plain - - phone - Kerberos.admx - Kerberos~AT~System~kerberos - ForestSearch - LastWrite - - - - KerberosClientSupportsClaimsCompoundArmor - - - - - - - - - - - - - - - - - text/plain - - phone - Kerberos.admx - Kerberos~AT~System~kerberos - EnableCbacAndArmor - LastWrite - - - - RequireKerberosArmoring - - - - - - - - - - - - - - - - - text/plain - - phone - Kerberos.admx - Kerberos~AT~System~kerberos - ClientRequireFast - LastWrite - - - - RequireStrictKDCValidation - - - - - - - - - - - - - - - - - text/plain - - phone - Kerberos.admx - Kerberos~AT~System~kerberos - ValidateKDC - LastWrite - - - - SetMaximumContextTokenSize - - - - - - - - - - - - - - - - - text/plain - - phone - Kerberos.admx - Kerberos~AT~System~kerberos - MaxTokenSize - LastWrite - - - - UPNNameHints - - - - - - Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This can cause failures when such a device needs to resolve an AAD UPN into an Active Directory Principal. - - This parameter adds a list of domains that an Azure Active Directory joined device should attempt to contact if it is otherwise unable to resolve a UPN to a principal. - - - - - - - - - - - text/plain - - phone - LastWrite - 0xF000 - - - - - KioskBrowser - - - - - - - - - - - - - - - - - - - BlockedUrlExceptions - - - - - - List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. - - - - - - - - - - - text/plain - - phone - LastWrite - - - - BlockedUrls - - - - - - List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers can not navigate to. - - - - - - - - - - - text/plain - - phone - LastWrite - - - - DefaultURL - - - - - - Configures the default URL kiosk browsers to navigate on launch and restart. - - - - - - - - - - - text/plain - - phone - LastWrite - - - - EnableEndSessionButton - - - - - 0 - Enable/disable kiosk browser's end session button. - - - - - - - - - - - text/plain - - - phone - LastWrite - - - - EnableHomeButton - - - - - 0 - Enable/disable kiosk browser's home button. - - - - - - - - - - - text/plain - - - phone - LastWrite - - - - EnableNavigationButtons - - - - - 0 - Enable/disable kiosk browser's navigation buttons (forward/back). - - - - - - - - - - - text/plain - - - phone - LastWrite - - - - RestartOnIdleTime - - - - - 0 - Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state. - - - - - - - - - - - text/plain - - - phone - LastWrite - - - - - LanmanWorkstation - - - - - - - - - - - - - - - - - - - EnableInsecureGuestLogons - - - - - 0 - - - - - - - - - - - - text/plain - - - LanmanWorkstation.admx - LanmanWorkstation~AT~Network~Cat_LanmanWorkstation - Pol_EnableInsecureGuestLogons - LowestValueMostSecure - - - - - Licensing - - - - - - - - - - - - - - - - - - - AllowWindowsEntitlementReactivation - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - AVSValidationGP.admx - AVSValidationGP~AT~WindowsComponents~SoftwareProtectionPlatform - AllowWindowsEntitlementReactivation - LowestValueMostSecure - - - - DisallowKMSClientOnlineAVSValidation - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - AVSValidationGP.admx - AVSValidationGP~AT~WindowsComponents~SoftwareProtectionPlatform - NoAcquireGT - LowestValueMostSecure - - - - - LocalPoliciesSecurityOptions - - - - - - - - - - - - - - - - - - - Accounts_BlockMicrosoftAccounts - - - - - 0 - This policy setting prevents users from adding new Microsoft accounts on this computer. - -If you select the "Users can’t add Microsoft accounts" option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise. - -If you select the "Users can’t add or log on with Microsoft accounts" option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator on this computer to log on and manage the system. - -If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Accounts: Block Microsoft accounts - LastWrite - - - - Accounts_EnableAdministratorAccountStatus - - - - - 0 - This security setting determines whether the local Administrator account is enabled or disabled. - -Notes - -If you try to reenable the Administrator account after it has been disabled, and if the current Administrator password does not meet the password requirements, you cannot reenable the account. In this case, an alternative member of the Administrators group must reset the password on the Administrator account. For information about how to reset a password, see To reset a password. -Disabling the Administrator account can become a maintenance issue under certain circumstances. - -Under Safe Mode boot, the disabled Administrator account will only be enabled if the machine is non-domain joined and there are no other local active administrator accounts. If the computer is domain joined the disabled administrator will not be enabled. - -Default: Disabled. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Accounts: Administrator account status - LastWrite - - - - Accounts_EnableGuestAccountStatus - - - - - 0 - This security setting determines if the Guest account is enabled or disabled. - -Default: Disabled. - -Note: If the Guest account is disabled and the security option Network Access: Sharing and Security Model for local accounts is set to Guest Only, network logons, such as those performed by the Microsoft Network Server (SMB Service), will fail. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Accounts: Guest account status - LastWrite - - - - Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly - - - - - 1 - Accounts: Limit local account use of blank passwords to console logon only - -This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard. - -Default: Enabled. - - -Warning: - -Computers that are not in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the computer can log on by using a user account that does not have a password. This is especially important for portable computers. -If you apply this security policy to the Everyone group, no one will be able to log on through Remote Desktop Services. - -Notes - -This setting does not affect logons that use domain accounts. -It is possible for applications that use remote interactive logons to bypass this setting. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Accounts: Limit local account use of blank passwords to console logon only - LastWrite - - - - Accounts_RenameAdministratorAccount - - - - - Administrator - Accounts: Rename administrator account - -This security setting determines whether a different account name is associated with the security identifier (SID) for the account Administrator. Renaming the well-known Administrator account makes it slightly more difficult for unauthorized persons to guess this privileged user name and password combination. - -Default: Administrator. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Accounts: Rename administrator account - LastWrite - - - - Accounts_RenameGuestAccount - - - - - Guest - Accounts: Rename guest account - -This security setting determines whether a different account name is associated with the security identifier (SID) for the account "Guest." Renaming the well-known Guest account makes it slightly more difficult for unauthorized persons to guess this user name and password combination. - -Default: Guest. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Accounts: Rename guest account - LastWrite - - - - Devices_AllowedToFormatAndEjectRemovableMedia - - - - - 0 - Devices: Allowed to format and eject removable media - -This security setting determines who is allowed to format and eject removable NTFS media. This capability can be given to: - -Administrators -Administrators and Interactive Users - -Default: This policy is not defined and only Administrators have this ability. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Devices: Allowed to format and eject removable media - LastWrite - - - - Devices_AllowUndockWithoutHavingToLogon - - - - - 1 - Devices: Allow undock without having to log on -This security setting determines whether a portable computer can be undocked without having to log on. If this policy is enabled, logon is not required and an external hardware eject button can be used to undock the computer. If disabled, a user must log on and have the Remove computer from docking station privilege to undock the computer. -Default: Enabled. - -Caution -Disabling this policy may tempt users to try and physically remove the laptop from its docking station using methods other than the external hardware eject button. Since this may cause damage to the hardware, this setting, in general, should only be disabled on laptop configurations that are physically securable. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Devices: Allow undock without having to log on - LastWrite - - - - Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters - - - - - 0 - Devices: Prevent users from installing printer drivers when connecting to shared printers - -For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. If this setting is enabled, only Administrators can install a printer driver as part of connecting to a shared printer. If this setting is disabled, any user can install a printer driver as part of connecting to a shared printer. - -Default on servers: Enabled. -Default on workstations: Disabled - -Notes - -This setting does not affect the ability to add a local printer. -This setting does not affect Administrators. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Devices: Prevent users from installing printer drivers - LastWrite - - - - Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly - - - - - 0 - Devices: Restrict CD-ROM access to locally logged-on user only - -This security setting determines whether a CD-ROM is accessible to both local and remote users simultaneously. - -If this policy is enabled, it allows only the interactively logged-on user to access removable CD-ROM media. If this policy is enabled and no one is logged on interactively, the CD-ROM can be accessed over the network. - -Default: This policy is not defined and CD-ROM access is not restricted to the locally logged-on user. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Devices: Restrict CD-ROM access to locally logged-on user only - LastWrite - - - - InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked - - - - - 1 - Interactive Logon:Display user information when the session is locked -User display name, domain and user names (1) -User display name only (2) -Do not display user information (3) -Domain and user names only (4) - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Interactive logon: Display user information when the session is locked - LastWrite - - - - InteractiveLogon_DoNotDisplayLastSignedIn - - - - - 0 - Interactive logon: Don't display last signed-in -This security setting determines whether the Windows sign-in screen will show the username of the last person who signed in on this PC. -If this policy is enabled, the username will not be shown. - -If this policy is disabled, the username will be shown. - -Default: Disabled. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Interactive logon: Don't display last signed-in - LastWrite - - - - InteractiveLogon_DoNotDisplayUsernameAtSignIn - - - - - 1 - Interactive logon: Don't display username at sign-in -This security setting determines whether the username of the person signing in to this PC appears at Windows sign-in, after credentials are entered, and before the PC desktop is shown. -If this policy is enabled, the username will not be shown. - -If this policy is disabled, the username will be shown. - -Default: Disabled. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Interactive logon: Don't display username at sign-in - LastWrite - - - - InteractiveLogon_DoNotRequireCTRLALTDEL - - - - - 1 - Interactive logon: Do not require CTRL+ALT+DEL - -This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on. - -If this policy is enabled on a computer, a user is not required to press CTRL+ALT+DEL to log on. Not having to press CTRL+ALT+DEL leaves users susceptible to attacks that attempt to intercept the users' passwords. Requiring CTRL+ALT+DEL before users log on ensures that users are communicating by means of a trusted path when entering their passwords. - -If this policy is disabled, any user is required to press CTRL+ALT+DEL before logging on to Windows. - -Default on domain-computers: Enabled: At least Windows 8/Disabled: Windows 7 or earlier. -Default on stand-alone computers: Enabled. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Interactive logon: Do not require CTRL+ALT+DEL - LastWrite - - - - InteractiveLogon_MachineInactivityLimit - - - - - 0 - Interactive logon: Machine inactivity limit. - -Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. - -Default: not enforced. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Interactive logon: Machine inactivity limit - LastWrite - - - - InteractiveLogon_MessageTextForUsersAttemptingToLogOn - - - - - - Interactive logon: Message text for users attempting to log on - -This security setting specifies a text message that is displayed to users when they log on. - -This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited. - -Default: No message. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Interactive logon: Message text for users attempting to log on - LastWrite - 0xF000 - - - - InteractiveLogon_MessageTitleForUsersAttemptingToLogOn - - - - - - Interactive logon: Message title for users attempting to log on - -This security setting allows the specification of a title to appear in the title bar of the window that contains the Interactive logon: Message text for users attempting to log on. - -Default: No message. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Interactive logon: Message title for users attempting to log on - LastWrite - - - - InteractiveLogon_SmartCardRemovalBehavior - - - - - 0 - Interactive logon: Smart card removal behavior - -This security setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. - -The options are: - - No Action - Lock Workstation - Force Logoff - Disconnect if a Remote Desktop Services session - -If you click Lock Workstation in the Properties dialog box for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session. - -If you click Force Logoff in the Properties dialog box for this policy, the user is automatically logged off when the smart card is removed. - -If you click Disconnect if a Remote Desktop Services session, removal of the smart card disconnects the session without logging the user off. This allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to log on again. If the session is local, this policy functions identically to Lock Workstation. - -Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server. - -Default: This policy is not defined, which means that the system treats it as No action. - -On Windows Vista and above: For this setting to work, the Smart Card Removal Policy service must be started. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Interactive logon: Smart card removal behavior - LastWrite - - - - MicrosoftNetworkClient_DigitallySignCommunicationsAlways - - - - - 0 - Microsoft network client: Digitally sign communications (always) - -This security setting determines whether packet signing is required by the SMB client component. - -The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted. - -If this setting is enabled, the Microsoft network client will not communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server. - -Default: Disabled. - -Important - -For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, set Microsoft network client: Digitally sign communications (if server agrees). - -Notes - -All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later operating systems, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: -Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. -Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. -Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. -Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. -SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. -For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Microsoft network client: Digitally sign communications (always) - LastWrite - - - - MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees - - - - - 1 - Microsoft network client: Digitally sign communications (if server agrees) - -This security setting determines whether the SMB client attempts to negotiate SMB packet signing. - -The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB client component attempts to negotiate SMB packet signing when it connects to an SMB server. - -If this setting is enabled, the Microsoft network client will ask the server to perform SMB packet signing upon session setup. If packet signing has been enabled on the server, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing. - -Default: Enabled. - -Notes - -All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: -Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. -Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. -Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. -Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. -If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. -SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. -For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Microsoft network client: Digitally sign communications (if server agrees) - LastWrite - - - - MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers - - - - - 0 - Microsoft network client: Send unencrypted password to connect to third-party SMB servers - -If this security setting is enabled, the Server Message Block (SMB) redirector is allowed to send plaintext passwords to non-Microsoft SMB servers that do not support password encryption during authentication. - -Sending unencrypted passwords is a security risk. - -Default: Disabled. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Microsoft network client: Send unencrypted password to third-party SMB servers - LastWrite - - - - MicrosoftNetworkServer_DigitallySignCommunicationsAlways - - - - - 0 - Microsoft network server: Digitally sign communications (always) - -This security setting determines whether packet signing is required by the SMB server component. - -The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB client is permitted. - -If this setting is enabled, the Microsoft network server will not communicate with a Microsoft network client unless that client agrees to perform SMB packet signing. If this setting is disabled, SMB packet signing is negotiated between the client and server. - -Default: - -Disabled for member servers. -Enabled for domain controllers. - -Notes - -All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: -Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. -Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. -Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. -Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. -Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. -If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled. -SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. - -Important - -For this policy to take effect on computers running Windows 2000, server-side packet signing must also be enabled. To enable server-side SMB packet signing, set the following policy: -Microsoft network server: Digitally sign communications (if server agrees) - -For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the Windows 2000 server: -HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature -For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Microsoft network server: Digitally sign communications (always) - LastWrite - - - - MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees - - - - - 0 - Microsoft network server: Digitally sign communications (if client agrees) - -This security setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. - -The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB server will negotiate SMB packet signing when an SMB client requests it. - -If this setting is enabled, the Microsoft network server will negotiate SMB packet signing as requested by the client. That is, if packet signing has been enabled on the client, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing. - -Default: Enabled on domain controllers only. - -Important - -For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the server running Windows 2000: HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature - -Notes - -All Windows operating systems support both a client-side SMB component and a server-side SMB component. For Windows 2000 and above, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: -Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. -Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. -Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. -Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. -If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. -SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. -For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Microsoft network server: Digitally sign communications (if client agrees) - LastWrite - - - - NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts - - - - - 1 - Network access: Do not allow anonymous enumeration of SAM accounts - -This security setting determines what additional permissions will be granted for anonymous connections to the computer. - -Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. - -This security option allows additional restrictions to be placed on anonymous connections as follows: - -Enabled: Do not allow enumeration of SAM accounts. This option replaces Everyone with Authenticated Users in the security permissions for resources. -Disabled: No additional restrictions. Rely on default permissions. - -Default on workstations: Enabled. -Default on server:Enabled. - -Important - -This policy has no impact on domain controllers. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Network access: Do not allow anonymous enumeration of SAM accounts - LastWrite - - - - NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares - - - - - 0 - Network access: Do not allow anonymous enumeration of SAM accounts and shares - -This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed. - -Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. If you do not want to allow anonymous enumeration of SAM accounts and shares, then enable this policy. - -Default: Disabled. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Network access: Do not allow anonymous enumeration of SAM accounts and shares - LastWrite - - - - NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares - - - - - 1 - Network access: Restrict anonymous access to Named Pipes and Shares - -When enabled, this security setting restricts anonymous access to shares and pipes to the settings for: - -Network access: Named pipes that can be accessed anonymously -Network access: Shares that can be accessed anonymously -Default: Enabled. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Network access: Restrict anonymous access to Named Pipes and Shares - LastWrite - - - - NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM - - - - - - Network access: Restrict clients allowed to make remote calls to SAM - -This policy setting allows you to restrict remote rpc connections to SAM. - -If not selected, the default security descriptor will be used. - -This policy is supported on at least Windows Server 2016. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Network access: Restrict clients allowed to make remote calls to SAM - LastWrite - - - - NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM - - - - - 1 - Network security: Allow Local System to use computer identity for NTLM - -This policy setting allows Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication. - -If you enable this policy setting, services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error. - -If you disable this policy setting, services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. - -By default, this policy is enabled on Windows 7 and above. - -By default, this policy is disabled on Windows Vista. - -This policy is supported on at least Windows Vista or Windows Server 2008. - -Note: Windows Vista or Windows Server 2008 do not expose this setting in Group Policy. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Network security: Allow Local System to use computer identity for NTLM - LastWrite - - - - NetworkSecurity_AllowPKU2UAuthenticationRequests - - - - - 1 - Network security: Allow PKU2U authentication requests to this computer to use online identities. - -This policy will be turned off by default on domain joined machines. This would prevent online identities from authenticating to the domain joined machine. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Network security: Allow PKU2U authentication requests to this computer to use online identities. - LastWrite - - - - NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange - - - - - 1 - Network security: Do not store LAN Manager hash value on next password change - -This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database the passwords can be compromised if the security database is attacked. - - -Default on Windows Vista and above: Enabled -Default on Windows XP: Disabled. - -Important - -Windows 2000 Service Pack 2 (SP2) and above offer compatibility with authentication to previous versions of Windows, such as Microsoft Windows NT 4.0. -This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP, and the Windows Server 2003 family to communicate with computers running Windows 95 and Windows 98. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Network security: Do not store LAN Manager hash value on next password change - LastWrite - - - - NetworkSecurity_LANManagerAuthenticationLevel - - - - - 3 - Network security LAN Manager authentication level - -This security setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows: - -Send LM and NTLM responses: Clients use LM and NTLM authentication and never use NTLMv2 session security; domain controllers accept LM, NTLM, and NTLMv2 authentication. - -Send LM and NTLM - use NTLMv2 session security if negotiated: Clients use LM and NTLM authentication and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. - -Send NTLM response only: Clients use NTLM authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. - -Send NTLMv2 response only: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. - -Send NTLMv2 response only\refuse LM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM (accept only NTLM and NTLMv2 authentication). - -Send NTLMv2 response only\refuse LM and NTLM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM and NTLM (accept only NTLMv2 authentication). - -Important - -This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, and the Windows Server 2003 family to communicate with computers running Windows NT 4.0 and earlier over the network. For example, at the time of this writing, computers running Windows NT 4.0 SP4 and earlier did not support NTLMv2. Computers running Windows 95 and Windows 98 did not support NTLM. - -Default: - -Windows 2000 and windows XP: send LM and NTLM responses - -Windows Server 2003: Send NTLM response only - -Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: Send NTLMv2 response only - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Network security: LAN Manager authentication level - HighestValueMostSecure - - - - NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients - - - - - 536870912 - Network security: Minimum session security for NTLM SSP based (including secure RPC) clients - -This security setting allows a client to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are: - -Require NTLMv2 session security: The connection will fail if NTLMv2 protocol is not negotiated. -Require 128-bit encryption: The connection will fail if strong encryption (128-bit) is not negotiated. - -Default: - -Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements. - -Windows 7 and Windows Server 2008 R2: Require 128-bit encryption - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Network security: Minimum session security for NTLM SSP based (including secure RPC) clients - HighestValueMostSecure - - - - NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers - - - - - 536870912 - Network security: Minimum session security for NTLM SSP based (including secure RPC) servers - -This security setting allows a server to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are: - -Require NTLMv2 session security: The connection will fail if message integrity is not negotiated. -Require 128-bit encryption. The connection will fail if strong encryption (128-bit) is not negotiated. - -Default: - -Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements. - -Windows 7 and Windows Server 2008 R2: Require 128-bit encryption - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Network security: Minimum session security for NTLM SSP based (including secure RPC) servers - HighestValueMostSecure - - - - NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication - - - - - - Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication - -This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication if the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy setting is configured. - -If you configure this policy setting, you can define a list of remote servers to which clients are allowed to use NTLM authentication. - -If you do not configure this policy setting, no exceptions will be applied. - -The naming format for servers on this exception list is the fully qualified domain name (FQDN) or NetBIOS server name used by the application, listed one per line. To ensure exceptions the name used by all applications needs to be in the list, and to ensure an exception is accurate, the server name should be listed in both naming formats . A single asterisk (*) can be used anywhere in the string as a wildcard character. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication - LastWrite - - - - NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic - - - - - 0 - Network security: Restrict NTLM: Audit Incoming NTLM Traffic - -This policy setting allows you to audit incoming NTLM traffic. - -If you select "Disable", or do not configure this policy setting, the server will not log events for incoming NTLM traffic. - -If you select "Enable auditing for domain accounts", the server will log events for NTLM pass-through authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all domain accounts" option. - -If you select "Enable auditing for all accounts", the server will log events for all NTLM authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all accounts" option. - -This policy is supported on at least Windows 7 or Windows Server 2008 R2. - -Note: Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Network security: Restrict NTLM: Audit Incoming NTLM Traffic - HighestValueMostSecure - - - - NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic - - - - - 0 - Network security: Restrict NTLM: Incoming NTLM traffic - -This policy setting allows you to deny or allow incoming NTLM traffic. - -If you select "Allow all" or do not configure this policy setting, the server will allow all NTLM authentication requests. - -If you select "Deny all domain accounts," the server will deny NTLM authentication requests for domain logon and display an NTLM blocked error, but allow local account logon. - -If you select "Deny all accounts," the server will deny NTLM authentication requests from incoming traffic and display an NTLM blocked error. - -This policy is supported on at least Windows 7 or Windows Server 2008 R2. - -Note: Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Network security: Restrict NTLM: Incoming NTLM traffic - HighestValueMostSecure - - - - NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers - - - - - 0 - Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers - -This policy setting allows you to deny or audit outgoing NTLM traffic from this Windows 7 or this Windows Server 2008 R2 computer to any Windows remote server. - -If you select "Allow all" or do not configure this policy setting, the client computer can authenticate identities to a remote server by using NTLM authentication. - -If you select "Audit all," the client computer logs an event for each NTLM authentication request to a remote server. This allows you to identify those servers receiving NTLM authentication requests from the client computer. - -If you select "Deny all," the client computer cannot authenticate identities to a remote server by using NTLM authentication. You can use the "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" policy setting to define a list of remote servers to which clients are allowed to use NTLM authentication. - -This policy is supported on at least Windows 7 or Windows Server 2008 R2. - -Note: Audit and block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers - HighestValueMostSecure - - - - Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn - - - - - 1 - Shutdown: Allow system to be shut down without having to log on - -This security setting determines whether a computer can be shut down without having to log on to Windows. - -When this policy is enabled, the Shut Down command is available on the Windows logon screen. - -When this policy is disabled, the option to shut down the computer does not appear on the Windows logon screen. In this case, users must be able to log on to the computer successfully and have the Shut down the system user right before they can perform a system shutdown. - -Default on workstations: Enabled. -Default on servers: Disabled. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Shutdown: Allow system to be shut down without having to log on - LastWrite - - - - Shutdown_ClearVirtualMemoryPageFile - - - - - 0 - Shutdown: Clear virtual memory pagefile - -This security setting determines whether the virtual memory pagefile is cleared when the system is shut down. - -Virtual memory support uses a system pagefile to swap pages of memory to disk when they are not used. On a running system, this pagefile is opened exclusively by the operating system, and it is well protected. However, systems that are configured to allow booting to other operating systems might have to make sure that the system pagefile is wiped clean when this system shuts down. This ensures that sensitive information from process memory that might go into the pagefile is not available to an unauthorized user who manages to directly access the pagefile. - -When this policy is enabled, it causes the system pagefile to be cleared upon clean shutdown. If you enable this security option, the hibernation file (hiberfil.sys) is also zeroed out when hibernation is disabled. - -Default: Disabled. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Shutdown: Clear virtual memory pagefile - LastWrite - - - - UserAccountControl_AllowUIAccessApplicationsToPromptForElevation - - - - - 0 - User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop. - -This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. - -• Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. - -• Disabled: (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop - LastWrite - - - - UserAccountControl_BehaviorOfTheElevationPromptForAdministrators - - - - - 5 - User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode - -This policy setting controls the behavior of the elevation prompt for administrators. - -The options are: - -• Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constrained environments. - -• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. - -• Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. - -• Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. - -• Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. - -• Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode - LastWrite - - - - UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers - - - - - 3 - User Account Control: Behavior of the elevation prompt for standard users -This policy setting controls the behavior of the elevation prompt for standard users. - -The options are: - -• Prompt for credentials: (Default) When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. - -• Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls. - -• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - User Account Control: Behavior of the elevation prompt for standard users - LastWrite - - - - UserAccountControl_DetectApplicationInstallationsAndPromptForElevation - - - - - 1 - User Account Control: Detect application installations and prompt for elevation - -This policy setting controls the behavior of application installation detection for the computer. - -The options are: - -Enabled: (Default) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. - -Disabled: Application installation packages are not detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies such as Group Policy Software Installation or Systems Management Server (SMS) should disable this policy setting. In this case, installer detection is unnecessary. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - User Account Control: Detect application installations and prompt for elevation - LastWrite - - - - UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated - - - - - 0 - User Account Control: Only elevate executable files that are signed and validated - -This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers. - -The options are: - -• Enabled: Enforces the PKI certification path validation for a given executable file before it is permitted to run. - -• Disabled: (Default) Does not enforce PKI certification path validation before a given executable file is permitted to run. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - User Account Control: Only elevate executables that are signed and validated - LastWrite - - - - UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations - - - - - 1 - User Account Control: Only elevate UIAccess applications that are installed in secure locations - -This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: - -- …\Program Files\, including subfolders -- …\Windows\system32\ -- …\Program Files (x86)\, including subfolders for 64-bit versions of Windows - -Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. - -The options are: - -• Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity. - -• Disabled: An application runs with UIAccess integrity even if it does not reside in a secure location in the file system. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - User Account Control: Only elevate UIAccess applications that are installed in secure locations - LastWrite - - - - UserAccountControl_RunAllAdministratorsInAdminApprovalMode - - - - - 1 - User Account Control: Turn on Admin Approval Mode - -This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. - -The options are: - -• Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. - -• Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - User Account Control: Run all administrators in Admin Approval Mode - LastWrite - - - - UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation - - - - - 1 - User Account Control: Switch to the secure desktop when prompting for elevation - -This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. - -The options are: - -• Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users. - -• Disabled: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - User Account Control: Switch to the secure desktop when prompting for elevation - LastWrite - - - - UserAccountControl_UseAdminApprovalMode - - - - - 0 - User Account Control: Use Admin Approval Mode for the built-in Administrator account - -This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. - -The options are: - -• Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation. - -• Disabled: (Default) The built-in Administrator account runs all applications with full administrative privilege. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - User Account Control: Admin Approval Mode for the Built-in Administrator account - LastWrite - - - - UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations - - - - - 1 - User Account Control: Virtualize file and registry write failures to per-user locations - -This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software. - -The options are: - -• Enabled: (Default) Application write failures are redirected at run time to defined user locations for both the file system and registry. - -• Disabled: Applications that write data to protected locations fail. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - User Account Control: Virtualize file and registry write failures to per-user locations - LastWrite - - - - - LocalUsersAndGroups - - - - - - - - - - - - - - - - - - - Configure - - - - - - This Setting allows an administrator to manage local groups on a Device. - Possible settings: - 1. Update Group Membership: Update a group and add and/or remove members though the 'U' action. - When using Update, existing group members that are not specified in the policy remain untouched. - 2. Replace Group Membership: Restrict a group by replacing group membership through the 'R' action. - When using Replace, existing group membership is replaced by the list of members specified in - the add member section. This option works in the same way as a Restricted Group and any group - members that are not specified in the policy are removed. - Caution: If the same group is configured with both Replace and Update, then Replace will win. - - - - - - - - - - - text/plain - - phone - LastWrite - - - - - - - - - - - - Group Configuration Action - - - - - - - - Group Member to Add - - - - - - - - Group Member to Remove - - - - - - - - Group property to configure - - - - - - - - - - - - - - - - Local Group Configuration - - - - - - - - - - - LockDown - - - - - - - - - - - - - - - - - - - AllowEdgeSwipe - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - EdgeUI.admx - EdgeUI~AT~WindowsComponents~EdgeUI - AllowEdgeSwipe - LowestValueMostSecure - - - - - Maps - - - - - - - - - - - - - - - - - - - AllowOfflineMapsDownloadOverMeteredConnection - - - - - 65535 - - - - - - - - - - - - text/plain - - - LastWrite - - - - EnableOfflineMapsAutoUpdate - - - - - 65535 - - - - - - - - - - - - text/plain - - - WinMaps.admx - WinMaps~AT~WindowsComponents~Maps - TurnOffAutoUpdate - LastWrite - - - - - Messaging - - - - - - - - - - - - - - - - - - - AllowMessageSync - - - - - 1 - This policy setting allows backup and restore of cellular text messages to Microsoft's cloud services. - - - - - - - - - - - text/plain - - - messaging.admx - messaging~AT~WindowsComponents~Messaging_Category - AllowMessageSync - LowestValueMostSecure - - - - AllowMMS - - - - - 1 - This policy setting allows you to enable or disable the sending and receiving cellular MMS messages. - - - - - - - - - - - text/plain - - - desktop - LowestValueMostSecure - - - - AllowRCS - - - - - 1 - This policy setting allows you to enable or disable the sending and receiving of cellular RCS (Rich Communication Services) messages. - - - - - - - - - - - text/plain - - - desktop - LowestValueMostSecure - - - - - MixedReality - - - - - - - - - - - - - - - - - - - AADGroupMembershipCacheValidityInDays - - - - - 0 - - - - - - - - - - - - text/plain - - - LastWrite - - - - BrightnessButtonDisabled - - - - - 0 - - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - FallbackDiagnostics - - - - - 2 - - - - - - - - - - - - text/plain - - - LastWrite - - - - MicrophoneDisabled - - - - - 0 - - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - VolumeButtonDisabled - - - - - 0 - - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - - MSSecurityGuide - - - - - - - - - - - - - - - - - - - ApplyUACRestrictionsToLocalAccountsOnNetworkLogon - - - - - - - - - - - - - - - - - text/plain - - phone - SecGuide.admx - SecGuide~AT~Cat_SecGuide - Pol_SecGuide_0201_LATFP - LastWrite - - - - ConfigureSMBV1ClientDriver - - - - - - - - - - - - - - - - - text/plain - - phone - SecGuide.admx - SecGuide~AT~Cat_SecGuide - Pol_SecGuide_0002_SMBv1_ClientDriver - LastWrite - - - - ConfigureSMBV1Server - - - - - - - - - - - - - - - - - text/plain - - phone - SecGuide.admx - SecGuide~AT~Cat_SecGuide - Pol_SecGuide_0001_SMBv1_Server - LastWrite - - - - EnableStructuredExceptionHandlingOverwriteProtection - - - - - - - - - - - - - - - - - text/plain - - phone - SecGuide.admx - SecGuide~AT~Cat_SecGuide - Pol_SecGuide_0102_SEHOP - LastWrite - - - - TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications - - - - - - - - - - - - - - - - - text/plain - - phone - SecGuide.admx - SecGuide~AT~Cat_SecGuide - Pol_SecGuide_0101_WDPUA - LastWrite - - - - WDigestAuthentication - - - - - - - - - - - - - - - - - text/plain - - phone - SecGuide.admx - SecGuide~AT~Cat_SecGuide - Pol_SecGuide_0202_WDigestAuthn - LastWrite - - - - - MSSLegacy - - - - - - - - - - - - - - - - - - - AllowICMPRedirectsToOverrideOSPFGeneratedRoutes - - - - - - - - - - - - - - - - - text/plain - - phone - mss-legacy.admx - Mss-legacy~AT~Cat_MSS - Pol_MSS_EnableICMPRedirect - LastWrite - - - - AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers - - - - - - - - - - - - - - - - - text/plain - - phone - mss-legacy.admx - Mss-legacy~AT~Cat_MSS - Pol_MSS_NoNameReleaseOnDemand - LastWrite - - - - IPSourceRoutingProtectionLevel - - - - - - - - - - - - - - - - - text/plain - - phone - mss-legacy.admx - Mss-legacy~AT~Cat_MSS - Pol_MSS_DisableIPSourceRouting - LastWrite - - - - IPv6SourceRoutingProtectionLevel - - - - - - - - - - - - - - - - - text/plain - - phone - mss-legacy.admx - Mss-legacy~AT~Cat_MSS - Pol_MSS_DisableIPSourceRoutingIPv6 - LastWrite - - - - - NetworkIsolation - - - - - - - - - - - - - - - - - - - EnterpriseCloudResources - - - - - - - - - - - - - - - - - text/plain - - NetworkIsolation.admx - WF_NetIsolation_EnterpriseCloudResourcesBox - NetworkIsolation~AT~Network~WF_Isolation - WF_NetIsolation_EnterpriseCloudResources - LastWrite - - - - EnterpriseInternalProxyServers - - - - - - - - - - - - - - - - - text/plain - - NetworkIsolation.admx - WF_NetIsolation_Intranet_ProxiesBox - NetworkIsolation~AT~Network~WF_Isolation - WF_NetIsolation_Intranet_Proxies - LastWrite - - - - EnterpriseIPRange - - - - - - - - - - - - - - - - - text/plain - - NetworkIsolation.admx - WF_NetIsolation_PrivateSubnetBox - NetworkIsolation~AT~Network~WF_Isolation - WF_NetIsolation_PrivateSubnet - LastWrite - - - - EnterpriseIPRangesAreAuthoritative - - - - - 0 - - - - - - - - - - - - text/plain - - - NetworkIsolation.admx - NetworkIsolation~AT~Network~WF_Isolation - WF_NetIsolation_Authoritative_Subnet - LastWrite - - - - EnterpriseNetworkDomainNames - - - - - - - - - - - - - - - - - text/plain - - LastWrite - - - - EnterpriseProxyServers - - - - - - - - - - - - - - - - - text/plain - - NetworkIsolation.admx - WF_NetIsolation_Domain_ProxiesBox - NetworkIsolation~AT~Network~WF_Isolation - WF_NetIsolation_Domain_Proxies - LastWrite - - - - EnterpriseProxyServersAreAuthoritative - - - - - 0 - - - - - - - - - - - - text/plain - - - NetworkIsolation.admx - NetworkIsolation~AT~Network~WF_Isolation - WF_NetIsolation_Authoritative_Proxies - LastWrite - - - - NeutralResources - - - - - - - - - - - - - - - - - text/plain - - NetworkIsolation.admx - WF_NetIsolation_NeutralResourcesBox - NetworkIsolation~AT~Network~WF_Isolation - WF_NetIsolation_NeutralResources - LastWrite - - - - - Notifications - - - - - - - - - - - - - - - - - - - DisallowCloudNotification - - - - - 0 - - - - - - - - - - - - text/plain - - - WPN.admx - WPN~AT~StartMenu~NotificationsCategory - NoCloudNotification - LowestValueMostSecure - - - - - Power - - - - - - - - - - - - - - - - - - - AllowStandbyStatesWhenSleepingOnBattery - - - - - - - - - - - - - - - - - text/plain - - phone - power.admx - Power~AT~System~PowerManagementCat~PowerSleepSettingsCat - AllowStandbyStatesDC_2 - LastWrite - - - - AllowStandbyWhenSleepingPluggedIn - - - - - - - - - - - - - - - - - text/plain - - phone - power.admx - Power~AT~System~PowerManagementCat~PowerSleepSettingsCat - AllowStandbyStatesAC_2 - LastWrite - - - - DisplayOffTimeoutOnBattery - - - - - - - - - - - - - - - - - text/plain - - phone - power.admx - Power~AT~System~PowerManagementCat~PowerVideoSettingsCat - VideoPowerDownTimeOutDC_2 - LastWrite - - - - DisplayOffTimeoutPluggedIn - - - - - - - - - - - - - - - - - text/plain - - phone - power.admx - Power~AT~System~PowerManagementCat~PowerVideoSettingsCat - VideoPowerDownTimeOutAC_2 - LastWrite - - - - EnergySaverBatteryThresholdOnBattery - - - - - 0 - This policy setting allows you to specify battery charge level at which Energy Saver is turned on. - -If you enable this policy setting, you must provide a percent value, indicating the battery charge level. Energy Saver will be automatically turned on at (and below) the specified level. - -If you disable or do not configure this policy setting, users control this setting. - - - - - - - - - - - text/plain - - - Power.admx - EnterEsBattThreshold - Power~AT~System~PowerManagementCat~EnergySaverSettingsCat - EsBattThresholdDC - LastWrite - - - - EnergySaverBatteryThresholdPluggedIn - - - - - 0 - This policy setting allows you to specify battery charge level at which Energy Saver is turned on. - -If you enable this policy setting, you must provide a percent value, indicating the battery charge level. Energy Saver will be automatically turned on at (and below) the specified level. - -If you disable or do not configure this policy setting, users control this setting. - - - - - - - - - - - text/plain - - - Power.admx - EnterEsBattThreshold - Power~AT~System~PowerManagementCat~EnergySaverSettingsCat - EsBattThresholdAC - LastWrite - - - - HibernateTimeoutOnBattery - - - - - - - - - - - - - - - - - text/plain - - phone - power.admx - Power~AT~System~PowerManagementCat~PowerSleepSettingsCat - DCHibernateTimeOut_2 - LastWrite - - - - HibernateTimeoutPluggedIn - - - - - - - - - - - - - - - - - text/plain - - phone - power.admx - Power~AT~System~PowerManagementCat~PowerSleepSettingsCat - ACHibernateTimeOut_2 - LastWrite - - - - RequirePasswordWhenComputerWakesOnBattery - - - - - - - - - - - - - - - - - text/plain - - phone - power.admx - Power~AT~System~PowerManagementCat~PowerSleepSettingsCat - DCPromptForPasswordOnResume_2 - LastWrite - - - - RequirePasswordWhenComputerWakesPluggedIn - - - - - - - - - - - - - - - - - text/plain - - phone - power.admx - Power~AT~System~PowerManagementCat~PowerSleepSettingsCat - ACPromptForPasswordOnResume_2 - LastWrite - - - - SelectLidCloseActionOnBattery - - - - - 1 - This policy setting specifies the action that Windows takes when a user closes the lid on a mobile PC. - -Possible actions include: -0 - Take no action -1 - Sleep -2 - Hibernate -3 - Shut down - -If you enable this policy setting, you must select the desired action. - -If you disable this policy setting or do not configure it, users can see and change this setting. - - - - - - - - - - - text/plain - - - Power.admx - SelectDCSystemLidAction - Power~AT~System~PowerManagementCat~PowerButtonActionSettingsCat - DCSystemLidAction_2 - LastWrite - - - - SelectLidCloseActionPluggedIn - - - - - 1 - This policy setting specifies the action that Windows takes when a user closes the lid on a mobile PC. - -Possible actions include: -0 - Take no action -1 - Sleep -2 - Hibernate -3 - Shut down - -If you enable this policy setting, you must select the desired action. - -If you disable this policy setting or do not configure it, users can see and change this setting. - - - - - - - - - - - text/plain - - - Power.admx - SelectACSystemLidAction - Power~AT~System~PowerManagementCat~PowerButtonActionSettingsCat - ACSystemLidAction_2 - LastWrite - - - - SelectPowerButtonActionOnBattery - - - - - 1 - This policy setting specifies the action that Windows takes when a user presses the power button. - -Possible actions include: -0 - Take no action -1 - Sleep -2 - Hibernate -3 - Shut down - -If you enable this policy setting, you must select the desired action. - -If you disable this policy setting or do not configure it, users can see and change this setting. - - - - - - - - - - - text/plain - - - Power.admx - SelectDCPowerButtonAction - Power~AT~System~PowerManagementCat~PowerButtonActionSettingsCat - DCPowerButtonAction_2 - LastWrite - - - - SelectPowerButtonActionPluggedIn - - - - - 1 - This policy setting specifies the action that Windows takes when a user presses the power button. - -Possible actions include: -0 - Take no action -1 - Sleep -2 - Hibernate -3 - Shut down - -If you enable this policy setting, you must select the desired action. - -If you disable this policy setting or do not configure it, users can see and change this setting. - - - - - - - - - - - text/plain - - - Power.admx - SelectACPowerButtonAction - Power~AT~System~PowerManagementCat~PowerButtonActionSettingsCat - ACPowerButtonAction_2 - LastWrite - - - - SelectSleepButtonActionOnBattery - - - - - 1 - This policy setting specifies the action that Windows takes when a user presses the sleep button. - -Possible actions include: -0 - Take no action -1 - Sleep -2 - Hibernate -3 - Shut down - -If you enable this policy setting, you must select the desired action. - -If you disable this policy setting or do not configure it, users can see and change this setting. - - - - - - - - - - - text/plain - - - Power.admx - SelectDCSleepButtonAction - Power~AT~System~PowerManagementCat~PowerButtonActionSettingsCat - DCSleepButtonAction_2 - LastWrite - - - - SelectSleepButtonActionPluggedIn - - - - - 1 - This policy setting specifies the action that Windows takes when a user presses the sleep button. - -Possible actions include: -0 - Take no action -1 - Sleep -2 - Hibernate -3 - Shut down - -If you enable this policy setting, you must select the desired action. - -If you disable this policy setting or do not configure it, users can see and change this setting. - - - - - - - - - - - text/plain - - - Power.admx - SelectACSleepButtonAction - Power~AT~System~PowerManagementCat~PowerButtonActionSettingsCat - ACSleepButtonAction_2 - LastWrite - - - - StandbyTimeoutOnBattery - - - - - - - - - - - - - - - - - text/plain - - phone - power.admx - Power~AT~System~PowerManagementCat~PowerSleepSettingsCat - DCStandbyTimeOut_2 - LastWrite - - - - StandbyTimeoutPluggedIn - - - - - - - - - - - - - - - - - text/plain - - phone - power.admx - Power~AT~System~PowerManagementCat~PowerSleepSettingsCat - ACStandbyTimeOut_2 - LastWrite - - - - TurnOffHybridSleepOnBattery - - - - - 0 - This policy setting allows you to turn off hybrid sleep. - -If you set this to 0, a hiberfile is not generated when the system transitions to sleep (Stand By). - -If you do not configure this policy setting, users control this setting. - - - - - - - - - - - text/plain - - - Power.admx - Power~AT~System~PowerManagementCat~PowerSleepSettingsCat - DCStandbyWithHiberfileEnable_2 - LastWrite - - - - TurnOffHybridSleepPluggedIn - - - - - 0 - This policy setting allows you to turn off hybrid sleep. - -If you set this to 0, a hiberfile is not generated when the system transitions to sleep (Stand By). - -If you do not configure this policy setting, users control this setting. - - - - - - - - - - - text/plain - - - Power.admx - Power~AT~System~PowerManagementCat~PowerSleepSettingsCat - ACStandbyWithHiberfileEnable_2 - LastWrite - - - - UnattendedSleepTimeoutOnBattery - - - - - 0 - This policy setting allows you to specify the period of inactivity before Windows transitions to sleep automatically when a user is not present at the computer. - -If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows automatically transitions to sleep when left unattended. If you specify 0 seconds, Windows does not automatically transition to sleep. - -If you disable or do not configure this policy setting, users control this setting. - -If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. - - - - - - - - - - - text/plain - - - Power.admx - EnterUnattendedSleepTimeOut - Power~AT~System~PowerManagementCat~PowerSleepSettingsCat - UnattendedSleepTimeOutDC - LastWrite - - - - UnattendedSleepTimeoutPluggedIn - - - - - 0 - This policy setting allows you to specify the period of inactivity before Windows transitions to sleep automatically when a user is not present at the computer. - -If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows automatically transitions to sleep when left unattended. If you specify 0 seconds, Windows does not automatically transition to sleep. - -If you disable or do not configure this policy setting, users control this setting. - -If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. - - - - - - - - - - - text/plain - - - Power.admx - EnterUnattendedSleepTimeOut - Power~AT~System~PowerManagementCat~PowerSleepSettingsCat - UnattendedSleepTimeOutAC - LastWrite - - - - - Printers - - - - - - - - - - - - - - - - - - - PointAndPrintRestrictions - - - - - - - - - - - - - - - - - text/plain - - phone - Printing.admx - Printing~AT~ControlPanel~CplPrinters - PointAndPrint_Restrictions_Win7 - LastWrite - - - - PublishPrinters - - - - - - - - - - - - - - - - - text/plain - - phone - Printing2.admx - Printing2~AT~Printers - PublishPrinters - LastWrite - - - - - Privacy - - - - - - - - - - - - - - - - - - - AllowAutoAcceptPairingAndPrivacyConsentPrompts - - - - - 0 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowCrossDeviceClipboard - - - - - 1 - Allows syncing of Clipboard across devices under the same Microsoft account. - - - - - - - - - - - text/plain - - - OSPolicy.admx - OSPolicy~AT~System~PolicyPolicies - AllowCrossDeviceClipboard - LowestValueMostSecure - - - - AllowInputPersonalization - - - - - 1 - - - - - - - - - - - - text/plain - - - 10.0.10240 - Globalization.admx - Globalization~AT~ControlPanel~RegionalOptions - AllowInputPersonalization - LowestValueMostSecure - - - - DisableAdvertisingId - - - - - 65535 - - - - - - - - - - - - text/plain - - - UserProfiles.admx - UserProfiles~AT~System~UserProfiles - DisableAdvertisingId - LowestValueMostSecureZeroHasNoLimits - - - - DisablePrivacyExperience - - - - - 0 - Enabling this policy prevents the privacy experience from launching during user logon for new and upgraded users. - - - - - - - - - - - text/plain - - - phone - OOBE.admx - OOBE~AT~WindowsComponents~OOBE - DisablePrivacyExperience - LowestValueMostSecure - - - - EnableActivityFeed - - - - - 1 - Enables ActivityFeed, which is responsible for mirroring different activity types (as applicable) across device graph of the user. - - - - - - - - - - - text/plain - - - OSPolicy.admx - OSPolicy~AT~System~PolicyPolicies - EnableActivityFeed - HighestValueMostSecure - - - - LetAppsAccessAccountInfo - - - - - 0 - This policy setting specifies whether Windows apps can access account information. - - - - - - - - - - - text/plain - - - AppPrivacy.admx - LetAppsAccessAccountInfo_Enum - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessAccountInfo - HighestValueMostSecure - - - - LetAppsAccessAccountInfo_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessAccountInfo_ForceAllowTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessAccountInfo - LastWrite - ; - - - - LetAppsAccessAccountInfo_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessAccountInfo_ForceDenyTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessAccountInfo - LastWrite - ; - - - - LetAppsAccessAccountInfo_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the account information privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessAccountInfo_UserInControlOfTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessAccountInfo - LastWrite - ; - - - - LetAppsAccessBackgroundSpatialPerception - - - - - 0 - This policy setting specifies whether Windows apps can access the movement of the user's head, hands, motion controllers, and other tracked objects, while the apps are running in the background. - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - LetAppsAccessBackgroundSpatialPerception_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the user's movements while the apps are running in the background. This setting overrides the default LetAppsAccessBackgroundSpatialPerception policy setting for the specified apps. - - - - - - - - - - - text/plain - - LastWrite - ; - - - - LetAppsAccessBackgroundSpatialPerception_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the user's movements while the apps are running in the background. This setting overrides the default LetAppsAccessBackgroundSpatialPerception policy setting for the specified apps. - - - - - - - - - - - text/plain - - LastWrite - ; - - - - LetAppsAccessBackgroundSpatialPerception_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the user movements privacy setting for the listed apps. This setting overrides the default LetAppsAccessBackgroundSpatialPerception policy setting for the specified apps. - - - - - - - - - - - text/plain - - LastWrite - ; - - - - LetAppsAccessCalendar - - - - - 0 - This policy setting specifies whether Windows apps can access the calendar. - - - - - - - - - - - text/plain - - - AppPrivacy.admx - LetAppsAccessCalendar_Enum - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessCalendar - HighestValueMostSecure - - - - LetAppsAccessCalendar_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessCalendar_ForceAllowTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessCalendar - LastWrite - ; - - - - LetAppsAccessCalendar_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessCalendar_ForceDenyTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessCalendar - LastWrite - ; - - - - LetAppsAccessCalendar_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the calendar privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessCalendar_UserInControlOfTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessCalendar - LastWrite - ; - - - - LetAppsAccessCallHistory - - - - - 0 - This policy setting specifies whether Windows apps can access call history. - - - - - - - - - - - text/plain - - - AppPrivacy.admx - LetAppsAccessCallHistory_Enum - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessCallHistory - HighestValueMostSecure - - - - LetAppsAccessCallHistory_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessCallHistory_ForceAllowTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessCallHistory - LastWrite - ; - - - - LetAppsAccessCallHistory_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessCallHistory_ForceDenyTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessCallHistory - LastWrite - ; - - - - LetAppsAccessCallHistory_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the call history privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessCallHistory_UserInControlOfTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessCallHistory - LastWrite - ; - - - - LetAppsAccessCamera - - - - - 0 - This policy setting specifies whether Windows apps can access the camera. - - - - - - - - - - - text/plain - - - AppPrivacy.admx - LetAppsAccessCamera_Enum - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessCamera - HighestValueMostSecure - - - - LetAppsAccessCamera_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessCamera_ForceAllowTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessCamera - LastWrite - ; - - - - LetAppsAccessCamera_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessCamera_ForceDenyTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessCamera - LastWrite - ; - - - - LetAppsAccessCamera_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessCamera_UserInControlOfTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessCamera - LastWrite - ; - - - - LetAppsAccessContacts - - - - - 0 - This policy setting specifies whether Windows apps can access contacts. - - - - - - - - - - - text/plain - - - AppPrivacy.admx - LetAppsAccessContacts_Enum - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessContacts - HighestValueMostSecure - - - - LetAppsAccessContacts_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessContacts_ForceAllowTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessContacts - LastWrite - ; - - - - LetAppsAccessContacts_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessContacts_ForceDenyTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessContacts - LastWrite - ; - - - - LetAppsAccessContacts_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessContacts_UserInControlOfTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessContacts - LastWrite - ; - - - - LetAppsAccessEmail - - - - - 0 - This policy setting specifies whether Windows apps can access email. - - - - - - - - - - - text/plain - - - AppPrivacy.admx - LetAppsAccessEmail_Enum - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessEmail - HighestValueMostSecure - - - - LetAppsAccessEmail_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessEmail_ForceAllowTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessEmail - LastWrite - ; - - - - LetAppsAccessEmail_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessEmail_ForceDenyTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessEmail - LastWrite - ; - - - - LetAppsAccessEmail_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessEmail_UserInControlOfTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessEmail - LastWrite - ; - - - - LetAppsAccessGazeInput - - - - - 0 - This policy setting specifies whether Windows apps can access the eye tracker. - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - LetAppsAccessGazeInput_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the eye tracker. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. - - - - - - - - - - - text/plain - - LastWrite - ; - - - - LetAppsAccessGazeInput_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the eye tracker. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. - - - - - - - - - - - text/plain - - LastWrite - ; - - - - LetAppsAccessGazeInput_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the eye tracker privacy setting for the listed apps. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. - - - - - - - - - - - text/plain - - LastWrite - ; - - - - LetAppsAccessLocation - - - - - 0 - This policy setting specifies whether Windows apps can access location. - - - - - - - - - - - text/plain - - - AppPrivacy.admx - LetAppsAccessLocation_Enum - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessLocation - HighestValueMostSecure - - - - LetAppsAccessLocation_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessLocation_ForceAllowTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessLocation - LastWrite - ; - - - - LetAppsAccessLocation_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessLocation_ForceDenyTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessLocation - LastWrite - ; - - - - LetAppsAccessLocation_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessLocation_UserInControlOfTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessLocation - LastWrite - ; - - - - LetAppsAccessMessaging - - - - - 0 - This policy setting specifies whether Windows apps can read or send messages (text or MMS). - - - - - - - - - - - text/plain - - - AppPrivacy.admx - LetAppsAccessMessaging_Enum - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessMessaging - HighestValueMostSecure - - - - LetAppsAccessMessaging_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessMessaging_ForceAllowTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessMessaging - LastWrite - ; - - - - LetAppsAccessMessaging_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessMessaging_ForceDenyTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessMessaging - LastWrite - ; - - - - LetAppsAccessMessaging_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessMessaging_UserInControlOfTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessMessaging - LastWrite - ; - - - - LetAppsAccessMicrophone - - - - - 0 - This policy setting specifies whether Windows apps can access the microphone. - - - - - - - - - - - text/plain - - - AppPrivacy.admx - LetAppsAccessMicrophone_Enum - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessMicrophone - HighestValueMostSecure - - - - LetAppsAccessMicrophone_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessMicrophone_ForceAllowTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessMicrophone - LastWrite - ; - - - - LetAppsAccessMicrophone_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessMicrophone_ForceDenyTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessMicrophone - LastWrite - ; - - - - LetAppsAccessMicrophone_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessMicrophone_UserInControlOfTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessMicrophone - LastWrite - ; - - - - LetAppsAccessMotion - - - - - 0 - This policy setting specifies whether Windows apps can access motion data. - - - - - - - - - - - text/plain - - - AppPrivacy.admx - LetAppsAccessMotion_Enum - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessMotion - HighestValueMostSecure - - - - LetAppsAccessMotion_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessMotion_ForceAllowTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessMotion - LastWrite - ; - - - - LetAppsAccessMotion_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessMotion_ForceDenyTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessMotion - LastWrite - ; - - - - LetAppsAccessMotion_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessMotion_UserInControlOfTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessMotion - LastWrite - ; - - - - LetAppsAccessNotifications - - - - - 0 - This policy setting specifies whether Windows apps can access notifications. - - - - - - - - - - - text/plain - - - AppPrivacy.admx - LetAppsAccessNotifications_Enum - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessNotifications - HighestValueMostSecure - - - - LetAppsAccessNotifications_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessNotifications_ForceAllowTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessNotifications - LastWrite - ; - - - - LetAppsAccessNotifications_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessNotifications_ForceDenyTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessNotifications - LastWrite - ; - - - - LetAppsAccessNotifications_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessNotifications_UserInControlOfTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessNotifications - LastWrite - ; - - - - LetAppsAccessPhone - - - - - 0 - This policy setting specifies whether Windows apps can make phone calls - - - - - - - - - - - text/plain - - - AppPrivacy.admx - LetAppsAccessPhone_Enum - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessPhone - HighestValueMostSecure - - - - LetAppsAccessPhone_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessPhone_ForceAllowTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessPhone - LastWrite - ; - - - - LetAppsAccessPhone_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessPhone_ForceDenyTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessPhone - LastWrite - ; - - - - LetAppsAccessPhone_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessPhone_UserInControlOfTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessPhone - LastWrite - ; - - - - LetAppsAccessRadios - - - - - 0 - This policy setting specifies whether Windows apps have access to control radios. - - - - - - - - - - - text/plain - - - AppPrivacy.admx - LetAppsAccessRadios_Enum - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessRadios - HighestValueMostSecure - - - - LetAppsAccessRadios_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessRadios_ForceAllowTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessRadios - LastWrite - ; - - - - LetAppsAccessRadios_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessRadios_ForceDenyTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessRadios - LastWrite - ; - - - - LetAppsAccessRadios_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessRadios_UserInControlOfTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessRadios - LastWrite - ; - - - - LetAppsAccessTasks - - - - - 0 - This policy setting specifies whether Windows apps can access tasks. - - - - - - - - - - - text/plain - - - AppPrivacy.admx - LetAppsAccessTasks_Enum - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessTasks - HighestValueMostSecure - - - - LetAppsAccessTasks_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessTasks_ForceAllowTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessTasks - LastWrite - ; - - - - LetAppsAccessTasks_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessTasks_ForceDenyTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessTasks - LastWrite - ; - - - - LetAppsAccessTasks_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessTasks_UserInControlOfTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessTasks - LastWrite - ; - - - - LetAppsAccessTrustedDevices - - - - - 0 - This policy setting specifies whether Windows apps can access trusted devices. - - - - - - - - - - - text/plain - - - AppPrivacy.admx - LetAppsAccessTrustedDevices_Enum - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessTrustedDevices - HighestValueMostSecure - - - - LetAppsAccessTrustedDevices_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessTrustedDevices_ForceAllowTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessTrustedDevices - LastWrite - ; - - - - LetAppsAccessTrustedDevices_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessTrustedDevices_ForceDenyTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessTrustedDevices - LastWrite - ; - - - - LetAppsAccessTrustedDevices_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessTrustedDevices_UserInControlOfTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessTrustedDevices - LastWrite - ; - - - - LetAppsActivateWithVoice - - - - - 0 - This policy setting specifies whether Windows apps can be activated by voice. - - - - - - - - - - - text/plain - - - AppPrivacy.admx - LetAppsActivateWithVoice_Enum - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsActivateWithVoice - HighestValueMostSecure - - - - LetAppsActivateWithVoiceAboveLock - - - - - 0 - This policy setting specifies whether Windows apps can be activated by voice while the system is locked. - - - - - - - - - - - text/plain - - - AppPrivacy.admx - LetAppsActivateWithVoiceAboveLock_Enum - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsActivateWithVoiceAboveLock - HighestValueMostSecure - - - - LetAppsGetDiagnosticInfo - - - - - 0 - This policy setting specifies whether Windows apps can get diagnostic information about other apps, including user names. - - - - - - - - - - - text/plain - - - AppPrivacy.admx - LetAppsGetDiagnosticInfo_Enum - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsGetDiagnosticInfo - HighestValueMostSecure - - - - LetAppsGetDiagnosticInfo_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed to get diagnostic information about other apps, including user names. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsGetDiagnosticInfo_ForceAllowTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsGetDiagnosticInfo - LastWrite - ; - - - - LetAppsGetDiagnosticInfo_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are not allowed to get diagnostic information about other apps, including user names. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsGetDiagnosticInfo_ForceDenyTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsGetDiagnosticInfo - LastWrite - ; - - - - LetAppsGetDiagnosticInfo_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the app diagnostics privacy setting for the listed Windows apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsGetDiagnosticInfo_UserInControlOfTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsGetDiagnosticInfo - LastWrite - ; - - - - LetAppsRunInBackground - - - - - 0 - This policy setting specifies whether Windows apps can run in the background. - - - - - - - - - - - text/plain - - - AppPrivacy.admx - LetAppsRunInBackground_Enum - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsRunInBackground - HighestValueMostSecure - - - - LetAppsRunInBackground_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsRunInBackground_ForceAllowTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsRunInBackground - LastWrite - ; - - - - LetAppsRunInBackground_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are not allowed to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsRunInBackground_ForceDenyTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsRunInBackground - LastWrite - ; - - - - LetAppsRunInBackground_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the background apps privacy setting for the listed Windows apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsRunInBackground_UserInControlOfTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsRunInBackground - LastWrite - ; - - - - LetAppsSyncWithDevices - - - - - 0 - This policy setting specifies whether Windows apps can communicate with unpaired wireless devices. - - - - - - - - - - - text/plain - - - AppPrivacy.admx - LetAppsSyncWithDevices_Enum - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsSyncWithDevices - HighestValueMostSecure - - - - LetAppsSyncWithDevices_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsSyncWithDevices_ForceAllowTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsSyncWithDevices - LastWrite - ; - - - - LetAppsSyncWithDevices_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsSyncWithDevices_ForceDenyTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsSyncWithDevices - LastWrite - ; - - - - LetAppsSyncWithDevices_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'Communicate with unpaired wireless devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsSyncWithDevices_UserInControlOfTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsSyncWithDevices - LastWrite - ; - - - - PublishUserActivities - - - - - 1 - Allows apps/system to publish 'User Activities' into ActivityFeed. - - - - - - - - - - - text/plain - - - OSPolicy.admx - OSPolicy~AT~System~PolicyPolicies - PublishUserActivities - HighestValueMostSecure - - - - UploadUserActivities - - - - - 1 - Allows ActivityFeed to upload published 'User Activities'. - - - - - - - - - - - text/plain - - - OSPolicy.admx - OSPolicy~AT~System~PolicyPolicies - UploadUserActivities - HighestValueMostSecure - - - - - RemoteAssistance - - - - - - - - - - - - - - - - - - - CustomizeWarningMessages - - - - - - - - - - - - - - - - - text/plain - - phone - remoteassistance.admx - RemoteAssistance~AT~System~RemoteAssist - RA_Options - LastWrite - - - - SessionLogging - - - - - - - - - - - - - - - - - text/plain - - phone - remoteassistance.admx - RemoteAssistance~AT~System~RemoteAssist - RA_Logging - LastWrite - - - - SolicitedRemoteAssistance - - - - - - - - - - - - - - - - - text/plain - - phone - remoteassistance.admx - RemoteAssistance~AT~System~RemoteAssist - RA_Solicit - LastWrite - - - - UnsolicitedRemoteAssistance - - - - - - - - - - - - - - - - - text/plain - - phone - remoteassistance.admx - RemoteAssistance~AT~System~RemoteAssist - RA_Unsolicit - LastWrite - - - - - RemoteDesktopServices - - - - - - - - - - - - - - - - - - - AllowUsersToConnectRemotely - - - - - - - - - - - - - - - - - text/plain - - phone - terminalserver.admx - TerminalServer~AT~WindowsComponents~TS_GP_NODE~TS_TERMINAL_SERVER~TS_CONNECTIONS - TS_DISABLE_CONNECTIONS - LastWrite - - - - ClientConnectionEncryptionLevel - - - - - - - - - - - - - - - - - text/plain - - phone - terminalserver.admx - TerminalServer~AT~WindowsComponents~TS_GP_NODE~TS_TERMINAL_SERVER~TS_SECURITY - TS_ENCRYPTION_POLICY - LastWrite - - - - DoNotAllowDriveRedirection - - - - - - - - - - - - - - - - - text/plain - - phone - terminalserver.admx - TerminalServer~AT~WindowsComponents~TS_GP_NODE~TS_TERMINAL_SERVER~TS_REDIRECTION - TS_CLIENT_DRIVE_M - LastWrite - - - - DoNotAllowPasswordSaving - - - - - - - - - - - - - - - - - text/plain - - phone - terminalserver.admx - TerminalServer~AT~WindowsComponents~TS_GP_NODE~TS_CLIENT - TS_CLIENT_DISABLE_PASSWORD_SAVING_2 - LastWrite - - - - PromptForPasswordUponConnection - - - - - - - - - - - - - - - - - text/plain - - phone - terminalserver.admx - TerminalServer~AT~WindowsComponents~TS_GP_NODE~TS_TERMINAL_SERVER~TS_SECURITY - TS_PASSWORD - LastWrite - - - - RequireSecureRPCCommunication - - - - - - - - - - - - - - - - - text/plain - - phone - terminalserver.admx - TerminalServer~AT~WindowsComponents~TS_GP_NODE~TS_TERMINAL_SERVER~TS_SECURITY - TS_RPC_ENCRYPTION - LastWrite - - - - - RemoteManagement - - - - - - - - - - - - - - - - - - - AllowBasicAuthentication_Client - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteManagement.admx - WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMClient - AllowBasic_2 - LastWrite - - - - AllowBasicAuthentication_Service - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteManagement.admx - WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService - AllowBasic_1 - LastWrite - - - - AllowCredSSPAuthenticationClient - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteManagement.admx - WindowsRemoteManagement~AT~WindowsComponents~WinRMClient - AllowCredSSP_2 - LastWrite - - - - AllowCredSSPAuthenticationService - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteManagement.admx - WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService - AllowCredSSP_1 - LastWrite - - - - AllowRemoteServerManagement - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteManagement.admx - WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService - AllowAutoConfig - LastWrite - - - - AllowUnencryptedTraffic_Client - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteManagement.admx - WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMClient - AllowUnencrypted_2 - LastWrite - - - - AllowUnencryptedTraffic_Service - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteManagement.admx - WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService - AllowUnencrypted_1 - LastWrite - - - - DisallowDigestAuthentication - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteManagement.admx - WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMClient - DisallowDigest - LastWrite - - - - DisallowNegotiateAuthenticationClient - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteManagement.admx - WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMClient - DisallowNegotiate_2 - LastWrite - - - - DisallowNegotiateAuthenticationService - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteManagement.admx - WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService - DisallowNegotiate_1 - LastWrite - - - - DisallowStoringOfRunAsCredentials - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteManagement.admx - WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService - DisableRunAs - LastWrite - - - - SpecifyChannelBindingTokenHardeningLevel - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteManagement.admx - WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService - CBTHardeningLevel_1 - LastWrite - - - - TrustedHosts - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteManagement.admx - WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMClient - TrustedHosts - LastWrite - - - - TurnOnCompatibilityHTTPListener - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteManagement.admx - WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService - HttpCompatibilityListener - LastWrite - - - - TurnOnCompatibilityHTTPSListener - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteManagement.admx - WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService - HttpsCompatibilityListener - LastWrite - - - - - RemoteProcedureCall - - - - - - - - - - - - - - - - - - - RestrictUnauthenticatedRPCClients - - - - - - - - - - - - - - - - - text/plain - - phone - rpc.admx - RPC~AT~System~Rpc - RpcRestrictRemoteClients - LastWrite - - - - RPCEndpointMapperClientAuthentication - - - - - - - - - - - - - - - - - text/plain - - phone - rpc.admx - RPC~AT~System~Rpc - RpcEnableAuthEpResolution - LastWrite - - - - - RemoteShell - - - - - - - - - - - - - - - - - - - AllowRemoteShellAccess - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteShell.admx - WindowsRemoteShell~AT~WindowsComponents~WinRS - AllowRemoteShellAccess - LastWrite - - - - MaxConcurrentUsers - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteShell.admx - WindowsRemoteShell~AT~WindowsComponents~WinRS - MaxConcurrentUsers - LastWrite - - - - SpecifyIdleTimeout - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteShell.admx - WindowsRemoteShell~AT~WindowsComponents~WinRS - IdleTimeout - LastWrite - - - - SpecifyMaxMemory - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteShell.admx - WindowsRemoteShell~AT~WindowsComponents~WinRS - MaxMemoryPerShellMB - LastWrite - - - - SpecifyMaxProcesses - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteShell.admx - WindowsRemoteShell~AT~WindowsComponents~WinRS - MaxProcessesPerShell - LastWrite - - - - SpecifyMaxRemoteShells - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteShell.admx - WindowsRemoteShell~AT~WindowsComponents~WinRS - MaxShellsPerUser - LastWrite - - - - SpecifyShellTimeout - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteShell.admx - WindowsRemoteShell~AT~WindowsComponents~WinRS - ShellTimeOut - LastWrite - - - - - RestrictedGroups - - - - - - - - - - - - - - - - - - - ConfigureGroupMembership - - - - - - This security setting allows an administrator to define the members of a security-sensitive (restricted) group. When a Restricted Groups Policy is enforced, any current member of a restricted group that is not on the Members list is removed. Any user on the Members list who is not currently a member of the restricted group is added. You can use Restricted Groups policy to control group membership. Using the policy, you can specify what members are part of a group. Any members that are not specified in the policy are removed during configuration or refresh. For example, you can create a Restricted Groups policy to only allow specified users (for example, Alice and John) to be members of the Administrators group. When policy is refreshed, only Alice and John will remain as members of the Administrators group. -Caution: If a Restricted Groups policy is applied, any current member not on the Restricted Groups policy members list is removed. This can include default members, such as administrators. Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers. An empty Members list means that the restricted group has no members. - - - - - - - - - - - text/plain - - phone - LastWrite - - - - - - - - - - - - Restricted Group Member - - - - - - - - - - - - - - - Restricted Group - - - - - - ]]> - - - - - Search - - - - - - - - - - - - - - - - - - - AllowCloudSearch - - - - - 2 - - - - - - - - - - - - text/plain - - - Search.admx - AllowCloudSearch_Dropdown - Search~AT~WindowsComponents~Search - AllowCloudSearch - LowestValueMostSecure - - - - AllowCortanaInAAD - - - - - 0 - This features allows you to show the cortana opt-in page during Windows Setup - - - - - - - - - - - text/plain - - - phone - Search.admx - Search~AT~WindowsComponents~Search - AllowCortanaInAAD - LowestValueMostSecure - - - - AllowFindMyFiles - - - - - 1 - This feature allows you to disable find my files completely on the machine - - - - - - - - - - - text/plain - - - phone - Search.admx - Search~AT~WindowsComponents~Search - AllowFindMyFiles - LowestValueMostSecure - - - - AllowIndexingEncryptedStoresOrItems - - - - - 0 - - - - - - - - - - - - text/plain - - - Search.admx - Search~AT~WindowsComponents~Search - AllowIndexingEncryptedStoresOrItems - LowestValueMostSecure - - - - AllowSearchToUseLocation - - - - - 1 - - - - - - - - - - - - text/plain - - - Search.admx - Search~AT~WindowsComponents~Search - AllowSearchToUseLocation - LowestValueMostSecure - - - - AllowStoringImagesFromVisionSearch - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowUsingDiacritics - - - - - 0 - - - - - - - - - - - - text/plain - - - Search.admx - Search~AT~WindowsComponents~Search - AllowUsingDiacritics - HighestValueMostSecure - - - - AllowWindowsIndexer - - - - - 3 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AlwaysUseAutoLangDetection - - - - - 0 - - - - - - - - - - - - text/plain - - - Search.admx - Search~AT~WindowsComponents~Search - AlwaysUseAutoLangDetection - HighestValueMostSecure - - - - DisableBackoff - - - - - 0 - - - - - - - - - - - - text/plain - - - Search.admx - Search~AT~WindowsComponents~Search - DisableBackoff - HighestValueMostSecure - - - - DisableRemovableDriveIndexing - - - - - 0 - - - - - - - - - - - - text/plain - - - Search.admx - Search~AT~WindowsComponents~Search - DisableRemovableDriveIndexing - HighestValueMostSecure - - - - DoNotUseWebResults - - - - - 1 - - - - - - - - - - - - text/plain - - - Search.admx - Search~AT~WindowsComponents~Search - DoNotUseWebResults - LowestValueMostSecure - - - - PreventIndexingLowDiskSpaceMB - - - - - 1 - - - - - - - - - - - - text/plain - - - Search.admx - Search~AT~WindowsComponents~Search - StopIndexingOnLimitedHardDriveSpace - HighestValueMostSecure - - - - PreventRemoteQueries - - - - - 1 - - - - - - - - - - - - text/plain - - - Search.admx - Search~AT~WindowsComponents~Search - PreventRemoteQueries - HighestValueMostSecure - - - - SafeSearchPermissions - - - - - 1 - - - - - - - - - - - - text/plain - - - desktop - HighestValueMostSecure - - - - - Security - - - - - - - - - - - - - - - - - - - AllowAddProvisioningPackage - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowManualRootCertificateInstallation - - - - - 1 - - - - - - - - - - - - text/plain - - - desktop - LowestValueMostSecure - - - - AllowRemoveProvisioningPackage - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AntiTheftMode - - - - - 1 - - - - - - - - - - - - text/plain - - - desktop - LowestValueMostSecure - - - - ClearTPMIfNotReady - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - TPM.admx - TPM~AT~System~TPMCategory - ClearTPMIfNotReady_Name - HighestValueMostSecure - - - - ConfigureWindowsPasswords - - - - - 2 - Configures the use of passwords for Windows features - - - - - - - - - - - text/plain - - - phone - LastWrite - - - - PreventAutomaticDeviceEncryptionForAzureADJoinedDevices - - - - - 0 - - - - - - - - - - - - text/plain - - - LastWrite - - - - RecoveryEnvironmentAuthentication - - - - - 0 - This policy controls the requirement of Admin Authentication in RecoveryEnvironment. - - - - - - - - - - - text/plain - - - phone - LastWrite - - - - RequireDeviceEncryption - - - - - 0 - - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - RequireProvisioningPackageSignature - - - - - 0 - - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - RequireRetrieveHealthCertificateOnBoot - - - - - 0 - - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - - ServiceControlManager - - - - - - - - - - - - - - - - - - - SvchostProcessMitigation - - - - - - - - - - - - - - - - - text/plain - - phone - ServiceControlManager.admx - ServiceControlManager~AT~System~ServiceControlManagerCat~ServiceControlManagerSecurityCat - SvchostProcessMitigationEnable - LastWrite - - - - - Settings - - - - - - - - - - - - - - - - - - - AllowAutoPlay - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowDataSense - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowDateTime - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowEditDeviceName - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowLanguage - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowOnlineTips - - - - - 1 - - - - - - - - - - - - text/plain - - - ControlPanel.admx - CheckBox_AllowOnlineTips - ControlPanel~AT~ControlPanel - AllowOnlineTips - LowestValueMostSecure - - - - AllowPowerSleep - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowRegion - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowSignInOptions - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowVPN - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowWorkplace - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowYourAccount - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - PageVisibilityList - - - - - - - - - - - - - - - - - text/plain - - ControlPanel.admx - SettingsPageVisibilityBox - ControlPanel~AT~ControlPanel - SettingsPageVisibility - LastWrite - - - - - SmartScreen - - - - - - - - - - - - - - - - - - - EnableAppInstallControl - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - SmartScreen.admx - SmartScreen~AT~WindowsComponents~SmartScreen~Shell - ConfigureAppInstallControl - LastWrite - - - - EnableSmartScreenInShell - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - SmartScreen.admx - SmartScreen~AT~WindowsComponents~SmartScreen~Shell - ShellConfigureSmartScreen - HighestValueMostSecure - - - - PreventOverrideForFilesInShell - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - SmartScreen.admx - ShellConfigureSmartScreen_Dropdown - SmartScreen~AT~WindowsComponents~SmartScreen~Shell - ShellConfigureSmartScreen - HighestValueMostSecure - - - - - Speech - - - - - - - - - - - - - - - - - - - AllowSpeechModelUpdate - - - - - 1 - - - - - - - - - - - - text/plain - - - Speech.admx - Speech~AT~WindowsComponents~Speech - AllowSpeechModelUpdate - LowestValueMostSecure - - - - - Start - - - - - - - - - - - - - - - - - - - AllowPinnedFolderDocuments - - - - - 65535 - This policy controls the visibility of the Documents shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowPinnedFolderDownloads - - - - - 65535 - This policy controls the visibility of the Downloads shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowPinnedFolderFileExplorer - - - - - 65535 - This policy controls the visibility of the File Explorer shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowPinnedFolderHomeGroup - - - - - 65535 - This policy controls the visibility of the HomeGroup shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowPinnedFolderMusic - - - - - 65535 - This policy controls the visibility of the Music shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowPinnedFolderNetwork - - - - - 65535 - This policy controls the visibility of the Network shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowPinnedFolderPersonalFolder - - - - - 65535 - This policy controls the visibility of the PersonalFolder shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowPinnedFolderPictures - - - - - 65535 - This policy controls the visibility of the Pictures shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowPinnedFolderSettings - - - - - 65535 - This policy controls the visibility of the Settings shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowPinnedFolderVideos - - - - - 65535 - This policy controls the visibility of the Videos shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - DisableContextMenus - - - - - 0 - Enabling this policy prevents context menus from being invoked in the Start Menu. - - - - - - - - - - - text/plain - - - phone - StartMenu.admx - StartMenu~AT~StartMenu - DisableContextMenusInStart - LowestValueMostSecure - - - - ForceStartSize - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - StartMenu.admx - StartMenu~AT~StartMenu - ForceStartSize - LastWrite - - - - HideAppList - - - - - 0 - Setting the value of this policy to 1 or 2 collapses the app list. Setting the value of this policy to 3 removes the app list entirely. Setting the value of this policy to 2 or 3 disables the corresponding toggle in the Settings app. - - - - - - - - - - - text/plain - - - phone - LastWrite - - - - HideChangeAccountSettings - - - - - 0 - Enabling this policy hides "Change account settings" from appearing in the user tile in the start menu. - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - HideFrequentlyUsedApps - - - - - 0 - Enabling this policy hides the most used apps from appearing on the start menu and disables the corresponding toggle in the Settings app. - - - - - - - - - - - text/plain - - - phone - StartMenu.admx - StartMenu~AT~StartMenu - NoFrequentUsedPrograms - LowestValueMostSecure - - - - HideHibernate - - - - - 0 - Enabling this policy hides "Hibernate" from appearing in the power button in the start menu. - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - HideLock - - - - - 0 - Enabling this policy hides "Lock" from appearing in the user tile in the start menu. - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - HidePowerButton - - - - - 0 - Enabling this policy hides the power button from appearing in the start menu. - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - HideRecentJumplists - - - - - 0 - Enabling this policy hides recent jumplists from appearing on the start menu/taskbar and disables the corresponding toggle in the Settings app. - - - - - - - - - - - text/plain - - - phone - StartMenu.admx - StartMenu~AT~StartMenu - NoRecentDocsHistory - LowestValueMostSecure - - - - HideRecentlyAddedApps - - - - - 0 - Enabling this policy hides recently added apps from appearing on the start menu and disables the corresponding toggle in the Settings app. - - - - - - - - - - - text/plain - - - phone - StartMenu.admx - StartMenu~AT~StartMenu - HideRecentlyAddedApps - LowestValueMostSecure - - - - HideRestart - - - - - 0 - Enabling this policy hides "Restart/Update and restart" from appearing in the power button in the start menu. - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - HideShutDown - - - - - 0 - Enabling this policy hides "Shut down/Update and shut down" from appearing in the power button in the start menu. - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - HideSignOut - - - - - 0 - Enabling this policy hides "Sign out" from appearing in the user tile in the start menu. - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - HideSleep - - - - - 0 - Enabling this policy hides "Sleep" from appearing in the power button in the start menu. - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - HideSwitchAccount - - - - - 0 - Enabling this policy hides "Switch account" from appearing in the user tile in the start menu. - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - HideUserTile - - - - - 0 - Enabling this policy hides the user tile from appearing in the start menu. - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - ImportEdgeAssets - - - - - - This policy setting allows you to import Edge assets to be used with StartLayout policy. Start layout can contain secondary tile from Edge app which looks for Edge local asset file. Edge local asset would not exist and cause Edge secondary tile to appear empty in this case. This policy only gets applied when StartLayout policy is modified. - - - - - - - - - - - text/plain - - phone - LastWrite - - - - NoPinningToTaskbar - - - - - 0 - This policy setting allows you to control pinning programs to the Taskbar. If you enable this policy setting, users cannot change the programs currently pinned to the Taskbar. If any programs are already pinned to the Taskbar, these programs continue to show in the Taskbar. However, users cannot unpin these programs already pinned to the Taskbar, and they cannot pin new programs to the Taskbar. If you disable or do not configure this policy setting, users can change the programs currently pinned to the Taskbar. - - - - - - - - - - - text/plain - - - phone - HighestValueMostSecure - - - - StartLayout - - - - - - - - - - - - - - - - - text/plain - - phone - StartMenu.admx - StartMenu~AT~StartMenu - LockedStartLayout - LastWrite - - - - - Storage - - - - - - - - - - - - - - - - - - - AllowDiskHealthModelUpdates - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - StorageHealth.admx - StorageHealth~AT~System~StorageHealth - SH_AllowDiskHealthModelUpdates - LastWrite - - - - AllowStorageSenseGlobal - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - StorageSense.admx - StorageSense~AT~System~StorageSense - SS_AllowStorageSenseGlobal - LastWrite - - - - AllowStorageSenseTemporaryFilesCleanup - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - StorageSense.admx - StorageSense~AT~System~StorageSense - SS_AllowStorageSenseTemporaryFilesCleanup - LastWrite - - - - ConfigStorageSenseCloudContentDehydrationThreshold - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - StorageSense.admx - StorageSense~AT~System~StorageSense - SS_ConfigStorageSenseCloudContentDehydrationThreshold - LastWrite - - - - ConfigStorageSenseDownloadsCleanupThreshold - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - StorageSense.admx - StorageSense~AT~System~StorageSense - SS_ConfigStorageSenseDownloadsCleanupThreshold - LastWrite - - - - ConfigStorageSenseGlobalCadence - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - StorageSense.admx - StorageSense~AT~System~StorageSense - SS_ConfigStorageSenseGlobalCadence - LastWrite - - - - ConfigStorageSenseRecycleBinCleanupThreshold - - - - - 30 - - - - - - - - - - - - text/plain - - - phone - StorageSense.admx - StorageSense~AT~System~StorageSense - SS_ConfigStorageSenseRecycleBinCleanupThreshold - LastWrite - - - - EnhancedStorageDevices - - - - - - - - - - - - - - - - - text/plain - - phone - enhancedstorage.admx - EnhancedStorage~AT~System~EnStorDeviceAccess - TCGSecurityActivationDisabled - LastWrite - - - - RemovableDiskDenyWriteAccess - - - - - 0 - If you enable this policy setting, write access is denied to this removable storage class. If you disable or do not configure this policy setting, write access is allowed to this removable storage class. Note: To require that users write data to BitLocker-protected storage, enable the policy setting "Deny write access to drives not protected by BitLocker," which is located in "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives." - - - - - - - - - - - text/plain - - - RemovableStorage.admx - RemovableDisks_DenyWrite_Access_2 - RemovableStorage~AT~System~DeviceAccess - RemovableDisks_DenyWrite_Access_2 - HighestValueMostSecure - - - - - System - - - - - - - - - - - - - - - - - - - AllowBuildPreview - - - - - 2 - - - - - - - - - - - - text/plain - - - AllowBuildPreview.admx - AllowBuildPreview~AT~WindowsComponents~DataCollectionAndPreviewBuilds - AllowBuildPreview - LowestValueMostSecure - - - - AllowCommercialDataPipeline - - - - - 0 - - - - - - - - - - - - text/plain - - - DataCollection.admx - AllowCommercialDataPipeline - DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds - AllowCommercialDataPipeline - HighestValueMostSecure - - - - AllowDeviceNameInDiagnosticData - - - - - 0 - This policy allows the device name to be sent to Microsoft as part of Windows diagnostic data. If you disable or do not configure this policy setting, then device name will not be sent to Microsoft as part of Windows diagnostic data. - - - - - - - - - - - text/plain - - - DataCollection.admx - AllowDeviceNameInDiagnosticData - DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds - AllowDeviceNameInDiagnosticData - LowestValueMostSecure - - - - AllowEmbeddedMode - - - - - 0 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowExperimentation - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowFontProviders - - - - - 1 - - - - - - - - - - - - text/plain - - - GroupPolicy.admx - GroupPolicy~AT~Network~NetworkFonts - EnableFontProviders - LowestValueMostSecure - - - - AllowLocation - - - - - 1 - - - - - - - - - - - - text/plain - - - Sensors.admx - Sensors~AT~LocationAndSensors - DisableLocation_2 - LowestValueMostSecure - - - - AllowStorageCard - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowTelemetry - - - - - 3 - - - - - - - - - - - - text/plain - - - DataCollection.admx - AllowTelemetry - DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds - AllowTelemetry - LowestValueMostSecure - - - - AllowUserToResetPhone - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - BootStartDriverInitialization - - - - - - - - - - - - - - - - - text/plain - - phone - earlylauncham.admx - EarlyLaunchAM~AT~System~ELAMCategory - POL_DriverLoadPolicy_Name - LastWrite - - - - ConfigureMicrosoft365UploadEndpoint - - - - - - - - - - - - - - - - - text/plain - - DataCollection.admx - ConfigureMicrosoft365UploadEndpoint - DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds - ConfigureMicrosoft365UploadEndpoint - LastWrite - - - - ConfigureTelemetryOptInChangeNotification - - - - - 0 - - - - - - - - - - - - text/plain - - - DataCollection.admx - ConfigureTelemetryOptInChangeNotification - DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds - ConfigureTelemetryOptInChangeNotification - HighestValueMostSecure - - - - ConfigureTelemetryOptInSettingsUx - - - - - 0 - - - - - - - - - - - - text/plain - - - DataCollection.admx - ConfigureTelemetryOptInSettingsUx - DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds - ConfigureTelemetryOptInSettingsUx - HighestValueMostSecure - - - - DisableDeviceDelete - - - - - 0 - - - - - - - - - - - - text/plain - - - DataCollection.admx - DisableDeviceDelete - DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds - DisableDeviceDelete - HighestValueMostSecure - - - - DisableDiagnosticDataViewer - - - - - 0 - - - - - - - - - - - - text/plain - - - DataCollection.admx - DisableDiagnosticDataViewer - DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds - DisableDiagnosticDataViewer - HighestValueMostSecure - - - - DisableDirectXDatabaseUpdate - - - - - 0 - This group policy allows control over whether the DirectX Database Updater task will be run on the system. - - - - - - - - - - - text/plain - - - GroupPolicy.admx - GroupPolicy~AT~Network~DirectXDatabase - DisableDirectXDatabaseUpdate - HighestValueMostSecure - - - - DisableEnterpriseAuthProxy - - - - - 0 - This policy setting blocks the Connected User Experience and Telemetry service from automatically using an authenticated proxy to send data back to Microsoft on Windows 10. If you disable or do not configure this policy setting, the Connected User Experience and Telemetry service will automatically use an authenticated proxy to send data back to Microsoft. Enabling this policy will block the Connected User Experience and Telemetry service from automatically using an authenticated proxy. - - - - - - - - - - - text/plain - - - DataCollection.admx - DisableEnterpriseAuthProxy - DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds - DisableEnterpriseAuthProxy - LastWrite - - - - DisableOneDriveFileSync - - - - - 0 - This policy setting lets you prevent apps and features from working with files on OneDrive. If you enable this policy setting: users can’t access OneDrive from the OneDrive app and file picker; Microsoft Store apps can’t access OneDrive using the WinRT API; OneDrive doesn’t appear in the navigation pane in File Explorer; OneDrive files aren’t kept in sync with the cloud; Users can’t automatically upload photos and videos from the camera roll folder. If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage. - - - - - - - - - - - text/plain - - - SkyDrive.admx - SkyDrive~AT~WindowsComponents~OneDrive - PreventOnedriveFileSync - HighestValueMostSecure - - - - DisableSystemRestore - - - - - - - - - - - - - - - - - text/plain - - phone - systemrestore.admx - SystemRestore~AT~System~SR - SR_DisableSR - LastWrite - - - - FeedbackHubAlwaysSaveDiagnosticsLocally - - - - - 0 - Diagnostic files created when a feedback is filed in the Feedback Hub app will always be saved locally. If this policy is not present or set to false, users will be presented with the option to save locally. The default is to not save locally. - - - - - - - - - - - text/plain - - - LastWrite - - - - LimitEnhancedDiagnosticDataWindowsAnalytics - - - - - 0 - This policy setting, in combination with the Allow Telemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. By configuring this setting, you're not stopping people from changing their Telemetry Settings; however, you are stopping them from choosing a higher level than you've set for the organization. To enable this behavior, you must complete two steps: 1. Enable this policy setting 2. Set Allow Telemetry to level 2 (Enhanced).If you configure these policy settings together, you'll send the Basic level of diagnostic data plus any additional events that are required for Windows Analytics, to Microsoft. The additional events are documented here: https://go.Microsoft.com/fwlink/?linked=847594. If you enable Enhanced diagnostic data in the Allow Telemetry policy setting, but you don't configure this policy setting, you'll send the required events for Windows Analytics, plus any additional Enhanced level telemetry data to Microsoft. This setting has no effect on computers configured to send Full, Basic, or Security level diagnostic data to Microsoft. If you disable or don't configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the Allow Telemetry policy setting. - - - - - - - - - - - text/plain - - - DataCollection.admx - LimitEnhancedDiagnosticDataWindowsAnalytics - DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds - LimitEnhancedDiagnosticDataWindowsAnalytics - LowestValueMostSecure - - - - TelemetryProxy - - - - - - - - - - - - - - - - - text/plain - - DataCollection.admx - TelemetryProxyName - DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds - TelemetryProxy - LastWrite - - - - TurnOffFileHistory - - - - - 0 - This policy setting allows you to turn off File History. - -If you enable this policy setting, File History cannot be activated to create regular, automatic backups. - -If you disable or do not configure this policy setting, File History can be activated to create regular, automatic backups. - - - - - - - - - - - text/plain - - - FileHistory.admx - FileHistory~AT~WindowsComponents~FileHistory - DisableFileHistory - LowestValueMostSecure - - - - - SystemServices - - - - - - - - - - - - - - - - - - - ConfigureHomeGroupListenerServiceStartupMode - - - - - 3 - This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~System Services - HomeGroup Listener - LastWrite - - - - ConfigureHomeGroupProviderServiceStartupMode - - - - - 3 - This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~System Services - HomeGroup Provider - LastWrite - - - - ConfigureXboxAccessoryManagementServiceStartupMode - - - - - 3 - This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~System Services - Xbox Accessory Management Service - LastWrite - - - - ConfigureXboxLiveAuthManagerServiceStartupMode - - - - - 3 - This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~System Services - Xbox Live Auth Manager - LastWrite - - - - ConfigureXboxLiveGameSaveServiceStartupMode - - - - - 3 - This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~System Services - Xbox Live Game Save - LastWrite - - - - ConfigureXboxLiveNetworkingServiceStartupMode - - - - - 3 - This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~System Services - Xbox Live Networking Service - LastWrite - - - - - TaskManager - - - - - - - - - - - - - - - - - - - AllowEndTask - - - - - 1 - This setting determines whether non-administrators can use Task Manager to end tasks - enabled (1) or disabled (0). Default: enabled - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - - TaskScheduler - - - - - - - - - - - - - - - - - - - EnableXboxGameSaveTask - - - - - 0 - This setting determines whether the specific task is enabled (1) or disabled (0). Default: Enabled. - - - - - - - - - - - text/plain - - - phone - LastWrite - - - - - TextInput - - - - - - - - - - - - - - - - - - - AllowHardwareKeyboardTextSuggestions - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowIMELogging - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowIMENetworkAccess - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowInputPanel - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowJapaneseIMESurrogatePairCharacters - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - HighestValueMostSecure - - - - AllowJapaneseIVSCharacters - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowJapaneseNonPublishingStandardGlyph - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowJapaneseUserDictionary - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowKeyboardTextSuggestions - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowLanguageFeaturesUninstall - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - TextInput.admx - TextInput~AT~WindowsComponents~TextInput - AllowLanguageFeaturesUninstall - LowestValueMostSecure - - - - AllowLinguisticDataCollection - - - - - 1 - - - - - - - - - - - - text/plain - - - TextInput.admx - TextInput~AT~WindowsComponents~TextInput - AllowLinguisticDataCollection - LowestValueMostSecure - - - - ConfigureJapaneseIMEVersion - - - - - 0 - This policy allows the IT admin to configure the Microsoft Japanese IME version in the desktop. -The following list shows the supported values: -0 (default) – The new Microsoft Japanese IME is on by default. Allow to control Microsoft Japanese IME version to use. -1 - The previous version of Microsoft Japanese IME is always selected. Not allowed to control Microsoft Japanese IME version to use. -2 - The new Microsoft Japanese IME is always selected. Not allowed to control Microsoft Japanese IME version to use. - - - - - - - - - - - text/plain - - - EAIME.admx - EAIME~AT~WindowsComponents~L_IME - L_ConfigureJapaneseImeVersion - LowestValueMostSecure - - - - ConfigureSimplifiedChineseIMEVersion - - - - - 0 - This policy allows the IT admin to configure the Microsoft Simplified Chinese IME version in the desktop. -The following list shows the supported values: -0 (default) – The new Microsoft Simplified Chinese IME is on by default. Allow to control Microsoft Simplified Chinese IME version to use. -1 - The previous version of Microsoft Simplified Chinese IME is always selected. Not allowed to control Microsoft Simplified Chinese IME version to use. -2 - The new Microsoft Simplified Chinese IME is always selected. Not allowed to control Microsoft Simplified Chinese IME version to use. - - - - - - - - - - - text/plain - - - EAIME.admx - EAIME~AT~WindowsComponents~L_IME - L_ConfigureSimplifiedChineseImeVersion - LowestValueMostSecure - - - - ConfigureTraditionalChineseIMEVersion - - - - - 0 - This policy allows the IT admin to configure the Microsoft Traditional Chinese IME version in the desktop. -The following list shows the supported values: -0 (default) – The new Microsoft Traditional Chinese IME is on by default. Allow to control Microsoft Traditional Chinese IME version to use. -1 - The previous version of Microsoft Traditional Chinese IME is always selected. Not allowed to control Microsoft Traditional Chinese IME version to use. -2 - The new Microsoft Traditional Chinese IME is always selected. Not allowed to control Microsoft Traditional Chinese IME version to use. - - - - - - - - - - - text/plain - - - EAIME.admx - EAIME~AT~WindowsComponents~L_IME - L_ConfigureTraditionalChineseImeVersion - LowestValueMostSecure - - - - EnableTouchKeyboardAutoInvokeInDesktopMode - - - - - 0 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - ExcludeJapaneseIMEExceptJIS0208 - - - - - 0 - - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - ExcludeJapaneseIMEExceptJIS0208andEUDC - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - HighestValueMostSecure - - - - ExcludeJapaneseIMEExceptShiftJIS - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - HighestValueMostSecure - - - - ForceTouchKeyboardDockedState - - - - - 0 - - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - TouchKeyboardDictationButtonAvailability - - - - - 0 - - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - TouchKeyboardEmojiButtonAvailability - - - - - 0 - - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - TouchKeyboardFullModeAvailability - - - - - 0 - - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - TouchKeyboardHandwritingModeAvailability - - - - - 0 - - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - TouchKeyboardNarrowModeAvailability - - - - - 0 - - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - TouchKeyboardSplitModeAvailability - - - - - 0 - - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - TouchKeyboardWideModeAvailability - - - - - 0 - - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - - TimeLanguageSettings - - - - - - - - - - - - - - - - - - - AllowSet24HourClock - - - - - 0 - - - - - - - - - - - - text/plain - - - desktop - LowestValueMostSecure - - - - ConfigureTimeZone - - - - - - Specifies the time zone to be applied to the device. This is the standard Windows name for the target time zone. - - - - - - - - - - - text/plain - - phone - LastWrite - - - - - Troubleshooting - - - - - - - - - - - - - - - - - - - AllowRecommendations - - - - - 1 - This policy setting applies recommended troubleshooting for known problems on the device and lets administrators configure how it's applied to their domains/IT environments. -Not configuring this policy setting will allow the user to configure if and how recommended troubleshooting is applied. - -Enabling this policy allows you to configure how recommended troubleshooting is applied on the user's device. You can select from one of the following values: -0 = Turn this feature off. -1 = Turn this feature off but still apply critical troubleshooting. -2 = Notify users when recommended troubleshooting is available, then allow the user to run or ignore it. -3 = Run recommended troubleshooting automatically and notify the user after it's been successfully run. -4 = Run recommended troubleshooting automatically without notifying the user. -5 = Allow the user to choose their own recommended troubleshooting settings. - - - - - - - - - - - text/plain - - - phone - MSDT.admx - MSDT~AT~System~Troubleshooting~WdiScenarioCategory - TroubleshootingAllowRecommendations - LowestValueMostSecure - - - - - Update - - - - - - - - - - - - - - - - - - - ActiveHoursEnd - - - - - 17 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - ActiveHoursEndTime - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - ActiveHours - LastWrite - - - - ActiveHoursMaxRange - - - - - 18 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - ActiveHoursMaxRange - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - ActiveHoursMaxRange - LastWrite - - - - ActiveHoursStart - - - - - 8 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - ActiveHoursStartTime - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - ActiveHours - LastWrite - - - - AllowAutoUpdate - - - - - 6 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - AutoUpdateMode - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - AutoUpdateCfg - LowestValueMostSecure - - - - AllowAutoWindowsUpdateDownloadOverMeteredNetwork - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - AllowAutoWindowsUpdateDownloadOverMeteredNetwork - LastWrite - - - - AllowMUUpdateService - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsUpdate.admx - AllowMUUpdateServiceId - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - AutoUpdateCfg - LowestValueMostSecure - - - - AllowNonMicrosoftSignedUpdate - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowUpdateService - - - - - 1 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - CorpWuURL - LowestValueMostSecure - - - - AutomaticMaintenanceWakeUp - - - - - 1 - This policy setting allows you to configure Automatic Maintenance wake up policy. - -The maintenance wakeup policy specifies if Automatic Maintenance should make a wake request to the OS for the daily scheduled maintenance. Note, that if the OS power wake policy is explicitly disabled, then this setting has no effect. - -If you enable this policy setting, Automatic Maintenance will attempt to set OS wake policy and make a wake request for the daily scheduled time, if required. - -If you disable or do not configure this policy setting, the wake setting as specified in Security and Maintenance/Automatic Maintenance Control Panel will apply. - - - - - - - - - - - text/plain - - - msched.admx - msched~AT~WindowsComponents~MaintenanceScheduler - WakeUpPolicy - HighestValueMostSecure - - - - AutoRestartDeadlinePeriodInDays - - - - - 7 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - AutoRestartDeadline - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - AutoRestartDeadline - LastWrite - - - - AutoRestartDeadlinePeriodInDaysForFeatureUpdates - - - - - 7 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - AutoRestartDeadlineForFeatureUpdates - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - AutoRestartDeadline - LastWrite - - - - AutoRestartNotificationSchedule - - - - - 15 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - AutoRestartNotificationSchd - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - AutoRestartNotificationConfig - LastWrite - - - - AutoRestartRequiredNotificationDismissal - - - - - 1 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - AutoRestartRequiredNotificationDismissal - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - AutoRestartRequiredNotificationDismissal - LastWrite - - - - BranchReadinessLevel - - - - - 16 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - BranchReadinessLevelId - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat - DeferFeatureUpdates - LastWrite - - - - ConfigureDeadlineForFeatureUpdates - - - - - 7 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - ConfigureDeadlineForFeatureUpdates - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - ConfigureDeadlineForFeatureUpdates - LastWrite - - - - ConfigureDeadlineForQualityUpdates - - - - - 7 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - ConfigureDeadlineForQualityUpdates - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - ConfigureDeadlineForQualityUpdates - LastWrite - - - - ConfigureDeadlineGracePeriod - - - - - 2 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - ConfigureDeadlineGracePeriod - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - ConfigureDeadlineGracePeriod - LastWrite - - - - ConfigureDeadlineNoAutoReboot - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - ConfigureDeadlineNoAutoReboot - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - ConfigureDeadlineNoAutoReboot - HighestValueMostSecure - - - - ConfigureFeatureUpdateUninstallPeriod - - - - - 10 - Enable enterprises/IT admin to configure feature update uninstall period - - - - - - - - - - - text/plain - - - LastWrite - - - - DeferFeatureUpdatesPeriodInDays - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - DeferFeatureUpdatesPeriodId - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat - DeferFeatureUpdates - LastWrite - - - - DeferQualityUpdatesPeriodInDays - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - DeferQualityUpdatesPeriodId - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat - DeferQualityUpdates - LastWrite - - - - DeferUpdatePeriod - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - DeferUpdatePeriodId - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - DeferUpgrade - LastWrite - - - - DeferUpgradePeriod - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - DeferUpgradePeriodId - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - DeferUpgrade - LastWrite - - - - DetectionFrequency - - - - - 22 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - DetectionFrequency_Hour2 - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - DetectionFrequency_Title - LastWrite - - - - DisableDualScan - - - - - 0 - Do not allow update deferral policies to cause scans against Windows Update - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - DisableDualScan - LastWrite - - - - DisableWUfBSafeguards - - - - - 0 - - - - - - - - - - - - text/plain - - - LastWrite - - - - EngagedRestartDeadline - - - - - 14 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - EngagedRestartDeadline - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - EngagedRestartTransitionSchedule - LastWrite - - - - EngagedRestartDeadlineForFeatureUpdates - - - - - 14 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - EngagedRestartDeadlineForFeatureUpdates - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - EngagedRestartTransitionSchedule - LastWrite - - - - EngagedRestartSnoozeSchedule - - - - - 3 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - EngagedRestartSnoozeSchedule - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - EngagedRestartTransitionSchedule - LastWrite - - - - EngagedRestartSnoozeScheduleForFeatureUpdates - - - - - 3 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - EngagedRestartSnoozeScheduleForFeatureUpdates - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - EngagedRestartTransitionSchedule - LastWrite - - - - EngagedRestartTransitionSchedule - - - - - 7 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - EngagedRestartTransitionSchedule - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - EngagedRestartTransitionSchedule - LastWrite - - - - EngagedRestartTransitionScheduleForFeatureUpdates - - - - - 7 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - EngagedRestartTransitionScheduleForFeatureUpdates - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - EngagedRestartTransitionSchedule - LastWrite - - - - ExcludeWUDriversInQualityUpdate - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat - ExcludeWUDriversInQualityUpdate - LastWrite - - - - FillEmptyContentUrls - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - CorpWUFillEmptyContentUrls - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - CorpWuURL - LastWrite - - - - IgnoreMOAppDownloadLimit - - - - - 0 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - IgnoreMOUpdateDownloadLimit - - - - - 0 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - ManagePreviewBuilds - - - - - 3 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - ManagePreviewBuildsId - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat - ManagePreviewBuilds - LastWrite - - - - PauseDeferrals - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - PauseDeferralsId - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - DeferUpgrade - LastWrite - - - - PauseFeatureUpdates - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - PauseFeatureUpdatesId - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat - DeferFeatureUpdates - LastWrite - - - - PauseFeatureUpdatesStartTime - - - - - - - - - - - - - - - - - text/plain - - WindowsUpdate.admx - PauseFeatureUpdatesStartId - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat - DeferFeatureUpdates - LastWrite - - - - PauseQualityUpdates - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - PauseQualityUpdatesId - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat - DeferQualityUpdates - LastWrite - - - - PauseQualityUpdatesStartTime - - - - - - - - - - - - - - - - - text/plain - - WindowsUpdate.admx - PauseQualityUpdatesStartId - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat - DeferQualityUpdates - LastWrite - - - - PhoneUpdateRestrictions - - - - - 4 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - RequireDeferUpgrade - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - DeferUpgradePeriodId - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - DeferUpgrade - LastWrite - - - - RequireUpdateApproval - - - - - 0 - - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - ScheduledInstallDay - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - AutoUpdateSchDay - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - AutoUpdateCfg - LowestValueMostSecure - - - - ScheduledInstallEveryWeek - - - - - 1 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - AutoUpdateSchEveryWeek - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - AutoUpdateCfg - LowestValueMostSecure - - - - ScheduledInstallFirstWeek - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - AutoUpdateSchFirstWeek - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - AutoUpdateCfg - LowestValueMostSecure - - - - ScheduledInstallFourthWeek - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - ScheduledInstallFourthWeek - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - AutoUpdateCfg - LowestValueMostSecure - - - - ScheduledInstallSecondWeek - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - ScheduledInstallSecondWeek - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - AutoUpdateCfg - LowestValueMostSecure - - - - ScheduledInstallThirdWeek - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - ScheduledInstallThirdWeek - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - AutoUpdateCfg - LowestValueMostSecure - - - - ScheduledInstallTime - - - - - 3 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - AutoUpdateSchTime - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - AutoUpdateCfg - LowestValueMostSecure - - - - ScheduleImminentRestartWarning - - - - - 15 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - RestartWarn - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - RestartWarnRemind - LastWrite - - - - ScheduleRestartWarning - - - - - 4 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - RestartWarnRemind - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - RestartWarnRemind - LastWrite - - - - SetAutoRestartNotificationDisable - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - AutoRestartNotificationSchd - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - AutoRestartNotificationDisable - LastWrite - - - - SetDisablePauseUXAccess - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - SetDisablePauseUXAccess - LastWrite - - - - SetDisableUXWUAccess - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - SetDisableUXWUAccess - LastWrite - - - - SetEDURestart - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - SetEDURestart - LastWrite - - - - SetProxyBehaviorForUpdateDetection - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - SetProxyBehaviorForUpdateDetection - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - CorpWuURL - LastWrite - - - - TargetReleaseVersion - - - - - - - - - - - - - - - - - text/plain - - WindowsUpdate.admx - TargetReleaseVersionId - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat - TargetReleaseVersion - LastWrite - - - - UpdateNotificationLevel - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - UpdateNotificationLevel - LastWrite - - - - UpdateServiceUrl - - - - - CorpWSUS - - - - - - - - - - - - text/plain - - WindowsUpdate.admx - CorpWUURL_Name - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - CorpWuURL - LastWrite - - - - UpdateServiceUrlAlternate - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsUpdate.admx - CorpWUContentHost_Name - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - CorpWuURL - LastWrite - - - - - UserRights - - - - - - - - - - - - - - - - - - - AccessCredentialManagerAsTrustedCaller - - - - - - This user right is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it is only assigned to Winlogon. Users' saved credentials might be compromised if this privilege is given to other entities. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Access Credential Manager ase a trusted caller - LastWrite - 0xF000 - - - - AccessFromNetwork - - - - - - This user right determines which users and groups are allowed to connect to the computer over the network. Remote Desktop Services are not affected by this user right.Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Access this computer from the network - LastWrite - 0xF000 - - - - ActAsPartOfTheOperatingSystem - - - - - - This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. Processes that require this privilege should use the LocalSystem account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned. Caution:Assigning this user right can be a security risk. Only assign this user right to trusted users. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Act as part of the operating system - LastWrite - 0xF000 - - - - AllowLocalLogOn - - - - - - This user right determines which users can log on to the computer. Note: Modifying this setting may affect compatibility with clients, services, and applications. For compatibility information about this setting, see Allow log on locally (https://go.microsoft.com/fwlink/?LinkId=24268 ) at the Microsoft website. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Allow log on locally - LastWrite - 0xF000 - - - - BackupFilesAndDirectories - - - - - - This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when backing up files and directories.Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:Traverse Folder/Execute File, Read. Caution: Assigning this user right can be a security risk. Since users with this user right can read any registry settings and files, only assign this user right to trusted users - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Back up files and directories - LastWrite - 0xF000 - - - - ChangeSystemTime - - - - - - This user right determines which users and groups can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Change the system time - LastWrite - 0xF000 - - - - CreateGlobalObjects - - - - - - This security setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right. Users who can create global objects could affect processes that run under other users' sessions, which could lead to application failure or data corruption. Caution: Assigning this user right can be a security risk. Assign this user right only to trusted users. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Create global objects - LastWrite - 0xF000 - - - - CreatePageFile - - - - - - This user right determines which users and groups can call an internal application programming interface (API) to create and change the size of a page file. This user right is used internally by the operating system and usually does not need to be assigned to any users - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Create a pagefile - LastWrite - 0xF000 - - - - CreatePermanentSharedObjects - - - - - - This user right determines which accounts can be used by processes to create a directory object using the object manager. This user right is used internally by the operating system and is useful to kernel-mode components that extend the object namespace. Because components that are running in kernel mode already have this user right assigned to them, it is not necessary to specifically assign it. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Create permanent shared objects - LastWrite - 0xF000 - - - - CreateSymbolicLinks - - - - - - This user right determines if the user can create a symbolic link from the computer he is logged on to. Caution: This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them. Note: This setting can be used in conjunction a symlink filesystem setting that can be manipulated with the command line utility to control the kinds of symlinks that are allowed on the machine. Type 'fsutil behavior set symlinkevaluation /?' at the command line to get more information about fsutil and symbolic links. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Create symbolic links - LastWrite - 0xF000 - - - - CreateToken - - - - - - This user right determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token. This user right is used internally by the operating system. Unless it is necessary, do not assign this user right to a user, group, or process other than Local System. Caution: Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Create a token object - LastWrite - 0xF000 - - - - DebugPrograms - - - - - - This user right determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user right provides complete access to sensitive and critical operating system components. Caution:Assigning this user right can be a security risk. Only assign this user right to trusted users. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Debug programs - LastWrite - 0xF000 - - - - DenyAccessFromNetwork - - - - - - This user right determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access this computer from the network policy setting if a user account is subject to both policies. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Deny access to this computer from the network - LastWrite - 0xF000 - - - - DenyLocalLogOn - - - - - - This security setting determines which service accounts are prevented from registering a process as a service. Note: This security setting does not apply to the System, Local Service, or Network Service accounts. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Deny log on as a service - LastWrite - 0xF000 - - - - DenyRemoteDesktopServicesLogOn - - - - - - This user right determines which users and groups are prohibited from logging on as a Remote Desktop Services client. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Deny log on through Remote Desktop Services - LastWrite - 0xF000 - - - - EnableDelegation - - - - - - This user right determines which users can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using delegated credentials of a client, as long as the client account does not have the Account cannot be delegated account control flag set. Caution: Misuse of this user right, or of the Trusted for Delegation setting, could make the network vulnerable to sophisticated attacks using Trojan horse programs that impersonate incoming clients and use their credentials to gain access to network resources. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Enable computer and user accounts to be trusted for delegation - LastWrite - 0xF000 - - - - GenerateSecurityAudits - - - - - - This user right determines which accounts can be used by a process to add entries to the security log. The security log is used to trace unauthorized system access. Misuse of this user right can result in the generation of many auditing events, potentially hiding evidence of an attack or causing a denial of service. Shut down system immediately if unable to log security audits security policy setting is enabled. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Generate security audits - LastWrite - 0xF000 - - - - ImpersonateClient - - - - - - Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels. Caution: Assigning this user right can be a security risk. Only assign this user right to trusted users. Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist. -1) The access token that is being impersonated is for this user. -2) The user, in this logon session, created the access token by logging on to the network with explicit credentials. -3) The requested level is less than Impersonate, such as Anonymous or Identify. -Because of these factors, users do not usually need this user right. Warning: If you enable this setting, programs that previously had the Impersonate privilege may lose it, and they may not run. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Impersonate a client after authentication - LastWrite - 0xF000 - - - - IncreaseSchedulingPriority - - - - - - This user right determines which accounts can use a process with Write Property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Increase scheduling priority - LastWrite - 0xF000 - - - - LoadUnloadDeviceDrivers - - - - - - This user right determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. It is recommended that you do not assign this privilege to other users. Caution: Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Load and unload device drivers - LastWrite - 0xF000 - - - - LockMemory - - - - - - This user right determines which accounts can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Lock pages in memory - LastWrite - 0xF000 - - - - ManageAuditingAndSecurityLog - - - - - - This user right determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. This security setting does not allow a user to enable file and object access auditing in general. You can view audited events in the security log of the Event Viewer. A user with this privilege can also view and clear the security log. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Manage auditing and security log - LastWrite - 0xF000 - - - - ManageVolume - - - - - - This user right determines which users and groups can run maintenance tasks on a volume, such as remote defragmentation. Use caution when assigning this user right. Users with this user right can explore disks and extend files in to memory that contains other data. When the extended files are opened, the user might be able to read and modify the acquired data. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Perform volume maintenance tasks - LastWrite - 0xF000 - - - - ModifyFirmwareEnvironment - - - - - - This user right determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor.On x86-based computers, the only firmware environment value that can be modified by assigning this user right is the Last Known Good Configuration setting, which should only be modified by the system. On Itanium-based computers, boot information is stored in nonvolatile RAM. Users must be assigned this user right to run bootcfg.exe and to change the Default Operating System setting on Startup and Recovery in System Properties. On all computers, this user right is required to install or upgrade Windows.Note: This security setting does not affect who can modify the system environment variables and user environment variables that are displayed on the Advanced tab of System Properties. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Modify firmware environment values - LastWrite - 0xF000 - - - - ModifyObjectLabel - - - - - - This user right determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. Processes running under a user account can modify the label of an object owned by that user to a lower level without this privilege. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Modify an object label - LastWrite - 0xF000 - - - - ProfileSingleProcess - - - - - - This user right determines which users can use performance monitoring tools to monitor the performance of system processes. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Profile single process - LastWrite - 0xF000 - - - - RemoteShutdown - - - - - - This user right determines which users are allowed to shut down a computer from a remote location on the network. Misuse of this user right can result in a denial of service. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Force shutdown from a remote system - LastWrite - 0xF000 - - - - RestoreFilesAndDirectories - - - - - - This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and determines which users can set any valid security principal as the owner of an object. Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:Traverse Folder/Execute File, Write. Caution: Assigning this user right can be a security risk. Since users with this user right can overwrite registry settings, hide data, and gain ownership of system objects, only assign this user right to trusted users. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Restore files and directories - LastWrite - 0xF000 - - - - TakeOwnership - - - - - - This user right determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. Caution: Assigning this user right can be a security risk. Since owners of objects have full control of them, only assign this user right to trusted users. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Take ownership of files or other objects - LastWrite - 0xF000 - - - - - Wifi - - - - - - - - - - - - - - - - - - - AllowAutoConnectToWiFiSenseHotspots - - - - - 1 - - - - - - - - - - - - text/plain - - - wlansvc.admx - wlansvc~AT~Network~WlanSvc_Category~WlanSettings_Category - WiFiSense - LowestValueMostSecure - - - - AllowInternetSharing - - - - - 1 - - - - - - - - - - - - text/plain - - - NetworkConnections.admx - NetworkConnections~AT~Network~NetworkConnections - NC_ShowSharedAccessUI - LowestValueMostSecure - - - - AllowManualWiFiConfiguration - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowWiFi - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowWiFiDirect - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - WLANScanMode - - - - - 0 - - - - - - - - - - - - text/plain - - - HighestValueMostSecureZeroHasNoLimits - - - - - WindowsConnectionManager - - - - - - - - - - - - - - - - - - - ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork - - - - - - - - - - - - - - - - - text/plain - - phone - WCM.admx - WCM~AT~Network~WCM_Category - WCM_BlockNonDomain - LastWrite - - - - - WindowsDefenderSecurityCenter - - - - - - - - - - - - - - - - - - - CompanyName - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsDefenderSecurityCenter.admx - Presentation_EnterpriseCustomization_CompanyName - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~EnterpriseCustomization - EnterpriseCustomization_CompanyName - LastWrite - - - - DisableAccountProtectionUI - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefenderSecurityCenter.admx - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~AccountProtection - AccountProtection_UILockdown - LastWrite - - - - DisableAppBrowserUI - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefenderSecurityCenter.admx - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~AppBrowserProtection - AppBrowserProtection_UILockdown - LastWrite - - - - DisableClearTpmButton - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefenderSecurityCenter.admx - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~DeviceSecurity - DeviceSecurity_DisableClearTpmButton - LastWrite - - - - DisableDeviceSecurityUI - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefenderSecurityCenter.admx - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~DeviceSecurity - DeviceSecurity_UILockdown - LastWrite - - - - DisableEnhancedNotifications - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefenderSecurityCenter.admx - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~Notifications - Notifications_DisableEnhancedNotifications - LastWrite - - - - DisableFamilyUI - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefenderSecurityCenter.admx - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~FamilyOptions - FamilyOptions_UILockdown - LastWrite - - - - DisableHealthUI - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefenderSecurityCenter.admx - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~DevicePerformanceHealth - DevicePerformanceHealth_UILockdown - LastWrite - - - - DisableNetworkUI - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefenderSecurityCenter.admx - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~FirewallNetworkProtection - FirewallNetworkProtection_UILockdown - LastWrite - - - - DisableNotifications - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefenderSecurityCenter.admx - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~Notifications - Notifications_DisableNotifications - LastWrite - - - - DisableTpmFirmwareUpdateWarning - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefenderSecurityCenter.admx - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~DeviceSecurity - DeviceSecurity_DisableTpmFirmwareUpdateWarning - LastWrite - - - - DisableVirusUI - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefenderSecurityCenter.admx - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~VirusThreatProtection - VirusThreatProtection_UILockdown - LastWrite - - - - DisallowExploitProtectionOverride - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefenderSecurityCenter.admx - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~AppBrowserProtection - AppBrowserProtection_DisallowExploitProtectionOverride - LastWrite - - - - Email - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsDefenderSecurityCenter.admx - Presentation_EnterpriseCustomization_Email - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~EnterpriseCustomization - EnterpriseCustomization_Email - LastWrite - - - - EnableCustomizedToasts - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefenderSecurityCenter.admx - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~EnterpriseCustomization - EnterpriseCustomization_EnableCustomizedToasts - LastWrite - - - - EnableInAppCustomization - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefenderSecurityCenter.admx - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~EnterpriseCustomization - EnterpriseCustomization_EnableInAppCustomization - LastWrite - - - - HideRansomwareDataRecovery - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefenderSecurityCenter.admx - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~VirusThreatProtection - VirusThreatProtection_HideRansomwareRecovery - LastWrite - - - - HideSecureBoot - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefenderSecurityCenter.admx - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~DeviceSecurity - DeviceSecurity_HideSecureBoot - LastWrite - - - - HideTPMTroubleshooting - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefenderSecurityCenter.admx - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~DeviceSecurity - DeviceSecurity_HideTPMTroubleshooting - LastWrite - - - - HideWindowsSecurityNotificationAreaControl - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefenderSecurityCenter.admx - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~Systray - Systray_HideSystray - LastWrite - - - - Phone - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsDefenderSecurityCenter.admx - Presentation_EnterpriseCustomization_Phone - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~EnterpriseCustomization - EnterpriseCustomization_Phone - LastWrite - - - - URL - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsDefenderSecurityCenter.admx - Presentation_EnterpriseCustomization_URL - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~EnterpriseCustomization - EnterpriseCustomization_URL - LastWrite - - - - - WindowsInkWorkspace - - - - - - - - - - - - - - - - - - - AllowSuggestedAppsInWindowsInkWorkspace - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - WindowsInkWorkspace.admx - WindowsInkWorkspace~AT~WindowsComponents~WindowsInkWorkspace - AllowSuggestedAppsInWindowsInkWorkspace - LowestValueMostSecure - - - - AllowWindowsInkWorkspace - - - - - 2 - - - - - - - - - - - - text/plain - - - phone - WindowsInkWorkspace.admx - AllowWindowsInkWorkspaceDropdown - WindowsInkWorkspace~AT~WindowsComponents~WindowsInkWorkspace - AllowWindowsInkWorkspace - LowestValueMostSecure - - - - - WindowsLogon - - - - - - - - - - - - - - - - - - - AllowAutomaticRestartSignOn - - - - - - - - - - - - - - - - - text/plain - - phone - WinLogon.admx - WinLogon~AT~WindowsComponents~Logon - AutomaticRestartSignOn - LastWrite - - - - ConfigAutomaticRestartSignOn - - - - - - - - - - - - - - - - - text/plain - - phone - WinLogon.admx - WinLogon~AT~WindowsComponents~Logon - ConfigAutomaticRestartSignOn - LastWrite - - - - DisableLockScreenAppNotifications - - - - - - - - - - - - - - - - - text/plain - - phone - logon.admx - Logon~AT~System~Logon - DisableLockScreenAppNotifications - LastWrite - - - - DontDisplayNetworkSelectionUI - - - - - - - - - - - - - - - - - text/plain - - phone - logon.admx - Logon~AT~System~Logon - DontDisplayNetworkSelectionUI - LastWrite - - - - EnableFirstLogonAnimation - - - - - 1 - This policy setting allows you to control whether users see the first sign-in animation when signing in to the computer for the first time. This applies to both the first user of the computer who completes the initial setup and users who are added to the computer later. It also controls if Microsoft account users will be offered the opt-in prompt for services during their first sign-in. - -If you enable this policy setting, Microsoft account users will see the opt-in prompt for services, and users with other accounts will see the sign-in animation. - -If you disable this policy setting, users will not see the animation and Microsoft account users will not see the opt-in prompt for services. - -If you do not configure this policy setting, the user who completes the initial Windows setup will see the animation during their first sign-in. If the first user had already completed the initial setup and this policy setting is not configured, users new to this computer will not see the animation. - -Note: The first sign-in animation will not be shown on Server, so this policy will have no effect. - - - - - - - - - - - text/plain - - - Logon.admx - Logon~AT~System~Logon - EnableFirstLogonAnimation - HighestValueMostSecure - - - - EnumerateLocalUsersOnDomainJoinedComputers - - - - - - - - - - - - - - - - - text/plain - - phone - logon.admx - Logon~AT~System~Logon - EnumerateLocalUsers - LastWrite - - - - HideFastUserSwitching - - - - - 0 - This policy setting allows you to hide the Switch User interface in the Logon UI, the Start menu and the Task Manager. If you enable this policy setting, the Switch User interface is hidden from the user who is attempting to log on or is logged on to the computer that has this policy applied. The locations that Switch User interface appear are in the Logon UI, the Start menu and the Task Manager. If you disable or do not configure this policy setting, the Switch User interface is accessible to the user in the three locations. - - - - - - - - - - - text/plain - - - Logon.admx - Logon~AT~System~Logon - HideFastUserSwitching - HighestValueMostSecure - - - - - WindowsPowerShell - - - - - - - - - - - - - - - - - - - TurnOnPowerShellScriptBlockLogging - - - - - - - - - - - - - - - - - text/plain - - phone - PowerShellExecutionPolicy.admx - PowerShellExecutionPolicy~AT~WindowsComponents~PowerShell - EnableScriptBlockLogging - LastWrite - - - - - WirelessDisplay - - - - - - - - - - - - - - - - - - - AllowMdnsAdvertisement - - - - - 1 - This policy setting allows you to turn off the Wireless Display multicast DNS service advertisement from a Wireless Display receiver. - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowMdnsDiscovery - - - - - 1 - This policy setting allows you to turn off discovering the display service advertised over multicast DNS by a Wireless Display receiver. - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowProjectionFromPC - - - - - 1 - This policy allows you to turn off projection from a PC. - If you set it to 0, your PC cannot discover or project to other devices. - If you set it to 1, your PC can discover and project to other devices. - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowProjectionFromPCOverInfrastructure - - - - - 1 - This policy allows you to turn off projection from a PC over infrastructure. - If you set it to 0, your PC cannot discover or project to other infrastructure devices, though it may still be possible to discover and project over WiFi Direct. - If you set it to 1, your PC can discover and project to other devices over infrastructure. - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowProjectionToPC - - - - - 1 - This policy setting allows you to turn off projection to a PC - If you set it to 0, your PC isn't discoverable and can't be projected to - If you set it to 1, your PC is discoverable and can be projected to above the lock screen only. The user has an option to turn it always on or off except for manual launch, too. - - - - - - - - - - - text/plain - - - phone - WirelessDisplay.admx - WirelessDisplay~AT~WindowsComponents~Connect - AllowProjectionToPC - LowestValueMostSecure - - - - AllowProjectionToPCOverInfrastructure - - - - - 1 - This policy setting allows you to turn off projection to a PC over infrastructure. - If you set it to 0, your PC cannot be discoverable and can't be projected to over infrastructure, though it may still be possible to project over WiFi Direct. - If you set it to 1, your PC can be discoverable and can be projected to over infrastructure. - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowUserInputFromWirelessDisplayReceiver - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - RequirePinForPairing - - - - - 0 - This policy setting allows you to require a pin for pairing. - If you set this to 0, a pin isn't required for pairing. - If you set this to 1, the pairing ceremony for new devices will always require a PIN. - If you set this to 2, all pairings will require PIN. - - - - - - - - - - - text/plain - - - WirelessDisplay.admx - WirelessDisplay~AT~WindowsComponents~Connect - RequirePinForPairing - LastWrite - - - - - - - -``` From d1f23943124836f6438ab53e6107ca774c4a861d Mon Sep 17 00:00:00 2001 From: Lovina Saldanha <69782111+Lovina-Saldanha@users.noreply.github.com> Date: Thu, 20 May 2021 17:59:10 +0530 Subject: [PATCH 065/415] New-5120578 New image added --- .../bitlocker/images/dot_new.png | Bin 0 -> 734 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 windows/security/information-protection/bitlocker/images/dot_new.png diff --git a/windows/security/information-protection/bitlocker/images/dot_new.png b/windows/security/information-protection/bitlocker/images/dot_new.png new file mode 100644 index 0000000000000000000000000000000000000000..af2bab3c631974672dd255ab793f124a34b980e1 GIT binary patch literal 734 zcmV<40wMj0P)Px#1ZP1_K>z@;j|==^1poj532;bRa{vGqB>(^xB>_oNB=7(L0&_`3K~z{r#g@x! z6G0ruzng3xo7S}5pf<6MidIBL8xSjc>>(hER4-CcK`-i|`VZu)7mq#=JSd6>J(Q{! z&B22RirRpJ6^l|IZPSObZ7`2Esm>%nXr`OZ=CL84OXfFB<}*9bpY)G`24SJ!hR{%X z#nb*LnMGtGiI34V7E)PQBncZ@WCVN)cC2&2W|gR=F=fellkn(YTz?(I)6a1%>-B_md_x2d#i_26~9l@?944v}BA!`RvbVze-Qyshiqh>MZ z8QUwN=hGC46qOG=nZ&P!3`Mnb_2qB88cR^Lf=2#jCXIWMd5X+|uWKkgl@AKg$ZxRY zR1aQ!OW@N~ilRIkIX}ns;_<5ED#+*AjrBFQM3MPKCQ5wy=chx%no4;Dc{)?_ zva6YNR_tGp+beh!s$q5if_#g|My2|&)gwMOf?RdU*w|XX0R((bD&-O6oZz-*Dw$8P zOYB=CKi|_vC36XQo!Hl@P?Sd_?`9dv5%v_CO{jM*B$o9QqLFiM_4#sHiCOgTX+hsk zH$^KHm3!SbJUGz-ogAPdcDFll?WmU`5#8?j#v458&!t4w(#_U6e0CGsbY{^ohvP5N z=||&uH!j}GMqFh1+hvx=x$OGWS623#Vb|i_;W^xV6T|xwgW$__e3u)S4tmhzcTufA zWyuTS$;L2yojycUxmVE2c5wR|p0~53)S Date: Thu, 20 May 2021 19:46:38 +0530 Subject: [PATCH 066/415] Update bitlocker-deployment-comparison.md image correction --- .../bitlocker/bitlocker-deployment-comparison.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md index 6ba03dc4d8..dd32f174a6 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md @@ -35,7 +35,7 @@ This article depicts the BitLocker deployment comparison chart. |Supported domain-joined status | Microsoft Azure Active Directory (Azure AD) joined, hybrid Azure AD joined | Active Directory joined, hybrid Azure AD joined | Active Directory joined | |Permissions required to manage policies | Endpoint security manager or custom | Full administrator or custom | Domain Admin or Delegated GPO access | |Cloud or on premises | Cloud | On premises | On premises | -|Server components required? | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Server components required? | | :::image type="content" source="images/dot_new.png" alt-text="dots"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | |Additional agent required? | No (device enrollment only) | Configuration Manager client | MBAM client | |Administrative plane | Microsoft Endpoint Manager admin center | Configuration Manager console | Group Policy Management Console and MBAM sites | |Administrative portal installation required | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | From 37fbfbcde78be2867fa411c950656bd4b249e49b Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Thu, 20 May 2021 21:17:52 +0530 Subject: [PATCH 067/415] added Allow Update Compliance Processing as per user feedback issue #9540, so I added **Allow Update Compliance Processing** policy-related settings in this article, after looking at GPO in windows 10 pre release build 21h1 19043.985. --- .../mdm/policy-csp-system.md | 78 ++++++++++++++++++- 1 file changed, 77 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 3615cb2e3f..a9ccc9b578 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -49,6 +49,9 @@ manager: dansimp
System/AllowTelemetry
+
+ System/AllowUpdateComplianceProcessing +
System/AllowUserToResetPhone
@@ -791,6 +794,77 @@ ADMX Info: +
+ + +**System/AllowUpdateComplianceProcessing** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark6
Businesscheck mark6
Enterprisecheck mark6
Educationcheck mark6
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Allows IT admins to enable diagnostic data from this device to be processed by Update Compliance. + +If you enable this setting, Enables data flow through Update Compliance's data processing system and indicates a device's explicit enrollment to the service. + +If you disable or do not configure this policy setting, diagnostic data from this device will not be processed by Update Compliance. + + + +ADMX Info: +- GP English name: *Allow Update Compliance Processing* +- GP name: *AllowUpdateComplianceProcessing* +- GP element: *AllowUpdateComplianceProcessing* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + + + +The following list shows the supported values: + +- 0 - Disabled. +- 16 - Enabled. + + + +
@@ -1778,5 +1852,7 @@ Footnotes: - 6 - Available in Windows 10, version 1903. - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. +- 9 - Available in Windows 10, version 20H2. +- 10 - Available in Windows 10, version 21H1. - \ No newline at end of file + From 9a024df7b281dda143f89bd32ad6300ba49d2ce2 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Thu, 20 May 2021 22:43:25 +0530 Subject: [PATCH 068/415] Update windows/client-management/mdm/policy-csp-system.md accepted Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- windows/client-management/mdm/policy-csp-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index a9ccc9b578..787fbbbb2a 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -50,7 +50,7 @@ manager: dansimp System/AllowTelemetry
- System/AllowUpdateComplianceProcessing + System/AllowUpdateComplianceProcessing
System/AllowUserToResetPhone From 6ae73515243ffa2be999d1be9c910e70fed145f2 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Thu, 20 May 2021 11:15:00 -0700 Subject: [PATCH 069/415] authorized apps merged configure managed installer 1. Created new page that merged "Authorize apps installed by a managed installer" with Configure a WDAC managed installer. 2. Updated TOC2 with merged file name. --- .../TOC2.yml | 2 +- ...-apps-deployed-with-a-managed-installer.md | 194 ++++++++++++++++++ 2 files changed, 195 insertions(+), 1 deletion(-) create mode 100644 windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC2.yml b/windows/security/threat-protection/windows-defender-application-control/TOC2.yml index 474b426029..bb66da245a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC2.yml +++ b/windows/security/threat-protection/windows-defender-application-control/TOC2.yml @@ -74,7 +74,7 @@ landingContent: - linkListType: how-to-guide (written) links: - text: Allow managed installer and configure managed installer rules - url: use-windows-defender-application-control-with-managed-installer.md + url: configure-authorized-apps-deployed-with-a-managed-installer.md - text: Allow reputable apps with ISG url: use-windows-defender-application-control-with-intelligent-security-graph.md # Card diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md new file mode 100644 index 0000000000..3922be1e3b --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md @@ -0,0 +1,194 @@ +--- +title: Configure authorized apps deployed with a WDAC managed installer (Windows 10) +description: Explains how to configure a custom Manged Installer. +keywords: security, malware +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb +ms.prod: m365-security +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: isbrahm +ms.author: dansimp +manager: dansimp +ms.date: 08/14/2020 +ms.technology: mde +--- + +## Configuring authorized apps deployed by a managed installer with AppLocker and Windows Defender Application Control + +**Applies to:** + +- Windows 10 +- Windows Server 2019 + +Windows 10, version 1703 introduced a new option for Windows Defender Application Control (WDAC), called managed installer, that helps balance security and manageability when enforcing application control policies. This option lets you automatically allow applications installed by a designated software distribution solution such as Microsoft Endpoint Configuration Manager. + +## How does a managed installer work? + +A new rule collection in AppLocker specifies binaries that are trusted by the organization as an authorized source for application deployment. When one of these binaries runs, Windows will monitor the binary's process (and processes it launches) then tag all files it writes as having originated from a managed installer. The managed installer rule collection is configured using Group Policy and can be applied with the Set-AppLockerPolicy PowerShell cmdlet. You can't currently set managed installers with the AppLocker CSP through MDM. + +Having defined your managed installers using AppLocker, you can then configure WDAC to trust files installed by a managed installer by adding the "Enabled:Managed Installer" option to your WDAC policy. Once that option is set, WDAC will check for managed installer origin information when determining whether or not to allow a binary to run. As long as there are no deny rules present for the file, WDAC will allow a file to run based on its managed installer origin. + +You should ensure that the WDAC policy allows the system/boot components and any other authorized applications that can't be deployed through a managed installer. + +## Security considerations with managed installer + +Since managed installer is a heuristic-based mechanism, it doesn't provide the same security guarantees that explicit allow or deny rules do. +It is best suited for use where each user operates as a standard user and where all software is deployed and installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager (MEMCM). + +Users with administrator privileges, or malware running as an administrator user on the system, may be able to circumvent the intent of Windows Defender Application Control when the managed installer option is allowed. + +If a managed installer process runs in the context of a user with standard privileges, then it is possible that standard users or malware running as standard user may be able to circumvent the intent of Windows Defender Application Control. + +Some application installers may automatically run the application at the end of the installation process. If this happens when the installer is run by a managed installer, then the managed installer's heuristic tracking and authorization will extend to all files created during the first run of the application. This could result in over-authorization for executables that were not intended. To avoid that outcome, ensure that the application deployment solution used as a managed installer limits running applications as part of installation. + +## Known limitations with managed installer + +- Application control, based on managed installer, does not support applications that self-update. If an application deployed by a managed installer later updates itself, the updated application files won't include the managed installer origin information, and may not be able to run. When you rely on managed installers, you must deploy and install all application updates using a managed installer, or include rules to authorize the app in the WDAC policy. In some cases, it may be possible to also designate an application binary that performs self-updates as a managed installer. Proper review for functionality and security should be performed for the application before using this method. + +- [Packaged apps (MSIX)](/windows/msix/) deployed through a managed installer aren't tracked by the managed installer heuristic and will need to be separately authorized in your WDAC policy. See [Manage packaged apps with WDAC](manage-packaged-apps-with-windows-defender-application-control.md). + +- Some applications or installers may extract, download, or generate binaries and immediately attempt to run them. Files run by such a process may not be allowed by the managed installer heuristic. In some cases, it may be possible to also designate an application binary that performs such an operation as a managed installer. Proper review for functionality and security should be performed for the application before using this method. + +- The managed installer heuristic doesn't authorize kernel drivers. The WDAC policy must have rules that allow the necessary drivers to run. + +## Configuring the managed installer + +Setting up managed installer tracking and application execution enforcement requires applying both an AppLocker and WDAC policy, with specific rules and options enabled. +There are three primary steps to keep in mind: + +- Specify managed installers, by using the Managed Installer rule collection in AppLocker policy. +- Enable service enforcement in AppLocker policy. +- Enable the managed installer option in a WDAC policy. + +## Specify managed installers using the Managed Installer rule collection in AppLocker policy + +The identity of the managed installer executable(s) is specified in an AppLocker policy, in a Managed Installer rule collection. + +### Create Managed Installer rule collection + +Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerShell cmdlets allow for directly specifying rules for the Managed Installer rule collection. However, you can use a text editor to make the simple changes needed to an EXE or DLL rule collection policy, to specify Type="ManagedInstaller", so that the new rule can be imported into a GPO. + +1. Use [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy?view=win10-ps) to make an EXE rule for the file you are designating as a managed installer. Note that only EXE file types can be designated as managed installers. Below is an example using the rule type Publisher with a hash fallback but other rule types can be used as well. You may need to reformat the output for readability. + + ```powershell + Get-ChildItem | Get-AppLockerFileInformation | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Xml > AppLocker_MI_PS_ISE.xml + ``` + +2. Manually rename the rule collection to ManagedInstaller + + Change + + ```powershell + + ``` + + to + + ```powershell + + ``` + +An example of a valid Managed Installer rule collection using Microsoft Endpoint Config Manager (MEMCM) is shown below. + +```xml + + + + + + + + + + + + + + + + +``` + +### Enable service enforcement in AppLocker policy + +Since many installation processes rely on services, it is typically necessary to enable tracking of services. +Correct tracking of services requires the presence of at least one rule in the rule collection. So, a simple audit only rule will suffice. This can be added to the policy created above, which specifies your managed installer rule collection. + +For example: + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +## Enable the managed installer option in WDAC policy + +In order to enable trust for the binaries laid down by managed installers, the "Enabled: Managed Installer" option must be specified in your WDAC policy. +This can be done by using the [Set-RuleOption cmdlet](/powershell/module/configci/set-ruleoption) with Option 13. + +Below are steps to create a WDAC policy which allows Windows to boot and enables the managed installer option. + +1. Copy the DefaultWindows_Audit policy into your working folder from "C:\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Audit.xml" + +2. Reset the policy ID to ensure it is in multiple policy format, and give it a different GUID from the example policies. Also, give it a friendly name to help with identification. + + For example: + + ```powershell + Set-CIPolicyIdInfo -FilePath -PolicyName "" -ResetPolicyID + ``` + +3. Set Option 13 (Enabled:Managed Installer) + + ```powershell + Set-RuleOption -FilePath -Option 13 + ``` + +## Set the AppLocker filter driver to autostart + +To enable the managed installer, you need to set the AppLocker filter driver to autostart, and start it. + +To do so, run the following command as an Administrator: + +```console +appidtel.exe start [-mionly] +``` + +Specify "-mionly" if you will not use the Intelligent Security Graph (ISG). + +## Enabling managed installer logging events + +Refer to [Understanding Application Control Events](event-id-explanations.md#optional-intelligent-security-graph-isg-or-managed-installer-mi-diagnostic-events) for information on enabling optional managed installer diagnostic events. \ No newline at end of file From 73521cb17a1c634ad23402cca663010cd41d0464 Mon Sep 17 00:00:00 2001 From: v-dihans Date: Thu, 20 May 2021 12:27:42 -0600 Subject: [PATCH 070/415] Fixed formatting --- .../mdm/diagnosticlog-csp.md | 66 +++++++++---------- 1 file changed, 33 insertions(+), 33 deletions(-) diff --git a/windows/client-management/mdm/diagnosticlog-csp.md b/windows/client-management/mdm/diagnosticlog-csp.md index ef43f3c484..b9bc259616 100644 --- a/windows/client-management/mdm/diagnosticlog-csp.md +++ b/windows/client-management/mdm/diagnosticlog-csp.md @@ -136,45 +136,45 @@ The SasUrl value is the target URI to which the CSP uploads the zip file contain - Expected input value: The full command line including path and any arguments, such as `%windir%\\system32\\ipconfig.exe /all`. - Output format: Console text output from the command is captured in a text file and included in the overall output archive. For commands which may generate file output rather than console output, a subsequent FolderFiles directive would be used to capture that output. The example XML above demonstrates this pattern with mdmdiagnosticstool.exe's -out parameter. - Privacy guardrails: To enable diagnostic data capture while reducing the risk of an IT admin inadvertently capturing user-generated documents, only the following commands are allowed: - - %windir%\\system32\\certutil.exe - - %windir%\\system32\\dxdiag.exe - - %windir%\\system32\\gpresult.exe - - %windir%\\system32\\msinfo32.exe - - %windir%\\system32\\netsh.exe - - %windir%\\system32\\nltest.exe - - %windir%\\system32\\ping.exe - - %windir%\\system32\\powercfg.exe - - %windir%\\system32\\w32tm.exe - - %windir%\\system32\\wpr.exe - - %windir%\\system32\\dsregcmd.exe - - %windir%\\system32\\dispdiag.exe - - %windir%\\system32\\ipconfig.exe - - %windir%\\system32\\logman.exe - - %windir%\\system32\\tracelog.exe - - %programfiles%\\windows defender\\mpcmdrun.exe - - %windir%\\system32\\MdmDiagnosticsTool.exe - - %windir%\\system32\\pnputil.exe + - %windir%\\system32\\certutil.exe + - %windir%\\system32\\dxdiag.exe + - %windir%\\system32\\gpresult.exe + - %windir%\\system32\\msinfo32.exe + - %windir%\\system32\\netsh.exe + - %windir%\\system32\\nltest.exe + - %windir%\\system32\\ping.exe + - %windir%\\system32\\powercfg.exe + - %windir%\\system32\\w32tm.exe + - %windir%\\system32\\wpr.exe + - %windir%\\system32\\dsregcmd.exe + - %windir%\\system32\\dispdiag.exe + - %windir%\\system32\\ipconfig.exe + - %windir%\\system32\\logman.exe + - %windir%\\system32\\tracelog.exe + - %programfiles%\\windows defender\\mpcmdrun.exe + - %windir%\\system32\\MdmDiagnosticsTool.exe + - %windir%\\system32\\pnputil.exe - **FoldersFiles** - Captures log files from a given path (without recursion). - Expected input value: File path with or without wildcards, such as "%windir%\\System32", or "%programfiles%\\*.log". - Privacy guardrails: To enable diagnostic log capture while reducing the risk of an IT admin inadvertently capturing user-generated documents, only paths under the following roots are allowed: - - %PROGRAMFILES% - - %PROGRAMDATA% - - %PUBLIC% - - %WINDIR% - - %TEMP% - - %TMP% + - %PROGRAMFILES% + - %PROGRAMDATA% + - %PUBLIC% + - %WINDIR% + - %TEMP% + - %TMP% - Additionally, only files with the following extensions are captured: - - .log - - .txt - - .dmp - - .cab - - .zip - - .xml - - .html - - .evtx - - .etl + - .log + - .txt + - .dmp + - .cab + - .zip + - .xml + - .html + - .evtx + - .etl **DiagnosticArchive/ArchiveResults** Added in version 1.4 of the CSP in Windows 10, version 1903. This policy setting displays the results of the last archive run. From 1fa08ae6d3d4de95aaa8cd168659243b7e1284b2 Mon Sep 17 00:00:00 2001 From: v-dihans Date: Thu, 20 May 2021 12:41:17 -0600 Subject: [PATCH 071/415] fix formatting --- windows/client-management/mdm/diagnosticlog-csp.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/diagnosticlog-csp.md b/windows/client-management/mdm/diagnosticlog-csp.md index b9bc259616..b8ffe15b74 100644 --- a/windows/client-management/mdm/diagnosticlog-csp.md +++ b/windows/client-management/mdm/diagnosticlog-csp.md @@ -136,8 +136,8 @@ The SasUrl value is the target URI to which the CSP uploads the zip file contain - Expected input value: The full command line including path and any arguments, such as `%windir%\\system32\\ipconfig.exe /all`. - Output format: Console text output from the command is captured in a text file and included in the overall output archive. For commands which may generate file output rather than console output, a subsequent FolderFiles directive would be used to capture that output. The example XML above demonstrates this pattern with mdmdiagnosticstool.exe's -out parameter. - Privacy guardrails: To enable diagnostic data capture while reducing the risk of an IT admin inadvertently capturing user-generated documents, only the following commands are allowed: - - %windir%\\system32\\certutil.exe - - %windir%\\system32\\dxdiag.exe + - %windir%\\system32\\certutil.exe + - %windir%\\system32\\dxdiag.exe - %windir%\\system32\\gpresult.exe - %windir%\\system32\\msinfo32.exe - %windir%\\system32\\netsh.exe From 13f59c7b058804c40fdd1ea8b50d5e5775db00f9 Mon Sep 17 00:00:00 2001 From: RavennMSFT <37601656+RavennMSFT@users.noreply.github.com> Date: Thu, 20 May 2021 14:02:10 -0700 Subject: [PATCH 072/415] Update policy-csp-authentication.md updated description for web sign in policy --- windows/client-management/mdm/policy-csp-authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md index d62b5b232d..0c1b971103 100644 --- a/windows/client-management/mdm/policy-csp-authentication.md +++ b/windows/client-management/mdm/policy-csp-authentication.md @@ -542,7 +542,7 @@ Value type is integer. Supported values: > [!Warning] > This policy is in preview mode only and therefore not meant or recommended for production purposes. -"Web Sign-in" is a new way of signing into a Windows PC. It enables Windows logon support for non-ADFS federated providers (e.g. SAML). +"Web Sign-in" is a new way of signing into a Windows PC. It enables Windows logon support for new Azure AD credentials like Temporary Access Pass > [!Note] > Web Sign-in is only supported on Azure AD Joined PCs. From 4867c75d1f89c3f1efe92ef338d4134b046f4137 Mon Sep 17 00:00:00 2001 From: RavennMSFT <37601656+RavennMSFT@users.noreply.github.com> Date: Thu, 20 May 2021 15:29:01 -0700 Subject: [PATCH 073/415] Update windows/client-management/mdm/policy-csp-authentication.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- windows/client-management/mdm/policy-csp-authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md index 0c1b971103..1b75bd9a6b 100644 --- a/windows/client-management/mdm/policy-csp-authentication.md +++ b/windows/client-management/mdm/policy-csp-authentication.md @@ -542,7 +542,7 @@ Value type is integer. Supported values: > [!Warning] > This policy is in preview mode only and therefore not meant or recommended for production purposes. -"Web Sign-in" is a new way of signing into a Windows PC. It enables Windows logon support for new Azure AD credentials like Temporary Access Pass +"Web Sign-in" is a new way of signing into a Windows PC. It enables Windows logon support for new Azure AD credentials, like Temporary Access Pass. > [!Note] > Web Sign-in is only supported on Azure AD Joined PCs. From d2a7d0718fe7b8174f044b5ae646f3db717535e7 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Thu, 20 May 2021 17:15:23 -0700 Subject: [PATCH 074/415] Updated language about explicit allow or deny rules Clarified language regarding when WDAC calls the cloud to determine a binary's reputation. --- ...der-application-control-with-intelligent-security-graph.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md index 7ad4a8467b..dcd705cd5b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md @@ -31,7 +31,9 @@ Beginning with Windows 10, version 1709, you can set an option to automatically ## How does the integration between WDAC and the Intelligent Security Graph work? -The ISG uses the same vast security intelligence and machine learning analytics that power Microsoft Defender SmartScreen and Microsoft Defender Antivirus to help classify applications as having known good, known bad, or unknown reputation. When a binary runs on a system with WDAC enabled with the ISG option, WDAC checks the file's reputation by sending its hash and signing information to the cloud. If the ISG reports that the file has a known good reputation, the $KERNEL.SMARTLOCKER.ORIGINCLAIM kernel Extended Attribute (EA) is written to the file. Every time the binary runs, it is allowed based on its positive reputation unless there is an explicit deny rule set in the WDAC policy. Conversely, a file that has unknown or known bad reputation will be allowed if your WDAC policy explicitly allows it. +The ISG uses the same vast security intelligence and machine learning analytics that power Microsoft Defender SmartScreen and Microsoft Defender Antivirus to help classify applications as having "known good," "known bad," or "unknown" reputation. When a binary runs on a system, with WDAC enabled with the ISG option, WDAC checks the file's reputation, by sending its hash and signing information to the cloud. If the ISG reports that the file has a "known good" reputation, the $KERNEL.SMARTLOCKER.ORIGINCLAIM kernel Extended Attribute (EA) is written to the file. + +If your WDAC policy does not have an explicit rule to allow or deny a binary to run, then WDAC will make a call to the cloud to determine whether the binary is familiar and safe. However, if your policy already authorizes or denies the binary, then WDAC will not make a call to the cloud, rendering ISG reputation information as moot. If the file with good reputation is an application installer, its reputation will pass along to any files that it writes to disk. This way, all the files needed to install and run an app inherit the positive reputation data from the installer. From 9de68009d2568d04aaa2e4d87fb5d2345c7a46f7 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Thu, 20 May 2021 17:36:16 -0700 Subject: [PATCH 075/415] Updated select-types-of-rules-to-create Created a "More information about hashes," and placed it above the "Windows Defender Application Control filename rules" section. --- .../select-types-of-rules-to-create.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 1314fa6e21..e91bfb3d64 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -126,6 +126,19 @@ Wildcards can be used at the beginning or end of a path rule; only one wildcard You can also use the following macros when the exact volume may vary: `%OSDRIVE%`, `%WINDIR%`, `%SYSTEM32%`. +## More information about hashes + +### Why does scan create 4 hash rules per XML file? + +(Hash Sha1, Hash Sha256, Hash Page Sha1, Hash Page Sha256) +During validation CI will choose which hashes to calculate depending on how the file is signed. E.g. if the file is page-hash signed the entire file would not get paged in to do a full sha256 authenticode and we would just match using the first page hash. + +In the cmdlets, rather than try to predict which hash CI will use, we pre calculate and use the 4 hashes (sha1/sha2 authenticode, and sha1/sha2 of first page). This is also resilient to if the signing status of the file changes and necessary for deny rules to ensure that changing/stripping the signature doesn’t result in a different hash than what was in the policy being used by CI. + +### Why does scan create 8 hash rules for certain XML files? + +Separate rules are created for UMCI and KMCI. In some cases, files which are purely user-mode or purely kernel-mode may still generate both sets, as CI cannot always precisely determine what is purely user vs. kernel mode and errs on the side of caution. + ## Windows Defender Application Control filename rules File name rule levels let you specify file attributes to base a rule on. File name rules provide the same security guarantees that explicit signer rules do, as they are based on non-mutable file attributes. Specification of the file name level occurs when creating new policy rules. From cbca91cc1b1d3c1ca91d3be7d3256c6630866a76 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 20 May 2021 17:40:34 -0700 Subject: [PATCH 076/415] Update 404 link from entry in the redirect file --- windows/whats-new/whats-new-windows-10-version-1803.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/whats-new-windows-10-version-1803.md b/windows/whats-new/whats-new-windows-10-version-1803.md index 0f28f72c7e..b83bdda9a7 100644 --- a/windows/whats-new/whats-new-windows-10-version-1803.md +++ b/windows/whats-new/whats-new-windows-10-version-1803.md @@ -171,7 +171,7 @@ The new [security baseline for Windows 10 version 1803](/windows/security/threat ### Microsoft Defender Antivirus -Microsoft Defender Antivirus now shares detection status between M365 services and interoperates with Microsoft Defender for Endpoint. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](/microsoft-365/security/defender-endpoint/utilize-microsoft-cloud-protection-microsoft-defender-antivirus). +Microsoft Defender Antivirus now shares detection status between M365 services and interoperates with Microsoft Defender for Endpoint. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus). ### Windows Defender Exploit Guard From 6c0242ca208802d1ba7b4430892d63942287f0b0 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Fri, 21 May 2021 14:16:50 +0530 Subject: [PATCH 077/415] Update windows/client-management/mdm/policy-csp-system.md accepted Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/client-management/mdm/policy-csp-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 787fbbbb2a..828bc97b2a 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -842,7 +842,7 @@ ADMX Info: Allows IT admins to enable diagnostic data from this device to be processed by Update Compliance. -If you enable this setting, Enables data flow through Update Compliance's data processing system and indicates a device's explicit enrollment to the service. +If you enable this setting, it enables data flow through Update Compliance's data processing system and indicates a device's explicit enrollment to the service. If you disable or do not configure this policy setting, diagnostic data from this device will not be processed by Update Compliance. From 64de74b17d47d461eb6c47200e47bac57946e5b8 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Fri, 21 May 2021 14:29:06 +0530 Subject: [PATCH 078/415] made boot to System/BootStartDriverInitialization as per user feedback from @illfated under issue #9554 , so i made sentence **System/BootStartDriverInitialization** to bold. --- windows/client-management/mdm/policy-csp-system.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 3615cb2e3f..3a5f16aba7 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -852,6 +852,7 @@ The following list shows the supported values:
+ **System/BootStartDriverInitialization** @@ -1779,4 +1780,4 @@ Footnotes: - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. - \ No newline at end of file + From 2df5eb9b63e59c3a70164fdefbe8cbcd61eef034 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Fri, 21 May 2021 18:52:04 +0530 Subject: [PATCH 079/415] Update policy-csp-deviceinstallation.md --- .../mdm/policy-csp-deviceinstallation.md | 9 --------- 1 file changed, 9 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index 9a9ca55915..62ce04adc6 100644 --- a/windows/client-management/mdm/policy-csp-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md @@ -519,15 +519,6 @@ ADMX Info: -To enable this policy, use the following SyncML. This example applies a layered order of evaluation for Allow and Prevent device installation policies across all device match criteria: - -- Floppy Disks, ClassGUID = {4d36e980-e325-11ce-bfc1-08002be10318} -- CD ROMs, ClassGUID = {4d36e965-e325-11ce-bfc1-08002be10318} -- Modems, ClassGUID = {4d36e96d-e325-11ce-bfc1-08002be10318} - -Enclose the class GUID within curly brackets {}. To configure multiple classes, use `` as a delimiter. - - ```xml From caabdbb0952f8f0f028549acf0d11d9d85b4a6b0 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Fri, 21 May 2021 09:34:50 -0700 Subject: [PATCH 080/415] draft --- windows/sv/TOC.yml | 44 +++++++++++++++++++++++++++++++++-- windows/sv/index.yml | 6 ++--- windows/sv/sv-faq.md | 22 ++++++++++++++++++ windows/sv/sv-overview.md | 22 ++++++++++++++++++ windows/sv/sv-requirements.md | 22 ++++++++++++++++++ 5 files changed, 111 insertions(+), 5 deletions(-) create mode 100644 windows/sv/sv-faq.md create mode 100644 windows/sv/sv-overview.md create mode 100644 windows/sv/sv-requirements.md diff --git a/windows/sv/TOC.yml b/windows/sv/TOC.yml index 459e198125..b8531c0f0c 100644 --- a/windows/sv/TOC.yml +++ b/windows/sv/TOC.yml @@ -1,2 +1,42 @@ -- name: Windows SV - href: index.yml \ No newline at end of file +- name: Deploy and update Windows 10 + href: index.yml + items: + - name: Get started + items: + - name: Sun Valley overview + href: sv-overview.md + - name: Windows Sun Valley requirements + href: sv-requirements.md + - name: Sun Valley FAQ + href: sv-faq.md + + + - name: Upgrade to Windows Sun Valley + items: + + - name: Plan to deploy Windows Sun Valley + href: update/plan-define-readiness.md + - name: Prepare for Windows Sun Valley + href: update/eval-infra-tools.md + - name: Deploy Windows Sun Valley + href: update/plan-determine-app-readiness.md + - name: Define your servicing strategy + href: update/plan-define-strategy.md + - name: Delivery Optimization for Windows 10 updates + href: update/waas-delivery-optimization.md + + + - name: Support + items: + - name: Windows Sun Valley lifecycle + href: sv-requirements.md + - name: Prepare to deploy Windows Sun Valley + href: update/plan-define-readiness.md + - name: Deploy Windows Sun Valley + href: update/eval-infra-tools.md + - name: Determine application readiness + href: update/plan-determine-app-readiness.md + - name: Define your servicing strategy + href: update/plan-define-strategy.md + - name: Delivery Optimization for Windows 10 updates + href: update/waas-delivery-optimization.md diff --git a/windows/sv/index.yml b/windows/sv/index.yml index 0f8c82e9f2..dd25268757 100644 --- a/windows/sv/index.yml +++ b/windows/sv/index.yml @@ -22,7 +22,7 @@ landingContent: # Cards and links should be based on top customer tasks or top subjects # Start card title with a verb # Card (optional) - - title: Card 1 + - title: Get started linkLists: - linkListType: overview links: @@ -37,7 +37,7 @@ landingContent: # Card (optional) - - title: Card 2 + - title: Upgrade to Sun Valley linkLists: - linkListType: overview links: @@ -52,7 +52,7 @@ landingContent: # Card (optional) - - title: Card 3 + - title: Support information linkLists: - linkListType: overview links: diff --git a/windows/sv/sv-faq.md b/windows/sv/sv-faq.md new file mode 100644 index 0000000000..fecfe94a8e --- /dev/null +++ b/windows/sv/sv-faq.md @@ -0,0 +1,22 @@ +--- +title: Placeholder +description: PH +ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C +ms.reviewer: +manager: laurawi +ms.audience: itpro +author: greg-lindsay +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.localizationpriority: medium +audience: itpro +ms.topic: article +ms.custom: seo-marvel-apr2020 +--- + +# Placeholder + +Placeholder text. + diff --git a/windows/sv/sv-overview.md b/windows/sv/sv-overview.md new file mode 100644 index 0000000000..fecfe94a8e --- /dev/null +++ b/windows/sv/sv-overview.md @@ -0,0 +1,22 @@ +--- +title: Placeholder +description: PH +ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C +ms.reviewer: +manager: laurawi +ms.audience: itpro +author: greg-lindsay +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.localizationpriority: medium +audience: itpro +ms.topic: article +ms.custom: seo-marvel-apr2020 +--- + +# Placeholder + +Placeholder text. + diff --git a/windows/sv/sv-requirements.md b/windows/sv/sv-requirements.md new file mode 100644 index 0000000000..fecfe94a8e --- /dev/null +++ b/windows/sv/sv-requirements.md @@ -0,0 +1,22 @@ +--- +title: Placeholder +description: PH +ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C +ms.reviewer: +manager: laurawi +ms.audience: itpro +author: greg-lindsay +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.localizationpriority: medium +audience: itpro +ms.topic: article +ms.custom: seo-marvel-apr2020 +--- + +# Placeholder + +Placeholder text. + From 77497788f16c68eaf6d43a030f10add991c7fc25 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Fri, 21 May 2021 09:51:34 -0700 Subject: [PATCH 081/415] draft2 --- .../sv-app-readiness.md | 183 ++++++++++ windows/client-management/sv-manage.md | 67 ++++ windows/configuration/sv-configure.md | 329 ++++++++++++++++++ windows/deployment/TOC.yml | 4 +- windows/deployment/sv-planning.md | 275 +++++++++++++++ windows/sv/TOC.yml | 41 +-- 6 files changed, 873 insertions(+), 26 deletions(-) create mode 100644 windows/application-management/sv-app-readiness.md create mode 100644 windows/client-management/sv-manage.md create mode 100644 windows/configuration/sv-configure.md create mode 100644 windows/deployment/sv-planning.md diff --git a/windows/application-management/sv-app-readiness.md b/windows/application-management/sv-app-readiness.md new file mode 100644 index 0000000000..d8cddab78d --- /dev/null +++ b/windows/application-management/sv-app-readiness.md @@ -0,0 +1,183 @@ +--- +title: Windows 10 - Apps +ms.reviewer: +manager: dansimp +description: Use this article to understand the different types of apps that run on Windows 10, such as UWP and Win32 apps. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: mobile +ms.author: greglin +author: greg-lindsay +ms.localizationpriority: medium +ms.topic: article +--- +# Understand the different apps included in Windows 10 + +>Applies to: Windows 10 + +The following types of apps run on Windows 10: +- Windows apps - introduced in Windows 8, primarily installed from the Store app. +- Universal Windows Platform (UWP) apps - designed to work across platforms, can be installed on multiple platforms including Windows client, Windows Phone, and Xbox. All UWP apps are also Windows apps, but not all Windows apps are UWP apps. +- "Win32" apps - traditional Windows applications. + +Digging into the Windows apps, there are two categories: +- Apps - All other apps, installed in C:\Program Files\WindowsApps. There are two classes of apps: + - Provisioned: Installed in user account the first time you sign in with a new user account. + - Installed: Installed as part of the OS. +- System apps - Apps that are installed in the C:\Windows\* directory. These apps are integral to the OS. + +The following tables list the system apps, installed Windows apps, and provisioned Windows apps in a standard Windows 10 Enterprise installation. (If you have a custom image, your specific apps might differ.) The tables list the app, the full name, show the app's status in Windows 10 version 1709, 1803, and 1809 and indicate whether an app can be uninstalled through the UI. + +Some of the apps show up in multiple tables - that's because their status changed between versions. Make sure to check the version column for the version you are currently running. + +## Provisioned Windows apps + +You can list all provisioned Windows apps with this PowerShell command: + +```Powershell +Get-AppxProvisionedPackage -Online | Format-Table DisplayName, PackageName +``` + +Here are the provisioned Windows apps in Windows 10 versions 1803, 1809, 1903, 1909, and 2004. + +| Package name | App name | 1803 | 1809 | 1903 | 1909 | 2004 | Uninstall through UI? | +|----------------------------------------------|--------------------------------------------------------------------------------------------------------------------|:----:|:----:|:----:|:----:|:----:|:---------------------:| +| Microsoft.3DBuilder | [3D Builder](ms-windows-store://pdp/?PFN=Microsoft.3DBuilder_8wekyb3d8bbwe) | | | | | | Yes | +| Microsoft.BingWeather | [MSN Weather](ms-windows-store://pdp/?PFN=Microsoft.BingWeather_8wekyb3d8bbwe) | x | x | x | x | x | Yes | +| Microsoft.DesktopAppInstaller | [App Installer](ms-windows-store://pdp/?PFN=Microsoft.DesktopAppInstaller_8wekyb3d8bbwe) | x | x | x | x | x | Via Settings App | +| Microsoft.GetHelp | [Get Help](ms-windows-store://pdp/?PFN=Microsoft.Gethelp_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.Getstarted | [Microsoft Tips](ms-windows-store://pdp/?PFN=Microsoft.Getstarted_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.HEIFImageExtension | [HEIF Image Extensions](ms-windows-store://pdp/?PFN=Microsoft.HEIFImageExtension_8wekyb3d8bbwe) | | x | x | x | x | No | +| Microsoft.Messaging | [Microsoft Messaging](ms-windows-store://pdp/?PFN=Microsoft.Messaging_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.Microsoft3DViewer | [Mixed Reality Viewer](ms-windows-store://pdp/?PFN=Microsoft.Microsoft3DViewer_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.MicrosoftOfficeHub | [Office](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) | x | x | x | x | x | Yes | +| Microsoft.MicrosoftSolitaireCollection | [Microsoft Solitaire Collection](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe) | x | x | x | x | x | Yes | +| Microsoft.MicrosoftStickyNotes | [Microsoft Sticky Notes](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.MixedReality.Portal | [Mixed Reality Portal](ms-windows-store://pdp/?PFN=Microsoft.MixedReality.Portal_8wekyb3d8bbwe) | | x | x | x | x | No | +| Microsoft.MSPaint | [Paint 3D](ms-windows-store://pdp/?PFN=Microsoft.MSPaint_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.Office.OneNote | [OneNote for Windows 10](ms-windows-store://pdp/?PFN=Microsoft.Office.OneNote_8wekyb3d8bbwe) | x | x | x | x | x | Yes | +| Microsoft.OneConnect | [Mobile Plans](ms-windows-store://pdp/?PFN=Microsoft.OneConnect_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.Outlook.DesktopIntegrationServices | | | | | x | x | | +| Microsoft.People | [Microsoft People](ms-windows-store://pdp/?PFN=Microsoft.People_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.Print3D | [Print 3D](ms-windows-store://pdp/?PFN=Microsoft.Print3D_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.ScreenSketch | [Snip & Sketch](ms-windows-store://pdp/?PFN=Microsoft.ScreenSketch_8wekyb3d8bbwe) | | x | x | x | x | No | +| Microsoft.SkypeApp | [Skype](ms-windows-store://pdp/?PFN=Microsoft.SkypeApp_kzf8qxf38zg5c) | x | x | x | x | x | No | +| Microsoft.StorePurchaseApp | [Store Purchase App](ms-windows-store://pdp/?PFN=Microsoft.StorePurchaseApp_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.VP9VideoExtensions | | | x | x | x | x | No | +| Microsoft.Wallet | [Microsoft Pay](ms-windows-store://pdp/?PFN=Microsoft.Wallet_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.WebMediaExtensions | [Web Media Extensions](ms-windows-store://pdp/?PFN=Microsoft.WebMediaExtensions_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.WebpImageExtension | [Webp Image Extension](ms-windows-store://pdp/?PFN=Microsoft.WebpImageExtension_8wekyb3d8bbwe) | | x | x | x | x | No | +| Microsoft.Windows.Photos | [Microsoft Photos](ms-windows-store://pdp/?PFN=Microsoft.Windows.Photos_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.WindowsAlarms | [Windows Alarms & Clock](ms-windows-store://pdp/?PFN=Microsoft.WindowsAlarms_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.WindowsCalculator | [Windows Calculator](ms-windows-store://pdp/?PFN=Microsoft.WindowsCalculator_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.WindowsCamera | [Windows Camera](ms-windows-store://pdp/?PFN=Microsoft.WindowsCamera_8wekyb3d8bbwe) | x | x | x | x | x | No | +| microsoft.windowscommunicationsapps | [Mail and Calendar](ms-windows-store://pdp/?PFN=microsoft.windowscommunicationsapps_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.WindowsFeedbackHub | [Feedback Hub](ms-windows-store://pdp/?PFN=Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.WindowsMaps | [Windows Maps](ms-windows-store://pdp/?PFN=Microsoft.WindowsMaps_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.WindowsSoundRecorder | [Windows Voice Recorder](ms-windows-store://pdp/?PFN=Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.WindowsStore | [Microsoft Store](ms-windows-store://pdp/?PFN=Microsoft.WindowsStore_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.Xbox.TCUI | [Xbox Live in-game experience](ms-windows-store://pdp/?PFN=Microsoft.Xbox.TCUI_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.XboxApp | [Xbox Console Companion](ms-windows-store://pdp/?PFN=Microsoft.XboxApp_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.XboxGameOverlay | [Xbox Game Bar Plugin](ms-windows-store://pdp/?PFN=Microsoft.XboxGameOverlay_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.XboxGamingOverlay | [Xbox Game Bar](ms-windows-store://pdp/?PFN=Microsoft.XboxGamingOverlay_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.XboxIdentityProvider | [Xbox Identity Provider](ms-windows-store://pdp/?PFN=Microsoft.XboxIdentityProvider_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.XboxSpeechToTextOverlay | | x | x | x | x | x | No | +| Microsoft.YourPhone | [Your Phone](ms-windows-store://pdp/?PFN=Microsoft.YourPhone_8wekyb3d8bbwe) | | x | x | x | x | No | +| Microsoft.ZuneMusic | [Groove Music](ms-windows-store://pdp/?PFN=Microsoft.ZuneMusic_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.ZuneVideo | [Movies & TV](ms-windows-store://pdp/?PFN=Microsoft.ZuneVideo_8wekyb3d8bbwe) | x | x | x | x | x | No | + +>[!NOTE] +>The Store app can't be removed. If you want to remove and reinstall the Store app, you can only bring Store back by either restoring your system from a backup or resetting your system. Instead of removing the Store app, you should use group policies to hide or disable it. + +## System apps + +System apps are integral to the operating system. Here are the typical system apps in Windows 10 versions 1709, 1803, and 1809. + +You can list all system apps with this PowerShell command: + +```Powershell +Get-AppxPackage -PackageTypeFilter Main | ? { $_.SignatureKind -eq "System" } | Sort Name | Format-Table Name, InstallLocation +``` + +| Name | Package Name | 1709 | 1803 | 1809 |Uninstall through UI? | +|----------------------------------|---------------------------------------------|:-----:|:----:|:----:|-----------------------| +| File Picker | 1527c705-839a-4832-9118-54d4Bd6a0c89 | | x | x | No | +| File Explorer | c5e2524a-ea46-4f67-841f-6a9465d9d515 | | x | x | No | +| App Resolver UX | E2A4F912-2574-4A75-9BB0-0D023378592B | | x | x | No | +| Add Suggested Folders To Library | F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE | | x | x | No | +| | InputApp | x | x | x | No | +| Microsoft.AAD.Broker.Plugin | Microsoft.AAD.Broker.Plugin | x | x | x | No | +| Microsoft.AccountsControl | Microsoft.AccountsControl | x | x | x | No | +| Microsoft.AsyncTextService | Microsoft.AsyncTextService | | x | x | No | +| Hello setup UI | Microsoft.BioEnrollment | x | x | x | No | +| | Microsoft.CredDialogHost | x | x | x | No | +| | Microsoft.ECApp | x | x | x | No | +| | Microsoft.LockApp | x | x | x | No | +| Microsoft Edge | Microsoft.MicrosoftEdge | x | x | x | No | +| | Microsoft.MicrosoftEdgeDevToolsClient | | x | x | No | +| | Microsoft.PPIProjection | x | x | x | No | +| | Microsoft.Win32WebViewHost | | x | x | No | +| | Microsoft.Windows.Apprep.ChxApp | x | x | x | No | +| | Microsoft.Windows.AssignedAccessLockApp | x | x | x | No | +| | Microsoft.Windows.CapturePicker | | x | x | No | +| | Microsoft.Windows.CloudExperienceHost | x | x | x | No | +| | Microsoft.Windows.ContentDeliveryManager | x | x | x | No | +| Cortana | Microsoft.Windows.Cortana | x | x | x | No | +| | Microsoft.Windows.Holographic.FirstRun | x | x | | No | +| | Microsoft.Windows.OOBENetworkCaptivePort | x | x | x | No | +| | Microsoft.Windows.OOBENetworkConnectionFlow | x | x | x | No | +| | Microsoft.Windows.ParentalControls | x | x | x | No | +| People Hub | Microsoft.Windows.PeopleExperienceHost | x | x | x | No | +| | Microsoft.Windows.PinningConfirmationDialog | x | x | x | No | +| | Microsoft.Windows.SecHealthUI | x | x | x | No | +| | Microsoft.Windows.SecondaryTileExperience | x | | | No | +| | Microsoft.Windows.SecureAssessmentBrowser | x | x | x | No | +| Start | Microsoft.Windows.ShellExperienceHost | x | x | x | No | +| Windows Feedback | Microsoft.WindowsFeedback | * | | | No | +| | Microsoft.XboxGameCallableUI | x | x | x | No | +| | Windows.CBSPreview | | x | x | No | +| Contact Support* | Windows.ContactSupport | * | | | Via Settings App | +| Settings | Windows.immersivecontrolpanel | x | x | x | No | +| Print 3D | Windows.Print3D | | x | x | Yes | +| Print UI | Windows.PrintDialog | x | x | x | No | + + +> [!NOTE] +> The Contact Support app changed to Get Help in version 1709. Get Help is a provisioned app (instead of system app like Contact Support). + +## Installed Windows apps + +Here are the typical installed Windows apps in Windows 10 versions 1709, 1803, and 1809. + + +| Name | Full name | 1709 | 1803 | 1809 | Uninstall through UI? | +|-----------------------|------------------------------------------|:----:|:----:|:----:|:---------------------:| +| Remote Desktop | Microsoft.RemoteDesktop | x | | x | Yes | +| Code Writer | ActiproSoftwareLLC.562882FEEB491 | x | x | | Yes | +| Eclipse Manager | 46928bounde.EclipseManager | x | x | | Yes | +| Pandora | PandoraMediaInc.29680B314EFC2 | x | x | | Yes | +| Photoshop Express | AdobeSystemIncorporated. AdobePhotoshop | x | x | | Yes | +| Duolingo | D5EA27B7.Duolingo- LearnLanguagesforFree | x | x | | Yes | +| Network Speed Test | Microsoft.NetworkSpeedTest | x | x | x | Yes | +| News | Microsoft.BingNews | x | x | x | Yes | +| Sway | Microsoft.Office.Sway | x | x | x | Yes | +| Microsoft.Advertising | Microsoft.Advertising.Xaml | x | x | x | Yes | +| | Microsoft.NET.Native.Framework.1.2 | x | x | | Yes | +| | Microsoft.NET.Native.Framework.1.3 | x | x | | Yes | +| | Microsoft.NET.Native.Framework.1.6 | x | x | x | Yes | +| | Microsoft.NET.Native.Framework.1.7 | | x | x | Yes | +| | Microsoft.NET.Native.Framework.2.0 | x | x | | Yes | +| | Microsoft.NET.Native.Runtime.1.1 | x | x | | Yes | +| | Microsoft.NET.Native.Runtime.1.3 | x | | | Yes | +| | Microsoft.NET.Native.Runtime.1.4 | x | x | | Yes | +| | Microsoft.NET.Native.Runtime.1.6 | x | x | x | Yes | +| | Microsoft.NET.Native.Runtime.1.7 | x | x | x | Yes | +| | Microsoft.NET.Native.Runtime.2.0 | x | x | | Yes | +| | Microsoft.Services.Store.Engagement | x | x | | Yes | +| | Microsoft.VCLibs.120.00 | x | x | | Yes | +| | Microsoft.VCLibs.140.00 | x | x | x | Yes | +| | Microsoft.VCLibs.120.00.Universal | x | | | Yes | +| | Microsoft.VCLibs.140.00.UWPDesktop | | x | | Yes | + +--- diff --git a/windows/client-management/sv-manage.md b/windows/client-management/sv-manage.md new file mode 100644 index 0000000000..4fc41d68c1 --- /dev/null +++ b/windows/client-management/sv-manage.md @@ -0,0 +1,67 @@ +--- +title: Manage corporate devices (Windows 10) +description: You can use the same management tools to manage all device types running Windows 10 desktops, laptops, tablets, and phones. +ms.assetid: 62D6710C-E59C-4077-9C7E-CE0A92DFC05D +ms.reviewer: +manager: dansimp +ms.author: dansimp +keywords: ["MDM", "device management"] +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: devices +author: dansimp +ms.localizationpriority: medium +ms.date: 09/21/2017 +ms.topic: article +--- + +# Manage corporate devices + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +You can use the same management tools to manage all device types running Windows 10 : desktops, laptops, tablets, and phones. And your current management tools, such as Group Policy, Windows Management Instrumentation (WMI), PowerShell scripts, System Center tools, and so on, will continue to work for Windows 10. + +## In this section + +| Topic | Description | +| --- | --- | +| [Manage Windows 10 in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md) | Strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment | +| [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md) | How to use Remote Desktop Connection to connect to an Azure AD-joined PC | +| [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](/windows/configuration/manage-tips-and-suggestions) | Options to manage user experiences to provide a consistent and predictable experience for employees | +| [New policies for Windows 10](new-policies-for-windows-10.md) | New Group Policy settings added in Windows 10 | +| [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md) | Group Policy settings that apply only to Windows 10 Enterprise and Windows 10 Education | +| [Changes to Group Policy settings for Start in Windows 10](/windows/configuration/changes-to-start-policies-in-windows-10) | Changes to the Group Policy settings that you use to manage Start | +| [Introduction to configuration service providers (CSPs) for IT pros](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) | How IT pros and system administrators can take advantage of many settings available through CSPs to configure devices running Windows 10 and Windows 10 Mobile in their organizations | + + +## Learn more + +[How to bulk-enroll devices with On-premises Mobile Device Management in Microsoft Endpoint Configuration Manager](/mem/configmgr/mdm/deploy-use/bulk-enroll-devices-on-premises-mdm) + +[Azure AD, Microsoft Intune and Windows 10 - Using the cloud to modernize enterprise mobility](https://blogs.technet.microsoft.com/enterprisemobility/2015/06/12/azure-ad-microsoft-intune-and-windows-10-using-the-cloud-to-modernize-enterprise-mobility/) + +[Microsoft Intune End User Enrollment Guide](/samples/browse/?redirectedfrom=TechNet-Gallery) + +[Azure AD Join on Windows 10 devices](https://go.microsoft.com/fwlink/p/?LinkId=616791) + +[Azure AD support for Windows 10](https://go.microsoft.com/fwlink/p/?LinkID=615765) + +[Windows 10 and Azure Active Directory: Embracing the Cloud](https://go.microsoft.com/fwlink/p/?LinkId=615768) + +[How to manage Windows 10 devices using Intune](https://go.microsoft.com/fwlink/p/?LinkId=613620) + +[Using Intune alone and with Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=613207) + +Microsoft Virtual Academy course: [System Center 2012 R2 Configuration Manager & Windows Intune](/learn/) + + + + + + +  \ No newline at end of file diff --git a/windows/configuration/sv-configure.md b/windows/configuration/sv-configure.md new file mode 100644 index 0000000000..15407ebc50 --- /dev/null +++ b/windows/configuration/sv-configure.md @@ -0,0 +1,329 @@ +--- +title: Configure Windows 10 taskbar (Windows 10) +description: Administrators can pin additional apps to the taskbar and remove default pinned apps from the taskbar by adding a section to a layout modification XML file. +keywords: ["taskbar layout","pin apps"] +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: greg-lindsay +ms.author: greglin +ms.topic: article +ms.localizationpriority: medium +ms.date: 01/18/2018 +ms.reviewer: +manager: dansimp +--- +# Configure Windows 10 taskbar + +Starting in Windows 10, version 1607, administrators can pin additional apps to the taskbar and remove default pinned apps from the taskbar by adding a `` section to a layout modification XML file. This method never removes user-pinned apps from the taskbar. + +> [!NOTE] +> The only aspect of the taskbar that can currently be configured by the layout modification XML file is the layout. + +You can specify different taskbar configurations based on device locale and region. There is no limit on the number of apps that you can pin. You specify apps using the [Application User Model ID (AUMID)](./find-the-application-user-model-id-of-an-installed-app.md) or Desktop Application Link Path (the local path to the application). + +If you specify an app to be pinned that is not provisioned for the user on the computer, the pinned icon won't appear on the taskbar. + +The order of apps in the XML file dictates the order of pinned apps on the taskbar from left to right, to the right of any existing apps pinned by the user. + +> [!NOTE] +> In operating systems configured to use a right-to-left language, the taskbar order will be reversed. + +The following example shows how apps will be pinned: Windows default apps to the left (blue circle), apps pinned by the user in the center (orange triangle), and apps that you pin using the XML file to the right (green square). + +![Windows left, user center, enterprise to the right](images/taskbar-generic.png) + + +## Configure taskbar (general) + +**To configure the taskbar:** + +1. Create the XML file. + * If you are also [customizing the Start layout](customize-and-export-start-layout.md), use `Export-StartLayout` to create the XML, and then add the `` section from [the following sample](#sample-taskbar-configuration-added-to-start-layout-xml-file) to the file. + * If you are only configuring the taskbar, use [the following sample](#sample-taskbar-configuration-xml-file) to create a layout modification XML file. +2. Edit and save the XML file. You can use [AUMID](./find-the-application-user-model-id-of-an-installed-app.md) or Desktop Application Link Path to identify the apps to pin to the taskbar. + * Add `xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"` to the first line of the file, before the closing \>. + * Use `` and [AUMID](./find-the-application-user-model-id-of-an-installed-app.md) to pin Universal Windows Platform apps. + * Use `` and Desktop Application Link Path to pin desktop applications. +3. Apply the layout modification XML file to devices using [Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) or a [provisioning package created in Windows Imaging and Configuration Designer (Windows ICD)](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md). + +>[!IMPORTANT] +>If you use a provisioning package or import-startlayout to configure the taskbar, your configuration will be reapplied each time the explorer.exe process restarts. If your configuration pins an app and the user then unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration that allows users to make changes that will persist, apply your configuration by using Group Policy. +> +>If you use Group Policy and your configuration only contains a taskbar layout, the default Windows tile layout will be applied and cannot be changed by users. If you use Group Policy and your configuration includes taskbar and a full Start layout, users can only make changes to the taskbar. If you use Group Policy and your configuration includes taskbar and a [partial Start layout](.//customize-and-export-start-layout.md#configure-a-partial-start-layout), users can make changes to the taskbar and to tile groups not defined in the partial Start layout. + +### Tips for finding AUMID and Desktop Application Link Path + +In the layout modification XML file, you will need to add entries for applications in the XML markup. In order to pin an application, you need either its AUMID or Desktop Application Link Path. + +The easiest way to find this data for an application is to: +1. Pin the application to the Start menu on a reference or testing PC. +2. Open Windows PowerShell and run the `Export-StartLayout` cmdlet. +3. Open the generated XML file. +4. Look for an entry corresponding to the app you pinned. +5. Look for a property labeled `AppUserModelID` or `DesktopApplicationLinkPath`. + + +### Sample taskbar configuration XML file + +```xml + + + + + + + + + + + +``` +### Sample taskbar configuration added to Start layout XML file + +```xml + + + + + + + + + + + + + + + + + + + + + + + +``` + +## Keep default apps and add your own + +The `` section will append listed apps to the taskbar by default. The following sample keeps the default apps pinned and adds pins for Paint, Microsoft Reader, and a command prompt. + +```xml + + + + + + + + + + + + +``` +**Before:** + +![default apps pinned to taskbar](images/taskbar-default.png) + +**After:** + + ![additional apps pinned to taskbar](images/taskbar-default-plus.png) + +## Remove default apps and add your own + +By adding `PinListPlacement="Replace"` to ``, you remove all default pinned apps; only the apps that you specify will be pinned to the taskbar. + +If you only want to remove some of the default pinned apps, you would use this method to remove all default pinned apps and then include the default app that you want to keep in your list of pinned apps. + +```xml + + + + + + + + + + + + +``` +**Before:** + +![Taskbar with default apps](images/taskbar-default.png) + +**After:** + +![Taskbar with default apps removed](images/taskbar-default-removed.png) + +## Remove default apps + +By adding `PinListPlacement="Replace"` to ``, you remove all default pinned apps. + + +```xml + + + + + + + + + + +``` + +## Configure taskbar by country or region + +The following example shows you how to configure taskbars by country or region. When the layout is applied to a computer, if there is no `` node with a region tag for the current region, the first `` node that has no specified region will be applied. When you specify one or more countries or regions in a `` node, the specified apps are pinned on computers configured for any of the specified countries or regions. + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +When the preceding example XML file is applied, the resulting taskbar for computers in the US or UK: + +![taskbar for US and UK locale](images/taskbar-region-usuk.png) + +The resulting taskbar for computers in Germany or France: + +![taskbar for DE and FR locale](images/taskbar-region-defr.png) + +The resulting taskbar for computers in any other country region: + +![taskbar for all other regions](images/taskbar-region-other.png) + + +> [!NOTE] +> [Look up country and region codes (use the ISO Short column)](/previous-versions/commerce-server/ee799297(v=cs.20)) + + + + +## Layout Modification Template schema definition + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +## Related topics + +- [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) +- [Customize and export Start layout](customize-and-export-start-layout.md) +- [Add image for secondary tiles](start-secondary-tiles.md) +- [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md) +- [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) +- [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) +- [Customize Windows 10 Start and tasbkar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) +- [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md) \ No newline at end of file diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index c8a3334ac2..fb5306a3e3 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml @@ -1,4 +1,4 @@ -- name: Deploy and update Windows 10 +- name: Deploy and update Windows client href: index.yml items: - name: Get started @@ -33,6 +33,8 @@ - name: Plan items: + - name: Windows Sun Valley deployment planning + href: sv-planning.md - name: Create a deployment plan href: update/create-deployment-plan.md - name: Define readiness criteria diff --git a/windows/deployment/sv-planning.md b/windows/deployment/sv-planning.md new file mode 100644 index 0000000000..e28a0eb0e8 --- /dev/null +++ b/windows/deployment/sv-planning.md @@ -0,0 +1,275 @@ +--- +title: Windows Sun Valley deployment planning +description: Understand the different ways Windows 10 operating system can be deployed in your organization. Explore several Windows 10 deployment scenarios. +ms.assetid: 7A29D546-52CC-482C-8870-8123C7DC04B5 +ms.reviewer: +manager: laurawi +ms.audience: itpro +ms.author: greglin +author: greg-lindsay +keywords: upgrade, in-place, configuration, deploy +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +audience: itpro +ms.topic: article +--- + +# Windows Sun Valley deployment planning + +**Applies to** +- Windows 10 + +To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the capabilities and limitations of each, is a key task. + +The following table summarizes various Windows 10 deployment scenarios. The scenarios are each assigned to one of three categories. +- Modern deployment methods are recommended unless you have a specific need to use a different procedure. These methods are supported with existing tools such as Microsoft Deployment Toolkit (MDT) and Microsoft Endpoint Configuration Manager. These methods are discussed in detail on the [Modern Desktop Deployment Center](/microsoft-365/enterprise/desktop-deployment-center-home). + - Note: Once you have deployed Windows 10 in your organization, it is important to stay up to date by [creating a deployment plan](update/create-deployment-plan.md) for Windows 10 feature updates. +- Dynamic deployment methods enable you to configure applications and settings for specific use cases. +- Traditional deployment methods use existing tools to deploy operating system images.
  + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
CategoryScenarioDescriptionMore information
Modern + +[Windows Autopilot](#windows-autopilot) + Customize the out-of-box-experience (OOBE) for your organization, and deploy a new system with apps and settings already configured. + +Overview of Windows Autopilot +
+ +[In-place upgrade](#in-place-upgrade) + + + Use Windows Setup to update your OS and migrate apps and settings. Rollback data is saved in Windows.old. + +Perform an in-place upgrade to Windows 10 with MDT
Perform an in-place upgrade to Windows 10 using Configuration Manager +
+ Dynamic + + +[Subscription Activation](#windows-10-subscription-activation) + + Switch from Windows 10 Pro to Enterprise when a subscribed user signs in. + +Windows 10 Subscription Activation +
+ + [AAD / MDM](#dynamic-provisioning) + + The device is automatically joined to AAD and configured by MDM. + +Azure Active Directory integration with MDM +
+ + [Provisioning packages](#dynamic-provisioning) + + Using the Windows Imaging and Configuration Designer tool, create provisioning packages that can be applied to devices. + +Configure devices without MDM +
+ Traditional + + + [Bare metal](#new-computer) + + Deploy a new device, or wipe an existing device and deploy with a fresh image. + + Deploy a Windows 10 image using MDT
Deploy Windows 10 using PXE and Configuration Manager +
+ + [Refresh](#computer-refresh) + + Also called wipe and load. Redeploy a device by saving the user state, wiping the disk, then restoring the user state. + + Refresh a Windows 7 computer with Windows 10
Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager +
+ + [Replace](#computer-replace) + + Replace an existing device with a new one by saving the user state on the old device and then restoring it to the new device. + + Replace a Windows 7 computer with a Windows 10 computer
Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager +
+ +
  + + +>[!IMPORTANT] +>The Windows Autopilot and Subscription Activation scenarios require that the beginning OS be Windows 10 version 1703, or later.
+>Except for clean install scenarios such as traditional bare metal and Windows Autopilot, all the methods described can optionally migrate apps and settings to the new OS. + +## Modern deployment methods + +Modern deployment methods embrace both traditional on-prem and cloud services to deliver a simple, streamlined, cost effective deployment experience. + +### Windows Autopilot + +Windows Autopilot is a new suite of capabilities designed to simplify and modernize the deployment and management of new Windows 10 PCs. Windows Autopilot enables IT professionals to customize the Out of Box Experience (OOBE) for Windows 10 PCs and provide end users with a fully configured new Windows 10 device after just a few clicks. There are no images to deploy, no drivers to inject, and no infrastructure to manage. Users can go through the deployment process independently, without the need consult their IT administrator. + +For more information about Windows Autopilot, see [Overview of Windows Autopilot](/windows/deployment/windows-10-auto-pilot) and [Modernizing Windows deployment with Windows Autopilot](https://blogs.technet.microsoft.com/windowsitpro/2017/06/29/modernizing-windows-deployment-with-windows-autopilot/). + +### In-place upgrade + +For existing computers running Windows 7, Windows 8, or Windows 8.1, the recommended path for organizations deploying Windows 10 leverages the Windows installation program (Setup.exe) to perform an in-place upgrade, which automatically preserves all data, settings, applications, and drivers from the existing operating system version. This requires the least IT effort, because there is no need for any complex deployment infrastructure. + +Although consumer PCs will be upgraded using Windows Update, organizations want more control over the process. This is accomplished by leveraging tools like Microsoft Endpoint Manager or the Microsoft Deployment Toolkit to completely automate the upgrade process through simple task sequences. + +The in-place upgrade process is designed to be extremely reliable, with the ability to automatically roll back to the previous operating system if any issues are encountered during the deployment process, without any IT staff involvement. Rolling back manually can also be done by leveraging the automatically-created recovery information (stored in the Windows.old folder), in case any issues are encountered after the upgrade is finished. The upgrade process is also typically faster than traditional deployments, because applications do not need to be reinstalled as part of the process. + +Because existing applications are preserved through the process, the upgrade process uses the standard Windows installation media image (Install.wim); custom images are not needed and cannot be used because the upgrade process is unable to deal with conflicts between apps in the old and new operating system. (For example, Contoso Timecard 1.0 in Windows 7 and Contoso Timecard 3.0 in the Windows 10 image.) + +Scenarios that support in-place upgrade with some additional procedures include changing from BIOS to UEFI boot mode and upgrade of devices that use non-Microsoft disk encryption software. + +- **Legacy BIOS to UEFI booting**: To perform an in-place upgrade on a UEFI-capable system that currently boots using legacy BIOS, first perform the in-place upgrade to Windows 10, maintaining the legacy BIOS boot mode. Windows 10 does not require UEFI, so it will work fine to upgrade a system using legacy BIOS emulation. After the upgrade, if you wish to enable Windows 10 features that require UEFI (such as Secure Boot), you can convert the system disk to a format that supports UEFI boot using the [MBR2GPT](./mbr-to-gpt.md) tool. Note: [UEFI specification](http://www.uefi.org/specifications) requires GPT disk layout. After the disk has been converted, you must also configure the firmware to boot in UEFI mode. + +- **Non-Microsoft disk encryption software**: While devices encrypted with BitLocker can easily be upgraded, more work is necessary for non-Microsoft disk encryption tools. Some ISVs will provide instructions on how to integrate their software into the in-place upgrade process. Check with your ISV to see if they have instructions. The following articles provide details on how to provision encryption drivers for use during Windows Setup via the ReflectDrivers setting: + - [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview) + - [Windows Setup Command-Line Options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options) + +There are some situations where you cannot use in-place upgrade; in these situations, you can use traditional deployment (wipe-and-load) instead. Examples of these situations include: + +- Changing from Windows 7, Windows 8, or Windows 8.1 x86 to Windows 10 x64. The upgrade process cannot change from a 32-bit operating system to a 64-bit operating system, because of possible complications with installed applications and drivers. +- Windows To Go and Boot from VHD installations. The upgrade process is unable to upgrade these installations. Instead, new installations would need to be performed. +- Updating existing images. While it might be tempting to try to upgrade existing Windows 7, Windows 8, or Windows 8.1 images to Windows 10 by installing the old image, upgrading it, and then recapturing the new Windows 10 image, this is not supported – preparing an upgraded OS for imaging (using Sysprep.exe) is not supported and will not work when it detects the upgraded OS. +- Dual-boot and multi-boot systems. The upgrade process is designed for devices running a single OS; if using dual-boot or multi-boot systems with multiple operating systems (not leveraging virtual machines for the second and subsequent operating systems), additional care should be taken. + + +## Dynamic provisioning + +For new PCs, organizations have historically replaced the version of Windows included on the device with their own custom Windows image, because this was often faster and easier than leveraging the preinstalled version. But this is an added expense due to the time and effort required. With the new dynamic provisioning capabilities and tools provided with Windows 10, it is now possible to avoid this. + +The goal of dynamic provisioning is to take a new PC out of the box, turn it on, and transform it into a productive organization device, with minimal time and effort. The types of transformations that are available include: + +### Windows 10 Subscription Activation + +Windows 10 Subscription Activation is a modern deployment method that enables you to change the SKU from Pro to Enterprise with no keys and no reboots. For more information about Subscription Activation, see [Windows 10 Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation). + + +### Azure Active Directory (AAD) join with automatic mobile device management (MDM) enrollment + +In this scenario, the organization member just needs to provide their work or school user ID and password; the device can then be automatically joined to Azure Active Directory and enrolled in a mobile device management (MDM) solution with no additional user interaction. Once done, the MDM solution can finish configuring the device as needed. For more information, see [Azure Active Directory integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm). + +### Provisioning package configuration + +Using the [Windows Imaging and Configuration Designer (ICD)](/windows/configuration/provisioning-packages/provisioning-install-icd), IT administrators can create a self-contained package that contains all of the configuration, settings, and apps that need to be applied to a machine. These packages can then be deployed to new PCs through a variety of means, typically by IT professionals. For more information, see [Configure devices without MDM](/windows/configuration/configure-devices-without-mdm). + +These scenarios can be used to enable “choose your own device” (CYOD) programs where the organization’s users can pick their own PC and not be restricted to a small list of approved or certified models (programs that are difficult to implement using traditional deployment scenarios). + +While the initial Windows 10 release includes a variety of provisioning settings and deployment mechanisms, these will continue to be enhanced and extended based on feedback from organizations. As with all Windows features, organizations can submit suggestions for additional features through the Windows Feedback app or through their Microsoft Support contacts. + +## Traditional deployment: + +New versions of Windows have typically been deployed by organizations using an image-based process built on top of tools provided in the [Windows Assessment and Deployment Kit](windows-adk-scenarios-for-it-pros.md), Windows Deployment Services, the [Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md), and [Microsoft Endpoint Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). + +With the release of Windows 10, all of these tools are being updated to fully support Windows 10. Although newer scenarios such as in-place upgrade and dynamic provisioning may reduce the need for traditional deployment capabilities in some organizations, these traditional methods remain important and will continue to be available to organizations that need them. + +The traditional deployment scenario can be divided into different sub-scenarios. These are explained in detail in the following sections, but the following provides a brief summary: + +- **New computer.** A bare-metal deployment of a new machine. +- **Computer refresh.** A reinstall of the same machine (with user-state migration and an optional full Windows Imaging (WIM) image backup). +- **Computer replace.** A replacement of the old machine with a new machine (with user-state migration and an optional full WIM image backup). + +### New computer + +Also called a "bare metal" deployment. This scenario occurs when you have a blank machine you need to deploy, or an existing machine you want to wipe and redeploy without needing to preserve any existing data. The setup starts from a boot media, using CD, USB, ISO, or Pre-Boot Execution Environment (PXE). You can also generate a full offline media that includes all the files needed for a client deployment, allowing you to deploy without having to connect to a central deployment share. The target can be a physical computer, a virtual machine, or a Virtual Hard Disk (VHD) running on a physical computer (boot from VHD). + +The deployment process for the new machine scenario is as follows: + +1. Start the setup from boot media (CD, USB, ISO, or PXE). + +2. Wipe the hard disk clean and create new volume(s). + +3. Install the operating system image. + +4. Install other applications (as part of the task sequence). + +After taking these steps, the computer is ready for use. + +### Computer refresh + +A refresh is sometimes called wipe-and-load. The process is normally initiated in the running operating system. User data and settings are backed up and restored later as part of the deployment process. The target can be the same as for the new computer scenario. + +The deployment process for the wipe-and-load scenario is as follows: + +1. Start the setup on a running operating system. + +2. Save the user state locally. + +3. Wipe the hard disk clean (except for the folder containing the backup). + +4. Install the operating system image. + +5. Install other applications. + +6. Restore the user state. + +After taking these steps, the machine is ready for use. + +### Computer replace + +A computer replace is similar to the refresh scenario. However, since we are replacing the machine, we divide this scenario into two main tasks: backup of the old client and bare-metal deployment of the new client. As with the refresh scenario, user data and settings are backed up and restored. + +The deployment process for the replace scenario is as follows: + +1. Save the user state (data and settings) on the server through a backup job on the running operating system. + +2. Deploy the new computer as a bare-metal deployment. + + **Note**
In some situations, you can use the replace scenario even if the target is the same machine. For example, you can use replace if you want to modify the disk layout from the master boot record (MBR) to the GUID partition table (GPT), which will allow you to take advantage of the Unified Extensible Firmware Interface (UEFI) functionality. You can also use replace if the disk needs to be repartitioned since user data needs to be transferred off the disk. + +## Related topics + +- [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) +- [Upgrade to Windows 10 with Microsoft Endpoint Configuration Manager](./deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md) +- [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=620230) +- [Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) +- [Windows setup technical reference](/windows-hardware/manufacture/desktop/windows-setup-technical-reference) +- [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) +- [UEFI firmware](/windows-hardware/design/device-experiences/oem-uefi) \ No newline at end of file diff --git a/windows/sv/TOC.yml b/windows/sv/TOC.yml index b8531c0f0c..f9d971cc94 100644 --- a/windows/sv/TOC.yml +++ b/windows/sv/TOC.yml @@ -1,42 +1,33 @@ - name: Deploy and update Windows 10 href: index.yml items: - - name: Get started + - name: Get started with Windows Sun Valley items: - name: Sun Valley overview href: sv-overview.md - name: Windows Sun Valley requirements href: sv-requirements.md - - name: Sun Valley FAQ - href: sv-faq.md - + - name: Upgrade to Windows Sun Valley items: - - name: Plan to deploy Windows Sun Valley - href: update/plan-define-readiness.md + href: ../deployment/sv-planning.md - name: Prepare for Windows Sun Valley - href: update/eval-infra-tools.md + href: ../deployment/sv-prepare.md - name: Deploy Windows Sun Valley - href: update/plan-determine-app-readiness.md - - name: Define your servicing strategy - href: update/plan-define-strategy.md - - name: Delivery Optimization for Windows 10 updates - href: update/waas-delivery-optimization.md - + href: ../deployment/sv-deploy.md + - name: Configure Windows Sun Valley + href: ../configuration/sv-configure.md + - name: Manage Windows Sun Valley + href: ../client-management/sv-manage.md - - name: Support + - name: Windows Sun Valley Support items: - name: Windows Sun Valley lifecycle - href: sv-requirements.md - - name: Prepare to deploy Windows Sun Valley - href: update/plan-define-readiness.md - - name: Deploy Windows Sun Valley - href: update/eval-infra-tools.md - - name: Determine application readiness - href: update/plan-determine-app-readiness.md - - name: Define your servicing strategy - href: update/plan-define-strategy.md - - name: Delivery Optimization for Windows 10 updates - href: update/waas-delivery-optimization.md + href: sv-lifecycle.md + - name: Windows Sun Valley application readiness + href: application-management/sv-app-readiness.md + - name: Sun Valley FAQ + href: sv-faq.md + From 33d5c8c5867c7c413574cc96abc6f8d455b54575 Mon Sep 17 00:00:00 2001 From: RavennMSFT <37601656+RavennMSFT@users.noreply.github.com> Date: Fri, 21 May 2021 10:00:18 -0700 Subject: [PATCH 082/415] Update network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md updated the security considerations section as it does not take Azure AD joined devices into consideration, which are verified and authenticated by Azure AD --- ...requests-to-this-computer-to-use-online-identities.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md index 716b1da171..671eb87720 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md @@ -74,17 +74,18 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -Enabling this policy setting allows a user’s account on one computer to be associated with an online identity, such as Microsoft account. That account can then log on to a peer device (if the peer device is likewise configured) without the use of a Windows logon account (domain or local). This setup is beneficial for workgroups or home groups. But in a domain-joined environment, it might circumvent established security policies. +Enabling this policy setting allows a user’s account on one computer to be associated with an online identity, such as Microsoft account or an Azure AD account. That account can then log on to a peer device (if the peer device is likewise configured) without the use of a Windows logon account (domain or local). This setup is not only beneficial, but required for Azure AD joined devices, where they are signed in with an online identity and are issued certificates by Azure AD. This policy may not be relevant for an *on-premises only* environment and might circumvent established security policies. However, it does not pose any threats in a hybrid environment where Azure AD is used as it relies on the user's online identity and Azure AD to authenticate. ### Countermeasure -Set this policy to *Disabled* or don't configure this security policy for domain-joined devices. +Set this policy to *Disabled* or don't configure this security policy for *on-premises only* environments. ### Potential impact -If you don't set or you disable this policy, the PKU2U protocol won't be used to authenticate between peer devices, which forces users to follow domain-defined access control policies. If you enable this policy, you allow your users to authenticate by using local certificates between systems that aren't part of a domain that uses PKU2U. This configuration allows users to share resources between devices. +If you don't set or you disable this policy, the PKU2U protocol won't be used to authenticate between peer devices, which forces users to follow domain-defined access control policies. This is a valid configuration in *on-premises only* environments. Please be aware that some roles/features (such as Failover Clustering) do not utilize a domain account for its PKU2U authentication and will cease to function properly when disabling this policy. + +If you enable this policy in a hybrid environment, you allow your users to authenticate by using certificates issued by Azure AD and their online identity between the corresponding devices. This configuration allows users to share resources between such devices. Without enabling this policy, remote connections to an Azure AD joined device will not work. -Please be aware that some roles/features (such as Failover Clustering) do not utilize a domain account for its PKU2U authentication and will cease to function properly when disabling this policy. ## Related topics From f3d8408cfc8dea7b52bda1a4f98bec3cb2cbde22 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Fri, 21 May 2021 10:05:29 -0700 Subject: [PATCH 083/415] draft3 --- windows/sv/TOC.yml | 21 +++++++++++---------- windows/sv/index.yml | 41 ++++++++++++++++++----------------------- 2 files changed, 29 insertions(+), 33 deletions(-) diff --git a/windows/sv/TOC.yml b/windows/sv/TOC.yml index f9d971cc94..76ac398036 100644 --- a/windows/sv/TOC.yml +++ b/windows/sv/TOC.yml @@ -1,15 +1,16 @@ -- name: Deploy and update Windows 10 +- name: Windows Sun Valley href: index.yml items: - - name: Get started with Windows Sun Valley + - name: Get started items: - - name: Sun Valley overview + - name: Windows Sun Valley overview href: sv-overview.md - name: Windows Sun Valley requirements href: sv-requirements.md + - name: Sun Valley FAQ + href: sv-faq.md - - - name: Upgrade to Windows Sun Valley + - name: Deploy and Manage Windows Sun Valley items: - name: Plan to deploy Windows Sun Valley href: ../deployment/sv-planning.md @@ -21,13 +22,13 @@ href: ../configuration/sv-configure.md - name: Manage Windows Sun Valley href: ../client-management/sv-manage.md + - name: Windows Sun Valley application readiness + href: application-management/sv-app-readiness.md - - name: Windows Sun Valley Support + - name: Support items: - name: Windows Sun Valley lifecycle href: sv-lifecycle.md - - name: Windows Sun Valley application readiness - href: application-management/sv-app-readiness.md - - name: Sun Valley FAQ - href: sv-faq.md + + diff --git a/windows/sv/index.yml b/windows/sv/index.yml index dd25268757..f528902792 100644 --- a/windows/sv/index.yml +++ b/windows/sv/index.yml @@ -1,7 +1,7 @@ ### YamlMime:Landing title: Windows SV # < 60 chars -summary: Find out about Windows SV. # < 160 chars +summary: Find out about Windows Sun Valley. # < 160 chars metadata: title: Windows SV # Required; page title displayed in search results. Include the brand. < 60 chars. @@ -26,41 +26,36 @@ landingContent: linkLists: - linkListType: overview links: - - text: Link 1 - url: placeholder.md - - text: Link 2 - url: placeholder.md - - text: Link 3 - url: placeholder.md - - text: Link 4 - url: placeholder.md - + - text: Windows Sun Valley overview + url: sv-overview.md + - text: Windows Sun Valley requirements + url: sv-requirements.md + - text: Windows Sun Valley FAQ + url: sv-faq.md # Card (optional) - - title: Upgrade to Sun Valley + - title: Deploy Windows Sun Valley linkLists: - linkListType: overview links: - - text: Link 1 + - text: Plan to deploy Windows Sun Valley url: placeholder.md - - text: Link 2 + - text: Prepare for Windows Sun Valley url: placeholder.md - - text: Link 3 + - text: Deploy Windows Sun Valley url: placeholder.md - - text: Link 4 + - text: Configure Windows Sun Valley + url: placeholder.md + - text: Manage Windows Sun Valley + url: placeholder.md + - text: Windows Sun Valley application readiness url: placeholder.md - # Card (optional) - title: Support information linkLists: - linkListType: overview links: - - text: Link 1 - url: placeholder.md - - text: Link 2 - url: placeholder.md - - text: Link 3 - url: placeholder.md - - text: Link 4 + - text: Windows Sun Valley lifecycle url: placeholder.md + From 68f9baf2a90dea7ccb1359e50df688f9ba251597 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Fri, 21 May 2021 10:19:50 -0700 Subject: [PATCH 084/415] draft4 --- windows/hub/TOC.yml | 4 +++- windows/hub/index.yml | 34 ++++++++++++++++++++++------------ windows/sv/TOC.yml | 2 ++ windows/sv/index.yml | 2 ++ 4 files changed, 29 insertions(+), 13 deletions(-) diff --git a/windows/hub/TOC.yml b/windows/hub/TOC.yml index 2d99b5fb17..36a3417877 100644 --- a/windows/hub/TOC.yml +++ b/windows/hub/TOC.yml @@ -1,8 +1,10 @@ -- name: Windows 10 +- name: Windows client href: index.yml items: - name: What's new href: /windows/whats-new + - name: Windows Sun Valley + href: /windows/sv - name: Release information href: /windows/release-health - name: Deployment diff --git a/windows/hub/index.yml b/windows/hub/index.yml index 2714aec10e..7ecfe4e922 100644 --- a/windows/hub/index.yml +++ b/windows/hub/index.yml @@ -1,10 +1,10 @@ ### YamlMime:Landing -title: Windows 10 resources and documentation for IT Pros # < 60 chars +title: Windows client resources and documentation for IT Pros # < 60 chars summary: Plan, deploy, secure, and manage devices running Windows 10. # < 160 chars metadata: - title: Windows 10 documentation for IT Pros # Required; page title displayed in search results. Include the brand. < 60 chars. + title: Windows client documentation for IT Pros # Required; page title displayed in search results. Include the brand. < 60 chars. description: Evaluate, plan, deploy, secure and manage devices running Windows 10. # Required; article description that is displayed in search results. < 160 chars. services: windows-10 ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. @@ -26,12 +26,14 @@ landingContent: linkLists: - linkListType: overview links: - - text: What's new in Windows 10, version 21H1 + - text: Windows Sun Valley overview + url: /sv/sv-overview.md + - text: What's new in Windows Sun Valley, version 21H2 url: /windows/whats-new/whats-new-windows-10-version-21H1 - - text: What's new in Windows 10, version 20H2 - url: /windows/whats-new/whats-new-windows-10-version-20H2 - - text: What's new in Windows 10, version 2004 - url: /windows/whats-new/whats-new-windows-10-version-2004 + - text: What's new in Windows 10, version 21H2 + url: /windows/whats-new/whats-new-windows-10-version-21H1 + - text: Windows Sun Valley release information + url: /windows/release-health/release-information - text: Windows 10 release information url: /windows/release-health/release-information @@ -40,8 +42,10 @@ landingContent: linkLists: - linkListType: how-to-guide links: - - text: Configure Windows 10 + - text: Configure Windows client url: /windows/configuration/index + - text: Configure Windows Sun Valley + url: /windows/configuration/sv-configure.md - text: Accessibility information for IT Pros url: /windows/configuration/windows-10-accessibility-for-itpros - text: Configure access to Microsoft Store @@ -54,8 +58,10 @@ landingContent: linkLists: - linkListType: deploy links: - - text: Deploy and update Windows 10 + - text: Deploy and update Windows client url: /windows/deployment/index + - text: Deploy Windows Sun Valley + url: /windows/deployment/sv-deploy.md - text: Windows 10 deployment scenarios url: /windows/deployment/windows-10-deployment-scenarios - text: Create a deployment plan @@ -69,8 +75,10 @@ landingContent: linkLists: - linkListType: how-to-guide links: - - text: Windows 10 application management + - text: Windows application management url: /windows/application-management/index + - text: Windows Sun Valley application management + url: /windows/application-management/sv-app-manage.md - text: Understand the different apps included in Windows 10 url: /windows/application-management/apps-in-windows-10 - text: Get started with App-V for Windows 10 @@ -83,8 +91,10 @@ landingContent: linkLists: - linkListType: how-to-guide links: - - text: Windows 10 client management + - text: Windows client management url: /windows/client-management/index + - text: Manage Windows Sun Valley + url: /windows/client-management/sv-manage.md - text: Administrative tools in Windows 10 url: /windows/client-management/administrative-tools-in-windows-10 - text: Create mandatory user profiles @@ -97,7 +107,7 @@ landingContent: linkLists: - linkListType: how-to-guide links: - - text: Windows 10 Enterprise Security + - text: Windows Enterprise Security url: /windows/security/index - text: Windows Privacy url: /windows/privacy/index diff --git a/windows/sv/TOC.yml b/windows/sv/TOC.yml index 76ac398036..5e9b8425bd 100644 --- a/windows/sv/TOC.yml +++ b/windows/sv/TOC.yml @@ -29,6 +29,8 @@ items: - name: Windows Sun Valley lifecycle href: sv-lifecycle.md + - name: Windows Sun Valley release information + href: ../release-health diff --git a/windows/sv/index.yml b/windows/sv/index.yml index f528902792..61131a5288 100644 --- a/windows/sv/index.yml +++ b/windows/sv/index.yml @@ -58,4 +58,6 @@ landingContent: links: - text: Windows Sun Valley lifecycle url: placeholder.md + - text: Windows Sun Valley release information + url: ../release-health From 0b5e722bc9e78c763885157ec7ff287cf38248f9 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Fri, 21 May 2021 10:25:16 -0700 Subject: [PATCH 085/415] draft5 --- windows/deployment/TOC.yml | 16 +- .../{sv-planning.md => sv-deploy.md} | 0 windows/deployment/sv-plan.md | 275 ++++++++++++++++++ windows/deployment/sv-prepare.md | 275 ++++++++++++++++++ 4 files changed, 560 insertions(+), 6 deletions(-) rename windows/deployment/{sv-planning.md => sv-deploy.md} (100%) create mode 100644 windows/deployment/sv-plan.md create mode 100644 windows/deployment/sv-prepare.md diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index fb5306a3e3..21fe4cf03f 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml @@ -5,7 +5,7 @@ items: - name: What's new href: deploy-whats-new.md - - name: Windows 10 deployment scenarios + - name: Windows client deployment scenarios href: windows-10-deployment-scenarios.md - name: What is Windows as a service? href: update/waas-quick-start.md @@ -34,7 +34,7 @@ - name: Plan items: - name: Windows Sun Valley deployment planning - href: sv-planning.md + href: sv-plan.md - name: Create a deployment plan href: update/create-deployment-plan.md - name: Define readiness criteria @@ -69,6 +69,8 @@ - name: Prepare items: + - name: Prepare to deploy Windows Sun Valley + href: sv-prepare.md - name: Prepare to deploy Windows 10 updates href: update/prepare-deploy-windows.md - name: Evaluate and update infrastructure @@ -98,11 +100,13 @@ - name: Deploy items: - - name: Deploy Windows 10 + - name: Deploy Windows client items: - - name: Deploy Windows 10 with Autopilot + - name: Windows Sun Valley deployment overview + href: sv-deploy.md + - name: Deploy Windows client with Autopilot href: windows-autopilot/index.yml - - name: Deploy Windows 10 with Configuration Manager + - name: Deploy Windows client with Configuration Manager items: - name: Deploy to a new device href: deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md @@ -112,7 +116,7 @@ href: deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md - name: In-place upgrade href: deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md - - name: Deploy Windows 10 with MDT + - name: Deploy Windows client with MDT items: - name: Deploy to a new device href: deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md diff --git a/windows/deployment/sv-planning.md b/windows/deployment/sv-deploy.md similarity index 100% rename from windows/deployment/sv-planning.md rename to windows/deployment/sv-deploy.md diff --git a/windows/deployment/sv-plan.md b/windows/deployment/sv-plan.md new file mode 100644 index 0000000000..e28a0eb0e8 --- /dev/null +++ b/windows/deployment/sv-plan.md @@ -0,0 +1,275 @@ +--- +title: Windows Sun Valley deployment planning +description: Understand the different ways Windows 10 operating system can be deployed in your organization. Explore several Windows 10 deployment scenarios. +ms.assetid: 7A29D546-52CC-482C-8870-8123C7DC04B5 +ms.reviewer: +manager: laurawi +ms.audience: itpro +ms.author: greglin +author: greg-lindsay +keywords: upgrade, in-place, configuration, deploy +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +audience: itpro +ms.topic: article +--- + +# Windows Sun Valley deployment planning + +**Applies to** +- Windows 10 + +To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the capabilities and limitations of each, is a key task. + +The following table summarizes various Windows 10 deployment scenarios. The scenarios are each assigned to one of three categories. +- Modern deployment methods are recommended unless you have a specific need to use a different procedure. These methods are supported with existing tools such as Microsoft Deployment Toolkit (MDT) and Microsoft Endpoint Configuration Manager. These methods are discussed in detail on the [Modern Desktop Deployment Center](/microsoft-365/enterprise/desktop-deployment-center-home). + - Note: Once you have deployed Windows 10 in your organization, it is important to stay up to date by [creating a deployment plan](update/create-deployment-plan.md) for Windows 10 feature updates. +- Dynamic deployment methods enable you to configure applications and settings for specific use cases. +- Traditional deployment methods use existing tools to deploy operating system images.
  + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
CategoryScenarioDescriptionMore information
Modern + +[Windows Autopilot](#windows-autopilot) + Customize the out-of-box-experience (OOBE) for your organization, and deploy a new system with apps and settings already configured. + +Overview of Windows Autopilot +
+ +[In-place upgrade](#in-place-upgrade) + + + Use Windows Setup to update your OS and migrate apps and settings. Rollback data is saved in Windows.old. + +Perform an in-place upgrade to Windows 10 with MDT
Perform an in-place upgrade to Windows 10 using Configuration Manager +
+ Dynamic + + +[Subscription Activation](#windows-10-subscription-activation) + + Switch from Windows 10 Pro to Enterprise when a subscribed user signs in. + +Windows 10 Subscription Activation +
+ + [AAD / MDM](#dynamic-provisioning) + + The device is automatically joined to AAD and configured by MDM. + +Azure Active Directory integration with MDM +
+ + [Provisioning packages](#dynamic-provisioning) + + Using the Windows Imaging and Configuration Designer tool, create provisioning packages that can be applied to devices. + +Configure devices without MDM +
+ Traditional + + + [Bare metal](#new-computer) + + Deploy a new device, or wipe an existing device and deploy with a fresh image. + + Deploy a Windows 10 image using MDT
Deploy Windows 10 using PXE and Configuration Manager +
+ + [Refresh](#computer-refresh) + + Also called wipe and load. Redeploy a device by saving the user state, wiping the disk, then restoring the user state. + + Refresh a Windows 7 computer with Windows 10
Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager +
+ + [Replace](#computer-replace) + + Replace an existing device with a new one by saving the user state on the old device and then restoring it to the new device. + + Replace a Windows 7 computer with a Windows 10 computer
Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager +
+ +
  + + +>[!IMPORTANT] +>The Windows Autopilot and Subscription Activation scenarios require that the beginning OS be Windows 10 version 1703, or later.
+>Except for clean install scenarios such as traditional bare metal and Windows Autopilot, all the methods described can optionally migrate apps and settings to the new OS. + +## Modern deployment methods + +Modern deployment methods embrace both traditional on-prem and cloud services to deliver a simple, streamlined, cost effective deployment experience. + +### Windows Autopilot + +Windows Autopilot is a new suite of capabilities designed to simplify and modernize the deployment and management of new Windows 10 PCs. Windows Autopilot enables IT professionals to customize the Out of Box Experience (OOBE) for Windows 10 PCs and provide end users with a fully configured new Windows 10 device after just a few clicks. There are no images to deploy, no drivers to inject, and no infrastructure to manage. Users can go through the deployment process independently, without the need consult their IT administrator. + +For more information about Windows Autopilot, see [Overview of Windows Autopilot](/windows/deployment/windows-10-auto-pilot) and [Modernizing Windows deployment with Windows Autopilot](https://blogs.technet.microsoft.com/windowsitpro/2017/06/29/modernizing-windows-deployment-with-windows-autopilot/). + +### In-place upgrade + +For existing computers running Windows 7, Windows 8, or Windows 8.1, the recommended path for organizations deploying Windows 10 leverages the Windows installation program (Setup.exe) to perform an in-place upgrade, which automatically preserves all data, settings, applications, and drivers from the existing operating system version. This requires the least IT effort, because there is no need for any complex deployment infrastructure. + +Although consumer PCs will be upgraded using Windows Update, organizations want more control over the process. This is accomplished by leveraging tools like Microsoft Endpoint Manager or the Microsoft Deployment Toolkit to completely automate the upgrade process through simple task sequences. + +The in-place upgrade process is designed to be extremely reliable, with the ability to automatically roll back to the previous operating system if any issues are encountered during the deployment process, without any IT staff involvement. Rolling back manually can also be done by leveraging the automatically-created recovery information (stored in the Windows.old folder), in case any issues are encountered after the upgrade is finished. The upgrade process is also typically faster than traditional deployments, because applications do not need to be reinstalled as part of the process. + +Because existing applications are preserved through the process, the upgrade process uses the standard Windows installation media image (Install.wim); custom images are not needed and cannot be used because the upgrade process is unable to deal with conflicts between apps in the old and new operating system. (For example, Contoso Timecard 1.0 in Windows 7 and Contoso Timecard 3.0 in the Windows 10 image.) + +Scenarios that support in-place upgrade with some additional procedures include changing from BIOS to UEFI boot mode and upgrade of devices that use non-Microsoft disk encryption software. + +- **Legacy BIOS to UEFI booting**: To perform an in-place upgrade on a UEFI-capable system that currently boots using legacy BIOS, first perform the in-place upgrade to Windows 10, maintaining the legacy BIOS boot mode. Windows 10 does not require UEFI, so it will work fine to upgrade a system using legacy BIOS emulation. After the upgrade, if you wish to enable Windows 10 features that require UEFI (such as Secure Boot), you can convert the system disk to a format that supports UEFI boot using the [MBR2GPT](./mbr-to-gpt.md) tool. Note: [UEFI specification](http://www.uefi.org/specifications) requires GPT disk layout. After the disk has been converted, you must also configure the firmware to boot in UEFI mode. + +- **Non-Microsoft disk encryption software**: While devices encrypted with BitLocker can easily be upgraded, more work is necessary for non-Microsoft disk encryption tools. Some ISVs will provide instructions on how to integrate their software into the in-place upgrade process. Check with your ISV to see if they have instructions. The following articles provide details on how to provision encryption drivers for use during Windows Setup via the ReflectDrivers setting: + - [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview) + - [Windows Setup Command-Line Options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options) + +There are some situations where you cannot use in-place upgrade; in these situations, you can use traditional deployment (wipe-and-load) instead. Examples of these situations include: + +- Changing from Windows 7, Windows 8, or Windows 8.1 x86 to Windows 10 x64. The upgrade process cannot change from a 32-bit operating system to a 64-bit operating system, because of possible complications with installed applications and drivers. +- Windows To Go and Boot from VHD installations. The upgrade process is unable to upgrade these installations. Instead, new installations would need to be performed. +- Updating existing images. While it might be tempting to try to upgrade existing Windows 7, Windows 8, or Windows 8.1 images to Windows 10 by installing the old image, upgrading it, and then recapturing the new Windows 10 image, this is not supported – preparing an upgraded OS for imaging (using Sysprep.exe) is not supported and will not work when it detects the upgraded OS. +- Dual-boot and multi-boot systems. The upgrade process is designed for devices running a single OS; if using dual-boot or multi-boot systems with multiple operating systems (not leveraging virtual machines for the second and subsequent operating systems), additional care should be taken. + + +## Dynamic provisioning + +For new PCs, organizations have historically replaced the version of Windows included on the device with their own custom Windows image, because this was often faster and easier than leveraging the preinstalled version. But this is an added expense due to the time and effort required. With the new dynamic provisioning capabilities and tools provided with Windows 10, it is now possible to avoid this. + +The goal of dynamic provisioning is to take a new PC out of the box, turn it on, and transform it into a productive organization device, with minimal time and effort. The types of transformations that are available include: + +### Windows 10 Subscription Activation + +Windows 10 Subscription Activation is a modern deployment method that enables you to change the SKU from Pro to Enterprise with no keys and no reboots. For more information about Subscription Activation, see [Windows 10 Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation). + + +### Azure Active Directory (AAD) join with automatic mobile device management (MDM) enrollment + +In this scenario, the organization member just needs to provide their work or school user ID and password; the device can then be automatically joined to Azure Active Directory and enrolled in a mobile device management (MDM) solution with no additional user interaction. Once done, the MDM solution can finish configuring the device as needed. For more information, see [Azure Active Directory integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm). + +### Provisioning package configuration + +Using the [Windows Imaging and Configuration Designer (ICD)](/windows/configuration/provisioning-packages/provisioning-install-icd), IT administrators can create a self-contained package that contains all of the configuration, settings, and apps that need to be applied to a machine. These packages can then be deployed to new PCs through a variety of means, typically by IT professionals. For more information, see [Configure devices without MDM](/windows/configuration/configure-devices-without-mdm). + +These scenarios can be used to enable “choose your own device” (CYOD) programs where the organization’s users can pick their own PC and not be restricted to a small list of approved or certified models (programs that are difficult to implement using traditional deployment scenarios). + +While the initial Windows 10 release includes a variety of provisioning settings and deployment mechanisms, these will continue to be enhanced and extended based on feedback from organizations. As with all Windows features, organizations can submit suggestions for additional features through the Windows Feedback app or through their Microsoft Support contacts. + +## Traditional deployment: + +New versions of Windows have typically been deployed by organizations using an image-based process built on top of tools provided in the [Windows Assessment and Deployment Kit](windows-adk-scenarios-for-it-pros.md), Windows Deployment Services, the [Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md), and [Microsoft Endpoint Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). + +With the release of Windows 10, all of these tools are being updated to fully support Windows 10. Although newer scenarios such as in-place upgrade and dynamic provisioning may reduce the need for traditional deployment capabilities in some organizations, these traditional methods remain important and will continue to be available to organizations that need them. + +The traditional deployment scenario can be divided into different sub-scenarios. These are explained in detail in the following sections, but the following provides a brief summary: + +- **New computer.** A bare-metal deployment of a new machine. +- **Computer refresh.** A reinstall of the same machine (with user-state migration and an optional full Windows Imaging (WIM) image backup). +- **Computer replace.** A replacement of the old machine with a new machine (with user-state migration and an optional full WIM image backup). + +### New computer + +Also called a "bare metal" deployment. This scenario occurs when you have a blank machine you need to deploy, or an existing machine you want to wipe and redeploy without needing to preserve any existing data. The setup starts from a boot media, using CD, USB, ISO, or Pre-Boot Execution Environment (PXE). You can also generate a full offline media that includes all the files needed for a client deployment, allowing you to deploy without having to connect to a central deployment share. The target can be a physical computer, a virtual machine, or a Virtual Hard Disk (VHD) running on a physical computer (boot from VHD). + +The deployment process for the new machine scenario is as follows: + +1. Start the setup from boot media (CD, USB, ISO, or PXE). + +2. Wipe the hard disk clean and create new volume(s). + +3. Install the operating system image. + +4. Install other applications (as part of the task sequence). + +After taking these steps, the computer is ready for use. + +### Computer refresh + +A refresh is sometimes called wipe-and-load. The process is normally initiated in the running operating system. User data and settings are backed up and restored later as part of the deployment process. The target can be the same as for the new computer scenario. + +The deployment process for the wipe-and-load scenario is as follows: + +1. Start the setup on a running operating system. + +2. Save the user state locally. + +3. Wipe the hard disk clean (except for the folder containing the backup). + +4. Install the operating system image. + +5. Install other applications. + +6. Restore the user state. + +After taking these steps, the machine is ready for use. + +### Computer replace + +A computer replace is similar to the refresh scenario. However, since we are replacing the machine, we divide this scenario into two main tasks: backup of the old client and bare-metal deployment of the new client. As with the refresh scenario, user data and settings are backed up and restored. + +The deployment process for the replace scenario is as follows: + +1. Save the user state (data and settings) on the server through a backup job on the running operating system. + +2. Deploy the new computer as a bare-metal deployment. + + **Note**
In some situations, you can use the replace scenario even if the target is the same machine. For example, you can use replace if you want to modify the disk layout from the master boot record (MBR) to the GUID partition table (GPT), which will allow you to take advantage of the Unified Extensible Firmware Interface (UEFI) functionality. You can also use replace if the disk needs to be repartitioned since user data needs to be transferred off the disk. + +## Related topics + +- [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) +- [Upgrade to Windows 10 with Microsoft Endpoint Configuration Manager](./deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md) +- [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=620230) +- [Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) +- [Windows setup technical reference](/windows-hardware/manufacture/desktop/windows-setup-technical-reference) +- [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) +- [UEFI firmware](/windows-hardware/design/device-experiences/oem-uefi) \ No newline at end of file diff --git a/windows/deployment/sv-prepare.md b/windows/deployment/sv-prepare.md new file mode 100644 index 0000000000..e28a0eb0e8 --- /dev/null +++ b/windows/deployment/sv-prepare.md @@ -0,0 +1,275 @@ +--- +title: Windows Sun Valley deployment planning +description: Understand the different ways Windows 10 operating system can be deployed in your organization. Explore several Windows 10 deployment scenarios. +ms.assetid: 7A29D546-52CC-482C-8870-8123C7DC04B5 +ms.reviewer: +manager: laurawi +ms.audience: itpro +ms.author: greglin +author: greg-lindsay +keywords: upgrade, in-place, configuration, deploy +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +audience: itpro +ms.topic: article +--- + +# Windows Sun Valley deployment planning + +**Applies to** +- Windows 10 + +To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the capabilities and limitations of each, is a key task. + +The following table summarizes various Windows 10 deployment scenarios. The scenarios are each assigned to one of three categories. +- Modern deployment methods are recommended unless you have a specific need to use a different procedure. These methods are supported with existing tools such as Microsoft Deployment Toolkit (MDT) and Microsoft Endpoint Configuration Manager. These methods are discussed in detail on the [Modern Desktop Deployment Center](/microsoft-365/enterprise/desktop-deployment-center-home). + - Note: Once you have deployed Windows 10 in your organization, it is important to stay up to date by [creating a deployment plan](update/create-deployment-plan.md) for Windows 10 feature updates. +- Dynamic deployment methods enable you to configure applications and settings for specific use cases. +- Traditional deployment methods use existing tools to deploy operating system images.
  + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
CategoryScenarioDescriptionMore information
Modern + +[Windows Autopilot](#windows-autopilot) + Customize the out-of-box-experience (OOBE) for your organization, and deploy a new system with apps and settings already configured. + +Overview of Windows Autopilot +
+ +[In-place upgrade](#in-place-upgrade) + + + Use Windows Setup to update your OS and migrate apps and settings. Rollback data is saved in Windows.old. + +Perform an in-place upgrade to Windows 10 with MDT
Perform an in-place upgrade to Windows 10 using Configuration Manager +
+ Dynamic + + +[Subscription Activation](#windows-10-subscription-activation) + + Switch from Windows 10 Pro to Enterprise when a subscribed user signs in. + +Windows 10 Subscription Activation +
+ + [AAD / MDM](#dynamic-provisioning) + + The device is automatically joined to AAD and configured by MDM. + +Azure Active Directory integration with MDM +
+ + [Provisioning packages](#dynamic-provisioning) + + Using the Windows Imaging and Configuration Designer tool, create provisioning packages that can be applied to devices. + +Configure devices without MDM +
+ Traditional + + + [Bare metal](#new-computer) + + Deploy a new device, or wipe an existing device and deploy with a fresh image. + + Deploy a Windows 10 image using MDT
Deploy Windows 10 using PXE and Configuration Manager +
+ + [Refresh](#computer-refresh) + + Also called wipe and load. Redeploy a device by saving the user state, wiping the disk, then restoring the user state. + + Refresh a Windows 7 computer with Windows 10
Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager +
+ + [Replace](#computer-replace) + + Replace an existing device with a new one by saving the user state on the old device and then restoring it to the new device. + + Replace a Windows 7 computer with a Windows 10 computer
Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager +
+ +
  + + +>[!IMPORTANT] +>The Windows Autopilot and Subscription Activation scenarios require that the beginning OS be Windows 10 version 1703, or later.
+>Except for clean install scenarios such as traditional bare metal and Windows Autopilot, all the methods described can optionally migrate apps and settings to the new OS. + +## Modern deployment methods + +Modern deployment methods embrace both traditional on-prem and cloud services to deliver a simple, streamlined, cost effective deployment experience. + +### Windows Autopilot + +Windows Autopilot is a new suite of capabilities designed to simplify and modernize the deployment and management of new Windows 10 PCs. Windows Autopilot enables IT professionals to customize the Out of Box Experience (OOBE) for Windows 10 PCs and provide end users with a fully configured new Windows 10 device after just a few clicks. There are no images to deploy, no drivers to inject, and no infrastructure to manage. Users can go through the deployment process independently, without the need consult their IT administrator. + +For more information about Windows Autopilot, see [Overview of Windows Autopilot](/windows/deployment/windows-10-auto-pilot) and [Modernizing Windows deployment with Windows Autopilot](https://blogs.technet.microsoft.com/windowsitpro/2017/06/29/modernizing-windows-deployment-with-windows-autopilot/). + +### In-place upgrade + +For existing computers running Windows 7, Windows 8, or Windows 8.1, the recommended path for organizations deploying Windows 10 leverages the Windows installation program (Setup.exe) to perform an in-place upgrade, which automatically preserves all data, settings, applications, and drivers from the existing operating system version. This requires the least IT effort, because there is no need for any complex deployment infrastructure. + +Although consumer PCs will be upgraded using Windows Update, organizations want more control over the process. This is accomplished by leveraging tools like Microsoft Endpoint Manager or the Microsoft Deployment Toolkit to completely automate the upgrade process through simple task sequences. + +The in-place upgrade process is designed to be extremely reliable, with the ability to automatically roll back to the previous operating system if any issues are encountered during the deployment process, without any IT staff involvement. Rolling back manually can also be done by leveraging the automatically-created recovery information (stored in the Windows.old folder), in case any issues are encountered after the upgrade is finished. The upgrade process is also typically faster than traditional deployments, because applications do not need to be reinstalled as part of the process. + +Because existing applications are preserved through the process, the upgrade process uses the standard Windows installation media image (Install.wim); custom images are not needed and cannot be used because the upgrade process is unable to deal with conflicts between apps in the old and new operating system. (For example, Contoso Timecard 1.0 in Windows 7 and Contoso Timecard 3.0 in the Windows 10 image.) + +Scenarios that support in-place upgrade with some additional procedures include changing from BIOS to UEFI boot mode and upgrade of devices that use non-Microsoft disk encryption software. + +- **Legacy BIOS to UEFI booting**: To perform an in-place upgrade on a UEFI-capable system that currently boots using legacy BIOS, first perform the in-place upgrade to Windows 10, maintaining the legacy BIOS boot mode. Windows 10 does not require UEFI, so it will work fine to upgrade a system using legacy BIOS emulation. After the upgrade, if you wish to enable Windows 10 features that require UEFI (such as Secure Boot), you can convert the system disk to a format that supports UEFI boot using the [MBR2GPT](./mbr-to-gpt.md) tool. Note: [UEFI specification](http://www.uefi.org/specifications) requires GPT disk layout. After the disk has been converted, you must also configure the firmware to boot in UEFI mode. + +- **Non-Microsoft disk encryption software**: While devices encrypted with BitLocker can easily be upgraded, more work is necessary for non-Microsoft disk encryption tools. Some ISVs will provide instructions on how to integrate their software into the in-place upgrade process. Check with your ISV to see if they have instructions. The following articles provide details on how to provision encryption drivers for use during Windows Setup via the ReflectDrivers setting: + - [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview) + - [Windows Setup Command-Line Options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options) + +There are some situations where you cannot use in-place upgrade; in these situations, you can use traditional deployment (wipe-and-load) instead. Examples of these situations include: + +- Changing from Windows 7, Windows 8, or Windows 8.1 x86 to Windows 10 x64. The upgrade process cannot change from a 32-bit operating system to a 64-bit operating system, because of possible complications with installed applications and drivers. +- Windows To Go and Boot from VHD installations. The upgrade process is unable to upgrade these installations. Instead, new installations would need to be performed. +- Updating existing images. While it might be tempting to try to upgrade existing Windows 7, Windows 8, or Windows 8.1 images to Windows 10 by installing the old image, upgrading it, and then recapturing the new Windows 10 image, this is not supported – preparing an upgraded OS for imaging (using Sysprep.exe) is not supported and will not work when it detects the upgraded OS. +- Dual-boot and multi-boot systems. The upgrade process is designed for devices running a single OS; if using dual-boot or multi-boot systems with multiple operating systems (not leveraging virtual machines for the second and subsequent operating systems), additional care should be taken. + + +## Dynamic provisioning + +For new PCs, organizations have historically replaced the version of Windows included on the device with their own custom Windows image, because this was often faster and easier than leveraging the preinstalled version. But this is an added expense due to the time and effort required. With the new dynamic provisioning capabilities and tools provided with Windows 10, it is now possible to avoid this. + +The goal of dynamic provisioning is to take a new PC out of the box, turn it on, and transform it into a productive organization device, with minimal time and effort. The types of transformations that are available include: + +### Windows 10 Subscription Activation + +Windows 10 Subscription Activation is a modern deployment method that enables you to change the SKU from Pro to Enterprise with no keys and no reboots. For more information about Subscription Activation, see [Windows 10 Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation). + + +### Azure Active Directory (AAD) join with automatic mobile device management (MDM) enrollment + +In this scenario, the organization member just needs to provide their work or school user ID and password; the device can then be automatically joined to Azure Active Directory and enrolled in a mobile device management (MDM) solution with no additional user interaction. Once done, the MDM solution can finish configuring the device as needed. For more information, see [Azure Active Directory integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm). + +### Provisioning package configuration + +Using the [Windows Imaging and Configuration Designer (ICD)](/windows/configuration/provisioning-packages/provisioning-install-icd), IT administrators can create a self-contained package that contains all of the configuration, settings, and apps that need to be applied to a machine. These packages can then be deployed to new PCs through a variety of means, typically by IT professionals. For more information, see [Configure devices without MDM](/windows/configuration/configure-devices-without-mdm). + +These scenarios can be used to enable “choose your own device” (CYOD) programs where the organization’s users can pick their own PC and not be restricted to a small list of approved or certified models (programs that are difficult to implement using traditional deployment scenarios). + +While the initial Windows 10 release includes a variety of provisioning settings and deployment mechanisms, these will continue to be enhanced and extended based on feedback from organizations. As with all Windows features, organizations can submit suggestions for additional features through the Windows Feedback app or through their Microsoft Support contacts. + +## Traditional deployment: + +New versions of Windows have typically been deployed by organizations using an image-based process built on top of tools provided in the [Windows Assessment and Deployment Kit](windows-adk-scenarios-for-it-pros.md), Windows Deployment Services, the [Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md), and [Microsoft Endpoint Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). + +With the release of Windows 10, all of these tools are being updated to fully support Windows 10. Although newer scenarios such as in-place upgrade and dynamic provisioning may reduce the need for traditional deployment capabilities in some organizations, these traditional methods remain important and will continue to be available to organizations that need them. + +The traditional deployment scenario can be divided into different sub-scenarios. These are explained in detail in the following sections, but the following provides a brief summary: + +- **New computer.** A bare-metal deployment of a new machine. +- **Computer refresh.** A reinstall of the same machine (with user-state migration and an optional full Windows Imaging (WIM) image backup). +- **Computer replace.** A replacement of the old machine with a new machine (with user-state migration and an optional full WIM image backup). + +### New computer + +Also called a "bare metal" deployment. This scenario occurs when you have a blank machine you need to deploy, or an existing machine you want to wipe and redeploy without needing to preserve any existing data. The setup starts from a boot media, using CD, USB, ISO, or Pre-Boot Execution Environment (PXE). You can also generate a full offline media that includes all the files needed for a client deployment, allowing you to deploy without having to connect to a central deployment share. The target can be a physical computer, a virtual machine, or a Virtual Hard Disk (VHD) running on a physical computer (boot from VHD). + +The deployment process for the new machine scenario is as follows: + +1. Start the setup from boot media (CD, USB, ISO, or PXE). + +2. Wipe the hard disk clean and create new volume(s). + +3. Install the operating system image. + +4. Install other applications (as part of the task sequence). + +After taking these steps, the computer is ready for use. + +### Computer refresh + +A refresh is sometimes called wipe-and-load. The process is normally initiated in the running operating system. User data and settings are backed up and restored later as part of the deployment process. The target can be the same as for the new computer scenario. + +The deployment process for the wipe-and-load scenario is as follows: + +1. Start the setup on a running operating system. + +2. Save the user state locally. + +3. Wipe the hard disk clean (except for the folder containing the backup). + +4. Install the operating system image. + +5. Install other applications. + +6. Restore the user state. + +After taking these steps, the machine is ready for use. + +### Computer replace + +A computer replace is similar to the refresh scenario. However, since we are replacing the machine, we divide this scenario into two main tasks: backup of the old client and bare-metal deployment of the new client. As with the refresh scenario, user data and settings are backed up and restored. + +The deployment process for the replace scenario is as follows: + +1. Save the user state (data and settings) on the server through a backup job on the running operating system. + +2. Deploy the new computer as a bare-metal deployment. + + **Note**
In some situations, you can use the replace scenario even if the target is the same machine. For example, you can use replace if you want to modify the disk layout from the master boot record (MBR) to the GUID partition table (GPT), which will allow you to take advantage of the Unified Extensible Firmware Interface (UEFI) functionality. You can also use replace if the disk needs to be repartitioned since user data needs to be transferred off the disk. + +## Related topics + +- [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) +- [Upgrade to Windows 10 with Microsoft Endpoint Configuration Manager](./deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md) +- [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=620230) +- [Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) +- [Windows setup technical reference](/windows-hardware/manufacture/desktop/windows-setup-technical-reference) +- [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) +- [UEFI firmware](/windows-hardware/design/device-experiences/oem-uefi) \ No newline at end of file From 0e6ff045990caa70188ebd15afd380822e5c2b84 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Fri, 21 May 2021 10:32:07 -0700 Subject: [PATCH 086/415] draft6 --- windows/hub/TOC.yml | 4 +-- windows/hub/index.yml | 12 ++++---- windows/sv/breadcrumb/toc.yml | 53 +++++++++++++++++++++++++++++++++++ 3 files changed, 61 insertions(+), 8 deletions(-) create mode 100644 windows/sv/breadcrumb/toc.yml diff --git a/windows/hub/TOC.yml b/windows/hub/TOC.yml index 36a3417877..5ba5004d55 100644 --- a/windows/hub/TOC.yml +++ b/windows/hub/TOC.yml @@ -3,10 +3,10 @@ items: - name: What's new href: /windows/whats-new - - name: Windows Sun Valley - href: /windows/sv - name: Release information href: /windows/release-health + - name: Windows Sun Valley + href: /windows/sv - name: Deployment href: /windows/deployment - name: Configuration diff --git a/windows/hub/index.yml b/windows/hub/index.yml index 7ecfe4e922..5a9ddebb3d 100644 --- a/windows/hub/index.yml +++ b/windows/hub/index.yml @@ -1,11 +1,11 @@ ### YamlMime:Landing title: Windows client resources and documentation for IT Pros # < 60 chars -summary: Plan, deploy, secure, and manage devices running Windows 10. # < 160 chars +summary: Plan, deploy, secure, and manage devices running Windows 10 and Windows Sun Valley. # < 160 chars metadata: title: Windows client documentation for IT Pros # Required; page title displayed in search results. Include the brand. < 60 chars. - description: Evaluate, plan, deploy, secure and manage devices running Windows 10. # Required; article description that is displayed in search results. < 160 chars. + description: Evaluate, plan, deploy, secure and manage devices running Windows 10 and Windows Sun Valley. # Required; article description that is displayed in search results. < 160 chars. services: windows-10 ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. ms.subservice: subservice @@ -62,11 +62,11 @@ landingContent: url: /windows/deployment/index - text: Deploy Windows Sun Valley url: /windows/deployment/sv-deploy.md - - text: Windows 10 deployment scenarios + - text: Windows deployment scenarios url: /windows/deployment/windows-10-deployment-scenarios - text: Create a deployment plan url: /windows/deployment/update/create-deployment-plan - - text: Prepare to deploy Windows 10 + - text: Prepare to deploy Windows client url: /windows/deployment/update/prepare-deploy-windows @@ -77,7 +77,7 @@ landingContent: links: - text: Windows application management url: /windows/application-management/index - - text: Windows Sun Valley application management + - text: Manage Windows Sun Valley applications url: /windows/application-management/sv-app-manage.md - text: Understand the different apps included in Windows 10 url: /windows/application-management/apps-in-windows-10 @@ -95,7 +95,7 @@ landingContent: url: /windows/client-management/index - text: Manage Windows Sun Valley url: /windows/client-management/sv-manage.md - - text: Administrative tools in Windows 10 + - text: Administrative tools url: /windows/client-management/administrative-tools-in-windows-10 - text: Create mandatory user profiles url: /windows/client-management/mandatory-user-profile diff --git a/windows/sv/breadcrumb/toc.yml b/windows/sv/breadcrumb/toc.yml new file mode 100644 index 0000000000..e2971f2d84 --- /dev/null +++ b/windows/sv/breadcrumb/toc.yml @@ -0,0 +1,53 @@ +- name: Docs + tocHref: / + topicHref: / + items: + - name: Windows + tocHref: /windows + topicHref: /windows/windows-10 + items: + - name: What's new + tocHref: /windows/whats-new/ + topicHref: /windows/whats-new/index + - name: Configuration + tocHref: /windows/configuration/ + topicHref: /windows/configuration/index + - name: Deployment + tocHref: /windows/deployment/ + topicHref: /windows/deployment/index + - name: Application management + tocHref: /windows/application-management/ + topicHref: /windows/application-management/index + - name: Client management + tocHref: /windows/client-management/ + topicHref: /windows/client-management/index + items: + - name: Mobile Device Management + tocHref: /windows/client-management/mdm/ + topicHref: /windows/client-management/mdm/index + - name: Release information + tocHref: /windows/release-information/ + topicHref: /windows/release-health/release-information + - name: Privacy + tocHref: /windows/privacy/ + topicHref: /windows/privacy/index + - name: Security + tocHref: /windows/security/ + topicHref: /windows/security/index + items: + - name: Identity and access protection + tocHref: /windows/security/identity-protection/ + topicHref: /windows/security/identity-protection/index + items: + - name: Windows Hello for Business + tocHref: /windows/security/identity-protection/hello-for-business + topicHref: /windows/security/identity-protection/hello-for-business/hello-identity-verification + - name: Threat protection + tocHref: /windows/security/threat-protection/ + topicHref: /windows/security/threat-protection/index + - name: Information protection + tocHref: /windows/security/information-protection/ + topicHref: /windows/security/information-protection/index + - name: Hardware-based protection + tocHref: /windows/security/hardware-protection/ + topicHref: /windows/security/hardware-protection/index From cfac9b77b9104f510a232a055df71a9772948b57 Mon Sep 17 00:00:00 2001 From: Linda Diefendorf Date: Fri, 21 May 2021 10:36:43 -0700 Subject: [PATCH 087/415] Update add-unsigned-app-to-code-integrity-policy.md Update DGSSv1 retirement date. --- .../add-unsigned-app-to-code-integrity-policy.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/store-for-business/add-unsigned-app-to-code-integrity-policy.md b/store-for-business/add-unsigned-app-to-code-integrity-policy.md index b269d9356a..454b74a767 100644 --- a/store-for-business/add-unsigned-app-to-code-integrity-policy.md +++ b/store-for-business/add-unsigned-app-to-code-integrity-policy.md @@ -18,12 +18,12 @@ ms.date: 03/10/2021 # Add unsigned app to code integrity policy > [!IMPORTANT] -> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until the end of December 2020 to transition to DGSS v2. At the end of December 2020, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by the end of December 2020. +> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until June 9, 2021 to transition to DGSS v2. On June 9, 2021, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by June 9, 2021. > > Following are the major changes we are making to the service: > - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets are available as a NuGet download, https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/. > - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it). -> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired at the end of December 2020, you will no longer be able to download the leaf certificates used to sign your files. +> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired, you will no longer be able to download the leaf certificates used to sign your files. > > The following functionality will be available via these PowerShell cmdlets: > - Get a CI policy @@ -117,4 +117,4 @@ Catalog signing is a vital step to adding your unsigned apps to your code integr When you use the Device Guard signing portal to sign a catalog file, the signing certificate is added to the default policy. When you download the signed catalog file, you should also download the default policy and merge this code integrity policy with your existing code integrity policies to protect machines running the catalog file. You need to do this step to trust and run your catalog files. For more information, see the Merging code integrity policies in the [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide). 6. Open the root certificate that you downloaded, and follow the steps in **Certificate Import wizard** to install the certificate in your machine's certificate store. -7. Deploy signed catalogs to your managed devices. For more information, see Deploy catalog files with Group Policy, or Deploy catalog files with Microsoft Endpoint Manager in the [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide). \ No newline at end of file +7. Deploy signed catalogs to your managed devices. For more information, see Deploy catalog files with Group Policy, or Deploy catalog files with Microsoft Endpoint Manager in the [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide). From 431a5e5d0f76b5cea2ee8753b48068bb89ad9b25 Mon Sep 17 00:00:00 2001 From: Linda Diefendorf Date: Fri, 21 May 2021 10:36:57 -0700 Subject: [PATCH 088/415] Update device-guard-signing-portal.md Update DGSSv1 retirement date. --- store-for-business/device-guard-signing-portal.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/store-for-business/device-guard-signing-portal.md b/store-for-business/device-guard-signing-portal.md index 19b24783d0..6ad01e0f88 100644 --- a/store-for-business/device-guard-signing-portal.md +++ b/store-for-business/device-guard-signing-portal.md @@ -18,12 +18,12 @@ ms.date: 10/17/2017 # Device Guard signing > [!IMPORTANT] -> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until the end of December 2020 to transition to DGSS v2. At the end of December 2020, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by the end of December 2020. +> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until June 9, 2021 to transition to DGSS v2. On June 9, 2021, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by June 9, 2021. > > Following are the major changes we are making to the service: > - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets are available as a NuGet download, https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/. > - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it). -> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired at the end of December 2020, you will no longer be able to download the leaf certificates used to sign your files. +> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired, you will no longer be able to download the leaf certificates used to sign your files. > > The following functionality will be available via these PowerShell cmdlets: > - Get a CI policy @@ -32,7 +32,7 @@ ms.date: 10/17/2017 > - Download root cert > - Download history of your signing operations > -> For any questions, please contact us at DGSSMigration@microsoft.com. +> For any questions, please contact us at DGSSMigration@microsoft.com. **Applies to** @@ -72,4 +72,4 @@ Catalog and policy files have required files types. Signing code integrity policies and access to Device Guard portal requires the Device Guard signer role. ## Device Guard signing certificates -All certificates generated by the Device Guard signing service are unique per customer and are independent of the Microsoft production code signing certificate authorities. All Certification Authority (CA) keys are stored within the cryptographic boundary of Federal Information Processing Standards (FIPS) publication 140-2 compliant hardware security modules. After initial generation, root certificate keys and top level CA keys are removed from the online signing service, encrypted, and stored offline. \ No newline at end of file +All certificates generated by the Device Guard signing service are unique per customer and are independent of the Microsoft production code signing certificate authorities. All Certification Authority (CA) keys are stored within the cryptographic boundary of Federal Information Processing Standards (FIPS) publication 140-2 compliant hardware security modules. After initial generation, root certificate keys and top level CA keys are removed from the online signing service, encrypted, and stored offline. From 3c67265d05561e89ed4f341db665255b0e5f6fd1 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Fri, 21 May 2021 10:37:00 -0700 Subject: [PATCH 089/415] draft7 --- windows/sv/TOC.yml | 2 +- windows/sv/sv-faq.md | 4 ++-- windows/sv/sv-lifecycle.md | 22 ++++++++++++++++++++++ windows/sv/sv-overview.md | 4 ++-- windows/sv/sv-requirements.md | 4 ++-- 5 files changed, 29 insertions(+), 7 deletions(-) create mode 100644 windows/sv/sv-lifecycle.md diff --git a/windows/sv/TOC.yml b/windows/sv/TOC.yml index 5e9b8425bd..fb7d2ccba4 100644 --- a/windows/sv/TOC.yml +++ b/windows/sv/TOC.yml @@ -13,7 +13,7 @@ - name: Deploy and Manage Windows Sun Valley items: - name: Plan to deploy Windows Sun Valley - href: ../deployment/sv-planning.md + href: ../deployment/sv-plan.md - name: Prepare for Windows Sun Valley href: ../deployment/sv-prepare.md - name: Deploy Windows Sun Valley diff --git a/windows/sv/sv-faq.md b/windows/sv/sv-faq.md index fecfe94a8e..220beac886 100644 --- a/windows/sv/sv-faq.md +++ b/windows/sv/sv-faq.md @@ -16,7 +16,7 @@ ms.topic: article ms.custom: seo-marvel-apr2020 --- -# Placeholder +# Windows Sun Valley frequently asked questions (FAQ) -Placeholder text. +FAQ. diff --git a/windows/sv/sv-lifecycle.md b/windows/sv/sv-lifecycle.md new file mode 100644 index 0000000000..c16baa14b7 --- /dev/null +++ b/windows/sv/sv-lifecycle.md @@ -0,0 +1,22 @@ +--- +title: Lifecycle +description: PH +ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C +ms.reviewer: +manager: laurawi +ms.audience: itpro +author: greg-lindsay +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.localizationpriority: medium +audience: itpro +ms.topic: article +ms.custom: seo-marvel-apr2020 +--- + +# Windows Sun Valley lifecycle + +Sun Valley lifecycle. + diff --git a/windows/sv/sv-overview.md b/windows/sv/sv-overview.md index fecfe94a8e..4099c30662 100644 --- a/windows/sv/sv-overview.md +++ b/windows/sv/sv-overview.md @@ -16,7 +16,7 @@ ms.topic: article ms.custom: seo-marvel-apr2020 --- -# Placeholder +# Windows Sun Valley overview -Placeholder text. +Overview of Sun Valley. diff --git a/windows/sv/sv-requirements.md b/windows/sv/sv-requirements.md index fecfe94a8e..5e4a647fea 100644 --- a/windows/sv/sv-requirements.md +++ b/windows/sv/sv-requirements.md @@ -16,7 +16,7 @@ ms.topic: article ms.custom: seo-marvel-apr2020 --- -# Placeholder +# Windows Sun Valley requirements -Placeholder text. +Windows Sun Valley requirements. From 09500541cbc480fcab3883b390caf00e4d90c1a0 Mon Sep 17 00:00:00 2001 From: Linda Diefendorf Date: Fri, 21 May 2021 10:37:11 -0700 Subject: [PATCH 090/415] Update sign-code-integrity-policy-with-device-guard-signing.md Update DGSSv1 retirement date. --- .../sign-code-integrity-policy-with-device-guard-signing.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md b/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md index ef38349ddd..ffdff3f7c1 100644 --- a/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md +++ b/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md @@ -18,12 +18,12 @@ ms.date: 10/17/2017 # Sign code integrity policy with Device Guard signing > [!IMPORTANT] -> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until the end of December 2020 to transition to DGSS v2. At the end of December 2020, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by the end of December 2020. +> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until June 9, 2021 to transition to DGSS v2. On June 9, 2021, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by June 9, 2021. > > Following are the major changes we are making to the service: > - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets are available as a NuGet download, https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/. > - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it). -> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired at the end of December 2020, you will no longer be able to download the leaf certificates used to sign your files. +> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired, you will no longer be able to download the leaf certificates used to sign your files. > > The following functionality will be available via these PowerShell cmdlets: > - Get a CI policy @@ -58,4 +58,4 @@ Before you get started, be sure to review these best practices: 4. After the files are uploaded, click **Sign** to sign the code integrity policy. 5. Click **Download** to download the signed code integrity policy. - When you sign a code integrity policy with the Device Guard signing portal, the signing certificate is added to the policy. This means you can't modify this policy. If you need to make changes, make them to an unsigned version of the policy, and then resign the policy. \ No newline at end of file + When you sign a code integrity policy with the Device Guard signing portal, the signing certificate is added to the policy. This means you can't modify this policy. If you need to make changes, make them to an unsigned version of the policy, and then resign the policy. From 659c59863498881b486a0a062f8af9d75833adec Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Fri, 21 May 2021 10:44:43 -0700 Subject: [PATCH 091/415] draft8 --- windows/sv/TOC.yml | 14 +++++++------- windows/sv/index.yml | 12 ++++++------ 2 files changed, 13 insertions(+), 13 deletions(-) diff --git a/windows/sv/TOC.yml b/windows/sv/TOC.yml index fb7d2ccba4..355d8e61c1 100644 --- a/windows/sv/TOC.yml +++ b/windows/sv/TOC.yml @@ -13,24 +13,24 @@ - name: Deploy and Manage Windows Sun Valley items: - name: Plan to deploy Windows Sun Valley - href: ../deployment/sv-plan.md + href: /windows/deployment/sv-plan.md - name: Prepare for Windows Sun Valley - href: ../deployment/sv-prepare.md + href: /windows/deployment/sv-prepare.md - name: Deploy Windows Sun Valley - href: ../deployment/sv-deploy.md + href: /windows/deployment/sv-deploy.md - name: Configure Windows Sun Valley - href: ../configuration/sv-configure.md + href: /windows/configuration/sv-configure.md - name: Manage Windows Sun Valley - href: ../client-management/sv-manage.md + href: /windows/client-management/sv-manage.md - name: Windows Sun Valley application readiness - href: application-management/sv-app-readiness.md + href: /windows/application-management/sv-app-readiness.md - name: Support items: - name: Windows Sun Valley lifecycle href: sv-lifecycle.md - name: Windows Sun Valley release information - href: ../release-health + href: /windows/release-health diff --git a/windows/sv/index.yml b/windows/sv/index.yml index 61131a5288..477ed81e72 100644 --- a/windows/sv/index.yml +++ b/windows/sv/index.yml @@ -39,17 +39,17 @@ landingContent: - linkListType: overview links: - text: Plan to deploy Windows Sun Valley - url: placeholder.md + url: /windows/deployment/sv-plan.md - text: Prepare for Windows Sun Valley - url: placeholder.md + url: /windows/deployment/sv-prepare.md - text: Deploy Windows Sun Valley - url: placeholder.md + url: /windows/deployment/sv-deploy.md - text: Configure Windows Sun Valley - url: placeholder.md + url: /windows/configuration/sv-configure.md - text: Manage Windows Sun Valley - url: placeholder.md + url: /windows/client-management/sv-manage.md - text: Windows Sun Valley application readiness - url: placeholder.md + url: /windows/application-management/sv-app-readiness.md # Card (optional) - title: Support information From a9eea14b6088c303110d976e4b3d013da119d3d0 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Fri, 21 May 2021 10:50:25 -0700 Subject: [PATCH 092/415] draft9 --- windows/deployment/TOC.yml | 2 ++ windows/deployment/index.yml | 10 ++++++---- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index 21fe4cf03f..9eb39c2bb6 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml @@ -5,6 +5,8 @@ items: - name: What's new href: deploy-whats-new.md + - name: Windows Sun Valley deployment overview + href: sv-deploy.md - name: Windows client deployment scenarios href: windows-10-deployment-scenarios.md - name: What is Windows as a service? diff --git a/windows/deployment/index.yml b/windows/deployment/index.yml index 55641790b7..12426c9a08 100644 --- a/windows/deployment/index.yml +++ b/windows/deployment/index.yml @@ -1,10 +1,10 @@ ### YamlMime:Landing -title: Windows 10 deployment resources and documentation # < 60 chars +title: Windows client deployment resources and documentation # < 60 chars summary: Learn about deploying and keeping Windows 10 up to date. # < 160 chars metadata: - title: Windows 10 deployment resources and documentation # Required; page title displayed in search results. Include the brand. < 60 chars. + title: Windows client deployment resources and documentation # Required; page title displayed in search results. Include the brand. < 60 chars. description: Learn about deploying Windows 10 and keeping it up to date in your organization. # Required; article description that is displayed in search results. < 160 chars. services: windows-10 ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. @@ -40,7 +40,7 @@ landingContent: linkLists: - linkListType: how-to-guide links: - - text: Prepare to deploy Windows 10 updates + - text: Prepare to deploy Windows updates url: update/prepare-deploy-windows.md - text: Prepare updates using Windows Update for Business url: update/waas-manage-updates-wufb.md @@ -66,7 +66,9 @@ landingContent: links: - text: What's new in Windows deployment url: windows-10-deployment-scenarios.md - - text: Windows 10 deployment scenarios + - text: Windows Sun Valley deployment overview + url: sv-deploy.md + - text: Windows client deployment scenarios url: windows-10-deployment-scenarios.md - text: Basics of Windows updates, channels, and tools url: update/get-started-updates-channels-tools.md From 52ff9eaae898127e8195f0b3051740fa35368944 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Fri, 21 May 2021 10:57:41 -0700 Subject: [PATCH 093/415] draft10 --- windows/deployment/deploy-whats-new.md | 8 +- windows/deployment/index.yml | 2 +- windows/deployment/sv-deploy.md | 254 +------------------------ 3 files changed, 8 insertions(+), 256 deletions(-) diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index 4707849d86..95cc27289d 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md @@ -1,9 +1,9 @@ --- -title: What's new in Windows 10 deployment +title: What's new in Windows client deployment ms.reviewer: manager: laurawi ms.author: greglin -description: Use this article to learn about new solutions and online content related to deploying Windows 10 in your organization. +description: Use this article to learn about new solutions and online content related to deploying Windows in your organization. keywords: deployment, automate, tools, configure, news ms.mktglfcycl: deploy ms.localizationpriority: medium @@ -20,12 +20,14 @@ ms.custom: seo-marvel-apr2020 **Applies to:** - Windows 10 +- Windows Sun Valley ## In this topic -This topic provides an overview of new solutions and online content related to deploying Windows 10 in your organization. +This topic provides an overview of new solutions and online content related to deploying Windows client in your organization. - For an all-up overview of new features in Windows 10, see [What's new in Windows 10](/windows/whats-new/index). +- For an all-up overview of new features in Windows Sun Valley, see [What's new in Windows Sun Valley](/windows/whats-new/index). ## Latest news diff --git a/windows/deployment/index.yml b/windows/deployment/index.yml index 12426c9a08..10182bbea5 100644 --- a/windows/deployment/index.yml +++ b/windows/deployment/index.yml @@ -65,7 +65,7 @@ landingContent: - linkListType: overview links: - text: What's new in Windows deployment - url: windows-10-deployment-scenarios.md + url: deploy-whats-new.md - text: Windows Sun Valley deployment overview url: sv-deploy.md - text: Windows client deployment scenarios diff --git a/windows/deployment/sv-deploy.md b/windows/deployment/sv-deploy.md index e28a0eb0e8..75df574256 100644 --- a/windows/deployment/sv-deploy.md +++ b/windows/deployment/sv-deploy.md @@ -19,257 +19,7 @@ ms.topic: article # Windows Sun Valley deployment planning **Applies to** -- Windows 10 +- Windows Sun Valley -To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the capabilities and limitations of each, is a key task. +To successfully deploy the Windows Sun Valley operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the capabilities and limitations of each, is a key task. -The following table summarizes various Windows 10 deployment scenarios. The scenarios are each assigned to one of three categories. -- Modern deployment methods are recommended unless you have a specific need to use a different procedure. These methods are supported with existing tools such as Microsoft Deployment Toolkit (MDT) and Microsoft Endpoint Configuration Manager. These methods are discussed in detail on the [Modern Desktop Deployment Center](/microsoft-365/enterprise/desktop-deployment-center-home). - - Note: Once you have deployed Windows 10 in your organization, it is important to stay up to date by [creating a deployment plan](update/create-deployment-plan.md) for Windows 10 feature updates. -- Dynamic deployment methods enable you to configure applications and settings for specific use cases. -- Traditional deployment methods use existing tools to deploy operating system images.
  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
CategoryScenarioDescriptionMore information
Modern - -[Windows Autopilot](#windows-autopilot) - Customize the out-of-box-experience (OOBE) for your organization, and deploy a new system with apps and settings already configured. - -Overview of Windows Autopilot -
- -[In-place upgrade](#in-place-upgrade) - - - Use Windows Setup to update your OS and migrate apps and settings. Rollback data is saved in Windows.old. - -Perform an in-place upgrade to Windows 10 with MDT
Perform an in-place upgrade to Windows 10 using Configuration Manager -
- Dynamic - - -[Subscription Activation](#windows-10-subscription-activation) - - Switch from Windows 10 Pro to Enterprise when a subscribed user signs in. - -Windows 10 Subscription Activation -
- - [AAD / MDM](#dynamic-provisioning) - - The device is automatically joined to AAD and configured by MDM. - -Azure Active Directory integration with MDM -
- - [Provisioning packages](#dynamic-provisioning) - - Using the Windows Imaging and Configuration Designer tool, create provisioning packages that can be applied to devices. - -Configure devices without MDM -
- Traditional - - - [Bare metal](#new-computer) - - Deploy a new device, or wipe an existing device and deploy with a fresh image. - - Deploy a Windows 10 image using MDT
Deploy Windows 10 using PXE and Configuration Manager -
- - [Refresh](#computer-refresh) - - Also called wipe and load. Redeploy a device by saving the user state, wiping the disk, then restoring the user state. - - Refresh a Windows 7 computer with Windows 10
Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager -
- - [Replace](#computer-replace) - - Replace an existing device with a new one by saving the user state on the old device and then restoring it to the new device. - - Replace a Windows 7 computer with a Windows 10 computer
Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager -
- -
  - - ->[!IMPORTANT] ->The Windows Autopilot and Subscription Activation scenarios require that the beginning OS be Windows 10 version 1703, or later.
->Except for clean install scenarios such as traditional bare metal and Windows Autopilot, all the methods described can optionally migrate apps and settings to the new OS. - -## Modern deployment methods - -Modern deployment methods embrace both traditional on-prem and cloud services to deliver a simple, streamlined, cost effective deployment experience. - -### Windows Autopilot - -Windows Autopilot is a new suite of capabilities designed to simplify and modernize the deployment and management of new Windows 10 PCs. Windows Autopilot enables IT professionals to customize the Out of Box Experience (OOBE) for Windows 10 PCs and provide end users with a fully configured new Windows 10 device after just a few clicks. There are no images to deploy, no drivers to inject, and no infrastructure to manage. Users can go through the deployment process independently, without the need consult their IT administrator. - -For more information about Windows Autopilot, see [Overview of Windows Autopilot](/windows/deployment/windows-10-auto-pilot) and [Modernizing Windows deployment with Windows Autopilot](https://blogs.technet.microsoft.com/windowsitpro/2017/06/29/modernizing-windows-deployment-with-windows-autopilot/). - -### In-place upgrade - -For existing computers running Windows 7, Windows 8, or Windows 8.1, the recommended path for organizations deploying Windows 10 leverages the Windows installation program (Setup.exe) to perform an in-place upgrade, which automatically preserves all data, settings, applications, and drivers from the existing operating system version. This requires the least IT effort, because there is no need for any complex deployment infrastructure. - -Although consumer PCs will be upgraded using Windows Update, organizations want more control over the process. This is accomplished by leveraging tools like Microsoft Endpoint Manager or the Microsoft Deployment Toolkit to completely automate the upgrade process through simple task sequences. - -The in-place upgrade process is designed to be extremely reliable, with the ability to automatically roll back to the previous operating system if any issues are encountered during the deployment process, without any IT staff involvement. Rolling back manually can also be done by leveraging the automatically-created recovery information (stored in the Windows.old folder), in case any issues are encountered after the upgrade is finished. The upgrade process is also typically faster than traditional deployments, because applications do not need to be reinstalled as part of the process. - -Because existing applications are preserved through the process, the upgrade process uses the standard Windows installation media image (Install.wim); custom images are not needed and cannot be used because the upgrade process is unable to deal with conflicts between apps in the old and new operating system. (For example, Contoso Timecard 1.0 in Windows 7 and Contoso Timecard 3.0 in the Windows 10 image.) - -Scenarios that support in-place upgrade with some additional procedures include changing from BIOS to UEFI boot mode and upgrade of devices that use non-Microsoft disk encryption software. - -- **Legacy BIOS to UEFI booting**: To perform an in-place upgrade on a UEFI-capable system that currently boots using legacy BIOS, first perform the in-place upgrade to Windows 10, maintaining the legacy BIOS boot mode. Windows 10 does not require UEFI, so it will work fine to upgrade a system using legacy BIOS emulation. After the upgrade, if you wish to enable Windows 10 features that require UEFI (such as Secure Boot), you can convert the system disk to a format that supports UEFI boot using the [MBR2GPT](./mbr-to-gpt.md) tool. Note: [UEFI specification](http://www.uefi.org/specifications) requires GPT disk layout. After the disk has been converted, you must also configure the firmware to boot in UEFI mode. - -- **Non-Microsoft disk encryption software**: While devices encrypted with BitLocker can easily be upgraded, more work is necessary for non-Microsoft disk encryption tools. Some ISVs will provide instructions on how to integrate their software into the in-place upgrade process. Check with your ISV to see if they have instructions. The following articles provide details on how to provision encryption drivers for use during Windows Setup via the ReflectDrivers setting: - - [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview) - - [Windows Setup Command-Line Options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options) - -There are some situations where you cannot use in-place upgrade; in these situations, you can use traditional deployment (wipe-and-load) instead. Examples of these situations include: - -- Changing from Windows 7, Windows 8, or Windows 8.1 x86 to Windows 10 x64. The upgrade process cannot change from a 32-bit operating system to a 64-bit operating system, because of possible complications with installed applications and drivers. -- Windows To Go and Boot from VHD installations. The upgrade process is unable to upgrade these installations. Instead, new installations would need to be performed. -- Updating existing images. While it might be tempting to try to upgrade existing Windows 7, Windows 8, or Windows 8.1 images to Windows 10 by installing the old image, upgrading it, and then recapturing the new Windows 10 image, this is not supported – preparing an upgraded OS for imaging (using Sysprep.exe) is not supported and will not work when it detects the upgraded OS. -- Dual-boot and multi-boot systems. The upgrade process is designed for devices running a single OS; if using dual-boot or multi-boot systems with multiple operating systems (not leveraging virtual machines for the second and subsequent operating systems), additional care should be taken. - - -## Dynamic provisioning - -For new PCs, organizations have historically replaced the version of Windows included on the device with their own custom Windows image, because this was often faster and easier than leveraging the preinstalled version. But this is an added expense due to the time and effort required. With the new dynamic provisioning capabilities and tools provided with Windows 10, it is now possible to avoid this. - -The goal of dynamic provisioning is to take a new PC out of the box, turn it on, and transform it into a productive organization device, with minimal time and effort. The types of transformations that are available include: - -### Windows 10 Subscription Activation - -Windows 10 Subscription Activation is a modern deployment method that enables you to change the SKU from Pro to Enterprise with no keys and no reboots. For more information about Subscription Activation, see [Windows 10 Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation). - - -### Azure Active Directory (AAD) join with automatic mobile device management (MDM) enrollment - -In this scenario, the organization member just needs to provide their work or school user ID and password; the device can then be automatically joined to Azure Active Directory and enrolled in a mobile device management (MDM) solution with no additional user interaction. Once done, the MDM solution can finish configuring the device as needed. For more information, see [Azure Active Directory integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm). - -### Provisioning package configuration - -Using the [Windows Imaging and Configuration Designer (ICD)](/windows/configuration/provisioning-packages/provisioning-install-icd), IT administrators can create a self-contained package that contains all of the configuration, settings, and apps that need to be applied to a machine. These packages can then be deployed to new PCs through a variety of means, typically by IT professionals. For more information, see [Configure devices without MDM](/windows/configuration/configure-devices-without-mdm). - -These scenarios can be used to enable “choose your own device” (CYOD) programs where the organization’s users can pick their own PC and not be restricted to a small list of approved or certified models (programs that are difficult to implement using traditional deployment scenarios). - -While the initial Windows 10 release includes a variety of provisioning settings and deployment mechanisms, these will continue to be enhanced and extended based on feedback from organizations. As with all Windows features, organizations can submit suggestions for additional features through the Windows Feedback app or through their Microsoft Support contacts. - -## Traditional deployment: - -New versions of Windows have typically been deployed by organizations using an image-based process built on top of tools provided in the [Windows Assessment and Deployment Kit](windows-adk-scenarios-for-it-pros.md), Windows Deployment Services, the [Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md), and [Microsoft Endpoint Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). - -With the release of Windows 10, all of these tools are being updated to fully support Windows 10. Although newer scenarios such as in-place upgrade and dynamic provisioning may reduce the need for traditional deployment capabilities in some organizations, these traditional methods remain important and will continue to be available to organizations that need them. - -The traditional deployment scenario can be divided into different sub-scenarios. These are explained in detail in the following sections, but the following provides a brief summary: - -- **New computer.** A bare-metal deployment of a new machine. -- **Computer refresh.** A reinstall of the same machine (with user-state migration and an optional full Windows Imaging (WIM) image backup). -- **Computer replace.** A replacement of the old machine with a new machine (with user-state migration and an optional full WIM image backup). - -### New computer - -Also called a "bare metal" deployment. This scenario occurs when you have a blank machine you need to deploy, or an existing machine you want to wipe and redeploy without needing to preserve any existing data. The setup starts from a boot media, using CD, USB, ISO, or Pre-Boot Execution Environment (PXE). You can also generate a full offline media that includes all the files needed for a client deployment, allowing you to deploy without having to connect to a central deployment share. The target can be a physical computer, a virtual machine, or a Virtual Hard Disk (VHD) running on a physical computer (boot from VHD). - -The deployment process for the new machine scenario is as follows: - -1. Start the setup from boot media (CD, USB, ISO, or PXE). - -2. Wipe the hard disk clean and create new volume(s). - -3. Install the operating system image. - -4. Install other applications (as part of the task sequence). - -After taking these steps, the computer is ready for use. - -### Computer refresh - -A refresh is sometimes called wipe-and-load. The process is normally initiated in the running operating system. User data and settings are backed up and restored later as part of the deployment process. The target can be the same as for the new computer scenario. - -The deployment process for the wipe-and-load scenario is as follows: - -1. Start the setup on a running operating system. - -2. Save the user state locally. - -3. Wipe the hard disk clean (except for the folder containing the backup). - -4. Install the operating system image. - -5. Install other applications. - -6. Restore the user state. - -After taking these steps, the machine is ready for use. - -### Computer replace - -A computer replace is similar to the refresh scenario. However, since we are replacing the machine, we divide this scenario into two main tasks: backup of the old client and bare-metal deployment of the new client. As with the refresh scenario, user data and settings are backed up and restored. - -The deployment process for the replace scenario is as follows: - -1. Save the user state (data and settings) on the server through a backup job on the running operating system. - -2. Deploy the new computer as a bare-metal deployment. - - **Note**
In some situations, you can use the replace scenario even if the target is the same machine. For example, you can use replace if you want to modify the disk layout from the master boot record (MBR) to the GUID partition table (GPT), which will allow you to take advantage of the Unified Extensible Firmware Interface (UEFI) functionality. You can also use replace if the disk needs to be repartitioned since user data needs to be transferred off the disk. - -## Related topics - -- [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) -- [Upgrade to Windows 10 with Microsoft Endpoint Configuration Manager](./deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md) -- [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=620230) -- [Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) -- [Windows setup technical reference](/windows-hardware/manufacture/desktop/windows-setup-technical-reference) -- [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) -- [UEFI firmware](/windows-hardware/design/device-experiences/oem-uefi) \ No newline at end of file From 832aff3e5a4f6e45bb0df6aabd8678686c505be2 Mon Sep 17 00:00:00 2001 From: Sunny Zankharia <67922512+sazankha@users.noreply.github.com> Date: Fri, 21 May 2021 13:48:55 -0700 Subject: [PATCH 094/415] Update configure-md-app-guard.md Removing rouge settings --- .../configure-md-app-guard.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md index 208da5965e..8df3886343 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md @@ -61,6 +61,3 @@ These settings, located at **Computer Configuration\Administrative Templates\Win |Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher

Windows 10 Pro, 1803 or higher|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.

**Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.| |Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher

Windows 10 Pro, 1809 or higher|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Be aware that enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.

**Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.| |Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise, 1809 or higher

Windows 10 Pro, 1809 or higher|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.

**Disabled or not configured.** Certificates are not shared with Microsoft Defender Application Guard.| -|Allow users to trust files that open in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher|Determines whether users are able to manually trust untrusted files to open them on the host.|**Enabled.** Users are able to manually trust files or trust files after an antivirus check.

**Disabled or not configured.** Users are unable to manually trust files and files continue to open in Microsoft Defender Application Guard.| -|Allow extensions in the container|Windows 10 Enterprise, 1709 or higher

Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use extensions.|**Enabled.** Favorites are able to sync from the host browser to the container. Note that this doesn’t work the other way around. The favorites sync to the user’s work profile by default.

**Disabled.** Users are not able to access their favorites from within the Application Guard container.| -|Allow favorites sync|Windows 10 Enterprise, 1709 or higher

Windows 10 Pro, 1803 or higher|Determines whether favorites can be accessible from Application Guard container.|**Enabled.** Favorites are able to sync from the host browser to the container, but it doesn’t work the other way around. The favorites sync to the user’s work profile by default.

**Disabled.** Users are not able to access their favorites from within the Application Guard container. From 77be61ed2c094991d15c5168851b43d5b04a935b Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Fri, 21 May 2021 14:42:52 -0700 Subject: [PATCH 095/415] Corrected content types on code blocks Valid types for code blocks are listed here: https://review.docs.microsoft.com/en-us/help/contribute/metadata-taxonomies?branch=master#dev-lang --- ...rtificate-authentication-device-enrollment.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/windows/client-management/mdm/certificate-authentication-device-enrollment.md b/windows/client-management/mdm/certificate-authentication-device-enrollment.md index f01490c427..91ff84cd45 100644 --- a/windows/client-management/mdm/certificate-authentication-device-enrollment.md +++ b/windows/client-management/mdm/certificate-authentication-device-enrollment.md @@ -14,7 +14,7 @@ ms.date: 06/26/2017 # Certificate authentication device enrollment -This section provides an example of the mobile device enrollment protocol using certificate authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347). +This section provides an example of the mobile device enrollment protocol using certificate authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://go.microsoft.com/fwlink/p/?LinkId=619347). > [!Note] > To set up devices to use certificate authentication for enrollment, you should create a provisioning package. For more information about provisioning packages, see [Build and apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package). @@ -31,7 +31,7 @@ For the list of enrollment scenarios not supported in Windows 10, see [Enrollme The following example shows the discovery service request. -``` syntax +```xml POST /EnrollmentServer/Discovery.svc HTTP/1.1 Content-Type: application/soap+xml; charset=utf-8 User-Agent: Windows Enrollment Client @@ -71,7 +71,7 @@ Cache-Control: no-cache The following example shows the discovery service response. -``` +```xml HTTP/1.1 200 OK Content-Length: 865 Content-Type: application/soap+xml; charset=utf-8 @@ -111,7 +111,7 @@ http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoverySer The following example shows the policy web service request. -``` +```xml POST /ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC HTTP/1.1 Content-Type: application/soap+xml; charset=utf-8 User-Agent: Windows Enrollment Client @@ -183,7 +183,7 @@ Cache-Control: no-cache The following snippet shows the policy web service response. -``` +```xml HTTP/1.1 200 OK Date: Fri, 03 Aug 2012 20:00:00 GMT Server: @@ -261,7 +261,7 @@ Content-Length: xxxx The following example shows the enrollment web service request. -``` +```xml POST /EnrollmentServer/DeviceEnrollmentWebService.svc HTTP/1.1 Content-Type: application/soap+xml; charset=utf-8 User-Agent: Windows Enrollment Client @@ -369,7 +369,7 @@ http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrol The following example shows the enrollment web service response. -``` +```xml HTTP/1.1 200 OK Cache-Control: private Content-Length: 10231 @@ -422,7 +422,7 @@ Date: Fri, 03 Aug 2012 00:32:59 GMT The following example shows the encoded provisioning XML. -``` +```xml From 7bd22fdeb383508dfc31cac8927c6227d32a57a4 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Fri, 21 May 2021 14:47:28 -0700 Subject: [PATCH 096/415] Delete TOC2.yml --- .../TOC2.yml | 113 ------------------ 1 file changed, 113 deletions(-) delete mode 100644 windows/security/threat-protection/windows-defender-application-control/TOC2.yml diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC2.yml b/windows/security/threat-protection/windows-defender-application-control/TOC2.yml deleted file mode 100644 index bb66da245a..0000000000 --- a/windows/security/threat-protection/windows-defender-application-control/TOC2.yml +++ /dev/null @@ -1,113 +0,0 @@ - -### WDAC:Landing -title: Application Control for Windows -metadata: - title: Application Control for Windows - description: Landing page for Windows Defender Application Control -# services: service -# ms.service: microsoft-WDAC-AppLocker -# ms.subservice: Application-Control -# ms.topic: landing-page -# author: Kim Klein -# ms.author: Jordan Geurten -# manager: Jeffrey Sutherland -# ms.update: 04/30/2021 -# linkListType: overview | how-to-guide | tutorial | video -landingContent: -# Cards and links should be based on top customer tasks or top subjects -# Start card title with a verb - # Card - - title: Learn about Application Control - linkLists: - - linkListType: overview - links: - - text: What is WDAC (WDAC Overview)? - url: wdac-and-applocker-overview.md - - text: What is AppLocker? - url: applocker\applocker-overview.md - - text: WDAC and AppLocker feature availability - url: feature-availability.md - # Card - - title: Learn about the Design Guide - linkLists: - - linkListType: overview - links: - - text: Using code signing to simplify application control - url: use-code-signing-to-simplify-application-control-for-classic-windows-applications.md - - text: Merging Policies - url: wdac-wizard-merging-policies.md - - text: Recommended blocks - url: microsoft-recommended-block-rules.md - - text: Recommended driver blocks - url: microsoft-recommended-driver-block-rules.md - - text: Example policies - url: example-wdac-base-policies.md - - text: LOB Win32 apps on S Mode - url: LOB-win32-apps-on-s.md - - linkListType: how-to-guide - links: - - text: Create a WDAC policy for a lightly managed device - url: cardreate-wdac-policy-for-lightly-managed-devices.md - - text: Create a WDAC policy for a fully managed device - url: create-wdac-policy-for-fully-managed-devices.md - - text: Create a WDAC policy for a fixed-workload - url: create-initial-default-policy.md - - text: Using catalog files - url: deploy-catalog-files-to-support-windows-defender-application-control.md - - text: WDAC Wizard tool - url: wdac-wizard.md - - linkListType: Tutorial (videos) - links: - - text: Using the WDAC Wizard - url: video md - - text: Specifying custom values - url: video md - # Card - - title: Learn about Policy Configuration - linkLists: - - linkListType: overview - links: - - text: Understanding policy rules - url: - - text: Understanding File rules - url: - - linkListType: how-to-guide (written) - links: - - text: Allow managed installer and configure managed installer rules - url: configure-authorized-apps-deployed-with-a-managed-installer.md - - text: Allow reputable apps with ISG - url: use-windows-defender-application-control-with-intelligent-security-graph.md - # Card - - title: Learn how to deploy WDAC Policies - linkLists: - - linkListType: overview - links: - - text: Signed policies - url: use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md - - text: Audit and enforce policies - url: audit-and-enforce-windows-defender-application-control-policies.md - - text: Disabling WDAC policies - url: disable-windows-defender-application-control-policies.md - - linkListType: tutorial - links: - - text: Deployment with MDM - url: deploy-windows-defender-application-control-policies-using-intune.md - - text: Deployment with MEMCM - url: deployment/deploy-wdac-policies-with-memcm.md - - text: Deployment with script and refresh policy - url: deployment/deploy-wdac-policies-with-script.md - # Card - - title: Learn how to monitor and reiterate WDAC Policies (operational) - linkLists: - - linkListType: overview - links: - - text: Event logs (tags, IDs) - url: event-id-and-tag-explanations.md - - linkListType: how-to-guide - links: - - text: Querying using advanced hunting - url: querying-application-control-events-centrally-using-advanced-hunting.md - - linkListType: tutorial - links: - - text: Creating a policy from event logs (video) - url: #Jordan will create a video for this \ No newline at end of file From 85168ed32565622c6c1b6d5331709661aafb3b95 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Fri, 21 May 2021 14:55:14 -0700 Subject: [PATCH 097/415] Acrolinx "provisioining" --- windows/deployment/upgrade/windows-10-edition-upgrades.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md index 71af1da585..5205193bb7 100644 --- a/windows/deployment/upgrade/windows-10-edition-upgrades.md +++ b/windows/deployment/upgrade/windows-10-edition-upgrades.md @@ -84,7 +84,7 @@ Use Windows Configuration Designer to create a provisioning package to upgrade a - To create a provisioning package for upgrading mobile editions of Windows 10, go to **Runtime settings > EditionUpgrade > UpgradeEditionWithLicense** in the **Available customizations** panel in Windows ICD and enter the product key for the upgraded edition. For more info about Windows Configuration Designer, see these topics: -- [Create a provisioining package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package) +- [Create a provisioning package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package) - [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) From f1d9dd9b5cd9b1307aa8973c07627a4981a18c21 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Fri, 21 May 2021 15:18:34 -0700 Subject: [PATCH 098/415] Corrected note styles --- .../upgrade/windows-10-edition-upgrades.md | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md index 5205193bb7..4cc61f1954 100644 --- a/windows/deployment/upgrade/windows-10-edition-upgrades.md +++ b/windows/deployment/upgrade/windows-10-edition-upgrades.md @@ -26,9 +26,13 @@ With Windows 10, you can quickly upgrade from one edition of Windows 10 to ano For a list of operating systems that qualify for the Windows 10 Pro Upgrade or Windows 10 Enterprise Upgrade through Microsoft Volume Licensing, see [Windows 10 Qualifying Operating Systems](https://download.microsoft.com/download/2/d/1/2d14fe17-66c2-4d4c-af73-e122930b60f6/Windows10-QOS.pdf). -The following table shows the methods and paths available to change the edition of Windows 10 that is running on your computer. **Note**: The reboot requirement for upgrading from Pro to Enterprise was removed in version 1607. +The following table shows the methods and paths available to change the edition of Windows 10 that is running on your computer. -Note: Although it isn't displayed yet in the table, edition upgrade is also possible using [edition upgrade policy](/configmgr/compliance/deploy-use/upgrade-windows-version) in Microsoft Endpoint Configuration Manager. +> [!NOTE] +> The reboot requirement for upgrading from Pro to Enterprise was removed in version 1607. + +> [!TIP] +> Although it isn't displayed yet in the table, edition upgrade is also possible using [edition upgrade policy](/configmgr/compliance/deploy-use/upgrade-windows-version) in Microsoft Endpoint Configuration Manager. ![not supported](../images/x_blk.png) (X) = not supported
![supported, reboot required](../images/check_grn.png) (green checkmark) = supported, reboot required
@@ -122,7 +126,8 @@ If you do not have a product key, you can upgrade your edition of Windows 10 th 3. Follow the on-screen instructions. - **Note**
If you are a Windows 10 Home N or Windows 10 Home KN user and have trouble finding your applicable upgrade in the Microsoft Store, click [here](ms-windows-store://windowsupgrade/). + > [!NOTE] + > If you are a Windows 10 Home N or Windows 10 Home KN user and have trouble finding your applicable upgrade in the Microsoft Store, click [here](ms-windows-store://windowsupgrade/). ## License expiration @@ -130,7 +135,8 @@ Volume license customers whose license has expired will need to change the editi Downgrading from any edition of Windows 10 to Windows 7, 8, or 8.1 by entering a different product key is not supported. You also cannot downgrade from a later version to an earlier version of the same edition (Ex: Windows 10 Pro 1709 to 1703) unless the rollback process is used. This topic does not discuss version downgrades. -Note: If you are using [Windows 10 Enterprise Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation) and a license expires, devices will automatically revert to the original edition when the grace period expires. +> [!NOTE] +> If you are using [Windows 10 Enterprise Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation) and a license expires, devices will automatically revert to the original edition when the grace period expires. ### Scenario example From ec3b863fc4e9c4d461f428d495040eeebf917eaa Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Fri, 21 May 2021 15:21:03 -0700 Subject: [PATCH 099/415] Changed some to --- .../upgrade/windows-10-edition-upgrades.md | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md index 4cc61f1954..c9b296a9c8 100644 --- a/windows/deployment/upgrade/windows-10-edition-upgrades.md +++ b/windows/deployment/upgrade/windows-10-edition-upgrades.md @@ -156,21 +156,21 @@ You can move directly from Enterprise to any valid destination edition. In this
- + - - - - - - - - - + + + + + + + + + - + From 2b6d435f7e45d6cbb3dd06294680402928b41355 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Fri, 21 May 2021 17:41:06 -0700 Subject: [PATCH 100/415] Changed some - + @@ -97,7 +97,7 @@ Additional lists: - + @@ -123,7 +123,7 @@ Additional lists: - + @@ -149,7 +149,7 @@ Additional lists: - + @@ -201,7 +201,7 @@ Additional lists: - + @@ -227,7 +227,7 @@ Additional lists: - + @@ -253,7 +253,7 @@ Additional lists: - + @@ -305,7 +305,7 @@ Additional lists: - + @@ -331,7 +331,7 @@ Additional lists: - + @@ -358,7 +358,7 @@ Additional lists: - + @@ -384,7 +384,7 @@ Additional lists: - + @@ -410,7 +410,7 @@ Additional lists: - + @@ -436,7 +436,7 @@ Additional lists: - + @@ -462,7 +462,7 @@ Additional lists: - + @@ -514,7 +514,7 @@ Additional lists: - + @@ -540,7 +540,7 @@ Additional lists: - + @@ -566,7 +566,7 @@ Additional lists: - + @@ -592,7 +592,7 @@ Additional lists: - + @@ -618,7 +618,7 @@ Additional lists: - + @@ -644,7 +644,7 @@ Additional lists: - + @@ -670,7 +670,7 @@ Additional lists: - + @@ -722,7 +722,7 @@ Additional lists: - + @@ -748,7 +748,7 @@ Additional lists: - + @@ -774,7 +774,6 @@ Additional lists: - @@ -802,7 +801,6 @@ Additional lists: - @@ -829,7 +827,7 @@ Additional lists: - + @@ -882,7 +880,7 @@ Additional lists: - + @@ -934,7 +932,7 @@ Additional lists: - + @@ -960,7 +958,7 @@ Additional lists: - + @@ -1012,7 +1010,7 @@ Additional lists: - + @@ -1037,9 +1035,9 @@ Additional lists: +A + - @@ -1065,10 +1063,9 @@ Additional lists: - - +
Destination editionDestination edition
      HomeProPro for WorkstationsPro EducationEducationEnterprise LTSCEnterprise       HomeProPro for WorkstationsPro EducationEducationEnterprise LTSCEnterprise
Starting editionStarting edition
Home to --- .../upgrade/windows-10-upgrade-paths.md | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/windows/deployment/upgrade/windows-10-upgrade-paths.md b/windows/deployment/upgrade/windows-10-upgrade-paths.md index 57994ce79b..2b5bb70b58 100644 --- a/windows/deployment/upgrade/windows-10-upgrade-paths.md +++ b/windows/deployment/upgrade/windows-10-upgrade-paths.md @@ -43,17 +43,17 @@ D = Edition downgrade; personal data is maintained, applications and settings ar - - - - - - - - + + + + + + + + - + @@ -116,7 +116,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar - + @@ -209,7 +209,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar - + From 988b07c78c4ec090e719c80b5f30be474e0c4730 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Mon, 24 May 2021 09:59:45 +0530 Subject: [PATCH 101/415] Update bitlocker-deployment-comparison.md To fix edit issue --- .../bitlocker/bitlocker-deployment-comparison.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md index dd32f174a6..2ef7fbf2b9 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md @@ -49,9 +49,7 @@ This article depicts the BitLocker deployment comparison chart. |Select cipher strength and algorithms for operating environment drives | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | |Standard recovery password storage location | Azure AD or Active Directory | Configuration Manager site database | MBAM database | -|Store recovery password for operating system and -fixed drives to Azure AD or Active Directory | Yes (Active Directory and -Azure AD) | Yes (Active Directory only) | Yes (Active Directory only) | +|Store recovery password for operating system and fixed drives to Azure AD or Active Directory | Yes (Active Directory and Azure AD) | Yes (Active Directory only) | Yes (Active Directory only) | |Customize preboot message and recovery link | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | |Allow/deny key file creation | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | |Deny Write permission to unprotected drives | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | From e57ba5b729344902306418ac00a608744c751d70 Mon Sep 17 00:00:00 2001 From: Asha Iyengar Date: Mon, 24 May 2021 15:46:24 +0530 Subject: [PATCH 102/415] Changed instances of "Bitlocker" to BitLocker" to keep the terminology consistent --- .../bitlocker/bitlocker-deployment-comparison.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md index 2ef7fbf2b9..d3e5e2f766 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md @@ -16,7 +16,7 @@ ms.date: 05/20/2021 ms.custom: bitlocker --- -# Bitlocker deployment comparison +# BitLocker deployment comparison **Applies to** @@ -24,7 +24,7 @@ ms.custom: bitlocker This article depicts the BitLocker deployment comparison chart. -## Bitlocker deployment comparison chart +## BitLocker deployment comparison chart | |Microsoft Intune |Microsoft Endpoint Configuration Manager |Microsoft BitLocker Administration and Monitoring (MBAM)* | |---------|---------|---------|---------| From e876258e88e88bb9a7c55753a370cddd901b001e Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 24 May 2021 06:05:28 -0700 Subject: [PATCH 103/415] Update configure-md-app-guard.md --- .../configure-md-app-guard.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md index 8df3886343..c67c087461 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md @@ -8,7 +8,7 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 05/06/2021 +ms.date: 05/24/2021 ms.reviewer: manager: dansimp ms.custom: asr @@ -27,7 +27,7 @@ Application Guard uses both network isolation and application-specific settings. ## Network isolation settings -These settings, located at **Computer Configuration\Administrative Templates\Network\Network Isolation**, help you define and manage your organization's network boundaries. Application Guard uses this information to automatically transfer any requests to access the non-corporate resources into the Application Guard container. +These settings, located at `Computer Configuration\Administrative Templates\Network\Network Isolation`, help you define and manage your organization's network boundaries. Application Guard uses this information to automatically transfer any requests to access the non-corporate resources into the Application Guard container. > [!NOTE] > You must configure either the Enterprise resource domains hosted in the cloud or Private network ranges for apps settings on your employee devices to successfully turn on Application Guard using enterprise mode. Proxy servers must be a neutral resource listed in the "Domains categorized as both work and personal" policy. @@ -48,7 +48,7 @@ These settings, located at **Computer Configuration\Administrative Templates\Net |`..contoso.com`|2|Trust all levels of the domain hierarchy that are to the left of the dot. Matching sites include `shop.contoso.com`, `us.shop.contoso.com`, `www.us.shop.contoso.com`, but NOT `contoso.com` itself.| ## Application-specific settings -These settings, located at **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard**, can help you to manage your company's implementation of Application Guard. +These settings, located at `Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard`, can help you to manage your company's implementation of Application Guard. |Name|Supported versions|Description|Options| |-----------|------------------|-----------|-------| From e1c3b21fbbefca7de9d69b721ff2f7f0da790833 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 24 May 2021 06:07:08 -0700 Subject: [PATCH 104/415] Update configure-md-app-guard.md --- .../configure-md-app-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md index c67c087461..593984f0dc 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md @@ -52,7 +52,7 @@ These settings, located at `Computer Configuration\Administrative Templates\Wind |Name|Supported versions|Description|Options| |-----------|------------------|-----------|-------| -|Configure Microsoft Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher

Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:
-Disable the clipboard functionality completely when Virtualization Security is enabled.
- Enable copying of certain content from Application Guard into Microsoft Edge.
- Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.

**Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.| +|Configure Microsoft Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher

Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:
- Disable the clipboard functionality completely when Virtualization Security is enabled.
- Enable copying of certain content from Application Guard into Microsoft Edge.
- Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.

**Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.| |Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher

Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:
- Enable Application Guard to print into the XPS format.
- Enable Application Guard to print into the PDF format.
- Enable Application Guard to print to locally attached printers.
- Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.

**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.| |Block enterprise websites to load non-enterprise content in IE and Edge|Windows 10 Enterprise, 1709 or higher|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container.

**NOTE**: This action might also block assets cached by CDNs and references to analytics sites. Add them to the trusted enterprise resources to avoid broken pages.

**Disabled or not configured.** Prevents Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. | |Allow Persistence|Windows 10 Enterprise, 1709 or higher

Windows 10 Pro, 1803 or higher|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.

**Disabled or not configured.** All user data within Application Guard is reset between sessions.

**NOTE**: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.

**To reset the container:**
1. Open a command-line program and navigate to `Windows/System32`.
2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.| From 0e1b842fb9016049e452ec258fde08b5db5f595c Mon Sep 17 00:00:00 2001 From: Thomas Raya Date: Mon, 24 May 2021 10:01:48 -0700 Subject: [PATCH 105/415] Update TOC.yml test site relative link --- windows/sv/TOC.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/sv/TOC.yml b/windows/sv/TOC.yml index 355d8e61c1..a293d047ad 100644 --- a/windows/sv/TOC.yml +++ b/windows/sv/TOC.yml @@ -13,7 +13,7 @@ - name: Deploy and Manage Windows Sun Valley items: - name: Plan to deploy Windows Sun Valley - href: /windows/deployment/sv-plan.md + href: /windows/deployment/sv-plan - name: Prepare for Windows Sun Valley href: /windows/deployment/sv-prepare.md - name: Deploy Windows Sun Valley From d8b97435929ea25323d7e1447ccc181ea2b54802 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Mon, 24 May 2021 11:09:43 -0700 Subject: [PATCH 106/415] Task ID 29550212 Made recommended edit. --- .../select-types-of-rules-to-create.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index e91bfb3d64..000dc79659 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -126,14 +126,14 @@ Wildcards can be used at the beginning or end of a path rule; only one wildcard You can also use the following macros when the exact volume may vary: `%OSDRIVE%`, `%WINDIR%`, `%SYSTEM32%`. -## More information about hashes +## More information about hashes -### Why does scan create 4 hash rules per XML file? +### Why does scan create four hash rules per XML file? -(Hash Sha1, Hash Sha256, Hash Page Sha1, Hash Page Sha256) -During validation CI will choose which hashes to calculate depending on how the file is signed. E.g. if the file is page-hash signed the entire file would not get paged in to do a full sha256 authenticode and we would just match using the first page hash. +The PowerShell cmdlet will produce an Authenticode Sha1 Hash, Sha256 Hash, Sha1 Page Hash, Sha256 Page Hash. +During validation CI will choose which hashes to calculate depending on how the file is signed. For example, if the file is page-hash signed the entire file would not get paged in to do a full sha256 authenticode and we would just match using the first page hash. -In the cmdlets, rather than try to predict which hash CI will use, we pre calculate and use the 4 hashes (sha1/sha2 authenticode, and sha1/sha2 of first page). This is also resilient to if the signing status of the file changes and necessary for deny rules to ensure that changing/stripping the signature doesn’t result in a different hash than what was in the policy being used by CI. +In the cmdlets, rather than try to predict which hash CI will use, we pre-calculate and use the four hashes (sha1/sha2 authenticode, and sha1/sha2 of first page). This is also resilient, if the signing status of the file changes and necessary for deny rules to ensure that changing/stripping the signature doesn’t result in a different hash than what was in the policy being used by CI. ### Why does scan create 8 hash rules for certain XML files? From 5e53adc4effca1e0294803f0385c8ba9c95364af Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Mon, 24 May 2021 11:13:53 -0700 Subject: [PATCH 107/415] Task ID 33324832 Made 2 recommended edits. --- ...d-enforce-windows-defender-application-control-policies.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md index 31f6314425..04664080a7 100644 --- a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md @@ -32,7 +32,7 @@ While a WDAC policy is running in audit mode, any binary that runs but would hav ## Overview of the process to create WDAC policy to allow apps using audit events -> [!Note] +> [!NOTE] > You must have already deployed a WDAC audit mode policy to use this process. If you have not already done so, see [Deploying Windows Defender Application Control policies](windows-defender-application-control-deployment-guide.md). To familiarize yourself with creating WDAC rules from audit events, follow these steps on a device with a WDAC audit mode policy. @@ -75,7 +75,7 @@ To familiarize yourself with creating WDAC rules from audit events, follow these 8. Convert the Base or Supplemental policy to binary and deploy using your preferred method. -## Convert WDAC **base** policy from audit to enforced +## Convert WDAC **BASE** policy from audit to enforced As described in [common WDAC deployment scenarios](types-of-devices.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices. From c1ae84c81f44ae1590a5e7830745c0bc1ab65e4e Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Mon, 24 May 2021 11:34:24 -0700 Subject: [PATCH 108/415] Task ID 33324832 Fixed primary heading size. --- ...and-enforce-windows-defender-application-control-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md index 04664080a7..4b1860ea36 100644 --- a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md @@ -19,7 +19,7 @@ ms.date: 05/03/2021 ms.technology: mde --- -## Use audit events to create WDAC policy rules and Convert **base** policy from audits to enforced +# Use audit events to create WDAC policy rules and Convert **base** policy from audits to enforced **Applies to:** From 75160b732405a061f12a6869ad46e40c3280566b Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Mon, 24 May 2021 11:38:02 -0700 Subject: [PATCH 109/415] Task ID 31558721 Removed "rendering ISG reputation as moot" --- ...ender-application-control-with-intelligent-security-graph.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md index dcd705cd5b..082eb3a3f1 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md @@ -33,7 +33,7 @@ Beginning with Windows 10, version 1709, you can set an option to automatically The ISG uses the same vast security intelligence and machine learning analytics that power Microsoft Defender SmartScreen and Microsoft Defender Antivirus to help classify applications as having "known good," "known bad," or "unknown" reputation. When a binary runs on a system, with WDAC enabled with the ISG option, WDAC checks the file's reputation, by sending its hash and signing information to the cloud. If the ISG reports that the file has a "known good" reputation, the $KERNEL.SMARTLOCKER.ORIGINCLAIM kernel Extended Attribute (EA) is written to the file. -If your WDAC policy does not have an explicit rule to allow or deny a binary to run, then WDAC will make a call to the cloud to determine whether the binary is familiar and safe. However, if your policy already authorizes or denies the binary, then WDAC will not make a call to the cloud, rendering ISG reputation information as moot. +If your WDAC policy does not have an explicit rule to allow or deny a binary to run, then WDAC will make a call to the cloud to determine whether the binary is familiar and safe. However, if your policy already authorizes or denies the binary, then WDAC will not make a call to the cloud. If the file with good reputation is an application installer, its reputation will pass along to any files that it writes to disk. This way, all the files needed to install and run an app inherit the positive reputation data from the installer. From b9fcf4421627b005f5db5268a4e90486e3260a20 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Mon, 24 May 2021 11:40:32 -0700 Subject: [PATCH 110/415] Task ID 33324832 Fixed first heading. --- ...nfigure-authorized-apps-deployed-with-a-managed-installer.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md index 3922be1e3b..6612e9fbf7 100644 --- a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md @@ -18,7 +18,7 @@ ms.date: 08/14/2020 ms.technology: mde --- -## Configuring authorized apps deployed by a managed installer with AppLocker and Windows Defender Application Control +# Configuring authorized apps deployed by a managed installer with AppLocker and Windows Defender Application Control **Applies to:** From 84458fe2ffb40b4f2165e5e07ac62cac9e721629 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Mon, 24 May 2021 11:46:21 -0700 Subject: [PATCH 111/415] Updated wdac-and-applocker-overview document Restored first heading size and made suggested text edit to the WDAC System Requirements section. --- .../wdac-and-applocker-overview.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md index 0897007f32..2d7ae11177 100644 --- a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md @@ -19,7 +19,7 @@ ms.custom: asr ms.technology: mde --- -## Windows Defender Application Control and AppLocker Overview +# Windows Defender Application Control and AppLocker Overview **Applies to:** @@ -47,7 +47,7 @@ Note that prior to Windows 10 version 1709, Windows Defender Application Control WDAC policies can be created on any client edition of Windows 10 build 1903+, or on Windows Server 2016 and above. -WDAC policies can be applied to devices running any edition of Windows 10, or Windows Server 2016 and above, via a Mobile Device Management (MDM) solution, e.g. Intune; a management interface, e.g. Configuration Manager; or a script host, e.g. PowerShell. Group Policy can also be used to deploy WDAC policies to Windows 10 Enterprise edition, or Windows Server 2016 and above, but cannot deploy policies to devices running non-Enterprise SKUs of Windows 10. +WDAC policies can be applied to devices running any edition of Windows 10, or Windows Server 2016 and above, via a Mobile Device Management (MDM) solution, for example, Intune; a management interface such as Configuration Manager; or a script host such as PowerShell. Group Policy can also be used to deploy WDAC policies to Windows 10 Enterprise edition, or Windows Server 2016 and above, but cannot deploy policies to devices running non-Enterprise SKUs of Windows 10. For more information on which individual WDAC features are available on specific WDAC builds, see [WDAC feature availability](feature-availability.md). From 087c522d61678843302f41f2abe6140ce448ab95 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Mon, 24 May 2021 13:15:14 -0700 Subject: [PATCH 112/415] Task ID 29550212 Implemented last suggested edit to the "create eight hash rules" section. --- .../select-types-of-rules-to-create.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 000dc79659..390b687187 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -135,7 +135,7 @@ During validation CI will choose which hashes to calculate depending on how the In the cmdlets, rather than try to predict which hash CI will use, we pre-calculate and use the four hashes (sha1/sha2 authenticode, and sha1/sha2 of first page). This is also resilient, if the signing status of the file changes and necessary for deny rules to ensure that changing/stripping the signature doesn’t result in a different hash than what was in the policy being used by CI. -### Why does scan create 8 hash rules for certain XML files? +### Why does scan create eight hash rules for certain XML files? Separate rules are created for UMCI and KMCI. In some cases, files which are purely user-mode or purely kernel-mode may still generate both sets, as CI cannot always precisely determine what is purely user vs. kernel mode and errs on the side of caution. From 092c6bfb6c44603217a2f2d34d5d0593872c44d0 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Mon, 24 May 2021 13:26:23 -0700 Subject: [PATCH 113/415] Task ID 33324832 Updated TOC and all articles that point to old managed installer documents with new combined managed installer link. --- ...lication-control-with-managed-installer.md | 59 ------------------- 1 file changed, 59 deletions(-) delete mode 100644 windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md deleted file mode 100644 index 66afc7f933..0000000000 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md +++ /dev/null @@ -1,59 +0,0 @@ ---- -title: Authorize apps installed by a managed installer (Windows 10) -description: Explains how to automatically allow applications deployed and installed by a managed installer. -keywords: security, malware -ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -audience: ITPro -ms.collection: M365-security-compliance -author: jsuther1974 -ms.reviewer: jogeurte -ms.author: dansimp -manager: dansimp -ms.date: 04/20/2021 -ms.technology: mde ---- - -# Authorize apps deployed by a managed installer - -**Applies to:** - -- Windows 10 -- Windows Server 2019 - -Windows 10, version 1703 introduced a new option for Windows Defender Application Control (WDAC), called managed installer, that helps balance security and manageability when enforcing application control policies. This option lets you automatically allow applications installed by a designated software distribution solution such as Microsoft Endpoint Configuration Manager. - -## How does a managed installer work? - -A new rule collection in AppLocker specifies binaries that are trusted by the organization as an authorized source for application deployment. When one of these binaries runs, Windows will monitor the binary's process (and processes it launches) and tag all files it writes as having originated from a managed installer. The managed installer rule collection is configured using Group Policy and can be applied with the Set-AppLockerPolicy PowerShell cmdlet. You can't currently set managed installers with the AppLocker CSP through MDM. - -Having defined your managed installers using AppLocker, you can then configure WDAC to trust files installed by a managed installer by adding the Enabled:Managed Installer option to your WDAC policy. Once that option is set, WDAC will check for managed installer origin information when determining whether or not to allow a binary to run. As long as there are no deny rules present for the file, WDAC will allow a file to run based on its managed installer origin. - -You should ensure that the WDAC policy allows the system to boot and any other authorized applications that can't be deployed through a managed installer. - -For an example of a managed installer use case, see [Creating a WDAC policy for fully managed devices](create-wdac-policy-for-fully-managed-devices.md). - -## Security considerations with managed installer - -Since managed installer is a heuristic-based mechanism, it doesn't provide the same security guarantees that explicit allow or deny rules do. -It is best suited for use where each user operates as a standard user and where all software is deployed and installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager. - -Users with administrator privileges or malware running as an administrator user on the system may be able to circumvent the intent of Windows Defender Application Control when the managed installer option is allowed. - -If a managed installer process runs in the context of a user with standard privileges, then it is possible that standard users or malware running as standard user may be able to circumvent the intent of Windows Defender Application Control. - -Some application installers may automatically run the application at the end of the installation process. If this happens when the installer is run by a managed installer, then the managed installer's heuristic tracking and authorization will extend to all files created during the first run of the application. This could result in over-authorization for executables that were not intended. To avoid that outcome, ensure that the application deployment solution used as a managed installer limits running applications as part of installation. - -## Known limitations with managed installer - -- Application control based on managed installer does not support applications that self-update. If an application deployed by a managed installer later updates itself, the updated application files won't include the managed installer origin information and may not be able to run. When you rely on managed installers, you must deploy and install all application updates using a managed installer or include rules to authorize the app in the WDAC policy. In some cases, it may be possible to also designate an application binary that performs self-updates as a managed installer. Proper review for functionality and security should be performed for the application before using this method. - -- [Packaged apps (MSIX)](/windows/msix/) deployed through a managed installer aren't tracked by the managed installer heuristic and will need to be separately authorized in your WDAC policy. See [Manage packaged apps with WDAC](manage-packaged-apps-with-windows-defender-application-control.md). - -- Some applications or installers may extract, download, or generate binaries and immediately attempt to run them. Files run by such a process may not be allowed by the managed installer heuristic. In some cases, it may be possible to also designate an application binary that performs such an operation as a managed installer. Proper review for functionality and security should be performed for the application before using this method. - -- The managed installer heuristic doesn't authorize kernel drivers. The WDAC policy must have rules that allow the necessary drivers to run. From a85b27f4bfa623752f94ff6cf89c0cf1c50ec8c7 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Mon, 24 May 2021 13:42:46 -0700 Subject: [PATCH 114/415] Task ID 33324832 continued These are the other files that were updated for this task. --- .../windows-defender-application-control/TOC.yml | 4 ++-- .../create-wdac-policy-for-fully-managed-devices.md | 2 +- .../create-wdac-policy-for-lightly-managed-devices.md | 2 +- .../feature-availability.md | 2 +- .../plan-windows-defender-application-control-management.md | 2 +- .../select-types-of-rules-to-create.md | 2 +- ...ws-defender-application-control-policy-design-decisions.md | 2 +- .../wdac-and-applocker-overview.md | 2 +- 8 files changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/TOC.yml index eaf0d1aa66..8fa33cfe26 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.yml +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.yml @@ -21,9 +21,9 @@ href: select-types-of-rules-to-create.md items: - name: Allow apps installed by a managed installer - href: use-windows-defender-application-control-with-managed-installer.md + href: configure-authorized-apps-deployed-with-a-managed-installer.md - name: Configure managed installer rules - href: configure-wdac-managed-installer.md + href: configure-authorized-apps-deployed-with-a-managed-installer.md - name: Allow reputable apps with Intelligent Security Graph (ISG) href: use-windows-defender-application-control-with-intelligent-security-graph.md - name: Allow COM object registration diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md index 8399532bab..cceb8da77d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md @@ -149,7 +149,7 @@ Alice has defined a policy for Lamna's fully-managed devices that makes some tra Possible mitigations: - Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies. - **Managed installer**
- See [security considerations with managed installer](use-windows-defender-application-control-with-managed-installer.md#security-considerations-with-managed-installer) + See [security considerations with managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md#security-considerations-with-managed-installer) Existing mitigations applied: - Limit who can elevate to administrator on the device. diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md index 08e82cbe13..c4dabcde4c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md @@ -155,7 +155,7 @@ In order to minimize user productivity impact, Alice has defined a policy that m - Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies. - Limit who can elevate to administrator on the device. - **Managed installer**
- See [security considerations with managed installer](use-windows-defender-application-control-with-managed-installer.md#security-considerations-with-managed-installer) + See [security considerations with managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md#security-considerations-with-managed-installer) Possible mitigations: - Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer. diff --git a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md index 3f411ffb3e..16dd454c61 100644 --- a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md +++ b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md @@ -34,7 +34,7 @@ ms.technology: mde | Per-User and Per-User group rules | Not available (policies are device-wide) | Available on Windows 8+ | | Kernel mode policies | Available on all Windows 10 versions | Not available | | Per-app rules | [Available on 1703+](./use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md) | Not available | -| Managed Installer (MI) | [Available on 1703+](./use-windows-defender-application-control-with-managed-installer.md) | Not available | +| Managed Installer (MI) | [Available on 1703+](./configure-authorized-apps-deployed-with-a-managed-installer.md) | Not available | | Reputation-Based intelligence | [Available on 1709+](./use-windows-defender-application-control-with-intelligent-security-graph.md) | Not available | | Multiple policy support | [Available on 1903+](./deploy-multiple-windows-defender-application-control-policies.md) | Not available | | Path-based rules | [Available on 1903+.](./select-types-of-rules-to-create.md#more-information-about-filepath-rules) Exclusions are not supported. Runtime user-writeability check enforced by default. | Available on Windows 8+. Exclusions are supported. No runtime user-writeability check. | diff --git a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md index 8c0156d01b..5d0dd83466 100644 --- a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md +++ b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md @@ -59,7 +59,7 @@ In addition, we recommend using the [Set-CIPolicyVersion](/powershell/module/con ### Policy rule updates -As new apps are deployed or existing apps are updated by the software publisher, you may need to make revisions to your rules to ensure that these apps run correctly. Whether policy rule updates are required will depend significantly on the types of rules your policy includes. Rules based on codesigning certificates provide the most resiliency against app changes while rules based on file attributes or hash are most likely to require updates when apps change. Alternatively, if you leverage WDAC [managed installer](use-windows-defender-application-control-with-managed-installer.md) functionality and consistently deploy all apps and their updates through your managed installer, then you are less likely to need policy updates. +As new apps are deployed or existing apps are updated by the software publisher, you may need to make revisions to your rules to ensure that these apps run correctly. Whether policy rule updates are required will depend significantly on the types of rules your policy includes. Rules based on codesigning certificates provide the most resiliency against app changes while rules based on file attributes or hash are most likely to require updates when apps change. Alternatively, if you leverage WDAC [managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) functionality and consistently deploy all apps and their updates through your managed installer, then you are less likely to need policy updates. ## WDAC event management diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 390b687187..add268e0ee 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -63,7 +63,7 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru | **10 Enabled:Boot Audit on Failure** | Used when the WDAC policy is in enforcement mode. When a driver fails during startup, the WDAC policy will be placed in audit mode so that Windows will load. Administrators can validate the reason for the failure in the CodeIntegrity event log. | | **11 Disabled:Script Enforcement** | This option disables script enforcement options. Unsigned PowerShell scripts and interactive PowerShell are no longer restricted to [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes). NOTE: This option is supported on 1709, 1803, and 1809 builds with the 2019 10C LCU or higher, and on devices with the Windows 10 May 2019 Update (1903) and higher. Using it on versions of Windows 10 without the proper update may have unintended results. | | **12 Required:Enforce Store Applications** | If this rule option is enabled, WDAC policies will also apply to Universal Windows applications. | -| **13 Enabled:Managed Installer** | Use this option to automatically allow applications installed by a managed installer. For more information, see [Authorize apps deployed with a WDAC managed installer](use-windows-defender-application-control-with-managed-installer.md) | +| **13 Enabled:Managed Installer** | Use this option to automatically allow applications installed by a managed installer. For more information, see [Authorize apps deployed with a WDAC managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) | | **14 Enabled:Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft’s Intelligent Security Graph (ISG). | | **15 Enabled:Invalidate EAs on Reboot** | When the Intelligent Security Graph option (14) is used, WDAC sets an extended file attribute that indicates that the file was authorized to run. This option will cause WDAC to periodically revalidate the reputation for files that were authorized by the ISG.| | **16 Enabled:Update Policy No Reboot** | Use this option to allow future WDAC policy updates to apply without requiring a system reboot. NOTE: This option is only supported on Windows 10, version 1709, and above.| diff --git a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md index 9443134723..9bd69f5bee 100644 --- a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md +++ b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md @@ -58,7 +58,7 @@ Organizations with well-defined, centrally-managed app management and deployment | Possible answers | Design considerations| | - | - | -| All apps are centrally managed and deployed using endpoint management tools like [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager). | Organizations that centrally manage all apps are best-suited for application control. WDAC options like [managed installer](use-windows-defender-application-control-with-managed-installer.md) can make it easy to authorize apps that are deployed by the organization's app distribution management solution. | +| All apps are centrally managed and deployed using endpoint management tools like [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager). | Organizations that centrally manage all apps are best-suited for application control. WDAC options like [managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) can make it easy to authorize apps that are deployed by the organization's app distribution management solution. | | Some apps are centrally managed and deployed, but teams can install additional apps for their members. | [Supplemental policies](deploy-multiple-windows-defender-application-control-policies.md) can be used to allow team-specific exceptions to your core organization-wide WDAC policy. Alternatively, teams can leverage managed installers to install their team-specific apps or admin-only file path rules can be used to allow apps installed by admin users. | | Users and teams are free to download and install apps but the organization wants to restrict that right to prevalent and reputable apps only. | WDAC can integrate with Microsoft's [Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md) (the same source of intelligence that powers Microsoft Defender Antivirus and Windows Defender SmartScreen) to allow only apps and binaries that have positive reputation. | | Users and teams are free to download and install apps without restriction. | WDAC policies can be deployed in audit mode to gain insight into the apps and binaries running in your organization without impacting user and team productivity.| diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md index 2d7ae11177..ce2acde0e8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md @@ -37,7 +37,7 @@ WDAC policies apply to the managed computer as a whole and affects all users of - Attributes of the codesigning certificate(s) used to sign an app and its binaries - Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file - The reputation of the app as determined by Microsoft's [Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md) -- The identity of the process that initiated the installation of the app and its binaries ([managed installer](use-windows-defender-application-control-with-managed-installer.md)) +- The identity of the process that initiated the installation of the app and its binaries ([managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md)) - The [path from which the app or file is launched](select-types-of-rules-to-create.md#more-information-about-filepath-rules) (beginning with Windows 10 version 1903) - The process that launched the app or binary From 3f303e1e27542a1e3fe28a34fa6d832f4ff520f3 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Tue, 25 May 2021 11:28:21 +0100 Subject: [PATCH 115/415] Update policy-csp-system.md --- .../mdm/policy-csp-system.md | 20 ++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 3615cb2e3f..cf6bdc3ff3 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -736,13 +736,22 @@ The following list shows the supported values for Windows 8.1:

      Windows 10 HomeWindows 10 ProWindows 10 Pro EducationWindows 10 EducationWindows 10 EnterpriseWindows 10 MobileWindows 10 Mobile Enterprise Windows 10 HomeWindows 10 ProWindows 10 Pro EducationWindows 10 EducationWindows 10 EnterpriseWindows 10 MobileWindows 10 Mobile Enterprise
Windows 7Windows 7
Starter
Windows 8.1Windows 8.1
(Core)
Windows 10Windows 10
Home
--> -In Windows 10, you can configure this policy setting to decide what level of diagnostic data to send to Microsoft. The following list shows the supported values for Windows 10: +In Windows 10, you can configure this policy setting to decide what level of diagnostic data to send to Microsoft. + +The following list shows the supported values for Windows 10 version 1809 and older: + - 0 – (**Security**) Sends information that is required to help keep Windows more secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Microsoft Defender. **Note:** This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 IoT Core (IoT Core), Hololens 2, and Windows Server 2016. Using this setting on other devices is equivalent to setting the value of 1. - 1 – (**Basic**) Sends the same data as a value of 0, plus additional basic device info, including quality-related data, app compatibility, and app usage data. - 2 – (**Enhanced**) Sends the same data as a value of 1, plus additional insights, including how Windows, Windows Server, System Center, and apps are used, how they perform, and advanced reliability data. - 3 – (**Full**) Sends the same data as a value of 2, plus all data necessary to identify and fix problems with devices. +The following list shows the supported values for Windows 10 version 19H1 and later: + +- Diagnostic data off - No Windows diagnostic data sent. +- Required (Basic) - Minimum data required to keep the device secure, up to date, and performing as expected. +- Optional (Full) - Additional data about the websites you browse, how Windows and apps are used and how they perform. This data also includes data about device activity, and enhanced error reporting that helps Microsoft to fix and improve products and services for all users. + - -> [!IMPORTANT] -> If you are using Windows 8.1 MDM server and set a value of 0 using the legacy AllowTelemetry policy on a Windows 10 Mobile device, then the value is not respected and the telemetry level is silently set to level 1. - - -Most restricted value is 0. - ADMX Info: @@ -1609,7 +1611,7 @@ This policy setting, in combination with the System/AllowTelemetry To enable this behavior, you must complete two steps:
  • Enable this policy setting
    • -
  • Set Allow Telemetry to level 2 (Enhanced)
    • +
  • Set Allow Telemetry to Optional (Full)
When you configure these policy settings, a basic level of diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented here: Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics. From ca4eb87ea2af18c18f1c77b0bcf7ee9c5ecdc005 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Tue, 25 May 2021 11:38:48 +0100 Subject: [PATCH 116/415] Update policy-csp-system.md --- windows/client-management/mdm/policy-csp-system.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index cf6bdc3ff3..f8b011b8b0 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -740,17 +740,19 @@ In Windows 10, you can configure this policy setting to decide what level of dia The following list shows the supported values for Windows 10 version 1809 and older: -- 0 – (**Security**) Sends information that is required to help keep Windows more secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Microsoft Defender. +- 0 – (**Security**) Sends information that is required to help keep Windows more secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Microsoft Defender. **Note:** This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 IoT Core (IoT Core), Hololens 2, and Windows Server 2016. Using this setting on other devices is equivalent to setting the value of 1. - 1 – (**Basic**) Sends the same data as a value of 0, plus additional basic device info, including quality-related data, app compatibility, and app usage data. - 2 – (**Enhanced**) Sends the same data as a value of 1, plus additional insights, including how Windows, Windows Server, System Center, and apps are used, how they perform, and advanced reliability data. - 3 – (**Full**) Sends the same data as a value of 2, plus all data necessary to identify and fix problems with devices. +Most restricted value is 0. + The following list shows the supported values for Windows 10 version 19H1 and later: -- Diagnostic data off - No Windows diagnostic data sent. -- Required (Basic) - Minimum data required to keep the device secure, up to date, and performing as expected. -- Optional (Full) - Additional data about the websites you browse, how Windows and apps are used and how they perform. This data also includes data about device activity, and enhanced error reporting that helps Microsoft to fix and improve products and services for all users. +- **Diagnostic data off** - No Windows diagnostic data sent. +- **Required (Basic)** - Minimum data required to keep the device secure, up to date, and performing as expected. +- **Optional (Full)** - Additional data about the websites you browse, how Windows and apps are used and how they perform. This data also includes data about device activity, and enhanced error reporting that helps Microsoft to fix and improve products and services for all users. Available in the latest Windows 10 Insider Preview Build. Prevents users from using My Computer to gain access to the content of selected drives. -If you enable this setting, users can browse the directory structure of the selected drives in My Computer or File Explorer, but they cannot open folders and access the contents. Also, they cannot use the Run dialog box or the Map Network Drive dialog box to view the directories on these drives. +If you enable this setting, users can browse the directory structure of the selected drives in My Computer or File Explorer, but they cannot open folders and access the contents (open the files in the folders or see the files in the folders). Also, they cannot use the Run dialog box or the Map Network Drive dialog box to view the directories on these drives. To use this setting, select a drive or combination of drives from the drop-down list. To allow access to all drive directories, disable this setting or select the "Do not restrict drives" option from the drop-down list. @@ -5356,4 +5356,4 @@ ADMX Info: > [!NOTE] > These policies are currently only available as part of a Windows Insider release. - \ No newline at end of file + From 019efaf14e3c7c6c96f349887633c6f737829c8e Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Wed, 26 May 2021 15:53:17 +0500 Subject: [PATCH 125/415] Pointing to the correct link As the content has been moved to MDM, I have updated and pointed to the correct link. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/9451 --- .../create-wip-policy-using-intune-azure.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index c10b2990b3..685e4236d2 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -52,9 +52,9 @@ Before you can create a WIP policy using Intune, you need to configure an MDM or ## Create a WIP policy -1. Sign in to the Azure portal. +1. Sign in to the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/). -2. Open Microsoft Intune and click **Client apps** > **App protection policies** > **Create policy**. +2. Open Microsoft Intune and click **Apps** > **App protection policies** > **Create policy**. ![Open Client apps](images/create-app-protection-policy.png) From 40e95d880a415ce23e428884b318d3f3a75416d3 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Wed, 26 May 2021 11:57:25 +0100 Subject: [PATCH 126/415] Create manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...ows-operating-system-components-to-microsoft-services.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 434a191b14..2704df533b 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -555,6 +555,8 @@ To disable the Microsoft Account Sign-In Assistant: Use Group Policies to manage settings for Microsoft Edge. For more info, see [Microsoft Edge and privacy: FAQ](https://go.microsoft.com/fwlink/p/?LinkId=730682) and [Configure Microsoft Edge policy settings on Windows](/DeployEdge/configure-microsoft-edge). +For a complete list of the Microsoft Edge policies, see [Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](/microsoft-edge/deploy/available-policies). + ### 13.1 Microsoft Edge Group Policies Find the Microsoft Edge Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge**. @@ -590,12 +592,8 @@ Alternatively, you can configure the following Registry keys as described: | Choose whether employees can configure Compatibility View. | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\BrowserEmulation
REG_DWORD: MSCompatibilityMode
Value: **0**| -For a complete list of the Microsoft Edge policies, see [Available policies for Microsoft Edge](/microsoft-edge/deploy/available-policies). - ### 13.2 Microsoft Edge Enterprise -For a complete list of the Microsoft Edge policies, see [Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](/microsoft-edge/deploy/available-policies). - > [!Important] > - The following settings are applicable to Microsoft Edge version 77 or later. > - For details on supported Operating Systems, see [Microsoft Edge supported Operating Systems](/deployedge/microsoft-edge-supported-operating-systems). From 8b81df85ba7de07a89065f78453c9bbf47c8d379 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Wed, 26 May 2021 13:02:58 +0100 Subject: [PATCH 127/415] Update policy-csp-system.md --- windows/client-management/mdm/policy-csp-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 416ea864c1..61558a2ca2 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -1615,7 +1615,7 @@ To enable this behavior, you must complete two steps: - Enable this policy setting - Set the **AllowTelemetry** level: - For Windows 10 version 1809 and older: set **AllowTelemetry** to (Enhanced) - - For Windows 10 version 19H1 and later: set **AllowTelemetry** to Optional (Full). + - For Windows 10 version 19H1 and later: set **AllowTelemetry** to Optional (Full) When you configure these policy settings, a basic level of diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented here: Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics. From 1bf4abff9868c390ded6f4313b9e2d43f088b1b7 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Wed, 26 May 2021 10:22:15 -0700 Subject: [PATCH 128/415] Task ID 33123704 Deleted the merged event tags and id page to rework it under a different branch. --- .../event-id-and-tag-explanations.md | 160 ------------------ 1 file changed, 160 deletions(-) delete mode 100644 windows/security/threat-protection/windows-defender-application-control/event-id-and-tag-explanations.md diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-and-tag-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-and-tag-explanations.md deleted file mode 100644 index 9b21c840e5..0000000000 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-and-tag-explanations.md +++ /dev/null @@ -1,160 +0,0 @@ ---- -title: Understanding Application Control event IDs and tags (Windows 10) -description: Learn what different Windows Defender Application Control event IDs and tags signify. -keywords: security, malware -ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -audience: ITPro -ms.collection: M365-security-compliance -author: jsuther1974 -ms.reviewer: jogeurte -ms.reviewer: v-kikl -ms.author: dansimp -manager: dansimp -ms.date: 5/7/2021 -ms.technology: mde ---- - -## Understanding Application Control event IDs and tags - -A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode. These events include a number of fields, which provide helpful troubleshooting information to figure out exactly what an event means. - -These events are generated under two locations: - -- Event IDs beginning with 30 appear in Applications and Services logs | Microsoft | Windows | CodeIntegrity | Operational - -- Event IDs beginning with 80 appear in Applications and Services logs | Microsoft | Windows | AppLocker | MSI and Script - -## Microsoft Windows CodeIntegrity Operational log event IDs - -| Event ID | Explanation | -|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 3076 | Audit executable/dll file | -| 3077 | Block executable/dll file | -| 3089 | Signing information event correlated with either a 3076 or 3077 event. One 3089 event is generated for each signature of a file. Contains the total number of signatures on a file and an index as to which signature it is. Unsigned files will generate a single 3089 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | -| 3099 | Indicates that a policy has been loaded | - -## Microsoft Windows Applocker MSI and Script log event IDs - -| Event ID | Explanation | -|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 8028 | Audit script/MSI file generated by Windows LockDown Policy (WLDP) being called by the scripthosts themselves. Note: there is no WDAC enforcement on 3rd party scripthosts. | -| 8029 | Block script/MSI file | -| 8038 | Signing information event correlated with either a 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | | - -## Optional Intelligent Security Graph (ISG) or Managed Installer (MI) diagnostic events - -If either the ISG or MI is enabled in a WDAC policy, you can optionally choose to enable 3090, 3091, and 3092 events to provide additional diagnostic information. - -| Event ID | Explanation | -|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 3090 | Allow executable/dll file | -| 3091 | Audit executable/dll file | -| 3092 | Block executable/dll file | - -3090, 3091, and 3092 events are generated based on the status code of whether a binary passed the policy, regardless of what reputation it was given or whether it was allowed by a designated MI. The SmartLocker template which appears in the event should indicate why the binary passed/failed. Only one event is generated per binary pass/fail. If both ISG and MI are disabled, 3090, 3091, and 3092 events will not be generated. - -### SmartLocker template - -Below are the fields which help to diagnose what a 3090, 3091, or 3092 event indicates. - -| Name | Explanation | -|-------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| StatusCode | STATUS_SUCCESS indicates a binary passed the active WDAC policies. If so, a 3090 event is generated. If not, a 3091 event is generated if the blocking policy is in audit mode, and a 3092 event is generated if the policy is in enforce mode. | -| ManagedInstallerEnabled | Policy trusts a MI | -| PassesManagedInstaller | File originated from a trusted MI | -| SmartlockerEnabled | Policy trusts the ISG | -| PassesSmartlocker | File had positive reputation | -| AuditEnabled | True if the policy is in audit mode, otherwise it is in enforce mode | - -### Enabling ISG and MI diagnostic events - -In order to enable 3091 audit events and 3092 block events, you must create a TestFlags regkey with a value of 0x100. You can do so using the following PowerShell command: - -```powershell -reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x100 -``` - -In order to enable 3090 allow events as well as 3091 and 3092 events, you must instead create a TestFlags regkey with a value of 0x300. You can do so using the following PowerShell command: - -```powershell -reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x300 -``` - -## Event Tags - -Below, we have documented the values and meanings for a few useful event tags. - -## SignatureType - -Represents the type of signature which verified the image. - -| SignatureType Value | Explanation | -|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 0 | Unsigned or verification has not been attempted | -| 1 | Embedded signature | -| 2 | Cached signature; presence of CI EA shows that file had been previously verified | -| 3 | Cached catalog verified via Catalog Database or searching catalog directly | -| 4 | Un-cached catalog verified via Catalog Database or searching catalog directly | -| 5 | Successfully verified using an EA that informs CI which catalog to try first | -|6 | AppX / MSIX package catalog verified | -| 7 | File was verified | - -## ValidatedSigningLevel - -Represents the signature level at which the code was verified. - -| ValidatedSigningLevel Value | Explanation | -|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 0 | Signing level has not yet been checked | -| 1 | File is unsigned | -| 2 | Trusted by WDAC policy | -| 3 | Developer signed code | -| 4 | Authenticode signed | -| 5 | Microsoft Store signed app PPL (Protected Process Light) | -| 6 | Microsoft Store-signed | -| 7 | Signed by an Antimalware vendor whose product is using AMPPL | -| 8 | Microsoft signed | -| 11 | Only used for signing of the .NET NGEN compiler | -| 12 | Windows signed | -| 14 | Windows Trusted Computing Base signed | - -## VerificationError - -Represents why verification failed, or if it succeeded. - -| VerificationError Value | Explanation | -|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 0 | Successfully verified signature | -| 1 | File has an invalid hash | -| 2 | File contains shared writable sections | -| 3 | File is not signed| -| 4 | Revoked signature | -| 5 | Expired signature | -| 6 | File is signed using a weak hashing algorithm which does not meet the minimum policy | -| 7 | Invalid root certificate | -| 8 | Signature was unable to be validated; generic error | -| 9 | Signing time not trusted | -| 10 | The file must be signed using page hashes for this scenario | -| 11 | Page hash mismatch | -| 12 | Not valid for a PPL (Protected Process Light) | -| 13 | Not valid for a PP (Protected Process) | -| 14 | The signature is missing the required ARM EKU | -| 15 | Failed WHQL check | -| 16 | Default policy signing level not met | -| 17 | Custom policy signing level not met; returned when signature doesn't validate against an SBCP-defined set of certs | -| 18 | Custom signing level not met; returned if signature fails to match CISigners in UMCI | -| 19 | Binary is revoked by file hash | -| 20 | SHA1 cert hash's timestamp is missing or after valid cutoff as defined by Weak Crypto Policy | -| 21 | Failed to pass WDAC policy | -| 22 | Not IUM (Isolated User Mode) signed; indicates trying to load a non-trustlet binary into a trustlet | -| 23 | Invalid image hash | -| 24 | Flight root not allowed; indicates trying to run flight-signed code on production OS | -| 25 | Anti-cheat policy violation | -| 26 | Explicitly denied by WADC policy | -| 27 | The signing chain appears to be tampered/invalid | -| 28 | Resource page hash mismatch | From 58ca97ae759646943a74b1d3fcb876fd7c63f2c5 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Wed, 26 May 2021 10:40:29 -0700 Subject: [PATCH 129/415] Updated TOC Removed configure managed installer name and href. --- .../windows-defender-application-control/TOC.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/TOC.yml index 8fa33cfe26..2a9d13497a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.yml +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.yml @@ -22,8 +22,6 @@ items: - name: Allow apps installed by a managed installer href: configure-authorized-apps-deployed-with-a-managed-installer.md - - name: Configure managed installer rules - href: configure-authorized-apps-deployed-with-a-managed-installer.md - name: Allow reputable apps with Intelligent Security Graph (ISG) href: use-windows-defender-application-control-with-intelligent-security-graph.md - name: Allow COM object registration From 36673e5b5e4bc2325d6d16345265df3cc9b5a063 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Wed, 26 May 2021 10:45:33 -0700 Subject: [PATCH 130/415] Fixed title heading size --- .../event-id-explanations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index 8aab0d3c1b..26a3b3fd6a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -18,7 +18,7 @@ ms.date: 3/17/2020 ms.technology: mde --- -## Understanding Application Control events +# Understanding Application Control events A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode. These events are generated under two locations: From 09d4ac542c2acf8ddc9bc17c4a332f66c46f50de Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Wed, 26 May 2021 13:14:27 -0700 Subject: [PATCH 131/415] Task ID 23142312 fixed editing issues in root cert section. --- .../event-tag-explanations.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md index e1ea4e1926..bcbeab1e3e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md @@ -107,15 +107,15 @@ The rule means trust anything signed by a cert that chains to this root CA. |7 | Microsoft Standard Root 2011 | |8 | Microsoft Code Verification Root 2006 | |9 | Microsoft Test Root 1999 | -|10 | Microsoft Tes\t Root 2010 | +|10 | Microsoft Test Root 2010 | |11 | Microsoft DMD Test Root 2005 | |12 | Microsoft DMDRoot 2005 | |13 | Microsoft DMD Preview Root 2005 | |14 | Microsoft Flight Root 2014 | |15 | Microsoft Third Party Marketplace Root | -|16 | Microsoft Ecc Testing Root Ca2017 | -|17 | Microsoft Ecc Developmen tRoot Ca 2018 | -|18 | Microsoft Ecc Product Root Ca 2018 | -|19 | Microsoft Ecc Devices Root Ca 2017 | +|16 | Microsoft ECC Testing Root CA 2017 | +|17 | Microsoft ECC Development Root CA 2018 | +|18 | Microsoft ECC Product Root CA 2018 | +|19 | Microsoft ECC Devices Root CA 2017 | For well-known roots, the TBS hashes for the certificates are baked into the code for WDAC. For example, they don’t need to be listed as TBS hashes in the policy file. \ No newline at end of file From 6136ddc0d5d380854ea01aeb2c2fe9ebb336a459 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Wed, 26 May 2021 14:06:10 -0700 Subject: [PATCH 132/415] Updated event-id-explantions Cleaned up the table formatting. --- .../event-id-explanations.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index 26a3b3fd6a..e0c8044cf1 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -29,7 +29,7 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind ## Microsoft Windows CodeIntegrity Operational log event IDs | Event ID | Explanation | -|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +|---|----------| | 3076 | Audit executable/dll file | | 3077 | Block executable/dll file | | 3089 | Signing information event correlated with either a 3076 or 3077 event. One 3089 event is generated for each signature of a file. Contains the total number of signatures on a file and an index as to which signature it is. Unsigned files will generate a single 3089 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | @@ -38,7 +38,7 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind ## Microsoft Windows Applocker MSI and Script log event IDs | Event ID | Explanation | -|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +|---|----------| | 8028 | Audit script/MSI file generated by Windows LockDown Policy (WLDP) being called by the scripthosts themselves. Note: there is no WDAC enforcement on 3rd party scripthosts. | | 8029 | Block script/MSI file | | 8038 | Signing information event correlated with either a 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | | @@ -48,7 +48,7 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind If either the ISG or MI is enabled in a WDAC policy, you can optionally choose to enable 3090, 3091, and 3092 events to provide additional diagnostic information. | Event ID | Explanation | -|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +|---|----------| | 3090 | Allow executable/dll file | | 3091 | Audit executable/dll file | | 3092 | Block executable/dll file | @@ -60,7 +60,7 @@ If either the ISG or MI is enabled in a WDAC policy, you can optionally choose t Below are the fields which help to diagnose what a 3090, 3091, or 3092 event indicates. | Name | Explanation | -|-------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +|---|----------| | StatusCode | STATUS_SUCCESS indicates a binary passed the active WDAC policies. If so, a 3090 event is generated. If not, a 3091 event is generated if the blocking policy is in audit mode, and a 3092 event is generated if the policy is in enforce mode. | | ManagedInstallerEnabled | Policy trusts a MI | | PassesManagedInstaller | File originated from a trusted MI | From faee789b267ba90d691979a343b4bcf8c1432eb9 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Thu, 27 May 2021 09:37:24 -0700 Subject: [PATCH 133/415] Task ID 23142312 and 29028100 Made cosmetic changes to the certificate section in event-tags-explanation, and added a line break before the Figure 1 image in audit-and-enforce. --- ...s-defender-application-control-policies.md | 3 +- .../event-tag-explanations.md | 42 +++++++++---------- 2 files changed, 23 insertions(+), 22 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md index 4b1860ea36..b33cace078 100644 --- a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md @@ -41,7 +41,8 @@ To familiarize yourself with creating WDAC rules from audit events, follow these 2. Review the **CodeIntegrity - Operational** and **AppLocker - MSI and Script** event logs to confirm events, like those shown in Figure 1, are generated related to the application. For information about the types of events you should see, refer to [Understanding Application Control events](event-id-explanations.md). - **Figure 1. Exceptions to the deployed WDAC policy** + **Figure 1. Exceptions to the deployed WDAC policy**
+ ![Event showing exception to WDAC policy](images/dg-fig23-exceptionstocode.png) 3. In an elevated PowerShell session, run the following commands to initialize variables used by this procedure. This procedure builds upon the **Lamna_FullyManagedClients_Audit.xml** policy introduced in [Create a WDAC policy for fully managed devices](create-wdac-policy-for-fully-managed-devices.md) and will produce a new policy called **EventsPolicy.xml**. diff --git a/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md index bcbeab1e3e..76084853c5 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md @@ -94,28 +94,28 @@ Represents why verification failed, or if it succeeded. ## Microsoft Root CAs trusted by Windows -The rule means trust anything signed by a cert that chains to this root CA. +The rule means trust anything signed by a certificate that chains to this root CA. | Root ID | Root Name | |---|----------| -|0| None | -|1| Unknown | -|2 | Self-Signed | -|3 | Authenticode | -|4 | Microsoft Product Root 1997 | -|5 | Microsoft Product Root 2001 | -|6 | Microsoft Product Root 2010 | -|7 | Microsoft Standard Root 2011 | -|8 | Microsoft Code Verification Root 2006 | -|9 | Microsoft Test Root 1999 | -|10 | Microsoft Test Root 2010 | -|11 | Microsoft DMD Test Root 2005 | -|12 | Microsoft DMDRoot 2005 | -|13 | Microsoft DMD Preview Root 2005 | -|14 | Microsoft Flight Root 2014 | -|15 | Microsoft Third Party Marketplace Root | -|16 | Microsoft ECC Testing Root CA 2017 | -|17 | Microsoft ECC Development Root CA 2018 | -|18 | Microsoft ECC Product Root CA 2018 | -|19 | Microsoft ECC Devices Root CA 2017 | +| 0| None | +| 1| Unknown | +| 2 | Self-Signed | +| 3 | Authenticode | +| 4 | Microsoft Product Root 1997 | +| 5 | Microsoft Product Root 2001 | +| 6 | Microsoft Product Root 2010 | +| 7 | Microsoft Standard Root 2011 | +| 8 | Microsoft Code Verification Root 2006 | +| 9 | Microsoft Test Root 1999 | +| 10 | Microsoft Test Root 2010 | +| 11 | Microsoft DMD Test Root 2005 | +| 12 | Microsoft DMDRoot 2005 | +| 13 | Microsoft DMD Preview Root 2005 | +| 14 | Microsoft Flight Root 2014 | +| 15 | Microsoft Third Party Marketplace Root | +| 16 | Microsoft ECC Testing Root CA 2017 | +| 17 | Microsoft ECC Development Root CA 2018 | +| 18 | Microsoft ECC Product Root CA 2018 | +| 19 | Microsoft ECC Devices Root CA 2017 | For well-known roots, the TBS hashes for the certificates are baked into the code for WDAC. For example, they don’t need to be listed as TBS hashes in the policy file. \ No newline at end of file From fd4776ff535ca97031750985250fe33a4572f273 Mon Sep 17 00:00:00 2001 From: Tina Burden Date: Thu, 27 May 2021 15:09:31 -0700 Subject: [PATCH 134/415] Acrolinx style suggestions --- ...lication-control-policy-design-decisions.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md index 9bd69f5bee..7640970646 100644 --- a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md +++ b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md @@ -40,13 +40,13 @@ You should consider using WDAC as part of your organization's application contro ## Decide what policies to create -Beginning with Windows 10, version 1903, WDAC allows [multiple simultaneous policies](deploy-multiple-windows-defender-application-control-policies.md) to be applied to each device. While this opens up many new use cases for organizations, your policy management can easily become unwieldy without a well-thought-out plan for the number and types of policies to create. +Beginning with Windows 10, version 1903, WDAC allows [multiple simultaneous policies](deploy-multiple-windows-defender-application-control-policies.md) to be applied to each device. This opens up many new use cases for organizations, but your policy management can easily become unwieldy without a well-thought-out plan for the number and types of policies to create. The first step is to define the desired "circle-of-trust" for your WDAC policies. By "circle-of-trust", we mean a description of the business intent of the policy expressed in natural language. This "circle-of-trust" definition will guide you as you create the actual policy rules for your policy XML. For example, the DefaultWindows policy, which can be found under %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies, establishes a "circle-of-trust" that allows Windows, 3rd-party hardware and software kernel drivers, and applications from the Microsoft Store. -Microsoft Endpoint Configuration Manager, previously known as System Center Configuration Manager, uses the DefaultWindows policy as the basis for its policy but then modifies the policy rules to allow Configuration Manager and its dependencies, sets the managed installer policy rule, and additionally configures Configuration Manager as a managed installer. It also can optionally authorize apps with positive reputation and perform a one-time scan of folder paths specified by the Configuration Manager administrator which adds rules for any apps found in the specified paths on the managed endpoint. This establishes the "circle-of-trust" for Configuration Manager's native WDAC integration. +Microsoft Endpoint Configuration Manager, previously known as System Center Configuration Manager, uses the DefaultWindows policy as the basis for its policy but then modifies the policy rules to allow Configuration Manager and its dependencies, sets the managed installer policy rule, and additionally configures Configuration Manager as a managed installer. It also can optionally authorize apps with positive reputation and perform a one-time scan of folder paths specified by the Configuration Manager administrator, which adds rules for any apps found in the specified paths on the managed endpoint. This establishes the "circle-of-trust" for Configuration Manager's native WDAC integration. The following questions can help you plan your WDAC deployment and determine the right "circle-of-trust" for your policies. They are not in priority or sequential order and are not meant to be an exhaustive set of design considerations. @@ -54,31 +54,31 @@ The following questions can help you plan your WDAC deployment and determine the ### How are apps managed and deployed in your organization? -Organizations with well-defined, centrally-managed app management and deployment processes can create more restrictive, more secure policies. Other organizations may be able to deploy WDAC with more relaxed rules or may choose to deploy WDAC in audit mode to gain better visibility to the apps being used in their organization. +Organizations with well-defined, centrally managed app management and deployment processes can create more restrictive, more secure policies. Other organizations may be able to deploy WDAC with more relaxed rules or may choose to deploy WDAC in audit mode to gain better visibility to the apps being used in their organization. | Possible answers | Design considerations| | - | - | | All apps are centrally managed and deployed using endpoint management tools like [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager). | Organizations that centrally manage all apps are best-suited for application control. WDAC options like [managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) can make it easy to authorize apps that are deployed by the organization's app distribution management solution. | -| Some apps are centrally managed and deployed, but teams can install additional apps for their members. | [Supplemental policies](deploy-multiple-windows-defender-application-control-policies.md) can be used to allow team-specific exceptions to your core organization-wide WDAC policy. Alternatively, teams can leverage managed installers to install their team-specific apps or admin-only file path rules can be used to allow apps installed by admin users. | +| Some apps are centrally managed and deployed, but teams can install other apps for their members. | [Supplemental policies](deploy-multiple-windows-defender-application-control-policies.md) can be used to allow team-specific exceptions to your core organization-wide WDAC policy. Alternatively, teams can use managed installers to install their team-specific apps or admin-only file path rules can be used to allow apps installed by admin users. | | Users and teams are free to download and install apps but the organization wants to restrict that right to prevalent and reputable apps only. | WDAC can integrate with Microsoft's [Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md) (the same source of intelligence that powers Microsoft Defender Antivirus and Windows Defender SmartScreen) to allow only apps and binaries that have positive reputation. | | Users and teams are free to download and install apps without restriction. | WDAC policies can be deployed in audit mode to gain insight into the apps and binaries running in your organization without impacting user and team productivity.| -### Are internally-developed line-of-business (LOB) apps and apps developed by 3rd parties digitally signed? +### Are internally developed line-of-business (LOB) apps and apps developed by third-party companies digitally signed? Traditional Win32 apps on Windows can run without being digitally signed. This practice can expose Windows devices to malicious or tampered code and presents a security vulnerability to your Windows devices. Adopting code-signing as part of your organization's app development practices or augmenting apps with signed catalog files as part of your app ingestion and distribution can greatly improve the integrity and security of apps used. | Possible answers | Design considerations | | - | - | | All apps used in your organization must be signed. | Organizations that enforce [codesigning](use-code-signing-to-simplify-application-control-for-classic-windows-applications.md) for all executable code are best-positioned to protect their Windows computers from malicious code execution. WDAC rules can be created to authorize apps and binaries from the organization's internal development teams and from trusted independent software vendors (ISV). | -| Apps used in your organization do not need to meet any codesigning requirements. | Organizations can [use built-in Windows 10 tools](deploy-catalog-files-to-support-windows-defender-application-control.md) to add organization-specific App Catalog signatures to existing apps as a part of the app deployment process which can be used to authorize code execution. Solutions like Microsoft Endpoint Manager offer multiple ways to distribute signed App Catalogs. | +| Apps used in your organization do not need to meet any codesigning requirements. | Organizations can [use built-in Windows 10 tools](deploy-catalog-files-to-support-windows-defender-application-control.md) to add organization-specific App Catalog signatures to existing apps as a part of the app deployment process, which can be used to authorize code execution. Solutions like Microsoft Endpoint Manager offer multiple ways to distribute signed App Catalogs. | ### Are there specific groups in your organization that need customized application control policies? -Most business teams or departments have specific security requirements that pertain to data access and the applications used to access that data. You should consider the scope of the project for each group and the group’s priorities before you deploy application control policies for the entire organization. There is overhead in managing policies which may lead you to choose between broad, organization-wide policies and multiple team-specific policies. +Most business teams or departments have specific security requirements that pertain to data access and the applications used to access that data. Consider the scope of the project for each group and the group’s priorities before you deploy application control policies for the entire organization. There is overhead in managing policies that might lead you to choose between broad, organization-wide policies and multiple team-specific policies. | Possible answers | Design considerations | | - | - | -| Yes | WDAC policies can be created unique per team, or team-specific supplemental policies can be used to expand what is allowed by a common, centrally-defined base policy.| +| Yes | WDAC policies can be created unique per team, or team-specific supplemental policies can be used to expand what is allowed by a common, centrally defined base policy.| | No | WDAC policies can be applied globally to applications that are installed on PCs running Windows 10. Depending on the number of apps you need to control, managing all the rules and exceptions might be challenging.| ### Does your IT department have resources to analyze application usage, and to design and manage the policies? @@ -87,7 +87,7 @@ The time and resources that are available to you to perform the research and ana | Possible answers | Design considerations | | - | - | -| Yes | Invest the time to analyze your organization's application control requirements, and plan a complete deployment that uses rules that are as simply constructed as possible.| +| Yes | Invest the time to analyze your organization's application control requirements, and plan a complete deployment that uses rules that are constructed as simply as possible.| | No | Consider a focused and phased deployment for specific groups by using a small number of rules. As you apply controls to applications in a specific group, learn from that deployment to plan your next deployment. Alternatively, you can create a policy with a broad trust profile to authorize as many apps as possible. | ### Does your organization have Help Desk support? From f0bfb149b761d7dbd7fd9f70c4153fe07b6dfb4a Mon Sep 17 00:00:00 2001 From: Tina Burden Date: Thu, 27 May 2021 15:14:24 -0700 Subject: [PATCH 135/415] Acrolinx suggestions --- .../event-id-explanations.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index e0c8044cf1..57043da075 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -35,17 +35,17 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind | 3089 | Signing information event correlated with either a 3076 or 3077 event. One 3089 event is generated for each signature of a file. Contains the total number of signatures on a file and an index as to which signature it is. Unsigned files will generate a single 3089 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | | 3099 | Indicates that a policy has been loaded | -## Microsoft Windows Applocker MSI and Script log event IDs +## Microsoft Windows AppLocker MSI and Script log event IDs | Event ID | Explanation | |---|----------| -| 8028 | Audit script/MSI file generated by Windows LockDown Policy (WLDP) being called by the scripthosts themselves. Note: there is no WDAC enforcement on 3rd party scripthosts. | +| 8028 | Audit script/MSI file generated by Windows LockDown Policy (WLDP) being called by the script hosts themselves. Note: there is no WDAC enforcement on third-party script hosts. | | 8029 | Block script/MSI file | -| 8038 | Signing information event correlated with either a 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | | +| 8038 | Signing information event correlated with either an 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | | ## Optional Intelligent Security Graph (ISG) or Managed Installer (MI) diagnostic events -If either the ISG or MI is enabled in a WDAC policy, you can optionally choose to enable 3090, 3091, and 3092 events to provide additional diagnostic information. +If either the ISG or MI is enabled in a WDAC policy, you can optionally choose to enable 3090, 3091, and 3092 events to provide more diagnostic information. | Event ID | Explanation | |---|----------| @@ -53,11 +53,11 @@ If either the ISG or MI is enabled in a WDAC policy, you can optionally choose t | 3091 | Audit executable/dll file | | 3092 | Block executable/dll file | -3090, 3091, and 3092 events are generated based on the status code of whether a binary passed the policy, regardless of what reputation it was given or whether it was allowed by a designated MI. The SmartLocker template which appears in the event should indicate why the binary passed/failed. Only one event is generated per binary pass/fail. If both ISG and MI are disabled, 3090, 3091, and 3092 events will not be generated. +3090, 3091, and 3092 events are generated based on the status code of whether a binary passed the policy, regardless of what reputation it was given or whether it was allowed by a designated MI. The SmartLocker template that appears in the event should indicate why the binary passed/failed. Only one event is generated per binary pass/fail. If both ISG and MI are disabled, 3090, 3091, and 3092 events will not be generated. ### SmartLocker template -Below are the fields which help to diagnose what a 3090, 3091, or 3092 event indicates. +Below are the fields that help to diagnose what a 3090, 3091, or 3092 event indicates. | Name | Explanation | |---|----------| @@ -76,7 +76,7 @@ In order to enable 3091 audit events and 3092 block events, you must create a Te reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x100 ``` -In order to enable 3090 allow events as well as 3091 and 3092 events, you must instead create a TestFlags regkey with a value of 0x300. You can do so using the following PowerShell command: +To enable 3090 allow events, and 3091 and 3092 events, you must instead create a TestFlags regkey with a value of 0x300. You can do so using the following PowerShell command: ```powershell reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x300 From dd1035c3bea09135690426df189d95ee2f5f29a0 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Thu, 27 May 2021 15:29:19 -0700 Subject: [PATCH 136/415] Task ID 33452921 Created an Appendix table that lists other IDs and their descriptions. --- .../event-id-explanations.md | 39 +++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index e0c8044cf1..80c6a5ba40 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -81,3 +81,42 @@ In order to enable 3090 allow events as well as 3091 and 3092 events, you must i ```powershell reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x300 ``` + +## Appendix +A list of other relevant event IDs and their corresponding description. +| Event ID | Description | +|---|----------| +| 3001 | An unsigned driver was attempted to load on the system. | +| 3002 | Code Integrity could not verify the boot image as the page hash could not be found. | +| 3004 | Code Integrity could not verify the file as the page hash could not be found. | +| 3010 | The catalog containing the signature for the file under validation is invalid. | +| 3011 | Code Integrity finished loading the signature catalog. | +| 3012 | Code Integrity started loading the signature catalog. | +| 3023 | The driver file under validation did not meet the requirements to pass the application control policy. | +| 3024 | Windows application control was unable to refresh the boot catalog file. | +| 3026 | The catalog loaded is signed by a signing certificate that has been revoked by Microsoft and/or the certificate issuing authority. | +| 3033 | The file under validation did not meet the requirements to pass the application control policy. | +| 3034 | The file under validation would not meet the requirements to pass the application control policy if the policy was enforced. The file was allowed since the policy is in audit mode. |  +| 3036 | The signed file under validation is signed by a code signing certificate that has been revoked by Microsoft or the certificate issuing authority. | +| 3064 | A user mode DLL under validation would not meet the requirements to pass the application control policy, if the policy was enforced. The DLL was allowed since the policy is in audit mode. |  +| 3065 | [Ignored] A user mode DLL under validation would not meet the requirements to pass the application control policy, if the policy was enforced. | +| 3074 | Page hash failure while hypervisor-protected code integrity was enabled. | +| 3075 | This event monitors the performance of the Code Integrity policy check a file. | +| 3079 | The file under validation did not meet the requirements to pass the application control policy. | +| 3080 | The file under validation would not have me the requirements to pass the application control policy, if the policy was in enforced mode. | +| 3081 | The file under validation did not meet the requirements to pass the application control policy. | +| 3082 | The non-WHQL driver would have been denied by the policy, if the policy was in enforced mode. | +| 3084 | Code Integrity will enforce theWHQL Required policy setting on this session. | +| 3085 | Code Integrity will not enforce theWHQL Required policy setting on this session. | +| 3086 | The file under validation does not meet the signing requirements for an IUM (isolated user mode) process. | +| 3095 | This Code Integrity policy cannot be refreshed and must be rebooted instead. | +| 3097 | The Code Integrity policy cannot be refreshed. | +| 3100 | The application control policy was refreshed but was unsuccessfully activated. Retry. | +| 3101 | Code Integrity started refreshing the policy. | +| 3102 | Code Integrity finished refreshing the policy. | +| 3103 | Code Integrity is ignoring the policy refresh. | +| 3104 | The file under validation does not meet the signing requirements for a PPL (protected process light) process. | +| 3105 | Code Integrity is attempting to refresh the policy. | +| 3108 | Windows mode change event was successful. | +| 3110 | Windows mode change event was unsuccessful. | +| 3111 | The file under validation did not meet the hypervisor-protected code integrity (HVCI) policy. | \ No newline at end of file From d70b314e191ba01105099d7dd2bd7dad19356d6e Mon Sep 17 00:00:00 2001 From: Tina Burden Date: Thu, 27 May 2021 15:55:49 -0700 Subject: [PATCH 137/415] Update windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md --- ...-and-enforce-windows-defender-application-control-policies.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md index b33cace078..c1d7ac7c71 100644 --- a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md @@ -12,7 +12,6 @@ audience: ITPro ms.collection: M365-security-compliance author: jsuther1974 ms.reviewer: jogeurte -ms.reviewer: v-kikl ms.author: dansimp manager: dansimp ms.date: 05/03/2021 From 0cfeae94b048e6f419c24ef7dc61987cec8d40bb Mon Sep 17 00:00:00 2001 From: Tina Burden Date: Thu, 27 May 2021 16:14:17 -0700 Subject: [PATCH 138/415] warning fix...hopefully --- .../deployment/deploy-wdac-policies-with-script.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md index a0308dfadc..7f2b24da54 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md @@ -54,7 +54,7 @@ This topic describes how to deploy Windows Defender Application Control (WDAC) p ### Deploying signed policies -In addition to the steps outlined above, the binary policy file must also be copied to the device's EFI partition. Deploying your policy via [MEM](deploy-windows-defender-application-control-policies-using-intune.md) or the [Application Control CSP](#Deploying-multiple-policies-via-ApplicationControl-CSP) will handle this step automatically. +In addition to the steps outlined above, the binary policy file must also be copied to the device's EFI partition. Deploying your policy via [MEM](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md) or the [Application Control CSP](#Deploying-multiple-policies-via-ApplicationControl-CSP) will handle this step automatically. 1. Mount the EFI volume and make the directory, if it does not exist, in an elevated PowerShell prompt: ```powershell From 8b92722dde241f87092e60f7d8dd00f78ff4493d Mon Sep 17 00:00:00 2001 From: Tina Burden Date: Thu, 27 May 2021 16:21:24 -0700 Subject: [PATCH 139/415] bookmark not found warning --- .../deployment/deploy-wdac-policies-with-script.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md index 7f2b24da54..00adfbb261 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md @@ -54,7 +54,7 @@ This topic describes how to deploy Windows Defender Application Control (WDAC) p ### Deploying signed policies -In addition to the steps outlined above, the binary policy file must also be copied to the device's EFI partition. Deploying your policy via [MEM](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md) or the [Application Control CSP](#Deploying-multiple-policies-via-ApplicationControl-CSP) will handle this step automatically. +In addition to the steps outlined above, the binary policy file must also be copied to the device's EFI partition. Deploying your policy via [MEM](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md) or the Application Control CSP will handle this step automatically. 1. Mount the EFI volume and make the directory, if it does not exist, in an elevated PowerShell prompt: ```powershell From 33f8a4a189719cb68b8f9d4f017d469d5bdffc1b Mon Sep 17 00:00:00 2001 From: Tina Burden Date: Thu, 27 May 2021 16:44:21 -0700 Subject: [PATCH 140/415] edit --- .../deployment/deploy-wdac-policies-with-script.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md index 00adfbb261..ca2d5fed65 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md @@ -54,7 +54,7 @@ This topic describes how to deploy Windows Defender Application Control (WDAC) p ### Deploying signed policies -In addition to the steps outlined above, the binary policy file must also be copied to the device's EFI partition. Deploying your policy via [MEM](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md) or the Application Control CSP will handle this step automatically. +In addition to the steps outlined above, the binary policy file must also be copied to the device's EFI partition. Deploying your policy via [MEM](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) or the Application Control CSP will handle this step automatically. 1. Mount the EFI volume and make the directory, if it does not exist, in an elevated PowerShell prompt: ```powershell From 48d7e752113825973a1f2559ea6c14009dd7e3d6 Mon Sep 17 00:00:00 2001 From: Tina Burden Date: Thu, 27 May 2021 16:55:49 -0700 Subject: [PATCH 141/415] Update windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md --- .../event-tag-explanations.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md index 76084853c5..2ae5aa34a4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md @@ -95,6 +95,7 @@ Represents why verification failed, or if it succeeded. ## Microsoft Root CAs trusted by Windows The rule means trust anything signed by a certificate that chains to this root CA. + | Root ID | Root Name | |---|----------| | 0| None | @@ -118,4 +119,4 @@ The rule means trust anything signed by a certificate that chains to this root C | 18 | Microsoft ECC Product Root CA 2018 | | 19 | Microsoft ECC Devices Root CA 2017 | -For well-known roots, the TBS hashes for the certificates are baked into the code for WDAC. For example, they don’t need to be listed as TBS hashes in the policy file. \ No newline at end of file +For well-known roots, the TBS hashes for the certificates are baked into the code for WDAC. For example, they don’t need to be listed as TBS hashes in the policy file. From 1a2e96258aa3aa28174c0ff6bf0d467836fe5257 Mon Sep 17 00:00:00 2001 From: v-hearya Date: Fri, 28 May 2021 22:14:28 +0530 Subject: [PATCH 142/415] faq-md-app-guard.md converted into yml --- .../TOC.yml | 2 +- .../faq-md-app-guard.yml | 200 ++++++++++++++++++ .../md-app-guard-overview.md | 2 +- 3 files changed, 202 insertions(+), 2 deletions(-) create mode 100644 windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/TOC.yml b/windows/security/threat-protection/microsoft-defender-application-guard/TOC.yml index c77a91d3e5..ee887e168a 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/TOC.yml +++ b/windows/security/threat-protection/microsoft-defender-application-guard/TOC.yml @@ -12,4 +12,4 @@ - name: Microsoft Defender Application Guard Extension href: md-app-guard-browser-extension.md - name: FAQ - href: faq-md-app-guard.md + href: faq-md-app-guard.yml diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml new file mode 100644 index 0000000000..7b33d23616 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml @@ -0,0 +1,200 @@ +### YamlMime:FAQ +metadata: + title: FAQ - Microsoft Defender Application Guard (Windows 10) + description: Learn about the commonly asked questions and answers for Microsoft Defender Application Guard. + ms.prod: m365-security + ms.mktglfcycl: manage + ms.sitesec: library + ms.pagetype: security + ms.localizationpriority: medium + author: denisebmsft + ms.author: deniseb + ms.date: 05/12/2021 + ms.reviewer: + manager: dansimp + ms.custom: asr + ms.technology: mde + +title: Frequently asked questions - Microsoft Defender Application Guard +summary: | + **Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559) + + This article lists frequently asked questions with answers for Microsoft Defender Application Guard (Application Guard). Questions span features, integration with the Windows operating system, and general configuration. + + ## Frequently Asked Questions + +sections: + - name: Frequently Asked Questions + questions: + - question: | + Can I enable Application Guard on machines equipped with 4-GB RAM? + answer: | + We recommend 8-GB RAM for optimal performance but you can use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration. + + `HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount` (Default is four cores.) + + `HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB` (Default is 8 GB.) + + `HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB` (Default is 5 GB.) + + - question: | + Can employees download documents from the Application Guard Edge session onto host devices? + answer: | + In Windows 10 Enterprise edition, version 1803, users are able to download documents from the isolated Application Guard container to the host PC. This capability is managed by policy. + + In Windows 10 Enterprise edition, version 1709, or Windows 10 Professional edition, version 1803, it is not possible to download files from the isolated Application Guard container to the host computer. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device. + + - question: | + Can employees copy and paste between the host device and the Application Guard Edge session? + answer: | + Depending on your organization's settings, employees can copy and paste images (.bmp) and text to and from the isolated container. + + - question: | + Why don't employees see their favorites in the Application Guard Edge session? + answer: | + Depending on your organization’s settings, it might be that Favorites Sync is turned off. To manage the policy, see: [Microsoft Edge and Microsoft Defender Application Guard | Microsoft Docs](/deployedge/microsoft-edge-security-windows-defender-application-guard) + + - question: | + Why aren’t employees able to see their extensions in the Application Guard Edge session? + answer: | + Make sure to enable the extensions policy on your Application Guard configuration. + + - question: | + How do I configure Microsoft Defender Application Guard to work with my network proxy (IP-Literal Addresses)? + answer: | + Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This applies to Windows 10 Enterprise edition, version 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune. + + - question: | + Which Input Method Editors (IME) in 19H1 are not supported? + answer: | + The following Input Method Editors (IME) introduced in Windows 10, version 1903 are currently not supported in Microsoft Defender Application Guard: + + - Vietnam Telex keyboard + - Vietnam number key-based keyboard + - Hindi phonetic keyboard + - Bangla phonetic keyboard + - Marathi phonetic keyboard + - Telugu phonetic keyboard + - Tamil phonetic keyboard + - Kannada phonetic keyboard + - Malayalam phonetic keyboard + - Gujarati phonetic keyboard + - Odia phonetic keyboard + - Punjabi phonetic keyboard + + - question: | + I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering? + answer: | + This feature is currently experimental only and is not functional without an additional registry key provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, contact Microsoft and we’ll work with you to enable the feature. + + - question: | + What is the WDAGUtilityAccount local account? + answer: | + WDAGUtilityAccount is part of Application Guard, beginning with Windows 10, version 1709 (Fall Creators Update). It remains disabled by default, unless Application Guard is enabled on your device. WDAGUtilityAccount is used to sign in to the Application Guard container as a standard user with a random password. It is NOT a malicious account. If *Run as a service* permissions are revoked for this account, you might see the following error: + + **Error: 0x80070569, Ext error: 0x00000001; RDP: Error: 0x00000000, Ext error: 0x00000000 Location: 0x00000000** + + We recommend that you do not modify this account. + + - question: | + How do I trust a subdomain in my site list? + answer: | + To trust a subdomain, you must precede your domain with two dots (..). For example: `..contoso.com` ensures that `mail.contoso.com` or `news.contoso.com` are trusted. The first dot represents the strings for the subdomain name (mail or news), and the second dot recognizes the start of the domain name (`contoso.com`). This prevents sites such as `fakesitecontoso.com` from being trusted. + + - question: | + Are there differences between using Application Guard on Windows Pro vs Windows Enterprise? + answer: | + When using Windows Pro or Windows Enterprise, you have access to using Application Guard in Standalone Mode. However, when using Enterprise you have access to Application Guard in Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](./install-md-app-guard.md). + + - question: | + Is there a size limit to the domain lists that I need to configure? + answer: | + Yes, both the Enterprise Resource domains that are hosted in the cloud and the domains that are categorized as both work and personal have a 16383-B limit. + + - question: | + Why does my encryption driver break Microsoft Defender Application Guard? + answer: | + Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**). + + - question: | + Why do the Network Isolation policies in Group Policy and CSP look different? + answer: | + There is not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatory network isolation policies to deploy Application Guard are different between CSP and GP. + + - Mandatory network isolation GP policy to deploy Application Guard: **DomainSubnets or CloudResources** + + - Mandatory network isolation CSP policy to deploy Application Guard: **EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)** + + - For EnterpriseNetworkDomainNames, there is no mapped CSP policy. + + Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**). + + - question: | + Why did Application Guard stop working after I turned off hyperthreading? + answer: | + If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility Application Guard no longer meets the minimum requirements. + + - question: | + Why am I getting the error message "ERROR_VIRTUAL_DISK_LIMITATION"? + answer: | + Application Guard might not work correctly on NTFS compressed volumes. If this issue persists, try uncompressing the volume. + + - question: | + Why am I getting the error message "ERR_NAME_NOT_RESOLVED" after not being able to reach the PAC file? + answer: | + This is a known issue. To mitigate this you need to create two firewall rules. For information about creating a firewall rule by using Group Policy, see the following resources: + + - [Create an inbound icmp rule](../windows-firewall/create-an-inbound-icmp-rule.md) + - [Open Group Policy management console for Microsoft Defender Firewall](../windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md) + + - question: | + Why can I not launch Application Guard when Exploit Guard is enabled? + answer: | + There is a known issue such that if you change the Exploit Protection settings for CFG and possibly others, hvsimgr cannot launch. To mitigate this issue, go to **Windows Security** > **App and Browser control** > **Exploit Protection Setting**, and then switch CFG to **use default**. + + - question: | + How can I disable portions of ICS without breaking Application Guard? + answer: | + ICS is enabled by default in Windows, and ICS must be enabled in order for Application Guard to function correctly. We do not recommend disabling ICS; however, you can disable ICS in part by using a Group Policy and editing registry keys. + + 1. In the Group Policy setting, **Prohibit use of Internet Connection Sharing on your DNS domain network**, set it to **Disabled**. + + 2. Disable IpNat.sys from ICS load as follows:
+ `System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1` + + 3. Configure ICS (SharedAccess) to enabled as follows:
+ `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 3` + + 4. (This is optional) Disable IPNAT as follows:
+ `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4` + + 5. Reboot the device. + + - question: | + Why doesn't the container fully load when device control policies are enabled? + answer: | + Allow-listed items must be configured as "allowed" in the Group Policy Object to ensure AppGuard works properly. + + Policy: Allow installation of devices that match any of the following device IDs: + + - `SCSI\DiskMsft____Virtual_Disk____` + - `{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\msvhdhba` + - `VMS_VSF` + - `root\Vpcivsp` + - `root\VMBus` + - `vms_mp` + - `VMS_VSP` + - `ROOT\VKRNLINTVSP` + - `ROOT\VID` + - `root\storvsp` + - `vms_vsmp` + - `VMS_PP` + + Policy: Allow installation of devices using drivers that match these device setup classes + - `{71a27cdd-812a-11d0-bec7-08002be2092f}` + +additionalContent: | + + ## See also + + [Configure Microsoft Defender Application Guard policy settings](./configure-md-app-guard.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md index 9c41f91b39..83850f5a21 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md @@ -52,5 +52,5 @@ Application Guard has been created to target several types of devices: |[Testing scenarios using Microsoft Defender Application Guard in your business or organization](test-scenarios-md-app-guard.md)|Provides a list of suggested testing scenarios that you can use to test Application Guard in your organization.| | [Microsoft Defender Application Guard Extension for web browsers](md-app-guard-browser-extension.md) | Describes the Application Guard extension for Chrome and Firefox, including known issues, and a troubleshooting guide | | [Microsoft Defender Application Guard for Microsoft Office](/microsoft-365/security/office-365-security/install-app-guard) | Describes Application Guard for Microsoft Office, including minimum hardware requirements, configuration, and a troubleshooting guide | -|[Frequently asked questions - Microsoft Defender Application Guard](faq-md-app-guard.md)|Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration.| +|[Frequently asked questions - Microsoft Defender Application Guard](faq-md-app-guard.yml)|Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration.| |[Use a network boundary to add trusted sites on Windows devices in Microsoft Intune](/mem/intune/configuration/network-boundary-windows)|Network boundary, a feature that helps you protect your environment from sites that aren't trusted by your organization.| \ No newline at end of file From a2805311479b72e7604e7ff21fd28d6d919a18c9 Mon Sep 17 00:00:00 2001 From: v-hearya Date: Fri, 28 May 2021 22:57:26 +0530 Subject: [PATCH 143/415] faq-md-app-guard.md deleted & updated .yml --- .../faq-md-app-guard.md | 210 ------------------ .../faq-md-app-guard.yml | 35 +++ 2 files changed, 35 insertions(+), 210 deletions(-) delete mode 100644 windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md deleted file mode 100644 index 0e4406aaa5..0000000000 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md +++ /dev/null @@ -1,210 +0,0 @@ ---- -title: FAQ - Microsoft Defender Application Guard (Windows 10) -description: Learn about the commonly asked questions and answers for Microsoft Defender Application Guard. -ms.prod: m365-security -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: denisebmsft -ms.author: deniseb -ms.date: 05/12/2021 -ms.reviewer: -manager: dansimp -ms.custom: asr -ms.technology: mde ---- - -# Frequently asked questions - Microsoft Defender Application Guard - -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -This article lists frequently asked questions with answers for Microsoft Defender Application Guard (Application Guard). Questions span features, integration with the Windows operating system, and general configuration. - -## Frequently Asked Questions - -### Can I enable Application Guard on machines equipped with 4-GB RAM? - -We recommend 8-GB RAM for optimal performance but you can use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration. - -`HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount` (Default is four cores.) - -`HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB` (Default is 8 GB.) - -`HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB` (Default is 5 GB.) - -### Can employees download documents from the Application Guard Edge session onto host devices? - -In Windows 10 Enterprise edition, version 1803, users are able to download documents from the isolated Application Guard container to the host PC. This capability is managed by policy. - -In Windows 10 Enterprise edition, version 1709, or Windows 10 Professional edition, version 1803, it is not possible to download files from the isolated Application Guard container to the host computer. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device. - -### Can employees copy and paste between the host device and the Application Guard Edge session? - -Depending on your organization's settings, employees can copy and paste images (.bmp) and text to and from the isolated container. - -### Why don't employees see their favorites in the Application Guard Edge session? - -Depending on your organization’s settings, it might be that Favorites Sync is turned off. To manage the policy, see: [Microsoft Edge and Microsoft Defender Application Guard | Microsoft Docs](/deployedge/microsoft-edge-security-windows-defender-application-guard) - -### Why aren’t employees able to see their extensions in the Application Guard Edge session? - -Make sure to enable the extensions policy on your Application Guard configuration. - -### How do I configure Microsoft Defender Application Guard to work with my network proxy (IP-Literal Addresses)? - -Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This applies to Windows 10 Enterprise edition, version 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune. - -### Which Input Method Editors (IME) in 19H1 are not supported? - -The following Input Method Editors (IME) introduced in Windows 10, version 1903 are currently not supported in Microsoft Defender Application Guard: - -- Vietnam Telex keyboard -- Vietnam number key-based keyboard -- Hindi phonetic keyboard -- Bangla phonetic keyboard -- Marathi phonetic keyboard -- Telugu phonetic keyboard -- Tamil phonetic keyboard -- Kannada phonetic keyboard -- Malayalam phonetic keyboard -- Gujarati phonetic keyboard -- Odia phonetic keyboard -- Punjabi phonetic keyboard - -### I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering? - -This feature is currently experimental only and is not functional without an additional registry key provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, contact Microsoft and we’ll work with you to enable the feature. - -### What is the WDAGUtilityAccount local account? - -WDAGUtilityAccount is part of Application Guard, beginning with Windows 10, version 1709 (Fall Creators Update). It remains disabled by default, unless Application Guard is enabled on your device. WDAGUtilityAccount is used to sign in to the Application Guard container as a standard user with a random password. It is NOT a malicious account. If *Run as a service* permissions are revoked for this account, you might see the following error: - -**Error: 0x80070569, Ext error: 0x00000001; RDP: Error: 0x00000000, Ext error: 0x00000000 Location: 0x00000000** - -We recommend that you do not modify this account. - -### How do I trust a subdomain in my site list? - -To trust a subdomain, you must precede your domain with two dots (..). For example: `..contoso.com` ensures that `mail.contoso.com` or `news.contoso.com` are trusted. The first dot represents the strings for the subdomain name (mail or news), and the second dot recognizes the start of the domain name (`contoso.com`). This prevents sites such as `fakesitecontoso.com` from being trusted. - -### Are there differences between using Application Guard on Windows Pro vs Windows Enterprise? - -When using Windows Pro or Windows Enterprise, you have access to using Application Guard in Standalone Mode. However, when using Enterprise you have access to Application Guard in Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](./install-md-app-guard.md). - -### Is there a size limit to the domain lists that I need to configure? - -Yes, both the Enterprise Resource domains that are hosted in the cloud and the domains that are categorized as both work and personal have a 16383-B limit. - -### Why does my encryption driver break Microsoft Defender Application Guard? - -Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**). - -### Why do the Network Isolation policies in Group Policy and CSP look different? - -There is not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatory network isolation policies to deploy Application Guard are different between CSP and GP. - -- Mandatory network isolation GP policy to deploy Application Guard: **DomainSubnets or CloudResources** - -- Mandatory network isolation CSP policy to deploy Application Guard: **EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)** - -- For EnterpriseNetworkDomainNames, there is no mapped CSP policy. - -Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**). - -### Why did Application Guard stop working after I turned off hyperthreading? - -If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility Application Guard no longer meets the minimum requirements. - -### Why am I getting the error message "ERROR_VIRTUAL_DISK_LIMITATION"? - -Application Guard might not work correctly on NTFS compressed volumes. If this issue persists, try uncompressing the volume. - -### Why am I getting the error message "ERR_NAME_NOT_RESOLVED" after not being able to reach the PAC file? - -This is a known issue. To mitigate this you need to create two firewall rules. For information about creating a firewall rule by using Group Policy, see the following resources: - -- [Create an inbound icmp rule](../windows-firewall/create-an-inbound-icmp-rule.md) -- [Open Group Policy management console for Microsoft Defender Firewall](../windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md) - -#### First rule (DHCP Server) -1. Program path: `%SystemRoot%\System32\svchost.exe` - -2. Local Service: `Sid: S-1-5-80-2009329905-444645132-2728249442-922493431-93864177 (Internet Connection Service (SharedAccess))` - -3. Protocol UDP - -4. Port 67 - -#### Second rule (DHCP Client) -This is the same as the first rule, but scoped to local port 68. In the Microsoft Defender Firewall user interface go through the following steps: - -1. Right-click on inbound rules, and then create a new rule. - -2. Choose **custom rule**. - -3. Specify the following program path: `%SystemRoot%\System32\svchost.exe`. - -4. Specify the following settings: - - Protocol Type: UDP - - Specific ports: 67 - - Remote port: any - -5. Specify any IP addresses. - -6. Allow the connection. - -7. Specify to use all profiles. - -8. The new rule should show up in the user interface. Right click on the **rule** > **properties**. - -9. In the **Programs and services** tab, under the **Services** section, select **settings**. - -10. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**. - -### Why can I not launch Application Guard when Exploit Guard is enabled? - -There is a known issue such that if you change the Exploit Protection settings for CFG and possibly others, hvsimgr cannot launch. To mitigate this issue, go to **Windows Security** > **App and Browser control** > **Exploit Protection Setting**, and then switch CFG to **use default**. - -### How can I disable portions of ICS without breaking Application Guard? - -ICS is enabled by default in Windows, and ICS must be enabled in order for Application Guard to function correctly. We do not recommend disabling ICS; however, you can disable ICS in part by using a Group Policy and editing registry keys. - -1. In the Group Policy setting, **Prohibit use of Internet Connection Sharing on your DNS domain network**, set it to **Disabled**. - -2. Disable IpNat.sys from ICS load as follows:
-`System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1` - -3. Configure ICS (SharedAccess) to enabled as follows:
-`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 3` - -4. (This is optional) Disable IPNAT as follows:
-`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4` - -5. Reboot the device. - -### Why doesn't the container fully load when device control policies are enabled? - -Allow-listed items must be configured as "allowed" in the Group Policy Object to ensure AppGuard works properly. - -Policy: Allow installation of devices that match any of the following device IDs: - -- `SCSI\DiskMsft____Virtual_Disk____` -- `{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\msvhdhba` -- `VMS_VSF` -- `root\Vpcivsp` -- `root\VMBus` -- `vms_mp` -- `VMS_VSP` -- `ROOT\VKRNLINTVSP` -- `ROOT\VID` -- `root\storvsp` -- `vms_vsmp` -- `VMS_PP` - -Policy: Allow installation of devices using drivers that match these device setup classes -- `{71a27cdd-812a-11d0-bec7-08002be2092f}` - -## See also - -[Configure Microsoft Defender Application Guard policy settings](./configure-md-app-guard.md) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml index 7b33d23616..aef33b9815 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml @@ -146,6 +146,41 @@ sections: - [Create an inbound icmp rule](../windows-firewall/create-an-inbound-icmp-rule.md) - [Open Group Policy management console for Microsoft Defender Firewall](../windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md) + + ### First rule (DHCP Server) + 1. Program path: `%SystemRoot%\System32\svchost.exe` + + 2. Local Service: `Sid: S-1-5-80-2009329905-444645132-2728249442-922493431-93864177 (Internet Connection Service (SharedAccess))` + + 3. Protocol UDP + + 4. Port 67 + + ### Second rule (DHCP Client) + This is the same as the first rule, but scoped to local port 68. In the Microsoft Defender Firewall user interface go through the following steps: + + 1. Right-click on inbound rules, and then create a new rule. + + 2. Choose **custom rule**. + + 3. Specify the following program path: `%SystemRoot%\System32\svchost.exe`. + + 4. Specify the following settings: + - Protocol Type: UDP + - Specific ports: 67 + - Remote port: any + + 5. Specify any IP addresses. + + 6. Allow the connection. + + 7. Specify to use all profiles. + + 8. The new rule should show up in the user interface. Right click on the **rule** > **properties**. + + 9. In the **Programs and services** tab, under the **Services** section, select **settings**. + + 10. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**. - question: | Why can I not launch Application Guard when Exploit Guard is enabled? From 2bef916b8d6fb2e52d9ab2776f4a4968ddb2fa67 Mon Sep 17 00:00:00 2001 From: v-hearya Date: Fri, 28 May 2021 23:31:37 +0530 Subject: [PATCH 144/415] ie-edge-faqs.md converted into yml --- browsers/internet-explorer/TOC.yml | 2 +- .../kb-support/ie-edge-faqs.md | 220 ----------------- .../kb-support/ie-edge-faqs.yml | 233 ++++++++++++++++++ 3 files changed, 234 insertions(+), 221 deletions(-) delete mode 100644 browsers/internet-explorer/kb-support/ie-edge-faqs.md create mode 100644 browsers/internet-explorer/kb-support/ie-edge-faqs.yml diff --git a/browsers/internet-explorer/TOC.yml b/browsers/internet-explorer/TOC.yml index 077879a18d..2c6602e1de 100644 --- a/browsers/internet-explorer/TOC.yml +++ b/browsers/internet-explorer/TOC.yml @@ -356,6 +356,6 @@ - name: KB Troubleshoot items: - name: Internet Explorer and Microsoft Edge FAQ for IT Pros - href: kb-support/ie-edge-faqs.md + href: kb-support/ie-edge-faqs.yml - name: Microsoft Edge and Internet Explorer troubleshooting href: /troubleshoot/browsers/welcome-browsers diff --git a/browsers/internet-explorer/kb-support/ie-edge-faqs.md b/browsers/internet-explorer/kb-support/ie-edge-faqs.md deleted file mode 100644 index 3e2d6c100e..0000000000 --- a/browsers/internet-explorer/kb-support/ie-edge-faqs.md +++ /dev/null @@ -1,220 +0,0 @@ ---- -title: IE and Microsoft Edge FAQ for IT Pros -description: Describes frequently asked questions about Internet Explorer and Microsoft Edge for IT professionals. -audience: ITPro -manager: msmets -author: ramakoni1 -ms.author: ramakoni -ms.reviewer: ramakoni, DEV_Triage -ms.prod: internet-explorer -ms.technology: -ms.topic: kb-support -ms.custom: CI=111020 -ms.localizationpriority: medium -ms.date: 01/23/2020 ---- -# Internet Explorer and Microsoft Edge frequently asked questions (FAQ) for IT Pros - -## Cookie-related questions - -### What is a cookie? - -An HTTP cookie (the web cookie or browser cookie) is a small piece of data that a server sends to the user's web browser. The web browser may store the cookie and return it to the server together with the next request. For example, a cookie might be used to indicate whether two requests come from the same browser in order to allow the user to remain logged-in. The cookie records stateful information for the stateless HTTP protocol. - -### How does Internet Explorer handle cookies? - -For more information about how Internet Explorer handles cookies, see the following articles: - -- [Beware Cookie Sharing in Cross-Zone Scenarios](/archive/blogs/ieinternals/beware-cookie-sharing-in-cross-zone-scenarios) -- [A Quick Look at P3P](/archive/blogs/ieinternals/a-quick-look-at-p3p) -- [Internet Explorer Cookie Internals FAQ](/archive/blogs/ieinternals/internet-explorer-cookie-internals-faq) -- [Privacy Beyond Blocking Cookies](/archive/blogs/ie/privacy-beyond-blocking-cookies-bringing-awareness-to-third-party-content) -- [Description of Cookies](https://support.microsoft.com/help/260971/description-of-cookies) - -### Where does Internet Explorer store cookies? - -To see where Internet Explorer stores its cookies, follow these steps: - -1. Start File Explorer. -2. Select **Views** \> **Change folder and search options**. -3. In the **Folder Options** dialog box, select **View**. -4. In **Advanced settings**, select **Do not show hidden files, folders, or drivers**. -5. Clear **Hide protected operation system files (Recommended)**. -6. Select **Apply**. -7. Select **OK**. - -The following are the folder locations where the cookies are stored: - -**In Windows 10** -C:\Users\username\AppData\Local\Microsoft\Windows\INetCache - -**In Windows 8 and Windows 8.1** -C:\Users\username\AppData\Local\Microsoft\Windows\INetCookies - -**In Windows 7** -C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies -C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies\Low - -### What is the per-domain cookie limit? - -Since the June 2018 cumulative updates for Internet Explorer and Microsoft Edge, the per-domain cookie limit is increased from 50 to 180 for both browsers. The cookies vary by path. So, if the same cookie is set for the same domain but for different paths, it's essentially a new cookie. - -There's still a 5 Kilobytes (KB) limit on the size of the cookie header that is sent out. This limit can cause some cookies to be lost after they exceed that value. - -The JavaScript limitation was updated to 10 KB from 4 KB. - -For more information, see [Internet Explorer Cookie Internals (FAQ)](/archive/blogs/ieinternals/internet-explorer-cookie-internals-faq). - -#### Additional information about cookie limits - -**What does the Cookie RFC allow?** -RFC 2109 defines how cookies should be implemented, and it defines minimum values that browsers support. According to the RFC, browsers would ideally have no limits on the size and number of cookies that a browser can handle. To meet the specifications, the user agent should support the following: - -- At least 300 cookies total -- At least 20 cookies per unique host or domain name - -For practicality, individual browser makers set a limit on the total number of cookies that any one domain or unique host can set. They also limit the total number of cookies that can be stored on a computer. - -### Cookie size limit per domain - -Some browsers also limit the amount of space that any one domain can use for cookies. This means that if your browser sets a limit of 4,096 bytes per domain for cookies, 4,096 bytes is the maximum available space in that domain even though you can set up to 180 cookies. - -## Proxy Auto Configuration (PAC)-related questions - -### Is an example Proxy Auto Configuration (PAC) file available? - -Here is a simple PAC file: - -```vb -function FindProxyForURL(url, host) -{ - return "PROXY proxyserver:portnumber"; -} -``` - -> [!NOTE] -> The previous PAC always returns the **proxyserver:portnumber** proxy. - -For more information about how to write a PAC file and about the different functions in a PAC file, see [the FindProxyForURL website](https://findproxyforurl.com/). - -**Third-party information disclaimer** -The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products. - -### How to improve performance by using PAC scripts - -- [Browser is slow to respond when you use an automatic configuration script](https://support.microsoft.com/help/315810/browser-is-slow-to-respond-when-you-use-an-automatic-configuration-scr) -- [Optimizing performance with automatic Proxyconfiguration scripts (PAC)](https://blogs.msdn.microsoft.com/askie/2014/02/07/optimizing-performance-with-automatic-proxyconfiguration-scripts-pac/) - -## Other questions - -### How to set home and start pages in Microsoft Edge and allow user editing - -For more information, see the following blog article: - -[How do I set the home page in Microsoft Edge?](https://blogs.msdn.microsoft.com/askie/2017/10/04/how-do-i-set-the-home-page-in-edge/) - -### How to add sites to the Enterprise Mode (EMIE) site list - -For more information about how to add sites to an EMIE list, see [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](../ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md). - -### What is Content Security Policy (CSP)? - -By using [Content Security Policy](/microsoft-edge/dev-guide/security/content-security-policy), you create an allow list of sources of trusted content in the HTTP headers. You also pre-approve certain servers for content that is loaded into a webpage, and instruct the browser to execute or render only resources from those sources. You can use this technique to prevent malicious content from being injected into sites. - -Content Security Policy is supported in all versions of Microsoft Edge. It lets web developers lock down the resources that can be used by their web application. This helps prevent [cross-site scripting](https://en.wikipedia.org/wiki/Cross-site_scripting) attacks that remain a common vulnerability on the web. However, the first version of Content Security Policy was difficult to implement on websites that used inline script elements that either pointed to script sources or contained script directly. - -CSP2 makes these scenarios easier to manage by adding support for nonces and hashes for script and style resources. A nonce is a cryptographically strong random value that is generated on each page load that appears in both the CSP policy and in the script tags on the page. Using nonces can help minimize the need to maintain a list of allowed source URL values while also allowing trusted scripts that are declared in script elements to run. - -For more information, see the following articles: - -- [Introducing support for Content Security Policy Level 2](https://blogs.windows.com/msedgedev/2017/01/10/edge-csp-2/) -- [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) - -### Where to find Internet Explorer security zones registry entries - -Most of the Internet Zone entries can be found in [Internet Explorer security zones registry entries for advanced users](https://support.microsoft.com/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users). - -This article was written for Internet Explorer 6 but is still applicable to Internet Explorer 11. - -The default Zone Keys are stored in the following locations: - -- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones -- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones - -### Why don't HTML5 videos play in Internet Explorer 11? - -To play HTML5 videos in the Internet Zone, use the default settings or make sure that the registry key value of **2701** under **Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3** is set to **0**. - -- 0 (the default value): Allow -- 3: Disallow - -This key is read by the **URLACTION\_ALLOW\_AUDIO\_VIDEO 0x00002701** URL action flag that determines whether media elements (audio and video) are allowed in pages in a URL security zone. - -For more information, see [Unable to play HTML5 Videos in IE](/archive/blogs/askie/unable-to-play-html5-videos-in-ie). - -For Windows 10 N and Windows KN editions, you must also download the feature pack that is discussed in [Media feature pack for Windows 10 N and Windows 10 KN editions](https://support.microsoft.com/help/3010081/media-feature-pack-for-windows-10-n-and-windows-10-kn-editions). - -For more information about how to check Windows versions, see [Which version of Windows operating system am I running?](https://support.microsoft.com/help/13443/windows-which-version-am-i-running) - -### What is the Enterprise Mode Site List Portal? - -This is a new feature to add sites to your enterprise mode site list XML. For more information, see [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal). - -### What is Enterprise Mode Feature? - -For more information about this topic, see [Enterprise Mode and the Enterprise Mode Site List](../ie11-deploy-guide/what-is-enterprise-mode.md). - -### Where can I obtain a list of HTTP Status codes? - -For information about this list, see [HTTP Status Codes](/windows/win32/winhttp/http-status-codes). - -### What is end of support for Internet Explorer 11? - -Internet Explorer 11 is the last major version of Internet Explorer. Internet Explorer 11 will continue receiving security updates and technical support for the lifecycle of the version of Windows on which it is installed. - -For more information, see [Lifecycle FAQ — Internet Explorer and Edge](https://support.microsoft.com/help/17454/lifecycle-faq-internet-explorer). - -### How to configure TLS (SSL) for Internet Explorer - -For more information about how to configure TLS/SSL for Internet Explorer, see [Group Policy Setting to configure TLS/SSL](https://gpsearch.azurewebsites.net/#380). - -### What is Site to Zone? - -Site to Zone usually refers to one of the following: - -**Site to Zone Assignment List** -This is a Group Policy policy setting that can be used to add sites to the various security zones. - -The Site to Zone Assignment List policy setting associates sites to zones by using the following values for the Internet security zones: - -- Intranet zone -- Trusted Sites zone -- Internet zone -- Restricted Sites zone - -If you set this policy setting to **Enabled**, you can enter a list of sites and their related zone numbers. By associating a site to a zone, you can make sure that the security settings for the specified zone are applied to the site. - -**Site to Zone Mapping** -Site to Zone Mapping is stored as the name of the key. The protocol is a registry value that has a number that assigns it to the corresponding zone. Internet Explorer will read from the following registry subkeys for the sites that are deployed through the Site to Zone assignment list: - -- HKEY\_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap -- HKEY\_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey - -**Site to Zone Assignment List policy** -This policy setting is available for both Computer Configuration and User Configuration: - -- Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page -- User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page - -**References** -[How to configure Internet Explorer security zone sites using group polices](/archive/blogs/askie/how-to-configure-internet-explorer-security-zone-sites-using-group-polices) - -### What are the limits for MaxConnectionsPerServer, MaxConnectionsPer1_0Server for the current versions of Internet Explorer? - -For more information about these settings and limits, see [Connectivity Enhancements in Windows Internet Explorer 8](/previous-versions/cc304129(v=vs.85)). - -### What is the MaxConnectionsPerProxy setting, and what are the maximum allowed values for this setting? - -The **MaxConnectionsPerProxy** setting controls the number of connections that a single-user client can maintain to a given host by using a proxy server. - -For more information, see [Understanding Connection Limits and New Proxy Connection Limits in WinInet and Internet Explorer](/archive/blogs/jpsanders/understanding-connection-limits-and-new-proxy-connection-limits-in-wininet-and-internet-explorer). \ No newline at end of file diff --git a/browsers/internet-explorer/kb-support/ie-edge-faqs.yml b/browsers/internet-explorer/kb-support/ie-edge-faqs.yml new file mode 100644 index 0000000000..8c6a0be253 --- /dev/null +++ b/browsers/internet-explorer/kb-support/ie-edge-faqs.yml @@ -0,0 +1,233 @@ +### YamlMime:FAQ +metadata: + title: IE and Microsoft Edge FAQ for IT Pros + description: Describes frequently asked questions about Internet Explorer and Microsoft Edge for IT professionals. + audience: ITPro + manager: msmets + author: ramakoni1 + ms.author: ramakoni + ms.reviewer: ramakoni, DEV_Triage + ms.prod: internet-explorer + ms.technology: + ms.topic: kb-support + ms.custom: CI=111020 + ms.localizationpriority: medium + ms.date: 01/23/2020 + +title: Internet Explorer and Microsoft Edge frequently asked questions (FAQ) for IT Pros +summary: | + +sections: + - name: Cookie-related questions + questions: + - question: | + What is a cookie? + answer: | + An HTTP cookie (the web cookie or browser cookie) is a small piece of data that a server sends to the user's web browser. The web browser may store the cookie and return it to the server together with the next request. For example, a cookie might be used to indicate whether two requests come from the same browser in order to allow the user to remain logged-in. The cookie records stateful information for the stateless HTTP protocol. + + - question: | + How does Internet Explorer handle cookies? + answer: | + For more information about how Internet Explorer handles cookies, see the following articles: + + - [Beware Cookie Sharing in Cross-Zone Scenarios](/archive/blogs/ieinternals/beware-cookie-sharing-in-cross-zone-scenarios) + - [A Quick Look at P3P](/archive/blogs/ieinternals/a-quick-look-at-p3p) + - [Internet Explorer Cookie Internals FAQ](/archive/blogs/ieinternals/internet-explorer-cookie-internals-faq) + - [Privacy Beyond Blocking Cookies](/archive/blogs/ie/privacy-beyond-blocking-cookies-bringing-awareness-to-third-party-content) + - [Description of Cookies](https://support.microsoft.com/help/260971/description-of-cookies) + + - question: | + Where does Internet Explorer store cookies? + answer: | + To see where Internet Explorer stores its cookies, follow these steps: + + 1. Start File Explorer. + 2. Select **Views** \> **Change folder and search options**. + 3. In the **Folder Options** dialog box, select **View**. + 4. In **Advanced settings**, select **Do not show hidden files, folders, or drivers**. + 5. Clear **Hide protected operation system files (Recommended)**. + 6. Select **Apply**. + 7. Select **OK**. + + The following are the folder locations where the cookies are stored: + + **In Windows 10** + C:\Users\username\AppData\Local\Microsoft\Windows\INetCache + + **In Windows 8 and Windows 8.1** + C:\Users\username\AppData\Local\Microsoft\Windows\INetCookies + + **In Windows 7** + C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies + C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies\Low + + - question: | + What is the per-domain cookie limit? + answer: | + Since the June 2018 cumulative updates for Internet Explorer and Microsoft Edge, the per-domain cookie limit is increased from 50 to 180 for both browsers. The cookies vary by path. So, if the same cookie is set for the same domain but for different paths, it's essentially a new cookie. + + There's still a 5 Kilobytes (KB) limit on the size of the cookie header that is sent out. This limit can cause some cookies to be lost after they exceed that value. + + The JavaScript limitation was updated to 10 KB from 4 KB. + + For more information, see [Internet Explorer Cookie Internals (FAQ)](/archive/blogs/ieinternals/internet-explorer-cookie-internals-faq). + + - question: | + Cookie size limit per domain + answer: | + Some browsers also limit the amount of space that any one domain can use for cookies. This means that if your browser sets a limit of 4,096 bytes per domain for cookies, 4,096 bytes is the maximum available space in that domain even though you can set up to 180 cookies. + + - name: Proxy Auto Configuration (PAC)-related questions + questions: + - question: | + Is an example Proxy Auto Configuration (PAC) file available? + answer: | + Here is a simple PAC file: + + ```vb + function FindProxyForURL(url, host) + { + return "PROXY proxyserver:portnumber"; + } + ``` + + > [!NOTE] + > The previous PAC always returns the **proxyserver:portnumber** proxy. + + For more information about how to write a PAC file and about the different functions in a PAC file, see [the FindProxyForURL website](https://findproxyforurl.com/). + + **Third-party information disclaimer** + The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products. + + - question: | + How to improve performance by using PAC scripts + answer: | + - [Browser is slow to respond when you use an automatic configuration script](https://support.microsoft.com/help/315810/browser-is-slow-to-respond-when-you-use-an-automatic-configuration-scr) + - [Optimizing performance with automatic Proxyconfiguration scripts (PAC)](https://blogs.msdn.microsoft.com/askie/2014/02/07/optimizing-performance-with-automatic-proxyconfiguration-scripts-pac/) + + - name: Other questions + questions: + - question: | + How to set home and start pages in Microsoft Edge and allow user editing + answer: | + For more information, see the following blog article: + + [How do I set the home page in Microsoft Edge?](https://blogs.msdn.microsoft.com/askie/2017/10/04/how-do-i-set-the-home-page-in-edge/) + + - question: | + How to add sites to the Enterprise Mode (EMIE) site list + answer: | + For more information about how to add sites to an EMIE list, see [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](../ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md). + + - question: | + What is Content Security Policy (CSP)? + answer: | + By using [Content Security Policy](/microsoft-edge/dev-guide/security/content-security-policy), you create an allow list of sources of trusted content in the HTTP headers. You also pre-approve certain servers for content that is loaded into a webpage, and instruct the browser to execute or render only resources from those sources. You can use this technique to prevent malicious content from being injected into sites. + + Content Security Policy is supported in all versions of Microsoft Edge. It lets web developers lock down the resources that can be used by their web application. This helps prevent [cross-site scripting](https://en.wikipedia.org/wiki/Cross-site_scripting) attacks that remain a common vulnerability on the web. However, the first version of Content Security Policy was difficult to implement on websites that used inline script elements that either pointed to script sources or contained script directly. + + CSP2 makes these scenarios easier to manage by adding support for nonces and hashes for script and style resources. A nonce is a cryptographically strong random value that is generated on each page load that appears in both the CSP policy and in the script tags on the page. Using nonces can help minimize the need to maintain a list of allowed source URL values while also allowing trusted scripts that are declared in script elements to run. + + For more information, see the following articles: + + - [Introducing support for Content Security Policy Level 2](https://blogs.windows.com/msedgedev/2017/01/10/edge-csp-2/) + - [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) + + - question: | + Where to find Internet Explorer security zones registry entries + answer: | + Most of the Internet Zone entries can be found in [Internet Explorer security zones registry entries for advanced users](https://support.microsoft.com/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users). + + This article was written for Internet Explorer 6 but is still applicable to Internet Explorer 11. + + The default Zone Keys are stored in the following locations: + + - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones + - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones + + - question: | + Why don't HTML5 videos play in Internet Explorer 11? + answer: | + To play HTML5 videos in the Internet Zone, use the default settings or make sure that the registry key value of **2701** under **Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3** is set to **0**. + + - 0 (the default value): Allow + - 3: Disallow + + This key is read by the **URLACTION\_ALLOW\_AUDIO\_VIDEO 0x00002701** URL action flag that determines whether media elements (audio and video) are allowed in pages in a URL security zone. + + For more information, see [Unable to play HTML5 Videos in IE](/archive/blogs/askie/unable-to-play-html5-videos-in-ie). + + For Windows 10 N and Windows KN editions, you must also download the feature pack that is discussed in [Media feature pack for Windows 10 N and Windows 10 KN editions](https://support.microsoft.com/help/3010081/media-feature-pack-for-windows-10-n-and-windows-10-kn-editions). + + For more information about how to check Windows versions, see [Which version of Windows operating system am I running?](https://support.microsoft.com/help/13443/windows-which-version-am-i-running) + + - question: | + What is the Enterprise Mode Site List Portal? + answer: | + This is a new feature to add sites to your enterprise mode site list XML. For more information, see [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal). + + - question: | + What is Enterprise Mode Feature? + answer: | + For more information about this topic, see [Enterprise Mode and the Enterprise Mode Site List](../ie11-deploy-guide/what-is-enterprise-mode.md). + + - question: | + Where can I obtain a list of HTTP Status codes? + answer: | + For information about this list, see [HTTP Status Codes](/windows/win32/winhttp/http-status-codes). + + - question: | + What is end of support for Internet Explorer 11? + answer: | + Internet Explorer 11 is the last major version of Internet Explorer. Internet Explorer 11 will continue receiving security updates and technical support for the lifecycle of the version of Windows on which it is installed. + + For more information, see [Lifecycle FAQ — Internet Explorer and Edge](https://support.microsoft.com/help/17454/lifecycle-faq-internet-explorer). + + - question: | + How to configure TLS (SSL) for Internet Explorer + answer: | + For more information about how to configure TLS/SSL for Internet Explorer, see [Group Policy Setting to configure TLS/SSL](https://gpsearch.azurewebsites.net/#380). + + - question: | + What is Site to Zone? + answer: | + Site to Zone usually refers to one of the following: + + **Site to Zone Assignment List** + This is a Group Policy policy setting that can be used to add sites to the various security zones. + + The Site to Zone Assignment List policy setting associates sites to zones by using the following values for the Internet security zones: + + - Intranet zone + - Trusted Sites zone + - Internet zone + - Restricted Sites zone + + If you set this policy setting to **Enabled**, you can enter a list of sites and their related zone numbers. By associating a site to a zone, you can make sure that the security settings for the specified zone are applied to the site. + + **Site to Zone Mapping** + Site to Zone Mapping is stored as the name of the key. The protocol is a registry value that has a number that assigns it to the corresponding zone. Internet Explorer will read from the following registry subkeys for the sites that are deployed through the Site to Zone assignment list: + + - HKEY\_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap + - HKEY\_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey + + **Site to Zone Assignment List policy** + This policy setting is available for both Computer Configuration and User Configuration: + + - Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page + - User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page + + **References** + [How to configure Internet Explorer security zone sites using group polices](/archive/blogs/askie/how-to-configure-internet-explorer-security-zone-sites-using-group-polices) + + - question: | + What are the limits for MaxConnectionsPerServer, MaxConnectionsPer1_0Server for the current versions of Internet Explorer? + answer: | + For more information about these settings and limits, see [Connectivity Enhancements in Windows Internet Explorer 8](/previous-versions/cc304129(v=vs.85)). + + - question: | + What is the MaxConnectionsPerProxy setting, and what are the maximum allowed values for this setting? + answer: | + The **MaxConnectionsPerProxy** setting controls the number of connections that a single-user client can maintain to a given host by using a proxy server. + + For more information, see [Understanding Connection Limits and New Proxy Connection Limits in WinInet and Internet Explorer](/archive/blogs/jpsanders/understanding-connection-limits-and-new-proxy-connection-limits-in-wininet-and-internet-explorer). From 14fc19ef109aa2cc8d229eeabfba46d8aa3c4b9b Mon Sep 17 00:00:00 2001 From: v-hearya Date: Fri, 28 May 2021 23:57:54 +0530 Subject: [PATCH 145/415] missing content added --- .../internet-explorer/kb-support/ie-edge-faqs.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/browsers/internet-explorer/kb-support/ie-edge-faqs.yml b/browsers/internet-explorer/kb-support/ie-edge-faqs.yml index 8c6a0be253..7bc45c1ec2 100644 --- a/browsers/internet-explorer/kb-support/ie-edge-faqs.yml +++ b/browsers/internet-explorer/kb-support/ie-edge-faqs.yml @@ -71,6 +71,18 @@ sections: The JavaScript limitation was updated to 10 KB from 4 KB. For more information, see [Internet Explorer Cookie Internals (FAQ)](/archive/blogs/ieinternals/internet-explorer-cookie-internals-faq). + + - name: Additional information about cookie limits + questions: + - question: | + What does the Cookie RFC allow? + answer: | + RFC 2109 defines how cookies should be implemented, and it defines minimum values that browsers support. According to the RFC, browsers would ideally have no limits on the size and number of cookies that a browser can handle. To meet the specifications, the user agent should support the following: + + - At least 300 cookies total + - At least 20 cookies per unique host or domain name + + For practicality, individual browser makers set a limit on the total number of cookies that any one domain or unique host can set. They also limit the total number of cookies that can be stored on a computer. - question: | Cookie size limit per domain From 1f87678437a9f81518b72325058fd4ed9dff4e15 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Fri, 28 May 2021 12:13:29 -0700 Subject: [PATCH 146/415] Task ID 33452921 - edited some appendix items Also increased column spacing for the tables. --- .../event-id-explanations.md | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index 80c6a5ba40..0e97655117 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -29,7 +29,7 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind ## Microsoft Windows CodeIntegrity Operational log event IDs | Event ID | Explanation | -|---|----------| +| -------- | ----------- | | 3076 | Audit executable/dll file | | 3077 | Block executable/dll file | | 3089 | Signing information event correlated with either a 3076 or 3077 event. One 3089 event is generated for each signature of a file. Contains the total number of signatures on a file and an index as to which signature it is. Unsigned files will generate a single 3089 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | @@ -38,7 +38,7 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind ## Microsoft Windows Applocker MSI and Script log event IDs | Event ID | Explanation | -|---|----------| +| -------- | ----------- | | 8028 | Audit script/MSI file generated by Windows LockDown Policy (WLDP) being called by the scripthosts themselves. Note: there is no WDAC enforcement on 3rd party scripthosts. | | 8029 | Block script/MSI file | | 8038 | Signing information event correlated with either a 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | | @@ -48,7 +48,7 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind If either the ISG or MI is enabled in a WDAC policy, you can optionally choose to enable 3090, 3091, and 3092 events to provide additional diagnostic information. | Event ID | Explanation | -|---|----------| +| -------- | ----------- | | 3090 | Allow executable/dll file | | 3091 | Audit executable/dll file | | 3092 | Block executable/dll file | @@ -60,7 +60,7 @@ If either the ISG or MI is enabled in a WDAC policy, you can optionally choose t Below are the fields which help to diagnose what a 3090, 3091, or 3092 event indicates. | Name | Explanation | -|---|----------| +| -------- | ----------- | | StatusCode | STATUS_SUCCESS indicates a binary passed the active WDAC policies. If so, a 3090 event is generated. If not, a 3091 event is generated if the blocking policy is in audit mode, and a 3092 event is generated if the policy is in enforce mode. | | ManagedInstallerEnabled | Policy trusts a MI | | PassesManagedInstaller | File originated from a trusted MI | @@ -85,7 +85,7 @@ reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x ## Appendix A list of other relevant event IDs and their corresponding description. | Event ID | Description | -|---|----------| +| -------- | ----------- | | 3001 | An unsigned driver was attempted to load on the system. | | 3002 | Code Integrity could not verify the boot image as the page hash could not be found. | | 3004 | Code Integrity could not verify the file as the page hash could not be found. | @@ -98,16 +98,16 @@ A list of other relevant event IDs and their corresponding description. | 3033 | The file under validation did not meet the requirements to pass the application control policy. | | 3034 | The file under validation would not meet the requirements to pass the application control policy if the policy was enforced. The file was allowed since the policy is in audit mode. |  | 3036 | The signed file under validation is signed by a code signing certificate that has been revoked by Microsoft or the certificate issuing authority. | -| 3064 | A user mode DLL under validation would not meet the requirements to pass the application control policy, if the policy was enforced. The DLL was allowed since the policy is in audit mode. |  -| 3065 | [Ignored] A user mode DLL under validation would not meet the requirements to pass the application control policy, if the policy was enforced. | +| 3064 | If the policy was enforced, a user mode DLL under validation would not meet the requirements to pass the application control policy. The DLL was allowed since the policy is in audit mode. |  +| 3065 | [Ignored] If the policy was enforced, a user mode DLL under validation would not meet the requirements to pass the application control policy. | | 3074 | Page hash failure while hypervisor-protected code integrity was enabled. | | 3075 | This event monitors the performance of the Code Integrity policy check a file. | | 3079 | The file under validation did not meet the requirements to pass the application control policy. | -| 3080 | The file under validation would not have me the requirements to pass the application control policy, if the policy was in enforced mode. | +| 3080 | If the policy was in enforced mode, the file under validation would not have meet the requirements to pass the application control policy. | | 3081 | The file under validation did not meet the requirements to pass the application control policy. | -| 3082 | The non-WHQL driver would have been denied by the policy, if the policy was in enforced mode. | -| 3084 | Code Integrity will enforce theWHQL Required policy setting on this session. | -| 3085 | Code Integrity will not enforce theWHQL Required policy setting on this session. | +| 3082 | If the policy was in enforced mode, the non-WHQL driver would have been denied by the policy. | +| 3084 | Code Integrity will enforce the WHQL Required policy setting on this session. | +| 3085 | Code Integrity will not enforce the WHQL Required policy setting on this session. | | 3086 | The file under validation does not meet the signing requirements for an IUM (isolated user mode) process. | | 3095 | This Code Integrity policy cannot be refreshed and must be rebooted instead. | | 3097 | The Code Integrity policy cannot be refreshed. | From beebe88cac054ccf99f32b09d7a64273fe7c11c9 Mon Sep 17 00:00:00 2001 From: Andrew Rathbun <36825567+rathbuna@users.noreply.github.com> Date: Sat, 29 May 2021 21:54:11 -0400 Subject: [PATCH 147/415] Update required-windows-diagnostic-data-events-and-fields-2004.md Minor spelling errors --- .../required-windows-diagnostic-data-events-and-fields-2004.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md index 67158554c1..7a756bffcb 100644 --- a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md +++ b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md @@ -6355,7 +6355,7 @@ The following fields are available: ### Microsoft.Windows.WERVertical.OSCrash -This event sends binary data from the collected dump file wheneveer a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event. +This event sends binary data from the collected dump file whenever a bug check occurs, to help keep Windows up to date. This is the OneCore version of this event. The following fields are available: From 6ac2a0bc368fced5f672d96224d9e54f53891fa1 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Mon, 31 May 2021 12:51:27 +0100 Subject: [PATCH 148/415] Update policy-csp-system.md --- .../client-management/mdm/policy-csp-system.md | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 61558a2ca2..9497ff874d 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -748,11 +748,14 @@ The following list shows the supported values for Windows 10 version 1809 and ol Most restricted value is 0. -The following list shows the supported values for Windows 10 version 19H1 and later: +For Windows 10 version 19H1 and later we simplified your diagnostic data controls by moving from four diagnostic data controls to three. The following list shows the supported values: -- **Diagnostic data off** - No Windows diagnostic data sent. -- **Required (Basic)** - Minimum data required to keep the device secure, up to date, and performing as expected. -- **Optional (Full)** - Additional data about the websites you browse, how Windows and apps are used and how they perform. This data also includes data about device activity, and enhanced error reporting that helps Microsoft to fix and improve products and services for all users. +- **0 - Diagnostic data off** - No Windows diagnostic data sent. +- **1 - Required (Basic)** - Minimum data required to keep the device secure, up to date, and performing as expected. +- **3 - Optional (Full)** - Additional data about the websites you browse, how Windows and apps are used and how they perform. This data also includes data about device activity, and enhanced error reporting that helps Microsoft to fix and improve products and services for all users. + +> [!NOTE] +> If your devices are set to Enhanced when they are upgraded, the device settings will be migrated to the more privacy-preserving setting of Required diagnostic data. For more information, see [Changes to Windows diagnostic data](/windows/privacy/changes-to-windows-diagnostic-data-collection). \ No newline at end of file + From e41479bca6a0e65258440054adaec42a36b7a21b Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Mon, 31 May 2021 12:59:35 +0100 Subject: [PATCH 149/415] Update policy-csp-system.md --- windows/client-management/mdm/policy-csp-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 9497ff874d..905ec90ac2 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -748,7 +748,7 @@ The following list shows the supported values for Windows 10 version 1809 and ol Most restricted value is 0. -For Windows 10 version 19H1 and later we simplified your diagnostic data controls by moving from four diagnostic data controls to three. The following list shows the supported values: +For Windows 10 version 19H1 and later, we simplified your diagnostic data controls by moving from four diagnostic data controls to three. The following list shows the supported values: - **0 - Diagnostic data off** - No Windows diagnostic data sent. - **1 - Required (Basic)** - Minimum data required to keep the device secure, up to date, and performing as expected. From 7107ab412c37ffd773259e679092a50de0d09c0a Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Mon, 31 May 2021 18:47:32 +0530 Subject: [PATCH 150/415] Update windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md accepted Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../applocker/applocker-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md index 0a97c8aeb0..29d54546be 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md @@ -83,7 +83,7 @@ The following are examples of scenarios in which AppLocker can be used: - In addition to other measures, you need to control the access to sensitive data through app usage. > [!NOTE] -> AppLocker is a defense-in-depth security feature and not a security boundary. [Windows Defender Application Control](https://www.microsoft.com/msrc/windows-security-servicing-criteria) should be used when the goal is to provide robust protection against a threat and there are expected to be no by-design limitations that would prevent the security feature from achieving this goal. +> AppLocker is a defense-in-depth security feature and not a [security boundary](https://www.microsoft.com/msrc/windows-security-servicing-criteria). [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview) should be used when the goal is to provide robust protection against a threat and there are expected to be no by-design limitations that would prevent the security feature from achieving this goal. AppLocker can help you protect the digital assets within your organization, reduce the threat of malicious software being introduced into your environment, and improve the management of application control and the maintenance of application control policies. From 626b77e4ed9b834bf19a1fa8aa9be371d04c6ef3 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Mon, 31 May 2021 19:03:44 +0530 Subject: [PATCH 151/415] removed invalid link added new link as per user report issue #9584 , so I removed invalid link and added new link --- windows/whats-new/ltsc/whats-new-windows-10-2019.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md index 74b961fb89..92a7eacf49 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md @@ -484,9 +484,9 @@ Previously, the customized taskbar could only be deployed using Group Policy or ### Windows Insider for Business -We recently added the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (AAD). By enrolling devices in AAD, you increase the visibility of feedback submitted by users in your organization – especially on features that support your specific business needs. For details, see [Windows Insider Program for Business](/windows/deployment/update/waas-windows-insider-for-business). +We recently added the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (AAD). By enrolling devices in AAD, you increase the visibility of feedback submitted by users in your organization – especially on features that support your specific business needs. For details, see [Windows Insider Program for Business](https://insider.windows.com/for-business). -You can now register your Azure AD domains to the Windows Insider Program. For more information, see [Windows Insider Program for Business](/windows/deployment/update/waas-windows-insider-for-business#getting-started-with-windows-insider-program-for-business). +You can now register your Azure AD domains to the Windows Insider Program. For more information, see [Windows Insider Program for Business](https://insider.windows.com/for-business). ### Optimize update delivery @@ -642,4 +642,4 @@ See the following example: ## See Also -[Windows 10 Enterprise LTSC](index.md): A short description of the LTSC servicing channel with links to information about each release. \ No newline at end of file +[Windows 10 Enterprise LTSC](index.md): A short description of the LTSC servicing channel with links to information about each release. From 59af80564b27c765a665efb11f5d695326ac0643 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Mon, 31 May 2021 21:51:04 +0530 Subject: [PATCH 152/415] removed device word this is my own PR i removed word **Device** --- windows/client-management/mdm/healthattestation-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index 3463de078b..7ba60128fb 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md @@ -1,5 +1,5 @@ --- -title: Device HealthAttestation CSP +title: HealthAttestation CSP description: Learn how the DHA-CSP enables enterprise IT managers to assess if a device is booted to a trusted and compliant state, and take enterprise policy actions. ms.assetid: 6F2D783C-F6B4-4A81-B9A2-522C4661D1AC ms.reviewer: From 818a12067925afaadc3bc520df2a63a3c25d6ff1 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Mon, 31 May 2021 23:48:21 +0530 Subject: [PATCH 153/415] formatted table properly. added cross check marks this is my own PR, 01. I added Checkmarks only for Business edition if under Professional and Enterprise are already added Checkmarks 02. I added Crossmarks only for Business edition if under Professional and Enterprise are already added Crossmarks 03. Removed the following words **Only for mobile application management (MAM)** **Provisioning only** 04. Added footnotes **A- Only for mobile application management (MAM)** **B- Provisioning only** --- ...onfiguration-service-provider-reference.md | 160 +++++++++--------- 1 file changed, 79 insertions(+), 81 deletions(-) diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 90f132759c..35baca9f52 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -71,7 +71,7 @@ Additional lists:
cross mark check mark4cross markcheck mark4 check mark4 check mark4 cross mark
check mark check markcheck mark check mark check mark check mark
cross mark cross markcross mark cross mark cross mark cross mark
check mark check markcheck mark check mark check mark check mark
check mark check markcheck mark check mark check mark check mark
cross mark check mark3check mark check mark check mark cross mark
check mark check markcheck mark check mark check mark check mark
cross mark cross markcross mark cross mark cross mark cross mark
check mark3 check mark3check mark3 check mark3 check mark3 check mark
cross mark cross markcross mark cross mark cross mark check mark1
check mark2 check mark2check mark2 check mark2 check mark2 check mark
check mark3 check mark3check mark3 check mark3 check mark3 check mark
check mark2 check mark2check mark2 check mark2 check mark2 check mark
check mark check markcheck mark check mark check mark check mark
check mark check markcheck mark check mark check mark check mark
cross mark cross markcross mark cross mark cross mark cross mark
check mark check markcheck mark check mark check mark check mark
check mark check markcheck mark check mark check mark check mark
check mark check markcheck mark check mark check mark cross mark
check mark check markcheck mark check mark check mark check mark
check mark check markcheck mark check mark check mark check mark
cross mark cross markcross mark cross mark cross mark check mark
cross mark cross markcross mark cross mark cross mark check mark
check mark check mark check mark check mark check mark
check mark check mark check mark check mark check mark
check mark check markcheck mark check mark check mark check mark
check mark check markcheck mark check mark check mark check mark
check mark2 check mark2check mark2 check mark2 check mark2 check mark
cross mark cross markcross mark cross mark cross mark check mark
cross mark cross markcross mark cross mark cross mark check mark
check mark -Only for mobile application management (MAM)check mark check mark check mark check mark check mark
cross mark check mark check mark check markcross markcheck mark cross mark
@@ -1092,7 +1089,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark check mark @@ -1118,7 +1115,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark check mark @@ -1144,7 +1141,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -1168,7 +1165,7 @@ Additional lists: Mobile - + cross mark check mark3 check mark3 check mark3 @@ -1196,10 +1193,10 @@ Additional lists: cross mark cross mark - cross mark cross mark - check mark (Provisioning only) + cross mark + check markB @@ -1248,7 +1245,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -1274,7 +1271,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark check mark @@ -1300,7 +1297,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark check mark @@ -1378,7 +1375,7 @@ Additional lists: cross mark check mark - + check mark check mark check mark check mark @@ -1404,7 +1401,7 @@ Additional lists: cross mark check mark - + check mark check mark check mark check mark @@ -1482,7 +1479,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -1534,7 +1531,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -1560,7 +1557,7 @@ Additional lists: cross mark check mark - + check mark check mark check mark check mark @@ -1586,7 +1583,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -1638,7 +1635,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -1664,7 +1661,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark check mark @@ -1688,12 +1685,12 @@ Additional lists: Mobile - check mark (Provisioning only) - check mark (Provisioning only) - - check mark (Provisioning only) - check mark (Provisioning only) - check mark (Provisioning only) + check markB + check markB + check markB + check markB + check markB + check markB @@ -1716,7 +1713,7 @@ Additional lists: cross mark check mark - + check mark check mark check mark check mark @@ -1742,7 +1739,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark check mark @@ -1768,7 +1765,7 @@ Additional lists: cross mark check mark - + check mark check mark check mark check mark @@ -1794,7 +1791,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark check mark @@ -1820,7 +1817,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark check mark @@ -1846,7 +1843,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -1872,7 +1869,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -1898,7 +1895,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -1924,7 +1921,7 @@ Additional lists: cross mark check mark - + check mark check mark check mark check mark @@ -1950,7 +1947,7 @@ Additional lists: cross mark check mark1 - + check mark1 check mark1 check mark1 cross mark @@ -1976,7 +1973,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -2002,7 +1999,7 @@ Additional lists: cross mark check mark1 - + check mark1 check mark1 check mark1 cross mark @@ -2028,7 +2025,7 @@ Additional lists: cross mark check mark - + check mark check mark check mark check mark @@ -2159,7 +2156,7 @@ Additional lists: cross mark cross mark - + check mark check mark check mark cross mark @@ -2185,7 +2182,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -2211,7 +2208,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark check mark @@ -2237,7 +2234,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -2290,7 +2287,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -2316,7 +2313,7 @@ Additional lists: cross mark check mark1 - + check mark1 check mark1 check mark1 cross mark @@ -2368,7 +2365,7 @@ Additional lists: cross mark check mark1 - + check mark1 check mark1 check mark1 cross mark @@ -2421,7 +2418,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -2447,7 +2444,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark check mark @@ -2503,7 +2500,6 @@ Additional lists: check mark - @@ -2627,6 +2623,8 @@ The following list shows the CSPs supported in HoloLens devices:

Footnotes: +- A - Only for mobile application management (MAM) +- B - Provisioning only - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. @@ -2636,4 +2634,4 @@ The following list shows the CSPs supported in HoloLens devices: - 7 - Added in Windows 10, version 1909. - 8 - Added in Windows 10, version 2004. - 9 - Added in Windows 10 Team 2020 Update -- 10 - Added in [Windows Holographic, version 20H2](/hololens/hololens-release-notes#windows-holographic-version-20h2) \ No newline at end of file +- 10 - Added in [Windows Holographic, version 20H2](/hololens/hololens-release-notes#windows-holographic-version-20h2) From 534690e3f5745b9a0c64e52bb98141b437cb0d97 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Tue, 1 Jun 2021 00:24:54 +0530 Subject: [PATCH 154/415] Update windows/client-management/mdm/configuration-service-provider-reference.md accepted Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../mdm/configuration-service-provider-reference.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 35baca9f52..e23ec60e95 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -2623,7 +2623,7 @@ The following list shows the CSPs supported in HoloLens devices:
Footnotes: -- A - Only for mobile application management (MAM) +- A - Only for mobile application management (MAM) - B - Provisioning only - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. From 7ef4e5ade9277041be1aa55212925cee5db4bb04 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Tue, 1 Jun 2021 10:48:36 +0530 Subject: [PATCH 155/415] Update windows/client-management/mdm/configuration-service-provider-reference.md accepted Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../mdm/configuration-service-provider-reference.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index e23ec60e95..e13ad288ab 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -2623,7 +2623,7 @@ The following list shows the CSPs supported in HoloLens devices:
Footnotes: -- A - Only for mobile application management (MAM) +- A - Only for mobile application management (MAM). - B - Provisioning only - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. From 460f60dd4abec4c5228991d27e829a1489c0b06e Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Tue, 1 Jun 2021 10:48:48 +0530 Subject: [PATCH 156/415] Update windows/client-management/mdm/configuration-service-provider-reference.md accepted Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../mdm/configuration-service-provider-reference.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index e13ad288ab..f4fab2c509 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -2633,5 +2633,5 @@ The following list shows the CSPs supported in HoloLens devices: - 6 - Added in Windows 10, version 1903. - 7 - Added in Windows 10, version 1909. - 8 - Added in Windows 10, version 2004. -- 9 - Added in Windows 10 Team 2020 Update +- 9 - Added in Windows 10 Team 2020 Update. - 10 - Added in [Windows Holographic, version 20H2](/hololens/hololens-release-notes#windows-holographic-version-20h2) From 827ed7c9761b1ca8fdefe65d59d306903c960fc3 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Tue, 1 Jun 2021 10:49:00 +0530 Subject: [PATCH 157/415] Update windows/client-management/mdm/configuration-service-provider-reference.md accepted Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../mdm/configuration-service-provider-reference.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index f4fab2c509..0f759f0e22 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -2634,4 +2634,4 @@ The following list shows the CSPs supported in HoloLens devices: - 7 - Added in Windows 10, version 1909. - 8 - Added in Windows 10, version 2004. - 9 - Added in Windows 10 Team 2020 Update. -- 10 - Added in [Windows Holographic, version 20H2](/hololens/hololens-release-notes#windows-holographic-version-20h2) +- 10 - Added in [Windows Holographic, version 20H2](/hololens/hololens-release-notes#windows-holographic-version-20h2). From 3ac0b220781ec3f56a70100448772bceec07ac1e Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Tue, 1 Jun 2021 10:49:13 +0530 Subject: [PATCH 158/415] Update windows/client-management/mdm/configuration-service-provider-reference.md accepted Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../mdm/configuration-service-provider-reference.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 0f759f0e22..e9ff678bdb 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -2624,7 +2624,7 @@ The following list shows the CSPs supported in HoloLens devices: Footnotes: - A - Only for mobile application management (MAM). -- B - Provisioning only +- B - Provisioning only. - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. From f139f3b91614e2ed3df61b40953315379a99b781 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Tue, 1 Jun 2021 11:24:06 +0530 Subject: [PATCH 159/415] Update windows/client-management/mdm/healthattestation-csp.md accepted Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/client-management/mdm/healthattestation-csp.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index 7ba60128fb..9df5a62fdf 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md @@ -1,5 +1,5 @@ --- -title: HealthAttestation CSP +title: Device HealthAttestation CSP description: Learn how the DHA-CSP enables enterprise IT managers to assess if a device is booted to a trusted and compliant state, and take enterprise policy actions. ms.assetid: 6F2D783C-F6B4-4A81-B9A2-522C4661D1AC ms.reviewer: @@ -1176,4 +1176,3 @@ xmlns="http://schemas.microsoft.com/windows/security/healthcertificate/validatio [Configuration service provider reference](configuration-service-provider-reference.md) - From 8ba8da2d5f4821141134ef596bef6c249dd1d714 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Tue, 1 Jun 2021 11:53:18 +0530 Subject: [PATCH 160/415] Update windows/whats-new/ltsc/whats-new-windows-10-2019.md accepted Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/whats-new/ltsc/whats-new-windows-10-2019.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md index 92a7eacf49..cd82d2c618 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md @@ -484,7 +484,7 @@ Previously, the customized taskbar could only be deployed using Group Policy or ### Windows Insider for Business -We recently added the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (AAD). By enrolling devices in AAD, you increase the visibility of feedback submitted by users in your organization – especially on features that support your specific business needs. For details, see [Windows Insider Program for Business](https://insider.windows.com/for-business). +We recently added the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (Azure AD). By enrolling devices in Azure AD, you increase the visibility of feedback submitted by users in your organization – especially on features that support your specific business needs. For details, see [Windows Insider Program for Business](https://insider.windows.com/for-business). You can now register your Azure AD domains to the Windows Insider Program. For more information, see [Windows Insider Program for Business](https://insider.windows.com/for-business). From 1cabfc785fefc65becce43d25f18c73d708671cc Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Tue, 1 Jun 2021 09:18:00 -0700 Subject: [PATCH 161/415] Corrected a typo for task ID 33452921 --- .../event-id-explanations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index 0e97655117..d12d89b766 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -103,7 +103,7 @@ A list of other relevant event IDs and their corresponding description. | 3074 | Page hash failure while hypervisor-protected code integrity was enabled. | | 3075 | This event monitors the performance of the Code Integrity policy check a file. | | 3079 | The file under validation did not meet the requirements to pass the application control policy. | -| 3080 | If the policy was in enforced mode, the file under validation would not have meet the requirements to pass the application control policy. | +| 3080 | If the policy was in enforced mode, the file under validation would not have met the requirements to pass the application control policy. | | 3081 | The file under validation did not meet the requirements to pass the application control policy. | | 3082 | If the policy was in enforced mode, the non-WHQL driver would have been denied by the policy. | | 3084 | Code Integrity will enforce the WHQL Required policy setting on this session. | From 8b70ad21214bff96116460ecaaf711bed625eada Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 1 Jun 2021 09:21:51 -0700 Subject: [PATCH 162/415] sv to 11 --- .openpublishing.publish.config.json | 6 ++-- windows/application-management/index.yml | 2 +- windows/deployment/TOC.yml | 8 ++--- windows/deployment/deploy-whats-new.md | 4 +-- windows/deployment/index.yml | 2 +- windows/deployment/sv-deploy.md | 8 ++--- windows/deployment/sv-plan.md | 4 +-- windows/deployment/sv-prepare.md | 4 +-- windows/hub/TOC.yml | 4 +-- windows/hub/index.yml | 30 ++++++++-------- windows/sv/TOC.yml | 36 ------------------- windows/windows-11/TOC.yml | 36 +++++++++++++++++++ windows/{sv => windows-11}/breadcrumb/toc.yml | 0 windows/{sv => windows-11}/docfx.json | 4 +-- windows/{sv => windows-11}/index.yml | 26 +++++++------- windows/{sv => windows-11}/placeholder.md | 0 .../windows-11-faq.md} | 5 ++- .../windows-11-lifecycle.md} | 7 ++-- .../windows-11-overview.md} | 4 +-- .../windows-11-requirements.md} | 4 +-- 20 files changed, 96 insertions(+), 98 deletions(-) delete mode 100644 windows/sv/TOC.yml create mode 100644 windows/windows-11/TOC.yml rename windows/{sv => windows-11}/breadcrumb/toc.yml (100%) rename windows/{sv => windows-11}/docfx.json (90%) rename windows/{sv => windows-11}/index.yml (75%) rename windows/{sv => windows-11}/placeholder.md (100%) rename windows/{sv/sv-requirements.md => windows-11/windows-11-faq.md} (71%) rename windows/{sv/sv-lifecycle.md => windows-11/windows-11-lifecycle.md} (69%) rename windows/{sv/sv-overview.md => windows-11/windows-11-overview.md} (86%) rename windows/{sv/sv-faq.md => windows-11/windows-11-requirements.md} (85%) diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json index ecd7571ea7..4fc470da75 100644 --- a/.openpublishing.publish.config.json +++ b/.openpublishing.publish.config.json @@ -130,9 +130,9 @@ "template_folder": "_themes" }, { - "docset_name": "SV", - "build_source_folder": "windows/sv", - "build_output_subfolder": "SV", + "docset_name": "windows-11", + "build_source_folder": "windows/windows-11", + "build_output_subfolder": "windows-11", "locale": "en-us", "monikers": [], "moniker_ranges": [], diff --git a/windows/application-management/index.yml b/windows/application-management/index.yml index dc786fd289..d3a95df0d0 100644 --- a/windows/application-management/index.yml +++ b/windows/application-management/index.yml @@ -5,7 +5,7 @@ summary: Learn about managing applications in Windows client, including how to r metadata: title: Windows application management # Required; page title displayed in search results. Include the brand. < 60 chars. - description: Learn about managing applications in Windows 10 and Windows Sun Valley. # Required; article description that is displayed in search results. < 160 chars. + description: Learn about managing applications in Windows 10 and Windows 11. # Required; article description that is displayed in search results. < 160 chars. services: windows-10 ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. ms.subservice: subservice diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index 9eb39c2bb6..3a19c56f54 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml @@ -5,7 +5,7 @@ items: - name: What's new href: deploy-whats-new.md - - name: Windows Sun Valley deployment overview + - name: Windows 11 deployment overview href: sv-deploy.md - name: Windows client deployment scenarios href: windows-10-deployment-scenarios.md @@ -35,7 +35,7 @@ - name: Plan items: - - name: Windows Sun Valley deployment planning + - name: Windows 11 deployment planning href: sv-plan.md - name: Create a deployment plan href: update/create-deployment-plan.md @@ -71,7 +71,7 @@ - name: Prepare items: - - name: Prepare to deploy Windows Sun Valley + - name: Prepare to deploy Windows 11 href: sv-prepare.md - name: Prepare to deploy Windows 10 updates href: update/prepare-deploy-windows.md @@ -104,7 +104,7 @@ items: - name: Deploy Windows client items: - - name: Windows Sun Valley deployment overview + - name: Windows 11 deployment overview href: sv-deploy.md - name: Deploy Windows client with Autopilot href: windows-autopilot/index.yml diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index 95cc27289d..03d5ce122e 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md @@ -20,14 +20,14 @@ ms.custom: seo-marvel-apr2020 **Applies to:** - Windows 10 -- Windows Sun Valley +- Windows 11 ## In this topic This topic provides an overview of new solutions and online content related to deploying Windows client in your organization. - For an all-up overview of new features in Windows 10, see [What's new in Windows 10](/windows/whats-new/index). -- For an all-up overview of new features in Windows Sun Valley, see [What's new in Windows Sun Valley](/windows/whats-new/index). +- For an all-up overview of new features in Windows 11, see [What's new in Windows 11](/windows/whats-new/index). ## Latest news diff --git a/windows/deployment/index.yml b/windows/deployment/index.yml index 10182bbea5..f6f9bf26ec 100644 --- a/windows/deployment/index.yml +++ b/windows/deployment/index.yml @@ -66,7 +66,7 @@ landingContent: links: - text: What's new in Windows deployment url: deploy-whats-new.md - - text: Windows Sun Valley deployment overview + - text: Windows 11 deployment overview url: sv-deploy.md - text: Windows client deployment scenarios url: windows-10-deployment-scenarios.md diff --git a/windows/deployment/sv-deploy.md b/windows/deployment/sv-deploy.md index 75df574256..ca92e990a7 100644 --- a/windows/deployment/sv-deploy.md +++ b/windows/deployment/sv-deploy.md @@ -1,5 +1,5 @@ --- -title: Windows Sun Valley deployment planning +title: Windows 11 deployment planning description: Understand the different ways Windows 10 operating system can be deployed in your organization. Explore several Windows 10 deployment scenarios. ms.assetid: 7A29D546-52CC-482C-8870-8123C7DC04B5 ms.reviewer: @@ -16,10 +16,10 @@ audience: itpro ms.topic: article --- -# Windows Sun Valley deployment planning +# Windows 11 deployment planning **Applies to** -- Windows Sun Valley +- Windows 11, version 21H1 -To successfully deploy the Windows Sun Valley operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the capabilities and limitations of each, is a key task. +To successfully deploy the Windows 11 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the capabilities and limitations of each, is a key task. diff --git a/windows/deployment/sv-plan.md b/windows/deployment/sv-plan.md index e28a0eb0e8..cd88a54b3d 100644 --- a/windows/deployment/sv-plan.md +++ b/windows/deployment/sv-plan.md @@ -1,5 +1,5 @@ --- -title: Windows Sun Valley deployment planning +title: Windows 11 deployment planning description: Understand the different ways Windows 10 operating system can be deployed in your organization. Explore several Windows 10 deployment scenarios. ms.assetid: 7A29D546-52CC-482C-8870-8123C7DC04B5 ms.reviewer: @@ -16,7 +16,7 @@ audience: itpro ms.topic: article --- -# Windows Sun Valley deployment planning +# Windows 11 deployment planning **Applies to** - Windows 10 diff --git a/windows/deployment/sv-prepare.md b/windows/deployment/sv-prepare.md index e28a0eb0e8..cd88a54b3d 100644 --- a/windows/deployment/sv-prepare.md +++ b/windows/deployment/sv-prepare.md @@ -1,5 +1,5 @@ --- -title: Windows Sun Valley deployment planning +title: Windows 11 deployment planning description: Understand the different ways Windows 10 operating system can be deployed in your organization. Explore several Windows 10 deployment scenarios. ms.assetid: 7A29D546-52CC-482C-8870-8123C7DC04B5 ms.reviewer: @@ -16,7 +16,7 @@ audience: itpro ms.topic: article --- -# Windows Sun Valley deployment planning +# Windows 11 deployment planning **Applies to** - Windows 10 diff --git a/windows/hub/TOC.yml b/windows/hub/TOC.yml index 5ba5004d55..812bcc04b5 100644 --- a/windows/hub/TOC.yml +++ b/windows/hub/TOC.yml @@ -5,8 +5,8 @@ href: /windows/whats-new - name: Release information href: /windows/release-health - - name: Windows Sun Valley - href: /windows/sv + - name: Windows 11 + href: /windows/windows-11 - name: Deployment href: /windows/deployment - name: Configuration diff --git a/windows/hub/index.yml b/windows/hub/index.yml index 5a9ddebb3d..572df40317 100644 --- a/windows/hub/index.yml +++ b/windows/hub/index.yml @@ -1,11 +1,11 @@ ### YamlMime:Landing title: Windows client resources and documentation for IT Pros # < 60 chars -summary: Plan, deploy, secure, and manage devices running Windows 10 and Windows Sun Valley. # < 160 chars +summary: Plan, deploy, secure, and manage devices running Windows 10 and Windows 11. # < 160 chars metadata: title: Windows client documentation for IT Pros # Required; page title displayed in search results. Include the brand. < 60 chars. - description: Evaluate, plan, deploy, secure and manage devices running Windows 10 and Windows Sun Valley. # Required; article description that is displayed in search results. < 160 chars. + description: Evaluate, plan, deploy, secure and manage devices running Windows 10 and Windows 11. # Required; article description that is displayed in search results. < 160 chars. services: windows-10 ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. ms.subservice: subservice @@ -13,7 +13,7 @@ metadata: ms.collection: windows-10 author: greg-lindsay #Required; your GitHub user alias, with correct capitalization. ms.author: greglin #Required; microsoft alias of author; optional team alias. - ms.date: 10/20/2020 #Required; mm/dd/yyyy format. + ms.date: 06/01/2020 #Required; mm/dd/yyyy format. localization_priority: medium # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new @@ -26,13 +26,13 @@ landingContent: linkLists: - linkListType: overview links: - - text: Windows Sun Valley overview - url: /sv/sv-overview.md - - text: What's new in Windows Sun Valley, version 21H2 + - text: Windows 11 overview + url: /windows-11/windows-11-overview.md + - text: What's new in Windows 11, version 21H2 url: /windows/whats-new/whats-new-windows-10-version-21H1 - text: What's new in Windows 10, version 21H2 url: /windows/whats-new/whats-new-windows-10-version-21H1 - - text: Windows Sun Valley release information + - text: Windows 11 release information url: /windows/release-health/release-information - text: Windows 10 release information url: /windows/release-health/release-information @@ -44,8 +44,8 @@ landingContent: links: - text: Configure Windows client url: /windows/configuration/index - - text: Configure Windows Sun Valley - url: /windows/configuration/sv-configure.md + - text: Configure Windows 11 + url: /windows/configuration/windows-11-configure.md - text: Accessibility information for IT Pros url: /windows/configuration/windows-10-accessibility-for-itpros - text: Configure access to Microsoft Store @@ -60,8 +60,8 @@ landingContent: links: - text: Deploy and update Windows client url: /windows/deployment/index - - text: Deploy Windows Sun Valley - url: /windows/deployment/sv-deploy.md + - text: Deploy Windows 11 + url: /windows/deployment/windows-11-deploy.md - text: Windows deployment scenarios url: /windows/deployment/windows-10-deployment-scenarios - text: Create a deployment plan @@ -77,8 +77,8 @@ landingContent: links: - text: Windows application management url: /windows/application-management/index - - text: Manage Windows Sun Valley applications - url: /windows/application-management/sv-app-manage.md + - text: Manage Windows 11 applications + url: /windows/application-management/windows-11-app-manage.md - text: Understand the different apps included in Windows 10 url: /windows/application-management/apps-in-windows-10 - text: Get started with App-V for Windows 10 @@ -93,8 +93,8 @@ landingContent: links: - text: Windows client management url: /windows/client-management/index - - text: Manage Windows Sun Valley - url: /windows/client-management/sv-manage.md + - text: Manage Windows 11 + url: /windows/client-management/windows-11-manage.md - text: Administrative tools url: /windows/client-management/administrative-tools-in-windows-10 - text: Create mandatory user profiles diff --git a/windows/sv/TOC.yml b/windows/sv/TOC.yml deleted file mode 100644 index a293d047ad..0000000000 --- a/windows/sv/TOC.yml +++ /dev/null @@ -1,36 +0,0 @@ -- name: Windows Sun Valley - href: index.yml - items: - - name: Get started - items: - - name: Windows Sun Valley overview - href: sv-overview.md - - name: Windows Sun Valley requirements - href: sv-requirements.md - - name: Sun Valley FAQ - href: sv-faq.md - - - name: Deploy and Manage Windows Sun Valley - items: - - name: Plan to deploy Windows Sun Valley - href: /windows/deployment/sv-plan - - name: Prepare for Windows Sun Valley - href: /windows/deployment/sv-prepare.md - - name: Deploy Windows Sun Valley - href: /windows/deployment/sv-deploy.md - - name: Configure Windows Sun Valley - href: /windows/configuration/sv-configure.md - - name: Manage Windows Sun Valley - href: /windows/client-management/sv-manage.md - - name: Windows Sun Valley application readiness - href: /windows/application-management/sv-app-readiness.md - - - name: Support - items: - - name: Windows Sun Valley lifecycle - href: sv-lifecycle.md - - name: Windows Sun Valley release information - href: /windows/release-health - - - diff --git a/windows/windows-11/TOC.yml b/windows/windows-11/TOC.yml new file mode 100644 index 0000000000..ad14e66327 --- /dev/null +++ b/windows/windows-11/TOC.yml @@ -0,0 +1,36 @@ +- name: Windows 11 + href: index.yml + items: + - name: Get started + items: + - name: Windows 11 overview + href: windows-11-overview.md + - name: Windows 11 requirements + href: windows-11-requirements.md + - name: Windows 11 FAQ + href: windows-11-faq.md + + - name: Deploy and Manage Windows 11 + items: + - name: Plan to deploy Windows 11 + href: /windows/deployment/windows-11-plan + - name: Prepare for Windows 11 + href: /windows/deployment/windows-11-prepare.md + - name: Deploy Windows 11 + href: /windows/deployment/windows-11-deploy.md + - name: Configure Windows 11 + href: /windows/configuration/windows-11-configure.md + - name: Manage Windows 11 + href: /windows/client-management/windows-11-manage.md + - name: Windows 11 application readiness + href: /windows/application-management/windows-11-app-readiness.md + + - name: Support + items: + - name: Windows 11 lifecycle + href: windows-11-lifecycle.md + - name: Windows 11 release information + href: /windows/release-health + + + diff --git a/windows/sv/breadcrumb/toc.yml b/windows/windows-11/breadcrumb/toc.yml similarity index 100% rename from windows/sv/breadcrumb/toc.yml rename to windows/windows-11/breadcrumb/toc.yml diff --git a/windows/sv/docfx.json b/windows/windows-11/docfx.json similarity index 90% rename from windows/sv/docfx.json rename to windows/windows-11/docfx.json index 7035c4cd69..e7955464fe 100644 --- a/windows/sv/docfx.json +++ b/windows/windows-11/docfx.json @@ -39,13 +39,13 @@ "overwrite": [], "externalReference": [], "globalMetadata": { - "breadcrumb_path": "/windows/sv/breadcrumb/toc.json", + "breadcrumb_path": "/windows/windows-11/breadcrumb/toc.json", "extendBreadcrumb": true, "feedback_system": "None" }, "fileMetadata": {}, "template": [], - "dest": "SV", + "dest": "windows-11", "markdownEngineName": "markdig" } } \ No newline at end of file diff --git a/windows/sv/index.yml b/windows/windows-11/index.yml similarity index 75% rename from windows/sv/index.yml rename to windows/windows-11/index.yml index 477ed81e72..5e33fe3113 100644 --- a/windows/sv/index.yml +++ b/windows/windows-11/index.yml @@ -1,7 +1,7 @@ ### YamlMime:Landing title: Windows SV # < 60 chars -summary: Find out about Windows Sun Valley. # < 160 chars +summary: Find out about Windows Windows 11. # < 160 chars metadata: title: Windows SV # Required; page title displayed in search results. Include the brand. < 60 chars. @@ -26,29 +26,29 @@ landingContent: linkLists: - linkListType: overview links: - - text: Windows Sun Valley overview + - text: Windows Windows 11 overview url: sv-overview.md - - text: Windows Sun Valley requirements + - text: Windows Windows 11 requirements url: sv-requirements.md - - text: Windows Sun Valley FAQ + - text: Windows Windows 11 FAQ url: sv-faq.md # Card (optional) - - title: Deploy Windows Sun Valley + - title: Deploy Windows 11 linkLists: - linkListType: overview links: - - text: Plan to deploy Windows Sun Valley + - text: Plan to deploy Windows Windows 11 url: /windows/deployment/sv-plan.md - - text: Prepare for Windows Sun Valley + - text: Prepare for Windows Windows 11 url: /windows/deployment/sv-prepare.md - - text: Deploy Windows Sun Valley + - text: Deploy Windows Windows 11 url: /windows/deployment/sv-deploy.md - - text: Configure Windows Sun Valley + - text: Configure Windows Windows 11 url: /windows/configuration/sv-configure.md - - text: Manage Windows Sun Valley + - text: Manage Windows Windows 11 url: /windows/client-management/sv-manage.md - - text: Windows Sun Valley application readiness + - text: Windows Windows 11 application readiness url: /windows/application-management/sv-app-readiness.md # Card (optional) @@ -56,8 +56,8 @@ landingContent: linkLists: - linkListType: overview links: - - text: Windows Sun Valley lifecycle + - text: Windows Windows 11 lifecycle url: placeholder.md - - text: Windows Sun Valley release information + - text: Windows Windows 11 release information url: ../release-health diff --git a/windows/sv/placeholder.md b/windows/windows-11/placeholder.md similarity index 100% rename from windows/sv/placeholder.md rename to windows/windows-11/placeholder.md diff --git a/windows/sv/sv-requirements.md b/windows/windows-11/windows-11-faq.md similarity index 71% rename from windows/sv/sv-requirements.md rename to windows/windows-11/windows-11-faq.md index 5e4a647fea..1ac810bb60 100644 --- a/windows/sv/sv-requirements.md +++ b/windows/windows-11/windows-11-faq.md @@ -1,7 +1,6 @@ --- title: Placeholder description: PH -ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C ms.reviewer: manager: laurawi ms.audience: itpro @@ -16,7 +15,7 @@ ms.topic: article ms.custom: seo-marvel-apr2020 --- -# Windows Sun Valley requirements +# Windows 11 frequently asked questions (FAQ) -Windows Sun Valley requirements. +FAQ. diff --git a/windows/sv/sv-lifecycle.md b/windows/windows-11/windows-11-lifecycle.md similarity index 69% rename from windows/sv/sv-lifecycle.md rename to windows/windows-11/windows-11-lifecycle.md index c16baa14b7..fab8fda180 100644 --- a/windows/sv/sv-lifecycle.md +++ b/windows/windows-11/windows-11-lifecycle.md @@ -1,7 +1,6 @@ --- title: Lifecycle -description: PH -ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C +description: Lifecycle information for Windows 11 ms.reviewer: manager: laurawi ms.audience: itpro @@ -16,7 +15,7 @@ ms.topic: article ms.custom: seo-marvel-apr2020 --- -# Windows Sun Valley lifecycle +# Windows 11 lifecycle -Sun Valley lifecycle. +Windows 11 lifecycle. diff --git a/windows/sv/sv-overview.md b/windows/windows-11/windows-11-overview.md similarity index 86% rename from windows/sv/sv-overview.md rename to windows/windows-11/windows-11-overview.md index 4099c30662..f39f5e4c23 100644 --- a/windows/sv/sv-overview.md +++ b/windows/windows-11/windows-11-overview.md @@ -16,7 +16,7 @@ ms.topic: article ms.custom: seo-marvel-apr2020 --- -# Windows Sun Valley overview +# Windows 11 overview -Overview of Sun Valley. +Overview of Windows 11. diff --git a/windows/sv/sv-faq.md b/windows/windows-11/windows-11-requirements.md similarity index 85% rename from windows/sv/sv-faq.md rename to windows/windows-11/windows-11-requirements.md index 220beac886..482850a4f9 100644 --- a/windows/sv/sv-faq.md +++ b/windows/windows-11/windows-11-requirements.md @@ -16,7 +16,7 @@ ms.topic: article ms.custom: seo-marvel-apr2020 --- -# Windows Sun Valley frequently asked questions (FAQ) +# Windows 11 requirements -FAQ. +Windows 11 requirements. From 5b1f9848a3b8a6de82a5cb336460c10a34d7ad14 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 1 Jun 2021 09:46:31 -0700 Subject: [PATCH 163/415] H1 fixes --- windows/deployment/{sv-deploy.md => windows-11-deploy.md} | 0 windows/deployment/{sv-plan.md => windows-11-plan.md} | 4 ++-- .../deployment/{sv-prepare.md => windows-11-prepare.md} | 8 ++++---- 3 files changed, 6 insertions(+), 6 deletions(-) rename windows/deployment/{sv-deploy.md => windows-11-deploy.md} (100%) rename windows/deployment/{sv-plan.md => windows-11-plan.md} (99%) rename windows/deployment/{sv-prepare.md => windows-11-prepare.md} (99%) diff --git a/windows/deployment/sv-deploy.md b/windows/deployment/windows-11-deploy.md similarity index 100% rename from windows/deployment/sv-deploy.md rename to windows/deployment/windows-11-deploy.md diff --git a/windows/deployment/sv-plan.md b/windows/deployment/windows-11-plan.md similarity index 99% rename from windows/deployment/sv-plan.md rename to windows/deployment/windows-11-plan.md index cd88a54b3d..e3b81e8c3c 100644 --- a/windows/deployment/sv-plan.md +++ b/windows/deployment/windows-11-plan.md @@ -1,6 +1,6 @@ --- title: Windows 11 deployment planning -description: Understand the different ways Windows 10 operating system can be deployed in your organization. Explore several Windows 10 deployment scenarios. +description: Understand the different ways Windows 11 operating system can be deployed in your organization. Explore several Windows 11 deployment scenarios. ms.assetid: 7A29D546-52CC-482C-8870-8123C7DC04B5 ms.reviewer: manager: laurawi @@ -19,7 +19,7 @@ ms.topic: article # Windows 11 deployment planning **Applies to** -- Windows 10 +- Windows 11 To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the capabilities and limitations of each, is a key task. diff --git a/windows/deployment/sv-prepare.md b/windows/deployment/windows-11-prepare.md similarity index 99% rename from windows/deployment/sv-prepare.md rename to windows/deployment/windows-11-prepare.md index cd88a54b3d..eb8ce64aa0 100644 --- a/windows/deployment/sv-prepare.md +++ b/windows/deployment/windows-11-prepare.md @@ -1,6 +1,6 @@ --- -title: Windows 11 deployment planning -description: Understand the different ways Windows 10 operating system can be deployed in your organization. Explore several Windows 10 deployment scenarios. +title: Prepare to deploy Windows 11 +description: Understand the different ways Windows 11 operating system can be deployed in your organization. Explore several Windows 11 deployment scenarios. ms.assetid: 7A29D546-52CC-482C-8870-8123C7DC04B5 ms.reviewer: manager: laurawi @@ -16,10 +16,10 @@ audience: itpro ms.topic: article --- -# Windows 11 deployment planning +# Prepare to deploy Windows 11 **Applies to** -- Windows 10 +- Windows 11, version 21H1 To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the capabilities and limitations of each, is a key task. From d5fd5aa78687402fc4ab076b86720236c227e68c Mon Sep 17 00:00:00 2001 From: Charles Date: Tue, 1 Jun 2021 13:10:36 -0400 Subject: [PATCH 164/415] added docs specifically for MEM(Intune) devices --- windows/deployment/TOC.yml | 2 + .../update-compliance-configuration-manual.md | 19 ++--- .../update-compliance-configuration-mem.md | 76 +++++++++++++++++++ .../update-compliance-configuration-script.md | 13 +--- .../update/update-compliance-get-started.md | 9 ++- 5 files changed, 94 insertions(+), 25 deletions(-) create mode 100644 windows/deployment/update/update-compliance-configuration-mem.md diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index c8a3334ac2..4e078e7f35 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml @@ -193,6 +193,8 @@ href: update/update-compliance-configuration-script.md - name: Manually configuring devices for Update Compliance href: update/update-compliance-configuration-manual.md + - name: Configuring MEM-enrolled devices for Update Compliance + href: update/update-compliance-configuration-mem.md - name: Update Compliance monitoring items: - name: Use Update Compliance diff --git a/windows/deployment/update/update-compliance-configuration-manual.md b/windows/deployment/update/update-compliance-configuration-manual.md index ccdb293504..10b6032442 100644 --- a/windows/deployment/update/update-compliance-configuration-manual.md +++ b/windows/deployment/update/update-compliance-configuration-manual.md @@ -41,16 +41,13 @@ Update Compliance has a number of policies that must be appropriately configured Each MDM Policy links to its documentation in the CSP hierarchy, providing its exact location in the hierarchy and more details. -| Policy | Value | Function | -|---------------------------|-|------------------------------------------------------------| -|**Provider/*ProviderID*/**[**CommercialID**](/windows/client-management/mdm/dmclient-csp#provider-providerid-commercialid) |[Your CommercialID](update-compliance-get-started.md#get-your-commercialid) |Identifies the device as belonging to your organization. | -|**System/**[**AllowTelemetry**](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) | 1- Basic |Configures the maximum allowed diagnostic data to be sent to Microsoft. Individual users can still set this value lower than what the policy defines. For more information, see the following policy. | -|**System/**[**ConfigureTelemetryOptInSettingsUx**](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux) | 1 - Disable Telemetry opt-in Settings | (in Windows 10, version 1803 and later) Determines whether users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy or the effective diagnostic data level on devices might not be sufficient. | -|**System/**[**AllowDeviceNameInDiagnosticData**](/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata) | 1 - Allowed | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or set to 0 (Disabled), Device Name will not be sent and will not be visible in Update Compliance, showing `#` instead. | -| **System/AllowUpdateComplianceProcessing** | 16 - Allowed | Enables data flow through Update Compliance's data processing system and indicates a device's explicit enrollment to the service. | - -> [!NOTE] -> If you use Microsoft Intune, set the **ProviderID** to *MS DM Server*. If you use another MDM product, check with its vendor. See also [DMClient CSP](/windows/client-management/mdm/dmclient-csp). +| Policy | Data type | Value | Function | +|--------------------------|-|-|------------------------------------------------------------| +|**Provider/*ProviderID*/**[**CommercialID**](/windows/client-management/mdm/dmclient-csp#provider-providerid-commercialid) |String |[Your CommercialID](update-compliance-get-started.md#get-your-commercialid) |Identifies the device as belonging to your organization. | +|**System/**[**AllowTelemetry**](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) |Integer | 1 - Basic |Configures the maximum allowed diagnostic data to be sent to Microsoft. Individual users can still set this value lower than what the policy defines. For more information, see the following policy. | +|**System/**[**ConfigureTelemetryOptInSettingsUx**](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux) |Integer |1 - Disable Telemetry opt-in Settings | (in Windows 10, version 1803 and later) Determines whether users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy or the effective diagnostic data level on devices might not be sufficient. | +|**System/**[**AllowDeviceNameInDiagnosticData**](/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata) |Integer | 1 - Allowed | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or set to 0 (Disabled), Device Name will not be sent and will not be visible in Update Compliance, showing `#` instead. | +| **System/AllowUpdateComplianceProcessing** |Integer | 16 - Allowed | Enables data flow through Update Compliance's data processing system and indicates a device's explicit enrollment to the service. | ### Group policies @@ -89,6 +86,6 @@ Census is a service that runs on a regular schedule on Windows devices. A number A full Census sync adds a new registry value to Census's path. When this registry value is added, Census's configuration is overridden to force a full sync. For Census to work normally, this registry value should be enabled, Census should be started manually, and then the registry value should be disabled. Follow these steps: -1. For every device you are manually configuring for Update Compliance, add or modify the registry key located at **HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Census** to include a new **DWORD value** named **FullSync** and set to **1**. +1. For every device you are manually configuring for Update Compliance and do not plan to use the [Update Compliance Configuration Script](update-compliance-configuration-script.md), add or modify the registry key located at **HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Census** to include a new **DWORD value** named **FullSync** and set to **1**. 2. Run Devicecensus.exe with administrator privileges on every device. Devicecensus.exe is in the System32 folder. No additional run parameters are required. 3. After Devicecensus.exe has run, the **FullSync** registry value can be removed or set to **0**. diff --git a/windows/deployment/update/update-compliance-configuration-mem.md b/windows/deployment/update/update-compliance-configuration-mem.md new file mode 100644 index 0000000000..09eeaed357 --- /dev/null +++ b/windows/deployment/update/update-compliance-configuration-mem.md @@ -0,0 +1,76 @@ +--- +title: Configuring MEM devices for Update Compliance +ms.reviewer: +manager: laurawi +description: Configuring MEM-enrolled devices for Update Compliance +keywords: update compliance, oms, operations management suite, prerequisites, requirements, updates, upgrades, antivirus, antimalware, signature, log analytics, wdav, intune, mem +ms.prod: w10 +ms.mktglfcycl: deploy +ms.pagetype: deploy +audience: itpro +author: jaimeo +ms.author: jaimeo +ms.localizationpriority: medium +ms.collection: M365-analytics +ms.topic: article +--- + +# Configuring Microsoft Endpoint Manager devices for Update Compliance + +> [!NOTE] +> As of May 10, 2021, a new policy is required to use Update Compliance: "Allow Update Compliance Processing." For more details, see the Mobile Device Management policies and Group policies tables. + +This article is specifically targeted at configuring devices enrolled to [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview) (MEM) for Update Compliance, within MEM itself. Configuring devices for Update Compliance in MEM breaks down to the following steps: + +1. [Create a configuration profile](#create-a-configuration-profile) for devices you want to enroll, that contains settings for all the MDM policies that must be configured. +2. [Deploy the configuration script](#deploy-the-configuration-script) as a Win32 app to those same devices, so additional checks can be performed to ensure devices are correctly configured. +3. Wait for data to populate. The length of this process depends on the computer being on, connected to the internet, and correctly configured. Some data types take longer to appear than others. You can learn more about this in the broad section on [enrolling devices to Update Compliance](update-compliance-get-started.md##enroll-devices-in-update-compliance). + +## Create a configuration profile + +Take the following steps to create a configuration profile that will set required policies for Update Compliance: + +1. Go to your MEM admin portal and navigate to **Devices/Windows/Configuration profiles**. +2. On the Configuration profiles view, select **Create a profile**. +3. Select **Platform**="Windows 10 and later" and **Profile type**="Templates". +4. For **Template name**, select "Custom", then hit **Create**. +5. You are now on the Configuration profile creation screen. On the **Basics** tab, give a **Name** and **Description**. +6. On the **Configuration settings** page, you will be adding multiple OMA-URI Settings that correspond to the policies described in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md). + 1. Add a setting for **Commercial ID**, with the following values: + - **Name**: Commercial ID + - **Description**: Sets the Commercial ID that corresponds to the Update Compliance Log Analytics workspace. + - **OMA-URI**: `./Vendor/MSFT/DMClient/Provider/MS DM Server/CommercialID` + - **Data type**: String + - **Value**: *Set this to your Commercial ID* + 2. Add a setting configuring devices' **Windows Diagnostic Data level**: + - **Name**: Allow Telemetry + - **Description**: Sets the maximum allowed diagnostic data to be sent to Microsoft, required for Update Compliance. + - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowTelemetry` + - **Data type**: Integer + - **Value**: 1 (*all that is required is 1, but it can be safely set to a higher value*). + 3. (*Recommended, but not required*) Add a setting for **disabling devices' Diagnostic Data opt-in settings interface**. If this is not disabled, users of each device can potentially override the diagnostic data level of devices such that data will not be available for those devices in Update Compliance: + - **Name**: Disable Telemetry opt-in interface + - **Description**: Disables the ability for end-users of devices can adjust diagnostic data to levels lower than defined by the Allow Telemetry setting. + - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/ConfigureTelemetryOptInSettingsUx` + - **Data type**: Integer + - **Value**: 1 + 4. Add a setting to **Allow device name in diagnostic data**; otherwise, there will be no device name in Update Compliance: + - **Name**: Allow device name in Diagnostic Data + - **Description**: Allows device name in Diagnostic Data. + - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowDeviceNameInDiagnosticData` + - **Data type**: Integer + - **Value**: 1 + 5. Add a setting to **Allow Update Compliance processing**; this policy is required for Update Compliance: + - **Name**: Allow Update Compliance Processing + - **Description**: Opts device data into Update Compliance processing. Required to see data. + - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowUpdateComplianceProcessing` + - **Data type**: Integer + - **Value**: 16 +7. Proceed through the next set of tabs **Scope tags**, **Assignments**, and **Applicability Rules** to assign the configuration profile to devices you wish to enroll. +8. Review and **create**. + +## Deploy the configuration script + +The [Update Compliance Configuration Script](update-compliance-configuration-script.md) is an important component of properly enrolling devices to Update Compliance, though is not strictly necessary. It checks to ensure devices have required services running and checks connectivity to the endpoints detaield in the section on [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md). Deploying the configuration script can be done by deploying the script as a Win32 app. Documentation for this can be found in the Intune documentation for [Win32 app management in Microsoft Intune](https://docs.microsoft.com/mem/intune/apps/apps-win32-app-management). + +When deploying the configuration script as a Win32 app, you will be unable to retrieve the results of logs on the device without having access to the device, or saving results of the logs to a shared filesystem. We recommend deploying the script in Pilot mode to a set of devices that you do have access to, or have a way to access the resultant log output the script provides, with as similar of a configuration profile as other devices which will be enrolled to Update Compliance, and analyzing the logs for any potential issues. Following this, you can deploy the configuration script in Deployment mode as a Win32 app to all Update Compliance devices. \ No newline at end of file diff --git a/windows/deployment/update/update-compliance-configuration-script.md b/windows/deployment/update/update-compliance-configuration-script.md index 2bdf88323c..4821714cb4 100644 --- a/windows/deployment/update/update-compliance-configuration-script.md +++ b/windows/deployment/update/update-compliance-configuration-script.md @@ -18,22 +18,15 @@ ms.topic: article # Configuring devices through the Update Compliance Configuration Script > [!NOTE] -> A new policy is required to use Update Compliance: "AllowUpdateComplianceProcessing." If you're already using Update Compliance and have configured your devices prior to May 10, 2021, you must rerun the script so the new policy can be configured. We don't recommend using this script if you configure devices using MDM. Instead, configure the policies listed in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md) by using your MDM provider. You should check devices to ensure that there aren't any policy configurations in any existing tool that conflict with how policies should be configured. +> A new policy is required to use Update Compliance: "AllowUpdateComplianceProcessing." If you're already using Update Compliance and have configured your devices prior to May 10, 2021, you must rerun the script so the new policy can be configured. -The Update Compliance Configuration Script is the recommended method of configuring devices to send data to Microsoft for use with Update Compliance. The script configures the registry keys backing policies, ensures required services are running, and more. +The Update Compliance Configuration Script is the recommended method of configuring devices to send data to Microsoft for use with Update Compliance. The script configures the registry keys backing policies, ensures required services are running, and more. This script is a recommended complement to configuring the required policies documented in [Manually configured devices for Update Compliance](update-compliance-configuration-manual.md), as it can provide feedback on whether there are any configuration issues outside of policies being configured. > [!NOTE] -> The configuration script configures registry keys directly. Registry keys can potentially be overwritten by policy settings like Group Policy or MDM. *Reconfiguring devices with the script does not reconfigure previously set policies, both in the case of Group Policy and MDM*. If there are conflicts between your Group Policy or MDM configurations and the required configurations listed in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md), there can be issues with device enrollment. +> The configuration script configures registry keys directly. Registry keys can potentially be overwritten by policy settings like Group Policy or MDM. *Reconfiguring devices with the script does not reconfigure previously set policies, both in the case of Group Policy and MDM*. If there are conflicts between your Group Policy or MDM configurations and the required configurations listed in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md), there may be issues with device data appearing in Update Compliance. You can download the script from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=101086). Keep reading to learn how to configure the script and interpret error codes that are output in logs for troubleshooting. -## Script FAQ - -- I manage my devices with MDM. Should I use this script? -No, you should not use this script. Instead configure the policies through your MDM provider. -- Does this script configure devices for Delivery Optimization? -No. You must do that separately. - ## How this script is organized This script's two primary files are `ConfigScript.ps1` and `RunConfig.bat`. You configure `RunConfig.bat` according to the directions in the `.bat` itself, which will then run `ConfigScript.ps1` with the parameters entered to `RunConfig.bat`. There are two ways of using the script: in **Pilot** mode or **Deployment** mode. diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md index a224816f2b..d84e9ccac6 100644 --- a/windows/deployment/update/update-compliance-get-started.md +++ b/windows/deployment/update/update-compliance-get-started.md @@ -26,7 +26,7 @@ This topic introduces the high-level steps required to enroll to the Update Comp 2. [Add Update Compliance](#add-update-compliance-to-your-azure-subscription) to your Azure subscription. 3. [Configure devices](#enroll-devices-in-update-compliance) to send data to Update Compliance. -After adding the solution to Azure and configuring devices, it could take up to 72 hours before you can begin to see devices in the solution. Before or as devices appear, you can learn how to [Use Update Compliance](update-compliance-using.md) to monitor Windows Updates and Delivery Optimization. +After adding the solution to Azure and configuring devices, it can take some time before all devices appear, this is discussed in more detail in the [enrollment section](#enroll-devices-in-update-compliance). Before or as devices appear, you can learn how to [Use Update Compliance](update-compliance-using.md) to monitor Windows Updates and Delivery Optimization. ## Update Compliance prerequisites @@ -100,10 +100,11 @@ To find your CommercialID within Azure: ## Enroll devices in Update Compliance -Once you've added Update Compliance to a workspace in your Azure subscription, you'll need to configure any devices you want to monitor. There are two ways to configure devices to use Update Compliance: +Once you've added Update Compliance to a workspace in your Azure subscription, you'll need to configure any devices you want to monitor. There are a few steps to follow when enrolling devices to Update Compliance: -- If you use Group Policy to manage device policies, use the [Update Compliance Configuration Script](update-compliance-configuration-script.md). -- If you manage devices through MDM providers like Intune, [manually configure device for Update Compliance](update-compliance-configuration-manual.md). +1. Check the policies, services, and other device enrollment requirements in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md). +2. If you are a [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview) customer, you can follow the MEM enrollment process documented at [Configuring MEM-enrolled devices for Update Compliance](update-compliance-configuration-mem.md). +3. Finally, you should run the [Update Compliance Configuration Script](update-compliance-configuration-script.md) on all devices to ensure they are appropriately configured and troubleshoot any enrollment issues. After you configure devices, diagnostic data they send will begin to be associated with your Azure AD organization ("tenant"). However, enrolling to Update Compliance doesn't influence the rate at which required data is uploaded from devices. Device connectivity to the internet and generally how active the device is highly influences how long it will take before the device appears in Update Compliance. Devices that are active and connected to the internet daily can expect to be fully uploaded within one week (usually less than 72 hours). Devices that are less active can take up to two weeks before data is fully available. From 102cc4d8c2d89be9254eb298429906c9157a87c0 Mon Sep 17 00:00:00 2001 From: Jaime Ondrusek Date: Tue, 1 Jun 2021 10:18:59 -0700 Subject: [PATCH 165/415] Update TOC.yml Do not use "MEM." --- windows/deployment/TOC.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index 4e078e7f35..487cf680c0 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml @@ -193,7 +193,7 @@ href: update/update-compliance-configuration-script.md - name: Manually configuring devices for Update Compliance href: update/update-compliance-configuration-manual.md - - name: Configuring MEM-enrolled devices for Update Compliance + - name: Configuring devices for Update Compliance in Microsoft Endpoint Manager href: update/update-compliance-configuration-mem.md - name: Update Compliance monitoring items: @@ -543,4 +543,4 @@ href: volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md - name: Install fonts in Windows 10 - href: windows-10-missing-fonts.md \ No newline at end of file + href: windows-10-missing-fonts.md From e2169d5b6a6dda2bec7953e5bc89a246841531c0 Mon Sep 17 00:00:00 2001 From: Jaime Ondrusek Date: Tue, 1 Jun 2021 10:25:32 -0700 Subject: [PATCH 166/415] Update update-compliance-configuration-mem.md Removing "MEM" (do not use "MEM") and a few tweaks for voice/tone. --- .../update-compliance-configuration-mem.md | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/windows/deployment/update/update-compliance-configuration-mem.md b/windows/deployment/update/update-compliance-configuration-mem.md index 09eeaed357..e9b66d2a5d 100644 --- a/windows/deployment/update/update-compliance-configuration-mem.md +++ b/windows/deployment/update/update-compliance-configuration-mem.md @@ -1,8 +1,8 @@ --- -title: Configuring MEM devices for Update Compliance +title: Configuring for Update Compliance in Microsoft Endpoint Manager ms.reviewer: manager: laurawi -description: Configuring MEM-enrolled devices for Update Compliance +description: Configuring devices that are enrolled in Endpoint Manager for Update Compliance keywords: update compliance, oms, operations management suite, prerequisites, requirements, updates, upgrades, antivirus, antimalware, signature, log analytics, wdav, intune, mem ms.prod: w10 ms.mktglfcycl: deploy @@ -20,7 +20,7 @@ ms.topic: article > [!NOTE] > As of May 10, 2021, a new policy is required to use Update Compliance: "Allow Update Compliance Processing." For more details, see the Mobile Device Management policies and Group policies tables. -This article is specifically targeted at configuring devices enrolled to [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview) (MEM) for Update Compliance, within MEM itself. Configuring devices for Update Compliance in MEM breaks down to the following steps: +This article is specifically targeted at configuring devices enrolled to [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview) for Update Compliance, within MEM itself. Configuring devices for Update Compliance in MEM breaks down to the following steps: 1. [Create a configuration profile](#create-a-configuration-profile) for devices you want to enroll, that contains settings for all the MDM policies that must be configured. 2. [Deploy the configuration script](#deploy-the-configuration-script) as a Win32 app to those same devices, so additional checks can be performed to ensure devices are correctly configured. @@ -30,10 +30,10 @@ This article is specifically targeted at configuring devices enrolled to [Micros Take the following steps to create a configuration profile that will set required policies for Update Compliance: -1. Go to your MEM admin portal and navigate to **Devices/Windows/Configuration profiles**. -2. On the Configuration profiles view, select **Create a profile**. +1. Go to the Admin portal in Endpoint Manager and navigate to **Devices/Windows/Configuration profiles**. +2. On the **Configuration profiles** view, select **Create a profile**. 3. Select **Platform**="Windows 10 and later" and **Profile type**="Templates". -4. For **Template name**, select "Custom", then hit **Create**. +4. For **Template name**, select **Custom**, and then press **Create**. 5. You are now on the Configuration profile creation screen. On the **Basics** tab, give a **Name** and **Description**. 6. On the **Configuration settings** page, you will be adding multiple OMA-URI Settings that correspond to the policies described in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md). 1. Add a setting for **Commercial ID**, with the following values: @@ -42,7 +42,7 @@ Take the following steps to create a configuration profile that will set require - **OMA-URI**: `./Vendor/MSFT/DMClient/Provider/MS DM Server/CommercialID` - **Data type**: String - **Value**: *Set this to your Commercial ID* - 2. Add a setting configuring devices' **Windows Diagnostic Data level**: + 2. Add a setting configuring the **Windows Diagnostic Data level** for devices: - **Name**: Allow Telemetry - **Description**: Sets the maximum allowed diagnostic data to be sent to Microsoft, required for Update Compliance. - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowTelemetry` @@ -67,10 +67,10 @@ Take the following steps to create a configuration profile that will set require - **Data type**: Integer - **Value**: 16 7. Proceed through the next set of tabs **Scope tags**, **Assignments**, and **Applicability Rules** to assign the configuration profile to devices you wish to enroll. -8. Review and **create**. +8. Review and select **Create**. ## Deploy the configuration script -The [Update Compliance Configuration Script](update-compliance-configuration-script.md) is an important component of properly enrolling devices to Update Compliance, though is not strictly necessary. It checks to ensure devices have required services running and checks connectivity to the endpoints detaield in the section on [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md). Deploying the configuration script can be done by deploying the script as a Win32 app. Documentation for this can be found in the Intune documentation for [Win32 app management in Microsoft Intune](https://docs.microsoft.com/mem/intune/apps/apps-win32-app-management). +The [Update Compliance Configuration Script](update-compliance-configuration-script.md) is an important component of properly enrolling devices in Update Compliance, though it isn't strictly necessary. It checks to ensure that devices have the required services running and checks connectivity to the endpoints detailed in the section on [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md). You can deploy the script as a Win32 app. For more information, see [Win32 app management in Microsoft Intune](https://docs.microsoft.com/mem/intune/apps/apps-win32-app-management). -When deploying the configuration script as a Win32 app, you will be unable to retrieve the results of logs on the device without having access to the device, or saving results of the logs to a shared filesystem. We recommend deploying the script in Pilot mode to a set of devices that you do have access to, or have a way to access the resultant log output the script provides, with as similar of a configuration profile as other devices which will be enrolled to Update Compliance, and analyzing the logs for any potential issues. Following this, you can deploy the configuration script in Deployment mode as a Win32 app to all Update Compliance devices. \ No newline at end of file +When you deploy the configuration script as a Win32 app, you won't be able to retrieve the results of logs on the device without having access to the device, or saving results of the logs to a shared filesystem. We recommend deploying the script in Pilot mode to a set of devices that you do have access to, or have a way to access the resultant log output the script provides, with as similar of a configuration profile as other devices which will be enrolled to Update Compliance, and analyzing the logs for any potential issues. Following this, you can deploy the configuration script in Deployment mode as a Win32 app to all Update Compliance devices. From 343d9db640693cf2692fd81b1b72151a1f8f2eb7 Mon Sep 17 00:00:00 2001 From: Jaime Ondrusek Date: Tue, 1 Jun 2021 10:27:01 -0700 Subject: [PATCH 167/415] Update update-compliance-configuration-script.md --- .../deployment/update/update-compliance-configuration-script.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/update-compliance-configuration-script.md b/windows/deployment/update/update-compliance-configuration-script.md index 4821714cb4..085bf545d6 100644 --- a/windows/deployment/update/update-compliance-configuration-script.md +++ b/windows/deployment/update/update-compliance-configuration-script.md @@ -23,7 +23,7 @@ ms.topic: article The Update Compliance Configuration Script is the recommended method of configuring devices to send data to Microsoft for use with Update Compliance. The script configures the registry keys backing policies, ensures required services are running, and more. This script is a recommended complement to configuring the required policies documented in [Manually configured devices for Update Compliance](update-compliance-configuration-manual.md), as it can provide feedback on whether there are any configuration issues outside of policies being configured. > [!NOTE] -> The configuration script configures registry keys directly. Registry keys can potentially be overwritten by policy settings like Group Policy or MDM. *Reconfiguring devices with the script does not reconfigure previously set policies, both in the case of Group Policy and MDM*. If there are conflicts between your Group Policy or MDM configurations and the required configurations listed in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md), there may be issues with device data appearing in Update Compliance. +> The configuration script configures registry keys directly. Registry keys can potentially be overwritten by policy settings like Group Policy or MDM. *Reconfiguring devices with the script does not reconfigure previously set policies, both in the case of Group Policy and MDM*. If there are conflicts between your Group Policy or MDM configurations and the required configurations listed in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md), device data might not appear in Update Compliance correctly. You can download the script from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=101086). Keep reading to learn how to configure the script and interpret error codes that are output in logs for troubleshooting. From ce4773f0a6d1aef55b21f203bb65909b475a2699 Mon Sep 17 00:00:00 2001 From: Jaime Ondrusek Date: Tue, 1 Jun 2021 10:28:54 -0700 Subject: [PATCH 168/415] Update update-compliance-get-started.md --- windows/deployment/update/update-compliance-get-started.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md index d84e9ccac6..d1bcb967b9 100644 --- a/windows/deployment/update/update-compliance-get-started.md +++ b/windows/deployment/update/update-compliance-get-started.md @@ -26,7 +26,7 @@ This topic introduces the high-level steps required to enroll to the Update Comp 2. [Add Update Compliance](#add-update-compliance-to-your-azure-subscription) to your Azure subscription. 3. [Configure devices](#enroll-devices-in-update-compliance) to send data to Update Compliance. -After adding the solution to Azure and configuring devices, it can take some time before all devices appear, this is discussed in more detail in the [enrollment section](#enroll-devices-in-update-compliance). Before or as devices appear, you can learn how to [Use Update Compliance](update-compliance-using.md) to monitor Windows Updates and Delivery Optimization. +After adding the solution to Azure and configuring devices, it can take some time before all devices appear. For more information, see the [enrollment section](#enroll-devices-in-update-compliance). Before or as devices appear, you can learn how to [Use Update Compliance](update-compliance-using.md) to monitor Windows Updates and Delivery Optimization. ## Update Compliance prerequisites From 441adf9cacfeaa6c8508b89e6b289eadcfde1212 Mon Sep 17 00:00:00 2001 From: Jaime Ondrusek Date: Tue, 1 Jun 2021 10:30:17 -0700 Subject: [PATCH 169/415] Update update-compliance-get-started.md --- windows/deployment/update/update-compliance-get-started.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md index d1bcb967b9..e975c71cf9 100644 --- a/windows/deployment/update/update-compliance-get-started.md +++ b/windows/deployment/update/update-compliance-get-started.md @@ -103,7 +103,7 @@ To find your CommercialID within Azure: Once you've added Update Compliance to a workspace in your Azure subscription, you'll need to configure any devices you want to monitor. There are a few steps to follow when enrolling devices to Update Compliance: 1. Check the policies, services, and other device enrollment requirements in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md). -2. If you are a [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview) customer, you can follow the MEM enrollment process documented at [Configuring MEM-enrolled devices for Update Compliance](update-compliance-configuration-mem.md). +2. If you use [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview), you can follow the enrollment process documented at [Configuring devices for Update Compliance in Microsoft Endpoint Manager](update-compliance-configuration-mem.md). 3. Finally, you should run the [Update Compliance Configuration Script](update-compliance-configuration-script.md) on all devices to ensure they are appropriately configured and troubleshoot any enrollment issues. After you configure devices, diagnostic data they send will begin to be associated with your Azure AD organization ("tenant"). However, enrolling to Update Compliance doesn't influence the rate at which required data is uploaded from devices. Device connectivity to the internet and generally how active the device is highly influences how long it will take before the device appears in Update Compliance. Devices that are active and connected to the internet daily can expect to be fully uploaded within one week (usually less than 72 hours). Devices that are less active can take up to two weeks before data is fully available. From 815910f0c7cf49399da0ba1037a14349163ca25d Mon Sep 17 00:00:00 2001 From: Jeff Borsecnik <36546697+jborsecnik@users.noreply.github.com> Date: Tue, 1 Jun 2021 11:31:57 -0700 Subject: [PATCH 170/415] Update update-compliance-configuration-mem.md bookmark fix; attempt to replace absolute links --- .../update/update-compliance-configuration-mem.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/deployment/update/update-compliance-configuration-mem.md b/windows/deployment/update/update-compliance-configuration-mem.md index e9b66d2a5d..aefc6bdaaf 100644 --- a/windows/deployment/update/update-compliance-configuration-mem.md +++ b/windows/deployment/update/update-compliance-configuration-mem.md @@ -20,11 +20,11 @@ ms.topic: article > [!NOTE] > As of May 10, 2021, a new policy is required to use Update Compliance: "Allow Update Compliance Processing." For more details, see the Mobile Device Management policies and Group policies tables. -This article is specifically targeted at configuring devices enrolled to [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview) for Update Compliance, within MEM itself. Configuring devices for Update Compliance in MEM breaks down to the following steps: +This article is specifically targeted at configuring devices enrolled to [Microsoft Endpoint Manager](/mem/endpoint-manager-overview) for Update Compliance, within MEM itself. Configuring devices for Update Compliance in MEM breaks down to the following steps: 1. [Create a configuration profile](#create-a-configuration-profile) for devices you want to enroll, that contains settings for all the MDM policies that must be configured. 2. [Deploy the configuration script](#deploy-the-configuration-script) as a Win32 app to those same devices, so additional checks can be performed to ensure devices are correctly configured. -3. Wait for data to populate. The length of this process depends on the computer being on, connected to the internet, and correctly configured. Some data types take longer to appear than others. You can learn more about this in the broad section on [enrolling devices to Update Compliance](update-compliance-get-started.md##enroll-devices-in-update-compliance). +3. Wait for data to populate. The length of this process depends on the computer being on, connected to the internet, and correctly configured. Some data types take longer to appear than others. You can learn more about this in the broad section on [enrolling devices to Update Compliance](update-compliance-get-started.md#enroll-devices-in-update-compliance). ## Create a configuration profile @@ -71,6 +71,6 @@ Take the following steps to create a configuration profile that will set require ## Deploy the configuration script -The [Update Compliance Configuration Script](update-compliance-configuration-script.md) is an important component of properly enrolling devices in Update Compliance, though it isn't strictly necessary. It checks to ensure that devices have the required services running and checks connectivity to the endpoints detailed in the section on [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md). You can deploy the script as a Win32 app. For more information, see [Win32 app management in Microsoft Intune](https://docs.microsoft.com/mem/intune/apps/apps-win32-app-management). +The [Update Compliance Configuration Script](update-compliance-configuration-script.md) is an important component of properly enrolling devices in Update Compliance, though it isn't strictly necessary. It checks to ensure that devices have the required services running and checks connectivity to the endpoints detailed in the section on [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md). You can deploy the script as a Win32 app. For more information, see [Win32 app management in Microsoft Intune](/mem/intune/apps/apps-win32-app-management). When you deploy the configuration script as a Win32 app, you won't be able to retrieve the results of logs on the device without having access to the device, or saving results of the logs to a shared filesystem. We recommend deploying the script in Pilot mode to a set of devices that you do have access to, or have a way to access the resultant log output the script provides, with as similar of a configuration profile as other devices which will be enrolled to Update Compliance, and analyzing the logs for any potential issues. Following this, you can deploy the configuration script in Deployment mode as a Win32 app to all Update Compliance devices. From 1feed94c3aa7b2ebbf5b1418f159fedaadfbdd2a Mon Sep 17 00:00:00 2001 From: Jeff Borsecnik <36546697+jborsecnik@users.noreply.github.com> Date: Tue, 1 Jun 2021 11:35:13 -0700 Subject: [PATCH 171/415] Update update-compliance-get-started.md switch to rel link --- windows/deployment/update/update-compliance-get-started.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md index e975c71cf9..f1c18585dd 100644 --- a/windows/deployment/update/update-compliance-get-started.md +++ b/windows/deployment/update/update-compliance-get-started.md @@ -103,7 +103,7 @@ To find your CommercialID within Azure: Once you've added Update Compliance to a workspace in your Azure subscription, you'll need to configure any devices you want to monitor. There are a few steps to follow when enrolling devices to Update Compliance: 1. Check the policies, services, and other device enrollment requirements in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md). -2. If you use [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview), you can follow the enrollment process documented at [Configuring devices for Update Compliance in Microsoft Endpoint Manager](update-compliance-configuration-mem.md). +2. If you use [Microsoft Endpoint Manager](/mem/endpoint-manager-overview), you can follow the enrollment process documented at [Configuring devices for Update Compliance in Microsoft Endpoint Manager](update-compliance-configuration-mem.md). 3. Finally, you should run the [Update Compliance Configuration Script](update-compliance-configuration-script.md) on all devices to ensure they are appropriately configured and troubleshoot any enrollment issues. After you configure devices, diagnostic data they send will begin to be associated with your Azure AD organization ("tenant"). However, enrolling to Update Compliance doesn't influence the rate at which required data is uploaded from devices. Device connectivity to the internet and generally how active the device is highly influences how long it will take before the device appears in Update Compliance. Devices that are active and connected to the internet daily can expect to be fully uploaded within one week (usually less than 72 hours). Devices that are less active can take up to two weeks before data is fully available. From 5af48f6be2deb00ea8733163229159bde7d2e972 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 1 Jun 2021 12:17:01 -0700 Subject: [PATCH 172/415] sv --- .openpublishing.publish.config.json | 6 +- windows/deployment/TOC.yml | 8 +-- windows/{windows-11 => sv}/TOC.yml | 0 windows/{windows-11 => sv}/breadcrumb/toc.yml | 0 windows/{windows-11 => sv}/docfx.json | 0 windows/{windows-11 => sv}/index.yml | 0 windows/{windows-11 => sv}/placeholder.md | 0 windows/{windows-11 => sv}/windows-11-faq.md | 0 .../windows-11-lifecycle.md | 0 .../{windows-11 => sv}/windows-11-overview.md | 0 .../windows-11-requirements.md | 0 windows/whats-new/sv/TOC.yml | 36 +++++++++++ windows/whats-new/sv/breadcrumb/toc.yml | 53 ++++++++++++++++ windows/whats-new/sv/docfx.json | 51 +++++++++++++++ windows/whats-new/sv/index.yml | 63 +++++++++++++++++++ windows/whats-new/sv/placeholder.md | 22 +++++++ windows/whats-new/sv/windows-11-faq.md | 21 +++++++ windows/whats-new/sv/windows-11-lifecycle.md | 21 +++++++ windows/whats-new/sv/windows-11-overview.md | 22 +++++++ .../whats-new/sv/windows-11-requirements.md | 22 +++++++ 20 files changed, 318 insertions(+), 7 deletions(-) rename windows/{windows-11 => sv}/TOC.yml (100%) rename windows/{windows-11 => sv}/breadcrumb/toc.yml (100%) rename windows/{windows-11 => sv}/docfx.json (100%) rename windows/{windows-11 => sv}/index.yml (100%) rename windows/{windows-11 => sv}/placeholder.md (100%) rename windows/{windows-11 => sv}/windows-11-faq.md (100%) rename windows/{windows-11 => sv}/windows-11-lifecycle.md (100%) rename windows/{windows-11 => sv}/windows-11-overview.md (100%) rename windows/{windows-11 => sv}/windows-11-requirements.md (100%) create mode 100644 windows/whats-new/sv/TOC.yml create mode 100644 windows/whats-new/sv/breadcrumb/toc.yml create mode 100644 windows/whats-new/sv/docfx.json create mode 100644 windows/whats-new/sv/index.yml create mode 100644 windows/whats-new/sv/placeholder.md create mode 100644 windows/whats-new/sv/windows-11-faq.md create mode 100644 windows/whats-new/sv/windows-11-lifecycle.md create mode 100644 windows/whats-new/sv/windows-11-overview.md create mode 100644 windows/whats-new/sv/windows-11-requirements.md diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json index 4fc470da75..32eb1b181b 100644 --- a/.openpublishing.publish.config.json +++ b/.openpublishing.publish.config.json @@ -130,9 +130,9 @@ "template_folder": "_themes" }, { - "docset_name": "windows-11", - "build_source_folder": "windows/windows-11", - "build_output_subfolder": "windows-11", + "docset_name": "sv", + "build_source_folder": "windows/sv", + "build_output_subfolder": "sv", "locale": "en-us", "monikers": [], "moniker_ranges": [], diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index 3a19c56f54..559a6b7d13 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml @@ -6,7 +6,7 @@ - name: What's new href: deploy-whats-new.md - name: Windows 11 deployment overview - href: sv-deploy.md + href: windows-11-deploy.md - name: Windows client deployment scenarios href: windows-10-deployment-scenarios.md - name: What is Windows as a service? @@ -36,7 +36,7 @@ - name: Plan items: - name: Windows 11 deployment planning - href: sv-plan.md + href: windows-11-plan.md - name: Create a deployment plan href: update/create-deployment-plan.md - name: Define readiness criteria @@ -72,7 +72,7 @@ - name: Prepare items: - name: Prepare to deploy Windows 11 - href: sv-prepare.md + href: windows-11-prepare.md - name: Prepare to deploy Windows 10 updates href: update/prepare-deploy-windows.md - name: Evaluate and update infrastructure @@ -105,7 +105,7 @@ - name: Deploy Windows client items: - name: Windows 11 deployment overview - href: sv-deploy.md + href: windows-11-deploy.md - name: Deploy Windows client with Autopilot href: windows-autopilot/index.yml - name: Deploy Windows client with Configuration Manager diff --git a/windows/windows-11/TOC.yml b/windows/sv/TOC.yml similarity index 100% rename from windows/windows-11/TOC.yml rename to windows/sv/TOC.yml diff --git a/windows/windows-11/breadcrumb/toc.yml b/windows/sv/breadcrumb/toc.yml similarity index 100% rename from windows/windows-11/breadcrumb/toc.yml rename to windows/sv/breadcrumb/toc.yml diff --git a/windows/windows-11/docfx.json b/windows/sv/docfx.json similarity index 100% rename from windows/windows-11/docfx.json rename to windows/sv/docfx.json diff --git a/windows/windows-11/index.yml b/windows/sv/index.yml similarity index 100% rename from windows/windows-11/index.yml rename to windows/sv/index.yml diff --git a/windows/windows-11/placeholder.md b/windows/sv/placeholder.md similarity index 100% rename from windows/windows-11/placeholder.md rename to windows/sv/placeholder.md diff --git a/windows/windows-11/windows-11-faq.md b/windows/sv/windows-11-faq.md similarity index 100% rename from windows/windows-11/windows-11-faq.md rename to windows/sv/windows-11-faq.md diff --git a/windows/windows-11/windows-11-lifecycle.md b/windows/sv/windows-11-lifecycle.md similarity index 100% rename from windows/windows-11/windows-11-lifecycle.md rename to windows/sv/windows-11-lifecycle.md diff --git a/windows/windows-11/windows-11-overview.md b/windows/sv/windows-11-overview.md similarity index 100% rename from windows/windows-11/windows-11-overview.md rename to windows/sv/windows-11-overview.md diff --git a/windows/windows-11/windows-11-requirements.md b/windows/sv/windows-11-requirements.md similarity index 100% rename from windows/windows-11/windows-11-requirements.md rename to windows/sv/windows-11-requirements.md diff --git a/windows/whats-new/sv/TOC.yml b/windows/whats-new/sv/TOC.yml new file mode 100644 index 0000000000..ad14e66327 --- /dev/null +++ b/windows/whats-new/sv/TOC.yml @@ -0,0 +1,36 @@ +- name: Windows 11 + href: index.yml + items: + - name: Get started + items: + - name: Windows 11 overview + href: windows-11-overview.md + - name: Windows 11 requirements + href: windows-11-requirements.md + - name: Windows 11 FAQ + href: windows-11-faq.md + + - name: Deploy and Manage Windows 11 + items: + - name: Plan to deploy Windows 11 + href: /windows/deployment/windows-11-plan + - name: Prepare for Windows 11 + href: /windows/deployment/windows-11-prepare.md + - name: Deploy Windows 11 + href: /windows/deployment/windows-11-deploy.md + - name: Configure Windows 11 + href: /windows/configuration/windows-11-configure.md + - name: Manage Windows 11 + href: /windows/client-management/windows-11-manage.md + - name: Windows 11 application readiness + href: /windows/application-management/windows-11-app-readiness.md + + - name: Support + items: + - name: Windows 11 lifecycle + href: windows-11-lifecycle.md + - name: Windows 11 release information + href: /windows/release-health + + + diff --git a/windows/whats-new/sv/breadcrumb/toc.yml b/windows/whats-new/sv/breadcrumb/toc.yml new file mode 100644 index 0000000000..e2971f2d84 --- /dev/null +++ b/windows/whats-new/sv/breadcrumb/toc.yml @@ -0,0 +1,53 @@ +- name: Docs + tocHref: / + topicHref: / + items: + - name: Windows + tocHref: /windows + topicHref: /windows/windows-10 + items: + - name: What's new + tocHref: /windows/whats-new/ + topicHref: /windows/whats-new/index + - name: Configuration + tocHref: /windows/configuration/ + topicHref: /windows/configuration/index + - name: Deployment + tocHref: /windows/deployment/ + topicHref: /windows/deployment/index + - name: Application management + tocHref: /windows/application-management/ + topicHref: /windows/application-management/index + - name: Client management + tocHref: /windows/client-management/ + topicHref: /windows/client-management/index + items: + - name: Mobile Device Management + tocHref: /windows/client-management/mdm/ + topicHref: /windows/client-management/mdm/index + - name: Release information + tocHref: /windows/release-information/ + topicHref: /windows/release-health/release-information + - name: Privacy + tocHref: /windows/privacy/ + topicHref: /windows/privacy/index + - name: Security + tocHref: /windows/security/ + topicHref: /windows/security/index + items: + - name: Identity and access protection + tocHref: /windows/security/identity-protection/ + topicHref: /windows/security/identity-protection/index + items: + - name: Windows Hello for Business + tocHref: /windows/security/identity-protection/hello-for-business + topicHref: /windows/security/identity-protection/hello-for-business/hello-identity-verification + - name: Threat protection + tocHref: /windows/security/threat-protection/ + topicHref: /windows/security/threat-protection/index + - name: Information protection + tocHref: /windows/security/information-protection/ + topicHref: /windows/security/information-protection/index + - name: Hardware-based protection + tocHref: /windows/security/hardware-protection/ + topicHref: /windows/security/hardware-protection/index diff --git a/windows/whats-new/sv/docfx.json b/windows/whats-new/sv/docfx.json new file mode 100644 index 0000000000..e7955464fe --- /dev/null +++ b/windows/whats-new/sv/docfx.json @@ -0,0 +1,51 @@ +{ + "build": { + "content": [ + { + "files": [ + "**/*.md", + "**/*.yml" + ], + "exclude": [ + "**/obj/**", + "**/includes/**", + "_themes/**", + "_themes.pdf/**", + "**/docfx.json", + "_repo.en-us/**", + "README.md", + "LICENSE", + "LICENSE-CODE", + "ThirdPartyNotices.md" + ] + } + ], + "resource": [ + { + "files": [ + "**/*.png", + "**/*.jpg" + ], + "exclude": [ + "**/obj/**", + "**/includes/**", + "_themes/**", + "_themes.pdf/**", + "**/docfx.json", + "_repo.en-us/**" + ] + } + ], + "overwrite": [], + "externalReference": [], + "globalMetadata": { + "breadcrumb_path": "/windows/windows-11/breadcrumb/toc.json", + "extendBreadcrumb": true, + "feedback_system": "None" + }, + "fileMetadata": {}, + "template": [], + "dest": "windows-11", + "markdownEngineName": "markdig" + } +} \ No newline at end of file diff --git a/windows/whats-new/sv/index.yml b/windows/whats-new/sv/index.yml new file mode 100644 index 0000000000..5e33fe3113 --- /dev/null +++ b/windows/whats-new/sv/index.yml @@ -0,0 +1,63 @@ +### YamlMime:Landing + +title: Windows SV # < 60 chars +summary: Find out about Windows Windows 11. # < 160 chars + +metadata: + title: Windows SV # Required; page title displayed in search results. Include the brand. < 60 chars. + description: Learn about the administrative tools, tasks and best practices for managing Windows SV across your enterprise. # Required; article description that is displayed in search results. < 160 chars. + services: windows-10 + ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. + ms.subservice: subservice + ms.topic: landing-page # Required + ms.collection: windows-10 + author: greg-lindsay #Required; your GitHub user alias, with correct capitalization. + ms.author: greglin #Required; microsoft alias of author; optional team alias. + ms.date: 05/07/2021 #Required; mm/dd/yyyy format. + localization_priority: medium + +# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new + +landingContent: +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: Get started + linkLists: + - linkListType: overview + links: + - text: Windows Windows 11 overview + url: sv-overview.md + - text: Windows Windows 11 requirements + url: sv-requirements.md + - text: Windows Windows 11 FAQ + url: sv-faq.md + + # Card (optional) + - title: Deploy Windows 11 + linkLists: + - linkListType: overview + links: + - text: Plan to deploy Windows Windows 11 + url: /windows/deployment/sv-plan.md + - text: Prepare for Windows Windows 11 + url: /windows/deployment/sv-prepare.md + - text: Deploy Windows Windows 11 + url: /windows/deployment/sv-deploy.md + - text: Configure Windows Windows 11 + url: /windows/configuration/sv-configure.md + - text: Manage Windows Windows 11 + url: /windows/client-management/sv-manage.md + - text: Windows Windows 11 application readiness + url: /windows/application-management/sv-app-readiness.md + + # Card (optional) + - title: Support information + linkLists: + - linkListType: overview + links: + - text: Windows Windows 11 lifecycle + url: placeholder.md + - text: Windows Windows 11 release information + url: ../release-health + diff --git a/windows/whats-new/sv/placeholder.md b/windows/whats-new/sv/placeholder.md new file mode 100644 index 0000000000..fecfe94a8e --- /dev/null +++ b/windows/whats-new/sv/placeholder.md @@ -0,0 +1,22 @@ +--- +title: Placeholder +description: PH +ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C +ms.reviewer: +manager: laurawi +ms.audience: itpro +author: greg-lindsay +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.localizationpriority: medium +audience: itpro +ms.topic: article +ms.custom: seo-marvel-apr2020 +--- + +# Placeholder + +Placeholder text. + diff --git a/windows/whats-new/sv/windows-11-faq.md b/windows/whats-new/sv/windows-11-faq.md new file mode 100644 index 0000000000..1ac810bb60 --- /dev/null +++ b/windows/whats-new/sv/windows-11-faq.md @@ -0,0 +1,21 @@ +--- +title: Placeholder +description: PH +ms.reviewer: +manager: laurawi +ms.audience: itpro +author: greg-lindsay +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.localizationpriority: medium +audience: itpro +ms.topic: article +ms.custom: seo-marvel-apr2020 +--- + +# Windows 11 frequently asked questions (FAQ) + +FAQ. + diff --git a/windows/whats-new/sv/windows-11-lifecycle.md b/windows/whats-new/sv/windows-11-lifecycle.md new file mode 100644 index 0000000000..fab8fda180 --- /dev/null +++ b/windows/whats-new/sv/windows-11-lifecycle.md @@ -0,0 +1,21 @@ +--- +title: Lifecycle +description: Lifecycle information for Windows 11 +ms.reviewer: +manager: laurawi +ms.audience: itpro +author: greg-lindsay +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.localizationpriority: medium +audience: itpro +ms.topic: article +ms.custom: seo-marvel-apr2020 +--- + +# Windows 11 lifecycle + +Windows 11 lifecycle. + diff --git a/windows/whats-new/sv/windows-11-overview.md b/windows/whats-new/sv/windows-11-overview.md new file mode 100644 index 0000000000..f39f5e4c23 --- /dev/null +++ b/windows/whats-new/sv/windows-11-overview.md @@ -0,0 +1,22 @@ +--- +title: Placeholder +description: PH +ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C +ms.reviewer: +manager: laurawi +ms.audience: itpro +author: greg-lindsay +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.localizationpriority: medium +audience: itpro +ms.topic: article +ms.custom: seo-marvel-apr2020 +--- + +# Windows 11 overview + +Overview of Windows 11. + diff --git a/windows/whats-new/sv/windows-11-requirements.md b/windows/whats-new/sv/windows-11-requirements.md new file mode 100644 index 0000000000..482850a4f9 --- /dev/null +++ b/windows/whats-new/sv/windows-11-requirements.md @@ -0,0 +1,22 @@ +--- +title: Placeholder +description: PH +ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C +ms.reviewer: +manager: laurawi +ms.audience: itpro +author: greg-lindsay +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.localizationpriority: medium +audience: itpro +ms.topic: article +ms.custom: seo-marvel-apr2020 +--- + +# Windows 11 requirements + +Windows 11 requirements. + From 9fd633ba5a9bf87b9868997929b69b44db80a164 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Wed, 2 Jun 2021 12:38:29 +0500 Subject: [PATCH 173/415] update basic-audit-account-management.md --- .../basic-audit-account-management.md | 84 +++++++++---------- 1 file changed, 42 insertions(+), 42 deletions(-) diff --git a/windows/security/threat-protection/auditing/basic-audit-account-management.md b/windows/security/threat-protection/auditing/basic-audit-account-management.md index 10a7cb1c8c..dd21f98e57 100644 --- a/windows/security/threat-protection/auditing/basic-audit-account-management.md +++ b/windows/security/threat-protection/auditing/basic-audit-account-management.md @@ -46,48 +46,48 @@ You can configure this security setting by opening the appropriate policy under | Account management events | Description | |---------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 624 | A user account was created. | -| 627 | A user password was changed. | -| 628 | A user password was set. | -| 630 | A user account was deleted. | -| 631 | A global group was created. | -| 632 | A member was added to a global group. | -| 633 | A member was removed from a global group. | -| 634 | A global group was deleted. | -| 635 | A new local group was created. | -| 636 | A member was added to a local group. | -| 637 | A member was removed from a local group. | -| 638 | A local group was deleted. | -| 639 | A local group account was changed. | -| 641 | A global group account was changed. | -| 642 | A user account was changed. | -| 643 | A domain policy was modified. | -| 644 | A user account was auto locked. | -| 645 | A computer account was created. | -| 646 | A computer account was changed. | -| 647 | A computer account was deleted. | -| 648 | A local security group with security disabled was created.
**Note:** SECURITY_DISABLED in the formal name means that this group cannot be used to grant permissions in access checks. | -| 649 | A local security group with security disabled was changed. | -| 650 | A member was added to a security-disabled local security group. | -| 651 | A member was removed from a security-disabled local security group. | -| 652 | A security-disabled local group was deleted. | -| 653 | A security-disabled global group was created. | -| 645 | A security-disabled global group was changed. | -| 655 | A member was added to a security-disabled global group. | -| 656 | A member was removed from a security-disabled global group. | -| 657 | A security-disabled global group was deleted. | -| 658 | A security-enabled universal group was created. | -| 659 | A security-enabled universal group was changed. | -| 660 | A member was added to a security-enabled universal group. | -| 661 | A member was removed from a security-enabled universal group. | -| 662 | A security-enabled universal group was deleted. | -| 663 | A security-disabled universal group was created. | -| 664 | A security-disabled universal group was changed. | -| 665 | A member was added to a security-disabled universal group. | -| 666 | A member was removed from a security-disabled universal group. | -| 667 | A security-disabled universal group was deleted. | -| 668 | A group type was changed. | -| 684 | Set the security descriptor of members of administrative groups. | +| 4720 | A user account was created. | +| 4723 | A user password was changed. | +| 4724 | A user password was set. | +| 4726 | A user account was deleted. | +| 4727 | A global group was created. | +| 4728 | A member was added to a global group. | +| 4729 | A member was removed from a global group. | +| 4730 | A global group was deleted. | +| 4731 | A new local group was created. | +| 4732 | A member was added to a local group. | +| 4733 | A member was removed from a local group. | +| 4734 | A local group was deleted. | +| 4735 | A local group account was changed. | +| 4737 | A global group account was changed. | +| 4738 | A user account was changed. | +| 4739 | A domain policy was modified. | +| 4740 | A user account was auto locked. | +| 4741 | A computer account was created. | +| 4742 | A computer account was changed. | +| 4743 | A computer account was deleted. | +| 4744 | A local security group with security disabled was created.
**Note:** SECURITY_DISABLED in the formal name means that this group cannot be used to grant permissions in access checks. | +| 4745 | A local security group with security disabled was changed. | +| 4746 | A member was added to a security-disabled local security group. | +| 4747 | A member was removed from a security-disabled local security group. | +| 4748 | A security-disabled local group was deleted. | +| 4749 | A security-disabled global group was created. | +| 4750 | A security-disabled global group was changed. | +| 4751 | A member was added to a security-disabled global group. | +| 4752 | A member was removed from a security-disabled global group. | +| 4753 | A security-disabled global group was deleted. | +| 4754 | A security-enabled universal group was created. | +| 4755 | A security-enabled universal group was changed. | +| 4756 | A member was added to a security-enabled universal group. | +| 4757 | A member was removed from a security-enabled universal group. | +| 4758 | A security-enabled universal group was deleted. | +| 4759 | A security-disabled universal group was created. | +| 4760 | A security-disabled universal group was changed. | +| 4761 | A member was added to a security-disabled universal group. | +| 4762 | A member was removed from a security-disabled universal group. | +| 4763 | A security-disabled universal group was deleted. | +| 4764 | A group type was changed. | +| 4780 | Set the security descriptor of members of administrative groups. | | 685 | Set the security descriptor of members of administrative groups.
**Note:** Every 60 minutes on a domain controller a background thread searches all members of administrative groups (such as domain, enterprise, and schema administrators) and applies a fixed security descriptor on them. This event is logged. | ## Related topics From ab320a70eac965e084f5e73670f000c27b9d559a Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Wed, 2 Jun 2021 14:24:45 +0500 Subject: [PATCH 174/415] Update Proxy servers and Internal proxy servers Made changes in Proxy servers and Internal proxy servers. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/9499 --- .../create-wip-policy-using-intune-azure.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index c10b2990b3..69a4976fae 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -486,7 +486,7 @@ Specify the proxy servers your devices will go through to reach your cloud resou Using this server type indicates that the cloud resources you’re connecting to are enterprise resources. This list shouldn’t include any servers listed in your Internal proxy servers list. -Internal proxy servers must be used only for WIP-protected (enterprise) traffic. +Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic. Separate multiple resources with the ";" delimiter. ```console @@ -497,8 +497,7 @@ proxy.contoso.com:80;proxy2.contoso.com:443 Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources. -This list shouldn’t include any servers listed in your Proxy servers list. -Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic. +This list shouldn’t include any servers listed in your Proxy servers list. Internal proxy servers must be used only for WIP-protected (enterprise) traffic. Separate multiple resources with the ";" delimiter. ```console From 0ea039011830844a17359aa17bffc66723a54bbd Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Wed, 2 Jun 2021 14:29:53 +0500 Subject: [PATCH 175/415] Update in Changing the PIN Made some update in Changing the PIN Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/9475 --- .../virtual-smart-card-use-virtual-smart-cards.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md index cb9d870d46..f5d0883f98 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md @@ -80,8 +80,12 @@ A TPM-based virtual smart card is labeled **Security Device** in the user interf ## Changing the PIN -The PIN for virtual smart card can be changed by pressing Ctrl+Alt+Del, and then selecting the TPM virtual smart card under **Sign in options**. - +The PIN for virtual smart card can be changed by following steps: +- Log on with the old pin or password. +- Press Ctrl+Alt+Del and choose **Change a password**. +- Click ""Sign-in Options**. +- Click the **Virtual smart card icon**. +- Change the pin. ## Resolving issues ### TPM not provisioned @@ -100,4 +104,4 @@ Sometimes, due to frequent incorrect PIN attempts from a user, the TPM may enter ## See also -For information about authentication, confidentiality, and data integrity use cases, see [Virtual Smart Card Overview](virtual-smart-card-overview.md). \ No newline at end of file +For information about authentication, confidentiality, and data integrity use cases, see [Virtual Smart Card Overview](virtual-smart-card-overview.md). From 24f4911e7e52468364a83e2477d2b91cf8f495b4 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Wed, 2 Jun 2021 15:24:17 +0530 Subject: [PATCH 176/415] added may 2021 admx link as per user feedback #9636 , so i added may 2021 admx template link. --- ...-a-windows-10-device-automatically-using-group-policy.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index 75c2d3f601..939ecd1a60 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -195,6 +195,8 @@ Requirements: - 20H2 --> [Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2)](https://www.microsoft.com/download/details.aspx?id=102157) + - 21H1 --> [Administrative Templates (.admx) for Windows 10 May 2021 Update (21H1)](https://www.microsoft.com/download/details.aspx?id=103124) + 2. Install the package on the Domain Controller. 3. Navigate, depending on the version to the folder: @@ -211,6 +213,8 @@ Requirements: - 20H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2020 Update (20H2)** + - 21H1 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2021 Update (21H1)** + 4. Rename the extracted Policy Definitions folder to **PolicyDefinitions**. 5. Copy PolicyDefinitions folder to **\\contoso.com\SYSVOL\contoso.com\policies\PolicyDefinitions**. @@ -294,7 +298,7 @@ To collect Event Viewer logs: - [Group Policy Central Store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) ### Useful Links - +- [Windows 10 Administrative Templates for Windows 10 May 2021 Update 21H1](https://www.microsoft.com/download/details.aspx?id=103124) - [Windows 10 Administrative Templates for Windows 10 November 2019 Update 1909](https://www.microsoft.com/download/details.aspx?id=100591) - [Windows 10 Administrative Templates for Windows 10 May 2019 Update 1903](https://www.microsoft.com/download/details.aspx?id=58495) - [Windows 10 Administrative Templates for Windows 10 October 2018 Update 1809](https://www.microsoft.com/download/details.aspx?id=57576) From 70acd1d2b6e65ecdce2dbf73fa5a8bfc84416a25 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Wed, 2 Jun 2021 13:01:35 +0100 Subject: [PATCH 177/415] updates for AllowTelemetry --- .../mdm/policy-csp-system.md | 20 +++++++------------ ...s-to-windows-diagnostic-data-collection.md | 2 +- 2 files changed, 8 insertions(+), 14 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 905ec90ac2..89ff9b9090 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -740,22 +740,16 @@ In Windows 10, you can configure this policy setting to decide what level of dia The following list shows the supported values for Windows 10 version 1809 and older: -- 0 – (**Security**) Sends information that is required to help keep Windows more secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Microsoft Defender. - **Note:** This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 IoT Core (IoT Core), Hololens 2, and Windows Server 2016. Using this setting on other devices is equivalent to setting the value of 1. -- 1 – (**Basic**) Sends the same data as a value of 0, plus additional basic device info, including quality-related data, app compatibility, and app usage data. -- 2 – (**Enhanced**) Sends the same data as a value of 1, plus additional insights, including how Windows, Windows Server, System Center, and apps are used, how they perform, and advanced reliability data. -- 3 – (**Full**) Sends the same data as a value of 2, plus all data necessary to identify and fix problems with devices. +- 0 – (**Security**) This turns Windows diagnostic data off. +- **Note**: This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 IoT Core (IoT Core), HoloLens 2, and Windows Server 2016 (and later versions). Using this setting on other devices editions of Windows is equivalent to setting the value of 1. +- 1 – (**Required**) Sends basic device info, including quality-related data, app compatibility, and other similar data to keep the device secure and up-to-date. +- 2 – (**Enhanced**) Sends the same data as a value of 1, plus additional insights, including how Windows, Windows Server, System Center, and apps are used, how they perform, and advanced reliability data, such as limited crash dumps. +- 3 – (**Optional**) Sends the same data as a value of 2, plus additional data necessary to identify and fix problems with devices such as enhanced error logs. -Most restricted value is 0. - -For Windows 10 version 19H1 and later, we simplified your diagnostic data controls by moving from four diagnostic data controls to three. The following list shows the supported values: - -- **0 - Diagnostic data off** - No Windows diagnostic data sent. -- **1 - Required (Basic)** - Minimum data required to keep the device secure, up to date, and performing as expected. -- **3 - Optional (Full)** - Additional data about the websites you browse, how Windows and apps are used and how they perform. This data also includes data about device activity, and enhanced error reporting that helps Microsoft to fix and improve products and services for all users. +Most restrictive value is 0. > [!NOTE] -> If your devices are set to Enhanced when they are upgraded, the device settings will be migrated to the more privacy-preserving setting of Required diagnostic data. For more information, see [Changes to Windows diagnostic data](/windows/privacy/changes-to-windows-diagnostic-data-collection). +> If your devices are set to Enhanced when they are upgraded, the device settings will be evaluated to be at the more privacy-preserving setting of Required diagnostic data. For more information, see [Changes to Windows diagnostic data](/windows/privacy/changes-to-windows-diagnostic-data-collection). + +For more general tips, see [prevent malware infection](prevent-malware-infection.md). + +## Human-operated ransomware + +Unlike auto-spreading ransomware like WannaCry or NotPetya, human-operated ransomware is the result of active and ongoing attacks that target an organization rather than a single device. Cybercriminals use their knowledge of common system and security misconfigurations and vulnerabilities to infiltrate the organization, navigate the enterprise network, adapt to the environment, and exploit its weaknesses as they go. + +Hallmarks of these human-operated ransomware attacks typically include credential theft and lateral movement and can result in deployment of ransomware payloads to high business impact resources that attackers choose. Once deployed, the attackers contact the organization with their ransom demands. + +The same primary prevention techniques described in this article should be implemented to prevent human-operated ransomware. For additional preventative measures against human-operated ransomware, see this [article](/security/compass/human-operated-ransomware). + +See [this blog post](https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/) from the Microsoft 365 Defender Threat Intelligence Team for more information and attack chain analysis of actual human-operated ransomware attacks. From 1174cb4b333f2ebca7c124e6a51b379eac330ea7 Mon Sep 17 00:00:00 2001 From: Joe Davies Date: Fri, 4 Jun 2021 13:02:07 -0700 Subject: [PATCH 241/415] Update ransomware-malware.md --- .../intelligence/ransomware-malware.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/intelligence/ransomware-malware.md b/windows/security/threat-protection/intelligence/ransomware-malware.md index 00bd93579d..2eee3a6421 100644 --- a/windows/security/threat-protection/intelligence/ransomware-malware.md +++ b/windows/security/threat-protection/intelligence/ransomware-malware.md @@ -66,7 +66,7 @@ To provide the best protection against ransomware attacks, Microsoft recommends 2. Deploy regular hardware and software systems patching and effective vulnerability management - A vital defense against cybersecurity attacks is the application of security updates and patches as soon as the software vendors release them. + A vital defense against cybersecurity attacks is the application of security updates and patches as soon as the software publishers release them. A prominent example of this failure was the WannaCry ransomware events in 2017, one of the largest global cybersecurity attacks in the history of the internet, which used a leaked vulnerability in Windows networking Server Message Block (SMB) protocol, for which Microsoft had released a patch nearly two months before the first publicized incident. @@ -74,9 +74,9 @@ To provide the best protection against ransomware attacks, Microsoft recommends **HOW:** Use [update channels](/microsoft-365/enterprise/deploy-update-channels-examples) for recommendations on updates for Windows 10 and Microsoft 365 Apps for Enterprise (Windows 10). -3. Use up-to-date antivirus and an endpoint detection and response (EDR) solutions +3. Use up to date antivirus and an endpoint detection and response (EDR) solutions - While owning an antivirus solution alone does not ensure absolute protection against viruses and other advanced computer threats, it’s very important to ensure that your antivirus solutions are kept up-to-date with your software vendors. + While owning an antivirus solution alone does not ensure absolute protection against viruses and other advanced computer threats, ensure that your antivirus solutions are kept up to date with your software publishers. Attackers invest heavily in the creation of new viruses and exploits, while vendors are left playing catch-up by releasing daily updates to their antivirus database engines. @@ -88,11 +88,11 @@ To provide the best protection against ransomware attacks, Microsoft recommends **HOW:** To effectively reduce your credential attack surface, use Microsoft support for [Azure Multi-Factor Authentication (MFA)](/azure/active-directory/authentication/concept-mfa-howitworks) to require stronger authentication for privileged accounts, [Azure Privileged Identity Management (PIM)](/azure/active-directory/privileged-identity-management/) for just-in-time use of privileged accounts, and [Privileged Access Management (PAM)](/microsoft-365/compliance/privileged-access-management-solution-overview) for just-in-time access to Microsoft 365 tasks that need elevated permissions. -5. Implement effective application allow lists +5. Implement effective application allowlists - It’s very important as part of a ransomware prevention strategy to restrict the applications that can run within an IT infrastructure. Application allow lists ensure only applications that have been tested and approved by an organization can run on the systems within the infrastructure. While this can be tedious and presents several IT administrative challenges, this strategy has been proven effective. + You need to restrict the applications that can run within an IT infrastructure. Application allowlists ensure only applications that have been tested and approved by an organization can run on the systems within the infrastructure. While this can be tedious and presents several IT administrative challenges, this strategy has been proven effective. - **HOW:** For Microsoft 365 apps, use [Azure AD Conditional Access](azure/active-directory/conditional-access/app-based-conditional-access) to require approved apps. + **HOW:** For Microsoft 365 apps, use [Azure AD Conditional Access](/azure/active-directory/conditional-access/app-based-conditional-access) to require approved apps. 6. Regularly back up critical systems and files From 840a38048575d1bbb83ef14c9877ab793d1ba891 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Fri, 4 Jun 2021 13:54:49 -0700 Subject: [PATCH 242/415] Added suggested feedback to event-id-explanation and select-types-of-rules documents. --- .../event-id-explanations.md | 2 +- .../select-types-of-rules-to-create.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index fb6a29d22d..f6ca319d9d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -109,7 +109,7 @@ A list of other relevant event IDs and their corresponding description. | 3082 | If the policy was in enforced mode, the non-WHQL driver would have been denied by the policy. | | 3084 | Code Integrity will enforce the WHQL Required policy setting on this session. | | 3085 | Code Integrity will not enforce the WHQL Required policy setting on this session. | -| 3086 | The file under validation does not meet the signing requirements for an IUM (isolated user mode) process. | +| 3086 | The file under validation does not meet the signing requirements for an isolated user mode (IUM) process. | | 3095 | This Code Integrity policy cannot be refreshed and must be rebooted instead. | | 3097 | The Code Integrity policy cannot be refreshed. | | 3100 | The application control policy was refreshed but was unsuccessfully activated. Retry. | diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 91b1a1725e..fa5065912e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -127,7 +127,7 @@ Wildcards can be used at the beginning or end of a path rule; only one wildcard You can also use the following macros when the exact volume may vary: `%OSDRIVE%`, `%WINDIR%`, `%SYSTEM32%`. > [!NOTE] -> For others to better understand the WDAC policies that has been deployed, we recommend maintaining separate ALLOW and DENY policies on version 1903 and higher. +> For others to better understand the WDAC policies that has been deployed, we recommend maintaining separate ALLOW and DENY policies on Windows 10, version 1903 and later. ## More information about hashes From 9f96ebfac501647c03b74cfc94a93bac1c7032bd Mon Sep 17 00:00:00 2001 From: Joe Davies Date: Fri, 4 Jun 2021 15:57:28 -0700 Subject: [PATCH 243/415] Update ransomware-malware.md --- .../threat-protection/intelligence/ransomware-malware.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/intelligence/ransomware-malware.md b/windows/security/threat-protection/intelligence/ransomware-malware.md index 2eee3a6421..f09ebe1af1 100644 --- a/windows/security/threat-protection/intelligence/ransomware-malware.md +++ b/windows/security/threat-protection/intelligence/ransomware-malware.md @@ -62,7 +62,7 @@ To provide the best protection against ransomware attacks, Microsoft recommends By adopting an enterprise-grade email protection solution, most cybersecurity threats against an organization will be blocked at ingress and egress. - **HOW:** Use [Exchange Online Protection (EOP)](/microsoft-365/security/office-365-security/exchange-online-protection-overview), the Microsoft 365 and Office 365 cloud-based filtering service that protects your organization' Exchange Online mailboxes against spam, malware, and other email threats. + **HOW:** Use [Exchange Online Protection (EOP)](/microsoft-365/security/office-365-security/exchange-online-protection-overview), the Microsoft 365 and Office 365 cloud-based filtering service that protects your organization's Exchange Online mailboxes against spam, malware, and other email threats. 2. Deploy regular hardware and software systems patching and effective vulnerability management From d55e19b1fb18b23c3fc84817a9e0b98eebe68456 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Sat, 5 Jun 2021 12:01:29 +0530 Subject: [PATCH 244/415] Update windows/deployment/update/feature-update-maintenance-window.md accepted Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/deployment/update/feature-update-maintenance-window.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/feature-update-maintenance-window.md b/windows/deployment/update/feature-update-maintenance-window.md index 3214cc878a..a045a86cc0 100644 --- a/windows/deployment/update/feature-update-maintenance-window.md +++ b/windows/deployment/update/feature-update-maintenance-window.md @@ -126,7 +126,7 @@ There are potentially a thousand or more feature updates displayed in the Config Before you deploy the feature updates, you can download the content as a separate step. Do this so you can verify that the content is available on the distribution points before you deploy the feature updates. This will help you to avoid any unexpected issues with the content delivery. Use the following procedure to download the content for feature updates before creating the deployment. 1. In the Configuration Manager console, navigate to **Software Library > Windows 10 Servicing**. -2. Choose the **feature update(s)** to download by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Download**, +2. Choose the **feature update(s)** to download by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Download**. The **Download Software Updates Wizard** opens. 3. On the **Deployment Package** page, configure the following settings: **Create a new deployment package**: Select this setting to create a new deployment package for the software updates that are in the deployment. Configure the following settings: From aab9c1f49a47a4ec695871db8436ed75194e6de6 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Sat, 5 Jun 2021 12:09:52 +0530 Subject: [PATCH 245/415] Update windows/deployment/update/feature-update-maintenance-window.md accepted Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/deployment/update/feature-update-maintenance-window.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/deployment/update/feature-update-maintenance-window.md b/windows/deployment/update/feature-update-maintenance-window.md index a045a86cc0..b1ee4d2dd8 100644 --- a/windows/deployment/update/feature-update-maintenance-window.md +++ b/windows/deployment/update/feature-update-maintenance-window.md @@ -127,6 +127,7 @@ Before you deploy the feature updates, you can download the content as a separat 1. In the Configuration Manager console, navigate to **Software Library > Windows 10 Servicing**. 2. Choose the **feature update(s)** to download by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Download**. + The **Download Software Updates Wizard** opens. 3. On the **Deployment Package** page, configure the following settings: **Create a new deployment package**: Select this setting to create a new deployment package for the software updates that are in the deployment. Configure the following settings: From 4976757337aa37e7c23e5e7cf7a304086585426f Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Sat, 5 Jun 2021 12:10:06 +0530 Subject: [PATCH 246/415] Update windows/deployment/update/feature-update-maintenance-window.md accepted Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/deployment/update/feature-update-maintenance-window.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/deployment/update/feature-update-maintenance-window.md b/windows/deployment/update/feature-update-maintenance-window.md index b1ee4d2dd8..630c2b6867 100644 --- a/windows/deployment/update/feature-update-maintenance-window.md +++ b/windows/deployment/update/feature-update-maintenance-window.md @@ -185,6 +185,7 @@ After you determine which feature updates you intend to deploy, you can manually 1. In the Configuration Manager console, click **Software Library**. 2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. 3. Choose the feature update(s) to deploy by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Deploy**, + The **Deploy Software Updates Wizard** opens. 4. On the General page, configure the following settings: - **Name**: Specify the name for the deployment. The deployment must have a unique name that describes the purpose of the deployment and differentiates it from other deployments in the Configuration Manager site. By default, Configuration Manager automatically provides a name for the deployment in the following format: **Microsoft Software Updates - \\** From 7687ee2034c302e019134cbd28184475802b256c Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Sat, 5 Jun 2021 12:10:39 +0530 Subject: [PATCH 247/415] Update windows/deployment/update/feature-update-maintenance-window.md accepted Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/deployment/update/feature-update-maintenance-window.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/feature-update-maintenance-window.md b/windows/deployment/update/feature-update-maintenance-window.md index 630c2b6867..6f359c369a 100644 --- a/windows/deployment/update/feature-update-maintenance-window.md +++ b/windows/deployment/update/feature-update-maintenance-window.md @@ -251,7 +251,7 @@ After you determine which feature updates you intend to deploy, you can manually - Specify whether to allow clients to download after an installation deadline when they use metered Internet connections. Internet providers sometimes charge by the amount of data that you send and receive when you are on a metered Internet connection. > [!NOTE] - > Clients request the content location from a management point for the software updates in a deployment. The download behavior depends upon how you have configured the distribution point, the deployment package, and the settings on this page. For more information, see [Content Source Priority](https://docs.microsoft.com/mem/configmgr/core/plan-design/hierarchy/fundamental-concepts-for-content-management#content-source-priority). + > Clients request the content location from a management point for the software updates in a deployment. The download behavior depends upon how you have configured the distribution point, the deployment package, and the settings on this page. For more information, see [Content source priority](/mem/configmgr/core/plan-design/hierarchy/fundamental-concepts-for-content-management#content-source-priority). 10. On the Summary page, review the settings. To save the settings to a deployment template, click **Save As Template**, enter a name and select the settings that you want to include in the template, and then click **Save**. To change a configured setting, click the associated wizard page and change the setting. 11. Click **Next** to deploy the feature update(s). From cfb6ec4f44efa773f610febb8bafbcbf18cdd1db Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Sat, 5 Jun 2021 12:11:02 +0530 Subject: [PATCH 248/415] Update windows/deployment/update/feature-update-maintenance-window.md accepted Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/deployment/update/feature-update-maintenance-window.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/feature-update-maintenance-window.md b/windows/deployment/update/feature-update-maintenance-window.md index 6f359c369a..771a7648f8 100644 --- a/windows/deployment/update/feature-update-maintenance-window.md +++ b/windows/deployment/update/feature-update-maintenance-window.md @@ -184,7 +184,7 @@ After you determine which feature updates you intend to deploy, you can manually 1. In the Configuration Manager console, click **Software Library**. 2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. -3. Choose the feature update(s) to deploy by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Deploy**, +3. Choose the feature update(s) to deploy by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Deploy**. The **Deploy Software Updates Wizard** opens. 4. On the General page, configure the following settings: From 4551a1a6c5824a305885e0821bbaf3f6515c82ee Mon Sep 17 00:00:00 2001 From: Joe Davies Date: Mon, 7 Jun 2021 07:35:30 -0700 Subject: [PATCH 249/415] Update ransomware-malware.md --- .../intelligence/ransomware-malware.md | 47 +------------------ 1 file changed, 1 insertion(+), 46 deletions(-) diff --git a/windows/security/threat-protection/intelligence/ransomware-malware.md b/windows/security/threat-protection/intelligence/ransomware-malware.md index f09ebe1af1..5a04348f87 100644 --- a/windows/security/threat-protection/intelligence/ransomware-malware.md +++ b/windows/security/threat-protection/intelligence/ransomware-malware.md @@ -56,58 +56,13 @@ Organizations can be targeted specifically by attackers, or they can be caught i To provide the best protection against ransomware attacks, Microsoft recommends that you: -1. Use an effective email filtering solution - - According to the [Microsoft Security Intelligence Report Volume 24 of 2018](https://clouddamcdnprodep.azureedge.net/gdc/gdc09FrGq/original), spam and phishing emails are still the most common delivery method for ransomware infections. To effectively stop ransomware at its entry point, you must adopt an email security service that ensures all email content and headers entering and leaving the organization are scanned for spam, viruses, and other advanced malware threats. - - By adopting an enterprise-grade email protection solution, most cybersecurity threats against an organization will be blocked at ingress and egress. - - **HOW:** Use [Exchange Online Protection (EOP)](/microsoft-365/security/office-365-security/exchange-online-protection-overview), the Microsoft 365 and Office 365 cloud-based filtering service that protects your organization's Exchange Online mailboxes against spam, malware, and other email threats. - -2. Deploy regular hardware and software systems patching and effective vulnerability management - - A vital defense against cybersecurity attacks is the application of security updates and patches as soon as the software publishers release them. - - A prominent example of this failure was the WannaCry ransomware events in 2017, one of the largest global cybersecurity attacks in the history of the internet, which used a leaked vulnerability in Windows networking Server Message Block (SMB) protocol, for which Microsoft had released a patch nearly two months before the first publicized incident. - - Regular patching and an effective vulnerability management program are important measures to defend against ransomware and other forms of malware. - - **HOW:** Use [update channels](/microsoft-365/enterprise/deploy-update-channels-examples) for recommendations on updates for Windows 10 and Microsoft 365 Apps for Enterprise (Windows 10). - -3. Use up to date antivirus and an endpoint detection and response (EDR) solutions - - While owning an antivirus solution alone does not ensure absolute protection against viruses and other advanced computer threats, ensure that your antivirus solutions are kept up to date with your software publishers. - - Attackers invest heavily in the creation of new viruses and exploits, while vendors are left playing catch-up by releasing daily updates to their antivirus database engines. - - EDR solutions collect and store large volumes of data from endpoints and provide real-time host-based, file-level monitoring and visibility to systems. The data sets and alerts generated by an EDR solution can help stop advanced threats and are often leveraged for responding to security incidents. - -4. Separate administrative and privileged credentials from standard credentials - - Separate your system administrative accounts from your standard user accounts to ensure those administrative accounts are not useable across multiple systems. Separating these privileged accounts not only enforces proper access control but also ensures that a compromise of a single standard user account doesn’t lead to the compromise of your entire IT infrastructure. - - **HOW:** To effectively reduce your credential attack surface, use Microsoft support for [Azure Multi-Factor Authentication (MFA)](/azure/active-directory/authentication/concept-mfa-howitworks) to require stronger authentication for privileged accounts, [Azure Privileged Identity Management (PIM)](/azure/active-directory/privileged-identity-management/) for just-in-time use of privileged accounts, and [Privileged Access Management (PAM)](/microsoft-365/compliance/privileged-access-management-solution-overview) for just-in-time access to Microsoft 365 tasks that need elevated permissions. - -5. Implement effective application allowlists - - You need to restrict the applications that can run within an IT infrastructure. Application allowlists ensure only applications that have been tested and approved by an organization can run on the systems within the infrastructure. While this can be tedious and presents several IT administrative challenges, this strategy has been proven effective. - - **HOW:** For Microsoft 365 apps, use [Azure AD Conditional Access](/azure/active-directory/conditional-access/app-based-conditional-access) to require approved apps. - -6. Regularly back up critical systems and files - - The ability to recover to a known good state is the most critical strategy of any information security incident plan, especially ransomware. Therefore, to ensure the success of this process, an organization must validate that all its critical systems, applications, and files are regularly backed up and that those backups are regularly tested to ensure they are recoverable. Ransomware is known to encrypt or destroy any file it comes across, and it can often make them unrecoverable; consequently, it’s of utmost importance that all impacted files can be easily recovered from a good backup stored at a secondary location not impacted by the ransomware attack. - +- [Implement controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). It can stop ransomware from encrypting files and holding the files for ransom. For more general tips, see [prevent malware infection](prevent-malware-infection.md). From eb5fb0cf09ae5feade62a76072c5bc0884d789b0 Mon Sep 17 00:00:00 2001 From: Paul Huijbregts <30799281+pahuijbr@users.noreply.github.com> Date: Mon, 7 Jun 2021 08:45:00 -0700 Subject: [PATCH 250/415] Update defender-csp.md --- windows/client-management/mdm/defender-csp.md | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index 2c20894dcf..ff10761a52 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -59,6 +59,9 @@ Defender --------TamperProtection (Added in Windows 10, version 1903) --------EnableFileHashComputation (Added in Windows 10, version 1903) --------SupportLogLocation (Added in the next major release of Windows 10) +--------PlatformUpdatesChannel (Added with the 4.18.2105.4 Defender platform release) +--------EngineUpdatesChannel (Added with the 4.18.2105.4 Defender platform release) +--------DefinitionUpdatesChannel (Added with the 4.18.2105.4 Defender platform release) ----Scan ----UpdateSignature ----OfflineScan (Added in Windows 10 version 1803) @@ -521,6 +524,71 @@ More details: - [Microsoft Defender AV diagnostic data](/microsoft-365/security/defender-endpoint/collect-diagnostic-data) - [Collect investigation package from devices](/microsoft-365/security/defender-endpoint/respond-machine-alerts#collect-investigation-package-from-devices) +**Configuration/PlatformUpdatesChannel** +Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout. + +Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. + +Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. + +Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). + +Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). + +If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices. + +The data type is integer. + +Supported operations are Add, Delete, Get, Replace. + +Valid values are: +• 0: Not configured (Default) +• 1: Beta Channel - Prerelease +• 2: Current Channel (Preview) +• 3: Current Channel (Staged) +• 4: Current Channel (Broad) + +**Configuration/EngineUpdatesChannel** +Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout. + +Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. + +Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. + +Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). + +Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). + +If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices. + +The data type is integer. + +Supported operations are Add, Delete, Get, Replace. + +Valid values are: +• 0: Not configured (Default) +• 1: Beta Channel - Prerelease +• 2: Current Channel (Preview) +• 3: Current Channel (Staged) +• 4: Current Channel (Broad) + +**Configuration/DefinitionUpdatesChannel** +Enable this policy to specify when devices receive daily Microsoft Defender definition updates during the daily gradual rollout. + +Current Channel (Staged): Devices will be offered updates after the release cycle. Suggested to apply to a small, representative part of production population (~10%) + +Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). + +If you disable or do not configure this policy, the device will stay up to date automatically during the daily release cycle. Suitable for most devices. + +The data type is integer. +Supported operations are Add, Delete, Get, Replace. + +Valid Values are: +• 0: Not configured (Default) +• 3: Current Channel (Staged) +• 4: Current Channel (Broad) + **Scan** Node that can be used to start a Windows Defender scan on a device. From 57309f51e80c02e22b105c93f9198f14c9811faf Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Mon, 7 Jun 2021 09:38:34 -0700 Subject: [PATCH 251/415] Implemented 1 last suggestion to event ID 8036 --- .../event-id-explanations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index f6ca319d9d..e09ff64630 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -41,7 +41,7 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind |--------|-----------| | 8028 | Audit script/MSI file generated by Windows LockDown Policy (WLDP) being called by the script hosts themselves. Note: there is no WDAC enforcement on third-party script hosts. | | 8029 | Block script/MSI file | -| 8036| COM object was blocked. Learn more about COM object authorization: [Allow COM object registration in a WDAC policy (Windows 10) - Windows security - Microsoft Docs](allow-com-object-registration-in-windows-defender-application-control-policy). | +| 8036| COM object was blocked. To learn more about COM object authorization, see [Allow COM object registration in a Windows Defender Application Control policy](allow-com-object-registration-in-windows-defender-application-control-policy). | | 8038 | Signing information event correlated with either an 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | | ## Optional Intelligent Security Graph (ISG) or Managed Installer (MI) diagnostic events From c18073c830e580029fdf78314f953f82a6753e31 Mon Sep 17 00:00:00 2001 From: Charles Inglis <32555877+cinglis-msft@users.noreply.github.com> Date: Mon, 7 Jun 2021 14:44:15 -0400 Subject: [PATCH 252/415] corrected OMA-URI for Commercial ID @jaimeo --- .../deployment/update/update-compliance-configuration-mem.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/update-compliance-configuration-mem.md b/windows/deployment/update/update-compliance-configuration-mem.md index c4ce3579f9..01de3567bf 100644 --- a/windows/deployment/update/update-compliance-configuration-mem.md +++ b/windows/deployment/update/update-compliance-configuration-mem.md @@ -40,7 +40,7 @@ Take the following steps to create a configuration profile that will set require 2. Add a setting for **Commercial ID** ) with the following values: - **Name**: Commercial ID - **Description**: Sets the Commercial ID that corresponds to the Update Compliance Log Analytics workspace. - - **OMA-URI**: `./Vendor/MSFT/DMClient/Provider/MS DM Server/CommercialID` + - **OMA-URI**: `./Vendor/MSFT/DMClient/Provider/ProviderID/CommercialID` - **Data type**: String - **Value**: *Set this to your Commercial ID* 2. Add a setting configuring the **Windows Diagnostic Data level** for devices: From baba2c8823d9e23078aff23dd22e34c020748feb Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 7 Jun 2021 12:42:30 -0700 Subject: [PATCH 253/415] Update defender-csp.md --- windows/client-management/mdm/defender-csp.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index ff10761a52..acc2fed615 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -10,7 +10,7 @@ ms.prod: w10 ms.technology: windows author: dansimp ms.localizationpriority: medium -ms.date: 06/02/2021 +ms.date: 06/07/2021 --- # Defender CSP @@ -521,7 +521,7 @@ When enabled or disabled exists on the client and admin moves the setting to not More details: -- [Microsoft Defender AV diagnostic data](/microsoft-365/security/defender-endpoint/collect-diagnostic-data) +- [Microsoft Defender Antivirus diagnostic data](/microsoft-365/security/defender-endpoint/collect-diagnostic-data) - [Collect investigation package from devices](/microsoft-365/security/defender-endpoint/respond-machine-alerts#collect-investigation-package-from-devices) **Configuration/PlatformUpdatesChannel** From ec1e78030b840bb4000029b3194ac327ffdba97d Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Mon, 7 Jun 2021 13:55:47 -0700 Subject: [PATCH 254/415] overview url shortened --- windows/hub/TOC.yml | 2 +- windows/hub/index.yml | 2 +- windows/whats-new/TOC.yml | 2 +- windows/whats-new/index.yml | 2 +- windows/whats-new/{windows-sv-overview.md => windows-sv.md} | 0 5 files changed, 4 insertions(+), 4 deletions(-) rename windows/whats-new/{windows-sv-overview.md => windows-sv.md} (100%) diff --git a/windows/hub/TOC.yml b/windows/hub/TOC.yml index 18f3f6c535..1752028577 100644 --- a/windows/hub/TOC.yml +++ b/windows/hub/TOC.yml @@ -7,7 +7,7 @@ - name: What's new in Windows href: /windows/whats-new - name: Windows Sun Valley - href: /windows/whats-new/windows-sv-overview + href: /windows/whats-new/windows-sv - name: Release information href: /windows/release-health - name: Deployment diff --git a/windows/hub/index.yml b/windows/hub/index.yml index 2673320b9e..e9086a6765 100644 --- a/windows/hub/index.yml +++ b/windows/hub/index.yml @@ -27,7 +27,7 @@ landingContent: - linkListType: overview links: - text: Windows Sun Valley overview - url: /windows/whats-new/windows-sv-overview + url: /windows/whats-new/windows-sv - text: Windows Sun Valley requirements url: /windows/whats-new/windows-sv-requirements - text: Get started with Windows Sun Valley diff --git a/windows/whats-new/TOC.yml b/windows/whats-new/TOC.yml index 21c6326fb5..896d20ab51 100644 --- a/windows/whats-new/TOC.yml +++ b/windows/whats-new/TOC.yml @@ -4,7 +4,7 @@ expanded: true items: - name: Windows Sun Valley overview - href: windows-sv-overview.md + href: windows-sv.md - name: Windows Sun Valley requirements href: windows-sv-requirements.md - name: Get started with Windows Sun Valley diff --git a/windows/whats-new/index.yml b/windows/whats-new/index.yml index 3c77fc9036..2d9e4f6076 100644 --- a/windows/whats-new/index.yml +++ b/windows/whats-new/index.yml @@ -28,7 +28,7 @@ landingContent: - linkListType: overview links: - text: Windows Sun Valley Overview - url: windows-sv-overview.md + url: windows-sv.md - text: Windows Sun Valley requirements url: windows-sv-requirements.md - text: Get started with Windows Sun Valley diff --git a/windows/whats-new/windows-sv-overview.md b/windows/whats-new/windows-sv.md similarity index 100% rename from windows/whats-new/windows-sv-overview.md rename to windows/whats-new/windows-sv.md From 560d09e0e55760ffc4b97bf4242133b7203d0af2 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Mon, 7 Jun 2021 15:26:17 -0700 Subject: [PATCH 255/415] Added a section for supplemental policies. --- .../select-types-of-rules-to-create.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index add268e0ee..f5e5b8c109 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -71,6 +71,16 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru | **18 Disabled:Runtime FilePath Rule Protection** | This option disables the default runtime check that only allows FilePath rules for paths that are only writable by an administrator. NOTE: This option is only supported on Windows 10, version 1903, and above. | | **19 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically loaded libraries. NOTE: This option is only supported on Windows 10, version 1803, and above. | +### The following options are valid for supplemental policies. However, number 5 is not implemented as it is reserved for future work, and number 7 is not supported. +| Rule option | Description | +|------------ | ----------- | +| 5 | Enabled: Inherit Default Policy | +| **6** | **Enabled: Unsigned System Integrity Policy** | +| 7 | Allowed: Debug Policy Augmented | +| **13** | **Enabled: Managed Installer** | +| **14** | **Enabled: Intelligent Security Graph Authorization** | +| **18** | **Disabled: Runtime FilePath Rule Protection** | + ## Windows Defender Application Control file rule levels File rule levels allow administrators to specify the level at which they want to trust their applications. This level of trust could be as granular as the hash of each binary or as general as a CA certificate. You specify file rule levels when using WDAC PowerShell cmdlets to create and modify policies. From bb345aa0690e2344aca3f2b0de66b5e0440f730b Mon Sep 17 00:00:00 2001 From: Lovina Saldanha <69782111+Lovina-Saldanha@users.noreply.github.com> Date: Tue, 8 Jun 2021 10:18:28 +0530 Subject: [PATCH 256/415] added-for-5120578 new image for 5120578 --- .../bitlocker/images/yes-icon.png | Bin 0 -> 916 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 windows/security/information-protection/bitlocker/images/yes-icon.png diff --git a/windows/security/information-protection/bitlocker/images/yes-icon.png b/windows/security/information-protection/bitlocker/images/yes-icon.png new file mode 100644 index 0000000000000000000000000000000000000000..bbae7d30522832e4ebf00c52e1c2af7f11e5e952 GIT binary patch literal 916 zcmeAS@N?(olHy`uVBq!ia0vp^f*{Pn1|+R>-G2co&H|6fVxatW5N34Jm|X!BWH0gb zb!C6TCcvg7pm3r3FIdPmqQtSZBqP6wVdc6r9zY?U5}=SvYH@N=WQ0!XYD{Sc8LDcqU2PDum780 z!<0Ga=jNv7l`woeGi^Umj18nLB(o$Zm0`uZOX>^^O!1yBjv*Gky;EX6L;^*Q|NnmP z=FG_Q@Y}wJ_X%9S)1_4KyW%82OS4@^+@k3shnm(12y1HebXC1r+N8i0T=UVD_tQ!N zXJ$?AGizK`E_j`};*cGkKIiUCOWPL1-9Jm`>HRPMZ-35mPPL@qLCMC|jaN$gD_tLL zIlbjZ+T}Dx&j1&(FDExeRv2l;&f8}wTUa$ic+=;;{MS9_su#6!BuxBpV%ogfa{4c= z7JogLUGuMCNucdFTcy_NObiEde0CfbKJ|LBZd)_cZXd7PWjDht*_&~WqJ-j> z!gWu6YVPg+`TEbwxSPMEdOJf;ONw?b;9}k1Bf)Us?WQCiofF13&%RD&U|6tg0aLSh z`$PYaj0|6POkmc$7OQ8`8pfn?;$GXWMYk)=u5?Mh-EJ)UWZBuGxn1FmMzxxp4W)MG zQKzg7*Y+-c^|H0)&YY8GA9frSirN_x)7>~ru;m*2f2Y(1&;L~4NLl>hU|z<@BR7xh zK6|L=$hp;YPc4V;y2XD}*qbDcc4=Eboch<|#s=}p7jM+(?qYd)NA<<#;6FyfM;9Ki zRw!h(O?TgzS!$QJ&!WBYV?Oseuc;YL!W;Wfb{$|&u9lw&-9kyq~gPwpn zi|1x&o6oXjD4BCDUhG*$Y174`d-V;M_T2ont!S~NN7d1G>8s3tlf8E5aa~VhaNYE_ z_GXo9_RNbW>o-36ukt!9s%%!)ef2|Phm*3C#fnci@q{k&JZEsoGIa0izP7pZ?3>TN WbFAMm`zSE+F?hQAxvXxtI@ literal 0 HcmV?d00001 From 236f5143deb430b86426fb70c329aff141097034 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Tue, 8 Jun 2021 10:31:46 +0530 Subject: [PATCH 257/415] Update bitlocker-deployment-comparison.md Updated the image to yes icon --- .../bitlocker-deployment-comparison.md | 48 +++++++++---------- 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md index d3e5e2f766..f4d29550e4 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md @@ -35,32 +35,32 @@ This article depicts the BitLocker deployment comparison chart. |Supported domain-joined status | Microsoft Azure Active Directory (Azure AD) joined, hybrid Azure AD joined | Active Directory joined, hybrid Azure AD joined | Active Directory joined | |Permissions required to manage policies | Endpoint security manager or custom | Full administrator or custom | Domain Admin or Delegated GPO access | |Cloud or on premises | Cloud | On premises | On premises | -|Server components required? | | :::image type="content" source="images/dot_new.png" alt-text="dots"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Server components required? | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | |Additional agent required? | No (device enrollment only) | Configuration Manager client | MBAM client | |Administrative plane | Microsoft Endpoint Manager admin center | Configuration Manager console | Group Policy Management Console and MBAM sites | -|Administrative portal installation required | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Compliance reporting capabilities | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Force encryption | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Encryption for storage cards (mobile) | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | | -|Allow recovery password | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Manage startup authentication | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Select cipher strength and algorithms for fixed drives | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Select cipher strength and algorithms for removable drives | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Select cipher strength and algorithms for operating environment drives | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Administrative portal installation required | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Compliance reporting capabilities | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Force encryption | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Encryption for storage cards (mobile) | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | | +|Allow recovery password | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Manage startup authentication | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Select cipher strength and algorithms for fixed drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Select cipher strength and algorithms for removable drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Select cipher strength and algorithms for operating environment drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | |Standard recovery password storage location | Azure AD or Active Directory | Configuration Manager site database | MBAM database | |Store recovery password for operating system and fixed drives to Azure AD or Active Directory | Yes (Active Directory and Azure AD) | Yes (Active Directory only) | Yes (Active Directory only) | -|Customize preboot message and recovery link | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Allow/deny key file creation | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Deny Write permission to unprotected drives | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Can be administered outside company network | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | | -|Support for organization unique IDs | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Self-service recovery | Yes (through Azure AD or Company Portal app) | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Recovery password rotation for fixed and operating environment drives | Yes (Windows 10, version 1909 and later) | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Wait to complete encryption until recovery information is backed up to Azure AD | :::image type="content" source="images/dot1.png" alt-text="dot"::: | | | -|Wait to complete encryption until recovery information is backed up to Active Directory | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Allow or deny Data Recovery Agent | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Unlock a volume using certificate with custom object identifier | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Prevent memory overwrite on restart | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Configure custom Trusted Platform Module Platform Configuration Register profiles | | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Manage auto-unlock functionality | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Customize preboot message and recovery link | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Allow/deny key file creation | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Deny Write permission to unprotected drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Can be administered outside company network | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | | +|Support for organization unique IDs | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Self-service recovery | Yes (through Azure AD or Company Portal app) | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Recovery password rotation for fixed and operating environment drives | Yes (Windows 10, version 1909 and later) | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Wait to complete encryption until recovery information is backed up to Azure AD | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | | | +|Wait to complete encryption until recovery information is backed up to Active Directory | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Allow or deny Data Recovery Agent | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Unlock a volume using certificate with custom object identifier | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Prevent memory overwrite on restart | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Configure custom Trusted Platform Module Platform Configuration Register profiles | | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Manage auto-unlock functionality | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | From 2b82513f59cc8d11340fb7074376ac64553d7a5c Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Tue, 8 Jun 2021 11:06:56 +0530 Subject: [PATCH 258/415] delete-irrelevant-images deleted unwanted images that i added earlier for this task --- .../bitlocker/images/dot.png | Bin 674 -> 0 bytes .../bitlocker/images/dot1.png | Bin 739 -> 0 bytes .../bitlocker/images/dot_new.png | Bin 734 -> 0 bytes 3 files changed, 0 insertions(+), 0 deletions(-) delete mode 100644 windows/security/information-protection/bitlocker/images/dot.png delete mode 100644 windows/security/information-protection/bitlocker/images/dot1.png delete mode 100644 windows/security/information-protection/bitlocker/images/dot_new.png diff --git a/windows/security/information-protection/bitlocker/images/dot.png b/windows/security/information-protection/bitlocker/images/dot.png deleted file mode 100644 index 8dc160da790bb40082cb31ae078125c8dd9bcb14..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 674 zcmV;T0$u%yP)Px#1ZP1_K>z@;j|==^1poj532;bRa{vGqB>(^xB>_oNB=7(L0yjxSK~z{r?U%c2 zQ(+i~3&o|-O`SyPQlTKIn<%*U4{-J$=q_#54v~7JR1L+DMI0P-P%@>J22p54u|uqB zn>0zyMVqvZxoR$_P2Qe2d<9A0ez$W18S=nyI`F;^-*>)SA9OK2IbC{ky4WJOUETv< zqzvzZMewW^;ajQ#RinYa>Z2`}$k$V0grRRdcqIK3LAdff1}~R$+M>#G^}Pn% zd7o)Dr=+NyxgUZ>b7WOflKWLK;Nr6=DIk+u-ZV6uO;$~ev|KW8z|bRl3RN=Z*^(BN zlEbOIWMRbGGxs^mD)W(&yKVksR1@6{++Br@-5RTYJVLp2$$%4+bQ3GN@hZtW9FI`W z;oByQTMe%E-$jFUp%KbmcoHFt+mWYB{C|%tS1~tFmHkXLH{YaKCmOC?V5>?NwJVpM zQPzouE9Z~@Ba7OV;h7EAiH0lpCDB>Ak=Y3AM8lQC)kGDwE2A&stP>4a4v(4B_twe6 zc4T}$!#dG$^Jxq0HGXCEiQSgft5J@;=^Ak zhpeQlww|w7T`}RPAyRS(UUR5MsySsYuxPfoh$%U3zl5bg>-30U^uP%Z6!0+5i9m07*qo IM6N<$f`#cUv;Y7A diff --git a/windows/security/information-protection/bitlocker/images/dot1.png b/windows/security/information-protection/bitlocker/images/dot1.png deleted file mode 100644 index c9ec7c52ab41b4f5c567d7a8db90e7b679d47928..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 739 zcmV<90v!E`P)Px#1ZP1_K>z@;j|==^1poj532;bRa{vGqB>(^xB>_oNB=7(L0(eP8K~z{r?Uv1J z6G0e8QliJp_RPmysB2_7-AR-DyPsKk#p<-_>^x&}`lwLfDf_l&vZ-PCE z2r7D052@HHqK87HF-;efY-97WP3nw}r0vY4yPFNY_&~_KbC`W*-kEnsSt4Maaj^e& z#qvrdGK-ju=b+_Fa40}?qZ|7I8{l!9pO-0#XsUp_?~-^lkw!GFv)(dJBGcJgkG@VH zE*#iwSjdn>VX=g3ujX+5wThxa<(5Vl9`rWj)b5R}N6wlOGi1g+qfvbLkz+mP7z+Dw z<4gdGLY7HFMTzez9o_e)F`eX>-VFW6w&K>gpj1SfG@63*W6`PwD7WAK#2xaJA(a>= zdtkz13PcP&o5eRZ&!UwGCF1isM&76_vWEqI30I#dShNzM#Qpb4=p`1|$oMA>F^x~J zP~!2V##;75kGE)SP9jT|;B!KpJ3ENXWLc{WC-GG+7%oUwn40A$$VvPv)L=6#BO@4} zlc4p#mbmC`w+c?8b&H#|YQrwU_?$%3CKq;ioh-7SgH0aRD#J<8`W|lgvdDhI?G3C| zhLfONKI&sFdkK+LoZiDA44&}AX=GzkXi6TE2Z@E3nv||kJ+6=| zU4-;A`-2|b>Px#1ZP1_K>z@;j|==^1poj532;bRa{vGqB>(^xB>_oNB=7(L0&_`3K~z{r#g@x! z6G0ruzng3xo7S}5pf<6MidIBL8xSjc>>(hER4-CcK`-i|`VZu)7mq#=JSd6>J(Q{! z&B22RirRpJ6^l|IZPSObZ7`2Esm>%nXr`OZ=CL84OXfFB<}*9bpY)G`24SJ!hR{%X z#nb*LnMGtGiI34V7E)PQBncZ@WCVN)cC2&2W|gR=F=fellkn(YTz?(I)6a1%>-B_md_x2d#i_26~9l@?944v}BA!`RvbVze-Qyshiqh>MZ z8QUwN=hGC46qOG=nZ&P!3`Mnb_2qB88cR^Lf=2#jCXIWMd5X+|uWKkgl@AKg$ZxRY zR1aQ!OW@N~ilRIkIX}ns;_<5ED#+*AjrBFQM3MPKCQ5wy=chx%no4;Dc{)?_ zva6YNR_tGp+beh!s$q5if_#g|My2|&)gwMOf?RdU*w|XX0R((bD&-O6oZz-*Dw$8P zOYB=CKi|_vC36XQo!Hl@P?Sd_?`9dv5%v_CO{jM*B$o9QqLFiM_4#sHiCOgTX+hsk zH$^KHm3!SbJUGz-ogAPdcDFll?WmU`5#8?j#v458&!t4w(#_U6e0CGsbY{^ohvP5N z=||&uH!j}GMqFh1+hvx=x$OGWS623#Vb|i_;W^xV6T|xwgW$__e3u)S4tmhzcTufA zWyuTS$;L2yojycUxmVE2c5wR|p0~53)S Date: Tue, 8 Jun 2021 09:38:41 -0700 Subject: [PATCH 259/415] Removed the heading format for the new text and also swapped out "number" for "option." --- .../select-types-of-rules-to-create.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index f5e5b8c109..7a56e31130 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -71,7 +71,8 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru | **18 Disabled:Runtime FilePath Rule Protection** | This option disables the default runtime check that only allows FilePath rules for paths that are only writable by an administrator. NOTE: This option is only supported on Windows 10, version 1903, and above. | | **19 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically loaded libraries. NOTE: This option is only supported on Windows 10, version 1803, and above. | -### The following options are valid for supplemental policies. However, number 5 is not implemented as it is reserved for future work, and number 7 is not supported. +The following options are valid for supplemental policies. However, option 5 is not implemented as it is reserved for future work, and option 7 is not supported. + | Rule option | Description | |------------ | ----------- | | 5 | Enabled: Inherit Default Policy | From 3c8347fee326b81e0ef337794893e9ce3a6982b2 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 8 Jun 2021 10:23:43 -0700 Subject: [PATCH 260/415] plan and prepare --- windows/whats-new/TOC.yml | 6 ++-- windows/whats-new/index.yml | 7 ++-- ...s-sv-get-started.md => windows-sv-plan.md} | 0 windows/whats-new/windows-sv-prepare.md | 36 +++++++++++++++++++ 4 files changed, 44 insertions(+), 5 deletions(-) rename windows/whats-new/{windows-sv-get-started.md => windows-sv-plan.md} (100%) create mode 100644 windows/whats-new/windows-sv-prepare.md diff --git a/windows/whats-new/TOC.yml b/windows/whats-new/TOC.yml index 896d20ab51..612896a73f 100644 --- a/windows/whats-new/TOC.yml +++ b/windows/whats-new/TOC.yml @@ -7,8 +7,10 @@ href: windows-sv.md - name: Windows Sun Valley requirements href: windows-sv-requirements.md - - name: Get started with Windows Sun Valley - href: windows-sv-get-started.md + - name: Plan to deploy Windows Sun Valley + href: windows-sv-plan.md + - name: Get ready for Windows Sun Valley + href: windows-sv-prepare.md - name: Windows 10 expanded: true items: diff --git a/windows/whats-new/index.yml b/windows/whats-new/index.yml index 2d9e4f6076..7e3ba4fc82 100644 --- a/windows/whats-new/index.yml +++ b/windows/whats-new/index.yml @@ -31,9 +31,10 @@ landingContent: url: windows-sv.md - text: Windows Sun Valley requirements url: windows-sv-requirements.md - - text: Get started with Windows Sun Valley - url: windows-sv-get-started.md - + - text: Plan to deploy Windows Sun Valley + url: windows-sv-plan.md + - text: Get ready for Windows Sun Valley + url: windows-sv-prepare.md - title: Windows 10 linkLists: diff --git a/windows/whats-new/windows-sv-get-started.md b/windows/whats-new/windows-sv-plan.md similarity index 100% rename from windows/whats-new/windows-sv-get-started.md rename to windows/whats-new/windows-sv-plan.md diff --git a/windows/whats-new/windows-sv-prepare.md b/windows/whats-new/windows-sv-prepare.md new file mode 100644 index 0000000000..25b0d9e99c --- /dev/null +++ b/windows/whats-new/windows-sv-prepare.md @@ -0,0 +1,36 @@ +--- +title: Get started with Windows Sun Valley +description: Learn about features, review requirements, and plan your deployment of Windows Sun Valley, including IT Pro content, release information, and history. +keywords: ["get started", "windows sun valley"] +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: greg-lindsay +ms.author: greglin +ms.date: 10/16/2017 +ms.reviewer: +manager: laurawi +ms.localizationpriority: high +ms.topic: article +--- + +# Get started with Windows Sun Valley + +**Applies to** + +- Windows Sun Valley + +## Deployment planning + +Consider using the following process to deploy Windows Sun Valley to existing devices: +1. Preview Windows Sun Valley and create a deployment plan. +2. Test critical applications and management policies. +3. Update devices to the latest release of Windows 10. +4. Verify that devices meet the minimum hardware requirements for Windows Sun Valley. +5. Update deployment tools and infrastructure. +6. Update qualifying devices to Windows Sun Valley. + + +## See also + +[Windows Sun Valley deployment planning](/windows/deployment/windows-sv-deploy) From 65360cb93aa8a91aedaa2a78c63625a3ee0444cf Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 8 Jun 2021 10:38:55 -0700 Subject: [PATCH 261/415] reset deploy content --- windows/deployment/TOC.yml | 8 +++----- windows/deployment/index.yml | 8 ++++---- windows/deployment/windows-sv-deploy.md | 26 ------------------------ windows/deployment/windows-sv-plan.md | 26 ------------------------ windows/deployment/windows-sv-prepare.md | 23 --------------------- windows/whats-new/windows-sv-plan.md | 12 +++++------ windows/whats-new/windows-sv-prepare.md | 14 ++++++------- 7 files changed, 20 insertions(+), 97 deletions(-) delete mode 100644 windows/deployment/windows-sv-deploy.md delete mode 100644 windows/deployment/windows-sv-plan.md delete mode 100644 windows/deployment/windows-sv-prepare.md diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index b66af87886..e3fcfca9e0 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml @@ -6,7 +6,7 @@ - name: What's new href: deploy-whats-new.md - name: Windows Sun Valley deployment overview - href: windows-sv-deploy.md + href: /windows/whats-new/windows-sv-overview.md - name: Windows client deployment scenarios href: windows-10-deployment-scenarios.md - name: What is Windows as a service? @@ -36,7 +36,7 @@ - name: Plan items: - name: Windows Sun Valley deployment planning - href: windows-sv-plan.md + href: /windows/whats-new/windows-sv-plan.md - name: Create a deployment plan href: update/create-deployment-plan.md - name: Define readiness criteria @@ -72,7 +72,7 @@ - name: Prepare items: - name: Prepare to deploy Windows Sun Valley - href: windows-sv-prepare.md + href: /windows/whats-new/windows-sv-prepare.md - name: Prepare to deploy Windows 10 updates href: update/prepare-deploy-windows.md - name: Evaluate and update infrastructure @@ -104,8 +104,6 @@ items: - name: Deploy Windows client items: - - name: Windows Sun Valley deployment overview - href: windows-sv-deploy.md - name: Deploy Windows client with Autopilot href: windows-autopilot/index.yml - name: Deploy Windows client with Configuration Manager diff --git a/windows/deployment/index.yml b/windows/deployment/index.yml index 7b8a56f315..ef58977660 100644 --- a/windows/deployment/index.yml +++ b/windows/deployment/index.yml @@ -1,7 +1,7 @@ ### YamlMime:Landing title: Windows client deployment resources and documentation # < 60 chars -summary: Learn about deploying and keeping Windows 10 up to date. # < 160 chars +summary: Learn about deploying and keeping Windows client devices up to date. # < 160 chars metadata: title: Windows client deployment resources and documentation # Required; page title displayed in search results. Include the brand. < 60 chars. @@ -13,7 +13,7 @@ metadata: ms.collection: windows-10 author: greg-lindsay #Required; your GitHub user alias, with correct capitalization. ms.author: greglin #Required; microsoft alias of author; optional team alias. - ms.date: 08/05/2020 #Required; mm/dd/yyyy format. + ms.date: 06/24/2021 #Required; mm/dd/yyyy format. localization_priority: medium # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new @@ -66,8 +66,8 @@ landingContent: links: - text: What's new in Windows deployment url: deploy-whats-new.md - - text: Windows 11 deployment overview - url: windows-sv-deploy.md + - text: Windows Sun Valley overview + url: /windows/whats-new/windows-sv-overview.md - text: Windows client deployment scenarios url: windows-10-deployment-scenarios.md - text: Basics of Windows updates, channels, and tools diff --git a/windows/deployment/windows-sv-deploy.md b/windows/deployment/windows-sv-deploy.md deleted file mode 100644 index fe50501d35..0000000000 --- a/windows/deployment/windows-sv-deploy.md +++ /dev/null @@ -1,26 +0,0 @@ ---- -title: Windows Sun Valley deployment planning -description: Understand the different ways Windows Sun Valley operating system can be deployed in your organization. Explore several Windows Sun Valley deployment scenarios. -ms.reviewer: -manager: laurawi -ms.audience: itpro -ms.author: greglin -author: greg-lindsay -keywords: upgrade, in-place, configuration, deploy -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -audience: itpro -ms.topic: article ---- - -# Windows Sun Valley deployment planning - -**Applies to** -- Windows Sun Valley - -## Windows Sun Valley deployment considerations - - - diff --git a/windows/deployment/windows-sv-plan.md b/windows/deployment/windows-sv-plan.md deleted file mode 100644 index 7244da875c..0000000000 --- a/windows/deployment/windows-sv-plan.md +++ /dev/null @@ -1,26 +0,0 @@ ---- -title: Windows Sun Valley deployment planning -description: Understand the different ways Windows Sun Valley operating system can be deployed in your organization. Explore several Windows Sun Valley deployment scenarios. -ms.assetid: 7A29D546-52CC-482C-8870-8123C7DC04B5 -ms.reviewer: -manager: laurawi -ms.audience: itpro -ms.author: greglin -author: greg-lindsay -keywords: upgrade, in-place, configuration, deploy -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -audience: itpro -ms.topic: article ---- - -# Windows 11 deployment planning - -**Applies to** -- Windows Sun Valley - -To successfully deploy the Windows Sun Valley operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the capabilities and limitations of each, is a key task. - -The following table summarizes various Windows Sun Valley deployment scenarios. The scenarios are each assigned to one of three categories. \ No newline at end of file diff --git a/windows/deployment/windows-sv-prepare.md b/windows/deployment/windows-sv-prepare.md deleted file mode 100644 index 2a0b778723..0000000000 --- a/windows/deployment/windows-sv-prepare.md +++ /dev/null @@ -1,23 +0,0 @@ ---- -title: Prepare to deploy Windows Sun Valley -description: Understand the different ways Windows Sun Valley operating system can be deployed in your organization. Explore several Windows Sun Valley deployment scenarios. -ms.reviewer: -manager: laurawi -ms.audience: itpro -ms.author: greglin -author: greg-lindsay -keywords: upgrade, in-place, configuration, deploy -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -audience: itpro -ms.topic: article ---- - -# Prepare to deploy Windows 11 - -**Applies to** -- Windows Sun Valley - -To successfully deploy \ No newline at end of file diff --git a/windows/whats-new/windows-sv-plan.md b/windows/whats-new/windows-sv-plan.md index 25b0d9e99c..337709d6fe 100644 --- a/windows/whats-new/windows-sv-plan.md +++ b/windows/whats-new/windows-sv-plan.md @@ -1,13 +1,13 @@ --- -title: Get started with Windows Sun Valley -description: Learn about features, review requirements, and plan your deployment of Windows Sun Valley, including IT Pro content, release information, and history. -keywords: ["get started", "windows sun valley"] -ms.prod: w10 +title: Plan to deploy Windows Sun Valley +description: Windows Sun Valley deployment planning, IT Pro content. +keywords: ["get started", "windows sun valley", "plan"] +ms.prod: w11 ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.author: greglin -ms.date: 10/16/2017 +ms.date: 06/24/2021 ms.reviewer: manager: laurawi ms.localizationpriority: high @@ -33,4 +33,4 @@ Consider using the following process to deploy Windows Sun Valley to existing de ## See also -[Windows Sun Valley deployment planning](/windows/deployment/windows-sv-deploy) +[Get ready for Windows Sun Valley](windows-sv-prepare.md) diff --git a/windows/whats-new/windows-sv-prepare.md b/windows/whats-new/windows-sv-prepare.md index 25b0d9e99c..f3692eeaff 100644 --- a/windows/whats-new/windows-sv-prepare.md +++ b/windows/whats-new/windows-sv-prepare.md @@ -1,26 +1,26 @@ --- -title: Get started with Windows Sun Valley -description: Learn about features, review requirements, and plan your deployment of Windows Sun Valley, including IT Pro content, release information, and history. +title: Prepare to deploy Windows Sun Valley +description: Prepare your infrastructure and tools to deploy Windows Sun Valley, IT Pro content. keywords: ["get started", "windows sun valley"] -ms.prod: w10 +ms.prod: w11 ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.author: greglin -ms.date: 10/16/2017 +ms.date: 06/24/2021 ms.reviewer: manager: laurawi ms.localizationpriority: high ms.topic: article --- -# Get started with Windows Sun Valley +# Prepare to deploy Windows Sun Valley **Applies to** - Windows Sun Valley -## Deployment planning +## Deployment readiness Consider using the following process to deploy Windows Sun Valley to existing devices: 1. Preview Windows Sun Valley and create a deployment plan. @@ -33,4 +33,4 @@ Consider using the following process to deploy Windows Sun Valley to existing de ## See also -[Windows Sun Valley deployment planning](/windows/deployment/windows-sv-deploy) +[Windows Sun Valley deployment planning](windows-sv-plan.md) From 1da7b6dfefcb1dd20281f3d0ac9a01476edc232d Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 8 Jun 2021 11:37:09 -0700 Subject: [PATCH 262/415] added whitepaper draft --- windows/whats-new/TOC.yml | 4 +- windows/whats-new/windows-sv-plan.md | 90 +++++++++++++++++++++++++ windows/whats-new/windows-sv-prepare.md | 63 +++++++++++++++++ windows/whats-new/windows-sv.md | 13 +++- 4 files changed, 167 insertions(+), 3 deletions(-) diff --git a/windows/whats-new/TOC.yml b/windows/whats-new/TOC.yml index 612896a73f..d611e4787f 100644 --- a/windows/whats-new/TOC.yml +++ b/windows/whats-new/TOC.yml @@ -7,9 +7,9 @@ href: windows-sv.md - name: Windows Sun Valley requirements href: windows-sv-requirements.md - - name: Plan to deploy Windows Sun Valley + - name: Create a deployment plan href: windows-sv-plan.md - - name: Get ready for Windows Sun Valley + - name: Prepare to deploy Windows Sun Valley href: windows-sv-prepare.md - name: Windows 10 expanded: true diff --git a/windows/whats-new/windows-sv-plan.md b/windows/whats-new/windows-sv-plan.md index 337709d6fe..190595d9be 100644 --- a/windows/whats-new/windows-sv-plan.md +++ b/windows/whats-new/windows-sv-plan.md @@ -22,6 +22,96 @@ ms.topic: article ## Deployment planning +Planning for Sun Valley + +Sun Valley has the same underlying technology used today in Windows 10. IT Professionals can use familiar existing toolsets to plan, prepare , deploy, manage, and updateand manage both Sun Valley and Windows 10 updates alike. Because we anticipate customers organizations will be using a mix of Windows 10 devices side-by-side as they integrate Sun Valley into their environments, there are some unique yet largely familiar considerations for this new operating system to help aid in planning for upcoming deployments. + +Determining eligibility +We know one of the first questions that you will have is "Do the current PC(s) in my environment meet the Sun Valley hardware requirements bar? To assess if your device(s) meet these hardware criteria, IT Professionals can continue to use the first party analytics tools they are familiar with, including Update Compliance. In addition, Microsoft is sharing necessary information to 3rd party ISVs to enable their tools to support analytics for Sun Valley. + +Consumers can determine whether their device is eligible for Sun Valley by using the PC Health Check application to assess if a device meets the minimum hardware specifications [place forthcoming ink here]. In addition, detailed minimum requirements can be found at aka.ms/minspec [link forthcoming here]. + + +Sun Valley rollouts +In this section, we’ll share more on the rollout experience for home users benefiting from the role of intelligent rollout and for IT admin managed devices who will note some changes to management controls. +Home user, consumer devices +W indows 10 devices purchased after June 2021 that meet or exceed the minimum hardware requirements for Sun Valley will be offered Sun Valley in October of 2021. Though the message will vary by PC manufacturer, customers will see labels such as ‘this PC will upgrade to Sun Valley once available’ on products for purchase. Note, devices purchased beginning in October will see the Sun Valley offer during the out of box experience or already be imaged with Sun Valley. + +Sun Valley will be made available to current Windows 10 devices who are eligible after General Availability (GA) through the familiar Windows Update experience, first to seekers, then as part of our intelligent rollout process. The Windows Update Settings page will confirm when a device is eligible, and users can choose to upgrade or not. + + +As with Windows 10, the machine learning based intelligent rollout will be leveraged when rolling out upgrades. Our ML uses a combination of testing, close partner engagement, feedback, diagnostic data, and real-life insights to manage quality. This improves the update experience, ensuring that devices first nominated for updates are those likely to have a seamless experience, and that devices which may be problematic get the benefit of resolving potential compatibility issues before being offered an upgrade to Sun Valley. + +Managed devices + +While we are excited about the innovations and end user productivity improvements in Sun Valley, we recognize that the "right time" to move will be different for each organization. As always, for devices that you manage as an organization, you can choose between Sun Valley and Windows 10, and when the right time is for your organization to make the migration. + +Commercial customers will be able to deploy the Sun Valley update using their typical management tools to eligible devices in their organization beginning at GA. Customers upgrading from Windows Update using WUfB will have the additional benefit of two safety nets: offering blocks on non-eligible devices who do not meet the hardware requirements to upgrade to Sun Valley and Safeguard holds. Safeguard holds will function for Sun Valley devices just as they do for Windows 10. IT Professionals will have access to information on which safeguard holds are preventing individual devices from taking the upgrade to Sun Valley . + +It is worth noting that if you use Windows Update for Business to manage feature update deployments today you will need to leverage the “Target Version” policy rather than Feature Update deferrals to move from Windows 10 to Sun Valley. Deferrals are great for quality updates or to move to newer versions of the same product (e.g. Windows 10 21H1 to Windows 10 21H2), but they can not move you between products (e.g. Windows 10 to Windows Sun Valley). + +Additionally, please note that Sun Valley has a new end user license agreement. By nature of deploying with WUfB Target Version or with WSUS you are accepting this new end user license agreement on behalf of the end users within your organization. + +Finally, please note that while Windows 10 Pro or higher can upgrade for free using their existing management tools, those using S mode will need to first switch out of S mode (as S mode is currently not supported on Sun Valley). + +What about customizations that customers have in place necessary to support their deployments today? Will those continue to work for Sun Valley? + +Availability and upgrade path +The Sun Valley upgrade offer will begin for eligible devices at Sun Valley GA in October of this year (2021). This is true for eligible devices already running updated Windows 10 as well as for brand new devices . + +Enterprise customers who have a volume licensing agreement with Software Assurance or Windows Enterprise E3 subscription will be able to upgrade existing devices to Sun Valley after GA. + +To get a jump start on Sun Valley, we recommend that IT professionals join the Windows Insider Program (WIP) to deploy and validate it in their environments. + +If you're an IT administrator who's interested in exploring new features as they're being created, we recommend using the Beta Channel (available summer 2021) + +As an IT administrator, if you who would like to validate the Sun Valley release (and Windows 10 releases) before broadly deploying in your organization, we recommend you join our Windows Insider Program Release Preview Channel (available in summer 2021). + +Commercial customers can begin validating and exploring Sun Valley prior to GA. Sun Valley will be available for commercial customers to deploy beginning in the summer of 2021 via the Windows Insider Program for Business. Customers can deploy bits from the Windows Insider Pre-release category in WSUS, by configuring Manage Preview Builds to “Release Preview” with WUfB, by leveraging Windows Virtual Devices or Cloud PC*(will this be announced when this paper goes out?) and Azure Marketplace images, or even through simply downloading and deploying ISOs from our Windows Insider Program ISO Download page. Note – regardless of which way you choose to deploy, commercial customers have the benefit of free Microsoft support when validating pre-release, simply submit your support cases here. + +To learn more about the Windows Insider Program for Business, click here. + + + +Like Windows 10, Sun Valley devices will receive regular monthly quality updates to provide security updates and bug fixes, and at times, new functionality when deemed appropriate. Unlike Windows 10, however, Sun Valley devices will receive a single feature update annually. Knowing this will help you define your servicing strategy. + +For devices on in-service versions of Windows 10 that do not meet Sun Valley hardware requirements, they will continue to receive monthly Windows 10 security updates. +Servicing Duration: Sun Valley vs. Windows 10 +The duration of support changes slightly. Today, Windows 10 feature updates are released twice yearly, around March and September, via the Semi-Annual Channel. They are serviced with monthly quality updates for 18 or 30 months from the date of the release, depending on the lifecycle policy. For Sun Valley, we will support each annual release for 24 months for Home and Pro editions, and 36 months for Enterprise and Education editions, beginning at GA in October 2021. + +Windows 10 will continue to receive twice yearly feature updates . We have committed to supporting Windows 10 through October 14, 2025. + +For more information, see the Windows Release Information Page, which includes information for Windows 10 semi-annual channel and LTSC releases, as well as Sun Valley. + +Potential section from Michael Raschko (pending as of 5/31): Windows 10 currently runs on more than 1 billion devices around the world, representing considerable time and investment from consumers and organizations alike. While we expect the migration to Windows “Sun Valley” will have less overhead than previous legacy Windows versions to Windows 10, we understand that organizations will need time to complete their move to Sun Valley based on their individual situations. Further, they will want to maintain and grow the value of their Windows 10 investment in the interim. + +For organizations who cannot move to Sun Valley immediately, Microsoft’s guidance is to standardize their devices on Windows 10 version to 21H2. Windows 10, version 21H2 will be the last feature update to Windows 10 but will receive specific feature enhancements to ease any growing pains there may be in migrating to Sun Valley. These features aim to provide compatibility with Microsoft existing and future products and services. + +It’s important that organizations remain in control and have adequate time to plan for feature enhancements which could affect the experience of end users. To facilitate this, feature enhancements will be provided on a quarterly cadence and will be provided with management policies to enable or disable those features. [some of this, once we get it locked in, will belong in the Feature update section below] + +Alternative sentence coming from Ellie’s deck: We will release Windows 10, version 21H2 in the second half of 2021 to keep your users productive and secure while you chart your path to Sun Valley. this is ‘we have your back’ language, and would be great to include it +Application compatibility & readiness + +Application Compatibility +Understanding that applications will work following an OS rollout is critical in the planning stage. Since Sun Valley has been built with compatibility in mind, it’s undergoing and passing the same application compatibility testing requirements that we have in place for Windows 10 feature and quality update releases. + +Microsoft is committed to ensuring applications work on the latest versions of our software. Our promise states that applications that worked on Windows 7/8.1/10 will work on Sun Valley. [This is where app compat info goes, as Test Base and AppAssure go into the Prepare section] + + + + + + + + + + + + + + + + Consider using the following process to deploy Windows Sun Valley to existing devices: 1. Preview Windows Sun Valley and create a deployment plan. 2. Test critical applications and management policies. diff --git a/windows/whats-new/windows-sv-prepare.md b/windows/whats-new/windows-sv-prepare.md index f3692eeaff..5cf0d2459c 100644 --- a/windows/whats-new/windows-sv-prepare.md +++ b/windows/whats-new/windows-sv-prepare.md @@ -21,6 +21,62 @@ ms.topic: article - Windows Sun Valley ## Deployment readiness + +Organizations will vary in their pace relative to transitioning from Windows 10 to Sun Valley, and we expect early corporate adoptions to consist of smaller test environments before rolling out to wider groups begins. With the new Sun Valley experience, it’s highly plausible that hybrid environments of both operating systems running simultaneously will be the norm, at least initially. + +As you prepare for Sun Valley, it’s also a good time to look at the deployment infrastructure of your environment. If you aren’t already taking advantage of cloud-based management tools like Microsoft Endpoint Manager this might be the perfect scenario in which to make that leap. Or if you are on -premises, Configuration Manager’s Cloud management gateway <- additional Configuration Manager content needed here . + +Additionally, policies related to deployment may need to be updated or re-evaluated respective of update compliance deadlines, device activity policies, and the re-evaluation of older policies. A servicing mindset pointed at keeping current means that, as with Windows 10 devices, you will create a deployment plan in order to build out your servicing strategy. + +The IT Pro tools that you are familiar with and have been using in the past to prepare for deployments also work in Sun Valley; you can analyze endpoints, determine application compatibility, and manage deployments in the same way you did with Windows 10: + +Analytics +Content on Endpoint analytics needed. + +Application compatibility +Two Microsoft services that work directly with you to ensure application compatibility with Sun Valley are App Assure and Test Base. + +If you experience any issues with your apps and are enrolled in the App Assure service, Microsoft will help you identify the issue at no cost. App Assure works with you to troubleshoot the issue, determine the root cause, and can help fix the issue as well. App Assure is subscription based, but subscriptions are free for eligible customers with 150+ seats. + +Test Base is our intelligent application validation service that allows software vendors and commercial customers to test their applications. The Test Base test and validation environment runs Sun Valley as well as Windows 10 with a matrix of updates and environments in a Microsoft managed Azure environment. You can get started by enrolling in Test Base for Microsoft 365. + +Management tools +The management toolset that you use for heavy lifting during deployments of Windows 10 are still able to be leveraged in Sun Valley. There are a few nuanced differences described here: + +• Windows Server Update Service (WSUS): For commercial customers using WSUS, they will need to sync the new “Windows ” product category. +• Windows Update for Business (WUfB): For commercial customers using WUfB, they will need to leverage the Target Version capability rather than feature update deferrals to move from Windows 10 to Windows . Feature Update deferrals are great to move to newer versions of your current product (e.g. Windows 10 21H1 to Windows 10 21H2), but do not enable you to move between products (e.g. Windows 10 to Windows ). Quality update deferrals will continue to work the same across both Windows 10 and Windows . +• MEM Configuration Manager: For customers using MEM Configuration Manager, you will easily be able to sync the new “Windows ” Product category and begin upgrading eligible devices. Please note that Configuration Manager will prompt you to accept the end user license agreement on behalf of the users in your organization. If you would like to validate Sun Valley prior to release, simply sync the “Windows Insider Pre-release" category as well. +• MEM Intune: For customers using MEM Intune with E3 licenses you will be able to leverage the “Feature Update Deployments” to easily manage moving between Windows 10 versions or to Windows 21H2. +• Autopilot: Autopilot works seamlessly in a Windows Sun Valley OOBE experience (out of box experience). It’s plug and play. +• In an Intune environment, a Sun Valley boot image needs to already exist on the device for Autopilot to work with Sun Valley. If the device comes with a Windows 10 boot image, IT Pros can use Windows Autopilot to deploy Windows 10, and then use Windows Update for Business to upgrade to Windows Sun Valley. +o +o To use Windows Autopilot to upgrade existing, eligible devices, Configuration Manager plus the task sequence ‘Windows Autopilot for existing devices’ can place the Windows Sun Valley boot image onto the managed device, allowing Windows Autopilot to then deploy Sun Valley. +o Note that Windows Autopilot cannot downgrade a device from Sun Valley to Windows 10. + + + + + + + + + + + + + + + + + + + + + + + + + Consider using the following process to deploy Windows Sun Valley to existing devices: 1. Preview Windows Sun Valley and create a deployment plan. @@ -34,3 +90,10 @@ Consider using the following process to deploy Windows Sun Valley to existing de ## See also [Windows Sun Valley deployment planning](windows-sv-plan.md) + +• Technical documentation: Prescriptive and authoritative documentation on Microsoft Docs can help you plan for, prepare, and deploy Sun Valley — and to service and manage Windows devices effectively across your organization. +• Windows release health: Windows release health offers the quickest way to stay up to date on update-related news, information, and best practices, including important lifecycle reminders and the status of known issues and safeguard holds. IT administrators have access to this information, plus additional details, within the health experience Microsoft 365 admin center. +• Windows 10 update history: For every version of the Windows operating system, we publish a consolidated update history documentation experience, offering quick access to the knowledge base (KB) articles for each monthly, optional, and out-of-band release. In addition to update highlights, you’ll find a list of improvements and fixes, a summary of any known issues, and details on how to get the update, including any prerequisites. Want to see an example? See Windows 10 update history. +• Windows Tech Community: Offering technical professionals a place to discuss, share, troubleshoot, and learn around Windows, Tech Community is also the home of the Windows IT Pro Blog, our monthly Windows Office Hours events, and the Windows Video Hub. +• Microsoft Learn: We are in the process of developing online learning paths and modules to help you and your organization effectively plan, prepare, and deploy Sun Valley effectively. + diff --git a/windows/whats-new/windows-sv.md b/windows/whats-new/windows-sv.md index 2407048dbc..c25337973d 100644 --- a/windows/whats-new/windows-sv.md +++ b/windows/whats-new/windows-sv.md @@ -25,6 +25,15 @@ This article provides an introduction and answers some frequently asked question Windows Sun Valley is a newly designed Windows client operating system due to be released later in 2021. It is fresh and light, yet familiar to those who use Windows today. The goal of this release is to be the most reliable, secure, connected, and performant OS release ever. +--statement to edit +In general, you can deploy , manage, and secure Sun Valley using the same tools and solutions you use today. +You can use Configuration Manager for your deployment, though we recommend cloud-based solutions such as Microsoft Endpoint Manager to fully take advantage of more data-driven insights. Monitoring update compliance. +Since your familiar Windows 10 tools are meant to be used with Sun Valley as well, then managing, securing, and deploying Sun Valley devices will be well-known procedures in the Plan, Prepare and Deploy process. +Just as we recommend that broad deployment of new versions of Windows 10 begin with a pilot deployment phase, Sun Valley is no different. Further, you will likely have an environment that is a blend of Windows 10-capable devices and Windows 10 + Sun Valley-eligible devices. You will be poised to rollout an update to a select number of devices, once you’ve gone through the checklist of Pilot deployment tasks such as assigning the pilot devices from your Prepare phase, implementing baseline and operations updates, testing and supporting the devices, and so forth. When you deploy to your test group, we recommend cloud-based deployment solutions such as Microsoft Endpoint Manager to fully take advantage of data-driven insights, though Configuration Manager works as well. +Using artifacts from your Plan and Prepare phase (such as application assignments, security and configuration baselines, etc.) as well as data from your test deployment, will give you the confidence you seek to manage a broader rollout of Sun Valley to increasingly larger rings of eligible devices. Desktop Analytics will help you ensure that your apps are scoped to only the pilot rings you designate. +Though we’ve mentioned only a few, the tools and processes we have had in place for your previous 10 Windows deployment will be there for you with Sun Valley as well. +---------statement end + ## How to get Windows Sun Valley Windows Sun Valley will delivered as an upgrade to devices running Windows 10 beginning in the first half of 2022. All upgrades to Windows Sun Valley from Windows 10 will be free. Windows Sun Valley will also be available on new devices that meet the hardware requirements. @@ -91,4 +100,6 @@ After you have upgraded to Windows Sun Valley, you have 10 days to use the rollb ## See also -[Get started with Windows Sun Valley](windows-sv-get-started.md) +[Get started with Windows Sun Valley](windows-sv-plan.md) + + From 1e4b23e92e217e81b560a44b218dffc13828ff71 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 8 Jun 2021 13:36:24 -0700 Subject: [PATCH 263/415] some edits --- windows/whats-new/windows-sv-plan.md | 2 +- windows/whats-new/windows-sv.md | 13 ++++++++++--- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/windows/whats-new/windows-sv-plan.md b/windows/whats-new/windows-sv-plan.md index 190595d9be..e005a6fda7 100644 --- a/windows/whats-new/windows-sv-plan.md +++ b/windows/whats-new/windows-sv-plan.md @@ -14,7 +14,7 @@ ms.localizationpriority: high ms.topic: article --- -# Get started with Windows Sun Valley +# Planning for Windows Sun Valley **Applies to** diff --git a/windows/whats-new/windows-sv.md b/windows/whats-new/windows-sv.md index c25337973d..1bd9dac13e 100644 --- a/windows/whats-new/windows-sv.md +++ b/windows/whats-new/windows-sv.md @@ -25,13 +25,20 @@ This article provides an introduction and answers some frequently asked question Windows Sun Valley is a newly designed Windows client operating system due to be released later in 2021. It is fresh and light, yet familiar to those who use Windows today. The goal of this release is to be the most reliable, secure, connected, and performant OS release ever. ---statement to edit +The following articles are available to learn about Windows Sun Valley. The articles are designed to be read in order. + +1. Windows Sun Valley overview: An introduction to Windows Sun Valley (this article). +2. [Windows Sun Valley requirements](windows-sv-requirements.md): Hardware, software, network, and licensing requirements to deploy Windows Sun Valley. +3. [Planning for Windows Sun Valley](windows-sv-plan.md): Guidance to create a Windows Sun Valley deployment plan. +4. [Prepare to deploy Windows Sun Valley](windows-sv-prepare.md): Procedures to ensure readiness to deploy Windows Sun Valley in your organization. + +--statement to edit
In general, you can deploy , manage, and secure Sun Valley using the same tools and solutions you use today. You can use Configuration Manager for your deployment, though we recommend cloud-based solutions such as Microsoft Endpoint Manager to fully take advantage of more data-driven insights. Monitoring update compliance. Since your familiar Windows 10 tools are meant to be used with Sun Valley as well, then managing, securing, and deploying Sun Valley devices will be well-known procedures in the Plan, Prepare and Deploy process. Just as we recommend that broad deployment of new versions of Windows 10 begin with a pilot deployment phase, Sun Valley is no different. Further, you will likely have an environment that is a blend of Windows 10-capable devices and Windows 10 + Sun Valley-eligible devices. You will be poised to rollout an update to a select number of devices, once you’ve gone through the checklist of Pilot deployment tasks such as assigning the pilot devices from your Prepare phase, implementing baseline and operations updates, testing and supporting the devices, and so forth. When you deploy to your test group, we recommend cloud-based deployment solutions such as Microsoft Endpoint Manager to fully take advantage of data-driven insights, though Configuration Manager works as well. Using artifacts from your Plan and Prepare phase (such as application assignments, security and configuration baselines, etc.) as well as data from your test deployment, will give you the confidence you seek to manage a broader rollout of Sun Valley to increasingly larger rings of eligible devices. Desktop Analytics will help you ensure that your apps are scoped to only the pilot rings you designate. -Though we’ve mentioned only a few, the tools and processes we have had in place for your previous 10 Windows deployment will be there for you with Sun Valley as well. +Though we’ve mentioned only a few, the tools and processes we have had in place for your previous 10 Windows deployment will be there for you with Sun Valley as well.
---------statement end ## How to get Windows Sun Valley @@ -84,7 +91,7 @@ Most accessories and associated software that worked with Windows 10 are expecte ## Application compatibility -Microsoft is committed to ensuring your Windows 10 applications work on Windows Sun Valley. If you have [App Assure](https://www.microsoft.com/fasttrack/microsoft-365/app-assure), Microsoft will help you fix any issues at no cost. App Assure is free for organizations with 150 or more seats. For more information on eligibility requirements, see [Products and Capabilities: App Assure](https://docs.microsoft.com/fasttrack/products-and-capabilities#app-assure). +Microsoft is committed to ensuring your Windows 10 applications work on Windows Sun Valley. If you have [App Assure](/fasttrack/microsoft-365/app-assure), Microsoft will help you fix any issues at no cost. App Assure is free for organizations with 150 or more seats. For more information on eligibility requirements, see [Products and Capabilities: App Assure](/fasttrack/products-and-capabilities#app-assure). ## Licensing From d0c4483edec560d839288689bfc3557412a17c7f Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Tue, 8 Jun 2021 13:55:32 -0700 Subject: [PATCH 264/415] Acrolinx "Bitlocker" --- .../bitlocker/bitlocker-deployment-comparison.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md index f4d29550e4..de76b10cc5 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md @@ -1,6 +1,6 @@ --- title: BitLocker deployment comparison (Windows 10) -description: This article shows the Bitlocker deployment comparison chart. +description: This article shows the BitLocker deployment comparison chart. ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library From 0e4086933b45b98e4d64d6320eb84709f3cc202c Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 8 Jun 2021 14:43:21 -0700 Subject: [PATCH 265/415] some edits --- windows/whats-new/windows-sv.md | 50 +++++++++++++++++---------------- 1 file changed, 26 insertions(+), 24 deletions(-) diff --git a/windows/whats-new/windows-sv.md b/windows/whats-new/windows-sv.md index 1bd9dac13e..f63b6653dd 100644 --- a/windows/whats-new/windows-sv.md +++ b/windows/whats-new/windows-sv.md @@ -21,33 +21,33 @@ ms.custom: seo-marvel-apr2020 **Applies to** - Windows Sun Valley -This article provides an introduction and answers some frequently asked questions about Windows Sun Valley, the next client release of Windows. +This article provides an introduction and answers some frequently asked questions about Windows Sun Valley, the next client release of Windows. -Windows Sun Valley is a newly designed Windows client operating system due to be released later in 2021. It is fresh and light, yet familiar to those who use Windows today. The goal of this release is to be the most reliable, secure, connected, and performant OS release ever. +The following articles are available to learn about Windows Sun Valley. -The following articles are available to learn about Windows Sun Valley. The articles are designed to be read in order. - -1. Windows Sun Valley overview: An introduction to Windows Sun Valley (this article). +1. [Windows Sun Valley overview](windows-sv-md): An introduction to Windows Sun Valley (this article). 2. [Windows Sun Valley requirements](windows-sv-requirements.md): Hardware, software, network, and licensing requirements to deploy Windows Sun Valley. 3. [Planning for Windows Sun Valley](windows-sv-plan.md): Guidance to create a Windows Sun Valley deployment plan. 4. [Prepare to deploy Windows Sun Valley](windows-sv-prepare.md): Procedures to ensure readiness to deploy Windows Sun Valley in your organization. ---statement to edit
-In general, you can deploy , manage, and secure Sun Valley using the same tools and solutions you use today. -You can use Configuration Manager for your deployment, though we recommend cloud-based solutions such as Microsoft Endpoint Manager to fully take advantage of more data-driven insights. Monitoring update compliance. -Since your familiar Windows 10 tools are meant to be used with Sun Valley as well, then managing, securing, and deploying Sun Valley devices will be well-known procedures in the Plan, Prepare and Deploy process. -Just as we recommend that broad deployment of new versions of Windows 10 begin with a pilot deployment phase, Sun Valley is no different. Further, you will likely have an environment that is a blend of Windows 10-capable devices and Windows 10 + Sun Valley-eligible devices. You will be poised to rollout an update to a select number of devices, once you’ve gone through the checklist of Pilot deployment tasks such as assigning the pilot devices from your Prepare phase, implementing baseline and operations updates, testing and supporting the devices, and so forth. When you deploy to your test group, we recommend cloud-based deployment solutions such as Microsoft Endpoint Manager to fully take advantage of data-driven insights, though Configuration Manager works as well. -Using artifacts from your Plan and Prepare phase (such as application assignments, security and configuration baselines, etc.) as well as data from your test deployment, will give you the confidence you seek to manage a broader rollout of Sun Valley to increasingly larger rings of eligible devices. Desktop Analytics will help you ensure that your apps are scoped to only the pilot rings you designate. -Though we’ve mentioned only a few, the tools and processes we have had in place for your previous 10 Windows deployment will be there for you with Sun Valley as well.
----------statement end +## Introduction + +Windows Sun Valley is a newly designed Windows client operating system due to be released later in 2021. It is fresh and light, yet familiar to those who use Windows today. Windows Sun Valley is designed to support today's flexible [hybrid work](https://pulse.microsoft.com/the-journey-to-the-new-normal-driving-innovation-and-productivity-in-a-hybrid-world/) environment. The goal of this release is to be the most reliable, secure, connected, and performant OS release ever. + +Windows Sun Valley is built on the same foundation as Windows 10, so you can generally deploy, manage, and secure Sun Valley using the same tools and solutions you use today. + +All upgrades to Windows Sun Valley from Windows 10 will be free. ## How to get Windows Sun Valley -Windows Sun Valley will delivered as an upgrade to devices running Windows 10 beginning in the first half of 2022. All upgrades to Windows Sun Valley from Windows 10 will be free. Windows Sun Valley will also be available on new devices that meet the hardware requirements. +Windows Sun Valley will delivered as an upgrade to devices running Windows 10 beginning in the first half of 2022. Windows Sun Valley will also be available on new devices that meet the hardware requirements. -You must be running a current version of Windows 10 and meet the minimum hardware specifications to be eligible to upgrade. For more information, see [Windows Sun Valley requirements](windows-sv-requirements.md). +You must be running Windows 10, version 20H1 or later, and meet the minimum hardware specifications to be eligible to upgrade. For more information, see [Windows Sun Valley requirements](windows-sv-requirements.md). -Not all eligible Windows 10 PCs will be offered the upgrade at the same time. To see if your PC is eligible, download the PC Health Check app (link). The app will check that your devices meets hardware and software requirements to perform an upgrade to Windows Sun Valley. You can also check the status of your device by navigating to **Windows Update** in **Settings**. Once the upgrade rollout has started and the upgrade has been tested and validated for your PC's hardware, Windows Update will indicate that the upgrade is ready for installation. +For managed PCs that meet requirements, the upgrade will be provided using the same process that you use today for feature updates. + +For unmanaged PCs that meet requirements, the upgrade will be offered through Windows Update. +- Not all eligible Windows 10 PCs will be offered the upgrade at the same time. To see if your PC is eligible, download the PC Health Check app (link). The app will check that your devices meets hardware and software requirements to perform an upgrade to Windows Sun Valley. You can also check the status of your device by navigating to **Settings** > **Update & Security** > **Windows Update**. Once the upgrade rollout has started and the upgrade has been tested and validated for your PC's hardware, Windows Update will indicate that the upgrade is ready for installation. You can get early access to test Windows Sun Valley by joining the [Windows Insider Program](https://insider.windows.com), or by enabling pre-release Windows 10 feature updates in Configuration Manager or Windows Server Update Services (WSUS). @@ -61,15 +61,17 @@ Microsoft will continue to provide one cumulative package that includes all late ### Servicing -Windows Sun Valley annual releases are supported for 24 months for the following editions: -- Home -- Pro -- Pro for Workstations -- Pro Education +Windows Sun Valley annual releases are supported for 24 months or 36 months, depending on the edition. See the following table. -Windows Sun Valley annual releases are supported for 36 months for the following editions: -- Enterprise -- Education + + + + + + + + +
EditionServicing timeline
Windows Sun Valley Home24 months from the release date
Windows Sun Valley Pro
Windows Sun Valley Pro for Workstations
Windows Sun Valley Pro Education
Windows Sun Valley Enterprise36 months from the release date
Windows Sun Valley Education
### Features and applications From ea92ce15d666e34f50a95d3ef72c2257eae296fa Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 8 Jun 2021 14:57:15 -0700 Subject: [PATCH 266/415] some edits --- windows/whats-new/windows-sv.md | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/windows/whats-new/windows-sv.md b/windows/whats-new/windows-sv.md index f63b6653dd..b522d4c788 100644 --- a/windows/whats-new/windows-sv.md +++ b/windows/whats-new/windows-sv.md @@ -25,7 +25,7 @@ This article provides an introduction and answers some frequently asked question The following articles are available to learn about Windows Sun Valley. -1. [Windows Sun Valley overview](windows-sv-md): An introduction to Windows Sun Valley (this article). +1. Windows Sun Valley overview (this article): An introduction to Windows Sun Valley. 2. [Windows Sun Valley requirements](windows-sv-requirements.md): Hardware, software, network, and licensing requirements to deploy Windows Sun Valley. 3. [Planning for Windows Sun Valley](windows-sv-plan.md): Guidance to create a Windows Sun Valley deployment plan. 4. [Prepare to deploy Windows Sun Valley](windows-sv-prepare.md): Procedures to ensure readiness to deploy Windows Sun Valley in your organization. @@ -63,15 +63,14 @@ Microsoft will continue to provide one cumulative package that includes all late Windows Sun Valley annual releases are supported for 24 months or 36 months, depending on the edition. See the following table. - - - - - - - - -
EditionServicing timeline
Windows Sun Valley Home24 months from the release date
Windows Sun Valley Pro
Windows Sun Valley Pro for Workstations
Windows Sun Valley Pro Education
Windows Sun Valley Enterprise36 months from the release date
Windows Sun Valley Education
+ +| 24 months from the release date | 36 months from the release date | +| --- | --- | +| Windows Sun Valley Home | Windows Sun Valley Enterprise | +| Windows Sun Valley Pro | Windows Sun Valley Education | +| Windows Sun Valley Pro for Workstations | | +| Windows Sun Valley Pro Education | | + ### Features and applications From e3aa788ac7f136c183a7480b70ee08247bed97c0 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 8 Jun 2021 15:06:15 -0700 Subject: [PATCH 267/415] Update windows/client-management/mdm/defender-csp.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/client-management/mdm/defender-csp.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index acc2fed615..dbdc03e3aa 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -566,11 +566,11 @@ The data type is integer. Supported operations are Add, Delete, Get, Replace. Valid values are: -• 0: Not configured (Default) -• 1: Beta Channel - Prerelease -• 2: Current Channel (Preview) -• 3: Current Channel (Staged) -• 4: Current Channel (Broad) +- 0 - Not configured (Default) +- 1 - Beta Channel - Prerelease +- 2 - Current Channel (Preview) +- 3 - Current Channel (Staged) +- 4 - Current Channel (Broad) **Configuration/DefinitionUpdatesChannel** Enable this policy to specify when devices receive daily Microsoft Defender definition updates during the daily gradual rollout. From 595141a61131183276144ea7e2fdce0af897dc5e Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 8 Jun 2021 15:59:11 -0700 Subject: [PATCH 268/415] some edits --- windows/whats-new/windows-sv-prepare.md | 21 +++++++++++---------- windows/whats-new/windows-sv.md | 4 +++- 2 files changed, 14 insertions(+), 11 deletions(-) diff --git a/windows/whats-new/windows-sv-prepare.md b/windows/whats-new/windows-sv-prepare.md index 5cf0d2459c..7e9f6b1e5c 100644 --- a/windows/whats-new/windows-sv-prepare.md +++ b/windows/whats-new/windows-sv-prepare.md @@ -41,17 +41,18 @@ If you experience any issues with your apps and are enrolled in the App Assure s Test Base is our intelligent application validation service that allows software vendors and commercial customers to test their applications. The Test Base test and validation environment runs Sun Valley as well as Windows 10 with a matrix of updates and environments in a Microsoft managed Azure environment. You can get started by enrolling in Test Base for Microsoft 365. Management tools -The management toolset that you use for heavy lifting during deployments of Windows 10 are still able to be leveraged in Sun Valley. There are a few nuanced differences described here: +The management toolset that you use for heavy lifting during deployments of Windows 10 are still able to be leveraged in Sun Valley. There are a few differences: -• Windows Server Update Service (WSUS): For commercial customers using WSUS, they will need to sync the new “Windows ” product category. -• Windows Update for Business (WUfB): For commercial customers using WUfB, they will need to leverage the Target Version capability rather than feature update deferrals to move from Windows 10 to Windows . Feature Update deferrals are great to move to newer versions of your current product (e.g. Windows 10 21H1 to Windows 10 21H2), but do not enable you to move between products (e.g. Windows 10 to Windows ). Quality update deferrals will continue to work the same across both Windows 10 and Windows . -• MEM Configuration Manager: For customers using MEM Configuration Manager, you will easily be able to sync the new “Windows ” Product category and begin upgrading eligible devices. Please note that Configuration Manager will prompt you to accept the end user license agreement on behalf of the users in your organization. If you would like to validate Sun Valley prior to release, simply sync the “Windows Insider Pre-release" category as well. -• MEM Intune: For customers using MEM Intune with E3 licenses you will be able to leverage the “Feature Update Deployments” to easily manage moving between Windows 10 versions or to Windows 21H2. -• Autopilot: Autopilot works seamlessly in a Windows Sun Valley OOBE experience (out of box experience). It’s plug and play. -• In an Intune environment, a Sun Valley boot image needs to already exist on the device for Autopilot to work with Sun Valley. If the device comes with a Windows 10 boot image, IT Pros can use Windows Autopilot to deploy Windows 10, and then use Windows Update for Business to upgrade to Windows Sun Valley. -o -o To use Windows Autopilot to upgrade existing, eligible devices, Configuration Manager plus the task sequence ‘Windows Autopilot for existing devices’ can place the Windows Sun Valley boot image onto the managed device, allowing Windows Autopilot to then deploy Sun Valley. -o Note that Windows Autopilot cannot downgrade a device from Sun Valley to Windows 10. +- Windows Server Update Service (WSUS): For commercial customers using WSUS, they will need to sync the new “Windows ” product category. +- Windows Update for Business (WUfB): For commercial customers using WUfB, they will need to leverage the Target Version capability rather than feature update deferrals to move from Windows 10 to Windows . Feature Update deferrals are great to move to newer versions of your current product (e.g. Windows 10 21H1 to Windows 10 21H2), but do not enable you to move between products (e.g. Windows 10 to Windows ). Quality update deferrals will continue to work the same across both Windows 10 and Windows . +- MEM Configuration Manager: For customers using MEM Configuration Manager, you will easily be able to sync the new “Windows ” Product category and begin upgrading eligible devices. Please note that Configuration Manager will prompt you to accept the end user license agreement on behalf of the users in your organization. If you would like to validate Sun Valley prior to release, simply sync the “Windows Insider Pre-release" category as well. +- MEM Intune: For customers using MEM Intune with E3 licenses you will be able to leverage the “Feature Update Deployments” to easily manage moving between Windows 10 versions or to Windows 21H2. +- Autopilot: Autopilot works seamlessly in a Windows Sun Valley OOBE experience (out of box experience). It’s plug and play. +- In an Intune environment, a Sun Valley boot image needs to already exist on the device for Autopilot to work with Sun Valley. If the device comes with a Windows 10 boot image, IT Pros can use Windows Autopilot to deploy Windows 10, and then use Windows Update for Business to upgrade to Windows Sun Valley. + +To use Windows Autopilot to upgrade existing, eligible devices, Configuration Manager plus the task sequence ‘Windows Autopilot for existing devices’ can place the Windows Sun Valley boot image onto the managed device, allowing Windows Autopilot to then deploy Sun Valley. + +Windows Autopilot cannot downgrade a device from Sun Valley to Windows 10. diff --git a/windows/whats-new/windows-sv.md b/windows/whats-new/windows-sv.md index b522d4c788..96288250c3 100644 --- a/windows/whats-new/windows-sv.md +++ b/windows/whats-new/windows-sv.md @@ -61,7 +61,9 @@ Microsoft will continue to provide one cumulative package that includes all late ### Servicing -Windows Sun Valley annual releases are supported for 24 months or 36 months, depending on the edition. See the following table. +Windows Sun Valley annual releases are supported for 24 months or 36 months, depending on the edition. + +See the following table. | 24 months from the release date | 36 months from the release date | From ccb70b243bcf508a3355b1d1194b5577eedb6c00 Mon Sep 17 00:00:00 2001 From: Marysia Kaminska <85372436+marysiakam9889@users.noreply.github.com> Date: Tue, 8 Jun 2021 16:35:35 -0700 Subject: [PATCH 269/415] Update defender-ddf.md adding new csp's for Defender Update controls: DisableGradualRelease, DefinitionUpdatesChannel, EngineUpdatesChannel, and PlatformUpdatesChannel --- windows/client-management/mdm/defender-ddf.md | 180 ++++++++++++++++++ 1 file changed, 180 insertions(+) diff --git a/windows/client-management/mdm/defender-ddf.md b/windows/client-management/mdm/defender-ddf.md index a63f4dec92..b4c21b747a 100644 --- a/windows/client-management/mdm/defender-ddf.md +++ b/windows/client-management/mdm/defender-ddf.md @@ -757,6 +757,186 @@ The XML below is the current version for this CSP. + + DisableGradualRelease + + + + + + + + Enable this policy to disable gradual rollout of Defender updates. + + + + + + + + + + + text/plain + + + 99.9.99999 + 1.3 + + + + 1 + Gradual release is disabled + + + 0 + Gradual release is enabled + + + + + + DefinitionUpdatesChannel + + + + + + + + Enable this policy to specify when devices receive daily Microsoft Defender definition updates during the daily gradual rollout. + + + + + + + + + + + text/plain + + + 99.9.99999 + 1.3 + + + + 0 + Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. + + + 4 + Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). + + + 5 + Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). + + + + + + EngineUpdatesChannel + + + + + + + + Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout. + + + + + + + + + + + text/plain + + + 99.9.99999 + 1.3 + + + + 0 + Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. + + + 2 + Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. + + + 3 + Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. + + + 4 + Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). + + + 5 + Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). + + + + + + PlatformUpdatesChannel + + + + + + + + Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout. + + + + + + + + + + + text/plain + + + 99.9.99999 + 1.3 + + + + 0 + Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. + + + 2 + Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. + + + 3 + Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. + + + 4 + Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). + + + 5 + Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). + + + + Scan From ba0b3bdec452c36c016c28445ce2a6ffb62cf8b4 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 8 Jun 2021 16:45:59 -0700 Subject: [PATCH 270/415] rm sv --- windows/application-management/index.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/application-management/index.yml b/windows/application-management/index.yml index dc786fd289..95053b27f0 100644 --- a/windows/application-management/index.yml +++ b/windows/application-management/index.yml @@ -5,7 +5,7 @@ summary: Learn about managing applications in Windows client, including how to r metadata: title: Windows application management # Required; page title displayed in search results. Include the brand. < 60 chars. - description: Learn about managing applications in Windows 10 and Windows Sun Valley. # Required; article description that is displayed in search results. < 160 chars. + description: Learn about managing applications in Windows 10. # Required; article description that is displayed in search results. < 160 chars. services: windows-10 ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. ms.subservice: subservice From cd99516b0029f122bc575c93c7344caa6869ebda Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Tue, 8 Jun 2021 16:46:25 -0700 Subject: [PATCH 271/415] fix --- windows/application-management/index.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/application-management/index.yml b/windows/application-management/index.yml index dc786fd289..95053b27f0 100644 --- a/windows/application-management/index.yml +++ b/windows/application-management/index.yml @@ -5,7 +5,7 @@ summary: Learn about managing applications in Windows client, including how to r metadata: title: Windows application management # Required; page title displayed in search results. Include the brand. < 60 chars. - description: Learn about managing applications in Windows 10 and Windows Sun Valley. # Required; article description that is displayed in search results. < 160 chars. + description: Learn about managing applications in Windows 10. # Required; article description that is displayed in search results. < 160 chars. services: windows-10 ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. ms.subservice: subservice From e640603aef1d3eb2aaadcf5db4fbdb6bacc66e20 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Tue, 8 Jun 2021 21:14:03 -0700 Subject: [PATCH 272/415] Applied "> [!NOTE]" style --- ...policy-csp-localpoliciessecurityoptions.md | 23 +++++++++++++------ 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index 8beeba2c2e..1d2f90b193 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -1241,7 +1241,8 @@ If you click Force Logoff in the Properties dialog box for this policy, the user If you click Disconnect if a Remote Desktop Services session, removal of the smart card disconnects the session without logging the user off. This allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to log on again. If the session is local, this policy functions identically to Lock Workstation. -Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server. +> [!NOTE] +> Remote Desktop Services was called Terminal Services in previous versions of Windows Server. Default: This policy is not defined, which means that the system treats it as No action. @@ -2457,7 +2458,8 @@ If you select "Enable auditing for all accounts", the server will log events for This policy is supported on at least Windows 7 or Windows Server 2008 R2. -Note: Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. +> [!NOTE] +> Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. @@ -2535,7 +2537,8 @@ If you select "Deny all accounts," the server will deny NTLM authentication requ This policy is supported on at least Windows 7 or Windows Server 2008 R2. -Note: Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. +> [!NOTE] +> Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. @@ -2613,7 +2616,8 @@ If you select "Deny all," the client computer cannot authenticate identities to This policy is supported on at least Windows 7 or Windows Server 2008 R2. -Note: Audit and block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. +> [!NOTE] +> Audit and block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. @@ -2897,7 +2901,9 @@ This policy setting controls the behavior of the elevation prompt for administra The options are: -- 0 - Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constrained environments. +- 0 - Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. + > [!NOTE] + > Use this option only in the most constrained environments. - 1 - Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. @@ -3172,7 +3178,8 @@ This policy setting controls whether applications that request to run with a Use - …\Windows\system32\ - …\Program Files (x86)\, including subfolders for 64-bit versions of Windows -Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. +> [!NOTE] +> Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The options are: - 0 - Disabled: An application runs with UIAccess integrity even if it does not reside in a secure location in the file system. @@ -3240,7 +3247,9 @@ User Account Control: Turn on Admin Approval Mode This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The options are: -- 0 - Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. +- 0 - Disabled: Admin Approval Mode and all related UAC policy settings are disabled. + > [!NOTE] + > If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. - 1 - Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. From 36f4a8e1e005f397d9df19b4738db1131d4270c9 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Tue, 8 Jun 2021 21:14:54 -0700 Subject: [PATCH 273/415] =?UTF-8?q?Replaced=20"=C3=A2=E2=82=AC=C2=A6"=20in?= =?UTF-8?q?=20file=20path=20with=20"."?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../mdm/policy-csp-localpoliciessecurityoptions.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index 1d2f90b193..0d4580ee4b 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -3174,9 +3174,9 @@ User Account Control: Only elevate UIAccess applications that are installed in s This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: -- …\Program Files\, including subfolders -- …\Windows\system32\ -- …\Program Files (x86)\, including subfolders for 64-bit versions of Windows +- .\Program Files\, including subfolders +- .\Windows\system32\ +- .\Program Files (x86)\, including subfolders for 64-bit versions of Windows > [!NOTE] > Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. From 0df3a52c4af3656c945bfb7848ab32d0d1f37a73 Mon Sep 17 00:00:00 2001 From: msarcletti <56821677+msarcletti@users.noreply.github.com> Date: Wed, 9 Jun 2021 09:13:30 +0200 Subject: [PATCH 274/415] Update filter-origin-documentation.md Fixing a typo in the auditpol commands to enable WFP packet drop auditing --- .../windows-firewall/filter-origin-documentation.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md b/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md index c1121baa73..90d5fd2514 100644 --- a/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md +++ b/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md @@ -67,7 +67,7 @@ To enable a specific audit event, run the corresponding command in an administra |**Audit #**|**Enable command**|**Link**| |:-----|:-----|:-----| |**5157**|`Auditpol /set /category:"System" /SubCategory:"Filtering Platform Connection" /success:enable /failure:enable`|[5157(F): The Windows Filtering Platform has blocked a connection.](../auditing/event-5157.md)| -|**5152**|`Auditpol /set /category:"System" /SubCategory:"Filtering Platform Connection" /success:enable /failure:enable`|[5152(F): The Windows Filtering Platform blocked a packet.](../auditing/event-5152.md)| +|**5152**|`Auditpol /set /category:"System" /SubCategory:"Filtering Platform Packet Drop" /success:enable /failure:enable`|[5152(F): The Windows Filtering Platform blocked a packet.](../auditing/event-5152.md)| ## Example flow of debugging packet drops with filter origin @@ -168,4 +168,4 @@ For more information on how to debug drops caused by UWP default block filters, **WSH default** -Network drops from Windows Service Hardening (WSH) default filters indicate that there wasn’t an explicit Windows Service Hardening allow rule to allow network traffic for the protected service. The service owner will need to configure allow rules for the service if the block is not expected. \ No newline at end of file +Network drops from Windows Service Hardening (WSH) default filters indicate that there wasn’t an explicit Windows Service Hardening allow rule to allow network traffic for the protected service. The service owner will need to configure allow rules for the service if the block is not expected. From d383abf06cf5469119d5549a6cc6c7b86cb81c6e Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 9 Jun 2021 11:05:13 -0700 Subject: [PATCH 275/415] revert --- windows/client-management/mdm/defender-csp.md | 74 +------------------ 1 file changed, 3 insertions(+), 71 deletions(-) diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index dbdc03e3aa..a97b4484db 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -10,7 +10,7 @@ ms.prod: w10 ms.technology: windows author: dansimp ms.localizationpriority: medium -ms.date: 06/07/2021 +ms.date: 06/02/2021 --- # Defender CSP @@ -59,9 +59,6 @@ Defender --------TamperProtection (Added in Windows 10, version 1903) --------EnableFileHashComputation (Added in Windows 10, version 1903) --------SupportLogLocation (Added in the next major release of Windows 10) ---------PlatformUpdatesChannel (Added with the 4.18.2105.4 Defender platform release) ---------EngineUpdatesChannel (Added with the 4.18.2105.4 Defender platform release) ---------DefinitionUpdatesChannel (Added with the 4.18.2105.4 Defender platform release) ----Scan ----UpdateSignature ----OfflineScan (Added in Windows 10 version 1803) @@ -521,74 +518,9 @@ When enabled or disabled exists on the client and admin moves the setting to not More details: -- [Microsoft Defender Antivirus diagnostic data](/microsoft-365/security/defender-endpoint/collect-diagnostic-data) +- [Microsoft Defender AV diagnostic data](/microsoft-365/security/defender-endpoint/collect-diagnostic-data) - [Collect investigation package from devices](/microsoft-365/security/defender-endpoint/respond-machine-alerts#collect-investigation-package-from-devices) -**Configuration/PlatformUpdatesChannel** -Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout. - -Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. - -Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. - -Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). - -Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). - -If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices. - -The data type is integer. - -Supported operations are Add, Delete, Get, Replace. - -Valid values are: -• 0: Not configured (Default) -• 1: Beta Channel - Prerelease -• 2: Current Channel (Preview) -• 3: Current Channel (Staged) -• 4: Current Channel (Broad) - -**Configuration/EngineUpdatesChannel** -Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout. - -Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. - -Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. - -Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). - -Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). - -If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices. - -The data type is integer. - -Supported operations are Add, Delete, Get, Replace. - -Valid values are: -- 0 - Not configured (Default) -- 1 - Beta Channel - Prerelease -- 2 - Current Channel (Preview) -- 3 - Current Channel (Staged) -- 4 - Current Channel (Broad) - -**Configuration/DefinitionUpdatesChannel** -Enable this policy to specify when devices receive daily Microsoft Defender definition updates during the daily gradual rollout. - -Current Channel (Staged): Devices will be offered updates after the release cycle. Suggested to apply to a small, representative part of production population (~10%) - -Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). - -If you disable or do not configure this policy, the device will stay up to date automatically during the daily release cycle. Suitable for most devices. - -The data type is integer. -Supported operations are Add, Delete, Get, Replace. - -Valid Values are: -• 0: Not configured (Default) -• 3: Current Channel (Staged) -• 4: Current Channel (Broad) - **Scan** Node that can be used to start a Windows Defender scan on a device. @@ -610,4 +542,4 @@ Supported operations are Get and Execute. ## Related topics -[Configuration service provider reference](configuration-service-provider-reference.md) +[Configuration service provider reference](configuration-service-provider-reference.md) \ No newline at end of file From c19599c11a1f5a02bbdcb61d8d7124d10474c363 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 9 Jun 2021 11:20:21 -0700 Subject: [PATCH 276/415] Update defender-csp.md --- windows/client-management/mdm/defender-csp.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index a97b4484db..a423b48612 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -94,11 +94,11 @@ The data type is integer. The following list shows the supported values: -- 0 = Unknown -- 1 = Low -- 2 = Moderate -- 4 = High -- 5 = Severe +- 0 = Unknown +- 1 = Low +- 2 = Moderate +- 4 = High +- 5 = Severe Supported operation is Get. From ab77e37ba969b67c526233351346af25df4d4089 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 9 Jun 2021 11:20:46 -0700 Subject: [PATCH 277/415] Update defender-csp.md --- windows/client-management/mdm/defender-csp.md | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index a423b48612..eeb53adf0b 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -171,17 +171,17 @@ The data type is integer. The following list shows the supported values: -- 0 = Active -- 1 = Action failed -- 2 = Manual steps required -- 3 = Full scan required -- 4 = Reboot required -- 5 = Remediated with noncritical failures -- 6 = Quarantined -- 7 = Removed -- 8 = Cleaned -- 9 = Allowed -- 10 = No Status ( Cleared) +- 0 = Active +- 1 = Action failed +- 2 = Manual steps required +- 3 = Full scan required +- 4 = Reboot required +- 5 = Remediated with noncritical failures +- 6 = Quarantined +- 7 = Removed +- 8 = Cleaned +- 9 = Allowed +- 10 = No Status ( Cleared) Supported operation is Get. From 3a0889b5734ecd753d7682e8ff761d7febc12b15 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 9 Jun 2021 11:26:44 -0700 Subject: [PATCH 278/415] Update defender-ddf.md --- windows/client-management/mdm/defender-ddf.md | 180 ------------------ 1 file changed, 180 deletions(-) diff --git a/windows/client-management/mdm/defender-ddf.md b/windows/client-management/mdm/defender-ddf.md index b4c21b747a..7aa0520e15 100644 --- a/windows/client-management/mdm/defender-ddf.md +++ b/windows/client-management/mdm/defender-ddf.md @@ -10,7 +10,6 @@ ms.prod: w10 ms.technology: windows author: manikadhiman ms.localizationpriority: medium -ms.date: 08/11/2020 --- # Defender DDF file @@ -758,185 +757,6 @@ The XML below is the current version for this CSP. - DisableGradualRelease - - - - - - - - Enable this policy to disable gradual rollout of Defender updates. - - - - - - - - - - - text/plain - - - 99.9.99999 - 1.3 - - - - 1 - Gradual release is disabled - - - 0 - Gradual release is enabled - - - - - - DefinitionUpdatesChannel - - - - - - - - Enable this policy to specify when devices receive daily Microsoft Defender definition updates during the daily gradual rollout. - - - - - - - - - - - text/plain - - - 99.9.99999 - 1.3 - - - - 0 - Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. - - - 4 - Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). - - - 5 - Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). - - - - - - EngineUpdatesChannel - - - - - - - - Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout. - - - - - - - - - - - text/plain - - - 99.9.99999 - 1.3 - - - - 0 - Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. - - - 2 - Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. - - - 3 - Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. - - - 4 - Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). - - - 5 - Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). - - - - - - PlatformUpdatesChannel - - - - - - - - Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout. - - - - - - - - - - - text/plain - - - 99.9.99999 - 1.3 - - - - 0 - Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. - - - 2 - Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. - - - 3 - Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. - - - 4 - Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). - - - 5 - Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). - - - - Scan From 8a70374af83826fb4d9816ab68328ade757ff3b4 Mon Sep 17 00:00:00 2001 From: mapalko Date: Wed, 9 Jun 2021 14:47:50 -0700 Subject: [PATCH 279/415] updateing multi camera support in FAQ --- .../identity-protection/hello-for-business/hello-faq.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index eb89236d09..405b6710ad 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -69,9 +69,9 @@ sections: answer: | It's currently possible to set a convenience PIN on Azure Active Directory Joined or Hybrid Active Directory Joined devices. Convenience PIN is not supported for Azure Active Directory user accounts (synchronized identities included). It's only supported for on-premises Domain Joined users and local account users. - - question: Can I use an external camera when my laptop is closed or docked? + - question: Can I use an external Windows Hello compatible camera when my laptop is closed or docked? answer: | - No. Windows 10 currently only supports one Windows Hello for Business camera and does not fluidly switch to an external camera when the computer is docked with the lid closed. The product group is aware of this and is investigating this topic further. + Yes. Starting with Windows 10, version 21H2 an external Windows Hello compatible camera can be used if a device already supports an internal Windows Hello camera. When both cameras are present, the external camera will be be used for face authentication. For more information see [IT tools to support Windows 10, version 21H1](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103). - question: Why does authentication fail immediately after provisioning hybrid key trust? answer: | @@ -118,7 +118,7 @@ sections: Organizations that have the on-premises deployment of Windows Hello for Business, or those not using Windows 10 Enterprise can use destructive PIN reset. With destructive PIN reset, users that have forgotten their PIN can authenticate by using their password and then performing a second factor of authentication to re-provision their Windows Hello for Business credential. Re-provisioning deletes the old credential and requests a new credential and certificate. On-premises deployments need network connectivity to their domain controllers, Active Directory Federation Services, and their issuing certificate authority to perform a destructive PIN reset. Also, for hybrid deployments, destructive PIN reset is only supported with the certificate trust model and the latest updates to Active Directory Federation Services. - question: | - Which is better or more secure: key trust or certificate trust? + Which is better or more secure, key trust or certificate trust? answer: | The trust models of your deployment determine how you authenticate to Active Directory (on-premises). Both key trust and certificate trust use the same hardware-backed, two-factor credential. The difference between the two trust types are: - Required domain controllers From 85b745c30f703a915dcd7df61c0f04a342a5f8b0 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Thu, 10 Jun 2021 09:35:38 +0530 Subject: [PATCH 280/415] Update bitlocker-deployment-comparison.md Removed the asterisk for note. Row alignment corrected. --- .../bitlocker/bitlocker-deployment-comparison.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md index de76b10cc5..0fbc7f9f48 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md @@ -26,12 +26,12 @@ This article depicts the BitLocker deployment comparison chart. ## BitLocker deployment comparison chart -| |Microsoft Intune |Microsoft Endpoint Configuration Manager |Microsoft BitLocker Administration and Monitoring (MBAM)* | +| |Microsoft Intune |Microsoft Endpoint Configuration Manager |Microsoft BitLocker Administration and Monitoring (MBAM) | |---------|---------|---------|---------| |**Requirements**|||| |Minimum client operating system version |Windows 10 | Windows 10 and Windows 8.1 | Windows 7 and later | |Supported Windows 10 SKUs | Enterprise, Pro, Education | Enterprise, Pro, Education | Enterprise | -|Minimum Windows 10 version |1909** | None | None | +|Minimum Windows 10 version |1909 | None | None | |Supported domain-joined status | Microsoft Azure Active Directory (Azure AD) joined, hybrid Azure AD joined | Active Directory joined, hybrid Azure AD joined | Active Directory joined | |Permissions required to manage policies | Endpoint security manager or custom | Full administrator or custom | Domain Admin or Delegated GPO access | |Cloud or on premises | Cloud | On premises | On premises | @@ -47,8 +47,7 @@ This article depicts the BitLocker deployment comparison chart. |Select cipher strength and algorithms for fixed drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | |Select cipher strength and algorithms for removable drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | |Select cipher strength and algorithms for operating environment drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | -|Standard recovery password storage location | Azure AD or -Active Directory | Configuration Manager site database | MBAM database | +|Standard recovery password storage location | Azure AD or Active Directory | Configuration Manager site database | MBAM database | |Store recovery password for operating system and fixed drives to Azure AD or Active Directory | Yes (Active Directory and Azure AD) | Yes (Active Directory only) | Yes (Active Directory only) | |Customize preboot message and recovery link | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | |Allow/deny key file creation | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | From 568d14d252c78c7f5bea39725af3bf0099e726b7 Mon Sep 17 00:00:00 2001 From: Joel Christiansen <43965946+jchri@users.noreply.github.com> Date: Thu, 10 Jun 2021 14:12:34 -0500 Subject: [PATCH 281/415] Update update-csp.md Spelling mistake correction. --- windows/client-management/mdm/update-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/update-csp.md b/windows/client-management/mdm/update-csp.md index 89c8d33d45..094b56add7 100644 --- a/windows/client-management/mdm/update-csp.md +++ b/windows/client-management/mdm/update-csp.md @@ -17,7 +17,7 @@ ms.date: 02/23/2018 The Update configuration service provider enables IT administrators to manage and control the rollout of new updates. > [!NOTE] -> The Update CSP functionality of 'AprrovedUpdates' is not recommended for managing desktop devices. To manage updates to desktop devices from Windows Update, see the [Policy CSP - Updates](policy-csp-update.md) documentation for the recommended policies. +> The Update CSP functionality of 'ApprovedUpdates' is not recommended for managing desktop devices. To manage updates to desktop devices from Windows Update, see the [Policy CSP - Updates](policy-csp-update.md) documentation for the recommended policies. The following shows the Update configuration service provider in tree format. From 400685ccf2212aadda5e7a72e1494b4b734eac0c Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Thu, 10 Jun 2021 14:19:34 -0700 Subject: [PATCH 282/415] Added CN info to the 2nd note under table 2 Also formatted the note as lists. --- .../select-types-of-rules-to-create.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 7a56e31130..ace22beaca 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -109,7 +109,8 @@ Each file rule level has its benefit and disadvantage. Use Table 2 to select the > When you create WDAC policies with [New-CIPolicy](/powershell/module/configci/new-cipolicy), you can specify a primary file rule level by including the **-Level** parameter. For discovered binaries that cannot be trusted based on the primary file rule criteria, use the **-Fallback** parameter. For example, if the primary file rule level is PCACertificate but you would like to trust the unsigned applications as well, using the Hash rule level as a fallback adds the hash values of binaries that did not have a signing certificate. > [!NOTE] -> WDAC only supports signer rules for RSA certificate signing keys with a maximum of 4096 bits. +> - WDAC only supports signer rules for RSA certificate signing keys with a maximum of 4096 bits. +> - CN is what the code uses for the CertSubject and CertIssuer fields in the policy. You can use the inbox certutil to look at the underlying format and ensure UTF-8 is not being used for the CN. For example, printable string or IA5 or BMP is ok. ## Example of file rule levels in use From 371c0224e94e326b82e0a5215fdecfe0cd450062 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Thu, 10 Jun 2021 16:28:09 -0700 Subject: [PATCH 283/415] draft --- windows/whats-new/windows-sv-plan.md | 173 +++++++++---------- windows/whats-new/windows-sv-prepare.md | 94 ++++------ windows/whats-new/windows-sv-requirements.md | 2 + windows/whats-new/windows-sv.md | 88 ++++------ 4 files changed, 148 insertions(+), 209 deletions(-) diff --git a/windows/whats-new/windows-sv-plan.md b/windows/whats-new/windows-sv-plan.md index e005a6fda7..d7fda86414 100644 --- a/windows/whats-new/windows-sv-plan.md +++ b/windows/whats-new/windows-sv-plan.md @@ -14,7 +14,7 @@ ms.localizationpriority: high ms.topic: article --- -# Planning for Windows Sun Valley +# Plan to deploy Windows Sun Valley **Applies to** @@ -22,103 +22,92 @@ ms.topic: article ## Deployment planning -Planning for Sun Valley - -Sun Valley has the same underlying technology used today in Windows 10. IT Professionals can use familiar existing toolsets to plan, prepare , deploy, manage, and updateand manage both Sun Valley and Windows 10 updates alike. Because we anticipate customers organizations will be using a mix of Windows 10 devices side-by-side as they integrate Sun Valley into their environments, there are some unique yet largely familiar considerations for this new operating system to help aid in planning for upcoming deployments. - -Determining eligibility -We know one of the first questions that you will have is "Do the current PC(s) in my environment meet the Sun Valley hardware requirements bar? To assess if your device(s) meet these hardware criteria, IT Professionals can continue to use the first party analytics tools they are familiar with, including Update Compliance. In addition, Microsoft is sharing necessary information to 3rd party ISVs to enable their tools to support analytics for Sun Valley. - -Consumers can determine whether their device is eligible for Sun Valley by using the PC Health Check application to assess if a device meets the minimum hardware specifications [place forthcoming ink here]. In addition, detailed minimum requirements can be found at aka.ms/minspec [link forthcoming here]. - - -Sun Valley rollouts -In this section, we’ll share more on the rollout experience for home users benefiting from the role of intelligent rollout and for IT admin managed devices who will note some changes to management controls. -Home user, consumer devices -W indows 10 devices purchased after June 2021 that meet or exceed the minimum hardware requirements for Sun Valley will be offered Sun Valley in October of 2021. Though the message will vary by PC manufacturer, customers will see labels such as ‘this PC will upgrade to Sun Valley once available’ on products for purchase. Note, devices purchased beginning in October will see the Sun Valley offer during the out of box experience or already be imaged with Sun Valley. - -Sun Valley will be made available to current Windows 10 devices who are eligible after General Availability (GA) through the familiar Windows Update experience, first to seekers, then as part of our intelligent rollout process. The Windows Update Settings page will confirm when a device is eligible, and users can choose to upgrade or not. - - -As with Windows 10, the machine learning based intelligent rollout will be leveraged when rolling out upgrades. Our ML uses a combination of testing, close partner engagement, feedback, diagnostic data, and real-life insights to manage quality. This improves the update experience, ensuring that devices first nominated for updates are those likely to have a seamless experience, and that devices which may be problematic get the benefit of resolving potential compatibility issues before being offered an upgrade to Sun Valley. - -Managed devices - -While we are excited about the innovations and end user productivity improvements in Sun Valley, we recognize that the "right time" to move will be different for each organization. As always, for devices that you manage as an organization, you can choose between Sun Valley and Windows 10, and when the right time is for your organization to make the migration. - -Commercial customers will be able to deploy the Sun Valley update using their typical management tools to eligible devices in their organization beginning at GA. Customers upgrading from Windows Update using WUfB will have the additional benefit of two safety nets: offering blocks on non-eligible devices who do not meet the hardware requirements to upgrade to Sun Valley and Safeguard holds. Safeguard holds will function for Sun Valley devices just as they do for Windows 10. IT Professionals will have access to information on which safeguard holds are preventing individual devices from taking the upgrade to Sun Valley . - -It is worth noting that if you use Windows Update for Business to manage feature update deployments today you will need to leverage the “Target Version” policy rather than Feature Update deferrals to move from Windows 10 to Sun Valley. Deferrals are great for quality updates or to move to newer versions of the same product (e.g. Windows 10 21H1 to Windows 10 21H2), but they can not move you between products (e.g. Windows 10 to Windows Sun Valley). - -Additionally, please note that Sun Valley has a new end user license agreement. By nature of deploying with WUfB Target Version or with WSUS you are accepting this new end user license agreement on behalf of the end users within your organization. - -Finally, please note that while Windows 10 Pro or higher can upgrade for free using their existing management tools, those using S mode will need to first switch out of S mode (as S mode is currently not supported on Sun Valley). - -What about customizations that customers have in place necessary to support their deployments today? Will those continue to work for Sun Valley? - -Availability and upgrade path -The Sun Valley upgrade offer will begin for eligible devices at Sun Valley GA in October of this year (2021). This is true for eligible devices already running updated Windows 10 as well as for brand new devices . - -Enterprise customers who have a volume licensing agreement with Software Assurance or Windows Enterprise E3 subscription will be able to upgrade existing devices to Sun Valley after GA. - -To get a jump start on Sun Valley, we recommend that IT professionals join the Windows Insider Program (WIP) to deploy and validate it in their environments. - -If you're an IT administrator who's interested in exploring new features as they're being created, we recommend using the Beta Channel (available summer 2021) - -As an IT administrator, if you who would like to validate the Sun Valley release (and Windows 10 releases) before broadly deploying in your organization, we recommend you join our Windows Insider Program Release Preview Channel (available in summer 2021). - -Commercial customers can begin validating and exploring Sun Valley prior to GA. Sun Valley will be available for commercial customers to deploy beginning in the summer of 2021 via the Windows Insider Program for Business. Customers can deploy bits from the Windows Insider Pre-release category in WSUS, by configuring Manage Preview Builds to “Release Preview” with WUfB, by leveraging Windows Virtual Devices or Cloud PC*(will this be announced when this paper goes out?) and Azure Marketplace images, or even through simply downloading and deploying ISOs from our Windows Insider Program ISO Download page. Note – regardless of which way you choose to deploy, commercial customers have the benefit of free Microsoft support when validating pre-release, simply submit your support cases here. - -To learn more about the Windows Insider Program for Business, click here. - - - -Like Windows 10, Sun Valley devices will receive regular monthly quality updates to provide security updates and bug fixes, and at times, new functionality when deemed appropriate. Unlike Windows 10, however, Sun Valley devices will receive a single feature update annually. Knowing this will help you define your servicing strategy. - -For devices on in-service versions of Windows 10 that do not meet Sun Valley hardware requirements, they will continue to receive monthly Windows 10 security updates. -Servicing Duration: Sun Valley vs. Windows 10 -The duration of support changes slightly. Today, Windows 10 feature updates are released twice yearly, around March and September, via the Semi-Annual Channel. They are serviced with monthly quality updates for 18 or 30 months from the date of the release, depending on the lifecycle policy. For Sun Valley, we will support each annual release for 24 months for Home and Pro editions, and 36 months for Enterprise and Education editions, beginning at GA in October 2021. +This article provides IT professionals with planning guidance for the recent Windows Sun Valley announcements, specifically: -Windows 10 will continue to receive twice yearly feature updates . We have committed to supporting Windows 10 through October 14, 2025. + - Adoption guidance + - Infrastructure planning + - Servicing cadence and lifecycle + - Application readiness + - Functionality and coexistence with Windows 10 ecosystems + +## Deployment process -For more information, see the Windows Release Information Page, which includes information for Windows 10 semi-annual channel and LTSC releases, as well as Sun Valley. - -Potential section from Michael Raschko (pending as of 5/31): Windows 10 currently runs on more than 1 billion devices around the world, representing considerable time and investment from consumers and organizations alike. While we expect the migration to Windows “Sun Valley” will have less overhead than previous legacy Windows versions to Windows 10, we understand that organizations will need time to complete their move to Sun Valley based on their individual situations. Further, they will want to maintain and grow the value of their Windows 10 investment in the interim. - -For organizations who cannot move to Sun Valley immediately, Microsoft’s guidance is to standardize their devices on Windows 10 version to 21H2. Windows 10, version 21H2 will be the last feature update to Windows 10 but will receive specific feature enhancements to ease any growing pains there may be in migrating to Sun Valley. These features aim to provide compatibility with Microsoft existing and future products and services. - -It’s important that organizations remain in control and have adequate time to plan for feature enhancements which could affect the experience of end users. To facilitate this, feature enhancements will be provided on a quarterly cadence and will be provided with management policies to enable or disable those features. [some of this, once we get it locked in, will belong in the Feature update section below] - -Alternative sentence coming from Ellie’s deck: We will release Windows 10, version 21H2 in the second half of 2021 to keep your users productive and secure while you chart your path to Sun Valley. this is ‘we have your back’ language, and would be great to include it -Application compatibility & readiness - -Application Compatibility -Understanding that applications will work following an OS rollout is critical in the planning stage. Since Sun Valley has been built with compatibility in mind, it’s undergoing and passing the same application compatibility testing requirements that we have in place for Windows 10 feature and quality update releases. - -Microsoft is committed to ensuring applications work on the latest versions of our software. Our promise states that applications that worked on Windows 7/8.1/10 will work on Sun Valley. [This is where app compat info goes, as Test Base and AppAssure go into the Prepare section] - - - - - - - - - - - - - - - - -Consider using the following process to deploy Windows Sun Valley to existing devices: +Consider using the following processes to deploy Windows Sun Valley: 1. Preview Windows Sun Valley and create a deployment plan. 2. Test critical applications and management policies. -3. Update devices to the latest release of Windows 10. +3. Update devices to the Windows 10, version 20H1 or later. 4. Verify that devices meet the minimum hardware requirements for Windows Sun Valley. -5. Update deployment tools and infrastructure. +5. Update deployment tools, infrastructure, and policies. 6. Update qualifying devices to Windows Sun Valley. + +## Phased deployment + +A phased deployment model is recommended for rolling out upgrades to devices in your organization. This is identical to the [service management model](/windows/deployment/update/create-deployment-plan) recommended for Windows 10 updates. With this method, you define the time and scope of devices that will migrate to Windows Sun Valley. A [calendar based approac](/windows/deployment/update/plan-define-strategy#calendar-approaches) is an effective method to plan Windows Sun Valley upgrades that includes scheduling of future Windows 10 and Windows Sun Valley updates. + +Also consider [assigning roles](/windows/deployment/update/plan-define-readiness) within your organization to groups and individuals you'll need to carry out specific tasks, if you have not already done so. + +## Infrastructure and tools + +You can use your current management tools and processes to manage quality updates for both Windows 10 and Windows Sun Valley, in addition to using them to move between the two products beginning on the General Availability (GA) date for Windows Sun Valley. As part of your deployment planning, you will need to [evaluate your infrastructure](/windows/deployment/update/eval-infra-tools) and tools to verify they can support deployment and updates for Windows Sun Valley. For more information about updates to support the deployment of Windows Sun Valley, see [Management tools](windows-sv-prepare.md#management-tools). + +## Configurations + +Assess your current [configurations](/windows/deployment/update/eval-infra-tools#configuration-updates) such as security baselines, administrative templates, and policies that affect updates. Then, set some criteria to define your [operational readiness](/windows/deployment/update/eval-infra-tools#define-operational-readiness-criteria), Define an infrastructure update plan to: +- Review requirements +- Identify gaps +- Implement required updates + +## Windows Sun Valley Servicing + +### Cadence + +Windows Sun Valley feature updates will be released once per year in the second half of the year. Quality updates will be released each month on the second Tuesday of the month. + +Microsoft will continue to provide one cumulative package that includes all latest cumulative updates (LCUs) and servicing stack updates (SSUs), if applicable, for Windows Sun Valley. This will be provided as a single package to Windows Server Update Services (WSUS) and Catalog, and have them orchestrated on the device. This capability is also the default for devices using Windows Update. + +### Lifecycle + +Windows Sun Valley annual releases are supported for 24 months or 36 months, depending on the edition. See the following table:
+ + +| 24 months from the release date | 36 months from the release date | +| ------------------------------- | ------------------------------- | +| Windows Sun Valley Home | Windows Sun Valley Enterprise | +| Windows Sun Valley Pro | Windows Sun Valley Education | +| Windows Sun Valley Pro for Workstations | | +| Windows Sun Valley Pro Education | | + +### Features and applications + +Most features and applications that are included with Windows 10 will be available on Windows Sun Valley. For information about features that are deprecated or work differently on Windows Sun Valley, see [article link here]. + +## Application readiness + +Windows Sun Valley is designed to work with the applications you are currently using with Windows 10. If an application compatibility issue is identified, Microsoft provides services to help you remediate the problem. For more information, see [Application compatibility](windows-sv-prepare.md#application-compatibility) + + + + + + + + + + + + + + + + + + + + + + + + ## See also diff --git a/windows/whats-new/windows-sv-prepare.md b/windows/whats-new/windows-sv-prepare.md index 7e9f6b1e5c..3d7fa0815a 100644 --- a/windows/whats-new/windows-sv-prepare.md +++ b/windows/whats-new/windows-sv-prepare.md @@ -22,79 +22,45 @@ ms.topic: article ## Deployment readiness -Organizations will vary in their pace relative to transitioning from Windows 10 to Sun Valley, and we expect early corporate adoptions to consist of smaller test environments before rolling out to wider groups begins. With the new Sun Valley experience, it’s highly plausible that hybrid environments of both operating systems running simultaneously will be the norm, at least initially. +This article provides details on how to begin testing and validating Windows Sun Valley in your environment, and prepare for deployment. Links are also provided to important resource locations for more information. -As you prepare for Sun Valley, it’s also a good time to look at the deployment infrastructure of your environment. If you aren’t already taking advantage of cloud-based management tools like Microsoft Endpoint Manager this might be the perfect scenario in which to make that leap. Or if you are on -premises, Configuration Manager’s Cloud management gateway <- additional Configuration Manager content needed here . +To prepare for deployment of Windows Sun Valley, you will need to implement your [planned updates](windows-sv-plan.md) to infrastructure, settings, and tools, including: +- Test your critical applications and management policies +- Update devices to Windows 10, version 20H1 or later +- Verify hardware meets requirements for Windows Sun Valley +- Update your management tools, infrastructure, and policies +- [Prepare users](/windows/deployment/update/prepare-deploy-windows#prepare-users) for Windows Sun Valley. -Additionally, policies related to deployment may need to be updated or re-evaluated respective of update compliance deadlines, device activity policies, and the re-evaluation of older policies. A servicing mindset pointed at keeping current means that, as with Windows 10 devices, you will create a deployment plan in order to build out your servicing strategy. +When these actions are completed, you can begin your phased deployment of Windows Sun Valley. -The IT Pro tools that you are familiar with and have been using in the past to prepare for deployments also work in Sun Valley; you can analyze endpoints, determine application compatibility, and manage deployments in the same way you did with Windows 10: +## Application compatibility -Analytics -Content on Endpoint analytics needed. +Two Microsoft services that work directly with you to ensure application compatibility with Windows Sun Valley are [App Assure](https://www.microsoft.com/fasttrack/microsoft-365/app-assure) and [Test Base](https://www.microsoft.com/testbase). -Application compatibility -Two Microsoft services that work directly with you to ensure application compatibility with Sun Valley are App Assure and Test Base. +- If you experience any issues with your apps and are enrolled in the App Assure service, Microsoft will help you identify the issue at no cost. App Assure works with you to troubleshoot the issue, determine the root cause, and can help fix the issue as well. App Assure is subscription based, but subscriptions are free for eligible customers with 150+ seats. +- Test Base is Microsoft's intelligent application validation service that allows software vendors and commercial customers to test their applications. The Test Base test and validation environment runs Windows Sun Valley as well as Windows 10 with a matrix of updates and environments in a Microsoft managed Azure environment. You can get started by enrolling in Test Base for Microsoft 365. -If you experience any issues with your apps and are enrolled in the App Assure service, Microsoft will help you identify the issue at no cost. App Assure works with you to troubleshoot the issue, determine the root cause, and can help fix the issue as well. App Assure is subscription based, but subscriptions are free for eligible customers with 150+ seats. +You can use [Desktop Analytics](/mem/configmgr/desktop-analytics/overview), to test application compatibility. To determine the impact of a potential application compatiblity issue, [assign priority to apps](/windows/deployment/update/plan-define-readiness#set-criteria-for-rating-apps) and then perform a [compatibility assessment](/mem/configmgr/desktop-analytics/compat-assessment). -Test Base is our intelligent application validation service that allows software vendors and commercial customers to test their applications. The Test Base test and validation environment runs Sun Valley as well as Windows 10 with a matrix of updates and environments in a Microsoft managed Azure environment. You can get started by enrolling in Test Base for Microsoft 365. - -Management tools -The management toolset that you use for heavy lifting during deployments of Windows 10 are still able to be leveraged in Sun Valley. There are a few differences: - -- Windows Server Update Service (WSUS): For commercial customers using WSUS, they will need to sync the new “Windows ” product category. -- Windows Update for Business (WUfB): For commercial customers using WUfB, they will need to leverage the Target Version capability rather than feature update deferrals to move from Windows 10 to Windows . Feature Update deferrals are great to move to newer versions of your current product (e.g. Windows 10 21H1 to Windows 10 21H2), but do not enable you to move between products (e.g. Windows 10 to Windows ). Quality update deferrals will continue to work the same across both Windows 10 and Windows . -- MEM Configuration Manager: For customers using MEM Configuration Manager, you will easily be able to sync the new “Windows ” Product category and begin upgrading eligible devices. Please note that Configuration Manager will prompt you to accept the end user license agreement on behalf of the users in your organization. If you would like to validate Sun Valley prior to release, simply sync the “Windows Insider Pre-release" category as well. -- MEM Intune: For customers using MEM Intune with E3 licenses you will be able to leverage the “Feature Update Deployments” to easily manage moving between Windows 10 versions or to Windows 21H2. -- Autopilot: Autopilot works seamlessly in a Windows Sun Valley OOBE experience (out of box experience). It’s plug and play. -- In an Intune environment, a Sun Valley boot image needs to already exist on the device for Autopilot to work with Sun Valley. If the device comes with a Windows 10 boot image, IT Pros can use Windows Autopilot to deploy Windows 10, and then use Windows Update for Business to upgrade to Windows Sun Valley. - -To use Windows Autopilot to upgrade existing, eligible devices, Configuration Manager plus the task sequence ‘Windows Autopilot for existing devices’ can place the Windows Sun Valley boot image onto the managed device, allowing Windows Autopilot to then deploy Sun Valley. - -Windows Autopilot cannot downgrade a device from Sun Valley to Windows 10. - - - - - - - - - - - - - - - - - - - - - - - - - - -Consider using the following process to deploy Windows Sun Valley to existing devices: -1. Preview Windows Sun Valley and create a deployment plan. -2. Test critical applications and management policies. -3. Update devices to the latest release of Windows 10. -4. Verify that devices meet the minimum hardware requirements for Windows Sun Valley. -5. Update deployment tools and infrastructure. -6. Update qualifying devices to Windows Sun Valley. +## Management tools +The following updates are required to support deploying Windows Sun Valley: +- Configuration Manager should use the current branch. + - You will easily be able to sync the new **Windows Sun Valley** product category and upgrade eligible devices. + - Configuration Manager will prompt you to accept the End User License Agreement on behalf of the users in your organization. + - If you would like to validate Sun Valley prior to release, simply sync the **Windows Insider Pre-release** category as well. +- If you use Windows Server Update Services (WSUS), you will need to sync the new Windows Sun Valley category. +- Windows Update for Business (WUfB) users can leverage the Target Version capability (not Feature Update deferrals). + - Feature Update deferrals are great to move to newer versions of a product (for example: Windows 10 21H1 to Windows 10 21H2), but deferrals do not enable you to move between products (Windows 10 to Windows Sun Valley). Quality update deferrals will continue to work the same across both Windows 10 and Windows Sun Valley. + - WUfB has the additional benefit of two safety nets: offering blocks on non-eligible devices, and Safeguard holds. Safeguard holds will function for Windows Sun Valley devices just as they do for Windows 10. Administrators will have access to information on which safeguard holds are preventing individual devices from taking the upgrade to Windows Sun Valley. +- No action is required for you to use Microsoft Intune because it is cloud-based. + - If you are using MEM Intune with E3 licenses you will be able to leverage **Feature Update Deployments** to easily manage moving between Windows 10 versions or to Windows Sun Valley. +- Windows Autopilot works seamlessly in a Windows Sun Valley Out-of-Box-Experience (OOBE) environment. + - In an Intune environment, a Windows Sun Valley boot image needs to already exist on the device for Windows Autopilot to work with Windows Sun Valley. + - If the device comes with a Windows 10 boot image, an administrator can use Windows Autopilot to deploy Windows 10, and then use WUfB to upgrade to Windows Sun Valley. + - To use Windows Autopilot to upgrade existing devices, Configuration Manager and the task sequence: **Windows Autopilot for existing devices** can place the Windows Sun Valley boot image on the managed device, allowing Windows Autopilot to deploy Windows Sun Valley. + - Windows Autopilot cannot be used to downgrade a device from Windows Sun Valley to Windows 10. ## See also [Windows Sun Valley deployment planning](windows-sv-plan.md) - -• Technical documentation: Prescriptive and authoritative documentation on Microsoft Docs can help you plan for, prepare, and deploy Sun Valley — and to service and manage Windows devices effectively across your organization. -• Windows release health: Windows release health offers the quickest way to stay up to date on update-related news, information, and best practices, including important lifecycle reminders and the status of known issues and safeguard holds. IT administrators have access to this information, plus additional details, within the health experience Microsoft 365 admin center. -• Windows 10 update history: For every version of the Windows operating system, we publish a consolidated update history documentation experience, offering quick access to the knowledge base (KB) articles for each monthly, optional, and out-of-band release. In addition to update highlights, you’ll find a list of improvements and fixes, a summary of any known issues, and details on how to get the update, including any prerequisites. Want to see an example? See Windows 10 update history. -• Windows Tech Community: Offering technical professionals a place to discuss, share, troubleshoot, and learn around Windows, Tech Community is also the home of the Windows IT Pro Blog, our monthly Windows Office Hours events, and the Windows Video Hub. -• Microsoft Learn: We are in the process of developing online learning paths and modules to help you and your organization effectively plan, prepare, and deploy Sun Valley effectively. - diff --git a/windows/whats-new/windows-sv-requirements.md b/windows/whats-new/windows-sv-requirements.md index ddb8bf84c1..e33c0381d6 100644 --- a/windows/whats-new/windows-sv-requirements.md +++ b/windows/whats-new/windows-sv-requirements.md @@ -24,6 +24,8 @@ This article lists the sotware and physical hardware requirements to run Windows The upgrade to Sun Valley is available for devices running Windows 10, version 20H1 or newer, on eligible hardware. +If you are running Windows in S mode, you will need to first switch out of S mode prior to upgrading. S mode is not supported on Sun Valley. + ## Hardware requirements To install Windows Sun Valley, devices must meet the following specifications: diff --git a/windows/whats-new/windows-sv.md b/windows/whats-new/windows-sv.md index 96288250c3..ac2765847b 100644 --- a/windows/whats-new/windows-sv.md +++ b/windows/whats-new/windows-sv.md @@ -44,59 +44,11 @@ Windows Sun Valley will delivered as an upgrade to devices running Windows 10 be You must be running Windows 10, version 20H1 or later, and meet the minimum hardware specifications to be eligible to upgrade. For more information, see [Windows Sun Valley requirements](windows-sv-requirements.md). -For managed PCs that meet requirements, the upgrade will be provided using the same process that you use today for feature updates. - -For unmanaged PCs that meet requirements, the upgrade will be offered through Windows Update. -- Not all eligible Windows 10 PCs will be offered the upgrade at the same time. To see if your PC is eligible, download the PC Health Check app (link). The app will check that your devices meets hardware and software requirements to perform an upgrade to Windows Sun Valley. You can also check the status of your device by navigating to **Settings** > **Update & Security** > **Windows Update**. Once the upgrade rollout has started and the upgrade has been tested and validated for your PC's hardware, Windows Update will indicate that the upgrade is ready for installation. +For managed PCs that meet requirements, the upgrade will be provided using the same process that you use today for feature updates. For unmanaged PCs that meet requirements, the upgrade will be offered through Windows Update. You can get early access to test Windows Sun Valley by joining the [Windows Insider Program](https://insider.windows.com), or by enabling pre-release Windows 10 feature updates in Configuration Manager or Windows Server Update Services (WSUS). -## Windows Sun Valley lifecycle - -### Updates - -Windows Sun Valley feature updates will be released once per year in the second half of the year. Quality updates will be released each month on the second Tuesday of the month. - -Microsoft will continue to provide one cumulative package that includes all latest cumulative updates (LCUs) and servicing stack updates (SSUs), if applicable, for Windows Sun Valley. This will be provided as a single package to Windows Server Update Services (WSUS) and Catalog, and have them orchestrated on the device. This capability is also the default for devices using Windows Update. - -### Servicing - -Windows Sun Valley annual releases are supported for 24 months or 36 months, depending on the edition. - -See the following table. - - -| 24 months from the release date | 36 months from the release date | -| --- | --- | -| Windows Sun Valley Home | Windows Sun Valley Enterprise | -| Windows Sun Valley Pro | Windows Sun Valley Education | -| Windows Sun Valley Pro for Workstations | | -| Windows Sun Valley Pro Education | | - - -### Features and applications - -Most features and applications that are included with Windows 10 will be available on Windows Sun Valley. For information about features that are deprecated or work differently on Windows Sun Valley, see [article link here]. - -## Windows 10 lifecycle - -Starting with Windows 10, version 21H2, Windows 10 will receive only quality updates on the second Tuesday of the month. - -Windows 10 will be supported with security updates until October 2025. - -## Management and tools - -Windows Sun Valley is based on the same foundation as Windows 10. You can use your current management tools and processes to manage quality updates for both Windows 10 and Windows Sun Valley, in addition to using them to move between the two products. - -## Hardware compatibility - -Most accessories and associated software that worked with Windows 10 are expected to work with Windows Sun Valley. Check with your accessory manufacturer for specific details. - -## Application compatibility - -Microsoft is committed to ensuring your Windows 10 applications work on Windows Sun Valley. If you have [App Assure](/fasttrack/microsoft-365/app-assure), Microsoft will help you fix any issues at no cost. App Assure is free for organizations with 150 or more seats. For more information on eligibility requirements, see [Products and Capabilities: App Assure](/fasttrack/products-and-capabilities#app-assure). - -## Licensing +### Licensing There are no unique licensing requirements for Windows Sun Valley beyond what is required for Windows 10 devices. @@ -104,12 +56,42 @@ Microsoft 365 licenses that include Windows licenses will permit you to run Wind If you have a volume license, it will equally cover Windows Sun Valley and Windows 10 devices before and after upgrade. -## Rollback +### Rollback After you have upgraded to Windows Sun Valley, you have 10 days to use the rollback function if you wish to move back to Windows 10 while keeping your files and data. After the 10 day grace period, you will need to back up your data and perform a clean install to move back to Windows 10. -## See also +## Compatibility -[Get started with Windows Sun Valley](windows-sv-plan.md) +Windows Sun Valley is based on the same foundation as Windows 10. Therefore, it supports investments that IT organizations have made to support Windows 10. + +### Management and tools + +You can use your current management tools, processes, and settings to manage quality updates for both Windows 10 and Windows Sun Valley. For more information, see [Management tools](windows-sv-prepare.md#management-tools) and [Configurations](windows-sv-plan.md#configurations). + +### Hardware compatibility + +Most accessories and associated software that worked with Windows 10 are expected to work with Windows Sun Valley. Check with your accessory manufacturer for specific details. + +### Application compatibility + +Windows Sun Valley preserves the application compatibility promise made with Windows 10, and does not require changes to existing support processes or tooling to sustain the currency of applications and devices. Programs like App Assure and FastTrack for Microsoft M365 customers will continue to be available to support IT efforts to adopt and maintain Windows Sun Valley. +## Windows Sun Valley servicing + +For details about the Windows Sun Valley servicing cadence and lifecycle, see [Windows Sun Valley servicing](sv-plan.md#servicing). + +## Windows 10 lifecycle + +For organizations who cannot move to Windows Sun Valley immediately, Microsoft’s guidance is to standardize devices on Windows 10, version 21H2. This release will be the last feature update to Windows 10, but will receive specific feature enhancements to ease migrating to Windows Sun Valley. + +Windows 10 will continue to be supported with security updates until October 2025. + + +## Next steps + +[Plan to deploy Windows Sun Valley](windows-sv-plan.md)
+[Prepare for Windows Sun Valley](windows-sv-prepare.md) + + +## See also \ No newline at end of file From 7f56a2952658469dc42f84edfef33467bd2bc04b Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Fri, 11 Jun 2021 10:57:19 +0100 Subject: [PATCH 284/415] Update policy-csp-system.md --- windows/client-management/mdm/policy-csp-system.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 28a1cdf6e0..c7611518d4 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -741,13 +741,13 @@ The following list shows the supported values for Windows 8.1: In Windows 10, you can configure this policy setting to decide what level of diagnostic data to send to Microsoft. -The following list shows the supported values for Windows 10 version 1809 and older: - -- 0 – (**Security**) This turns Windows diagnostic data off. +The following list shows the supported values for Windows 10 version 1809 and older, choose the value that is applicable to your OS version (older OS values are displayed in the brackets): +- 0 – **Off (Security)** This turns Windows diagnostic data off. **Note**: This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 IoT Core (IoT Core), HoloLens 2, and Windows Server 2016 (and later versions). Using this setting on other devices editions of Windows is equivalent to setting the value of 1. -- 1 – (**Required**) Sends basic device info, including quality-related data, app compatibility, and other similar data to keep the device secure and up-to-date. +- 1 – **Required (Basic)** Sends basic device info, including quality-related data, app compatibility, and other similar data to keep the device secure and up-to-date. - 2 – (**Enhanced**) Sends the same data as a value of 1, plus additional insights, including how Windows apps are used, how they perform, and advanced reliability data, such as limited crash dumps. -- 3 – (**Optional**) Sends the same data as a value of 2, plus additional data necessary to identify and fix problems with devices such as enhanced error logs. + **Note**: **Enhanced** is no longer an option for Windows Holographic, version 21H1. +- 3 – **Optional (Full)** Sends the same data as a value of 2, plus additional data necessary to identify and fix problems with devices such as enhanced error logs. Most restrictive value is 0. @@ -1683,7 +1683,7 @@ To enable this behavior, you must complete two steps: - Enable this policy setting - Set the **AllowTelemetry** level: - - For Windows 10 version 1809 and older: set **AllowTelemetry** to Enhanced + - For Windows 10 version 1809 and older: set **AllowTelemetry** to Enhanced. (**Note**: **Enhanced** is no longer an option for Windows Holographic, version 21H1.) - For Windows 10 version 19H1 and later: set **AllowTelemetry** to Optional (Full) From 4bee7439bbe2fbf69ca199e666301f8f9e1e0d04 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Fri, 11 Jun 2021 11:29:53 +0100 Subject: [PATCH 285/415] Update policy-csp-system.md --- windows/client-management/mdm/policy-csp-system.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index c7611518d4..4d1e1393b7 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -745,8 +745,8 @@ The following list shows the supported values for Windows 10 version 1809 and ol - 0 – **Off (Security)** This turns Windows diagnostic data off. **Note**: This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 IoT Core (IoT Core), HoloLens 2, and Windows Server 2016 (and later versions). Using this setting on other devices editions of Windows is equivalent to setting the value of 1. - 1 – **Required (Basic)** Sends basic device info, including quality-related data, app compatibility, and other similar data to keep the device secure and up-to-date. -- 2 – (**Enhanced**) Sends the same data as a value of 1, plus additional insights, including how Windows apps are used, how they perform, and advanced reliability data, such as limited crash dumps. - **Note**: **Enhanced** is no longer an option for Windows Holographic, version 21H1. +- 2 – (**Enhanced**) Sends the same data as a value of 1, plus additional insights, including how Windows apps are used, how they perform, and advanced reliability data, such as limited crash dumps. + **Note**: **Enhanced** is no longer an option for Windows Holographic, version 21H1. - 3 – **Optional (Full)** Sends the same data as a value of 2, plus additional data necessary to identify and fix problems with devices such as enhanced error logs. Most restrictive value is 0. @@ -1683,7 +1683,7 @@ To enable this behavior, you must complete two steps: - Enable this policy setting - Set the **AllowTelemetry** level: - - For Windows 10 version 1809 and older: set **AllowTelemetry** to Enhanced. (**Note**: **Enhanced** is no longer an option for Windows Holographic, version 21H1.) + - For Windows 10 version 1809 and older: set **AllowTelemetry** to Enhanced. (**Note**: **Enhanced** is no longer an option for Windows Holographic, version 21H1) - For Windows 10 version 19H1 and later: set **AllowTelemetry** to Optional (Full) From 13ca837b40cfe77998c0319819c76763d9a980a5 Mon Sep 17 00:00:00 2001 From: Mark Stanfill Date: Fri, 11 Jun 2021 10:51:20 -0500 Subject: [PATCH 286/415] Update policy-csp-storage.md Correcting OMA-URI value --- windows/client-management/mdm/policy-csp-storage.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md index a3d2099a3e..e55afed42c 100644 --- a/windows/client-management/mdm/policy-csp-storage.md +++ b/windows/client-management/mdm/policy-csp-storage.md @@ -719,7 +719,7 @@ ADMX Info: Example for setting the device custom OMA-URI setting to enable this policy: -To deny write access to removable storage within Intune’s custom profile, set OMA-URI to ```.\[device|user]\vendor\msft\policy\[config|result]\Storage/RemovableDiskDenyWriteAccess```, Data type to Integer, and Value to 1. +To deny write access to removable storage within Intune’s custom profile, set OMA-URI to ```./Device/Vendor/MSFT/Policy/Config/Storage/RemovableDiskDenyWriteAccess```, Data type to Integer, and Value to 1. See [Use custom settings for Windows 10 devices in Intune](/intune/custom-settings-windows-10) for information on how to create custom profiles. @@ -740,4 +740,4 @@ Footnotes: - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. - \ No newline at end of file + From 571ca43d6a97e7d2c419e8ae53f880c1dfed2fb8 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Fri, 11 Jun 2021 10:22:00 -0700 Subject: [PATCH 287/415] Added the suggested edits for the 2nd note under the 2nd table. --- .../select-types-of-rules-to-create.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index ace22beaca..1f5068600a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -110,7 +110,7 @@ Each file rule level has its benefit and disadvantage. Use Table 2 to select the > [!NOTE] > - WDAC only supports signer rules for RSA certificate signing keys with a maximum of 4096 bits. -> - CN is what the code uses for the CertSubject and CertIssuer fields in the policy. You can use the inbox certutil to look at the underlying format and ensure UTF-8 is not being used for the CN. For example, printable string or IA5 or BMP is ok. +> - The code uses CN for the CertSubject and CertIssuer fields in the policy. You can use the inbox certutil to look at the underlying format to ensure UTF-8 is not being used for the CN. For example, you can use printable string, IA5, or BMP. ## Example of file rule levels in use From b7fd5c5eaf4a893f6f24a648b43662041cbd43df Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Fri, 11 Jun 2021 11:59:36 -0700 Subject: [PATCH 288/415] tweaks --- windows/hub/index.yml | 4 +-- windows/whats-new/TOC.yml | 4 +-- windows/whats-new/index.yml | 2 +- windows/whats-new/windows-sv-plan.md | 24 +++++++++----- windows/whats-new/windows-sv-prepare.md | 6 ++-- windows/whats-new/windows-sv-requirements.md | 13 ++++++-- windows/whats-new/windows-sv.md | 35 ++++++++------------ 7 files changed, 50 insertions(+), 38 deletions(-) diff --git a/windows/hub/index.yml b/windows/hub/index.yml index e9086a6765..60a1b71261 100644 --- a/windows/hub/index.yml +++ b/windows/hub/index.yml @@ -30,8 +30,8 @@ landingContent: url: /windows/whats-new/windows-sv - text: Windows Sun Valley requirements url: /windows/whats-new/windows-sv-requirements - - text: Get started with Windows Sun Valley - url: /windows/whats-new/windows-sv-get-started + - text: Plan to deploy Windows Sun Valley + url: /windows/whats-new/windows-sv-plan - text: What's new in Windows 10, version 21H2 url: /windows/whats-new/whats-new-windows-10-version-21H1 - text: Windows release information diff --git a/windows/whats-new/TOC.yml b/windows/whats-new/TOC.yml index d611e4787f..fb7a0de80e 100644 --- a/windows/whats-new/TOC.yml +++ b/windows/whats-new/TOC.yml @@ -7,9 +7,9 @@ href: windows-sv.md - name: Windows Sun Valley requirements href: windows-sv-requirements.md - - name: Create a deployment plan + - name: Plan to deploy Windows Sun Valley href: windows-sv-plan.md - - name: Prepare to deploy Windows Sun Valley + - name: Prepare for Windows Sun Valley href: windows-sv-prepare.md - name: Windows 10 expanded: true diff --git a/windows/whats-new/index.yml b/windows/whats-new/index.yml index 7e3ba4fc82..bf2243760c 100644 --- a/windows/whats-new/index.yml +++ b/windows/whats-new/index.yml @@ -33,7 +33,7 @@ landingContent: url: windows-sv-requirements.md - text: Plan to deploy Windows Sun Valley url: windows-sv-plan.md - - text: Get ready for Windows Sun Valley + - text: Prepare for Windows Sun Valley url: windows-sv-prepare.md - title: Windows 10 diff --git a/windows/whats-new/windows-sv-plan.md b/windows/whats-new/windows-sv-plan.md index d7fda86414..bdc60ffec4 100644 --- a/windows/whats-new/windows-sv-plan.md +++ b/windows/whats-new/windows-sv-plan.md @@ -18,21 +18,21 @@ ms.topic: article **Applies to** -- Windows Sun Valley +- Windows Sun Valley, version 21H2 ## Deployment planning -This article provides IT professionals with planning guidance for the recent Windows Sun Valley announcements, specifically: +This article provides you with planning guidance to deploy Windows Sun Valley in your organization, specifically: - Adoption guidance - Infrastructure planning - Servicing cadence and lifecycle - Application readiness - Functionality and coexistence with Windows 10 ecosystems - -## Deployment process -Consider using the following processes to deploy Windows Sun Valley: +### Deployment process + +Consider the following order of activities: 1. Preview Windows Sun Valley and create a deployment plan. 2. Test critical applications and management policies. 3. Update devices to the Windows 10, version 20H1 or later. @@ -40,9 +40,11 @@ Consider using the following processes to deploy Windows Sun Valley: 5. Update deployment tools, infrastructure, and policies. 6. Update qualifying devices to Windows Sun Valley. -## Phased deployment +### Phased deployment -A phased deployment model is recommended for rolling out upgrades to devices in your organization. This is identical to the [service management model](/windows/deployment/update/create-deployment-plan) recommended for Windows 10 updates. With this method, you define the time and scope of devices that will migrate to Windows Sun Valley. A [calendar based approac](/windows/deployment/update/plan-define-strategy#calendar-approaches) is an effective method to plan Windows Sun Valley upgrades that includes scheduling of future Windows 10 and Windows Sun Valley updates. +A phased deployment model is recommended for rolling out upgrades to devices in your organization. This is identical to the [service management model](/windows/deployment/update/create-deployment-plan) recommended for Windows 10 updates. With this method, you define the time and scope of devices that will migrate to Windows Sun Valley. + +A [calendar based approac](/windows/deployment/update/plan-define-strategy#calendar-approaches) is an effective method to plan Windows Sun Valley upgrades that includes scheduling of future Windows 10 and Windows Sun Valley updates. Also consider [assigning roles](/windows/deployment/update/plan-define-readiness) within your organization to groups and individuals you'll need to carry out specific tasks, if you have not already done so. @@ -57,7 +59,13 @@ Assess your current [configurations](/windows/deployment/update/eval-infra-tools - Identify gaps - Implement required updates -## Windows Sun Valley Servicing +## Windows 10 lifecycle + +For organizations who cannot move to Windows Sun Valley immediately, Microsoft’s guidance is to standardize devices on Windows 10, version 21H2. This release will be the last feature update to Windows 10, and will receive specific feature enhancements to ease migrating to Windows Sun Valley. + +Windows 10 will continue to be supported with security updates until October 2025. + +## Windows Sun Valley servicing ### Cadence diff --git a/windows/whats-new/windows-sv-prepare.md b/windows/whats-new/windows-sv-prepare.md index 3d7fa0815a..14f8b5e369 100644 --- a/windows/whats-new/windows-sv-prepare.md +++ b/windows/whats-new/windows-sv-prepare.md @@ -14,11 +14,11 @@ ms.localizationpriority: high ms.topic: article --- -# Prepare to deploy Windows Sun Valley +# Prepare for Windows Sun Valley **Applies to** -- Windows Sun Valley +- Windows Sun Valley, version 21H2 ## Deployment readiness @@ -31,6 +31,8 @@ To prepare for deployment of Windows Sun Valley, you will need to implement your - Update your management tools, infrastructure, and policies - [Prepare users](/windows/deployment/update/prepare-deploy-windows#prepare-users) for Windows Sun Valley. + + When these actions are completed, you can begin your phased deployment of Windows Sun Valley. ## Application compatibility diff --git a/windows/whats-new/windows-sv-requirements.md b/windows/whats-new/windows-sv-requirements.md index e33c0381d6..ddd412c1cb 100644 --- a/windows/whats-new/windows-sv-requirements.md +++ b/windows/whats-new/windows-sv-requirements.md @@ -18,13 +18,17 @@ ms.custom: seo-marvel-apr2020 # Windows Sun Valley requirements +**Applies to** + +- Windows Sun Valley, version 21H2 + This article lists the sotware and physical hardware requirements to run Windows Sun Valley. Windows Sun Valley can also be run on Virtual Machines (VMs). ## Software requirements The upgrade to Sun Valley is available for devices running Windows 10, version 20H1 or newer, on eligible hardware. -If you are running Windows in S mode, you will need to first switch out of S mode prior to upgrading. S mode is not supported on Sun Valley. +S mode is not supported on Windows Sun Valley. If you are running Windows in S mode, you will need to first [switch out of S mode](/windows/deployment/windows-10-pro-in-s-mode) prior to upgrading. ## Hardware requirements @@ -49,7 +53,12 @@ Hardware Internet connectivity is required for the Home Edition +## Next steps + +[Plan to deploy Windows Sun Valley](windows-sv-plan.md)
+[Prepare for Windows Sun Valley](windows-sv-prepare.md) + ## See also -[Windows Sun Valley overview](windows-sv-overview.md) +[Windows Sun Valley overview](windows-sv.md) diff --git a/windows/whats-new/windows-sv.md b/windows/whats-new/windows-sv.md index ac2765847b..0513369d68 100644 --- a/windows/whats-new/windows-sv.md +++ b/windows/whats-new/windows-sv.md @@ -19,34 +19,34 @@ ms.custom: seo-marvel-apr2020 # Windows Sun Valley overview **Applies to** -- Windows Sun Valley + +- Windows Sun Valley, version 21H2 This article provides an introduction and answers some frequently asked questions about Windows Sun Valley, the next client release of Windows. -The following articles are available to learn about Windows Sun Valley. +The following articles are available to learn about Windows Sun Valley: 1. Windows Sun Valley overview (this article): An introduction to Windows Sun Valley. 2. [Windows Sun Valley requirements](windows-sv-requirements.md): Hardware, software, network, and licensing requirements to deploy Windows Sun Valley. 3. [Planning for Windows Sun Valley](windows-sv-plan.md): Guidance to create a Windows Sun Valley deployment plan. -4. [Prepare to deploy Windows Sun Valley](windows-sv-prepare.md): Procedures to ensure readiness to deploy Windows Sun Valley in your organization. +4. [Prepare for Windows Sun Valley](windows-sv-prepare.md): Procedures to ensure readiness to deploy Windows Sun Valley in your organization. ## Introduction Windows Sun Valley is a newly designed Windows client operating system due to be released later in 2021. It is fresh and light, yet familiar to those who use Windows today. Windows Sun Valley is designed to support today's flexible [hybrid work](https://pulse.microsoft.com/the-journey-to-the-new-normal-driving-innovation-and-productivity-in-a-hybrid-world/) environment. The goal of this release is to be the most reliable, secure, connected, and performant OS release ever. -Windows Sun Valley is built on the same foundation as Windows 10, so you can generally deploy, manage, and secure Sun Valley using the same tools and solutions you use today. +Windows Sun Valley is built on the same foundation as Windows 10, so you can deploy, manage, and secure Windows Sun Valley using the same tools and solutions you use today. All upgrades to Windows Sun Valley from Windows 10 will be free. ## How to get Windows Sun Valley -Windows Sun Valley will delivered as an upgrade to devices running Windows 10 beginning in the first half of 2022. Windows Sun Valley will also be available on new devices that meet the hardware requirements. +Windows Sun Valley will delivered as an upgrade to devices running Windows 10 beginning in the first half of 2022. Windows Sun Valley will also be available on new devices that meet the hardware requirements. +- For managed PCs that meet requirements, the upgrade will be provided using the same process that you use today for feature updates. +- For unmanaged PCs that meet requirements, the upgrade will be offered through Windows Update. +- You can get early access to test Windows Sun Valley by joining the [Windows Insider Program](https://insider.windows.com), or by enabling pre-release Windows 10 feature updates in Configuration Manager or Windows Server Update Services (WSUS). -You must be running Windows 10, version 20H1 or later, and meet the minimum hardware specifications to be eligible to upgrade. For more information, see [Windows Sun Valley requirements](windows-sv-requirements.md). - -For managed PCs that meet requirements, the upgrade will be provided using the same process that you use today for feature updates. For unmanaged PCs that meet requirements, the upgrade will be offered through Windows Update. - -You can get early access to test Windows Sun Valley by joining the [Windows Insider Program](https://insider.windows.com), or by enabling pre-release Windows 10 feature updates in Configuration Manager or Windows Server Update Services (WSUS). +For more information about eligibility to upgrade, see [Windows Sun Valley requirements](windows-sv-requirements.md). ### Licensing @@ -62,7 +62,7 @@ After you have upgraded to Windows Sun Valley, you have 10 days to use the rollb ## Compatibility -Windows Sun Valley is based on the same foundation as Windows 10. Therefore, it supports investments that IT organizations have made to support Windows 10. +Windows Sun Valley is built on the same foundation as Windows 10, so you can generally deploy, manage, and secure Sun Valley using the same tools and solutions you use today. ### Management and tools @@ -74,24 +74,17 @@ Most accessories and associated software that worked with Windows 10 are expecte ### Application compatibility -Windows Sun Valley preserves the application compatibility promise made with Windows 10, and does not require changes to existing support processes or tooling to sustain the currency of applications and devices. Programs like App Assure and FastTrack for Microsoft M365 customers will continue to be available to support IT efforts to adopt and maintain Windows Sun Valley. - +Windows Sun Valley preserves the application compatibility promise made with Windows 10, and does not require changes to existing support processes or tooling to sustain the currency of applications and devices. Programs like App Assure and FastTrack for Microsoft M365 customers will continue to be available to support IT efforts to adopt and maintain Windows Sun Valley. For more information, see [Application compatibility](windows-sv-prepare.md#application-compatibility) ## Windows Sun Valley servicing For details about the Windows Sun Valley servicing cadence and lifecycle, see [Windows Sun Valley servicing](sv-plan.md#servicing). -## Windows 10 lifecycle - -For organizations who cannot move to Windows Sun Valley immediately, Microsoft’s guidance is to standardize devices on Windows 10, version 21H2. This release will be the last feature update to Windows 10, but will receive specific feature enhancements to ease migrating to Windows Sun Valley. - -Windows 10 will continue to be supported with security updates until October 2025. +## Windows 10 servicing +Windows 10 will continue to be supported with security updates until October 2025. For more information, see [Windows 10 lifecycle](windows-sv.plan.md#windows-10-lifecycle). ## Next steps [Plan to deploy Windows Sun Valley](windows-sv-plan.md)
[Prepare for Windows Sun Valley](windows-sv-prepare.md) - - -## See also \ No newline at end of file From 023aae766a37db24913c591e833acc941e85b2d1 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Fri, 11 Jun 2021 12:52:51 -0700 Subject: [PATCH 289/415] draft --- windows/whats-new/windows-sv-plan.md | 46 ++++++-------------- windows/whats-new/windows-sv-prepare.md | 4 +- windows/whats-new/windows-sv-requirements.md | 6 +-- windows/whats-new/windows-sv.md | 8 ++-- 4 files changed, 21 insertions(+), 43 deletions(-) diff --git a/windows/whats-new/windows-sv-plan.md b/windows/whats-new/windows-sv-plan.md index bdc60ffec4..8e49a77cdf 100644 --- a/windows/whats-new/windows-sv-plan.md +++ b/windows/whats-new/windows-sv-plan.md @@ -42,9 +42,14 @@ Consider the following order of activities: ### Phased deployment -A phased deployment model is recommended for rolling out upgrades to devices in your organization. This is identical to the [service management model](/windows/deployment/update/create-deployment-plan) recommended for Windows 10 updates. With this method, you define the time and scope of devices that will migrate to Windows Sun Valley. +A phased deployment model is recommended for rolling out upgrades to devices in your organization. This is identical to the [service management model](/windows/deployment/update/create-deployment-plan) recommended for Windows 10 updates and includes separate groups or 'rings' that receive an update at different times. For example: +- Preview: Windows Sun Valley planning and development +- Limited: Windows Sun Valley pilot deployment +- Broad: Windows Sun Valley rollout -A [calendar based approac](/windows/deployment/update/plan-define-strategy#calendar-approaches) is an effective method to plan Windows Sun Valley upgrades that includes scheduling of future Windows 10 and Windows Sun Valley updates. +With this method, you define the timing and scope of devices that will migrate to Windows Sun Valley, documenting and validating each phase before moving to the next one. + +A [calendar based approac](/windows/deployment/update/plan-define-strategy#calendar-approaches) is an effective method to plan Windows Sun Valley upgrades that includes scheduling of future Windows 10 and Windows Sun Valley updates. The calendar based approach can be very useful for update planning in a mixed Windows 10 and Windows Sun Valley enviroment. Also consider [assigning roles](/windows/deployment/update/plan-define-readiness) within your organization to groups and individuals you'll need to carry out specific tasks, if you have not already done so. @@ -59,12 +64,6 @@ Assess your current [configurations](/windows/deployment/update/eval-infra-tools - Identify gaps - Implement required updates -## Windows 10 lifecycle - -For organizations who cannot move to Windows Sun Valley immediately, Microsoft’s guidance is to standardize devices on Windows 10, version 21H2. This release will be the last feature update to Windows 10, and will receive specific feature enhancements to ease migrating to Windows Sun Valley. - -Windows 10 will continue to be supported with security updates until October 2025. - ## Windows Sun Valley servicing ### Cadence @@ -91,33 +90,14 @@ Most features and applications that are included with Windows 10 will be availab ## Application readiness -Windows Sun Valley is designed to work with the applications you are currently using with Windows 10. If an application compatibility issue is identified, Microsoft provides services to help you remediate the problem. For more information, see [Application compatibility](windows-sv-prepare.md#application-compatibility) +Windows Sun Valley is designed to work with the applications you are currently using with Windows 10. If an application compatibility issue is identified, Microsoft provides services to help you remediate the problem. For more information, see [Application compatibility](windows-sv-prepare.md#application-compatibility). +## Windows 10 coexistence +For organizations that need to maintain a mixed enviroment with coexisting Windows 10 and Windows Sun Valley devices, Microsoft’s guidance is to standardize on Windows 10, version 21H2. This release will be the last feature update to Windows 10, and will receive specific feature enhancements to ease migrating to Windows Sun Valley. +Windows 10 will continue to be supported with security updates until October 2025. +## Next steps - - - - - - - - - - - - - - - - - - - - - -## See also - -[Get ready for Windows Sun Valley](windows-sv-prepare.md) +[Prepare for Windows Sun Valley](windows-sv-prepare.md) diff --git a/windows/whats-new/windows-sv-prepare.md b/windows/whats-new/windows-sv-prepare.md index 14f8b5e369..754df4db9d 100644 --- a/windows/whats-new/windows-sv-prepare.md +++ b/windows/whats-new/windows-sv-prepare.md @@ -31,9 +31,7 @@ To prepare for deployment of Windows Sun Valley, you will need to implement your - Update your management tools, infrastructure, and policies - [Prepare users](/windows/deployment/update/prepare-deploy-windows#prepare-users) for Windows Sun Valley. - - -When these actions are completed, you can begin your phased deployment of Windows Sun Valley. +After completing these actions, you can begin your phased deployment of Windows Sun Valley. ## Application compatibility diff --git a/windows/whats-new/windows-sv-requirements.md b/windows/whats-new/windows-sv-requirements.md index ddd412c1cb..5be3c8bf06 100644 --- a/windows/whats-new/windows-sv-requirements.md +++ b/windows/whats-new/windows-sv-requirements.md @@ -22,11 +22,11 @@ ms.custom: seo-marvel-apr2020 - Windows Sun Valley, version 21H2 -This article lists the sotware and physical hardware requirements to run Windows Sun Valley. Windows Sun Valley can also be run on Virtual Machines (VMs). +This article lists the sotware and physical hardware requirements to run Windows Sun Valley. Windows Sun Valley is also supported on a Virtual Machine (VM). ## Software requirements -The upgrade to Sun Valley is available for devices running Windows 10, version 20H1 or newer, on eligible hardware. +The upgrade to Sun Valley is available for devices running Windows 10, version 20H1 or later, on eligible hardware. S mode is not supported on Windows Sun Valley. If you are running Windows in S mode, you will need to first [switch out of S mode](/windows/deployment/windows-10-pro-in-s-mode) prior to upgrading. @@ -51,7 +51,7 @@ Hardware ## Network requirements -Internet connectivity is required for the Home Edition +Internet connectivity is required for the Home edition of Windows Sun Valley. ## Next steps diff --git a/windows/whats-new/windows-sv.md b/windows/whats-new/windows-sv.md index 0513369d68..e8354606db 100644 --- a/windows/whats-new/windows-sv.md +++ b/windows/whats-new/windows-sv.md @@ -42,8 +42,8 @@ All upgrades to Windows Sun Valley from Windows 10 will be free. ## How to get Windows Sun Valley Windows Sun Valley will delivered as an upgrade to devices running Windows 10 beginning in the first half of 2022. Windows Sun Valley will also be available on new devices that meet the hardware requirements. -- For managed PCs that meet requirements, the upgrade will be provided using the same process that you use today for feature updates. -- For unmanaged PCs that meet requirements, the upgrade will be offered through Windows Update. +- For managed PCs that meet requirements, the upgrade will be provided using the same process that you use today for feature updates. For more information, see [Management tools](windows-sv-prepare.md#management-tools). +- For unmanaged PCs that meet requirements, the upgrade will be offered through Windows Update using [intelligent rollout](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/using-machine-learning-to-improve-the-windows-10-update/ba-p/877860). Windows 10 devices purchased after June 2021 that meet or exceed the minimum hardware requirements for Windows Sun Valley will be offered the upgrade starting in October of 2021. - You can get early access to test Windows Sun Valley by joining the [Windows Insider Program](https://insider.windows.com), or by enabling pre-release Windows 10 feature updates in Configuration Manager or Windows Server Update Services (WSUS). For more information about eligibility to upgrade, see [Windows Sun Valley requirements](windows-sv-requirements.md). @@ -78,11 +78,11 @@ Windows Sun Valley preserves the application compatibility promise made with Win ## Windows Sun Valley servicing -For details about the Windows Sun Valley servicing cadence and lifecycle, see [Windows Sun Valley servicing](sv-plan.md#servicing). +For details about the Windows Sun Valley servicing cadence and lifecycle, see [Windows Sun Valley servicing](windows-sv-plan.md#servicing). ## Windows 10 servicing -Windows 10 will continue to be supported with security updates until October 2025. For more information, see [Windows 10 lifecycle](windows-sv.plan.md#windows-10-lifecycle). +Windows 10 will continue to be supported with security updates until October 2025. For more information, see [Windows 10 lifecycle](windows-sv-plan.md#windows-10-lifecycle). ## Next steps From d96023e5dadcff575dc1f57518d014822c93246a Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Fri, 11 Jun 2021 13:48:49 -0700 Subject: [PATCH 290/415] draft2 --- windows/whats-new/windows-sv-plan.md | 16 ++++++------ windows/whats-new/windows-sv-prepare.md | 4 +-- windows/whats-new/windows-sv-requirements.md | 3 ++- windows/whats-new/windows-sv.md | 26 +++++++++++--------- 4 files changed, 28 insertions(+), 21 deletions(-) diff --git a/windows/whats-new/windows-sv-plan.md b/windows/whats-new/windows-sv-plan.md index 8e49a77cdf..8904cf19e3 100644 --- a/windows/whats-new/windows-sv-plan.md +++ b/windows/whats-new/windows-sv-plan.md @@ -22,7 +22,7 @@ ms.topic: article ## Deployment planning -This article provides you with planning guidance to deploy Windows Sun Valley in your organization, specifically: +This article provides planning guidance to deploy Windows Sun Valley, specifically: - Adoption guidance - Infrastructure planning @@ -32,7 +32,7 @@ This article provides you with planning guidance to deploy Windows Sun Valley in ### Deployment process -Consider the following order of activities: +Consider using the following process to deploy Windows Sun Valley: 1. Preview Windows Sun Valley and create a deployment plan. 2. Test critical applications and management policies. 3. Update devices to the Windows 10, version 20H1 or later. @@ -42,20 +42,22 @@ Consider the following order of activities: ### Phased deployment -A phased deployment model is recommended for rolling out upgrades to devices in your organization. This is identical to the [service management model](/windows/deployment/update/create-deployment-plan) recommended for Windows 10 updates and includes separate groups or 'rings' that receive an update at different times. For example: +A phased deployment model is recommended for rolling out upgrades to devices in your organization. This is is described in the [service management model](/windows/deployment/update/create-deployment-plan) that is recommended for Windows 10 updates. It includes separate groups or 'rings' of devices that receive updates based on their role in your deployment plan. For example: - Preview: Windows Sun Valley planning and development - Limited: Windows Sun Valley pilot deployment - Broad: Windows Sun Valley rollout With this method, you define the timing and scope of devices that will migrate to Windows Sun Valley, documenting and validating each phase before moving to the next one. -A [calendar based approac](/windows/deployment/update/plan-define-strategy#calendar-approaches) is an effective method to plan Windows Sun Valley upgrades that includes scheduling of future Windows 10 and Windows Sun Valley updates. The calendar based approach can be very useful for update planning in a mixed Windows 10 and Windows Sun Valley enviroment. +Use a [calendar based approach](/windows/deployment/update/plan-define-strategy#calendar-approaches) to plan Windows Sun Valley upgrades, and include scheduling of future Windows 10 and Windows Sun Valley updates. The calendar based approach can be very useful for update planning in a mixed Windows 10 and Windows Sun Valley enviroment. Also consider [assigning roles](/windows/deployment/update/plan-define-readiness) within your organization to groups and individuals you'll need to carry out specific tasks, if you have not already done so. ## Infrastructure and tools -You can use your current management tools and processes to manage quality updates for both Windows 10 and Windows Sun Valley, in addition to using them to move between the two products beginning on the General Availability (GA) date for Windows Sun Valley. As part of your deployment planning, you will need to [evaluate your infrastructure](/windows/deployment/update/eval-infra-tools) and tools to verify they can support deployment and updates for Windows Sun Valley. For more information about updates to support the deployment of Windows Sun Valley, see [Management tools](windows-sv-prepare.md#management-tools). +You can use your current management tools and processes to manage quality updates for both Windows 10 and Windows Sun Valley, as well as using them to move between the two products beginning on the General Availability (GA) date for Windows Sun Valley. + +As part of your deployment planning, you will need to [evaluate your infrastructure](/windows/deployment/update/eval-infra-tools) and tools to verify they can support deployment and updates for Windows Sun Valley. For more information about updates to support the deployment of Windows Sun Valley, see [Management tools](windows-sv-prepare.md#management-tools). ## Configurations @@ -68,13 +70,13 @@ Assess your current [configurations](/windows/deployment/update/eval-infra-tools ### Cadence -Windows Sun Valley feature updates will be released once per year in the second half of the year. Quality updates will be released each month on the second Tuesday of the month. +Windows Sun Valley feature updates will be released once per year, in the second half of the year. Quality updates will be released each month, on the second Tuesday of the month. Microsoft will continue to provide one cumulative package that includes all latest cumulative updates (LCUs) and servicing stack updates (SSUs), if applicable, for Windows Sun Valley. This will be provided as a single package to Windows Server Update Services (WSUS) and Catalog, and have them orchestrated on the device. This capability is also the default for devices using Windows Update. ### Lifecycle -Windows Sun Valley annual releases are supported for 24 months or 36 months, depending on the edition. See the following table:
+Windows Sun Valley annual releases are supported for 24 months or 36 months, depending on the edition. See the following table:
 
| 24 months from the release date | 36 months from the release date | diff --git a/windows/whats-new/windows-sv-prepare.md b/windows/whats-new/windows-sv-prepare.md index 754df4db9d..5b3b15b817 100644 --- a/windows/whats-new/windows-sv-prepare.md +++ b/windows/whats-new/windows-sv-prepare.md @@ -50,7 +50,7 @@ The following updates are required to support deploying Windows Sun Valley: - Configuration Manager will prompt you to accept the End User License Agreement on behalf of the users in your organization. - If you would like to validate Sun Valley prior to release, simply sync the **Windows Insider Pre-release** category as well. - If you use Windows Server Update Services (WSUS), you will need to sync the new Windows Sun Valley category. -- Windows Update for Business (WUfB) users can leverage the Target Version capability (not Feature Update deferrals). +- Windows Update for Business (WUfB) users can leverage the **Target Version** capability (not Feature Update deferrals). - Feature Update deferrals are great to move to newer versions of a product (for example: Windows 10 21H1 to Windows 10 21H2), but deferrals do not enable you to move between products (Windows 10 to Windows Sun Valley). Quality update deferrals will continue to work the same across both Windows 10 and Windows Sun Valley. - WUfB has the additional benefit of two safety nets: offering blocks on non-eligible devices, and Safeguard holds. Safeguard holds will function for Windows Sun Valley devices just as they do for Windows 10. Administrators will have access to information on which safeguard holds are preventing individual devices from taking the upgrade to Windows Sun Valley. - No action is required for you to use Microsoft Intune because it is cloud-based. @@ -58,7 +58,7 @@ The following updates are required to support deploying Windows Sun Valley: - Windows Autopilot works seamlessly in a Windows Sun Valley Out-of-Box-Experience (OOBE) environment. - In an Intune environment, a Windows Sun Valley boot image needs to already exist on the device for Windows Autopilot to work with Windows Sun Valley. - If the device comes with a Windows 10 boot image, an administrator can use Windows Autopilot to deploy Windows 10, and then use WUfB to upgrade to Windows Sun Valley. - - To use Windows Autopilot to upgrade existing devices, Configuration Manager and the task sequence: **Windows Autopilot for existing devices** can place the Windows Sun Valley boot image on the managed device, allowing Windows Autopilot to deploy Windows Sun Valley. + - To use [Windows Autopilot to upgrade existing devices](/mem/autopilot/existing-devices), Configuration Manager and the task sequence: **Windows Autopilot for existing devices** can place the Windows Sun Valley boot image on the managed device, allowing Windows Autopilot to deploy Windows Sun Valley. - Windows Autopilot cannot be used to downgrade a device from Windows Sun Valley to Windows 10. ## See also diff --git a/windows/whats-new/windows-sv-requirements.md b/windows/whats-new/windows-sv-requirements.md index 5be3c8bf06..22999267a0 100644 --- a/windows/whats-new/windows-sv-requirements.md +++ b/windows/whats-new/windows-sv-requirements.md @@ -28,7 +28,8 @@ This article lists the sotware and physical hardware requirements to run Windows The upgrade to Sun Valley is available for devices running Windows 10, version 20H1 or later, on eligible hardware. -S mode is not supported on Windows Sun Valley. If you are running Windows in S mode, you will need to first [switch out of S mode](/windows/deployment/windows-10-pro-in-s-mode) prior to upgrading. +S mode is not supported on Windows Sun Valley. +- If you are running Windows in S mode, you will need to first [switch out of S mode](/windows/deployment/windows-10-pro-in-s-mode) prior to upgrading. ## Hardware requirements diff --git a/windows/whats-new/windows-sv.md b/windows/whats-new/windows-sv.md index e8354606db..50c3f38aa3 100644 --- a/windows/whats-new/windows-sv.md +++ b/windows/whats-new/windows-sv.md @@ -26,14 +26,14 @@ This article provides an introduction and answers some frequently asked question The following articles are available to learn about Windows Sun Valley: -1. Windows Sun Valley overview (this article): An introduction to Windows Sun Valley. -2. [Windows Sun Valley requirements](windows-sv-requirements.md): Hardware, software, network, and licensing requirements to deploy Windows Sun Valley. -3. [Planning for Windows Sun Valley](windows-sv-plan.md): Guidance to create a Windows Sun Valley deployment plan. -4. [Prepare for Windows Sun Valley](windows-sv-prepare.md): Procedures to ensure readiness to deploy Windows Sun Valley in your organization. +1. Windows Sun Valley overview (this article): An introduction and brief overview. +2. [Windows Sun Valley requirements](windows-sv-requirements.md): Requirements to deploy Windows Sun Valley. +3. [Planning for Windows Sun Valley](windows-sv-plan.md): Information to help you create a Windows Sun Valley deployment plan. +4. [Prepare for Windows Sun Valley](windows-sv-prepare.md): Procedures to ensure readiness to deploy Windows Sun Valley. ## Introduction -Windows Sun Valley is a newly designed Windows client operating system due to be released later in 2021. It is fresh and light, yet familiar to those who use Windows today. Windows Sun Valley is designed to support today's flexible [hybrid work](https://pulse.microsoft.com/the-journey-to-the-new-normal-driving-innovation-and-productivity-in-a-hybrid-world/) environment. The goal of this release is to be the most reliable, secure, connected, and performant OS release ever. +Windows Sun Valley is a newly designed Windows client operating system due to be released later in 2021. It is fresh and light, yet familiar to those who use Windows today. Windows Sun Valley is designed to support today's flexible [hybrid work](https://pulse.microsoft.com/the-journey-to-the-new-normal-driving-innovation-and-productivity-in-a-hybrid-world/) environment and to be the most reliable, secure, connected, and performant OS release ever. Windows Sun Valley is built on the same foundation as Windows 10, so you can deploy, manage, and secure Windows Sun Valley using the same tools and solutions you use today. @@ -41,10 +41,10 @@ All upgrades to Windows Sun Valley from Windows 10 will be free. ## How to get Windows Sun Valley -Windows Sun Valley will delivered as an upgrade to devices running Windows 10 beginning in the first half of 2022. Windows Sun Valley will also be available on new devices that meet the hardware requirements. -- For managed PCs that meet requirements, the upgrade will be provided using the same process that you use today for feature updates. For more information, see [Management tools](windows-sv-prepare.md#management-tools). +Windows Sun Valley will delivered as an upgrade to devices running Windows 10, beginning in the first half of 2022. Windows Sun Valley will also be available on new, eligible devices. +- For managed PCs that meet requirements, the upgrade will be provided using the same processes that you use today for feature updates. For more information, see [Management tools](windows-sv-prepare.md#management-tools). - For unmanaged PCs that meet requirements, the upgrade will be offered through Windows Update using [intelligent rollout](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/using-machine-learning-to-improve-the-windows-10-update/ba-p/877860). Windows 10 devices purchased after June 2021 that meet or exceed the minimum hardware requirements for Windows Sun Valley will be offered the upgrade starting in October of 2021. -- You can get early access to test Windows Sun Valley by joining the [Windows Insider Program](https://insider.windows.com), or by enabling pre-release Windows 10 feature updates in Configuration Manager or Windows Server Update Services (WSUS). +- You can get early access to test Windows Sun Valley by joining the the Windows Insider Program [Release Preview Channel](/windows-insider/business/validate-Release-Preview-Channel), or by enabling pre-release Windows 10 feature updates in Configuration Manager or Windows Server Update Services (WSUS). For more information about eligibility to upgrade, see [Windows Sun Valley requirements](windows-sv-requirements.md). @@ -52,7 +52,7 @@ For more information about eligibility to upgrade, see [Windows Sun Valley requi There are no unique licensing requirements for Windows Sun Valley beyond what is required for Windows 10 devices. -Microsoft 365 licenses that include Windows licenses will permit you to run Windows Sun Valley on supported devices. +Microsoft 365 licenses that include Windows 10 licenses will permit you to run Windows Sun Valley on supported devices. If you have a volume license, it will equally cover Windows Sun Valley and Windows 10 devices before and after upgrade. @@ -74,7 +74,9 @@ Most accessories and associated software that worked with Windows 10 are expecte ### Application compatibility -Windows Sun Valley preserves the application compatibility promise made with Windows 10, and does not require changes to existing support processes or tooling to sustain the currency of applications and devices. Programs like App Assure and FastTrack for Microsoft M365 customers will continue to be available to support IT efforts to adopt and maintain Windows Sun Valley. For more information, see [Application compatibility](windows-sv-prepare.md#application-compatibility) +Windows Sun Valley preserves the application compatibility promise made with Windows 10, and does not require changes to existing support processes or tooling to sustain the currency of applications and devices. Programs like App Assure and FastTrack for Microsoft M365 customers will continue to be available to support IT efforts to adopt and maintain Windows Sun Valley. + +For more information, see [Application compatibility](windows-sv-prepare.md#application-compatibility) ## Windows Sun Valley servicing @@ -82,7 +84,9 @@ For details about the Windows Sun Valley servicing cadence and lifecycle, see [W ## Windows 10 servicing -Windows 10 will continue to be supported with security updates until October 2025. For more information, see [Windows 10 lifecycle](windows-sv-plan.md#windows-10-lifecycle). +Windows 10 will continue to be supported with security updates until October 2025. + +For more information, see [Windows 10 lifecycle](windows-sv-plan.md#windows-10-lifecycle). ## Next steps From 2f475267baeea249e5c50f3650ff48ce34f11653 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Fri, 11 Jun 2021 13:53:01 -0700 Subject: [PATCH 291/415] draft3 --- windows/whats-new/windows-sv-prepare.md | 29 +++++++++++++++++++------ 1 file changed, 22 insertions(+), 7 deletions(-) diff --git a/windows/whats-new/windows-sv-prepare.md b/windows/whats-new/windows-sv-prepare.md index 5b3b15b817..5c5f1687db 100644 --- a/windows/whats-new/windows-sv-prepare.md +++ b/windows/whats-new/windows-sv-prepare.md @@ -40,22 +40,37 @@ Two Microsoft services that work directly with you to ensure application compati - If you experience any issues with your apps and are enrolled in the App Assure service, Microsoft will help you identify the issue at no cost. App Assure works with you to troubleshoot the issue, determine the root cause, and can help fix the issue as well. App Assure is subscription based, but subscriptions are free for eligible customers with 150+ seats. - Test Base is Microsoft's intelligent application validation service that allows software vendors and commercial customers to test their applications. The Test Base test and validation environment runs Windows Sun Valley as well as Windows 10 with a matrix of updates and environments in a Microsoft managed Azure environment. You can get started by enrolling in Test Base for Microsoft 365. -You can use [Desktop Analytics](/mem/configmgr/desktop-analytics/overview), to test application compatibility. To determine the impact of a potential application compatiblity issue, [assign priority to apps](/windows/deployment/update/plan-define-readiness#set-criteria-for-rating-apps) and then perform a [compatibility assessment](/mem/configmgr/desktop-analytics/compat-assessment). +You can also use [Desktop Analytics](/mem/configmgr/desktop-analytics/overview), to test application compatibility. To determine the impact of a potential application compatiblity issue, [assign priority to apps](/windows/deployment/update/plan-define-readiness#set-criteria-for-rating-apps) and then perform a [compatibility assessment](/mem/configmgr/desktop-analytics/compat-assessment). ## Management tools -The following updates are required to support deploying Windows Sun Valley: -- Configuration Manager should use the current branch. +The following updates are required to support deploying Windows Sun Valley. + +### Configuration Manager + +Configuration Manager should use the current branch. - You will easily be able to sync the new **Windows Sun Valley** product category and upgrade eligible devices. - Configuration Manager will prompt you to accept the End User License Agreement on behalf of the users in your organization. - If you would like to validate Sun Valley prior to release, simply sync the **Windows Insider Pre-release** category as well. -- If you use Windows Server Update Services (WSUS), you will need to sync the new Windows Sun Valley category. -- Windows Update for Business (WUfB) users can leverage the **Target Version** capability (not Feature Update deferrals). + +### WSUS + +If you use Windows Server Update Services (WSUS), you will need to sync the new Windows Sun Valley category. + +### WUfB + +Windows Update for Business (WUfB) users can leverage the **Target Version** capability (not Feature Update deferrals). - Feature Update deferrals are great to move to newer versions of a product (for example: Windows 10 21H1 to Windows 10 21H2), but deferrals do not enable you to move between products (Windows 10 to Windows Sun Valley). Quality update deferrals will continue to work the same across both Windows 10 and Windows Sun Valley. - WUfB has the additional benefit of two safety nets: offering blocks on non-eligible devices, and Safeguard holds. Safeguard holds will function for Windows Sun Valley devices just as they do for Windows 10. Administrators will have access to information on which safeguard holds are preventing individual devices from taking the upgrade to Windows Sun Valley. -- No action is required for you to use Microsoft Intune because it is cloud-based. + +### Microsoft Intune + +No infrastructure update is required for you to use Microsoft Intune because it is cloud-based. - If you are using MEM Intune with E3 licenses you will be able to leverage **Feature Update Deployments** to easily manage moving between Windows 10 versions or to Windows Sun Valley. -- Windows Autopilot works seamlessly in a Windows Sun Valley Out-of-Box-Experience (OOBE) environment. + +### Windows Autopilot + +Windows Autopilot works seamlessly in a Windows Sun Valley Out-of-Box-Experience (OOBE) environment. - In an Intune environment, a Windows Sun Valley boot image needs to already exist on the device for Windows Autopilot to work with Windows Sun Valley. - If the device comes with a Windows 10 boot image, an administrator can use Windows Autopilot to deploy Windows 10, and then use WUfB to upgrade to Windows Sun Valley. - To use [Windows Autopilot to upgrade existing devices](/mem/autopilot/existing-devices), Configuration Manager and the task sequence: **Windows Autopilot for existing devices** can place the Windows Sun Valley boot image on the managed device, allowing Windows Autopilot to deploy Windows Sun Valley. From beb49f84712f572ce319e480a1d6952b9bf9c583 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Fri, 11 Jun 2021 13:56:14 -0700 Subject: [PATCH 292/415] draft4 --- windows/whats-new/windows-sv.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/whats-new/windows-sv.md b/windows/whats-new/windows-sv.md index 50c3f38aa3..c1c31de0c4 100644 --- a/windows/whats-new/windows-sv.md +++ b/windows/whats-new/windows-sv.md @@ -80,13 +80,13 @@ For more information, see [Application compatibility](windows-sv-prepare.md#appl ## Windows Sun Valley servicing -For details about the Windows Sun Valley servicing cadence and lifecycle, see [Windows Sun Valley servicing](windows-sv-plan.md#servicing). +For details about the Windows Sun Valley servicing cadence and lifecycle, see [Windows Sun Valley servicing](windows-sv-plan.md#windows-sun-valley-servicing). ## Windows 10 servicing Windows 10 will continue to be supported with security updates until October 2025. -For more information, see [Windows 10 lifecycle](windows-sv-plan.md#windows-10-lifecycle). +For more information, see [Windows 10 coexistence](windows-sv-plan.md#windows-10-coexistence). ## Next steps From ed7b18112ed0e515ef463044c6341429cae10b9a Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Fri, 11 Jun 2021 14:00:15 -0700 Subject: [PATCH 293/415] draft5 --- windows/whats-new/windows-sv-prepare.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/whats-new/windows-sv-prepare.md b/windows/whats-new/windows-sv-prepare.md index 5c5f1687db..9bc3e59982 100644 --- a/windows/whats-new/windows-sv-prepare.md +++ b/windows/whats-new/windows-sv-prepare.md @@ -50,18 +50,18 @@ The following updates are required to support deploying Windows Sun Valley. Configuration Manager should use the current branch. - You will easily be able to sync the new **Windows Sun Valley** product category and upgrade eligible devices. - - Configuration Manager will prompt you to accept the End User License Agreement on behalf of the users in your organization. + - Configuration Manager will prompt you to accept the End User License Agreement (EULA) on behalf of the users in your organization. - If you would like to validate Sun Valley prior to release, simply sync the **Windows Insider Pre-release** category as well. ### WSUS -If you use Windows Server Update Services (WSUS), you will need to sync the new Windows Sun Valley category. +If you use Windows Server Update Services (WSUS), you will need to sync the new **Windows Sun Valley** category. ### WUfB Windows Update for Business (WUfB) users can leverage the **Target Version** capability (not Feature Update deferrals). - Feature Update deferrals are great to move to newer versions of a product (for example: Windows 10 21H1 to Windows 10 21H2), but deferrals do not enable you to move between products (Windows 10 to Windows Sun Valley). Quality update deferrals will continue to work the same across both Windows 10 and Windows Sun Valley. - - WUfB has the additional benefit of two safety nets: offering blocks on non-eligible devices, and Safeguard holds. Safeguard holds will function for Windows Sun Valley devices just as they do for Windows 10. Administrators will have access to information on which safeguard holds are preventing individual devices from taking the upgrade to Windows Sun Valley. + - WUfB has the additional benefit of two safety nets: offering blocks on non-eligible devices, and [Safeguard holds](/windows/deployment/update/safeguard-holds). Safeguard holds will function for Windows Sun Valley devices just as they do for Windows 10. Administrators will have access to information on which safeguard holds are preventing individual devices from taking the upgrade to Windows Sun Valley. ### Microsoft Intune From a7248e6d9cafecdc29fe8b25fbbf47ed878bfa63 Mon Sep 17 00:00:00 2001 From: Steve DiAcetis Date: Fri, 11 Jun 2021 14:09:12 -0700 Subject: [PATCH 294/415] Update media-dynamic-update.md Additional information on Flash removal --- windows/deployment/update/media-dynamic-update.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md index 34ef7cc00f..5b33d7c287 100644 --- a/windows/deployment/update/media-dynamic-update.md +++ b/windows/deployment/update/media-dynamic-update.md @@ -84,6 +84,9 @@ This table shows the correct sequence for applying the various tasks to the file > [!NOTE] > Starting in February 2021, the latest cumulative update and servicing stack update will be combined and distributed in the Microsoft Update Catalog as a new combined cumulative update. For Steps 1, 9, and 18 that require the servicing stack update for updating the installation media, you should use the combined cumulative update. For more information on the combined cumulative update, see [Servicing stack updates](./servicing-stack-updates.md). +> [!NOTE] +> Microsoft will remove the Flash component from Windows through the KB4577586 “Update for Removal of Adobe Flash Player”. You can also remove Flash anytime by deploying KB4577586, which is available on the Catalog, between steps 20 and 21. As of July 2021, the KB4577586 “Update for Removal of Adobe Flash Player” will be included in the Latest Cumulative Update for Windows 10, versions 1607 and Windows 10, version 1507. The KB will also be included in the Monthly Rollup and the Security Only Update for Windows 8.1, Windows Server 2012, and Windows Embedded 8 Standard. For more information, see [Update on Adobe Flash Player End of Support](https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/). + ### Multiple Windows editions The main operating system file (install.wim) contains multiple editions of Windows 10. It’s possible that only an update for a given edition is required to deploy it, based on the index. Or, it might be that all editions need an update. Further, ensure that languages are installed before Features on Demand, and the latest cumulative update is always applied last. From fe45e657bf13c815e40ef7c1e7893f7e8aa37281 Mon Sep 17 00:00:00 2001 From: Andrea Barr <81656118+AndreaLBarr@users.noreply.github.com> Date: Fri, 11 Jun 2021 14:13:45 -0700 Subject: [PATCH 295/415] FAQ Additoin This additional question and answer was requested to be added to this FAQ document by Radia Soulmani . --- .../microsoft-defender-application-guard/faq-md-app-guard.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md index 0e4406aaa5..abb97cebcc 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md @@ -51,6 +51,10 @@ Depending on your organization’s settings, it might be that Favorites Sync is Make sure to enable the extensions policy on your Application Guard configuration. +### I’m trying to watch playback video with HDR, why is the HDR option missing? + +In order for HDR video playback to work in the container, vGPU Hardware Acceleration needs to be enabled in Application Guard. + ### How do I configure Microsoft Defender Application Guard to work with my network proxy (IP-Literal Addresses)? Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This applies to Windows 10 Enterprise edition, version 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune. From 611dc0328fe7cdf684864aec19db3d13b099758f Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 11 Jun 2021 14:34:51 -0700 Subject: [PATCH 296/415] Update faq-md-app-guard.md --- .../faq-md-app-guard.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md index abb97cebcc..c37d466af5 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md @@ -8,7 +8,7 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 05/12/2021 +ms.date: 06/11/2021 ms.reviewer: manager: dansimp ms.custom: asr @@ -23,9 +23,9 @@ This article lists frequently asked questions with answers for Microsoft Defende ## Frequently Asked Questions -### Can I enable Application Guard on machines equipped with 4-GB RAM? +### Can I enable Application Guard on machines equipped with 4 GB RAM? -We recommend 8-GB RAM for optimal performance but you can use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration. +We recommend 8 GB RAM for optimal performance but you can use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration. `HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount` (Default is four cores.) @@ -51,7 +51,7 @@ Depending on your organization’s settings, it might be that Favorites Sync is Make sure to enable the extensions policy on your Application Guard configuration. -### I’m trying to watch playback video with HDR, why is the HDR option missing? +### I’m trying to watch playback video with HDR. Why is the HDR option missing? In order for HDR video playback to work in the container, vGPU Hardware Acceleration needs to be enabled in Application Guard. @@ -102,7 +102,7 @@ Yes, both the Enterprise Resource domains that are hosted in the cloud and the d ### Why does my encryption driver break Microsoft Defender Application Guard? -Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**). +Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (`0x80070013 ERROR_WRITE_PROTECT`). ### Why do the Network Isolation policies in Group Policy and CSP look different? @@ -114,7 +114,7 @@ There is not a one-to-one mapping among all the Network Isolation policies betwe - For EnterpriseNetworkDomainNames, there is no mapped CSP policy. -Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**). +Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (`0x80070013 ERROR_WRITE_PROTECT`). ### Why did Application Guard stop working after I turned off hyperthreading? From 1464230d8a9f035ff6dc317c890fb15955901cc1 Mon Sep 17 00:00:00 2001 From: Jaime Ondrusek Date: Fri, 11 Jun 2021 15:03:48 -0700 Subject: [PATCH 297/415] Update media-dynamic-update.md A few small changes for style. --- windows/deployment/update/media-dynamic-update.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md index 5b33d7c287..81b0cd7857 100644 --- a/windows/deployment/update/media-dynamic-update.md +++ b/windows/deployment/update/media-dynamic-update.md @@ -85,7 +85,7 @@ This table shows the correct sequence for applying the various tasks to the file > Starting in February 2021, the latest cumulative update and servicing stack update will be combined and distributed in the Microsoft Update Catalog as a new combined cumulative update. For Steps 1, 9, and 18 that require the servicing stack update for updating the installation media, you should use the combined cumulative update. For more information on the combined cumulative update, see [Servicing stack updates](./servicing-stack-updates.md). > [!NOTE] -> Microsoft will remove the Flash component from Windows through the KB4577586 “Update for Removal of Adobe Flash Player”. You can also remove Flash anytime by deploying KB4577586, which is available on the Catalog, between steps 20 and 21. As of July 2021, the KB4577586 “Update for Removal of Adobe Flash Player” will be included in the Latest Cumulative Update for Windows 10, versions 1607 and Windows 10, version 1507. The KB will also be included in the Monthly Rollup and the Security Only Update for Windows 8.1, Windows Server 2012, and Windows Embedded 8 Standard. For more information, see [Update on Adobe Flash Player End of Support](https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/). +> Microsoft will remove the Flash component from Windows through KB4577586, “Update for Removal of Adobe Flash Player”. You can also remove Flash anytime by deploying the update in KB4577586 (available on the Catalog) between steps 20 and 21. As of July 2021, KB4577586, “Update for Removal of Adobe Flash Player,” will be included in the latest cumulative update for Windows 10, versions 1607 and 1507. The update will also be included in the Monthly Rollup and the Security Only Update for Windows 8.1, Windows Server 2012, and Windows Embedded 8 Standard. For more information, see [Update on Adobe Flash Player End of Support](https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/). ### Multiple Windows editions @@ -459,4 +459,4 @@ Dismount-DiskImage -ImagePath $LP_ISO_PATH -ErrorAction stop | Out-Null Dismount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction stop | Out-Null Write-Output "$(Get-TS): Media refresh completed!" -``` \ No newline at end of file +``` From 237301056a6c8112fbaca4532a276f881ae3aeed Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Fri, 11 Jun 2021 15:03:58 -0700 Subject: [PATCH 298/415] Changed numbered list to bullets; added missing period The list under "First rule (DHCP Server)" appeared to NOT be a sequential list, so by style guidelines, it should not use numbers for its list items. --- .../faq-md-app-guard.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml index aef33b9815..cb0bff0dc0 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml @@ -52,7 +52,7 @@ sections: - question: | Why don't employees see their favorites in the Application Guard Edge session? answer: | - Depending on your organization’s settings, it might be that Favorites Sync is turned off. To manage the policy, see: [Microsoft Edge and Microsoft Defender Application Guard | Microsoft Docs](/deployedge/microsoft-edge-security-windows-defender-application-guard) + Depending on your organization’s settings, it might be that Favorites Sync is turned off. To manage the policy, see: [Microsoft Edge and Microsoft Defender Application Guard | Microsoft Docs](/deployedge/microsoft-edge-security-windows-defender-application-guard). - question: | Why aren’t employees able to see their extensions in the Application Guard Edge session? @@ -148,13 +148,13 @@ sections: - [Open Group Policy management console for Microsoft Defender Firewall](../windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md) ### First rule (DHCP Server) - 1. Program path: `%SystemRoot%\System32\svchost.exe` + - Program path: `%SystemRoot%\System32\svchost.exe` - 2. Local Service: `Sid: S-1-5-80-2009329905-444645132-2728249442-922493431-93864177 (Internet Connection Service (SharedAccess))` + - Local Service: `Sid: S-1-5-80-2009329905-444645132-2728249442-922493431-93864177 (Internet Connection Service (SharedAccess))` - 3. Protocol UDP + - Protocol UDP - 4. Port 67 + - Port 67 ### Second rule (DHCP Client) This is the same as the first rule, but scoped to local port 68. In the Microsoft Defender Firewall user interface go through the following steps: From c79468fa89db03a73db421805d3b77f58597e752 Mon Sep 17 00:00:00 2001 From: Jason Gerend Date: Fri, 11 Jun 2021 15:29:44 -0700 Subject: [PATCH 299/415] Update to deal with production outage issue If a customer running a failover cluster removes Authenticated Users group from this policy setting, the cluster goes down. --- .../access-this-computer-from-the-network.md | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md b/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md index d20934b1f3..55c80b17f7 100644 --- a/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md +++ b/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md @@ -14,17 +14,20 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 06/11/2021 ms.technology: mde --- # Access this computer from the network - security policy setting **Applies to** -- Windows 10 +- Windows 10, Azure Stack HCI, Windows Server 2022, Windows Server 2019, Windows Server 2016 Describes the best practices, location, values, policy management, and security considerations for the **Access this computer from the network** security policy setting. +> [!WARNING] +> If running Windows Server or Azure Stack HCI Failover Clustering, don't remove Authenticated Users from the **Access this computer from the network** policy setting. Doing so may induce an unexpected production outage. This is due to the local user account CLIUSR that is used to run the cluster service. CLIUSR is not a member of the local Administrators group and if the Authenticated Users group is removed, the cluster service won't have sufficient rights to function or start properly. + ## Reference The **Access this computer from the network** policy setting determines which users can connect to the device from the network. This capability is required by a number of network protocols, including Server Message Block (SMB)-based protocols, NetBIOS, Common Internet File System (CIFS), and Component Object Model Plus (COM+). @@ -43,6 +46,7 @@ Constant: SeNetworkLogonRight - On desktop devices or member servers, grant this right only to users and administrators. - On domain controllers, grant this right only to authenticated users, enterprise domain controllers, and administrators. +- On failover clusters, make sure this right is granted to authenticated users. - This setting includes the **Everyone** group to ensure backward compatibility. Upon Windows upgrade, after you have verified that all users and groups are correctly migrated, you should remove the **Everyone** group and use the **Authenticated Users** group instead. ### Location @@ -104,6 +108,8 @@ from servers in the domain if members of the **Domain Users** group are included If you remove the **Access this computer from the network** user right on domain controllers for all users, no one can log on to the domain or use network resources. If you remove this user right on member servers, users cannot connect to those servers through the network. If you have installed optional components such as ASP.NET or Internet Information Services (IIS), you may need to assign this user right to additional accounts that are required by those components. It is important to verify that authorized users are assigned this user right for the devices that they need to access the network. +If running Windows Server or Azure Stack HCI Failover Clustering, do not remove Authenticated Users from the Access this computer from the network policy setting. Doing so may induce an unexpected production outage. This is due to the local user account CLIUSR that is used to run the cluster service. CLIUSR is not a member of the local Administrators group and if the Authenticated Users group is removed, the cluster service will not have sufficient rights to function or start properly. + ## Related topics [User Rights Assignment](user-rights-assignment.md) From 875fc889a1780ff8a2fe413bbea8ca55a1b107fe Mon Sep 17 00:00:00 2001 From: JoyJaz <76192344+joyjaz@users.noreply.github.com> Date: Fri, 11 Jun 2021 14:29:45 -0800 Subject: [PATCH 300/415] Update configuration-service-provider-reference.md Changes made per Lavinder and Task 33226532. --- .../mdm/configuration-service-provider-reference.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 90f132759c..f076fe16e7 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -2555,7 +2555,7 @@ The following list shows the CSPs supported in HoloLens devices: [PassportForWork CSP](passportforwork-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | | [Policy CSP](policy-configuration-service-provider.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | | [RemoteFind CSP](remotefind-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 4 | ![check mark](images/checkmark.png) | -| [RemoteWipe CSP](remotewipe-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 4 | ![check mark](images/checkmark.png) | +| [RemoteWipe CSP](remotewipe-csp.md) (**doWipe** and **doWipePersistProvisionedData** nodes only) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 4 | ![check mark](images/checkmark.png) | | [RootCATrustedCertificates CSP](rootcacertificates-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | | [TenantLockdown CSP](tenantlockdown-csp.md) | ![cross mark](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 10 | | [Update CSP](update-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | @@ -2636,4 +2636,4 @@ The following list shows the CSPs supported in HoloLens devices: - 7 - Added in Windows 10, version 1909. - 8 - Added in Windows 10, version 2004. - 9 - Added in Windows 10 Team 2020 Update -- 10 - Added in [Windows Holographic, version 20H2](/hololens/hololens-release-notes#windows-holographic-version-20h2) \ No newline at end of file +- 10 - Added in [Windows Holographic, version 20H2](/hololens/hololens-release-notes#windows-holographic-version-20h2) From 57e1b9eaaedab70491466dd1199d20c5058d880c Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Sun, 13 Jun 2021 19:07:04 -0700 Subject: [PATCH 301/415] Correct bad link added in the public repo This commit corrects the bad link added in commit https://github.com/MicrosoftDocs/windows-itpro-docs/pull/9646/commits/1ca6bc2544d22c9a01b92fe2e8fa7f7f3df44c44 in PR https://github.com/MicrosoftDocs/windows-itpro-docs/pull/9646. --- .../event-id-explanations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index c3f6909aaa..9c79336c9d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -41,7 +41,7 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind |--------|-----------| | 8028 | Audit script/MSI file generated by Windows LockDown Policy (WLDP) being called by the script hosts themselves. Note: there is no WDAC enforcement on third-party script hosts. | | 8029 | Block script/MSI file | -| 8036| COM object was blocked. To learn more about COM object authorization, see [Allow COM object registration in a Windows Defender Application Control policy](allow-com-object-registration-in-windows-defender-application-control-policy). | +| 8036| COM object was blocked. To learn more about COM object authorization, see [Allow COM object registration in a Windows Defender Application Control policy](allow-com-object-registration-in-windows-defender-application-control-policy.md). | | 8038 | Signing information event correlated with either an 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | | ## Optional Intelligent Security Graph (ISG) or Managed Installer (MI) diagnostic events From 83d688e3f2ea31d4c1b4dc8965dc2c6c82b264df Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Sun, 13 Jun 2021 22:08:07 -0700 Subject: [PATCH 302/415] Remove the Markdown version of this file, which has been replaced by a YAML file in the private branch. --- .../faq-md-app-guard.md | 214 ------------------ 1 file changed, 214 deletions(-) delete mode 100644 windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md deleted file mode 100644 index c37d466af5..0000000000 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md +++ /dev/null @@ -1,214 +0,0 @@ ---- -title: FAQ - Microsoft Defender Application Guard (Windows 10) -description: Learn about the commonly asked questions and answers for Microsoft Defender Application Guard. -ms.prod: m365-security -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: denisebmsft -ms.author: deniseb -ms.date: 06/11/2021 -ms.reviewer: -manager: dansimp -ms.custom: asr -ms.technology: mde ---- - -# Frequently asked questions - Microsoft Defender Application Guard - -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -This article lists frequently asked questions with answers for Microsoft Defender Application Guard (Application Guard). Questions span features, integration with the Windows operating system, and general configuration. - -## Frequently Asked Questions - -### Can I enable Application Guard on machines equipped with 4 GB RAM? - -We recommend 8 GB RAM for optimal performance but you can use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration. - -`HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount` (Default is four cores.) - -`HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB` (Default is 8 GB.) - -`HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB` (Default is 5 GB.) - -### Can employees download documents from the Application Guard Edge session onto host devices? - -In Windows 10 Enterprise edition, version 1803, users are able to download documents from the isolated Application Guard container to the host PC. This capability is managed by policy. - -In Windows 10 Enterprise edition, version 1709, or Windows 10 Professional edition, version 1803, it is not possible to download files from the isolated Application Guard container to the host computer. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device. - -### Can employees copy and paste between the host device and the Application Guard Edge session? - -Depending on your organization's settings, employees can copy and paste images (.bmp) and text to and from the isolated container. - -### Why don't employees see their favorites in the Application Guard Edge session? - -Depending on your organization’s settings, it might be that Favorites Sync is turned off. To manage the policy, see: [Microsoft Edge and Microsoft Defender Application Guard | Microsoft Docs](/deployedge/microsoft-edge-security-windows-defender-application-guard) - -### Why aren’t employees able to see their extensions in the Application Guard Edge session? - -Make sure to enable the extensions policy on your Application Guard configuration. - -### I’m trying to watch playback video with HDR. Why is the HDR option missing? - -In order for HDR video playback to work in the container, vGPU Hardware Acceleration needs to be enabled in Application Guard. - -### How do I configure Microsoft Defender Application Guard to work with my network proxy (IP-Literal Addresses)? - -Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This applies to Windows 10 Enterprise edition, version 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune. - -### Which Input Method Editors (IME) in 19H1 are not supported? - -The following Input Method Editors (IME) introduced in Windows 10, version 1903 are currently not supported in Microsoft Defender Application Guard: - -- Vietnam Telex keyboard -- Vietnam number key-based keyboard -- Hindi phonetic keyboard -- Bangla phonetic keyboard -- Marathi phonetic keyboard -- Telugu phonetic keyboard -- Tamil phonetic keyboard -- Kannada phonetic keyboard -- Malayalam phonetic keyboard -- Gujarati phonetic keyboard -- Odia phonetic keyboard -- Punjabi phonetic keyboard - -### I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering? - -This feature is currently experimental only and is not functional without an additional registry key provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, contact Microsoft and we’ll work with you to enable the feature. - -### What is the WDAGUtilityAccount local account? - -WDAGUtilityAccount is part of Application Guard, beginning with Windows 10, version 1709 (Fall Creators Update). It remains disabled by default, unless Application Guard is enabled on your device. WDAGUtilityAccount is used to sign in to the Application Guard container as a standard user with a random password. It is NOT a malicious account. If *Run as a service* permissions are revoked for this account, you might see the following error: - -**Error: 0x80070569, Ext error: 0x00000001; RDP: Error: 0x00000000, Ext error: 0x00000000 Location: 0x00000000** - -We recommend that you do not modify this account. - -### How do I trust a subdomain in my site list? - -To trust a subdomain, you must precede your domain with two dots (..). For example: `..contoso.com` ensures that `mail.contoso.com` or `news.contoso.com` are trusted. The first dot represents the strings for the subdomain name (mail or news), and the second dot recognizes the start of the domain name (`contoso.com`). This prevents sites such as `fakesitecontoso.com` from being trusted. - -### Are there differences between using Application Guard on Windows Pro vs Windows Enterprise? - -When using Windows Pro or Windows Enterprise, you have access to using Application Guard in Standalone Mode. However, when using Enterprise you have access to Application Guard in Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](./install-md-app-guard.md). - -### Is there a size limit to the domain lists that I need to configure? - -Yes, both the Enterprise Resource domains that are hosted in the cloud and the domains that are categorized as both work and personal have a 16383-B limit. - -### Why does my encryption driver break Microsoft Defender Application Guard? - -Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (`0x80070013 ERROR_WRITE_PROTECT`). - -### Why do the Network Isolation policies in Group Policy and CSP look different? - -There is not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatory network isolation policies to deploy Application Guard are different between CSP and GP. - -- Mandatory network isolation GP policy to deploy Application Guard: **DomainSubnets or CloudResources** - -- Mandatory network isolation CSP policy to deploy Application Guard: **EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)** - -- For EnterpriseNetworkDomainNames, there is no mapped CSP policy. - -Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (`0x80070013 ERROR_WRITE_PROTECT`). - -### Why did Application Guard stop working after I turned off hyperthreading? - -If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility Application Guard no longer meets the minimum requirements. - -### Why am I getting the error message "ERROR_VIRTUAL_DISK_LIMITATION"? - -Application Guard might not work correctly on NTFS compressed volumes. If this issue persists, try uncompressing the volume. - -### Why am I getting the error message "ERR_NAME_NOT_RESOLVED" after not being able to reach the PAC file? - -This is a known issue. To mitigate this you need to create two firewall rules. For information about creating a firewall rule by using Group Policy, see the following resources: - -- [Create an inbound icmp rule](../windows-firewall/create-an-inbound-icmp-rule.md) -- [Open Group Policy management console for Microsoft Defender Firewall](../windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md) - -#### First rule (DHCP Server) -1. Program path: `%SystemRoot%\System32\svchost.exe` - -2. Local Service: `Sid: S-1-5-80-2009329905-444645132-2728249442-922493431-93864177 (Internet Connection Service (SharedAccess))` - -3. Protocol UDP - -4. Port 67 - -#### Second rule (DHCP Client) -This is the same as the first rule, but scoped to local port 68. In the Microsoft Defender Firewall user interface go through the following steps: - -1. Right-click on inbound rules, and then create a new rule. - -2. Choose **custom rule**. - -3. Specify the following program path: `%SystemRoot%\System32\svchost.exe`. - -4. Specify the following settings: - - Protocol Type: UDP - - Specific ports: 67 - - Remote port: any - -5. Specify any IP addresses. - -6. Allow the connection. - -7. Specify to use all profiles. - -8. The new rule should show up in the user interface. Right click on the **rule** > **properties**. - -9. In the **Programs and services** tab, under the **Services** section, select **settings**. - -10. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**. - -### Why can I not launch Application Guard when Exploit Guard is enabled? - -There is a known issue such that if you change the Exploit Protection settings for CFG and possibly others, hvsimgr cannot launch. To mitigate this issue, go to **Windows Security** > **App and Browser control** > **Exploit Protection Setting**, and then switch CFG to **use default**. - -### How can I disable portions of ICS without breaking Application Guard? - -ICS is enabled by default in Windows, and ICS must be enabled in order for Application Guard to function correctly. We do not recommend disabling ICS; however, you can disable ICS in part by using a Group Policy and editing registry keys. - -1. In the Group Policy setting, **Prohibit use of Internet Connection Sharing on your DNS domain network**, set it to **Disabled**. - -2. Disable IpNat.sys from ICS load as follows:
-`System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1` - -3. Configure ICS (SharedAccess) to enabled as follows:
-`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 3` - -4. (This is optional) Disable IPNAT as follows:
-`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4` - -5. Reboot the device. - -### Why doesn't the container fully load when device control policies are enabled? - -Allow-listed items must be configured as "allowed" in the Group Policy Object to ensure AppGuard works properly. - -Policy: Allow installation of devices that match any of the following device IDs: - -- `SCSI\DiskMsft____Virtual_Disk____` -- `{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\msvhdhba` -- `VMS_VSF` -- `root\Vpcivsp` -- `root\VMBus` -- `vms_mp` -- `VMS_VSP` -- `ROOT\VKRNLINTVSP` -- `ROOT\VID` -- `root\storvsp` -- `vms_vsmp` -- `VMS_PP` - -Policy: Allow installation of devices using drivers that match these device setup classes -- `{71a27cdd-812a-11d0-bec7-08002be2092f}` - -## See also - -[Configure Microsoft Defender Application Guard policy settings](./configure-md-app-guard.md) From 6506a888b45aa5764c3fafb4d79f3c87af7206a8 Mon Sep 17 00:00:00 2001 From: msarcletti <56821677+msarcletti@users.noreply.github.com> Date: Mon, 14 Jun 2021 10:30:40 +0200 Subject: [PATCH 303/415] Update vpnv2-csp.md Update information on NRPT applicability. --- windows/client-management/mdm/vpnv2-csp.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md index 15c30be7f5..e21af0bff4 100644 --- a/windows/client-management/mdm/vpnv2-csp.md +++ b/windows/client-management/mdm/vpnv2-csp.md @@ -390,6 +390,9 @@ Optional node. Name Resolution Policy Table (NRPT) rules for the VPN profile. The Name Resolution Policy Table (NRPT) is a table of namespaces and corresponding settings stored in the Windows registry that determines the DNS client behavior when issuing queries and processing responses. Each row in the NRPT represents a rule for a portion of the namespace for which the DNS client issues queries. Before issuing name resolution queries, the DNS client consults the NRPT to determine if any additional flags must be set in the query. After receiving the response, the client again consults the NRPT to check for any special processing or policy requirements. In the absence of the NRPT, the client operates based on the DNS servers and suffixes set on the interface. +> [!NOTE] +> Only applications using the [Windows DNS API](https://docs.microsoft.com/en-us/windows/win32/dns/dns-reference) can make use of the Name Resolution Policy Table (NRPT) and therefore all settings configured within the DomainNameInformationList section. Applications using their own DNS implementation bypass the Windows DNS API. One example of applications not using the Windows DNS API is nslookup, so please always use the PowerShell CmdLet [Resolve-DNSName](https://docs.microsoft.com/en-us/powershell/module/dnsclient/resolve-dnsname) to check the functionality of NRPT. + **VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId A sequential integer identifier for the Domain Name information. Sequencing must start at 0. @@ -419,8 +422,8 @@ Value type is chr. Supported operations include Get, Add, Replace, and Delete. **VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/WebProxyServers** Optional. Web Proxy Server IP address if you are redirecting traffic through your intranet. -> [!NOTE] -> Currently only one web proxy server is supported. +> [!NOTE] +> Currently only one web proxy server is supported. Value type is chr. Supported operations include Get, Add, Replace, and Delete. From c7161c13338e271240a06a7653e4c9a108ce3da3 Mon Sep 17 00:00:00 2001 From: Per Larsen Date: Mon, 14 Jun 2021 13:27:20 +0200 Subject: [PATCH 304/415] Update enroll-a-windows-10-device-automatically-using-group-policy.md Device Credential Is only supported for: - Co-management - WVD (Azure Virtual Desktop) - Autopilot deploying mode - witch is not using GPO for enrollment --- ...roll-a-windows-10-device-automatically-using-group-policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index 9e1150cd20..775e72cacd 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -128,7 +128,7 @@ Requirements: > In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have installed Windows 10, version 1903 or later. > > The default behavior for older releases is to revert to **User Credential**. - > **Device Credential** is not supported for enrollment type when you have a ConfigMgr Agent on your device. + > **Device Credential** is only supported for Microsoft Intune enrollment in scenarios with Co-management or Azure Virtual Desktop. When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called " Schedule created by enrollment client for automatically enrolling in MDM from AAD." From f07b4f01f30e6e85aa162856ae32936b6ad82f10 Mon Sep 17 00:00:00 2001 From: "Steve DiAcetis (MSFT)" <52939067+SteveDiAcetis@users.noreply.github.com> Date: Mon, 14 Jun 2021 08:39:15 -0700 Subject: [PATCH 305/415] Update windows/deployment/update/media-dynamic-update.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/deployment/update/media-dynamic-update.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md index 81b0cd7857..85d236c15d 100644 --- a/windows/deployment/update/media-dynamic-update.md +++ b/windows/deployment/update/media-dynamic-update.md @@ -85,7 +85,7 @@ This table shows the correct sequence for applying the various tasks to the file > Starting in February 2021, the latest cumulative update and servicing stack update will be combined and distributed in the Microsoft Update Catalog as a new combined cumulative update. For Steps 1, 9, and 18 that require the servicing stack update for updating the installation media, you should use the combined cumulative update. For more information on the combined cumulative update, see [Servicing stack updates](./servicing-stack-updates.md). > [!NOTE] -> Microsoft will remove the Flash component from Windows through KB4577586, “Update for Removal of Adobe Flash Player”. You can also remove Flash anytime by deploying the update in KB4577586 (available on the Catalog) between steps 20 and 21. As of July 2021, KB4577586, “Update for Removal of Adobe Flash Player,” will be included in the latest cumulative update for Windows 10, versions 1607 and 1507. The update will also be included in the Monthly Rollup and the Security Only Update for Windows 8.1, Windows Server 2012, and Windows Embedded 8 Standard. For more information, see [Update on Adobe Flash Player End of Support](https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/). +> Microsoft will remove the Flash component from Windows through KB4577586, “Update for Removal of Adobe Flash Player”. You can also remove Flash anytime by deploying the update in KB4577586 (available on the Catalog) between steps 20 and 21. As of July 2021, KB4577586, “Update for Removal of Adobe Flash Player”, will be included in the latest cumulative update for Windows 10, versions 1607 and 1507. The update will also be included in the Monthly Rollup and the Security Only Update for Windows 8.1, Windows Server 2012, and Windows Embedded 8 Standard. For more information, see [Update on Adobe Flash Player End of Support](https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/). ### Multiple Windows editions From 17db40a3eb6f99a7ad7d4f06edc1e1fea0e58274 Mon Sep 17 00:00:00 2001 From: Jaime Ondrusek Date: Mon, 14 Jun 2021 09:08:56 -0700 Subject: [PATCH 306/415] Update media-dynamic-update.md Corrected comma. --- windows/deployment/update/media-dynamic-update.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md index 85d236c15d..2664d3f9d8 100644 --- a/windows/deployment/update/media-dynamic-update.md +++ b/windows/deployment/update/media-dynamic-update.md @@ -85,7 +85,7 @@ This table shows the correct sequence for applying the various tasks to the file > Starting in February 2021, the latest cumulative update and servicing stack update will be combined and distributed in the Microsoft Update Catalog as a new combined cumulative update. For Steps 1, 9, and 18 that require the servicing stack update for updating the installation media, you should use the combined cumulative update. For more information on the combined cumulative update, see [Servicing stack updates](./servicing-stack-updates.md). > [!NOTE] -> Microsoft will remove the Flash component from Windows through KB4577586, “Update for Removal of Adobe Flash Player”. You can also remove Flash anytime by deploying the update in KB4577586 (available on the Catalog) between steps 20 and 21. As of July 2021, KB4577586, “Update for Removal of Adobe Flash Player”, will be included in the latest cumulative update for Windows 10, versions 1607 and 1507. The update will also be included in the Monthly Rollup and the Security Only Update for Windows 8.1, Windows Server 2012, and Windows Embedded 8 Standard. For more information, see [Update on Adobe Flash Player End of Support](https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/). +> Microsoft will remove the Flash component from Windows through KB4577586, “Update for Removal of Adobe Flash Player”. You can also remove Flash anytime by deploying the update in KB4577586 (available on the Catalog) between steps 20 and 21. As of July 2021, KB4577586, “Update for Removal of Adobe Flash Player” will be included in the latest cumulative update for Windows 10, versions 1607 and 1507. The update will also be included in the Monthly Rollup and the Security Only Update for Windows 8.1, Windows Server 2012, and Windows Embedded 8 Standard. For more information, see [Update on Adobe Flash Player End of Support](https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/). ### Multiple Windows editions From 86d8af570836ff725714dc4296572c51a294e83e Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Mon, 14 Jun 2021 10:25:05 -0700 Subject: [PATCH 307/415] Added additional text to the ApplicationControl CSP section --- ...ultiple-windows-defender-application-control-policies.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md index 80ef49b096..f3935c6b4b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md @@ -101,7 +101,11 @@ To deploy policies locally using the new multiple policy format, follow these st ### Deploying multiple policies via ApplicationControl CSP -Multiple WDAC policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). The CSP also provides support for rebootless policy deployment. See [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp) for more information on deploying multiple policies, optionally using MEM Intune's Custom OMA-URI capability. +Multiple WDAC policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). The CSP also provides support for rebootless policy deployment.
+ +However, when policies are un-enrolled from an MDM server, the CSP will attempt to remove every policy from devices, not just the policies added by the CSP. The reason for this is because the ApplicationControl CSP doesn't track enrollment sources for individual policies, even though it will query all policies on a device, regardless if they were deployed by the CSP. + +See [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp) for more information on deploying multiple policies, optionally using MEM Intune's Custom OMA-URI capability. > [!NOTE] > WMI and GP do not currently support multiple policies. Instead, customers who cannot directly access the MDM stack should use the [ApplicationControl CSP via the MDM Bridge WMI Provider](/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) to manage Multiple Policy Format WDAC policies. From 036fdabfce26f39a91fbaf7bde5fa7977f464a8d Mon Sep 17 00:00:00 2001 From: v-hearya Date: Tue, 15 Jun 2021 00:59:11 +0530 Subject: [PATCH 308/415] Broken link fixed --- browsers/internet-explorer/kb-support/ie-edge-faqs.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/browsers/internet-explorer/kb-support/ie-edge-faqs.yml b/browsers/internet-explorer/kb-support/ie-edge-faqs.yml index 7bc45c1ec2..50862d688d 100644 --- a/browsers/internet-explorer/kb-support/ie-edge-faqs.yml +++ b/browsers/internet-explorer/kb-support/ie-edge-faqs.yml @@ -114,8 +114,8 @@ sections: - question: | How to improve performance by using PAC scripts answer: | - - [Browser is slow to respond when you use an automatic configuration script](https://support.microsoft.com/help/315810/browser-is-slow-to-respond-when-you-use-an-automatic-configuration-scr) - - [Optimizing performance with automatic Proxyconfiguration scripts (PAC)](https://blogs.msdn.microsoft.com/askie/2014/02/07/optimizing-performance-with-automatic-proxyconfiguration-scripts-pac/) + - [Browser is slow to respond when you use an automatic configuration script](https://support.microsoft.com/en-us/topic/effa1aa0-8e95-543d-6606-03ac68e3f490) + - [Optimizing performance with automatic Proxyconfiguration scripts (PAC)](/troubleshoot/browsers/optimize-pac-performance) - name: Other questions questions: @@ -124,7 +124,7 @@ sections: answer: | For more information, see the following blog article: - [How do I set the home page in Microsoft Edge?](https://blogs.msdn.microsoft.com/askie/2017/10/04/how-do-i-set-the-home-page-in-edge/) + [How do I set the home page in Microsoft Edge?](https://support.microsoft.com/en-us/microsoft-edge/change-your-browser-home-page-a531e1b8-ed54-d057-0262-cc5983a065c6) - question: | How to add sites to the Enterprise Mode (EMIE) site list From 9354d35287519d34b15260b94fe232c63e31b670 Mon Sep 17 00:00:00 2001 From: katoma2017 <48699113+katoma2017@users.noreply.github.com> Date: Mon, 14 Jun 2021 21:44:22 -0700 Subject: [PATCH 309/415] Update update-baseline.md Update the link of Update Baseline toolkit to the Security Compliance Toolkit (which now contains Update Baseline) --- windows/deployment/update/update-baseline.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/update-baseline.md b/windows/deployment/update/update-baseline.md index 4438c95e54..91ea05a2e5 100644 --- a/windows/deployment/update/update-baseline.md +++ b/windows/deployment/update/update-baseline.md @@ -40,7 +40,7 @@ For the complete detailed list of all settings and their values, see the MSFT Wi ## How do I get started? -The Update Baseline toolkit makes it easy by providing a single command for IT Admins to load the baseline settings into Group Policy Management Console. You can get the [Update Baseline toolkit](https://www.microsoft.com/download/details.aspx?id=101056) from the Download Center. +The Update Baseline toolkit makes it easy by providing a single command for IT Admins to load the baseline settings into Group Policy Management Console. You can get the [Update Baseline toolkit](https://www.microsoft.com/en-us/download/details.aspx?id=55319) (included as a part of the Security Compliance Toolkit) from the Download Center. Today, the Update Baseline toolkit is currently only available for use with Group Policy. From 3f9c194f35c6a682b974ee07af0a064b819d41d3 Mon Sep 17 00:00:00 2001 From: msarcletti <56821677+msarcletti@users.noreply.github.com> Date: Tue, 15 Jun 2021 08:12:48 +0200 Subject: [PATCH 310/415] Update windows/client-management/mdm/vpnv2-csp.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/client-management/mdm/vpnv2-csp.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md index e21af0bff4..1fed240483 100644 --- a/windows/client-management/mdm/vpnv2-csp.md +++ b/windows/client-management/mdm/vpnv2-csp.md @@ -391,7 +391,7 @@ Optional node. Name Resolution Policy Table (NRPT) rules for the VPN profile. The Name Resolution Policy Table (NRPT) is a table of namespaces and corresponding settings stored in the Windows registry that determines the DNS client behavior when issuing queries and processing responses. Each row in the NRPT represents a rule for a portion of the namespace for which the DNS client issues queries. Before issuing name resolution queries, the DNS client consults the NRPT to determine if any additional flags must be set in the query. After receiving the response, the client again consults the NRPT to check for any special processing or policy requirements. In the absence of the NRPT, the client operates based on the DNS servers and suffixes set on the interface. > [!NOTE] -> Only applications using the [Windows DNS API](https://docs.microsoft.com/en-us/windows/win32/dns/dns-reference) can make use of the Name Resolution Policy Table (NRPT) and therefore all settings configured within the DomainNameInformationList section. Applications using their own DNS implementation bypass the Windows DNS API. One example of applications not using the Windows DNS API is nslookup, so please always use the PowerShell CmdLet [Resolve-DNSName](https://docs.microsoft.com/en-us/powershell/module/dnsclient/resolve-dnsname) to check the functionality of NRPT. +> Only applications using the [Windows DNS API](/windows/win32/dns/dns-reference) can make use of the NRPT and therefore all settings configured within the DomainNameInformationList section. Applications using their own DNS implementation bypass the Windows DNS API. One example of applications not using the Windows DNS API is nslookup, so always use the PowerShell CmdLet [Resolve-DNSName](/powershell/module/dnsclient/resolve-dnsname) to check the functionality of the NRPT. **VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId A sequential integer identifier for the Domain Name information. Sequencing must start at 0. @@ -1603,4 +1603,3 @@ Servers - From d36f937b2b902896a15ce6c7f6bd2d47394dc089 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andre=20M=C3=BCller?= <85677225+amueller-tf@users.noreply.github.com> Date: Tue, 15 Jun 2021 11:18:00 +0200 Subject: [PATCH 311/415] Fix Defender for Endpoint link --- .../security/threat-protection/intelligence/fileless-threats.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/intelligence/fileless-threats.md b/windows/security/threat-protection/intelligence/fileless-threats.md index 39371c3da0..31d34345c4 100644 --- a/windows/security/threat-protection/intelligence/fileless-threats.md +++ b/windows/security/threat-protection/intelligence/fileless-threats.md @@ -99,7 +99,7 @@ Besides being vulnerable at the firmware level, CPUs could be manufactured with ## Defeating fileless malware -At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions to mitigate classes of threats. We instrument durable protections that are effective against a wide range of threats. Through AntiMalware Scan Interface (AMSI), behavior monitoring, memory scanning, and boot sector protection, Microsoft Defender for Endpoint](https://www.microsoft.com/windowsforbusiness?ocid=docs-fileless) can inspect fileless threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats. +At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions to mitigate classes of threats. We instrument durable protections that are effective against a wide range of threats. Through AntiMalware Scan Interface (AMSI), behavior monitoring, memory scanning, and boot sector protection, [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide) can inspect fileless threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats. To learn more, read: [Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and next-gen AV](https://cloudblogs.microsoft.com/microsoftsecure/2018/09/27/out-of-sight-but-not-invisible-defeating-fileless-malware-with-behavior-monitoring-amsi-and-next-gen-av/) From 9ef8502ee4b2e602b09c4775b306e8ba73e9a3e0 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT <18405051+denisebmsft@users.noreply.github.com> Date: Tue, 15 Jun 2021 07:14:26 -0700 Subject: [PATCH 312/415] Update fileless-threats.md --- .../security/threat-protection/intelligence/fileless-threats.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/intelligence/fileless-threats.md b/windows/security/threat-protection/intelligence/fileless-threats.md index 31d34345c4..e2029f3c2c 100644 --- a/windows/security/threat-protection/intelligence/fileless-threats.md +++ b/windows/security/threat-protection/intelligence/fileless-threats.md @@ -99,7 +99,7 @@ Besides being vulnerable at the firmware level, CPUs could be manufactured with ## Defeating fileless malware -At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions to mitigate classes of threats. We instrument durable protections that are effective against a wide range of threats. Through AntiMalware Scan Interface (AMSI), behavior monitoring, memory scanning, and boot sector protection, [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide) can inspect fileless threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats. +At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions to mitigate classes of threats. We instrument durable protections that are effective against a wide range of threats. Through AntiMalware Scan Interface (AMSI), behavior monitoring, memory scanning, and boot sector protection, [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) can inspect fileless threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats. To learn more, read: [Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and next-gen AV](https://cloudblogs.microsoft.com/microsoftsecure/2018/09/27/out-of-sight-but-not-invisible-defeating-fileless-malware-with-behavior-monitoring-amsi-and-next-gen-av/) From 3b02d8ff9dd952b9f7baac5f0cf8923522515135 Mon Sep 17 00:00:00 2001 From: Charles Inglis <32555877+cinglis-msft@users.noreply.github.com> Date: Tue, 15 Jun 2021 11:08:15 -0400 Subject: [PATCH 313/415] Fixed error in documentation for wrong value AllowWUfBCloudProcessing is a DWORD, or Integer. Not String. It also must be set to "8", not "1". This is correcting an error in documentation. --- windows/deployment/update/deployment-service-overview.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/update/deployment-service-overview.md b/windows/deployment/update/deployment-service-overview.md index 4c034921b7..256bbb7d4e 100644 --- a/windows/deployment/update/deployment-service-overview.md +++ b/windows/deployment/update/deployment-service-overview.md @@ -148,8 +148,8 @@ Following is an example of setting the policy using Microsoft Endpoint Manager: - Name: **AllowWUfBCloudProcessing** - Description: Enter a description. - OMA-URI: `./Vendor/MSFT/Policy/Config/System/AllowWUfBCloudProcessing` - - Data type: **String** - - Value: **1** + - Data type: **Integer** + - Value: **8** 6. In **Assignments**, select the groups that will receive the profile, and then select **Next**. 7. In **Review + create**, review your settings, and then select **Create**. 8. (Optional) To verify that the policy reached the client, check the value of the following registry entry: **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager \\default\\System\\AllowWUfBCloudProcessing**. From 0e3c630f274313fc7bb39bacea59b053dc18c5a7 Mon Sep 17 00:00:00 2001 From: katoma2017 <48699113+katoma2017@users.noreply.github.com> Date: Tue, 15 Jun 2021 09:50:15 -0700 Subject: [PATCH 314/415] Update windows/deployment/update/update-baseline.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/deployment/update/update-baseline.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/deployment/update/update-baseline.md b/windows/deployment/update/update-baseline.md index 91ea05a2e5..2e4ab4fd64 100644 --- a/windows/deployment/update/update-baseline.md +++ b/windows/deployment/update/update-baseline.md @@ -40,8 +40,7 @@ For the complete detailed list of all settings and their values, see the MSFT Wi ## How do I get started? -The Update Baseline toolkit makes it easy by providing a single command for IT Admins to load the baseline settings into Group Policy Management Console. You can get the [Update Baseline toolkit](https://www.microsoft.com/en-us/download/details.aspx?id=55319) (included as a part of the Security Compliance Toolkit) from the Download Center. +The Update Baseline toolkit makes it easy by providing a single command for IT Admins to load the baseline settings into Group Policy Management Console. You can get the [Update Baseline toolkit](https://www.microsoft.com/download/details.aspx?id=55319) (included as a part of the Security Compliance Toolkit) from the Download Center. Today, the Update Baseline toolkit is currently only available for use with Group Policy. - From 00d940e661cdf570067ac61ae2bad4b5daaa5da7 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 15 Jun 2021 10:52:39 -0700 Subject: [PATCH 315/415] edits --- windows/whats-new/windows-sv-plan.md | 28 +++++++------ windows/whats-new/windows-sv-prepare.md | 42 ++++++++++---------- windows/whats-new/windows-sv-requirements.md | 7 ++-- windows/whats-new/windows-sv.md | 15 +++---- 4 files changed, 50 insertions(+), 42 deletions(-) diff --git a/windows/whats-new/windows-sv-plan.md b/windows/whats-new/windows-sv-plan.md index 8904cf19e3..ff388e1c4f 100644 --- a/windows/whats-new/windows-sv-plan.md +++ b/windows/whats-new/windows-sv-plan.md @@ -22,7 +22,9 @@ ms.topic: article ## Deployment planning -This article provides planning guidance to deploy Windows Sun Valley, specifically: +Windows Sun Valley is developed with Windows 10 as its foundation, enabling you to plan, prepare, deploy, and manage Windows Sun Valley with the same tools and methods that you use for Windows 10. As you integrate Windows Sun Valley into your environment, there will be some unique but familiar considerations as you work with a mix of Windows 10 and Windows Sun Valley devices side-by-side. + +This article provides planning guidance to help you begin depoying Windows Sun Valley, specifically: - Adoption guidance - Infrastructure planning @@ -30,9 +32,9 @@ This article provides planning guidance to deploy Windows Sun Valley, specifical - Application readiness - Functionality and coexistence with Windows 10 ecosystems -### Deployment process +#### Deployment process -Consider using the following process to deploy Windows Sun Valley: +Consider using the following processes to deploy Windows Sun Valley: 1. Preview Windows Sun Valley and create a deployment plan. 2. Test critical applications and management policies. 3. Update devices to the Windows 10, version 20H1 or later. @@ -40,7 +42,7 @@ Consider using the following process to deploy Windows Sun Valley: 5. Update deployment tools, infrastructure, and policies. 6. Update qualifying devices to Windows Sun Valley. -### Phased deployment +#### Phased deployment A phased deployment model is recommended for rolling out upgrades to devices in your organization. This is is described in the [service management model](/windows/deployment/update/create-deployment-plan) that is recommended for Windows 10 updates. It includes separate groups or 'rings' of devices that receive updates based on their role in your deployment plan. For example: - Preview: Windows Sun Valley planning and development @@ -49,15 +51,15 @@ A phased deployment model is recommended for rolling out upgrades to devices in With this method, you define the timing and scope of devices that will migrate to Windows Sun Valley, documenting and validating each phase before moving to the next one. -Use a [calendar based approach](/windows/deployment/update/plan-define-strategy#calendar-approaches) to plan Windows Sun Valley upgrades, and include scheduling of future Windows 10 and Windows Sun Valley updates. The calendar based approach can be very useful for update planning in a mixed Windows 10 and Windows Sun Valley enviroment. - Also consider [assigning roles](/windows/deployment/update/plan-define-readiness) within your organization to groups and individuals you'll need to carry out specific tasks, if you have not already done so. ## Infrastructure and tools You can use your current management tools and processes to manage quality updates for both Windows 10 and Windows Sun Valley, as well as using them to move between the two products beginning on the General Availability (GA) date for Windows Sun Valley. -As part of your deployment planning, you will need to [evaluate your infrastructure](/windows/deployment/update/eval-infra-tools) and tools to verify they can support deployment and updates for Windows Sun Valley. For more information about updates to support the deployment of Windows Sun Valley, see [Management tools](windows-sv-prepare.md#management-tools). +For information about updates that are required to support the deployment of Windows Sun Valley, see [Management tools](windows-sv-prepare.md#management-tools). + +Also see [Evaluate infrastructure and tools](/windows/deployment/update/eval-infra-tools) for a list of tasks related to deploying feature updates. ## Configurations @@ -68,15 +70,15 @@ Assess your current [configurations](/windows/deployment/update/eval-infra-tools ## Windows Sun Valley servicing -### Cadence +#### Cadence Windows Sun Valley feature updates will be released once per year, in the second half of the year. Quality updates will be released each month, on the second Tuesday of the month. -Microsoft will continue to provide one cumulative package that includes all latest cumulative updates (LCUs) and servicing stack updates (SSUs), if applicable, for Windows Sun Valley. This will be provided as a single package to Windows Server Update Services (WSUS) and Catalog, and have them orchestrated on the device. This capability is also the default for devices using Windows Update. +Microsoft will continue to provide one cumulative package that includes all latest cumulative updates and servicing stack updates, if applicable, for Windows Sun Valley. This will be provided as a single package to Windows Server Update Services (WSUS) and Catalog, and have them orchestrated on the device. This capability is also the default for devices using Windows Update. -### Lifecycle +#### Lifecycle -Windows Sun Valley annual releases are supported for 24 months or 36 months, depending on the edition. See the following table:
 
+Windows Sun Valley annual releases are supported for 24 months or 36 months, depending on the edition. This is a different servicing lifecycle than that for [Windows 10 release information](/windows/release-health/release-information). See the following table:
 
| 24 months from the release date | 36 months from the release date | @@ -86,7 +88,9 @@ Windows Sun Valley annual releases are supported for 24 months or 36 months, dep | Windows Sun Valley Pro for Workstations | | | Windows Sun Valley Pro Education | | -### Features and applications +A long term servicing channel release of Windows Sun Valley is not planned at this time. + +#### Features and applications Most features and applications that are included with Windows 10 will be available on Windows Sun Valley. For information about features that are deprecated or work differently on Windows Sun Valley, see [article link here]. diff --git a/windows/whats-new/windows-sv-prepare.md b/windows/whats-new/windows-sv-prepare.md index 9bc3e59982..85f8bd4b1b 100644 --- a/windows/whats-new/windows-sv-prepare.md +++ b/windows/whats-new/windows-sv-prepare.md @@ -40,35 +40,18 @@ Two Microsoft services that work directly with you to ensure application compati - If you experience any issues with your apps and are enrolled in the App Assure service, Microsoft will help you identify the issue at no cost. App Assure works with you to troubleshoot the issue, determine the root cause, and can help fix the issue as well. App Assure is subscription based, but subscriptions are free for eligible customers with 150+ seats. - Test Base is Microsoft's intelligent application validation service that allows software vendors and commercial customers to test their applications. The Test Base test and validation environment runs Windows Sun Valley as well as Windows 10 with a matrix of updates and environments in a Microsoft managed Azure environment. You can get started by enrolling in Test Base for Microsoft 365. -You can also use [Desktop Analytics](/mem/configmgr/desktop-analytics/overview), to test application compatibility. To determine the impact of a potential application compatiblity issue, [assign priority to apps](/windows/deployment/update/plan-define-readiness#set-criteria-for-rating-apps) and then perform a [compatibility assessment](/mem/configmgr/desktop-analytics/compat-assessment). +You can also use [Endpoint Analytics](/mem/analytics/app-reliability), to test application compatibility. ## Management tools The following updates are required to support deploying Windows Sun Valley. -### Configuration Manager - -Configuration Manager should use the current branch. - - You will easily be able to sync the new **Windows Sun Valley** product category and upgrade eligible devices. - - Configuration Manager will prompt you to accept the End User License Agreement (EULA) on behalf of the users in your organization. - - If you would like to validate Sun Valley prior to release, simply sync the **Windows Insider Pre-release** category as well. - -### WSUS - -If you use Windows Server Update Services (WSUS), you will need to sync the new **Windows Sun Valley** category. - -### WUfB - -Windows Update for Business (WUfB) users can leverage the **Target Version** capability (not Feature Update deferrals). - - Feature Update deferrals are great to move to newer versions of a product (for example: Windows 10 21H1 to Windows 10 21H2), but deferrals do not enable you to move between products (Windows 10 to Windows Sun Valley). Quality update deferrals will continue to work the same across both Windows 10 and Windows Sun Valley. - - WUfB has the additional benefit of two safety nets: offering blocks on non-eligible devices, and [Safeguard holds](/windows/deployment/update/safeguard-holds). Safeguard holds will function for Windows Sun Valley devices just as they do for Windows 10. Administrators will have access to information on which safeguard holds are preventing individual devices from taking the upgrade to Windows Sun Valley. - -### Microsoft Intune +#### Microsoft Intune No infrastructure update is required for you to use Microsoft Intune because it is cloud-based. - If you are using MEM Intune with E3 licenses you will be able to leverage **Feature Update Deployments** to easily manage moving between Windows 10 versions or to Windows Sun Valley. -### Windows Autopilot +#### Windows Autopilot Windows Autopilot works seamlessly in a Windows Sun Valley Out-of-Box-Experience (OOBE) environment. - In an Intune environment, a Windows Sun Valley boot image needs to already exist on the device for Windows Autopilot to work with Windows Sun Valley. @@ -76,6 +59,25 @@ Windows Autopilot works seamlessly in a Windows Sun Valley Out-of-Box-Experience - To use [Windows Autopilot to upgrade existing devices](/mem/autopilot/existing-devices), Configuration Manager and the task sequence: **Windows Autopilot for existing devices** can place the Windows Sun Valley boot image on the managed device, allowing Windows Autopilot to deploy Windows Sun Valley. - Windows Autopilot cannot be used to downgrade a device from Windows Sun Valley to Windows 10. +#### Configuration Manager + +Configuration Manager should use the current branch. + - You will easily be able to sync the new **Windows Sun Valley** product category and upgrade eligible devices. + - Configuration Manager will prompt you to accept the End User License Agreement (EULA) on behalf of the users in your organization. + - If you would like to validate Sun Valley prior to release, simply sync the **Windows Insider Pre-release** category as well. + +#### WSUS + +If you use Windows Server Update Services (WSUS), you will need to sync the new **Windows Sun Valley** category. + +#### WUfB + +Windows Update for Business (WUfB) users can leverage the **Target Version** capability (not Feature Update deferrals). + - Feature Update deferrals are great to move to newer versions of a product (for example: Windows 10 21H1 to Windows 10 21H2), but deferrals do not enable you to move between products (Windows 10 to Windows Sun Valley). Quality update deferrals will continue to work the same across both Windows 10 and Windows Sun Valley. + - WUfB has the additional benefit of two safety nets: offering blocks on non-eligible devices, and [Safeguard holds](/windows/deployment/update/safeguard-holds). Safeguard holds will function for Windows Sun Valley devices just as they do for Windows 10. Administrators will have access to information on which safeguard holds are preventing individual devices from taking the upgrade to Windows Sun Valley. + + + ## See also [Windows Sun Valley deployment planning](windows-sv-plan.md) diff --git a/windows/whats-new/windows-sv-requirements.md b/windows/whats-new/windows-sv-requirements.md index 22999267a0..1ec42163e8 100644 --- a/windows/whats-new/windows-sv-requirements.md +++ b/windows/whats-new/windows-sv-requirements.md @@ -22,14 +22,15 @@ ms.custom: seo-marvel-apr2020 - Windows Sun Valley, version 21H2 -This article lists the sotware and physical hardware requirements to run Windows Sun Valley. Windows Sun Valley is also supported on a Virtual Machine (VM). +This article lists the software and physical hardware requirements to run Windows Sun Valley. Windows Sun Valley is also supported on a Virtual Machine (VM). ## Software requirements The upgrade to Sun Valley is available for devices running Windows 10, version 20H1 or later, on eligible hardware. -S mode is not supported on Windows Sun Valley. -- If you are running Windows in S mode, you will need to first [switch out of S mode](/windows/deployment/windows-10-pro-in-s-mode) prior to upgrading. +> [!NOTE] +> S mode is not supported on Windows Sun Valley. +> If you are running Windows in S mode, you will need to first [switch out of S mode](/windows/deployment/windows-10-pro-in-s-mode) prior to upgrading. ## Hardware requirements diff --git a/windows/whats-new/windows-sv.md b/windows/whats-new/windows-sv.md index c1c31de0c4..21147d17cf 100644 --- a/windows/whats-new/windows-sv.md +++ b/windows/whats-new/windows-sv.md @@ -42,13 +42,13 @@ All upgrades to Windows Sun Valley from Windows 10 will be free. ## How to get Windows Sun Valley Windows Sun Valley will delivered as an upgrade to devices running Windows 10, beginning in the first half of 2022. Windows Sun Valley will also be available on new, eligible devices. -- For managed PCs that meet requirements, the upgrade will be provided using the same processes that you use today for feature updates. For more information, see [Management tools](windows-sv-prepare.md#management-tools). -- For unmanaged PCs that meet requirements, the upgrade will be offered through Windows Update using [intelligent rollout](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/using-machine-learning-to-improve-the-windows-10-update/ba-p/877860). Windows 10 devices purchased after June 2021 that meet or exceed the minimum hardware requirements for Windows Sun Valley will be offered the upgrade starting in October of 2021. +- For PCs that are managed by your organization and meet requirements, the upgrade will be provided using the same processes that you use today for feature updates. For more information, see [Management tools](windows-sv-prepare.md#management-tools). +- For personal devices and other unmanaged PCs that meet requirements, the upgrade will be offered through Windows Update using [intelligent rollout](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/using-machine-learning-to-improve-the-windows-10-update/ba-p/877860). Windows 10 devices purchased after June 2021 that meet or exceed the minimum hardware requirements for Windows Sun Valley will be offered the upgrade starting in October of 2021. - You can get early access to test Windows Sun Valley by joining the the Windows Insider Program [Release Preview Channel](/windows-insider/business/validate-Release-Preview-Channel), or by enabling pre-release Windows 10 feature updates in Configuration Manager or Windows Server Update Services (WSUS). For more information about eligibility to upgrade, see [Windows Sun Valley requirements](windows-sv-requirements.md). -### Licensing +#### Licensing There are no unique licensing requirements for Windows Sun Valley beyond what is required for Windows 10 devices. @@ -56,7 +56,7 @@ Microsoft 365 licenses that include Windows 10 licenses will permit you to run W If you have a volume license, it will equally cover Windows Sun Valley and Windows 10 devices before and after upgrade. -### Rollback +#### Rollback After you have upgraded to Windows Sun Valley, you have 10 days to use the rollback function if you wish to move back to Windows 10 while keeping your files and data. After the 10 day grace period, you will need to back up your data and perform a clean install to move back to Windows 10. @@ -64,15 +64,15 @@ After you have upgraded to Windows Sun Valley, you have 10 days to use the rollb Windows Sun Valley is built on the same foundation as Windows 10, so you can generally deploy, manage, and secure Sun Valley using the same tools and solutions you use today. -### Management and tools +#### Management and tools You can use your current management tools, processes, and settings to manage quality updates for both Windows 10 and Windows Sun Valley. For more information, see [Management tools](windows-sv-prepare.md#management-tools) and [Configurations](windows-sv-plan.md#configurations). -### Hardware compatibility +#### Hardware compatibility Most accessories and associated software that worked with Windows 10 are expected to work with Windows Sun Valley. Check with your accessory manufacturer for specific details. -### Application compatibility +#### Application compatibility Windows Sun Valley preserves the application compatibility promise made with Windows 10, and does not require changes to existing support processes or tooling to sustain the currency of applications and devices. Programs like App Assure and FastTrack for Microsoft M365 customers will continue to be available to support IT efforts to adopt and maintain Windows Sun Valley. @@ -90,5 +90,6 @@ For more information, see [Windows 10 coexistence](windows-sv-plan.md#windows-10 ## Next steps +[Windows Sun Valley requirements](windows-sv-requirements.md) [Plan to deploy Windows Sun Valley](windows-sv-plan.md)
[Prepare for Windows Sun Valley](windows-sv-prepare.md) From e627e8b1daeee9f0fe8bd27b8434e37b5ac211d6 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 15 Jun 2021 11:07:22 -0700 Subject: [PATCH 316/415] edits --- windows/whats-new/windows-sv-plan.md | 12 ++++++------ windows/whats-new/windows-sv-prepare.md | 2 +- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/whats-new/windows-sv-plan.md b/windows/whats-new/windows-sv-plan.md index ff388e1c4f..76f9576c7b 100644 --- a/windows/whats-new/windows-sv-plan.md +++ b/windows/whats-new/windows-sv-plan.md @@ -22,7 +22,7 @@ ms.topic: article ## Deployment planning -Windows Sun Valley is developed with Windows 10 as its foundation, enabling you to plan, prepare, deploy, and manage Windows Sun Valley with the same tools and methods that you use for Windows 10. As you integrate Windows Sun Valley into your environment, there will be some unique but familiar considerations as you work with a mix of Windows 10 and Windows Sun Valley devices side-by-side. +Windows Sun Valley is developed with Windows 10 as its foundation, enabling you to plan, prepare, deploy, and manage Windows Sun Valley with the same tools and methods that you use for Windows 10. As you integrate Windows Sun Valley into your environment, there will be some unique but familiar considerations working with a mix of Windows 10 and Windows Sun Valley devices side-by-side. This article provides planning guidance to help you begin depoying Windows Sun Valley, specifically: @@ -32,14 +32,14 @@ This article provides planning guidance to help you begin depoying Windows Sun V - Application readiness - Functionality and coexistence with Windows 10 ecosystems -#### Deployment process +#### Deployment processes Consider using the following processes to deploy Windows Sun Valley: -1. Preview Windows Sun Valley and create a deployment plan. -2. Test critical applications and management policies. +1. [Preview Windows Sun Valley](windows-sv.md#how-to-get-windows-sun-valley) and create a deployment plan. +2. [Test critical applications](windows-sv-prepare.md#application-compatibility) and management policies. 3. Update devices to the Windows 10, version 20H1 or later. -4. Verify that devices meet the minimum hardware requirements for Windows Sun Valley. -5. Update deployment tools, infrastructure, and policies. +4. Verify that devices meet the [minimum hardware requirements](windows-sv-requirements.md#hardware-requirements) for Windows Sun Valley. +5. [Update](windows-sv-prepare.md#management-tools) deployment tools, infrastructure, and policies. 6. Update qualifying devices to Windows Sun Valley. #### Phased deployment diff --git a/windows/whats-new/windows-sv-prepare.md b/windows/whats-new/windows-sv-prepare.md index 85f8bd4b1b..0c7db4b32a 100644 --- a/windows/whats-new/windows-sv-prepare.md +++ b/windows/whats-new/windows-sv-prepare.md @@ -49,7 +49,7 @@ The following updates are required to support deploying Windows Sun Valley. #### Microsoft Intune No infrastructure update is required for you to use Microsoft Intune because it is cloud-based. - - If you are using MEM Intune with E3 licenses you will be able to leverage **Feature Update Deployments** to easily manage moving between Windows 10 versions or to Windows Sun Valley. + - If you are using Microsoft Intune with E3 licenses you will be able to leverage **Feature Update Deployments** to easily manage moving between Windows 10 versions or to Windows Sun Valley. #### Windows Autopilot From a69125e9db70b097b651f720b7c51fd66641cde8 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 15 Jun 2021 11:21:17 -0700 Subject: [PATCH 317/415] ms.technology removed --- windows/whats-new/docfx.json | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/whats-new/docfx.json b/windows/whats-new/docfx.json index 04908deceb..16f6364ce9 100644 --- a/windows/whats-new/docfx.json +++ b/windows/whats-new/docfx.json @@ -34,7 +34,6 @@ "globalMetadata": { "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", "uhfHeaderId": "MSDocsHeader-M365-IT", - "ms.technology": "windows", "ms.topic": "article", "audience": "ITPro", "feedback_system": "GitHub", From d517852fea164ac95a94868f2a46f49f483a3c3f Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 15 Jun 2021 13:03:47 -0700 Subject: [PATCH 318/415] edits --- windows/whats-new/windows-sv-plan.md | 7 ++++--- windows/whats-new/windows-sv.md | 2 +- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/windows/whats-new/windows-sv-plan.md b/windows/whats-new/windows-sv-plan.md index 76f9576c7b..9afc2d8cc7 100644 --- a/windows/whats-new/windows-sv-plan.md +++ b/windows/whats-new/windows-sv-plan.md @@ -22,7 +22,7 @@ ms.topic: article ## Deployment planning -Windows Sun Valley is developed with Windows 10 as its foundation, enabling you to plan, prepare, deploy, and manage Windows Sun Valley with the same tools and methods that you use for Windows 10. As you integrate Windows Sun Valley into your environment, there will be some unique but familiar considerations working with a mix of Windows 10 and Windows Sun Valley devices side-by-side. +Windows Sun Valley is developed with Windows 10 as its foundation, enabling you to plan, prepare, deploy, and manage Windows Sun Valley with the same tools and methods that you use for Windows 10. When you integrate Windows Sun Valley into your environment, there will be some unique but familiar considerations, as you work with a mix of Windows 10 and Windows Sun Valley devices side-by-side. This article provides planning guidance to help you begin depoying Windows Sun Valley, specifically: @@ -32,9 +32,10 @@ This article provides planning guidance to help you begin depoying Windows Sun V - Application readiness - Functionality and coexistence with Windows 10 ecosystems -#### Deployment processes +#### Deployment process + +Consider the following steps to deploy Windows Sun Valley in your environment: -Consider using the following processes to deploy Windows Sun Valley: 1. [Preview Windows Sun Valley](windows-sv.md#how-to-get-windows-sun-valley) and create a deployment plan. 2. [Test critical applications](windows-sv-prepare.md#application-compatibility) and management policies. 3. Update devices to the Windows 10, version 20H1 or later. diff --git a/windows/whats-new/windows-sv.md b/windows/whats-new/windows-sv.md index 21147d17cf..3f327156fc 100644 --- a/windows/whats-new/windows-sv.md +++ b/windows/whats-new/windows-sv.md @@ -90,6 +90,6 @@ For more information, see [Windows 10 coexistence](windows-sv-plan.md#windows-10 ## Next steps -[Windows Sun Valley requirements](windows-sv-requirements.md) +[Windows Sun Valley requirements](windows-sv-requirements.md)
[Plan to deploy Windows Sun Valley](windows-sv-plan.md)
[Prepare for Windows Sun Valley](windows-sv-prepare.md) From 662a4e02ecbe21196549f980a36787f47f543e41 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 15 Jun 2021 13:18:29 -0700 Subject: [PATCH 319/415] edits --- windows/whats-new/windows-sv-plan.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/windows-sv-plan.md b/windows/whats-new/windows-sv-plan.md index 9afc2d8cc7..d6b6b7cde3 100644 --- a/windows/whats-new/windows-sv-plan.md +++ b/windows/whats-new/windows-sv-plan.md @@ -36,7 +36,7 @@ This article provides planning guidance to help you begin depoying Windows Sun V Consider the following steps to deploy Windows Sun Valley in your environment: -1. [Preview Windows Sun Valley](windows-sv.md#how-to-get-windows-sun-valley) and create a deployment plan. +1. [Preview Windows Sun Valley](windows-sv.md#how-to-get-windows-sun-valley) and create a phased deployment plan. 2. [Test critical applications](windows-sv-prepare.md#application-compatibility) and management policies. 3. Update devices to the Windows 10, version 20H1 or later. 4. Verify that devices meet the [minimum hardware requirements](windows-sv-requirements.md#hardware-requirements) for Windows Sun Valley. From cd204dd5cde3599646391b705ba17ff7857cfa9d Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 15 Jun 2021 14:06:10 -0700 Subject: [PATCH 320/415] edits --- windows/whats-new/windows-sv-plan.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/windows/whats-new/windows-sv-plan.md b/windows/whats-new/windows-sv-plan.md index d6b6b7cde3..95f8c84268 100644 --- a/windows/whats-new/windows-sv-plan.md +++ b/windows/whats-new/windows-sv-plan.md @@ -89,8 +89,6 @@ Windows Sun Valley annual releases are supported for 24 months or 36 months, dep | Windows Sun Valley Pro for Workstations | | | Windows Sun Valley Pro Education | | -A long term servicing channel release of Windows Sun Valley is not planned at this time. - #### Features and applications Most features and applications that are included with Windows 10 will be available on Windows Sun Valley. For information about features that are deprecated or work differently on Windows Sun Valley, see [article link here]. From 727dfe92ff3a817a49565fdcc874cda9a8e2a495 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Tue, 15 Jun 2021 16:29:59 -0700 Subject: [PATCH 321/415] Substituted because for that per the feedback. --- ...oy-multiple-windows-defender-application-control-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md index f3935c6b4b..1f9364ad64 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md @@ -103,7 +103,7 @@ To deploy policies locally using the new multiple policy format, follow these st Multiple WDAC policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). The CSP also provides support for rebootless policy deployment.
-However, when policies are un-enrolled from an MDM server, the CSP will attempt to remove every policy from devices, not just the policies added by the CSP. The reason for this is because the ApplicationControl CSP doesn't track enrollment sources for individual policies, even though it will query all policies on a device, regardless if they were deployed by the CSP. +However, when policies are un-enrolled from an MDM server, the CSP will attempt to remove every policy from devices, not just the policies added by the CSP. The reason for this is that the ApplicationControl CSP doesn't track enrollment sources for individual policies, even though it will query all policies on a device, regardless if they were deployed by the CSP. See [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp) for more information on deploying multiple policies, optionally using MEM Intune's Custom OMA-URI capability. From 4d33f48dd97275341b6023a2317c48eff9098e18 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Tue, 15 Jun 2021 16:42:32 -0700 Subject: [PATCH 322/415] Acrolinx "Bitlocker" and "Powershell" --- .../client-management/mdm/healthattestation-csp.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index 9df5a62fdf..9f691cab8c 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md @@ -502,8 +502,8 @@ The following list of data points are verified by the DHA-Service in DHA-Report - [HealthStatusMismatchFlags](#healthstatusmismatchflags) \* TPM 2.0 only -** Reports if Bitlocker was enabled during initial boot. -*** The “Hybrid Resume” must be disabled on the device. Reports 1st party ELAM “Defender” was loaded during boot. +\*\* Reports if BitLocker was enabled during initial boot. +\*\*\* The “Hybrid Resume” must be disabled on the device. Reports 1st party ELAM “Defender” was loaded during boot. Each of these are described in further detail in the following sections, along with the recommended actions to take. @@ -547,8 +547,8 @@ Each of these are described in further detail in the following sections, along w - Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a devices past activities and trust history. - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. -**BitlockerStatus** (at boot time) -

When Bitlocker is reported "on" at boot time, the device is able to protect data that is stored on the drive from unauthorized access, when the system is turned off or goes to hibernation.

+**BitLockerStatus** (at boot time) +

When BitLocker is reported "on" at boot time, the device is able to protect data that is stored on the drive from unauthorized access, when the system is turned off or goes to hibernation.

Windows BitLocker Drive Encryption, encrypts all data stored on the Windows operating system volume. BitLocker uses the TPM to help protect the Windows operating system and user data and helps to ensure that a computer is not tampered with, even if it is left unattended, lost, or stolen.

@@ -614,7 +614,7 @@ Each of these are described in further detail in the following sections, along w - Disallow all access - Disallow access to HBI assets - Place the device in a watch list to monitor the device more closely for potential risks. -- Trigger a corrective action, such as enabling VSM using WMI or a Powershell script. +- Trigger a corrective action, such as enabling VSM using WMI or a PowerShell script. **OSKernelDebuggingEnabled**

OSKernelDebuggingEnabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: they may run unstable code, or be configured with fewer security restrictions required for testing and development.

@@ -659,7 +659,7 @@ Each of these are described in further detail in the following sections, along w - Disallow all access - Disallow access to HBI and MBI assets - Place the device in a watch list to monitor the device more closely for potential risks. -- Trigger a corrective action, such as enabling test signing using WMI or a Powershell script. +- Trigger a corrective action, such as enabling test signing using WMI or a PowerShell script. **SafeMode**

Safe mode is a troubleshooting option for Windows that starts your computer in a limited state. Only the basic files and drivers necessary to run Windows are started.

From d2955fe82fb7c463a3cbaa1702cf0d586fcad5f4 Mon Sep 17 00:00:00 2001 From: Andrea Barr <81656118+AndreaLBarr@users.noreply.github.com> Date: Tue, 15 Jun 2021 17:03:49 -0700 Subject: [PATCH 323/415] Added a question and answer Added question and answer to lines 40-49 as requested by Radia Soulmani . --- .../faq-md-app-guard.yml | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml index cb0bff0dc0..10ada92e34 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml @@ -36,7 +36,18 @@ sections: `HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB` (Default is 8 GB.) `HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB` (Default is 5 GB.) - + + - question: | + My network configuration uses a proxy and I’m running into a “Cannot resolve External URLs from MDAG Browser: Error: err_connection_refused”. How do I resolve that? + answer: | + The manual or PAC server must be a hostname (not IP) that is neutral on the site-list. Additionally, if the PAC script returns a proxy, it must meet those same requirements. + + To make sure the FQDNs (Fully Qualified Domain Names) for the “PAC file” and the “proxy servers the PAC file redirects to” are added as Neutral Resources in the Network Isolation policies used by Application Guard, you can: + + - Verify this by going to edge://application-guard-internals/#utilities and entering the FQDN for the pac/proxy in the “check url trust” field and verifying that it says “Neutral”. + - It needs to be a FQDN…just a simple IP address will not work. + - Optionally, if possible, the IP addresses associated with the server hosting the above should be removed from the Enterprise IP Ranges in the Network Isolation policies used by Application Guard. + - question: | Can employees download documents from the Application Guard Edge session onto host devices? answer: | @@ -232,4 +243,4 @@ additionalContent: | ## See also - [Configure Microsoft Defender Application Guard policy settings](./configure-md-app-guard.md) \ No newline at end of file + [Configure Microsoft Defender Application Guard policy settings](./configure-md-app-guard.md) From 3e7c3664aa0c586d4a1302d9eafd15d71dec17d5 Mon Sep 17 00:00:00 2001 From: Shaun Pearson Date: Wed, 16 Jun 2021 09:30:04 +0100 Subject: [PATCH 324/415] What's new 21H1 Small typo noticed when looking the Windows Assessment and Deployment Toolkit section --- windows/whats-new/whats-new-windows-10-version-21H1.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/whats-new/whats-new-windows-10-version-21H1.md b/windows/whats-new/whats-new-windows-10-version-21H1.md index c56c65dac3..99f122b717 100644 --- a/windows/whats-new/whats-new-windows-10-version-21H1.md +++ b/windows/whats-new/whats-new-windows-10-version-21H1.md @@ -47,7 +47,7 @@ For a full list of what's new in Microsoft Intune, see [What's new in Microsoft ### Windows Assessment and Deployment Toolkit (ADK) -There is no new ADK for Windows 10, version 21H1. The ADK for Windows 10, version 2004 will also work with Windows 10, version 20H2. For more information, see [Download and install the Windows ADK](/windows-hardware/get-started/adk-install). +There is no new ADK for Windows 10, version 21H1. The ADK for Windows 10, version 2004 will also work with Windows 10, version 21H1. For more information, see [Download and install the Windows ADK](/windows-hardware/get-started/adk-install). ## Device management @@ -136,4 +136,4 @@ This release includes the following enhancements and issues fixed: [What's New in Windows 10](./index.yml): See what’s new in other versions of Windows 10.
[Announcing more ways we’re making app development easier on Windows](https://blogs.windows.com/windowsdeveloper/2020/09/22/kevin-gallo-microsoft-ignite-2020/): Simplifying app development in Windows.
[Features and functionality removed in Windows 10](/windows/deployment/planning/windows-10-removed-features): Removed features.
-[Windows 10 features we’re no longer developing](/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.
\ No newline at end of file +[Windows 10 features we’re no longer developing](/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.
From d8af561f11b372e4647544b91b790a89b71a09bc Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Wed, 16 Jun 2021 10:17:59 -0700 Subject: [PATCH 325/415] incorp white paper --- windows/whats-new/windows-sv.md | 64 +++++++++++++-------------------- 1 file changed, 24 insertions(+), 40 deletions(-) diff --git a/windows/whats-new/windows-sv.md b/windows/whats-new/windows-sv.md index 3f327156fc..eabaaffd5c 100644 --- a/windows/whats-new/windows-sv.md +++ b/windows/whats-new/windows-sv.md @@ -24,69 +24,53 @@ ms.custom: seo-marvel-apr2020 This article provides an introduction and answers some frequently asked questions about Windows Sun Valley, the next client release of Windows. -The following articles are available to learn about Windows Sun Valley: +Also see the following articles to learn about Windows Sun Valley: -1. Windows Sun Valley overview (this article): An introduction and brief overview. -2. [Windows Sun Valley requirements](windows-sv-requirements.md): Requirements to deploy Windows Sun Valley. -3. [Planning for Windows Sun Valley](windows-sv-plan.md): Information to help you create a Windows Sun Valley deployment plan. -4. [Prepare for Windows Sun Valley](windows-sv-prepare.md): Procedures to ensure readiness to deploy Windows Sun Valley. +- [Windows Sun Valley requirements](windows-sv-requirements.md): Requirements to deploy Windows Sun Valley. +- [Planning for Windows Sun Valley](windows-sv-plan.md): Information to help you create a Windows Sun Valley deployment plan. +- [Prepare for Windows Sun Valley](windows-sv-prepare.md): Procedures to ensure readiness to deploy Windows Sun Valley. ## Introduction -Windows Sun Valley is a newly designed Windows client operating system due to be released later in 2021. It is fresh and light, yet familiar to those who use Windows today. Windows Sun Valley is designed to support today's flexible [hybrid work](https://pulse.microsoft.com/the-journey-to-the-new-normal-driving-innovation-and-productivity-in-a-hybrid-world/) environment and to be the most reliable, secure, connected, and performant OS release ever. +Windows Sun Valley is the next evolution of Windows; the most significant update to the Windows operating system since Windows 10. It offers a fresh experience that is flexible and fluid, designed to support today's hybrid work environment and to be the most reliable, secure, connected, and performant Windows OS ever. -Windows Sun Valley is built on the same foundation as Windows 10, so you can deploy, manage, and secure Windows Sun Valley using the same tools and solutions you use today. +Windows Sun Valley contains many innovations focused on enhancing end user productivity. It is built on the same foundation as Windows 10, ensuring that the investments you have made in tools for update and device management are carried forward. Windows Sun Valley provides the benefits that commercial organizations and IT pros need and rely upon every day: best-in-class security, simplified manageability, and high availability. It also sustains the application compatibility promise we made with Windows 10, supplemented by programs like App Assure in cases where additional support is needed. -All upgrades to Windows Sun Valley from Windows 10 will be free. +In summary, because Windows Sun Valley is built on the same foundation as Windows 10, you can deploy, manage, and secure Windows SV using the same tools and solutions you use today. For Microsoft 365 customers seeking further assistance, FastTrack will continue to be available to support your efforts to adopt Windows SV. ## How to get Windows Sun Valley -Windows Sun Valley will delivered as an upgrade to devices running Windows 10, beginning in the first half of 2022. Windows Sun Valley will also be available on new, eligible devices. -- For PCs that are managed by your organization and meet requirements, the upgrade will be provided using the same processes that you use today for feature updates. For more information, see [Management tools](windows-sv-prepare.md#management-tools). -- For personal devices and other unmanaged PCs that meet requirements, the upgrade will be offered through Windows Update using [intelligent rollout](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/using-machine-learning-to-improve-the-windows-10-update/ba-p/877860). Windows 10 devices purchased after June 2021 that meet or exceed the minimum hardware requirements for Windows Sun Valley will be offered the upgrade starting in October of 2021. -- You can get early access to test Windows Sun Valley by joining the the Windows Insider Program [Release Preview Channel](/windows-insider/business/validate-Release-Preview-Channel), or by enabling pre-release Windows 10 feature updates in Configuration Manager or Windows Server Update Services (WSUS). +Windows Sun Valley will be delivered as an upgrade to eligible devices running Windows 10 beginning in the first half of 2022. Windows Sun Valley will also be available on new, eligible devices. + +For PCs that are managed by your organization and meet the eligibility requirements, Windows Sun Valley will be available through the same, familiar channels we utilize for Windows 10 feature updates today. You will be able to use existing deployment and management toolsets, such as Windows Update for Business, Microsoft Endpoint Management, and Windows Autopilot and those commercial customers running Pro, Enterprise and Education editions of Windows 10 will have control over when to upgrade their devices from Windows 10 to Windows Sun Valley. For more information, see Management tools. + +For personal devices and other unmanaged PCs that meet the eligibility requirements, the upgrade will be offered through Windows Update using our intelligent rollout process to ensure a smooth upgrade experience. Windows 10 devices purchased after June 2021 that meet or exceed the minimum hardware requirements for Windows Sun Valley will be offered the upgrade starting in October of 2021. + +For those interested in testing Windows Sun Valley before general availability, we recommend joining the Windows Insider Program or Windows Insider Program for Business [Release Preview Channel](/windows-insider/business/validate-Release-Preview-Channel), or enabling pre-release Windows 10 feature updates in [Microsoft Endpoint Configuration Manager](/mem/configmgr/core/servers/manage/pre-release-features) or [Windows Server Update Services](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/publishing-pre-release-windows-10-feature-updates-to-wsus/ba-p/845054) (WSUS). For more information about eligibility to upgrade, see [Windows Sun Valley requirements](windows-sv-requirements.md). +## Before you begin + #### Licensing There are no unique licensing requirements for Windows Sun Valley beyond what is required for Windows 10 devices. -Microsoft 365 licenses that include Windows 10 licenses will permit you to run Windows Sun Valley on supported devices. +Microsoft 365 licenses that include Windows 10 licenses will permit you to run Windows Sun Valley on supported devices. If you have a volume license, it will equally cover Windows Sun Valley and Windows 10 devices before and after upgrade. -If you have a volume license, it will equally cover Windows Sun Valley and Windows 10 devices before and after upgrade. +#### Compatibility -#### Rollback +Most accessories and associated drivers that worked with Windows 10 are expected to work with Windows Sun Valley. Check with your accessory manufacturer for specific details. -After you have upgraded to Windows Sun Valley, you have 10 days to use the rollback function if you wish to move back to Windows 10 while keeping your files and data. After the 10 day grace period, you will need to back up your data and perform a clean install to move back to Windows 10. +Windows Sun Valley also preserves the application compatibility promise made with Windows 10 and does not require changes to existing support processes or tooling to sustain the currency of applications and devices. Microsoft 365 customers can continue to use programs such as App Assure and FastTrack to support IT efforts to adopt and maintain Windows Sun Valley. For more information, see [Application compatibility](windows-sv-prepare.md#application-compatibility). -## Compatibility +#### Familiar deployment process -Windows Sun Valley is built on the same foundation as Windows 10, so you can generally deploy, manage, and secure Sun Valley using the same tools and solutions you use today. +Windows Sun Valley is built on the same foundation as Windows 10, so you can generally use the same tools and solutions you use today to deploy, manage, and secure Windows Sun Valley. You can also use your current management tools, processes, and settings to manage monthly quality updates for both Windows 10 and Windows Sun Valley. For more information, see [Management tools](windows-sv-prepare.md#management-tools) and [Configurations](windows-sv-plan.md#configurations). -#### Management and tools +#### Servicing Windows Sun Valley -You can use your current management tools, processes, and settings to manage quality updates for both Windows 10 and Windows Sun Valley. For more information, see [Management tools](windows-sv-prepare.md#management-tools) and [Configurations](windows-sv-plan.md#configurations). - -#### Hardware compatibility - -Most accessories and associated software that worked with Windows 10 are expected to work with Windows Sun Valley. Check with your accessory manufacturer for specific details. - -#### Application compatibility - -Windows Sun Valley preserves the application compatibility promise made with Windows 10, and does not require changes to existing support processes or tooling to sustain the currency of applications and devices. Programs like App Assure and FastTrack for Microsoft M365 customers will continue to be available to support IT efforts to adopt and maintain Windows Sun Valley. - -For more information, see [Application compatibility](windows-sv-prepare.md#application-compatibility) - -## Windows Sun Valley servicing - -For details about the Windows Sun Valley servicing cadence and lifecycle, see [Windows Sun Valley servicing](windows-sv-plan.md#windows-sun-valley-servicing). - -## Windows 10 servicing - -Windows 10 will continue to be supported with security updates until October 2025. - -For more information, see [Windows 10 coexistence](windows-sv-plan.md#windows-10-coexistence). +Windows Sun Valley will have an annual feature update cadence and receive monthly quality updates. For details, see [Windows Sun Valley servicing](windows-sv-plan.md#windows-sun-valley-servicing). When Windows Sun Valley reaches general availability, important servicing-related announcements and information about known issues and safeguard holds can be found on the Windows release health hub. Monthly release notes will available via a consolidated Windows Sun Valley update history page at that time as well. ## Next steps From aef7333ad599c711065ba4a41c54fc8def5733aa Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 16 Jun 2021 11:26:46 -0700 Subject: [PATCH 326/415] Update faq-md-app-guard.yml --- .../microsoft-defender-application-guard/faq-md-app-guard.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml index 10ada92e34..03baa2d537 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml @@ -9,7 +9,7 @@ metadata: ms.localizationpriority: medium author: denisebmsft ms.author: deniseb - ms.date: 05/12/2021 + ms.date: 06/16/2021 ms.reviewer: manager: dansimp ms.custom: asr @@ -45,7 +45,7 @@ sections: To make sure the FQDNs (Fully Qualified Domain Names) for the “PAC file” and the “proxy servers the PAC file redirects to” are added as Neutral Resources in the Network Isolation policies used by Application Guard, you can: - Verify this by going to edge://application-guard-internals/#utilities and entering the FQDN for the pac/proxy in the “check url trust” field and verifying that it says “Neutral”. - - It needs to be a FQDN…just a simple IP address will not work. + - It must be a FQDN. A simple IP address will not work. - Optionally, if possible, the IP addresses associated with the server hosting the above should be removed from the Enterprise IP Ranges in the Network Isolation policies used by Application Guard. - question: | From d8e7613d44998aa49989e83f8aa3c68b3aa8c381 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Wed, 16 Jun 2021 12:30:35 -0700 Subject: [PATCH 327/415] incorp white paper --- windows/whats-new/windows-sv-plan.md | 165 ++++++++++--------- windows/whats-new/windows-sv-prepare.md | 63 +++---- windows/whats-new/windows-sv-requirements.md | 42 ++--- windows/whats-new/windows-sv.md | 2 +- 4 files changed, 133 insertions(+), 139 deletions(-) diff --git a/windows/whats-new/windows-sv-plan.md b/windows/whats-new/windows-sv-plan.md index 95f8c84268..1eed113eaa 100644 --- a/windows/whats-new/windows-sv-plan.md +++ b/windows/whats-new/windows-sv-plan.md @@ -1,5 +1,5 @@ --- -title: Plan to deploy Windows Sun Valley +title: Plan for Windows Sun Valley description: Windows Sun Valley deployment planning, IT Pro content. keywords: ["get started", "windows sun valley", "plan"] ms.prod: w11 @@ -14,7 +14,7 @@ ms.localizationpriority: high ms.topic: article --- -# Plan to deploy Windows Sun Valley +# Plan for Windows Sun Valley **Applies to** @@ -22,87 +22,104 @@ ms.topic: article ## Deployment planning -Windows Sun Valley is developed with Windows 10 as its foundation, enabling you to plan, prepare, deploy, and manage Windows Sun Valley with the same tools and methods that you use for Windows 10. When you integrate Windows Sun Valley into your environment, there will be some unique but familiar considerations, as you work with a mix of Windows 10 and Windows Sun Valley devices side-by-side. +This article provides guidance to help you plan for Windows Sun Valley in your organization. -This article provides planning guidance to help you begin depoying Windows Sun Valley, specifically: +Since Windows Sun Valley is built on the same foundation as Windows 10, you can utilize the same deployment capabilities, scenarios, and tools—as well as the same basic deployment and servicing strategy. At a high level, this strategy should include the following steps: +- Create a deployment plan. +- Define readiness criteria. +- Evaluate current infrastructure and tools. +- Determine application readiness. +- Define your servicing strategy. + +As most organizations will have a mix of Windows Sun Valley and Windows 10 and SV devices side-by-side as they integrate SV into their environments, there are some unique yet largely familiar considerations for this new operating system to help in planning for upcoming deployments. + +#### Determine eligibility + +As a first step, you will need to know which of your current PCs meet the Windows Sun Valley hardware requirements. Detailed requirements can be found at [LINK NEEDED](). However, in general you should expect that if your devices were acquired within the last 18-24 months, they will be able to run Windows Sun Valley. + +Analysis tools will be created and made available to evaluate devices against the Windows Sun Valley hardware requirements. A standalone tool will be available, and the ability to evaluate upgrade eligibility will also be integrated into your existing enterprise tool sets. + +When Windows Sun Valley reaches general availability, end users running Windows 10 Home, Pro, and Pro for Workstations can use the PC Health Check app to determine their eligibility for Windows Sun Valley. End users running Windows 10 Enterprise and Education editions should rely on their IT administrators to let them know when they are eligible for the upgrade. [LINK NEEDED]() has been developed for this purpose. + +For enterprise customers, analytics tools will be available for administrators to evaluate device readiness, including Endpoint Analytics and Update Compliance. Microsoft is also sharing information with independent sofware vendors to enable their tools to support analytics for Windows Sun Valley. + +#### Windows Sun Valley availability + +As with Windows 10, the availability of Windows Sun Valley experience will vary depending on whether the device receives updates from Windows Update (unmanaged devices), or from a management solution that is maintained by an administrator (managed devices). + +##### Unmanaged devices + +For unmanaged devices, most eligible devices purchased after June of 2021 will be offered the Windows Sun Valley upgrade in October of 2021. New device messaging will vary by PC manufacturer, but users will see labels such as **This PC will upgrade to Windows Sun Valley once available** on products that are available for purchase. + +> [!NOTE] +> New devices purchased after October 2021 will see the Windows Sun Valley offer during the out of box experience, or they will already be upgraded to Windows Sun Valley. + +After General Availability (GA) date for Windows Sun Valley, the OS upgrade will be available to eligible Windows 10 devices that use Windows Update. The upgrade will be available first to seekers, then as part of Microsoft's intelligent rollout process. As with all Microsoft update managed devices, the Windows Update Settings page will confirm when a device is eligible, and users can choose to upgrade or not. + +Just like Windows 10, the machine learning based [intelligent rollout](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/using-machine-learning-to-improve-the-windows-10-update/ba-p/877860) process will be leveraged when rolling out upgrades. Machine learning uses a combination of testing, close partner engagement, feedback, diagnostic data, and real-life insights to manage quality. This improves the update experience and ensures that devices first nominated for updates are those likely to have a seamless experience. Devices that might have compatibility issues with the upgrade get the benefit of resolving these issues before the upgrade is offered. + +##### Managed devices + +The innovations and end user productivity improvements in Windows Sun Valley are exciting. However, the "right time" to upgrade will be different for each organization. For devices that you manage as an organization, you can choose between Windows Sun Valley and Windows 10, and decide when the time is right to incorporate Window Sun Valley into your environment. Initially, it is expected that enterprise environments will contain a mix of Windows 10 and Windows Sun Valley. + +Organizations will be able to deploy the Windows Sun Valley upgrade to eligible devices using their existing management tools beginning at GA. Environments that use Windows Update for Business (WUfB) will have the additional benefit of two safety nets: offering blocks on non-eligible devices who do not meet the hardware requirements, and Safeguard holds. Safeguard holds will function for SV devices just as they do for Windows 10. Administrators will have access to information on which Safeguard holds are preventing individual devices from taking the upgrade to Windows Sun Valley. + +> [!NOTE] +> If you use WUfB to manage feature update deployments today you will need to leverage the **Target Version** policy rather than **Feature Update deferrals** to move from Windows 10 to Windows Sun Valley. Deferrals are great for quality updates or to move to newer versions of the same product (Windows 10 to Windows 10), but they cannot migrate a devices between products (Windows 10 to Windows Sun Valley). +> Additionally, Windows Sun Valley has a new end user license agreement. If you are deploying with WUfB **Target Version** or with WSUS, you are accepting this new end user license agreement on behalf of the end users within your organization. + +Some additional considerations about upgrading: + +- Windows 10 Pro or higher can upgrade for free using existing management tools. +- Devices running S mode will first need to switch out of S mode because it is not supported on Windows Sun Valley. +- Downgrade rights are available with Windows Sun Valley Pro OEM licensed devices and with Microsoft Volume Licensing, where the licensing agreement permits it. +- You can downgrade to any version of Windows Pro/Professional that has not reached its end of support date. + +##### Availability and upgrade path + +As previously mentioned, the Windows Sun Valley upgrade offer will begin for eligible devices at GA in October of 2021. This is true for eligible devices already running updated Windows 10 as well as for new devices. + +To preview Windows Sun Valley, you can join the [Windows Insider Program](https://insider.windows.com/for-business) (WIP). This enables you to begin validating Windows Sun Valley, as well as exploring new features as they’re being created. As a WIP participant in the [Release Preview Channel](/windows-insider/business/validate-Release-Preview-Channel), Windows Sun Valley will be available to you in the summer of 2021, well ahead of the October GA date. + +You can deploy directly from the Windows Insider Pre-release category in WSUS in a variety of ways: +1. Configure Manage Preview Builds to **Release Preview** with WUfB. +2. Leverage Windows Virtual Devices or Cloud PC* (check if this will be announced when this paper goes out) and Azure Marketplace images. +3. Download and deploy ISOs from Microsoft’s Windows Insider Program ISO Download page. + +Regardless of which way you choose to deploy, you have the benefit of free Microsoft support when validating a pre-release. All you need to do is go to [Support for business](http://support.microsoft.com/supportforbusiness/productselection?sapId=39fc4a93-68cd-5a19-f91b-f0b349a098f3) and submit your support case. This is free for any Microsoft commercial customer deploying Windows 10 version 21H2 or Windows Sun Valley 21H2 pre-release bits after the commercial preview date in summer 2021. + +Your Windows Sun Valley and Windows 10 devices will receive regular monthly quality updates to provide security updates and bug fixes. Windows Sun Valley devices will receive a single feature update annually, a change from the twice per year of Windows 10. + +Devices on in-service versions of Windows 10 that do not meet Windows Sun Valley hardware requirements will continue to receive monthly Windows 10 security updates through 2025, as well as incremental improvements to Windows 10 to support your ongoing deployments of Microsoft 365. + +##### Servicing duration + +Along with end user experience and security improvements, Windows Sun Valley introduces enhancements to our servicing approach based on your suggestions and feedback. + +Windows 10 feature updates are released twice yearly via the Semi-Annual Channel. They are serviced with monthly quality updates for 18 or 30 months from the date of the release, depending on the lifecycle policy. Windows Sun Valley will have an annual feature update cadence, targeted for release in the second half of the calendar year. +- Home, Pro, Pro for Workstations, and Pro for Education editions of Windows Sun Valley will receive 24 months of support from the date of release. +- Enterprise and Education editions of Windows Sun Valley will be supported for 36 months. + +For more details on the lifecycle and servicing strategy for Windows Sun Valley, see [Windows lifecycle and servicing update overview](). - - Adoption guidance - - Infrastructure planning - - Servicing cadence and lifecycle - - Application readiness - - Functionality and coexistence with Windows 10 ecosystems +Microsoft recognizes the importance that organizations have adequate time to plan for Windows Sun Valley. Therefore, we have committed to supporting Windows 10 through October 14, 2025. For more information, see the [Windows release information]() page. This page also includes information for Windows 10 semi-annual channel and LTSC releases. -#### Deployment process +A consolidated [update history]() is also available for every version of the Windows operating system. This information offers quick access to knowledge base articles for each monthly, optional, and out-of-band release. In addition to update highlights, you’ll find a list of improvements and fixes, a summary of any known issues, and details on how to get the update, including any prerequisites. -Consider the following steps to deploy Windows Sun Valley in your environment: +##### Application compatibility -1. [Preview Windows Sun Valley](windows-sv.md#how-to-get-windows-sun-valley) and create a phased deployment plan. -2. [Test critical applications](windows-sv-prepare.md#application-compatibility) and management policies. -3. Update devices to the Windows 10, version 20H1 or later. -4. Verify that devices meet the [minimum hardware requirements](windows-sv-requirements.md#hardware-requirements) for Windows Sun Valley. -5. [Update](windows-sv-prepare.md#management-tools) deployment tools, infrastructure, and policies. -6. Update qualifying devices to Windows Sun Valley. +Windows 10 upgrades have proven to be highly compatible, and that does not change with Windows Sun Valley. Our compatibility promise for Windows 10 is that upgrades will maintain compatibility with apps written for previously released versions. Windows Sun Valley comes with the same App Assure promise and commitment that you have known with Windows 10. Data from the App Assure program shows that Windows 10 compatibility rates are over 99.7% for our enterprise customers, including line of business apps. This great progress will not be lost. Windows Sun Valley has been subjected to, and is passing the same app compatibility validation requirements, that are in place for Windows 10 feature and quality update releases today. -#### Phased deployment +##### App Assure and Test Base -A phased deployment model is recommended for rolling out upgrades to devices in your organization. This is is described in the [service management model](/windows/deployment/update/create-deployment-plan) that is recommended for Windows 10 updates. It includes separate groups or 'rings' of devices that receive updates based on their role in your deployment plan. For example: -- Preview: Windows Sun Valley planning and development -- Limited: Windows Sun Valley pilot deployment -- Broad: Windows Sun Valley rollout +You might already be using App Assure and Test Base in your Windows 10 environment. Both of these tools will continue to function with Windows Sun Valley. With enrollment in the App Assure service, if you find any problems with an existing application as you migrate to Windows Sun Valley, Microsoft will help you remedy application issues at no cost. Since 2018, App Assure has evaluated almost 800,000 apps, and subscriptions are free for eligible customers with 150+ seats. -With this method, you define the timing and scope of devices that will migrate to Windows Sun Valley, documenting and validating each phase before moving to the next one. - -Also consider [assigning roles](/windows/deployment/update/plan-define-readiness) within your organization to groups and individuals you'll need to carry out specific tasks, if you have not already done so. - -## Infrastructure and tools - -You can use your current management tools and processes to manage quality updates for both Windows 10 and Windows Sun Valley, as well as using them to move between the two products beginning on the General Availability (GA) date for Windows Sun Valley. - -For information about updates that are required to support the deployment of Windows Sun Valley, see [Management tools](windows-sv-prepare.md#management-tools). - -Also see [Evaluate infrastructure and tools](/windows/deployment/update/eval-infra-tools) for a list of tasks related to deploying feature updates. - -## Configurations - -Assess your current [configurations](/windows/deployment/update/eval-infra-tools#configuration-updates) such as security baselines, administrative templates, and policies that affect updates. Then, set some criteria to define your [operational readiness](/windows/deployment/update/eval-infra-tools#define-operational-readiness-criteria), Define an infrastructure update plan to: -- Review requirements -- Identify gaps -- Implement required updates - -## Windows Sun Valley servicing - -#### Cadence - -Windows Sun Valley feature updates will be released once per year, in the second half of the year. Quality updates will be released each month, on the second Tuesday of the month. - -Microsoft will continue to provide one cumulative package that includes all latest cumulative updates and servicing stack updates, if applicable, for Windows Sun Valley. This will be provided as a single package to Windows Server Update Services (WSUS) and Catalog, and have them orchestrated on the device. This capability is also the default for devices using Windows Update. - -#### Lifecycle - -Windows Sun Valley annual releases are supported for 24 months or 36 months, depending on the edition. This is a different servicing lifecycle than that for [Windows 10 release information](/windows/release-health/release-information). See the following table:
 
- - -| 24 months from the release date | 36 months from the release date | -| ------------------------------- | ------------------------------- | -| Windows Sun Valley Home | Windows Sun Valley Enterprise | -| Windows Sun Valley Pro | Windows Sun Valley Education | -| Windows Sun Valley Pro for Workstations | | -| Windows Sun Valley Pro Education | | - -#### Features and applications - -Most features and applications that are included with Windows 10 will be available on Windows Sun Valley. For information about features that are deprecated or work differently on Windows Sun Valley, see [article link here]. - -## Application readiness - -Windows Sun Valley is designed to work with the applications you are currently using with Windows 10. If an application compatibility issue is identified, Microsoft provides services to help you remediate the problem. For more information, see [Application compatibility](windows-sv-prepare.md#application-compatibility). - -## Windows 10 coexistence - -For organizations that need to maintain a mixed enviroment with coexisting Windows 10 and Windows Sun Valley devices, Microsoft’s guidance is to standardize on Windows 10, version 21H2. This release will be the last feature update to Windows 10, and will receive specific feature enhancements to ease migrating to Windows Sun Valley. - -Windows 10 will continue to be supported with security updates until October 2025. +If you’ve created your own applications, Test Base for Microsoft is a service that allows independent software vendors and commercial customers to validate their apps across a variety of updates and environments in a Microsoft managed Azure environment. Both services can be of benefit to you as you roll out Windows Sun Valley into your environment. ## Next steps [Prepare for Windows Sun Valley](windows-sv-prepare.md) + +## Also see + +Learning module diff --git a/windows/whats-new/windows-sv-prepare.md b/windows/whats-new/windows-sv-prepare.md index 0c7db4b32a..c617d105a9 100644 --- a/windows/whats-new/windows-sv-prepare.md +++ b/windows/whats-new/windows-sv-prepare.md @@ -20,64 +20,51 @@ ms.topic: article - Windows Sun Valley, version 21H2 -## Deployment readiness -This article provides details on how to begin testing and validating Windows Sun Valley in your environment, and prepare for deployment. Links are also provided to important resource locations for more information. +Organizations will vary in their pace relative to transitioning from Windows 10 to SV, and we expect early corporate adoptions to consist of smaller test environments before rolling out to wider groups begins. We are committed to supporting you through your migration to Windows Sun Valley whether you are a fast adopter, or will make the transition over the coming months or years. -To prepare for deployment of Windows Sun Valley, you will need to implement your [planned updates](windows-sv-plan.md) to infrastructure, settings, and tools, including: -- Test your critical applications and management policies -- Update devices to Windows 10, version 20H1 or later -- Verify hardware meets requirements for Windows Sun Valley -- Update your management tools, infrastructure, and policies -- [Prepare users](/windows/deployment/update/prepare-deploy-windows#prepare-users) for Windows Sun Valley. +With the new Windows Sun Valley experience, hybrid environments of both operating systems running simultaneously will be the norm. Windows 10 and Windows Sun Valley are designed to co-exist during this time, so that you can use the same familiar tools and process to manage them, as well as continue to give your users the best Microsoft 365 experience. You’ll have one common management infrastructure, and support for common applications across both Windows 10 and Windows Sun Valley to simplify the migration process. You’ll use the IT Pro tools that you are familiar with and have been using in the past to prepare for deployments also work in Windows Sun Valley; you can analyze endpoints, determine application compatibility, and manage deployments in the same way you did with Windows 10. -After completing these actions, you can begin your phased deployment of Windows Sun Valley. +As you prepare for Windows Sun Valley, it’s also a good time to look at the deployment infrastructure of your environment. If you aren’t already taking advantage of cloud-based management tools like Microsoft Endpoint Manager this might be the perfect scenario in which to make that leap. Or if you are exclusively using an on-premises management tool such as Configuration Manager, using Cloud management gateway, enabling tenant attach, or enabling co-management with Microsoft Intune are all ways to help keep devices secure and up-to-date. ---insert links for the named solutions -## Application compatibility +Additionally, policies related to deployment may need to be updated or re-evaluated respective of update compliance deadlines, device activity policies, and the re-evaluation of older policies. A servicing mindset pointed at keeping current means that, as with Windows 10 devices, you will create a deployment plan in order to build out your servicing strategy. -Two Microsoft services that work directly with you to ensure application compatibility with Windows Sun Valley are [App Assure](https://www.microsoft.com/fasttrack/microsoft-365/app-assure) and [Test Base](https://www.microsoft.com/testbase). +## Analytics -- If you experience any issues with your apps and are enrolled in the App Assure service, Microsoft will help you identify the issue at no cost. App Assure works with you to troubleshoot the issue, determine the root cause, and can help fix the issue as well. App Assure is subscription based, but subscriptions are free for eligible customers with 150+ seats. -- Test Base is Microsoft's intelligent application validation service that allows software vendors and commercial customers to test their applications. The Test Base test and validation environment runs Windows Sun Valley as well as Windows 10 with a matrix of updates and environments in a Microsoft managed Azure environment. You can get started by enrolling in Test Base for Microsoft 365. +If you’re a Microsoft Endpoint Manager customer, make sure you’ve onboarded your devices to Endpoint analytics. Later this year, we’ll be providing a hardware readiness assessment directly in Endpoint analytics so that you can quickly identify which of your managed devices meet or exceed the minimum hardware requirements. -You can also use [Endpoint Analytics](/mem/analytics/app-reliability), to test application compatibility. +If you’d rather start exploring Windows Sun Valley readiness within your organization right away, take advantage of our [hardware eligibility assessment script](add link). By following the instructions to deploy and aggregate results via Microsoft Intune or Configuration Manager, you can quickly determine how many of your devices meet the hardware requirements for Windows Sun Valley. ## Management tools -The following updates are required to support deploying Windows Sun Valley. +The toolset that you use for heavy lifting during deployments of Windows 10 are still able to be leveraged in Windows Sun Valley. There are a few nuanced differences described here: -#### Microsoft Intune +#### On-premises management -No infrastructure update is required for you to use Microsoft Intune because it is cloud-based. - - If you are using Microsoft Intune with E3 licenses you will be able to leverage **Feature Update Deployments** to easily manage moving between Windows 10 versions or to Windows Sun Valley. +- Windows Server Update Service (WSUS): Commercial customers using WSUS will need to sync the new **Windows Sun Valley** product category. Once you sync the product category you will see the feature update to SV. Please note that during deployment you will be prompted to agree to the license agreement on behalf of your end users. Additionally, you will note there is no x86 (32 bit?) payload for Windows Sun Valley as such is no longer supported on Windows Sun Valley going forward. +- MEM Configuration Manager: For customers using MEM Configuration Manager, you will easily be able to sync the new “Windows Sun Valley” Product category and begin upgrading eligible devices. Please note that Configuration Manager will prompt you to accept the end user license agreement on behalf of the users in your organization. If you would like to validate Windows Sun Valley prior to release, simply sync the **Windows Insider Pre-release** category as well. -#### Windows Autopilot +#### Cloud management -Windows Autopilot works seamlessly in a Windows Sun Valley Out-of-Box-Experience (OOBE) environment. - - In an Intune environment, a Windows Sun Valley boot image needs to already exist on the device for Windows Autopilot to work with Windows Sun Valley. - - If the device comes with a Windows 10 boot image, an administrator can use Windows Autopilot to deploy Windows 10, and then use WUfB to upgrade to Windows Sun Valley. - - To use [Windows Autopilot to upgrade existing devices](/mem/autopilot/existing-devices), Configuration Manager and the task sequence: **Windows Autopilot for existing devices** can place the Windows Sun Valley boot image on the managed device, allowing Windows Autopilot to deploy Windows Sun Valley. - - Windows Autopilot cannot be used to downgrade a device from Windows Sun Valley to Windows 10. +- Windows Update for Business (WUfB) Group Policy (GP) and Configuration Service Provider (CSP) policies: Commercial customers using WUfB will need to leverage the Target Version capability rather than feature update deferrals to move from Windows 10 to Windows Sun Valley. Feature Update deferrals are great to move to newer versions of your current product, but do not enable you to move between products (Windows 10 to Windows Sun Valley). Quality update deferrals will continue to work the same across both Windows 10 and Windows Sun Valley. This is true whether using WUfB through Group Policy Management Console (GPMC), MEM Intune, or other 3rd party management tools. +- MEM Intune: For customers using MEM Intune with E3 licenses you will be able to leverage **Feature Update Deployments** to easily manage moving between Windows 10 versions or to Windows Sun Valley, version 21H2. You will be able to continue using the same update experience controls to manage the behavior of the device once updates are offered for either Windows 10, version 21H2 and Windows Sun Valley, version 21H2. -#### Configuration Manager +## Deploy Windows Sun Valley -Configuration Manager should use the current branch. - - You will easily be able to sync the new **Windows Sun Valley** product category and upgrade eligible devices. - - Configuration Manager will prompt you to accept the End User License Agreement (EULA) on behalf of the users in your organization. - - If you would like to validate Sun Valley prior to release, simply sync the **Windows Insider Pre-release** category as well. +Since your familiar Windows 10 toolsets are meant to be used with Windows Sun Valley as well, then managing, securing, and deploying Windows Sun Valley devices will be well known procedures in the plan, prepare and deploy process. -#### WSUS - -If you use Windows Server Update Services (WSUS), you will need to sync the new **Windows Sun Valley** category. - -#### WUfB - -Windows Update for Business (WUfB) users can leverage the **Target Version** capability (not Feature Update deferrals). - - Feature Update deferrals are great to move to newer versions of a product (for example: Windows 10 21H1 to Windows 10 21H2), but deferrals do not enable you to move between products (Windows 10 to Windows Sun Valley). Quality update deferrals will continue to work the same across both Windows 10 and Windows Sun Valley. - - WUfB has the additional benefit of two safety nets: offering blocks on non-eligible devices, and [Safeguard holds](/windows/deployment/update/safeguard-holds). Safeguard holds will function for Windows Sun Valley devices just as they do for Windows 10. Administrators will have access to information on which safeguard holds are preventing individual devices from taking the upgrade to Windows Sun Valley. +Just as we recommend that broad deployment of new versions of Windows 10 begin with a pilot deployment phase, Windows Sun Valley is no different. Further, in your blended environment of Windows 10-capable devices and Windows 10 + SV-eligible devices, you will be poised to roll out an update to a select number of devices. Once you’ve gone through the checklist of pilot deployment tasks such as assigning the pilot devices from your prepare phase, implementing baseline and operations updates, testing and supporting the devices, and so forth, you can deploy to your test group. We recommend cloud-based deployment solutions such as Microsoft Endpoint Manager to fully take advantage of data-driven insights, though Configuration Manager works as well. +Using artifacts from your Plan and Prepare phase (such as security and configuration baselines, etc.) as well as data from your test deployment, will give you the confidence you seek to manage a broader rollout of Windows Sun Valley to increasingly larger rings of eligible devices. Desktop Analytics will help you ensure that your apps are scoped to only the pilot rings you designate. +Though we’ve mentioned only a few, the tools and processes we have had in place for your previous 10 Windows deployment will be there for you with Windows Sun Valley as well. ## See also [Windows Sun Valley deployment planning](windows-sv-plan.md) + +• Windows release health: Windows release health offers the quickest way to stay up to date on update-related news, information, and best practices, including important lifecycle reminders and the status of known issues and safeguard holds. IT administrators have access to this information, plus additional details, within the health experience Microsoft 365 admin center. + +• Windows Tech Community: Offering technical professionals a place to discuss, share, troubleshoot, and learn around Windows, Tech Community is also the home of the Windows IT Pro Blog, our monthly Windows Office Hours events, and the Windows Video Hub. + +• Microsoft Learn: We are in the process of developing online learning paths and modules to help you and your organization effectively plan, prepare, and deploy Windows Sun Valley effectively. diff --git a/windows/whats-new/windows-sv-requirements.md b/windows/whats-new/windows-sv-requirements.md index 1ec42163e8..469fe1924c 100644 --- a/windows/whats-new/windows-sv-requirements.md +++ b/windows/whats-new/windows-sv-requirements.md @@ -1,7 +1,6 @@ --- title: Windows Sun Valley requirements description: Hardware requirements to deploy Windows Sun Valley -ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C ms.reviewer: manager: laurawi ms.audience: itpro @@ -22,38 +21,29 @@ ms.custom: seo-marvel-apr2020 - Windows Sun Valley, version 21H2 -This article lists the software and physical hardware requirements to run Windows Sun Valley. Windows Sun Valley is also supported on a Virtual Machine (VM). - -## Software requirements - -The upgrade to Sun Valley is available for devices running Windows 10, version 20H1 or later, on eligible hardware. - -> [!NOTE] -> S mode is not supported on Windows Sun Valley. -> If you are running Windows in S mode, you will need to first [switch out of S mode](/windows/deployment/windows-10-pro-in-s-mode) prior to upgrading. +This article lists the system requirements for Windows Sun Valley. Windows Sun Valley is also supported on a virtual machine (VM). For the best Windows Sun Valley upgrade experience, eligible devices should be running Windows 10, version 20H1 or later. ## Hardware requirements To install Windows Sun Valley, devices must meet the following specifications: -Processor -- Intel 8th generation, Intel Celeron N4000, Pentium N5000 -- AMD Ryzen gen 2 (Zen+), AMD 3xxx -- Qualcomm 7c, 8c, 8cx -- 64bit architecture -- 1Ghz clock speed -- 2 cores - -Hardware -- 64GB drive -- 4GB RAM -- UEFI, Secure Boot capable & TPM 2.0 -- Monitor size 9” or more with HD Resolution -- DirectX 12 compatible graphics / WDDM 2.x +- Processor: 1 gigahertz (GHz) or faster processor or SoC; dual-core CPU or greater + - Intel 8th generation, Intel Celeron N4000, Pentium N5000 + - AMD Ryzen gen 2 (Zen+), AMD 3xxx + - Qualcomm 7c, 8c, 8cx -## Network requirements +- RAM: 4 gigabyte (GB) or greater +- Hard disk space: 64GB, 64-bit architecture +- Graphics card: DirectX 12 or later with WDDM 2.x driver +- Security: Trusted Platform Module (TPM) 2.0 chip, UEFI support, Secure Boot capable +- Display: 9" monitor size or greater with HD (1366 x 768) resolution or greater +- Internet connection: Internet connectivity is necessary to perform updates and to download and take advantage of some features. It is required for the Home edition of Windows Sun Valley. -Internet connectivity is required for the Home edition of Windows Sun Valley. +For additional guidance, see [Determine eligibility](windows-sv-plan.md#determine-eligibility) NEED LINK. + +> [!NOTE] +> S mode is not supported on Windows Sun Valley. +> If you are running Windows in S mode, you will need to first [switch out of S mode](/windows/deployment/windows-10-pro-in-s-mode) prior to upgrading. Switching a device out of Windows 10 in S mode also requires internet connectivity. ## Next steps diff --git a/windows/whats-new/windows-sv.md b/windows/whats-new/windows-sv.md index eabaaffd5c..1e9127bae0 100644 --- a/windows/whats-new/windows-sv.md +++ b/windows/whats-new/windows-sv.md @@ -76,4 +76,4 @@ Windows Sun Valley will have an annual feature update cadence and receive monthl [Windows Sun Valley requirements](windows-sv-requirements.md)
[Plan to deploy Windows Sun Valley](windows-sv-plan.md)
-[Prepare for Windows Sun Valley](windows-sv-prepare.md) +[Prepare for Windows Sun Valley](windows-sv-prepare.md) \ No newline at end of file From 2a9e697360c9000f9c25ac524752e0e3e4d07371 Mon Sep 17 00:00:00 2001 From: v-miegge <49650192+v-miegge@users.noreply.github.com> Date: Wed, 16 Jun 2021 12:37:14 -0700 Subject: [PATCH 328/415] Update from meeting --- .../hello-aad-join-cloud-only-deploy.md | 56 ++++++++++--------- 1 file changed, 31 insertions(+), 25 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md index 0536abfc83..cc8ce73b29 100644 --- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md +++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md @@ -16,36 +16,30 @@ localizationpriority: medium ms.date: 06/03/2021 ms.reviewer: --- -# Azure Active Directory Join Cloud Only Deployment +# Azure AD Joined Cloud Only Deployment ## Introduction -When you Azure Active Directory (Azure AD) join a Windows 10 device, the system prompts you to enroll in Windows Hello for Business by default. However, you may wish to disable the automatic Windows Hello for Business enrollment prompts. +When you Azure Active Directory (Azure AD) join a Windows 10 device, the system prompts you to enroll in Windows Hello for Business by default. If you want to use Windows Hello for Business in your cloud only environment, then there's no additional configuration needed. + +You may wish to disable the automatic Windows Hello for Business enrollment prompts if you aren't ready to use it in your environment. Instructions on how to disable Windows Hello for Business enrollment in a cloud only environment are included below. > [!NOTE] -> During the out-of-box experience (OOBE) flow of an Azure AD join, you'll see a provisioning PIN when you don’t have Intune. You can always cancel the PIN screen and set this cancellation with registry keys to prevent future prompts. +> During the out-of-box experience (OOBE) flow of an Azure AD (AAD) join, you will see a provisioning PIN when you don’t have Intune. You can always cancel the PIN screen and set this cancellation with registry keys to prevent future prompts. ## Prerequisites -This cloud only deployment will use Azure AD multi-factor authentication (MFA) during the Windows Hello for Business enrollment and there's no other MFA configuration needed. If you're not already registered in Azure AD MFA, you'll be guided though the MFA registration as part of the Windows Hello for Business deployment enrollment process. The necessary Windows Hello for Business prerequisites for are located at [Cloud Only Deployment](hello-identity-verification.md#cloud-only-deployment). +This cloud only deployment will use AAD multi-factor authentication (MFA) during the Windows Hello for Business (WHfB) enrollment and there's no additional MFA configuration needed. If you aren't already registered in AAD MFA, you will be guided though the MFA registration as part of the Windows Hello for Business deployment enrollment process. -> [!NOTE] -> It's possible for federated domains to enable the “Supports MFA” flag in your federated domain settings. This tells Azure AD that the federated IDP will perform the MFA challenge. +The necessary Windows Hello for Business prerequisites are located at [Cloud Only Deployment](hello-identity-verification.md#cloud-only-deployment). -You can check and view this setting with the following MSOnline PowerShell command: +Also note that it's possible for federated domains to enable the “Supports MFA” flag in your federated domain settings. This flag tells AAD that the federated IDP will perform the MFA challenge. + +Check and view this setting with the following MSOnline PowerShell command: `Get-MsolDomainFederationSettings –DomainName ` -## Use Intune to disable Windows Hello for Business enrollment - -We recommend that you disable or manage this behavior through an Intune policy using the steps in [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello). - -However, not everyone uses Intune. The following method explains how to disable Windows Hello for Business enrollment without Intune, or through a third-party mobile device management (MDM). If you're not running Intune in your organization, you can disable Windows Hello for Business via the registry. We have provided the underlying registry subkeys for disabling Windows Hello for Business. - -To disable Windows Hello for Business, run the following command. - -> [!NOTE] -> This action impacts **all** Azure AD MFA scenarios for this federated domain. +To disable this setting, run the following command. Note that this change impacts ALL Azure AD MFA scenarios for this federated domain. `Set-MsolDomainFederationSettings -DomainName -SupportsMfa $false` @@ -53,40 +47,51 @@ Example: `Set-MsolDomainFederationSettings -DomainName contoso.com -SupportsMfa $false` -If you use this Supports MFA switch with value True, you'll need to verify your federated IDP is correctly configured and working with the MFA adapter and provider used by your IDP. +If you use this Supports MFA switch with value **True**, you must verify that your federated IDP is correctly configured and working with the MFA adapter and provider used by your IDP. + +## Use Intune to disable Windows Hello for Business enrollment + +We recommend that you disable or manage Windows Hello for Business provisioning behavior through an Intune policy using the steps in [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello). + +However, not everyone uses Intune. The following method explains how to disable Windows Hello for Business enrollment without Intune, or through a third-party mobile device management (MDM). If you aren't running Intune in your organization, you can disable Windows Hello for Business via the registry. We have provided the underlying registry subkeys for disabling Windows Hello for Business. ## Create a Windows Hello for Business policy -1. Sign into the Microsoft Endpoint Manager admin center. +1. Sign into the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) admin center. 2. Go to **Devices** > **Enrollment** > **Enroll devices** > **Windows enrollment** > **Windows Hello for Business**. The Windows Hello for Business pane opens. -3. Select from the following options for Configure Windows Hello for Business: +3. Select from the following options for **Configure Windows Hello for Business**: - 1. **Disabled**: If you don't want to enable Windows Hello for Business during device enrollment, select this option. When disabled, users can't provision Windows Hello for Business. When set to Disabled, you can still configure the subsequent settings for Windows Hello for Business even though this policy won't enable Windows Hello for Business. + 1. **Disabled**: If you don't want to enable Windows Hello for Business during device enrollment, select this option. When disabled, users cannot provision Windows Hello for Business. When set to Disabled, you can still configure the subsequent settings for Windows Hello for Business even though this policy won't enable Windows Hello for Business. + +> [!NOTE] +> This policy is only applied during new device enrollments. For currently enrolled devices, you can [set the same settings in a device configuration policy](hello-manage-in-organization.md). ## Disable Windows Hello for Business enrollment without Intune The information below can be pushed out to the devices through a third-party MDM, or some other method that you use to manage these devices, if you don't manage them with Intune. This push can also be set manually on the specific device(s). -These systems are Azure AD joined only, and aren't domain joined systems, so these settings could be made in the registry on the device(s) when Intune isn't used. +Because these systems are Azure AD Joined only, and not domain joined, these settings could be made in the registry on the device(s) when Intune isn't used. -These registry settings are the settings an Intune policy would set. If you're not using Intune, it's recommended to use the Intune Device Policy registry settings manually to disable the policy. +Here are the registry settings an Intune policy would set. If you aren't using Intune, it's recommended to use the Intune Device Policy registry settings manually to disable Windows Hello For Business enrollment. Intune Device Policy: **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\Device\Policies** +To find the Tenant ID, see [How to find your Azure Active Directory tenant ID](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-how-to-find-tenant) + These registry settings are pushed from Intune for user policies for your reference. Intune User Policy: **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\UserSid\Policies** DWORD: **UsePassportForWork** Value = **0** for Disable, or Value = **1** for Enable -These registry settings are for Local or Group Policies for your reference. +For your reference, these registry settings can be applied from Local or Group Policies. Local/GPO User Policy: **HKEY_USERS\UserSID\SOFTWARE\Policies\Microsoft\PassportForWork** Local/GPO Device Policy: **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork** DWORD: **Enabled** Value = **0** for Disable or Value = **1** for Enable -If there's a conflicting Device policy and User policy, the device policy or computer policy would take precedence. We don't recommend creating Local/GPO registry settings that could conflict with an Intune policy. Creating these settings could lead to unexpected results. +If there's a conflicting Device policy and User policy, the device policy or computer policy would take precedence. We don't recommend creating Local/GPO registry settings that could conflict with an Intune policy. This conflict could lead to unexpected results. ## Related reference documents for Azure AD join scenarios @@ -95,3 +100,4 @@ If there's a conflicting Device policy and User policy, the device policy or com - [How to: Plan your Azure AD join implementation](/azure/active-directory/devices/azureadjoin-plan) - [How to manage the local administrators group on Azure AD joined devices](/azure/active-directory/devices/assign-local-admin) - [Manage device identities using the Azure portal](/azure/active-directory/devices/device-management-azure-portal) +- [Azure AD Join Single Sign-on Deployment](hello-hybrid-aadj-sso.md) From 42615359a75080bbdb4049fa7c888e54efd490c4 Mon Sep 17 00:00:00 2001 From: v-miegge <49650192+v-miegge@users.noreply.github.com> Date: Wed, 16 Jun 2021 12:42:56 -0700 Subject: [PATCH 329/415] Update --- .../hello-for-business/hello-aad-join-cloud-only-deploy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md index cc8ce73b29..d4468e7fc9 100644 --- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md +++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md @@ -55,7 +55,7 @@ We recommend that you disable or manage Windows Hello for Business provisioning However, not everyone uses Intune. The following method explains how to disable Windows Hello for Business enrollment without Intune, or through a third-party mobile device management (MDM). If you aren't running Intune in your organization, you can disable Windows Hello for Business via the registry. We have provided the underlying registry subkeys for disabling Windows Hello for Business. -## Create a Windows Hello for Business policy +## Create a Windows Hello for Business Enrollment policy 1. Sign into the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) admin center. 2. Go to **Devices** > **Enrollment** > **Enroll devices** > **Windows enrollment** > **Windows Hello for Business**. The Windows Hello for Business pane opens. From ebb0962a44d53607b21c310bd28a85b80ebe6e20 Mon Sep 17 00:00:00 2001 From: v-miegge <49650192+v-miegge@users.noreply.github.com> Date: Wed, 16 Jun 2021 12:48:42 -0700 Subject: [PATCH 330/415] fixed link --- .../hello-for-business/hello-aad-join-cloud-only-deploy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md index d4468e7fc9..cc20211379 100644 --- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md +++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md @@ -76,7 +76,7 @@ Here are the registry settings an Intune policy would set. If you aren't using I Intune Device Policy: **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\Device\Policies** -To find the Tenant ID, see [How to find your Azure Active Directory tenant ID](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-how-to-find-tenant) +To find the Tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant) These registry settings are pushed from Intune for user policies for your reference. From 1d175118dc6de3a2bf6e591b558768cacd5fa707 Mon Sep 17 00:00:00 2001 From: v-miegge <49650192+v-miegge@users.noreply.github.com> Date: Wed, 16 Jun 2021 12:54:08 -0700 Subject: [PATCH 331/415] Added indents. Removed spaces. --- .../hello-aad-join-cloud-only-deploy.md | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md index cc20211379..b5aa653cdc 100644 --- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md +++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md @@ -27,9 +27,9 @@ You may wish to disable the automatic Windows Hello for Business enrollment prom > [!NOTE] > During the out-of-box experience (OOBE) flow of an Azure AD (AAD) join, you will see a provisioning PIN when you don’t have Intune. You can always cancel the PIN screen and set this cancellation with registry keys to prevent future prompts. -## Prerequisites +## Prerequisites -This cloud only deployment will use AAD multi-factor authentication (MFA) during the Windows Hello for Business (WHfB) enrollment and there's no additional MFA configuration needed. If you aren't already registered in AAD MFA, you will be guided though the MFA registration as part of the Windows Hello for Business deployment enrollment process. +This cloud only deployment will use AAD multi-factor authentication (MFA) during the Windows Hello for Business (WHfB) enrollment and there's no additional MFA configuration needed. If you aren't already registered in AAD MFA, you will be guided though the MFA registration as part of the Windows Hello for Business deployment enrollment process. The necessary Windows Hello for Business prerequisites are located at [Cloud Only Deployment](hello-identity-verification.md#cloud-only-deployment). @@ -49,7 +49,7 @@ Example: If you use this Supports MFA switch with value **True**, you must verify that your federated IDP is correctly configured and working with the MFA adapter and provider used by your IDP. -## Use Intune to disable Windows Hello for Business enrollment +## Use Intune to disable Windows Hello for Business enrollment We recommend that you disable or manage Windows Hello for Business provisioning behavior through an Intune policy using the steps in [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello). @@ -68,7 +68,7 @@ However, not everyone uses Intune. The following method explains how to disable ## Disable Windows Hello for Business enrollment without Intune -The information below can be pushed out to the devices through a third-party MDM, or some other method that you use to manage these devices, if you don't manage them with Intune. This push can also be set manually on the specific device(s). +The information below can be pushed out to the devices through a third-party MDM, or some other method that you use to manage these devices, if you don't manage them with Intune. This push can also be set manually on the specific device(s). Because these systems are Azure AD Joined only, and not domain joined, these settings could be made in the registry on the device(s) when Intune isn't used. @@ -80,18 +80,18 @@ To find the Tenant ID, see [How to find your Azure Active Directory tenant ID](/ These registry settings are pushed from Intune for user policies for your reference. -Intune User Policy: **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\UserSid\Policies** -DWORD: **UsePassportForWork** -Value = **0** for Disable, or Value = **1** for Enable +- Intune User Policy: **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\UserSid\Policies** +- DWORD: **UsePassportForWork** +- Value = **0** for Disable, or Value = **1** for Enable For your reference, these registry settings can be applied from Local or Group Policies. -Local/GPO User Policy: **HKEY_USERS\UserSID\SOFTWARE\Policies\Microsoft\PassportForWork** -Local/GPO Device Policy: **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork** -DWORD: **Enabled** -Value = **0** for Disable or Value = **1** for Enable +- Local/GPO User Policy: **HKEY_USERS\UserSID\SOFTWARE\Policies\Microsoft\PassportForWork** +- Local/GPO Device Policy: **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork** +- DWORD: **Enabled** +- Value = **0** for Disable or Value = **1** for Enable -If there's a conflicting Device policy and User policy, the device policy or computer policy would take precedence. We don't recommend creating Local/GPO registry settings that could conflict with an Intune policy. This conflict could lead to unexpected results. +If there's a conflicting Device policy and User policy, the device policy or computer policy would take precedence. We don't recommend creating Local/GPO registry settings that could conflict with an Intune policy. This conflict could lead to unexpected results. ## Related reference documents for Azure AD join scenarios From 835cf8dc25c0e514e9b259b18879fcc74dd056df Mon Sep 17 00:00:00 2001 From: Charles Inglis <32555877+cinglis-msft@users.noreply.github.com> Date: Wed, 16 Jun 2021 17:26:38 -0400 Subject: [PATCH 332/415] Updated error AllowWufbCloudProcessing Should be value 8, showed value 1 --- windows/deployment/update/deployment-service-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/deployment-service-overview.md b/windows/deployment/update/deployment-service-overview.md index 256bbb7d4e..b7bccbb684 100644 --- a/windows/deployment/update/deployment-service-overview.md +++ b/windows/deployment/update/deployment-service-overview.md @@ -125,7 +125,7 @@ Deployment scheduling controls are always available, but to take advantage of th > Deployment protections are currently in preview and available if you're using Update Compliance. If you set these policies on a a device that isn't enrolled in Update Compliance, there is no effect. - Diagnostic data is set to *Required* or *Optional*. -- The **AllowWUfBCloudProcessing** policy is set to **1**. +- The **AllowWUfBCloudProcessing** policy is set to **8**. #### Set the **AllowWUfBCloudProcessing** policy From dadbe6af01d60574508e5d36f41a0d262a1ce1c3 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Wed, 16 Jun 2021 14:35:00 -0700 Subject: [PATCH 333/415] incorp white paper --- windows/whats-new/windows-sv-plan.md | 56 ++++++++++---------- windows/whats-new/windows-sv-prepare.md | 2 +- windows/whats-new/windows-sv-requirements.md | 6 ++- windows/whats-new/windows-sv.md | 22 ++++---- 4 files changed, 46 insertions(+), 40 deletions(-) diff --git a/windows/whats-new/windows-sv-plan.md b/windows/whats-new/windows-sv-plan.md index 1eed113eaa..310e572df1 100644 --- a/windows/whats-new/windows-sv-plan.md +++ b/windows/whats-new/windows-sv-plan.md @@ -31,86 +31,88 @@ Since Windows Sun Valley is built on the same foundation as Windows 10, you can - Determine application readiness. - Define your servicing strategy. -As most organizations will have a mix of Windows Sun Valley and Windows 10 and SV devices side-by-side as they integrate SV into their environments, there are some unique yet largely familiar considerations for this new operating system to help in planning for upcoming deployments. +Most organizations will have a mix of Windows Sun Valley and Windows 10 devices side-by-side as they integrate the upgrade into their environments. As such, there are unique yet largely familiar considerations to take into account when planning your deployments. -#### Determine eligibility +## Upgrade eligibility -As a first step, you will need to know which of your current PCs meet the Windows Sun Valley hardware requirements. Detailed requirements can be found at [LINK NEEDED](). However, in general you should expect that if your devices were acquired within the last 18-24 months, they will be able to run Windows Sun Valley. +As a first step, you will need to know which of your current PCs meet the Windows Sun Valley hardware requirements. Detailed requirements can be found [here](windows-sv-requirements.md). However, in general you should expect that if your devices were purchased within the last 18-24 months, they will be able to run Windows Sun Valley. -Analysis tools will be created and made available to evaluate devices against the Windows Sun Valley hardware requirements. A standalone tool will be available, and the ability to evaluate upgrade eligibility will also be integrated into your existing enterprise tool sets. +Analysis tools will be developed and made available to validate devices against the Windows Sun Valley hardware requirements. A standalone tool is planned, and upgrade eligibility will also be integrated into your existing enterprise deployment tools. When Windows Sun Valley reaches general availability, end users running Windows 10 Home, Pro, and Pro for Workstations can use the PC Health Check app to determine their eligibility for Windows Sun Valley. End users running Windows 10 Enterprise and Education editions should rely on their IT administrators to let them know when they are eligible for the upgrade. [LINK NEEDED]() has been developed for this purpose. -For enterprise customers, analytics tools will be available for administrators to evaluate device readiness, including Endpoint Analytics and Update Compliance. Microsoft is also sharing information with independent sofware vendors to enable their tools to support analytics for Windows Sun Valley. +For organizations with investments in enterprise deployment tools, analytics functionality will be available to evaluate device readiness, including Endpoint Analytics and Update Compliance. Microsoft is also sharing information with independent sofware vendors to enable their tools to support analytics for Windows Sun Valley. -#### Windows Sun Valley availability +## Windows Sun Valley availability -As with Windows 10, the availability of Windows Sun Valley experience will vary depending on whether the device receives updates from Windows Update (unmanaged devices), or from a management solution that is maintained by an administrator (managed devices). +As with Windows 10, the availability of Windows Sun Valley will vary depending on whether the device is unmanaged and receives updates from Windows Update, or a device is managed using tools operated by an IT administrator. ##### Unmanaged devices -For unmanaged devices, most eligible devices purchased after June of 2021 will be offered the Windows Sun Valley upgrade in October of 2021. New device messaging will vary by PC manufacturer, but users will see labels such as **This PC will upgrade to Windows Sun Valley once available** on products that are available for purchase. +For unmanaged devices, most eligible devices purchased after June of 2021 will be offered the Windows Sun Valley upgrade in October of 2021. Messaging on new devices will vary by PC manufacturer, but users will see labels such as **This PC will upgrade to Windows Sun Valley once available** on products that are available for purchase. > [!NOTE] -> New devices purchased after October 2021 will see the Windows Sun Valley offer during the out of box experience, or they will already be upgraded to Windows Sun Valley. +> New devices purchased after October 2021 will see the Windows Sun Valley offer during the out of box experience (OOBE), or they will already be upgraded to Windows Sun Valley. -After General Availability (GA) date for Windows Sun Valley, the OS upgrade will be available to eligible Windows 10 devices that use Windows Update. The upgrade will be available first to seekers, then as part of Microsoft's intelligent rollout process. As with all Microsoft update managed devices, the Windows Update Settings page will confirm when a device is eligible, and users can choose to upgrade or not. +After General Availability (GA) date for Windows Sun Valley, the OS upgrade will be available to eligible devices that use Windows Update. The upgrade will be available first to seekers, then as part of Microsoft's intelligent rollout process. The Windows Update Settings page will confirm when a device is eligible, and users can choose whether or not to upgrade. Just like Windows 10, the machine learning based [intelligent rollout](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/using-machine-learning-to-improve-the-windows-10-update/ba-p/877860) process will be leveraged when rolling out upgrades. Machine learning uses a combination of testing, close partner engagement, feedback, diagnostic data, and real-life insights to manage quality. This improves the update experience and ensures that devices first nominated for updates are those likely to have a seamless experience. Devices that might have compatibility issues with the upgrade get the benefit of resolving these issues before the upgrade is offered. ##### Managed devices -The innovations and end user productivity improvements in Windows Sun Valley are exciting. However, the "right time" to upgrade will be different for each organization. For devices that you manage as an organization, you can choose between Windows Sun Valley and Windows 10, and decide when the time is right to incorporate Window Sun Valley into your environment. Initially, it is expected that enterprise environments will contain a mix of Windows 10 and Windows Sun Valley. +The right time to upgrade will be different for each organization and environment. You can choose between Windows Sun Valley and Windows 10, and decide when the time is right to integrate Window Sun Valley into your environment. Initially, it is expected that many organizations will operate with a mix of Windows 10 and Windows Sun Valley. -Organizations will be able to deploy the Windows Sun Valley upgrade to eligible devices using their existing management tools beginning at GA. Environments that use Windows Update for Business (WUfB) will have the additional benefit of two safety nets: offering blocks on non-eligible devices who do not meet the hardware requirements, and Safeguard holds. Safeguard holds will function for SV devices just as they do for Windows 10. Administrators will have access to information on which Safeguard holds are preventing individual devices from taking the upgrade to Windows Sun Valley. +You can deploy the Windows Sun Valley upgrade to eligible devices using your existing management tools beginning at GA. If you use Windows Update for Business (WUfB), you will have the additional benefit of two safety nets: offering blocks on non-eligible devices that do not meet the hardware requirements, and Safeguard holds. Safeguard holds will function for Windows Sun Valley devices the same way that they do for Windows 10. Administrators will have access to information on which Safeguard holds are preventing individual devices from taking the upgrade to Windows Sun Valley. > [!NOTE] -> If you use WUfB to manage feature update deployments today you will need to leverage the **Target Version** policy rather than **Feature Update deferrals** to move from Windows 10 to Windows Sun Valley. Deferrals are great for quality updates or to move to newer versions of the same product (Windows 10 to Windows 10), but they cannot migrate a devices between products (Windows 10 to Windows Sun Valley). -> Additionally, Windows Sun Valley has a new end user license agreement. If you are deploying with WUfB **Target Version** or with WSUS, you are accepting this new end user license agreement on behalf of the end users within your organization. +> If you use WUfB to manage feature update deployments today, you will need to leverage the **Target Version** policy rather than **Feature Update deferrals** to move from Windows 10 to Windows Sun Valley. Deferrals are great for quality updates or to move to newer versions of the same product (Windows 10 to Windows 10), but they cannot migrate a devices between products (Windows 10 to Windows Sun Valley).
+> Additionally, Windows Sun Valley has a new end user license agreement (EULA). If you are deploying with WUfB **Target Version** or with WSUS, you are accepting this new EULA on behalf of the end users within your organization. -Some additional considerations about upgrading: +Additional considerations: - Windows 10 Pro or higher can upgrade for free using existing management tools. - Devices running S mode will first need to switch out of S mode because it is not supported on Windows Sun Valley. - Downgrade rights are available with Windows Sun Valley Pro OEM licensed devices and with Microsoft Volume Licensing, where the licensing agreement permits it. -- You can downgrade to any version of Windows Pro/Professional that has not reached its end of support date. +- You can downgrade to any version of Windows Pro that has not reached its end of support date. -##### Availability and upgrade path +## Availability and upgrade path -As previously mentioned, the Windows Sun Valley upgrade offer will begin for eligible devices at GA in October of 2021. This is true for eligible devices already running updated Windows 10 as well as for new devices. +As previously mentioned, the Windows Sun Valley upgrade offer will begin for eligible devices at GA in October of 2021. This is true for existing eligible devices as well as for new devices. -To preview Windows Sun Valley, you can join the [Windows Insider Program](https://insider.windows.com/for-business) (WIP). This enables you to begin validating Windows Sun Valley, as well as exploring new features as they’re being created. As a WIP participant in the [Release Preview Channel](/windows-insider/business/validate-Release-Preview-Channel), Windows Sun Valley will be available to you in the summer of 2021, well ahead of the October GA date. +To preview Windows Sun Valley, you can join the [Windows Insider Program](https://insider.windows.com/for-business) (WIP). This enables you to begin validating Windows Sun Valley, and to explore new features as they’re being created. As a WIP participant in the [Release Preview Channel](/windows-insider/business/validate-Release-Preview-Channel), Windows Sun Valley will be available to you in the summer of 2021, well ahead of the October GA date. You can deploy directly from the Windows Insider Pre-release category in WSUS in a variety of ways: 1. Configure Manage Preview Builds to **Release Preview** with WUfB. 2. Leverage Windows Virtual Devices or Cloud PC* (check if this will be announced when this paper goes out) and Azure Marketplace images. 3. Download and deploy ISOs from Microsoft’s Windows Insider Program ISO Download page. -Regardless of which way you choose to deploy, you have the benefit of free Microsoft support when validating a pre-release. All you need to do is go to [Support for business](http://support.microsoft.com/supportforbusiness/productselection?sapId=39fc4a93-68cd-5a19-f91b-f0b349a098f3) and submit your support case. This is free for any Microsoft commercial customer deploying Windows 10 version 21H2 or Windows Sun Valley 21H2 pre-release bits after the commercial preview date in summer 2021. +Regardless of which way you choose to deploy, you have the benefit of free Microsoft support when validating a pre-release. Just go to [Support for business](http://support.microsoft.com/supportforbusiness/productselection?sapId=39fc4a93-68cd-5a19-f91b-f0b349a098f3) and submit your support case. This is free for any Microsoft commercial customer deploying Windows 10 version 21H2 or Windows Sun Valley 21H2 pre-release bits after the commercial preview date in the summer of 2021. -Your Windows Sun Valley and Windows 10 devices will receive regular monthly quality updates to provide security updates and bug fixes. Windows Sun Valley devices will receive a single feature update annually, a change from the twice per year of Windows 10. +## Quality updates -Devices on in-service versions of Windows 10 that do not meet Windows Sun Valley hardware requirements will continue to receive monthly Windows 10 security updates through 2025, as well as incremental improvements to Windows 10 to support your ongoing deployments of Microsoft 365. +- Windows Sun Valley and Windows 10 devices will receive regular monthly quality updates. +- Windows Sun Valley devices will receive a single feature update annually, a change from the twice per year of Windows 10. +- Devices on in-service versions of Windows 10 that do not meet Windows Sun Valley hardware requirements will continue to receive monthly Windows 10 security updates through 2025, as well as incremental improvements to Windows 10 to support your ongoing deployments of Microsoft 365. -##### Servicing duration +## Servicing duration Along with end user experience and security improvements, Windows Sun Valley introduces enhancements to our servicing approach based on your suggestions and feedback. -Windows 10 feature updates are released twice yearly via the Semi-Annual Channel. They are serviced with monthly quality updates for 18 or 30 months from the date of the release, depending on the lifecycle policy. Windows Sun Valley will have an annual feature update cadence, targeted for release in the second half of the calendar year. +Windows 10 feature updates are released twice yearly via the Semi-Annual Channel. They are serviced with monthly quality updates for 18 or 30 months from the date of the release, depending on the lifecycle policy. Windows Sun Valley will have an annual feature update cadence, targeted for release in the second half of the calendar year: - Home, Pro, Pro for Workstations, and Pro for Education editions of Windows Sun Valley will receive 24 months of support from the date of release. - Enterprise and Education editions of Windows Sun Valley will be supported for 36 months. -For more details on the lifecycle and servicing strategy for Windows Sun Valley, see [Windows lifecycle and servicing update overview](). +THIS SECTION DOESNT EXIST: For more details on the lifecycle and servicing strategy for Windows Sun Valley, see [Windows lifecycle and servicing update overview](). Microsoft recognizes the importance that organizations have adequate time to plan for Windows Sun Valley. Therefore, we have committed to supporting Windows 10 through October 14, 2025. For more information, see the [Windows release information]() page. This page also includes information for Windows 10 semi-annual channel and LTSC releases. A consolidated [update history]() is also available for every version of the Windows operating system. This information offers quick access to knowledge base articles for each monthly, optional, and out-of-band release. In addition to update highlights, you’ll find a list of improvements and fixes, a summary of any known issues, and details on how to get the update, including any prerequisites. -##### Application compatibility +## Application compatibility Windows 10 upgrades have proven to be highly compatible, and that does not change with Windows Sun Valley. Our compatibility promise for Windows 10 is that upgrades will maintain compatibility with apps written for previously released versions. Windows Sun Valley comes with the same App Assure promise and commitment that you have known with Windows 10. Data from the App Assure program shows that Windows 10 compatibility rates are over 99.7% for our enterprise customers, including line of business apps. This great progress will not be lost. Windows Sun Valley has been subjected to, and is passing the same app compatibility validation requirements, that are in place for Windows 10 feature and quality update releases today. -##### App Assure and Test Base +#### App Assure and Test Base You might already be using App Assure and Test Base in your Windows 10 environment. Both of these tools will continue to function with Windows Sun Valley. With enrollment in the App Assure service, if you find any problems with an existing application as you migrate to Windows Sun Valley, Microsoft will help you remedy application issues at no cost. Since 2018, App Assure has evaluated almost 800,000 apps, and subscriptions are free for eligible customers with 150+ seats. diff --git a/windows/whats-new/windows-sv-prepare.md b/windows/whats-new/windows-sv-prepare.md index c617d105a9..8da15603d9 100644 --- a/windows/whats-new/windows-sv-prepare.md +++ b/windows/whats-new/windows-sv-prepare.md @@ -1,5 +1,5 @@ --- -title: Prepare to deploy Windows Sun Valley +title: Prepare for Windows Sun Valley description: Prepare your infrastructure and tools to deploy Windows Sun Valley, IT Pro content. keywords: ["get started", "windows sun valley"] ms.prod: w11 diff --git a/windows/whats-new/windows-sv-requirements.md b/windows/whats-new/windows-sv-requirements.md index 469fe1924c..d9c0d22b1a 100644 --- a/windows/whats-new/windows-sv-requirements.md +++ b/windows/whats-new/windows-sv-requirements.md @@ -21,7 +21,7 @@ ms.custom: seo-marvel-apr2020 - Windows Sun Valley, version 21H2 -This article lists the system requirements for Windows Sun Valley. Windows Sun Valley is also supported on a virtual machine (VM). For the best Windows Sun Valley upgrade experience, eligible devices should be running Windows 10, version 20H1 or later. +This article lists the system requirements for Windows Sun Valley. Windows Sun Valley is also supported on a virtual machine (VM). ## Hardware requirements @@ -41,6 +41,10 @@ To install Windows Sun Valley, devices must meet the following specifications: For additional guidance, see [Determine eligibility](windows-sv-plan.md#determine-eligibility) NEED LINK. +## Operating system requirements + +For the best Windows Sun Valley upgrade experience, eligible devices should be running Windows 10, version 20H1 or later. + > [!NOTE] > S mode is not supported on Windows Sun Valley. > If you are running Windows in S mode, you will need to first [switch out of S mode](/windows/deployment/windows-10-pro-in-s-mode) prior to upgrading. Switching a device out of Windows 10 in S mode also requires internet connectivity. diff --git a/windows/whats-new/windows-sv.md b/windows/whats-new/windows-sv.md index 1e9127bae0..b1b09d27be 100644 --- a/windows/whats-new/windows-sv.md +++ b/windows/whats-new/windows-sv.md @@ -32,21 +32,19 @@ Also see the following articles to learn about Windows Sun Valley: ## Introduction -Windows Sun Valley is the next evolution of Windows; the most significant update to the Windows operating system since Windows 10. It offers a fresh experience that is flexible and fluid, designed to support today's hybrid work environment and to be the most reliable, secure, connected, and performant Windows OS ever. +Windows Sun Valley is the next evolution of Windows; the most significant update to the Windows operating system since Windows 10. It offers many innovations focused on enhancing end user productivity in a fresh experience that is flexible and fluid. Windows Sun Valley is designed to support today's hybrid work environment, and intended to be the most reliable, secure, connected, and performant Windows OS ever. -Windows Sun Valley contains many innovations focused on enhancing end user productivity. It is built on the same foundation as Windows 10, ensuring that the investments you have made in tools for update and device management are carried forward. Windows Sun Valley provides the benefits that commercial organizations and IT pros need and rely upon every day: best-in-class security, simplified manageability, and high availability. It also sustains the application compatibility promise we made with Windows 10, supplemented by programs like App Assure in cases where additional support is needed. - -In summary, because Windows Sun Valley is built on the same foundation as Windows 10, you can deploy, manage, and secure Windows SV using the same tools and solutions you use today. For Microsoft 365 customers seeking further assistance, FastTrack will continue to be available to support your efforts to adopt Windows SV. +This release is built on the same foundation as Windows 10, so the investments you have made in tools for update and device management are carried forward. Windows Sun Valley also sustains the application compatibility promise we made with Windows 10. For Microsoft 365 customers seeking further assistance, FastTrack will continue to be available to support your efforts to adopt Windows Sun Valley. ## How to get Windows Sun Valley Windows Sun Valley will be delivered as an upgrade to eligible devices running Windows 10 beginning in the first half of 2022. Windows Sun Valley will also be available on new, eligible devices. -For PCs that are managed by your organization and meet the eligibility requirements, Windows Sun Valley will be available through the same, familiar channels we utilize for Windows 10 feature updates today. You will be able to use existing deployment and management toolsets, such as Windows Update for Business, Microsoft Endpoint Management, and Windows Autopilot and those commercial customers running Pro, Enterprise and Education editions of Windows 10 will have control over when to upgrade their devices from Windows 10 to Windows Sun Valley. For more information, see Management tools. +For PCs that are managed by your organization and meet the eligibility requirements, Windows Sun Valley will be available through the same channels that you use for Windows 10 feature updates today. Existing deployment and management tools such as Windows Update for Business, Microsoft Endpoint Management, and Windows Autopilot can be used to deploy and manage Windows Sun Valley. Commercial organizations running Pro, Enterprise and Education editions of Windows 10 will have control over when to upgrade their devices from Windows 10 to Windows Sun Valley. For more information, see [Management tools](windows-sv-prepare.md#management-tools). -For personal devices and other unmanaged PCs that meet the eligibility requirements, the upgrade will be offered through Windows Update using our intelligent rollout process to ensure a smooth upgrade experience. Windows 10 devices purchased after June 2021 that meet or exceed the minimum hardware requirements for Windows Sun Valley will be offered the upgrade starting in October of 2021. +For personal devices and other unmanaged PCs that meet the eligibility requirements, the Windows Sun Valley upgrade will be offered through Windows Update using Microsoft's [intelligent rollout](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/using-machine-learning-to-improve-the-windows-10-update/ba-p/877860) process. Windows 10 devices purchased after June 2021 that meet or exceed the minimum hardware requirements for Windows Sun Valley will be offered the upgrade starting in October of 2021. -For those interested in testing Windows Sun Valley before general availability, we recommend joining the Windows Insider Program or Windows Insider Program for Business [Release Preview Channel](/windows-insider/business/validate-Release-Preview-Channel), or enabling pre-release Windows 10 feature updates in [Microsoft Endpoint Configuration Manager](/mem/configmgr/core/servers/manage/pre-release-features) or [Windows Server Update Services](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/publishing-pre-release-windows-10-feature-updates-to-wsus/ba-p/845054) (WSUS). +If you are interested in testing Windows Sun Valley before general availability, you can join the Windows Insider Program or Windows Insider Program for Business [Release Preview Channel](/windows-insider/business/validate-Release-Preview-Channel). You can also preview Windows Sun Valley by enabling pre-release Windows 10 feature updates in [Microsoft Endpoint Configuration Manager](/mem/configmgr/core/servers/manage/pre-release-features) or [Windows Server Update Services](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/publishing-pre-release-windows-10-feature-updates-to-wsus/ba-p/845054) (WSUS). For more information about eligibility to upgrade, see [Windows Sun Valley requirements](windows-sv-requirements.md). @@ -62,15 +60,17 @@ Microsoft 365 licenses that include Windows 10 licenses will permit you to run W Most accessories and associated drivers that worked with Windows 10 are expected to work with Windows Sun Valley. Check with your accessory manufacturer for specific details. -Windows Sun Valley also preserves the application compatibility promise made with Windows 10 and does not require changes to existing support processes or tooling to sustain the currency of applications and devices. Microsoft 365 customers can continue to use programs such as App Assure and FastTrack to support IT efforts to adopt and maintain Windows Sun Valley. For more information, see [Application compatibility](windows-sv-prepare.md#application-compatibility). +Windows Sun Valley preserves the application compatibility promise made with Windows 10 and does not require changes to existing support processes or tooling to sustain the currency of applications and devices. Microsoft 365 customers can continue to use programs such as App Assure and FastTrack to support IT efforts to adopt and maintain Windows Sun Valley. For more information, see [Application compatibility](windows-sv-prepare.md#application-compatibility). -#### Familiar deployment process +#### Familiar processes -Windows Sun Valley is built on the same foundation as Windows 10, so you can generally use the same tools and solutions you use today to deploy, manage, and secure Windows Sun Valley. You can also use your current management tools, processes, and settings to manage monthly quality updates for both Windows 10 and Windows Sun Valley. For more information, see [Management tools](windows-sv-prepare.md#management-tools) and [Configurations](windows-sv-plan.md#configurations). +Windows Sun Valley is built on the same foundation as Windows 10, so generally you can use the same tools and solutions you use today to deploy, manage, and secure Windows Sun Valley. Your current management tools and processes will work to manage monthly quality updates for both Windows 10 and Windows Sun Valley. For more information, see [Management tools](windows-sv-prepare.md#management-tools). #### Servicing Windows Sun Valley -Windows Sun Valley will have an annual feature update cadence and receive monthly quality updates. For details, see [Windows Sun Valley servicing](windows-sv-plan.md#windows-sun-valley-servicing). When Windows Sun Valley reaches general availability, important servicing-related announcements and information about known issues and safeguard holds can be found on the Windows release health hub. Monthly release notes will available via a consolidated Windows Sun Valley update history page at that time as well. +Windows Sun Valley will have an annual feature update cadence and receive monthly quality updates. For details, see [Windows Sun Valley servicing](windows-sv-plan.md#windows-sun-valley-servicing). + +When Windows Sun Valley reaches general availability, important servicing-related announcements and information about known issues and safeguard holds can be found on the Windows release health hub. Monthly release notes will available from a consolidated Windows Sun Valley update history page. ## Next steps From 6ceaf03326d07c9cad486be76f8f654af46deeaa Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Wed, 16 Jun 2021 14:50:02 -0700 Subject: [PATCH 334/415] incorp white paper --- windows/whats-new/windows-sv-plan.md | 6 ++++-- windows/whats-new/windows-sv-prepare.md | 9 +++------ 2 files changed, 7 insertions(+), 8 deletions(-) diff --git a/windows/whats-new/windows-sv-plan.md b/windows/whats-new/windows-sv-plan.md index 310e572df1..87cefa2210 100644 --- a/windows/whats-new/windows-sv-plan.md +++ b/windows/whats-new/windows-sv-plan.md @@ -110,11 +110,13 @@ A consolidated [update history]() is also available for every version of the Win ## Application compatibility -Windows 10 upgrades have proven to be highly compatible, and that does not change with Windows Sun Valley. Our compatibility promise for Windows 10 is that upgrades will maintain compatibility with apps written for previously released versions. Windows Sun Valley comes with the same App Assure promise and commitment that you have known with Windows 10. Data from the App Assure program shows that Windows 10 compatibility rates are over 99.7% for our enterprise customers, including line of business apps. This great progress will not be lost. Windows Sun Valley has been subjected to, and is passing the same app compatibility validation requirements, that are in place for Windows 10 feature and quality update releases today. +Windows 10 upgrades have proven to be highly compatible, and that does not change with Windows Sun Valley. Microsoft's compatibility promise for Windows 10 that upgrades will preserve application compatibility is maintained for Windows Sun Valley. Windows Sun Valley comes with the same App Assure promise and commitment that you have known with Windows 10. Data from the App Assure program shows that Windows 10 compatibility rates are over 99.7% for our enterprise customers, including line of business apps. Windows Sun Valley has passed the same app compatibility validation requirements that are in place for Windows 10 feature and quality update releases. #### App Assure and Test Base -You might already be using App Assure and Test Base in your Windows 10 environment. Both of these tools will continue to function with Windows Sun Valley. With enrollment in the App Assure service, if you find any problems with an existing application as you migrate to Windows Sun Valley, Microsoft will help you remedy application issues at no cost. Since 2018, App Assure has evaluated almost 800,000 apps, and subscriptions are free for eligible customers with 150+ seats. +You might already be using App Assure and Test Base in your Windows 10 environment. Both of these tools will continue to function with Windows Sun Valley. + +With enrollment in the App Assure service, if you find any problems with an existing application as you migrate to Windows Sun Valley, Microsoft will help you remedy application issues at no cost. Since 2018, App Assure has evaluated almost 800,000 apps, and subscriptions are free for eligible customers with 150+ seats. If you’ve created your own applications, Test Base for Microsoft is a service that allows independent software vendors and commercial customers to validate their apps across a variety of updates and environments in a Microsoft managed Azure environment. Both services can be of benefit to you as you roll out Windows Sun Valley into your environment. diff --git a/windows/whats-new/windows-sv-prepare.md b/windows/whats-new/windows-sv-prepare.md index 8da15603d9..db5959e103 100644 --- a/windows/whats-new/windows-sv-prepare.md +++ b/windows/whats-new/windows-sv-prepare.md @@ -20,14 +20,11 @@ ms.topic: article - Windows Sun Valley, version 21H2 +Windows 10 and Windows Sun Valley are designed to coexist, so that you can use the same familiar tools and process to manage both operating systems. One common management infrastructure that supports common applications across both Windows 10 and Windows Sun Valley helps to simplify the migration process. You can analyze endpoints, determine application compatibility, and manage Windows Sun Valley deployments in the same way that you do with Windows 10. -Organizations will vary in their pace relative to transitioning from Windows 10 to SV, and we expect early corporate adoptions to consist of smaller test environments before rolling out to wider groups begins. We are committed to supporting you through your migration to Windows Sun Valley whether you are a fast adopter, or will make the transition over the coming months or years. +As you prepare for Windows Sun Valley, it’s also a good time to look at the deployment infrastructure of your environment. If you aren’t already taking advantage of cloud-based management tools like Microsoft Endpoint Manager this might be the perfect time. Or, if you are exclusively using an on-premises management tool such as Configuration Manager (Note: Config Mgr is part of MEM, need clarification here), using Cloud management gateway, enabling tenant attach, or enabling co-management with Microsoft Intune are all ways to help keep devices secure and up-to-date. ---insert links for the named solutions -With the new Windows Sun Valley experience, hybrid environments of both operating systems running simultaneously will be the norm. Windows 10 and Windows Sun Valley are designed to co-exist during this time, so that you can use the same familiar tools and process to manage them, as well as continue to give your users the best Microsoft 365 experience. You’ll have one common management infrastructure, and support for common applications across both Windows 10 and Windows Sun Valley to simplify the migration process. You’ll use the IT Pro tools that you are familiar with and have been using in the past to prepare for deployments also work in Windows Sun Valley; you can analyze endpoints, determine application compatibility, and manage deployments in the same way you did with Windows 10. - -As you prepare for Windows Sun Valley, it’s also a good time to look at the deployment infrastructure of your environment. If you aren’t already taking advantage of cloud-based management tools like Microsoft Endpoint Manager this might be the perfect scenario in which to make that leap. Or if you are exclusively using an on-premises management tool such as Configuration Manager, using Cloud management gateway, enabling tenant attach, or enabling co-management with Microsoft Intune are all ways to help keep devices secure and up-to-date. ---insert links for the named solutions - -Additionally, policies related to deployment may need to be updated or re-evaluated respective of update compliance deadlines, device activity policies, and the re-evaluation of older policies. A servicing mindset pointed at keeping current means that, as with Windows 10 devices, you will create a deployment plan in order to build out your servicing strategy. +Policies related to deployment may need to be updated or re-evaluated, considering update compliance deadlines, device activity policies, and the replacement of older policies. A servicing mindset focused on keeping current means creating a deployment plan to build out your servicing strategy. ## Analytics From b0191eb0f632c0ff5a95d53789ef550dd6f51362 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Wed, 16 Jun 2021 14:54:50 -0700 Subject: [PATCH 335/415] toc and index --- windows/whats-new/TOC.yml | 2 +- windows/whats-new/index.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/whats-new/TOC.yml b/windows/whats-new/TOC.yml index fb7a0de80e..71e18303ee 100644 --- a/windows/whats-new/TOC.yml +++ b/windows/whats-new/TOC.yml @@ -7,7 +7,7 @@ href: windows-sv.md - name: Windows Sun Valley requirements href: windows-sv-requirements.md - - name: Plan to deploy Windows Sun Valley + - name: Plan for Windows Sun Valley href: windows-sv-plan.md - name: Prepare for Windows Sun Valley href: windows-sv-prepare.md diff --git a/windows/whats-new/index.yml b/windows/whats-new/index.yml index bf2243760c..fbea14e982 100644 --- a/windows/whats-new/index.yml +++ b/windows/whats-new/index.yml @@ -31,7 +31,7 @@ landingContent: url: windows-sv.md - text: Windows Sun Valley requirements url: windows-sv-requirements.md - - text: Plan to deploy Windows Sun Valley + - text: Plan for Windows Sun Valley url: windows-sv-plan.md - text: Prepare for Windows Sun Valley url: windows-sv-prepare.md From eff900dc59988d59668fc3997ed761dcd46d2a56 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 17 Jun 2021 08:41:57 -0700 Subject: [PATCH 336/415] Update fod-and-lang-packs.md --- windows/deployment/update/fod-and-lang-packs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/fod-and-lang-packs.md b/windows/deployment/update/fod-and-lang-packs.md index 193b4d95ad..fc45328c40 100644 --- a/windows/deployment/update/fod-and-lang-packs.md +++ b/windows/deployment/update/fod-and-lang-packs.md @@ -18,7 +18,7 @@ ms.custom: seo-marvel-apr2020 > Applies to: Windows 10 -As of Windows 10 version 21H2, we are enabling non-Administrator user accounts to add both a display language and its corresponding language features. +In Windows 10 version 21H2, non-Administrator user accounts can add both a display language and its corresponding language features. As of Windows 10 version 1709, you can't use Windows Server Update Services (WSUS) to host [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) (FODs) locally. Starting with Windows 10 version 1803, language packs can no longer be hosted on WSUS. From 50cdba229bad471d1e5e215c7e9686e9eb9285a8 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 17 Jun 2021 08:48:44 -0700 Subject: [PATCH 337/415] Update windows/security/threat-protection/auditing/audit-other-privilege-use-events.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../auditing/audit-other-privilege-use-events.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md index 9883e2ee86..2e147e1fde 100644 --- a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md +++ b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md @@ -23,7 +23,6 @@ ms.technology: mde This auditing subcategory should not have any events in it, but for some reason Success auditing will enable generation of event 4985(S): The state of a transaction has changed. -This refers to : https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4985 - (4985(S): The state of a transaction has changed. used by the file system transaction manager. | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | |-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------| @@ -36,4 +35,3 @@ This refers to : https://docs.microsoft.com/en-us/windows/security/threat-protec - [4985](event-4985.md)(S): The state of a transaction has changed. - From d43d7a8504a3676dbf0107d6d0ead84b090846d7 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 17 Jun 2021 08:50:33 -0700 Subject: [PATCH 338/415] Update audit-other-privilege-use-events.md --- .../auditing/audit-other-privilege-use-events.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md index 2e147e1fde..7e8dea77c3 100644 --- a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md +++ b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md @@ -21,8 +21,7 @@ ms.technology: mde - Windows 10 - Windows Server 2016 - -This auditing subcategory should not have any events in it, but for some reason Success auditing will enable generation of event 4985(S): The state of a transaction has changed. +This auditing subcategory should not have any events in it, but for some reason Success auditing will enable the generation of event [4985(S): The state of a transaction has changed](/windows/security/threat-protection/auditing/event-4985). | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | |-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------| From 7647aeec7f20705366ccf52ccbec19b42918e75b Mon Sep 17 00:00:00 2001 From: Diana Hanson Date: Thu, 17 Jun 2021 09:56:55 -0600 Subject: [PATCH 339/415] Pencil edit to fix Acro Line 63: casue ---> cause --- windows/whats-new/whats-new-windows-10-version-21H1.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/whats-new-windows-10-version-21H1.md b/windows/whats-new/whats-new-windows-10-version-21H1.md index 99f122b717..70725f4a9b 100644 --- a/windows/whats-new/whats-new-windows-10-version-21H1.md +++ b/windows/whats-new/whats-new-windows-10-version-21H1.md @@ -60,7 +60,7 @@ Windows Management Instrumentation (WMI) Group Policy Service (GPSVC) has a perf WDAG performance is improved with optimized document opening times: - An issue is fixed that could cause a one minute or more delay when you open a Microsoft Defender Application Guard (WDAG) Office document. This can occur when you try to open a file using a Universal Naming Convention (UNC) path or Server Message Block (SMB) share link. -- A memory issue is fixed that could casue a WDAG container to use almost 1 GB of working set memory when the container is idle. +- A memory issue is fixed that could cause a WDAG container to use almost 1 GB of working set memory when the container is idle. - The performance of Robocopy is improved when copying files over 400 MB in size. ### Windows Hello From 4be947cda64690349d761a581161a80dc5b6040e Mon Sep 17 00:00:00 2001 From: gkomatsu Date: Thu, 17 Jun 2021 14:51:38 -0700 Subject: [PATCH 340/415] Update enterprisedesktopappmanagement-csp.md Fixing Typo Timeout -> TimeOut --- .../client-management/mdm/enterprisedesktopappmanagement-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md index 60cff29616..20cd2f1e44 100644 --- a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md @@ -401,7 +401,7 @@ The following table MsiInstallJob describes the schema elements. Command-line options to be used when calling MSIEXEC.exe -Timeout +TimeOut Amount of time, in minutes that the installation process can run before the installer considers the installation may have failed and no longer monitors the installation operation. From aa92580204aca962bbc54ed0ebe7e2d972814f64 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Thu, 17 Jun 2021 16:01:09 -0700 Subject: [PATCH 341/415] Added MEMCM clarification --- .../deployment/deploy-wdac-policies-with-memcm.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md index 73357d0809..a8d37771c9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md @@ -35,6 +35,8 @@ MEMCM includes native support for WDAC, which allows you to configure Windows 10 - [Optional] Reputable apps as defined by the Intelligent Security Graph (ISG) - [Optional] Apps and executables already installed in admin-definable folder locations that MEMCM will allow through a one-time scan during policy creation on managed endpoints. +Please be aware that MEMCM does not remove policies once deployed. To stop enforcement, you should switch the policy to audit mode, which will produce the same effect. If you want to disable WDAC altogether (including audit mode), you can deploy a script to delete the policy file from disk, and either trigger a reboot, or wait for the next reboot. + For more information on using MEMCM's native WDAC policies, see [Windows Defender Application Control management with Configuration Manager](/mem/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) ## Deploy custom WDAC policies using Packages/Programs or Task Sequences From afae51855042cfe4c59a72fab5c65086cd0cf566 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Thu, 17 Jun 2021 16:23:28 -0700 Subject: [PATCH 342/415] Added FIle Rule Precedence Order --- .../select-types-of-rules-to-create.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 1f5068600a..e03aed4e50 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -120,6 +120,9 @@ To create the WDAC policy, they build a reference server on their standard hardw As part of normal operations, they will eventually install software updates, or perhaps add software from the same software providers. Because the "Publisher" remains the same on those updates and software, they will not need to update their WDAC policy. If the unsigned, internal application is updated, they must also update the WDAC policy to allow the new version. +## File rule precedence order +WDAC has a built in file rule conflict logic that translates to as precedence order. It will first processes all explicit deny rules it finds. Then, it will process all explicit allow rules. If no deny or allow rule exists, WDAC will check for [Managed Installer EA](deploy-wdac-policies-with-managed-installer.md). Lastly, if none of these exists, WDAC will fall back on [ISG](use-windows-defender-application-control-with-intelligent-security-graph.md). + ## More information about filepath rules Filepath rules do not provide the same security guarantees that explicit signer rules do, as they are based on mutable access permissions. Filepath rules are best suited for environments where most users are running as standard rather than admin. Path rules are best suited to allow paths that you expect will remain admin-writeable only. You may want to avoid path rules for directories where standard users can modify ACLs on the folder. From 4cac115392ab4615a65e85638331d198ff23d265 Mon Sep 17 00:00:00 2001 From: Andrea Barr <81656118+AndreaLBarr@users.noreply.github.com> Date: Thu, 17 Jun 2021 16:36:54 -0700 Subject: [PATCH 343/415] Adding Question and Answer Added a question and answer as requested from Radia Soulmani . --- .../faq-md-app-guard.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml index 03baa2d537..98fc46090b 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml @@ -70,6 +70,11 @@ sections: answer: | Make sure to enable the extensions policy on your Application Guard configuration. + - question: | + I’m trying to watch playback video with HDR, why is the HDR option missing? + answer: | + In order for HDR video playback to work in the container, vGPU Hardware Acceleration needs to be enabled in Application Guard. + - question: | How do I configure Microsoft Defender Application Guard to work with my network proxy (IP-Literal Addresses)? answer: | From bbc34e8734653f6fa1c720a0f1a200df6d10123d Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 17 Jun 2021 20:11:47 -0700 Subject: [PATCH 344/415] Acrolinx "preceed" and other minor corrections --- .../mdm/enterprisedesktopappmanagement-csp.md | 44 +++++++++---------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md index 20cd2f1e44..78f0b5cb28 100644 --- a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md @@ -20,6 +20,7 @@ The EnterpriseDesktopAppManagement configuration service provider is used to han Application installations can take some time to complete, hence they are done asynchronously. When the Exec command is completed, the client can send a generic alert to the management server with a status, whether it's a failure or success. For a SyncML example, see [Alert example](#alert-example). The following shows the EnterpriseDesktopAppManagement CSP in tree format. + ``` ./Device/Vendor/MSFT EnterpriseDesktopAppManagement @@ -37,6 +38,7 @@ EnterpriseDesktopAppManagement --------UpgradeCode ------------Guid ``` + **./Device/Vendor/MSFT/EnterpriseDesktopAppManagement** The root node for the EnterpriseDesktopAppManagement configuration service provider. @@ -194,15 +196,15 @@ The following table describes the fields in the previous sample: The following table describes the fields in the previous sample: -| Name | Description | -|--------|------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Get | Operation being performed. The Get operation is a request to report the status of the specified MSI installed application. | -| CmdID | Input value used to reference the request. Responses will include this value which can be used to match request and response. | +| Name | Description | +|--------|-----------------------| +| Get | Operation being performed. The Get operation is a request to report the status of the specified MSI installed application.| +| CmdID | Input value used to reference the request. Responses will include this value which can be used to match request and response. | | LocURI | Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting. | -**SyncML to perform MSI install operations for an application targeted to a specific user on the device. The Add command is required to preceed the Exec command.** +**SyncML to perform MSI install operations for an application targeted to a specific user on the device. The Add command is required to precede the Exec command.** ```xml @@ -292,7 +294,8 @@ The following table describes the fields in the previous sample: -> **Note**  Information status on the MSI job will be reported using standard OMA-DM notification mechanism. The status reported is represented using standard MSIEXEC return codes as HRESULT as defined in the MSIEXEC topic on Microsoft TechNet at . +> [!Note] +> Information status on the MSI job will be reported using standard OMA-DM notification mechanism. The status reported is represented using standard MSIEXEC return codes as HRESULT as defined in the MSIEXEC topic on Microsoft TechNet at [Msiexec (command-line options)](https://technet.microsoft.com/library/cc759262%28v=ws.10%29.aspx). @@ -550,21 +553,18 @@ Here's a list of references: ```xml - 4 - 1224 - - - ./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/{AF9257BA-6BBD-4624-AA9B-0182D50292C3}/DownloadInstall - - - Reversed-Domain-Name:com.microsoft.mdm.win32csp_install - int - informational - - 0 - + 4 + 1224 + + + ./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/{AF9257BA-6BBD-4624-AA9B-0182D50292C3}/DownloadInstall + + + Reversed-Domain-Name:com.microsoft.mdm.win32csp_install + int + informational + + 0 + ``` - - - From fd05fdfcbfcb588e46dfb9e3a89117cb6763352b Mon Sep 17 00:00:00 2001 From: 38cat <85171837+38cat@users.noreply.github.com> Date: Fri, 18 Jun 2021 15:57:40 +0900 Subject: [PATCH 345/415] Update policy-csp-localusersandgroups.md Windows 10, version 20H2 was already released. Is this warning need? --- .../client-management/mdm/policy-csp-localusersandgroups.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-localusersandgroups.md b/windows/client-management/mdm/policy-csp-localusersandgroups.md index 68938fa3b7..5f21ba8658 100644 --- a/windows/client-management/mdm/policy-csp-localusersandgroups.md +++ b/windows/client-management/mdm/policy-csp-localusersandgroups.md @@ -14,9 +14,6 @@ manager: dansimp # Policy CSP - LocalUsersAndGroups -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. -
From ad30fcef294b1f0efa6b8853b0efdc0d49bef2e9 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Fri, 18 Jun 2021 10:03:16 -0700 Subject: [PATCH 346/415] Added the suggested edits. --- .../deployment/deploy-wdac-policies-with-memcm.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md index a8d37771c9..c5fd34e870 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md @@ -35,7 +35,7 @@ MEMCM includes native support for WDAC, which allows you to configure Windows 10 - [Optional] Reputable apps as defined by the Intelligent Security Graph (ISG) - [Optional] Apps and executables already installed in admin-definable folder locations that MEMCM will allow through a one-time scan during policy creation on managed endpoints. -Please be aware that MEMCM does not remove policies once deployed. To stop enforcement, you should switch the policy to audit mode, which will produce the same effect. If you want to disable WDAC altogether (including audit mode), you can deploy a script to delete the policy file from disk, and either trigger a reboot, or wait for the next reboot. +Note that MEMCM does not remove policies once deployed. To stop enforcement, you should switch the policy to audit mode, which will produce the same effect. If you want to disable WDAC altogether (including audit mode), you can deploy a script to delete the policy file from disk, and either trigger a reboot or wait for the next reboot. For more information on using MEMCM's native WDAC policies, see [Windows Defender Application Control management with Configuration Manager](/mem/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) From 503f2da0abecffe98fe95c5f564311dc13949ce0 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Fri, 18 Jun 2021 10:18:23 -0700 Subject: [PATCH 347/415] Added the suggested edits. --- .../select-types-of-rules-to-create.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index e03aed4e50..99f5695221 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -121,7 +121,7 @@ To create the WDAC policy, they build a reference server on their standard hardw As part of normal operations, they will eventually install software updates, or perhaps add software from the same software providers. Because the "Publisher" remains the same on those updates and software, they will not need to update their WDAC policy. If the unsigned, internal application is updated, they must also update the WDAC policy to allow the new version. ## File rule precedence order -WDAC has a built in file rule conflict logic that translates to as precedence order. It will first processes all explicit deny rules it finds. Then, it will process all explicit allow rules. If no deny or allow rule exists, WDAC will check for [Managed Installer EA](deploy-wdac-policies-with-managed-installer.md). Lastly, if none of these exists, WDAC will fall back on [ISG](use-windows-defender-application-control-with-intelligent-security-graph.md). +WDAC has a built-in file rule conflict logic that translates to precedence order. It will first processes all explicit deny rules it finds. Then, it will process all explicit allow rules. If no deny or allow rule exists, WDAC will check for [Managed Installer EA](deploy-wdac-policies-with-managed-installer.md). Lastly, if none of these exists, WDAC will fall back on [ISG](use-windows-defender-application-control-with-intelligent-security-graph.md). ## More information about filepath rules From 7cc627275eb7ef939abb5f7a37dc94d2a5e978a5 Mon Sep 17 00:00:00 2001 From: Guillaume Bordier Date: Mon, 21 Jun 2021 17:13:49 +0200 Subject: [PATCH 348/415] changed screen capture to remove double quotes --- .../images/pinreset/allowlist.png | Bin 33880 -> 33638 bytes 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/images/pinreset/allowlist.png b/windows/security/identity-protection/hello-for-business/images/pinreset/allowlist.png index 097b1e036df4ddd9e2f4dd657f4a9aef2a97dc1c..5b1df9448e00e4ddc1e45396eba1bba735ef6533 100644 GIT binary patch literal 33638 zcma&N2UL?yyDl6XhzO{N3J6$UK|w^N6PgvJBLdPDq=pWmgeIc!DFUz3gb;c!iPS(s zKtw@GLQhBnp%Wk^0Rn{1AHVP0`|Pv#I{!J(S}ay(&CD}%&&)mdbzS%K!ProT?}W$+ z006-E^vT0#0KgFp0C0$QoQqR(BxT#1^Y4)VGoAYYIPT&C=f_c(dj|IafT~2^-B-sr zzj=I~So#A1f6f2-JM`A^*hK)~?atGO_nrsa(Z_hh&d%l@93VQfT-{7m`~3#-#-ZBQ zSJDm-Um61JYinF6&AW2Jq;yvDtrgzODyap zJV}KQ0O&h=3UcVu%)Mq-S2#R>z@@KaVi}D&~@MQ_U@UmLjY~l2lL0?JcgHD6190e z@u&0t%kL>ccAIe#RonhRp_-s|elgY$J0Li~veB0+6U>Wu#Hjq&lF2t?u%*Y8ZEv z^Pa~^r3-WdBKyRN6a05(#1LABdsSEVZ%?90O?^Bq;8V-iPJur4>?3v6gM16i2|RD| zQ+VoiG?!D|roAB#+nfpHwDO@_Zf7@U7bGLc1!J?q6=zaoYv+yXK2QLFi6?H)uuw$P zY8Q$pqqZ8 z{HktYIji<}Lg#f*^V#0RTiE znwzKAdsQ|&^3^0*BH?0w^I~WDEUR7_wK&qBbx36|3>zg7Bw~-k&G%M1A^XX4b!snY z#5-m|*J@j3OODwRhvBQ}*T?_^4J zWZ8>?L-hd)mJ%(wX%>+Dg>Xdw1Vu^Q%RXnAjOlN`RcLJw^X{ngwWw6X9|q)*|ha6#3?&Cs3Pg!nRt9N$UhG7C;%+IwwcIsz^URodR_ z*XTF4@n_9pO?NivDW5;TqF&6%!_0~dEs}9B6n6r<1Oh-hT1(8~MfTxV&6mt(1WX~+ z=GSc->_)Hfs^eb2>Z~7C!ojEy4Auu+923c_M{XK`?Y)fK#q z1)7(Ji`M!~#iMQx(i9dm4-p~33;ZeOL1P{vrGfCTa58+c+<%n67_v}pJ?B2HiEe_Y zgy+r+b&rv53@1EJNh|SLxH+cb{&xf;=uL|1la>q>J()nsfQ34LI2Q>VQKwRcYtTPt zN@t-*3x|1(6tU%dP5{8gN;U9eK~qzcZZtw77^~(yhBA-LB^(_wYJN&euGH&(Q2JrF ze!x)Gyw~U-2-^gGdd}tI5i|FR!Zf>QR2)n|Yczbd1)?BgS3a(68b??1-S5@{8+9<} zFM0=Nn#&%HJ#DtX##5;{(kvK;ZPI}47vk$qHiHB80ouUYD}=bFMS_m7lxkwJ?fg4? zZ*yO-EG4dO}S;FVA{zm9y28*C)1ly%%-37TwEf-5I54;!^@eCRx8DMFA&4o zLT=O5jVLnD+ym$H?e|&28sMj*-T~8S!|&|J8neLKSLtFF&Gmc330A-pX`xqz$1pko zK*F<>W8>TWO^^59Q%ns9dG+xg71YZWJPM}dON z{Bh*1A*~^&c>&Mh%GT!eA`)}YRKR2B89Upy>K4HXzcnKvA~yezMcA-2)Xek1AG3Vl zqggZ)l#5H?0bC#x+&aDFzvQ*1ZJ786Ir}@UiA^Ldd}o@9}1jPuv2& zwhzx8=+zy|ooTyY`PDxkjpJwN@)N zCcjgik?&lZ8#VKEh6mfSBhVNb;oR)_ONo9Q?;iQ>UZhXr2a_T#4}N?y(|A&%scOw` ztm!nzcn%+0k(Uo6OgNj1$Nhn1W*L=Daz;A8xW4CGCUF+jJ36?LSh=5z@0V=G8Mh@= zn8R%rV$g$zKrF754-s8C5896$_X8%cA|5G~jVlk5S!pO2?`r;vu*v}T&~q?Pz?ndX z9iq{HmaNsUs&TSMxuYS5y{FOSczD8cn=+!x*(xc); ze2xEOnd!CX9HR~mhPn@BrUiuRc&}Uzb*qTTB6f@2x{zFncJVfLt9kD9Da;BX*K}_o zN=(L1$$)q4J2dZ8=J|E zXib3Oh7A(0$ZD;F6tq|%FFtSDe9YH0UQQQN^NwpL%p44dhoIcPzZM$le7Ha~qV?Yy zOA$e4D+Ws>jQGyOKOnR!Z?dS@v4k;<_wWgq+C9X1+ItxT=DBNKqGSux6YxI4ZuCO@ zA?GcCM)ll1CpGUun_dt@aH$zj!+}(L0f3x4%b?)+nB$oB7lXV2SKTfpc;FF)iTaK- zx%HXH^4qM>h+VB?G)UZfGtbAzq)s)}r^Z87ML`E2bw36+L=jvE%N!;Y6AsJ=)TT1J zal=Je>sq&IE6g%2%PZdh6(b(C()k_S2p4G*=;)N)V~8l1%rgUPLxR>9nDLC8qqD>B z(!7QrC!uzNOd;KYYGlm1=@N>PN2hq^KHCOMEguGm#J@~(ZfPgzYEu@jwWn)8(yvmO?b;&7r@Iwc5r|yMURj4X@9iXw z=}Z_GUJrkr0M{D(1SRtr47!sCYm>_qTC_^@_DJ@fo~aHygQhNAsOL`%m~J2sf}4&> zdc9E7+@~Pp-T-FI6FT}es;-9t#_R;TLPIr}g^LV4;0VAcK<{KzbIkGPca#Tz2ajb6 z_pJNvFJqO*=V^!*yoG(ZQ}!XiqFMMMV7b1D*tox*Hi_}!0 zF4GBm$=g1s=`Xf|v|TzC50P}IOnQV0ymaf=^Da@j<0?LqqbxnTvvIqyfEHuz(P71% zN@Ec1jBtjdgmev$l5q{4-b(#vykRe4oFl!rFk&het-Ps$L069gtSfe95pL7ZT*^JS z=RK5P0&#w+(2lo!UH0f!G-X5~T(bvH1^|YTU562f=4iQGB>&ew8mj}Fzo5<8?HIC?nvO z%C|`8j<<+x37SJcp06JTOOwuzW?L_Td)-j`c)e*RQ`GavO?sGy5luh#W!h$4OG0wZ zFc!l=8pqkK!Kw7fh@epG>m287r>d%&!ey5&5r##98v1!Gi&0e1w5mnHT1SN6SN3MTl?K zDEk^g-L>;rzIwNBjpiGVF#AJC*O|%gY04I)t+uuAag8G53rB+tpLuf4f4(NS7`3FS zTQjL#=!Du%47EZSbw5LUhp-k$7t-9r>MP6leBcc0c}0Su>huYh$aAz0zDI^CF$Z>; zLH-bKCugI9-Pt(BD*G@o?;%T#6erM+BwGZOw7>L%{;h^Vl%=Zx03~PH3zhGGJ`l=O zn%gbh^11)Y^hMw~x!|w6 zD--!zUuknaFByX%I1D(OY&r@CMF1(xq9R%Oz^xzbJt{~6W9 z@2hL#F=i^sD|ijj1SP(?g&|Q$?(Iqi&j0pgG}I;O~nCm-86|rZREQ zoh^>N*{-IphblV!{KvcxlNP#k#xXI~AYe`lLp1Cl?*>#mK^4hF+>&fy^@+Ky547~X z4~(`{qVJB9!_-}u#IQNAGw?uinjU@7l(D2Y+_S+LuEqqO;T&e*eQyo-e@s|c2clxu z80D9PGzuO?j^uJe&%@I-SLnNgei}6aP+fWjmx*1`6urC7b+HoVVVDc!xzscIrm;De z0hQPBU;5i@>D@%bC9+lJL4C7B!zfxmB+@^X*jXY=tD_d%*1GuK&JmBvPWZ$i|2AbQ z0BCSx%o`Ht&3o+YVZn{ zx0dxrS?bS5wAZ*NC=qJa629oB;X~y^?XPOOkMF8@zmKUt;L}iFyQQ(K+x&5<`Oxt@ zQnfg{0jsOUHfPV}ZxaL|!Eiw)gP@jZDqvxk?1#;*cg>&&rYy22iAcn1V;8-l}g1*3g`dZv% zZL3`g!-^`QTaoUD6MGBJ*aXlCu~Qy*Jqf-b@HkjJdv$JBN}uTqRo*cur3b$Rwu(%> z^j`_Jw@+PG_ufCAp?d^iT=`fO;@!fCasMa$LFGQHzh`7%=Y<$F80?esS8P6Cb?*D; zSMK`O$jUwyqSIW*a7lgh6U*Yc8@&QSMLeu)mO_VFSp-&XvCetqTtl5;$#nGUWr*^* zTZEwO{LlR&qg~)e-vkD&%8s2uJqC4$=Ad$QY8z`UI~3BCXo#b|$Wh~%K5(}`vDRm?ErrWo zYdHhlgVMPlKD?0%w<~y5PxK*w7H|(MKI@&wrJI@%9~hwMSPm05o?RWdA~ZuOwC7tC zvZYd^;RBwgEHjT(X7`|h^ZuJoX`k$g-`E6r=-|K^;NV?y=W4Uy7K zYUqUv)`B6s_55eueoZ4uI5cGbElvCx1vfI>eJ#=|2aTv9Gl&*#Qq2`VxG)XEt|HP$ z$wxm#jSPLu$S{{`b|X${EUpaxyxyP#CCDhXn58vH;=GD2l$zRuQqA~64Vd9+we<*l z`AWHs!*fqm?-97{*?U~~*D!h;LphBBcWo6`AB%1Q*~V!YyLjZzgZmR5Z}8{2+p#Nl ze%@jMWyb*8gMB54h02?o;(Sra{bcuPQW%hO@4*iE+w^+52lX(Y#O)`_8qGGMTA!|U z3z(}TvpjNt&E&4y-cdCeFZmMzeexlT2FzD;w_hGRQyW)&fFBY;${GPv#k*l z!Z(c3hPi`3S4-RMxI;7pf4Em0%P`f(nu=G4)H=a+MUFDpxVmmw4t#0)tCci89Kn@} zhJlW`$4%GbA4OZqc$;4%EIw9c-WVw$@=*4-h3pUsjdhbzcI5_1b3X}wP&@l)Yy$8I z;FMCl=9)$%0+w>-2 z6J7PtM(OBo0n%C;xNt(_&aaTM!AxqMzUhIr_)v*b;AHG0X*8rr9D^f!EiN1h*xAb; z#^185!u(E9{3M{YYfR0KY~Gpg?(FpCwyy@iY5$8svaklCn_~rSWJ>n}ptSm~XXfu| z?t&RgJNklDb7)<2wIl|nqjt#0s3N-fgJF)i*{^kYQN88xSba%cHEE8>cC2r-(10Dw!4j+uX(kKd>? z*OU$JNElAAZv$O4ocH|fn;^#eOFZjk10O%PfOvpJcX#*LN_F+!AlJcmBL{Gyu{`QE zC>N-y&r&w}cBsm^M-hE~roz7?7DvuofsOW;%yjG3O>NkrLJNhx;a*oIhUjVR=NZ;l zq3;^&2`zACpar!382g*C(RvSFUUF?C)Yw}?{X5YiZ-T}*=&fvMtSnfKRm2cvZ_5t{ z_QY91Y{Lc_@q=nKi(Y6|y~z3$4b_YRl1=Lk1r9ta&ZV!EXXA^kQRo`cw>;GZyU@z4 z@C{2?1j=G|iQDer4pB|pN#9a%#%O2uvzCHQ<2wj4D4hW-Jb`?F7yuaNePrPM?P-nu zG-&Re^5-3rX{S_kc1SpF6D*Kk?0qiKq!&)cjQ&34S2Ayx#k^)(?`jG0j- z{1w$$3i)|_HaYOT6vmD)B*|ohzCppp=u}P^knz#{{6h0f9Xs%dyaGo+Fv#b_q#U!e zFNtPaTFlSw*VnVZs~HH(t1|X$eRYGb%PDJ-GLa$W_5IGxkt3+K1WOLt1~K{3q+5`Q zx6Nm?$dmN^{v$FyxG&b*we^Izg40W7#U6w7KQZPz6V96idZE^C z6YE>8gbLAH*p!goi+u5v7%3xD4pqtvN9)PkS;FHZNjdQ{cKA;ph^Uv}%`#TKE}cR$ ziz=Kct}9FEwdIdjQo_v31`>Jemf`m9jPboE7hk8!8n?z?lV(Bhq@}o0NnxHfNqfB? z@#DJKj1Ks)?N*F=vUNdmM0%yL9|3MQSS0LIphq}&X#b3dMpJc0(J$eowYi>~MD$GAe2S>z z>qV{<;zG$_tlN~_M+GM<2PU>vJYPn4LGfuzc4}dLKUpfpecd)3O#ZlO@%y)Bp%fP+ z)a2Q1TSpEihD8*cf5<2V4Ke5Dx98Wp6SO(4J-1FsFe@e-ohynZZ)KNOG&uK1vH$i_ zf79Nctaxv~)?R$;2u7KsbiFHJ&qD+b&Okg zwwX}WH(1kS>;;*6R{H672Y@&2ZhkLv*6-s*%(*)R`m~rPlbX@niBJyH*c&g<^v7C0 z$4eFr`byj(hZLR`Rq(79@2&opxSsaMj(;!-XS5go=w|@HDJu@;!FjY@Pec9*dvYKB z5#=})&i(faVqo@y2I((x@ko+77dIo8Cnxu7wdC*Yjqa%r^8f__@PWye+3ua)D897V_W$NTc2M|-8~)8ne3Z3U*S1dbfQmD3q(W@I2z{jrC$DS=$p$;4Mq4U$>A7lJ<)L6gT^|yyBHk_x@RT6a;YF6OvbM$l2St| z=bNRL+As+3Kxibod&=E0ddI9yWM<;d>Uf-WH?&wIlr`#jR$XZyRW;X78Go6MZef!+ zIurn~D42`v_kBB28d|$=D_EceOq9F;VQJp2(f4E5%*JRUQt?Nb8VF$2 z@|T?@f9Bw$r)=7CZS%8DNPVw1e@Yb=Kzl=oan84K4WEZwK@h35AZ!tG9^=Fo8 zDXzY>PWW-1IpvI$G!pfMZP4kr&t-|~P1mZfIUh_2Lef+bWJio(K>n-o-SD13M$O=V z%;)r7gS4@4jX_3BB-;Zkdw&gPsp0VrbA!G|SG{Yo?}5NxGOYsC4x`S0`CO$?_7u3Mj8CMa#YVKwd)>!aa)`!Bq1ZE2n0q9J&rlZe1e9`&|FXlS5< zTgmu@jgg6C-!qiGy(*bVzr(LzhSy|EKJ1W>QZ^cAgYtBSCooV6-X<h=x_9!tdsU z(y=-{X?L-5MPzj8p+AWPeaoD~@#Xw+0x%ufVdS}1eJCJ&0z%2~19_y)sIK&rzMKb9 zmfpF^e(=tMB7a8Onubb;*Zw4)R(1vM_$)%Oc1=?C_NnB!+RDptVQ;dRpo1gx?ktAp zp>;{S~b2b-gvU)gI zQ1%Fc0eK}8VaHd8dU92cC`cP|YhycNp;*Q8xoxu+OXfd_10^GMjgq&SAq1XQrB8ti z6g4l2w=n%NbhA#*Q{Qz?1pmx3vIeHpNDxX4Z~z}Bm)Eo~X)^H74?(sHq|w8jkw&!j zJ$I;bC>FIheH*RP_ii-CwdHF0EoI7ivUiY*u6G?rmUelD@Z!^d`>j7Y3#i1| z*;z&~Cu;#%>o(YKD*;&icmwoy*R4f;mAmU2rxC|*{+ZC_$N$|I+6-F9|7@E!f_6-N zuk#0p{BP~RvzVq9clsw!wdIAhKz_hQRjk!Tgxz$nc}Il=N!9G?n)%h0<;}slJ1RbY z|IK?ETR5-VRoM3|R+?))<@7x9o47+ggHeOTKSl_@raq6K<46{Ok}su`*Om{fSbbeB zQIa*{q(X3>H+@&uINlckxF5&KoZvjiW&gz{U8?0&cwo1SKwf}*=TVAspn8!tgi2J6 zP2kLsip}iXvNoo1C<;eQ={&FlKB&cmX=@G45C_xQjN0qI z*@9z_b37LA;&0S6;icRB3*Tloo>7blTmHMhs6dOs$2Xr=v@YV$`qX7HQ(rmGOA@W z5KFp7!MrY-g{C{12!6uJ;ZS)OawA~TbTZ?Z2nlGrI7HZD;7V6xzg>{}2mjZK+7Jqx zlzci}W(P7J8U!rQyI0%rq^s{%$a&f1d3wq-=fpCRTioeypt6tbU5cu$iljkBrl~45 z@_y#3EJ>9@;Wyj0;p5hU6?rKBCN9oRZXBd$(6=iu4VqheH|4uu`nn89BMc^l-u0`d ze{e=^H%Mi#3_g-b_f(Ur=v9##B6Ps9dQ1)dV~;2c-p0i9h1*`_dNpb;_mJ<>^}6{! z3XD5PoZdY+I{IpHuv7mllc82=m%Xb~n)9X5zxFoJVtR}!YTB^5h720Su?}y zhbK1HA(z!!-16jYklNcXE#8x6lLa$?QS1nI|4CbB^H}&%<49dRwfqtqvDeylLja!n zS7jLb3tnR7?f{8&ryLA)Y8dxq>fBW>@v<$j=qZJ7a|(N;gLHl>Mhb5D=Ub46>n;q}&WU z%R>rB2Zw@TGj>@oBa=mLTOK=>v~I(vR$JER;MjXhXha)I%1;!{;?=4)NQY@J8JrI> zCBYMUe3k#&)fQMzIxMBqE3 z;!r>5{!#J~0?FoP9kBq5S*068Pd5dQZ^fX~?ruiaI{^!YWl-2_{S|kUS+5X)J?|_mWZHdBXxQSA8{(R8Fv0H27)DW z%b+irQ5hl=zvabVIIRH@_seS=Lf}51IjIcW zhychK1FtE3gvVeI4YI%(84IJ6Ya1h;9}SpT?P&Q{q~;NXul~N&c8CUosRWb5OmH(RuE?pUyB1v+IyHS2T ze`aA_`R}XnRBBSUOLjOuylI038q;|W_hF`?Hi?OAD^xqI7uXQEGQPfDH*NtbpQc}& z==;wFzO;6@M20DJ&Yhm2HUB;8$iME)3`J7}g<9?iLBUKF?|Unr5lGbX6pwyz!SI&B zgqUVnLv>9}{^a@2bWk8rV?S!Yi75jtc8(ZWRq+%Hib>FD#{u}G{_{S+FZTv@7c@7$ z{mUtOxC{&easv`FF`*mt!{c%T^HtMJnPvT-g=~&eNa>q%;~=qMKGsDR2XTrBnzrdp z9P_EYJ!|4=m30c@dm#$>FvJm94odreTd6laRON(X8xi-ZGH~_!Yxj`sFsV-TQV2>D zw(a<6bn+y&u11g}ucCse17cPyo0TGWb7F%sLpO&19Y+!ZS> zU)Ije5(eixpB*B~48`YzTii>6iMAqs-QCjC$UnQwn0XvyU}HP9%nw6yXh`U*6iN4L zNjZ(o5h#2GSKl5~ourd11U$$cK=6}F-?Dn;8m{5uq3wt@bIz#2YT0zc%3DDKlD@ z*SokV#Q&(uT))XA4SS<@Fd^Te<;!*Ok4;(JxU1zvjr}XTbX`qSF6_~cneLyU$@O-J z$9OZQ9&DH!IG651x|7%_ev5+@5$UYh{8>_CujWoqxcWjt(r8E7#fS+-MNGI^K={pq z)SF`EydNLC4mM=iKBrvJSi?)9SO?{0ANl%Ebs&%p~)&m565%5Y$Ee|J0Gqy9~j2MDt|__ z?5j;>YCmq?UM&CJvcHb_9d(5JN?~E)=U%M?_0>+P?1vxY;^^ighD-|PDohRhF>ITI zMGgH})Lvzm&eKxMB-L1l$eFr3uq%Vek{btaS>K3)`&|R-_4oYz90pa9D+hH;rj{-WfWyI$8$12vHUVD9U+J9MZaupYP zU`b_sj-_mM;huOM#89sU@iC_>Xcyx?X?_MtgvnOZvI8e6ge#7)El2yYbC&E8#m^Mn zX76_5hnt&mNNmHjYfMLG%e#ZjYx^d9($%2Oq2F~>C>ZBo-y*$A%6A^!ACs6(+zg0fL6%$o5A>J?y51etz}-MxpFA|qx8uORIp zSxCxO+GDT1vF+dc-b+*Nl+a`2VW){3OR}Hs8<;hw1?)o8tF-2C-5ZF+o^|$c6Rw5{ zL@=IghM}0MTAk|DJxB-Xpn~kUIzs+z8^`#x*6q{Y+akHz2aWVkL-l|XSo?5Bgj^&p zR4XJq*lB=jeYN*d;&{mCd!~ek`^@V%(*Oz)Eg|#wfLs8bSW>c{f;WG9hj^&|qeqX_ z4t81jb3KeiXh|L|zMtqx3A4zV96YMX+bx{0uYZ z$WG9?b#S&xD}G@S0&}3rW)~;`BR9E|9LUYhFf`y0eq2+A-BGnmxquLe3Mfm9On^%cZ0m;QvOacG%iuRyr+7 z`00BX)aE^>@KBiZ?zSpDV6HgvMfv%Nu`yv9oNUj@5`FxbVoyG6;lXL}mxX$N@jD4X!ON)>&$a#b0Qc zMq~ZqnWf0g*?b_%`X8oEYv-up@If96jm0GbEkkS7LkQb!qP!2k4POXyVrrNyES8Gw zZ}NkonML z14W~+M6&278_5`7>dF%`#;=-TxAg&b*r((;=JH^vsT77oDW`CabE4(POBobdRBnm) z#LOKt%jxRONc!_c&93Vsg$_VjAvc01kaWXVDBt|UYL?}MN927E%kG;_TZA31`jkcW z7BA7i&Ebya-sGyIX?4bPEA|WNof7UDFtc=BqzUMn)!x!!A#i5Sjt;-^&fv2YJg7FS zp*XP%uUWh+KzC0tg^M6ev_R!UgWRt3#!@p3N)a2o;*GbFQkKtEdvrre(Sqg7SUhx1 z`bE8s69csN+^V}?w`JEbzGd_lJbphP{2(Vj(EWf1)ohXR3`X!IgWknBt6biXwv|>@ zdW1DnYb9Ro@Rd@T#-{jH>?FUrFS~_RlR7(|%b_d1*q|@s7l`JM{3(6y+S}!87>mh< zInQCwnWO7LKioSd=3FOZ!xe5&PtQDVsuD-^tC`-DropXW|F>zjtXzm|Ugg#CDFE3BuPJya4ZRf5?mc-T?8%zPv#l zEg+Xz>{z(1EH;ZIp|x2xz0U|9%+uN`ryvhXswb=^qLfXx8#t)UcJ}A#?xCS=sn#Qs z9qy%>%iBL!HLWyq%95rXgoIQs%MiuRaPU!4$be4}*)he!;7zIC9y!tin^?X%oW8R+ zof(-pxL(gqHIiBQ-K9?O$d}A0t_SbSK6|>V7cKUSv<_$W&FZHshGVVMK}ta-D$CH0 z1zAVJDT#y1E>MDu?uLkAN%^S+(05{NL-!Z9XJ4LM(1OJS#DG(JxZ*YQcuUL|2fE57 zFm3sP+(m0Cq=M(6kL#Vqlv)!`=9xO{++N`8j8!SS3V#TD*r4&fmjLmXgvzAV7792R zk&0d$@RZ54oULo|G&|-=YES5FA?w60td-rDJwPU!R{UsayeqY9ezo^EK_e|I{}ZqG z0E;QnX;&HQKD9a`@Di#-)h!Y_u2`Zi=pRG6Zc!uRNS_fPe}vvWH2H9zuk`1{&gOI? zA#?&vC(k}q=srquAw7a#f);fO2Y&88I{v-W_tym3+)bGFytczo@@^|(49?TbcRnmp zdFKZp zw!)jfNSt(+HS>&EQvWLQ!aFAaIXYUaHM09?gxf)s+^EiUw|AMFt9AW7frF{XvNwT7 zNTVItT+2R6vOQe8>@&$+EOP?m+hISQvBnsuh8>0$mfAXDKa~4)_gsP)Spe`68U=Qt`aC zj0*POiHCR$nL^klZsQ*A_SnRi{)fj65W>~$wtKrl_<*8wdr>zpBu8syrjy-NYevBm zy)|{+&RIlwiw3Y+(MWl#H;$r<7ZZPRJ`5h$ZZFW4$ zwDP=W;Q__l<*%B^6o!()2l@ozFjQo6GO^;zeg^GUBQ*zE|uH;eZE2R*kudo zQkWY$t0$}CVBdcNyf@cfk`3Y@8t~4?*-Z;RjV7t z&0K2ZV%~mP->S;6qdrtR=V#DRm+$)wY}b;7>vWqa@Xz+oqp2faFRYF5_;&|Vz|DNF zUB|`;jjSN|5K2A%J^rAZg=nv@UkYpA#wvUpkB4lg%#t>X`J`W{=>-`n5|)ajr}GZ! zhIpeG=@=WJ)-99%?72n84l89qOD}w}Kx(dj5l`5PJEuQ96JmILr{Rex)d2sX)rvTz z02_NuYMfV{^^`MN!8byJx4F>Y&J^Mx42@r=$$mEJ8wlH+_pP343G#KF5+25rvAE?Z zWjRUPaJZf+QBOd%;};PT{)^POc6m$#{lbl4Te8-bA!w2N`j?IDs8z+lvjwy)xeFm- zxVP}W%eCIdKaw5uakOhl?s;usLTaQd=#}UE!Ll4K!Xs#7c&7L@%YAw&OJuY{pO+c> zTeawyG$pGzwz$V+>1@SAnYo+BlO2W9X8y3zRpVz7;r{!NiL_b>CWKXF>03Wz&p)~U z!l{L97~<2~HL`xtU(_zS%*iZ^l$Y|MM|d>{B&JI=>|S<<6{%k}sP2VEw!gNWh%puX zY0;i*g~$SM0~B}&UA8&aL7LM^6ktR^L0Zvmer9d2tAlN zfb{w!L!oQ0ZR8gOYJ;m3NVXBhD0tT5`{C@@p#55py3!>@*eTI4Oh4pN9M=#Z?gf~$}?_UfMGzKhrF}Pg^A4h z`oOu!ah|Mtx7r15J(kFZIk2c`V@t+p*iDLylyBZv0m?ERw6e2b+`{pEj}vfrr5e?S zE!u7mmxzLCOJHgL`{^HSusa$hglv)ABn!jgzxB2ktI?D`UrtK)`i<}@=oyKa`sgAW z@+unC(Ig7C3`{W3R<{!P3W7klT3e!H_MG3|-CvI>I*BoEJFiF(x@tgo6?(Sgy4H}j z?MJK>30@J(uqK&W`f5cK(7rsibZ>D=jS;};i5@t)aM$+YhIv)T>Ohniwn`HYw!ocm zaCe9as|Glt=q@!|fJly{UfNTyNxQX!-Rb%r@^m_K?&56fk+u1nq#=5~Dr)769d5Ne zU|fXSu-U?iunW=6!Lzq)l_ZTAi5ndB^H?`1KFH4B$KPL{+ijD%A;W?L$8c3MT-#?0 zBT^9Lm^E|f@$R+0gS8j_kG0D(*QMYTIHe{?nex zykR34X%M;iz2e1pthmXqpypypiXd<8f`#F;$II1mxzNc%^(ARBE3$ZIF~oyBUrT*GQ)swWl=Ki`_BxPG&KbotDdyMf`)QPM)Er;c^w zYcIufk?6bGjRr}f=+YC&z}1*}dS_mDG*V8l*?=ARVh(R*(n>BgYXWB|BUZ_I>EUZ$ z(Ly$IlH1~6JjhFW%jUM)FNT-!mm(8y!ZHOdw?Du>?Owaf67fcDVl#i+dZXBDaiWRa zubpP#oibOwc-AR3pFw*oCwi2!>CE)1k><^*jjNm6{48~E%c;=2 zQ`BE}ZFhGLmh4AOSR(rk-8a$BuJ2pbwTQk?Ar*jz2B*_~+J@er^9VJO6Z{WwnkL1t zv*lZg)6Q8fqZMRV3{u=D$Vc(nff!z6Kbu3n_NHc;CZ_L7aD|y7a@(LV?>^02&G_x7B7cD|W zeF}_97%4k5Z$>f8vy~VcUSH8R6$H&?Zkkarz}y(HcU9m)jzL9gy{;YB_0b2GRzKrF zMpOn(`4VfOb69O#4%q~r$m1UeLvKX} z>_jd?xg(eUXc6+=BABEMTHG&H)W#P()XTmX*fFAEeiq~b(nVqFQsj`H$zqkLV$hFE zwtt6I#q3Jjci1XCl~WISKfpf;ndPD$r9ip#%`?W;8%@VEY!5^{7j0HD_P-Q{D7xl( zR17Ak<@G+J>?IXOP=_bDMVKNpH`v_pNifuj-5n_>vX*Uv6zUTh50}BC!i;?bbHlYp?H3yVLB*8aElMgXE-*=QAQYnXy?>e3 zxy%P>^z{awc7@zf(vS=_U4&SFJ9482#^dE;vchs46;ImJc6B$TYk;Tcpb4dnb;K{l zo#l@aw`J?Si>AvhMP}(qLffV_3Qq;Sgpo?~icB_JEwa zQYhNUtJoSXm)Jt}{t=o;HX3BrNMvx>6Wk4-x9Bk)fUmpxt&jv?!+#vdB>Y!e@uJbc zS#Hk0bG`nbIT#tvjnD6VJ**N|r`mW@OVCew@gh>$8K9%<*>x>L*}BpSiH|zM*fZr& zes2ntW(|jndc2O><($6!Pl+$(wn1{Ni$EMd1M?;tn{w#l`X4I))KkJHR>70YIEb_c zJv&bJTT^=lh(Gqf5Nl1R@K)w;0m$_2C(_3J3*tnP?b90EK7@0F@1kick<)v&beBT?8dtUM0{IAb{ zgfT$LjeizsJHGti8Dh}?Nk;u&2_pa0S^v*DC;!)^l+%z(j@3&nYn(ZZ9p^d4)v-I5 z%Y8Ml>8X4a(t^nvzN0aQTX}e8oM??^IEI8Y0`1Jr=lDHIwY~)IHz(!waxy6htIV6uM5mcvKdOT#GI#{ zuYr^g8$F|61gQ9J>^D9{B-rKmgSd#QX8Hfr3(8)*2lF%m63!K=ml<>m{ujyi&)Wad zbf2Epq*&TY$km$anBTh>C25qk#E%@0K<_lT4@--w_>T0Liqnj2HwTK%YA`usZy-wAdF&?v{M9oNn}mFSW;ULWQ7r#3P1sp< z5Edy@1%{0JgKF&=p>g9yJdLf?qC|3@!Sqz)jk#;W(dFQi{mxn!T-4V$PZ@^|mJuD|(tifk$@(NlUs_n+V)N=!i7 zQcdR(v8^D*oBQp;F-q6vZZ1MR}j9_#Hg z=6x4cKcrk=&u5IY`-gtqNsmkockbX9%T*4@l=}gGWcZKF(u&l;)c(7AMm?fM?|YB( z)+;z|B$*?OHvJeJX;VPb&7mHaAl*-vDeRG{f%&8(kV)@mQGZiHzn=K$e!;G0N7`Hh zT2>JiMY6QErVk$`AMB1w9M#XU&zZ#SLQ^9q@CpLGDJT549}~)#CEl8zYB=^5UHOhg zo1m#2_?}gxb)0B=F=d*O58ccF4CaO}@jnQUtNdUHaQ;;I>!9pO@x-zUdxc> zj&7Uwwz!$JWV{l*wUb3tm-?&y{=fFlGpwntYu8xWii(QBmTCp*Dxp_F zM5Rjah)9jpP(z7|fPlbOngl`-2%Si;0W5&D&v(T;k-EaBM`L6Th z{5W6!u`aHaxmM;{bB;0Y=NV)E%eBwtc%;>@4d@)xlos@$o)K;{a{A1efMAh$JQZB~ zM9FV==2$0QpebfUuFx zVO%Z=gfk=G`iI&muX>`{ZiaUBa3eWSGnt0-hIPLhR$c7oH&fKse5d z>DJ7#-U$xe+&^=5y_DY8YG!zOI7W7k&HTU|$B|0-yE(&Qvyaw1fhAbDP|q;@FnGHw z_N#WSkKI)6*We%!$Zy#;nVeO@#bR`zz&XO_)2k)@crpi;v7@wxTz1!aggY2q^?J)z z!WP_OcEb&yz%4|lhdhJG%+W)>^+7s2=sbNcjLsdjASu`k016y3BaHT_O_9&gWv+Iz zfZgJ_R5_mljtb1e7A#FwqgG=9QqN-xPEIyc{=32a0f@*IIoJB##!G>R8#Z4CHleYx=#VLo7j&x;Y{}<(6XSm(M2=@M z`y6WYyU`*jcw4{z8Lo9rh+hq?JI0Zax}u<*R8$L(*btI9-4+{Lfr_DEOo2^0l^o)beFtDws&kT>gm?YT2OXj*N|O#M=2Z|^TQkTgM^CUpq zoI>2{qQ>A$$gmta7_CG(N}a#g+TlI8yGm*&!FPW%$1EpOR zw~!}}L(k=+*tt7|L zZn6b;?VZnt+y|0@X3#;akX}yNg}PSCTkW%dxbL60vi`i&#fNbKkO~ffBxww ze=M`5`N(UN;Ib)T?{07Ojr{!l<&zJGWj4nkq%-aZC0?@e3Gjn__pi{Fv(5q}SUvT( za}f_E;`ly(+UZ?>Q4jFfa7XDVy2rRnhgrKFqszdKM#PIqJI&OOC+*E18Tz-!ZK|eD zev#F-kTFoRdqR#(sJf|9gRFk(gL8S&kv>fpS%Ne1tK2{-8R|^XnJnwUFNva;&l>oV@ksTUSVLG^?CQr7x`Q` z_@Ex+hT*-?O~;h_*KyMyZKvFNcEe}aCze{kK^IkF7c2aVR7QYxqa$4<6La^X9xx}8hx9rH-U^scCyI&U002U z#%t9CI!%f?Xe&Q>d$ltzK|`^+RowLQg|7%h}kgFa2#&dBXI!?(+RVVsmp^!EAS8gyuHE*c?| zK2IeTysutaQm2(cJivu_+Qo>?T*I)TH0A zH+9D!AztPQX%60|o*8G~RA{ZTNu+j;@t*oTVf$Y3kae3tgF%J1)1*{S<;n+Zqbz!j zZAtyI?51LaMv`bWc=1tdw|se5kt*4q%U>%u^vGkuB_t)An~Ehrg? zIpXu&uH<-(k#sWoNe%I-t>#zSji~Z*vxy(jT%HCd3F>F3^~SkUZ`%OxhSlD zx>z?8BM0(deb^0`=yV~-JN0MRP`CE0>*+fIvnTA;u%_9DZ1>Y=EKUQItXh(G#j*V9 z%I%1r&K2&Wq3cQpbAsJ2-LoR;DOClliN@{lhsO7v6~iy1*+%lpF5@!u`VfflT?LWPxgV9YddEPIXra>I&3xb`uT^LixGcPQtn@;Zfuq| zG>mbJ2?;^MC0%ee#EaQoC>&DY1!4_eGPr?L$?*A=b zQH+<)43*wHXpl@@HRe3Y+1pp96G8O=@f1oExVn$v<5HWA0xMR8PTT>q3C_?bA5OWj zk(dtxKqZSY9^RgHiWAVIJ;?G8c}rtvo4HS0b0lX^XI69kOen-@FdT3B zrI49D{kTqL9-yf*f3R{4C%(tK1%pK`-*D8q#qHcfkHc&_F6xU8o$3CI({sG_+uubd zy2cZo)WTuR2=YLBu+to%sJGqkhWh4EXgkbIN-a3`*YKrl5B`1l04CpX7Kl_CPX2>F z<^MkY@Z${Ln(h453qD*ibZJU}PZ!I7%&q-f+?;<+mjC9n3BjM*8g0>ipfkU?r0<9x z$ZZew2V^@E=%Js9hrv9Cf5TH|B@ViE-QXn;m5nRAy1I|2}S z?_czK`{l=Bf6sa(4+WG4Un{IOqg@)>BOo1C(lyo==OsAM_J05*9(+&alyMgsmekBN z#@eal86|(R=6s@)Z?sZq=Z)(`-QRPbUK#Uj!rR64^R*u4Kp3Y|iY0cnal*S$>t#HRUeaYJl zJ&`(XOO#4z4A05Y2khlg4}g?45FzX;rcOVboxf8C+0R{+3FkkK${zLl zmssPmSz4~NW~?Talw6A-i(3 z!E`yN;Hi#8&19QKR0>saa);sYRNfGP-~gfw!?WKnPMnCntRkjj^X1b^=yWLi(wWDA zn6V@5 z@DY8Sb;F}iHYaGZRdZmc*Dc1xrC9Ur!h;iK6-9U^alE=dmf=Bvo4>?c*RA5h7{ci$6i|fUeS9e6 z+t-klN~~4k9)pW8p4{6VzPTs<1X}|jiV^`EkDiLTgGQ5bYimCYw(ZdE_OFPO-gKvo z+qWlNf8ra{{{}JrWw-{3Eq1C?>~_&3NxCfiTFvseQhoBTWFc_4_7|y!8|ynZ_C*AC z<>H)J^PGs?SY2-s+?x;jtM^`VA8@Y_f45OwJ<$)C5f!z^@dKpD-rcC!X$HS9@%S9U zU#FECcgR|wWv5q_c~pR59piOW;(l2_LCYPL>#cM9fP{D`xFByq!p6YKd5#fNT z%zVV!c`)l@ZK}5qm$K~?<0OSV_j5oPxs?XTsrBTk6lvx>DLXYYM7{E%dXkq5_cA$F zP&j>?a;v3>a+X0DlZ;S@wMuRi3e@=lPOzRiNMiQIn8}kOq4gHN&TI*e)ys^yb<1|BbQdZ{*@a1Jg) zSf<}4BmMxHLfw=3HVSs@FrQg{7t$){7Wx<&{Up*V0~>pOuI#Ea0!fQ$wcQa5>qE@r zrF;V*)59lPE-r}8SG_;)vp8>yvEdWq_ZRDBP{{{22oh*5qfDN(wX(<#(xqM#OBsE) zVynU&CI@E~`Wcr7x}c@IMp`82=koD}SiTZ-^OWPZcT;D9fw3=}Wl34oj5JKC5xs?bEc-0LFN^|LZ=5F{J9;vEK_r@tqB7 z1TzJPi5D#tsC0c&c|%fIkAT5~E37U&Y%HCZiF-Cj5HS5?f&#udX+hotsmBG+KgufM z@_h8w+{CsMHhp1nYV+6$ed-FA+(7nq zckl%U8uWYI5EDa=hvcLV5)CCla}ry>ilf_)G!*)v-3-0{Af~^=<+0D1BFaq~tlBEY-sp5eRoA_V zCqf|dx*>EriT}#VMt#M+tw7L6GX;;FazNV!wOKb)=vA5?ot0bD^r^Csx5~>+3P9m) zvRKj(_cFAG!`UpRa-aS&`0utkHQOF+1CM{@=Oj$Lq9!OA!pqBO7B(u5LBZI$sAb_G^yC3 zn_Oopp>j4?!WeIrEIXMjx?687m#BogeHJU*iIc`VkE$QomVq!GopF`Wwbo?rNr&y$ zB357fhlYCTvRLt7$q6+e*uN80gw0yZrt9Ue4T!DHR_n#%77ia@p4Vh=$PVST2c9xF z-8!2p1dT&R0 z=M*%h;*8yk6y!T|FD;olAYabES!J8V<;scNyKU!Ljn z|87K~Xe^X`Yf8zGgw?1WfDLPW$c1W!Mk#(uszVeHr1+a_czKqyESX$Ry~;^De6WdW z=!yW&CRkPv=j0QXMG@eaqbDvhHAR%a{EEhJd8qCL9?ZxG|Iqo&9)Fw_A`q)tYoHIf z1pJg}_Rd4y6fXiU8U8__Bv$$CiE4K6$ZWrOE%2V@-u=?WX;{?91o3J=n=fd7YJPOo z!hGIJ$u@=MvUWWd_ptDa15ltgS&CT+b}!~xfIXBYUh7U3tDC>T4e7d8_w_wfZO%PM zgB@YcPCK93v(N=e zB@G%%O|*k<){4=^0pw96m*++xCb_w5NkzoMIv-k!4 z3IIOHoL6B@WofB-C*$uG?$$`*TV2OmtEaMj`ULm~vQn^3yR0(qQ_9&D6`)nhT)Mg< zCOF)CD5X63;^aX!4}L*+=0~`u6V*ftp`t>68nrEfbp; z#bU)f(RMGjCipVw%K`m1v8H5nV4LXH4NO{Xgrl% zKTrDcbWy{kV7cH+ZzxV=M6q)??qFn5({zVGLr)j%2`BdPp)QUR63Ma5y z?jcr-qPD2Jsq=UuVc!NN=PW;>hzaWE7Y9-oM8&JZz8fIqDS_O=E~=fq$ZJ4XhF}KC z>fk`sri87#7!CU+S~k<%w?4Z{FJ6)0q|obzMZtzu=PV?&tnGRRNk~ZkpS)MG zV_n#>`J5>A#>{@U2=*zX^D}ytlm1D&LgWYI+u>Cl^m;D4v@asgldy_yDVSEZ3?A*R zrXv2%R&IV#Exs}}dsoA?Nu9DGS*c(`z z_Dja~!~Ef*(BA7r`T5V1y?0mrN}~pu@VLaX9+3Yyar_QA$8Q)Rn1n#agDcZSwZ z1J3Y3=<4L;*`0EvaqoDq7buy!#uqj|HfABmhAN%R-K1~O$7A;WCiFAxK5j2tYO!r* z4YNd+2ftb_0qpvE&w$!{%}u8yI0EJmoeciPbbR;KfZrz*3if|D?K@`yH<$-x+Q1hn z5A;7&5qt987XzNghy9U(==A~&@b|{?ui!)5%`Ppjd-*>#=CrFsvrK!h_C$h9-tl20lsu_dRL`d!v&TSVqWK#1+b3*V@30kM;J^72hf>$+AqzVG9a zmVY+Em;YUt%_%swH^SyqD)TOHuCKHknrX+ZZj7F7uc<^KhK5cU4((4ddjLb1#I`Mh zY%Zv$ONSJE*$Ku@COWI%g-7KK)Kp}@JBuc*J%48?!dDI z4ozHG3Hl-gsU5HGW=Zuu0gNCc|J<6S9fHqs_iTHLOp-7nD|EE>3D{Xb!J7tX#N)El zDgc@AnI*ka#9I87mE=Pl(4a)JrVez)M(|3cb)n>SPtW+FeoiTTKVyBWasHNU{s9Q+ z+6V2t;{NNy`Hr!OJ+pz{?32)xnl+CEDG25^7~Cez;yRv@oMD%k_L{%i$@2kuIuuLk zjzqizIcaa~sM>6_#K6Jv17`TXqp5Ed#f{6TFDsB7z=@O{Jv!ew|MV#hU+0U0QLb z1a|zyNDk+l?pVMJ3KCy67SLFW^mWA*m<%|S@6!4&ZF+AP%x~Y<>G{?Zo&QL&x8~P_ zJ(Z}&u-Fmc4;#Xr#d}Q+h<%4y;FZ!==+^Y&7*nMRNWrc7;-BvZ$H7djjmqp-i-Bh& zhc%?0L9uI4n|^t*YZiQ`enYuvxl3Yk+wUavFe+||@n2^#7zFJ;CztCCykK(yI zNu81l!f*znl#P#E^y<^Xg|{6R;*X$?8%gRZ?7l#JHad~gEkC#JdKIBBGf;^(cK=M& z9Dd#`f##E^q9%?D4Se*e`(Q9-%L-f=BJm>-=6 z{1^iSk<#;~ZKit%;g^8S=+vjH=(qf1`1+D1vxbk{3?Q!R*`bk!4^6yH=8}7ek6d)G zhmue%R(&D%>bAqEgU`};%Z2ckF+E`?6cOpLStq@(B=m1dw8z`CRSgAE!vOYlIwdwH zVA0sDG4l;{=REl>S1~n|!<3A5kZ{pTM9BWIfw;3L{}-ApIqAxT74GdNa&CBr{0lO{ zzz`kvcXWZB!QD@GeW>?oAe#G8WQ~{(1QMRFllu`v5TsU)k2wnmC+FKlOyKc0NE*q& zi0nE2YO)Yp)VAL9d3^akP#t0L7FrH)Ny#^IEL$9YJL=s^$nP~>hWXOGZ6}G!5JC-H zMqg68v+8h_p;P$?@b+7;W*6pvy1As|*GM-*+T9%^H@F=Cj@`(TZD;iZli4PZ$&Gqk zD}ZV@sKS{2`><6YB~iGfsy$=}pZ(PwBjphk~cj z)syDi+8uX%mTjJA+y(64UT}5*_HWZbx0HxL+B)`SSy|ctZp(F)VGxm3YJuA@$^A5P znMyLaR0eB*eLJbGD!KF%I2KLVAzmZ;leq(|qh65YMLuh}L}>y)YggSswckuBsaF3b zw)JD;Whi96@@4g{nCON8y6VdW)o{Rf;zXO9tfE^RmpM|c?nOipD(Ks!J{iHo;_re& zcr~q*dcL>BCdW`?sQ4mXN$J^JYwHaQk&`f##q$JJ`~_6)OavKSc3IYCQ>f7*lH~hf zl+d_&-;{L>dpAZSp(g_3xAHE1Bi3cCqRIMQkY?b@5fsa&{KaM3Xp_cTZOqY?PSe~1 z7shm=hO`kiseuq}?0>9~^5PO6HRW0FHsR$ip9gQc(L3G1NPk^Jg^U(o{1A$@ znIB2IZe@IovcVnVGpqzT4J$Yo)uzN~DK-Fm$k}6jbJiQj&JT<}KwGsb{3a7f>MK;d z#QeUP*0tGXS*=>7uOVUhkJYi5!s+5{&5Wp_JZKX7l3g&DH|$)VU(ww}g3L^%^s>ZM zkYxD*Zq-p_+cNdUQIK~D!R@~6(yDVPCqdy^#F0iNM~^D=&L7aieul*`G+W6zcfEMo ztLiLDpJF84I*sil&>QdqV#9h}$wDDz)aT^~kQ9?EeN%*A4jh5v)GC5zdVA zbz!dFPjVf3Gzq)hmeVo!F+Y9tWZRPM81wTF@%gDE#Mz=qDt#+d z@aDA-h%T7a@Z7GMQk=`1f3Zm4jc8kZnn2+1!*PAMbb6zc_DD26`vRSwA_~|S(AcPr zXx{S;z$h$gH>9yUZn|PC=f7xvE$(RsbJ;@6%Vut0_|pK2OWvHX?YojiBOHXWd_5WvzXVk-1j(f6z>uyM$U^(i;TEmKWX;ggW zz6^V3%K_r>1#P1z2rsv`vOxPKwp-GxzDsK~oz!?Mt z8Fil{g~n!qJEXPmFEA&wtQU{e;`9w-$P@a*3hQPVM zTor+h-hbp~elAG=kjr$;vw!wC_o+qIa{KPV!cEHJ>onK7!LA)&r6DakT8Dl`s2ZZn zGN~nFq_bnJah&eNB*$p@mwy=99=ORWZk0css#Fmc7&xUS*kkm5rSmurb0cV^-XYeC zM!OKrBZtA{Cllg)PWmywJkppGCpRKs@E0ewH%cJI86C6d^Ej*odBL0`iD(X(m-Yd^ zA&>dL&`llBExKI@Vb8l?jo2fF9z$=fy}X??*my!tqBvMER9d9|(t@%7<7 zznCw-RpO;hRhN5=5v>D+Adttnnby+K7^Znzqc4LltHqAXuY0w@JK2AS?#jP6lv^)) zqh8Nw>yqQ(do8=X$e;EJn!iLvYcGnJ${JbL%V#^JHQiHM={FUxk|ic46^8p9di@SAfg% zS$)FVmGpKQ9L9Mo`!)nHYsI;O14Z#TvlQN~(p_(TA+-E-Tixy%hly{KeOVZYBKJ$@ zVc^mjH~>!Nm2AoA5udJ2cvTS93SH?R)$04ohhPuhdQ}Cla70h|uWMIYdSY}6|X*3hN z4bR~r*YWK}NSB^YFHL(9ZPy#IScF>JSw%w~DU%g7AN`k;7(p(5lU_lJ-F-khy4UX% z^j@EXT*Z7&5+GL1HwWcg6$pvCg4>u9zLz*-bZ@1c$*EY%+DA*RJrpYF6r3j7U}5%c zSu*)|vnqeYD$pIS%T-`PKdZr|f>-=TNY7nEavV<3_KV}X(pw8k@coj(BthzX|0^^V z`W1*3{lz{GXz)OBbZXTWeGMZez~R}K&kC1`RixsbXP=E4vy=M7>lLxZ_{KqpyZ7c| z`Z>jxu$(z<^Qp^9{qqB{hJDr>i(&MaRSoo7MFqz+?!GjUbnv$lzU`2`)V9hKVBU>A zLR~EEDg=S)R~5by_dUUlo{`vu5F0IV9?F8B7Kp_w$AH>9W!74To}Fio63R9ncCs~1 zt||`F;&`23&LWN)zg5kP96cLD$en*Um$_y=6k1fpA-{gl4k+HKUJsamn!@hrVCh>o z^g4dW(ikO|A*Qd>o0Zfe1z8U4FU2&qEo_^+kO@(ZS#e$aH&f{OtvfB06vXQ{6>cZy zli7D|?DqznsWPwjg7j&zSc15YiDHSrXFBWD>2v+wUWYhbg}=t5*U6X3@$s(79Airo zE+bWj#KgNHV)M&4rw?KzWkGS0yOp0X?(xBIXc$%ept9;bij<{z@6LV0%7rXE1iOg9 z@*1QwBZ)YRfMPcm!-_JK0mWAs`T7J5EfKNc*HmF4yOm?Fu+7d5aR7|HHtn656eu$@ zsWZFLiW*MHLNOp4#08A=oaS%n=cU}H60t@LM#zxuht)%ilUl|T8>bV3jS4;&GgW+6 zsF%)(yUutQ=I5EX>)!vHX;fiv3=`Ay_9 z{rbrMg4;zm<*ea_hx))lOqK39SytXFkd4t%>*~d_e4zn_s0|__q-~*#%_q?oN3~uo zhsjwPGs_wJ`YPU2#n93cqouX75O(Y*WK7v5>9^c=U}{i%osY-6VsX5(iquxh+!hR5 zJC~NBxm^m}a^;J+=3CC+zPJ54cU`&K61tcav`+47i;T}bDLM2Ex-qrV{a&Tm zlFZ00-5Vb;Ux>EvhUb4*;UW^17#{lpPLn?&R~5IdlTc2c%xe2zK`+Rlb}+F2#Qv4@ z*WXopc{0k)CQFb#XrIg8ISi*^?GRdiy6@6ZtX2}_#i!KrM%Fx(Q7aq zCGtxAr&VaL?(Avq8t$}@C&u1S+Su%s=8W!P1Qo7b9l{iHdTsp1a69a;IJsAsKZ)U& zCi;AQ=4O|XndHrRhndi`Ik;NS7{acoPN9;pw>=1G zr^d3jRUurtKJ0jI5BL1=2B4=iUOHylB_S8zvuXE^ulZV{=U3qCN_N|WqH3%iQI(%d zqCj7Eqwm&!(WY(W=OU)H?YNB#PS*qKXq&y*8gzQn$PBVj9=kytYe}CE6-jsOD(B6M zweG}|4P2V$gsTaI$LQPZ%w8G=pfB(Zj8}jN(HT47yS9izcrR~1De*K0 zDZBz&U9Sw(DrLz?A-7po4%fuZhP(PkYynKs2h=)J;KfW(_}oVS*QCe>N=~SmAH*6l z^Jpb?pY3|rtZ%pxaLpuFx&NGgfD9nA!)+gD~aKf1p8;MCP?yO)CX06ZC=OkX@t`Ovxx2 zZAPT<`WJ?Uus9lj(MXEzof2OvI@;K4>{8MP<_kth=NU zD;jJWYhh5(fM?Ik=t{PyMSzbTpPaeBi{~0usTfOa zaxJ_prQQ1`7G1oLq4$qHCI79@>2)?YN|B^(vtm3goDd_gQD35qJ%nHRi|AQ!x)Wc+2d@ARGE zzls`&-)99`D6uT7>=n+i4FIa&%6lV~Rja@2wQdU=_}r6YG^uni%R4fSH@<*L|HOP> zL#)^GczT@#x^ak;o^v5*z6&EVC}Rkve`o?%iqmO&{Gr@CdgVN{C_Gc8QtEoZivM)4 zk;8_g5V}g)e?xZsW=m9?`;UJwXIePdqFYazK|6S|g#b-vedhP2jzRb7Q zl4FKKRhzPEI@;(IgO&K(4!c_i5ev`8hG1VgmbC-u8bKRwZNx>J+{I-Kzw@Ws$$_#{ zxiaTvEpXP9jIdxg1o9YW_(cw};+qaUeZ;PJKz4U*n2ZsTLr&a>l);QDu2|J=HH}gT_xRTI&6fc9=@0lHt!O(mmFAu&9C~LU{cB3S8@H z+H#?|sgZpQuYfXg3>ScmdBg&%HPEs#7Wi?2&p+DquRlj(_KvwfJOw2l`N50C04uMA zGmF)cItKU~V3h^8>6*94SOOtxg|E)e@g!XZNLN?s0fuv@s)Y-lOr2kC>$WXB|84kO zv3a%6FH;Ly6Sm~cOjlD7eO$+T0Jbuq)X_oW8hm!7;a4czMz*ra94?`RoZynaKbOI$ zIYk)u2Glryi`TQO2vKrjt*w*9i?k?RV$fD3P+!J5lJ_PW1 zcl!16WZgOT%eI$-bULcV%El(cwjSh4!Cz z6tjOY`MdG{Q!!Lb?tX1}^M;~^aBT!bUYxxft})zD;fS}D2wQuLEQ?9nx7KNy>Q$G2 z+OXdX+cNb}8tdL4uD%V@4}AzwvQ3S#kHF0znb0LHj95|#H?&P8VLrf=>k>?@-g9o= z7)9=TYx})G2;LKaZxO$ z59U?hYTX#+rQY)1gQ7e}7sJVhsU%6@m*<+4X=cc;zNVH~%5GlTZna9k7yxko8lfzh zm1^y1qk4%s#H6RrmtvU|ll9#Wn4^%Td&i+W$$d{+Fb5P%m zmT>POhwtEm?w%RM3}tjrazd5)$5+*t0^K_-r_-6L(&uYG*K|(ogi|Dtxw!dY%cISA zHkG~PP!?Df6Qjk3;z!r^AA5CVy}#y8C)CsNPsffUb`!5dy?)BcI)oKpu)UkWoyml; zQ!lB7<@=&XpHTZ?&}EvB5OuGtocysp^RVE)wS$)8rIKd55B2ULUHg4o$B}d|_X-ke z-6YVF_9QS&Xq)7-U$imCV2CZJ_Gm>(wL^th2T12pg**H6iPp`K2~)T9DJVPfbNJp? zUeyQ&%1L4brog)$=lwI;d&r-H4me3mJR6g%&_8luFTi+Eu97lVue*FWGm&&?bP~%i z5^7|*yb}tk(@(4ES$%Lk-TTp7RZ?BH?>pO^@c}Vo=EpZ(#d8@pSB9wa@{d>2GCi_+ z0eN>_TwOhPHWoBSZqVOD=_GC+FZKT|EVjXan<@_t-7R(8+Puek`gjsFERp+xX3WtA zzo^eannTn1BWT%SA6U#dtRzc=`bHwch&_KzxUs%1*ORf~PhsyrBetM_XxgyxJ4v?0 z4bhhZ;sY-w!aa%;t%i3-idd@3S3l)Kn47wK*lhb1bw{yS+9q?t&$wvJZJkLGoRD(K zWlfE;zy&@@e35SS0^<4r2%?1FR~97^+uM+@>tMyIq@lvKITVZ0pu#M*?6Cd40@c*i zhL1SuEN4RLwj5>19+_y1SWr!Ilh&Fr%}getFO+=TV!&JSFA3*N?G%fJGgZX@x(`k_ z3WO`2A&y5KK0Z|KtncdLGODIuNhBNJ_(LSOkR^F z1W2&c8`?O#zXBD;I&%WQMJhqh-`1U93am~O zUi9yfg+56>Ytn3*?utM@Kq~%eCnz^jIIvKaC8sdFWT^Gm!jqIuwLSmrXGbfsgZN( zrBAS7;TVm2m7k?W!SyXC0FmuwM(OgMU0vl$o7>Nc70x4-;B^rMFp{%L{|Fqz)@#4Z z{0@<23{9<%f7~R^d|xvbg_SuJ9&rp^xesNK*5}$N9sA|_AAZ(vhbh*N`Uuf<_VwWK zy|kVcw+_$2Z71aPj_bQV+ZPOtR$@1qIFk#q>zcIVu6973QMo_UgN+i{+J*S1hYjB9w{h4pJP}+S_80~T; z#o<|-M`?Vxj(*GLR*=??PAYEF^iRk2cdLs*i2V!wMLkvctxQ;OL_&84$}-}5{JJg2 z^Q{W%J*p}DiME%|)9XsPV|M9vtOu$sQ-?w!L*~s!SyrQdGvE%V#gh7R-$K=Q{evNg z0C{iAu5XUOCzTfz)^ZRv;o%D+E5z}=Ed_NVUwnpem1`wmfOkdU`iCnm#g%+;snLu` zxW#x+@m`frTf~z#F#iTYX*irMfsN=8!7>-)p^fsjJslCm(L4GU5R@{x0<@DmzeRIq zQ6}w=LtzgApGO<-c5P(7J;RT$%eBQS+Q}B|UxYt=={QWPG|-(Z-pW+>X@*JM67uZC zUa{_?^b|M_e$lA;IDWtX?+g$4QV^w{^g3R~!KZJ^h}eKM##aZTtM=JI+ud;~_}HnP z)qvD++XVqhi8G*KoEQ|^b40bSDDZrFT>7EQ%zRyfDE#%R_6;GqVdph3j!z+xZ)Ei_ z=32RPykg74CR)OPMN_YOb28$@4VHL0%)|PV)eZ-^jSqSF<`yR${HZ83{a6Gup^!cQ zGl3f|Ur8RBh&_sXz=?5`F5%A#%*-J}vM8BPtJhx6hd-*&3NRt-)NM799%OB*>+x&U z*y0iOVoSz4oIs6Y6`TP218QqOtc~%gv*qkqN%+J=NUzh}66c5dr`7s?he7jUxjuu@ z#vS}@Pby?zqi6ob zs<&IL{Eea+#kkn4cdqg#%W=pXiT|d*_-$p|#!Uj=@Z>M_Qf8Aup`2Oj&21Sxdha+8rJ}Y1-qCVPzgbpU2@B5WPc=Q@3d@B|m#&0RVlu z>QRAM@}%$P@>6y-4mU2YaP3;aOBln;j)a{()c5ihWazXs4lTinN=sUB5eb6zHa%{e z%{)ppVWYzC@c;+it>dgXH7!fF%r|JUa#}hiFY$T!DTkRXrSgshTd#J-qPc`I8!EJp z+0(B!#-i8~yLm_GKc72N{2#3hh$(MsqtNipDDTY2$@|uV)AL1l%`Klu3l+NS6zaFH zTY$#HM<&B=KkLXZmTK8Zsp-xwP;!E=KBImri(XzEaRw>?^3-I=xDkHbgO%}e zFJ7bS*5il=&8z!=RM6!{LZto_^(>xCxq8>MBa6zpCM!dlIpSF0kQM)&czZ?6fc^?B zuVHP6_8Ckg(ARfSh$iKpm`2rwcIkt}87yd7`+RZTMiY4adX%5^BBstOl~IQ&w^wHEcPp9|%~10oC9^G9aLAuP1S zdJ5UkyymBB!D4+ev$-lN31=!aZoFz|AF*1fjVbUm)ET*}A)2yEc+Bt_)A>br2;&u$ zYD)V2*3fi&?z}@p>^W78P-cETy4X|3(lb25>^?8_(>wC@ZyUv!@H2B}mz43C%4$lU z!+lqh>2jGO)c`+;7rP8yOq(CM)kIvsFj^?Sw2n(JE4Je~0k|`j_D4_{|0%AK`WIKQ zYKrgaGrK>z@O#ACDXdVTWp_ZE2k@mbX#KSF4pw9h|o-Go0p($72`j`mb2UB1HH(EUbs8mOapfPWN2bB~$ddf*w)zu>B% zQ=+C)0zZGtl!rsjV4g3u3s5bYyW<<-gC=Sf&u`nwC$zLc>iBBwcIq{~Z-_@Z{37nD zoAp=;vau7oa>1=lIq=CXErxeKmyY24{rzS6aoReYT!18+k4cL|df)Lp zn^C;k>xud)k#&n=Lv>$&@!YELbn;0oJjaopOI#79D3&ExYRL@^ww(WPoZFov{QbZH zoe@cs?!HIxZ};R<)#UXv(9&}sW&}agl2k^_5hr$@BP8tQh1{V*yT`?5%FF4=UUIcU zL&d!TsJ7uB9Hp5IGGp(IC&PIPI+i!OH_cGFRwzTy9}^vHeD()B>js!6&w#b}Fi$NW zAh#@G9^aRE&seic3cSqq0W0P5%iFt?cEqE2eVNC#Vxd>p4tmJLP`v@q-n)C`=KKJ= z@C@v1v&ZEI->IsM6}8UVj)|<1l9QD_8I?Iu%{*yIeH?{p(6jX9aW#W_v5zm)@p(J7 zJ2HgWiIkCf(c3>|@G4h~#G8K-$^+c(%i_k+RU0q1u<&Z4y~a%UwQP<}S%>rqv!ukm z5I-v695N+C>;7?T`QhmUD^Q%N`?^(HC7%fl?*r{c!# z;!@67{kh8guK>CUufz-bRbwt~1pq`ZkQOWxORzT%S7P^6UM=*!OM)jDMKxM=u1OJ#Sv4-qF=~s^)B0TSTDzXB;UpE z@yN#N^d+RK32X6h%f;x)hKpn??|p3bvxe~&-QWml+Srd0Z?Sr&G^GyWc_Z&aOzxY+ zCGy1sw{o0Lic)YBxRzh(vIwm6zYV%dUuW zyau|WAmYis1Ti+G2lC?(@1%6LQ^Hx(=Ggs2u|UoYXQ+CHk9v%MW|EHZ*hC`cW z!gx+TGxk6>Ra8DOY5G&X0oJtQ=*m%6sIsbMc8GGsHo=ETE0ybba4|O0R>Mx!8~Oq=oc(zxxiV9Xct-u=s0*oTYGk2#N>h8D&}H(TN>hPsWSNmy zKEtAvzqZc)V&l-4e+E-`O_frQ0P<{sDr;02h5z5|P_NJ{IVT%C;8>hh^wWgv10{6@W}EI;55lsoi{-8Ko(%Gyg= z{^syWWiCliirFq>$T>9KGxDnaxltg|_f=kodXJwg@JKM`KqD{>#k|g$!uzt{@#Zam z3`k>pdSmSi?TTsTqt|u*F3#%S<)XAn?bf$h;tuSh8A(`?E1JFf0=r(er`}N&&~vdC zpI)~W=^*W~)4k~}E;~@x;Zu!-uMZq1YL(z9)#d3%dkufV9o#XLrj`fB;RZ4M2tUO> zO^c&wzSBI_rB9WWD~&@3;|q6&=+befzPV^03$O4jA3tC=#Texkl)$`RF1nFP4N>p} zJGHox92XCF_xndx@i#B+@JG*uq%q3x2F$x)J=YRcR^g07pB=m?g#9x5bJ78C1%WqN zQ~1Rk^*M{;NNIB_VZix>s+u!oEvCtT?!sKgVMzyhm{SJ*= zXjav&RIdnw!K%)YWM*3FC?8WKDWlYq%s>mKmiT^qA)2A39~0=xKU9gHFek&`1wL|Z zqq9#ddK0fRZ700#>R0M2;+0c(kXt)!nclUH#n{e}6xzcbU^dXZ%(`p-(CBM?g0%?l z1<6qp`=!2Jxu4PAzi>7v*Sny;61Ln17WdVId`UWN>VRLSf|KE19#k%@8qN&Ww~A|3 z9e+;z)5^3?Z~B6v1|@N%{Mn4w4fB{HSmS*N1s#+?rQ(3UAuhSgA4>k)96xN__=t^i zK&d)4P{tJLonwf>?ts`GUXs*k2rIBFLha`u#ZlUo^0s_tNgce_q~B52@x!gqtP-i| zXu?#P686r~aOeuZZE!qYt=F#6g6)*ymVRb_Ud9@v+atC92hE$EP$=jzcMi6~%UT~$ zFAI6DK0JHb)v{q@crA1>de|l3iVDRBo6MGazoUbI9ae@XQU+^2x&|9W)pwM0PF#m; z5RVO=?eHvr9b0Ef%{HtWPVlFie=?{Q!g1EG;T**Sz->Hut1Kx(9BM`d-~4e21wR6~ z=#?2drySMFetg)mMJ6B&{=^leq%#557neQ{(Oo6vS z9B^*26I-BZm=@jnO7ltCl^*6BMwU` zd2eJ$^?0K}&aOa2QzGo(Wbzzs-yKp&>ry(-OUn@z678iLJx!j-uY+Ca(1B-=TJ?vf13WGSqAt zEnY6(5=*?D*+>2j5@roFHCuhf&I?FrFKVZyr#DTxy1Fj)RUvb~E*R#!LAyqt!9%0Z z`XF6+o)O-IVG7^JCKCmnJ^_WA8VXE*q^E<1y~6^DAVsQ~)&re9vOKd=3G+aOE0&-l z93ZeN^uwb|PxEsYk(I^3Iq~I4YN*HGwcqZw62(2@?N6TRG9=Y0pvDx(&yc zHA?zgACv>NF>a3UqSyc;u}?rSZy`5SFl)}E*nx}MV3~n)z!SLUPrMUr2MRtAi_h+= z>jysvhn6R=67EnItT%2>vh)nfEW8P#rf?sxTNsS=;c}IresKJ^99- z(k)#w3^`*2zN!?cJx6?knfoYE$+!(r67iNFz_%vi7CyOq005a;Qeuc}TvqgmccQkc zPl1<2qUwn$d5;e@>yI!=Xk;dO zC=isF&M$0A%r8ENg|2JLjd^yw&<=8VZ53P~^CG0=sZZx2E@Zs;h8qLJJX&`Rc~HHA z&2AK5&(iKDnrG0Oie_*o%re5kmx9b(Up4gJo09V8ih*vxo{_^Zss`%d2cI`M3%b@X zKX^@}mcFzSE}b4UOAWUu`3B!hpWP=UeZA{8c3C*|(T7_t=K^fvxV(WVprN*0;lZgK z`rx`~OBqIi8TvgNf@eUM&*P{)&F)F{_4xaU)s`A%aBzM+K|9p;!-sX&`fK`yK*#?6 z511ks_8W)S{~+-CGnv#Zy5STPuQvJUZQ4V^h+cWQr)~Dl`;hLQcX*?!c*kbbwjzjG z1~O6IIa+ET_t&7?)eY+T#hcg4bZo#UHa*@S!OM`ltF z0n3U+?$o+;W?qaSDJ1Pa_vhm>hD^ub-`{!lTTtO1`S*Y4-~fQ=v%m9c0KiFGZbprJ z-0}F|Z?Gz8GJ!ZJ2L;VAR!eQ`|SVLwD&W#wz6RWW{i)hUHLxy2IRNL09B#Y z3*0y%j$|4Eb+eWbQunL{>2=ah8E)|_gtZZoqBwCPu4`eSnYd(t$d=9e&6M&yFRrQF zq#$5}BS5Jh+Z_z3K**Ra%o{b3Oe9ntrtsXpVPNO#?8 zz7Ajv-z;l3!Ae1cF;-mJW7mcK+MJ{!B14xp{*3A%{WD5G_2#@mq`-hLKOcD41C!Xo zMtJ!j$GQU!t~ikwLeT!IBj-s<5;^6S}0a`!D~o z#r#$|Ll|u41TWn@c0nwH@|fkpgnar!nFv|b{5^r|aed_J+jp1i!bqEmd}ek?eW4Th zV2MndqQ+XG=S_#dJbNRARasxnJf1XPRB7aWRH>EmBdjyi4P=kZr@icCwUvr3WXo-L z%_gMftQ~Z^5sg*u@y_P>>*ZP-fuq>X#OymkTwvYEUik2F2O7x5osfu}CA>@S>Otb< zl3ki~!n&h|QE+GN4(8eF_~-ETftOv+dP^;=$wQlAvo z1ZDU*PAr79o=s%b_w!-?4Wev@s{feiH>wHsyVPKWJ8@l0PLF^mV!X2f=N?Zi7W4J5 zJe(v9vUfA*ZYl>cXFCpR*akQzjYtSoqntr-#=Ce@JBYw|0*d^-h?O*TA<5H+za$vX zGS-E}@LmAQ9}PK}qH$5OYp`)>9eUuT>8ztO*T1^sSg}RPA&!|FGxhL&>v3b;oYBTNbr@+4|Cr?# zKqzYrABK!*fU1(-ru)4kKNE?@l8(M&9A-;oRfm zS8l1n?>71_uO0mTkM3(QqWtZDIY5}e9lihlTwWC}i!D-_Td((0d+STjfk@}#`{hEz z?!U$sve$Vuib2s-(A5hUB1oD?c#Y)`D4j7MIkYtx9y~3WVgy*|%x*SXXQ_n^&+3>l z&I4}4Hug*Jq24$YSJPuh)hr8wxgiEn<^l@h!vRE(n_n0%n&JDudFV9GZiZ0RVsKbZXZ->nC!>uG@x^onjNp^L&MB z{c9%bVkBuM!(U?G(SA`NR!8s-cm2CzGRj*1vePJi;STOvyly$XA9&*`kH`5D&dfQ& z<8;^J#Pi%2KjKAP(=%7DKZU%}9JWJ2GTV!L~dJ^xCaa==V=d_ye(6a&K@+g_&x~SW0TH( zsIMZsw}MvKYJ^!a&X}pUI+t-xczO*!tDGYW%4=NZVQTSEhcITw z=zyeu`lCOf>~}Y_h+;hk4T$Nqu0nfJW>0{X)biaLF1jaeH+K0eYpRmfR_ujTwYpF@ z{f#3P9#c#p4P9u@{F-Z8KjpGHAC2koW_1TeduC4#n0BzlB!+(0GiV~P)F^`1q=D*` z`0_0KqPj=fz}cV)u=xX*swHL^lftNoJJSE_vW#BHv_sva4;U+>415`=;k?U1AM}|p zM#0kQCyEN8-xn? z36kIKQ*nhItX6fHRxYd(MyUnZ3xNRqJ%Y^`)Z9WWW&0TJ$nRCd_EMz1eNGzx^@0C+ z=J^nRdvH;^zNNkDiOKh4Ipv<2r}0#(M7N;*Fx10U*ZaXTDU2qzL?U6-BHbK*s=H(QADoYfpp6mzU~M;Sb2 z`>4sPv%Z561da+YulX~|!2bvc6zSX>_$2k_B<@(HJnoJi@TFB{?b>FijBLCkw$JH4 z5pvvqitZp`?^`qxNZL72aYsC*?@z4gM)NQ9;vc20nAk_yDc_Xp^9aG+M2)@k;rr6%@Ha_sV z+B(ZW?%(M3{{W}|6TMoLay@VTzR5U=_s-Ol&MW5f!)NfS)>l@RHwR~L-tIG!{h!#C z`yN%Mf~^ktr9jwf43Y=Xk;sP&lgg>=vC;VyQ1)Q1^1-j4E5!t7-^uCI|I_PpqXoHGM&Ap+-dFB-4cl*AJ;v#;depml1{`~Knf`bM;ESene5J6;-b%yQs zL;jKo+fLPBt|jkV(!yF|Vxej_BG7HLhG5C@q6)s%V$SM!i9gf1Eg!`X8)|Cq)dimr z$hKE8kq9*_^6O$Z=3``~*0gUnRQ7nJKBEEjds39|?$tS6*y5St%Km_SjP1WC^3rwb z^j=NYo1Gv=JrSE!V*hhbA#g=eVxgcHmq}U3-a|$VgNflL^WMgF0g+dn|3ezM39>4j z-Q$vVdN@k&rNEdPx07`q{kmb>IjElbd6@Aq*R;R>ZQ9e@jY`kq)8F5A_VgsiI$d?I z8e^=E?raY}S72mkZY7Oy_0?!a=&m2^i0`5QP&2MO8A?^Fl^E<*5GzyhCX;@@V{rmw zg4*?oYfsF5LbFInteCvKJkm3*x@SfI41Q00Pdf>lXUV*)XkL{cYyT$2aBz_ zdkUNC7OL%(ydEhqZ?l(BPg|&YW=)$Vsp%dp+zK`iv!&5v@iSjnOKbK4LAIpUxg0sJ zGD?K?eELg<#T_wEdb|$3L1P2V5Rsmv6__!if@T}t#FWwSLLdCJEM?uldf>=Jen)Po zVbZ>=oqO)1vRh4^{jv@kdM)pp43O>kJk^l|bA)F#?2M0fe=&6ZnEr>yX)Kx>|jqqBQs_m)GMeFz0MehXRp78#=si%MQO3`jV4fs-pH`2U>GpDap<9s1N z%bts{oD^w-2{WWd6CKV_nC8}WGNq&JeAuM2GM-}@73Z+Tuf_59{a|&jTz>?Z>OV5K(z?-+=)zifB?FGy^=#2x z<>e;p9$8-q_rUt#83G!Ixqzv%Q<4^a)Y8}Z%+wLubia7>-ZuR^H`gxgXMFLBQ}~wa zbngDH`*dHv-rIqJf$#3QVQ05Cr;@IG`}PfXjlUQ&(fn540eeq-Yg$M{x-sUsNM`Ny zE1@7p_7%Sys|yYCZ!^e?E-v~mZbZMg)@-stN2}}9WeOG+Cr}L)N+bd@DbS_c1Aq9yNTEXO2OfVJ;7vVHlM&W~FWH^?QYX!!j)aPRjQkO)ur zt8m}J+P50|8v!HG#QP6gzSj%lM8{ZyO}_i(Z&!MDS5S+uyn@y;|8jEQE#~RCf0i>w zb{qFoYAfh*`V!G|YriD?+*qv_Vw%JvsMFNQPC~)!rxbnmeS}BY`^|f_)=-t~b%|i* zcRCD1cOCqe)7i?n?(D$QCKF0FTkXl0+P4mFEsTw*otZsKGK1K8?ya4?R<9j%*XRmn z7v?-YNrd?+Gx1R<%so?n$j(FRBgoa)%%H zi%*|e#P#y4&zI?Ea}dDe`ni=KewX%4oNZU;R4wAAxjw_;iUhgvLb6kUBTHFJ^Wy!& zqNHfOm`vq`2Ly!{U6abd4dvqE_zPVlL&Jq;G(Q9@hCJM6Q`v!X^vz*M$}b{as4}y{ z?}CC8&*u6jI0jv^b{>Fx{_qZ{8?mpkZ#FW~Ky6LGqM|{> z7j!JwhqL>pttW;^))AGgBvg|W6WGoxiD;U z?r?~OS8?HGhT0STrjO;%hGb2tgRiq0Ch>A$Wa0IF#KdQ`8Infy<{9XO`mlf+X_GZp zoti5~T3YKogip1y=JP6`%6s5kn~xuQk^?8^?k)r&$_BRI3{Sz?=40FLsr%0z2!0Ee zLdvtnj8sJXMSh8;=yANpT8`SDob5u&St*O+KWC=XKx1DVwDRs9zGhX{9hN{f1XCR6 z(|xMDxGxxuZYxUwrqA^4Ic3(=i_tZ$8uX7 zO}V|i+@fjw{KQH^bK>y(=dQN(&t6c7LgQgTProt@O2%N;ax~)FlqkpFSGq7Kr;3hh z{*qB`rm^=+bFrJaD`=*)W)1i75UFM2m1lDd7Ur~N`uRY?T>U!d#;4Y1-j#QOAo!U} zbsL~Tkw^@xHOwe?GR5gqGnZZ7mY}yVp7s1Ujc}_7R!I}+ zvM3nCxntUiQP38Mu*^@}&yxPr>gl*yMsj#TzxynG$*9+~Jw|oDk)7y@8o?_EyDsv6 zlCukt96S~+YLSs3H-!I^k*qOk3K9a{jAMOT$9q&_OtBNY+KxX2kJP7?!E|63 z9`aYHwwadUTXQE{o*rxoT<)VS6|8(C4lC8kkw3l+4=*^Ijw~j-?OGjo3IQfhX75sn*!3)0H&*cV&@@rPVYCRx~h|x#rTYfqNvmFoSe-Kjlh z2``WnA?XS0-~2{Q4g$FLbgq$ewDo<4}pN+WIc;o|>u_EsbU^ z6V-Xc1s``RAvR|9+# zmTm##7?Z?Dm{WtharFcSe8SBUz%-EPm8p)e2~e26es2d~u3~xL8I<3w+AF9RSp&6c zc4%VS%@7N*o;HTpf*!r#9WQz5=vYdK82=bG6A(xY3?TTF-I5pmm;!fSSZcghzf*8p znB&*HgjH~o;i(-$86%$gpe}HbEgr3bK!?fbPf780!L1fre^jIbfrDd=j})UEOKQ() zVMs3OrJGO9@oT0F6*Q{3=6xCIl=;c+`?lxDi>3~lXYKAu35QRfV1}@s4Gc4}N~!qG zya4-bj{2htN|yw;@bPsjj1psrs!;P2HnbuTe=)wv%B40_u=w5WpF_F!C2!7NQ{Km* z%D-1W!N*(Pu|u_XPJA7dwpIoq*wnDkznnrOJG{&bm!1FVfkz;ukU);X%^; zX54C62cljU4!0;Xs~?i7Ou9NlRHZ>u@OQzgnW~UXVRxgwnUhONmK#ls6kd^vM2CF| zZ;;nP$Ykc8s{cXa5^dH9p0)M7OX7oy2WfEN%nmNb-FW!0&u!(qp$R)v@gX+ti=#6l z+Cn8SIENeL41X=@To_05t&j1Kz7g|~?HOpW>+Ktmz6SoV7_BYsg2qGNp3R*7+Niib zh>>n=t)@iE*am?k=6T1k6E-SKI*aB9AO4M_Gfu!8gZCN&p0RQ_otVK(Fi2|7E3g!& zIZZyb9oxlx#I7I2f7+H9v%P)Ajv*TYl>U0e2~y!WVis`D5LgM_3lMY8$*NrP5n7&q zw@-C-aeii#O>-gH>IoQ}Ap7Xzs?Qb2peK4B(H|qs6nonp!Zn<5(W?=z&og_3e z)LJkuq#H3d^r7xC5JDD^jo0QD!3sQ1UPIu9T5FL)l*{BdW9N>jNn^c{TN43M#onUc z>U{%IvH0P{($cV{&cVQK_(6tg`O^{Q-cnCFl)`!_?a*WluM&>lVXMY5<~-|8z`8CS zNma}5zE_pTbDmbhzC%#P%k5517+eY0GB~#%>M$7VRPxryb|JpM2v&Ejl%oXGg@jfAI?La@d5oaI zsH|v^&>4XKNVyIjSJA)na-x*5Usubc?nYbK%FZFxKEcV01y)xfcXANZxV)G#ol$;P6wLkPrr+p&X8GH`Kd_>GLUfJvc$rX0rtBS3ghen z^W2uuVtKK2X}1233k!6muvkhRrB+v{R-~u2is4NSriuH|9{clz#hbNs6D!-cWo!3c z5z7$>`qE*c_2f=Fh=dShaFO;Tq^ig>zG|g~R@rOr7K^W%kP-ZaVzbXwy>2Pef%;lq zpL9zq`=v2qm&{B&Oj^5E{O6URvHOL`)+-vJ){~73?<#+E67BkJ=O@v?lJt1(3WkE{ z9mUB*Kl~<4sNKQLh4gw!R^puoP0M|?k1c4gQiBdt32+yA;P0E9nTgQK9e`r^nR zUwp(!9usgAul4Z=#Y@-BEy%z15psllvb%rj^p?Ma@z-(Ee4KbfrTs08=<61TjNb90 zA9#vIjGacX-r9ys|4b`6U2>u*MB{n@xUyuDF(6A-CuCV~dG~i~BQUMUszijs1P##M z8lx~41}9>+ zcc~eLIRuD`*GrG%g8QPJ25w-sA9NBcLOp*Y@H}y}?DU)^ z)$)TDlQ_J-awk9tJe$2~No`WikA+55Z-lovRHUH|9SI)y<5)T))O{`U35c_F5?2VC z;J}8~tM@P}ge)Of>Q7}SffM1C@LzsonDkk~9S5%J37!04JORs+j|d{S(CNJ4ivn)r z-HKhAxMaHpR-qbpAmK>9v)*jYQ zv!|*=s5PWF*4a#D$(~2-f`!#d3#bn5p|{^g??e^(#8{%3H(9N#09XrO;2S(;?YdW> zzi9jG5Y;bOZKOIiL`+gcV6x=Adsz%4sCMMT{p0KNAxk$S3 zruj2sA@(8U+h9Fp^C3m&GwhTHLPkYPD#Uz&yJ?C?rWR@7<8Hdbavr~s%(>$MGG=H& zr)IMfOP5wq-;{TjYnpYgpdm$578>MBND|p(kX0*@iQJm%k@1acqUZzsKvwd>i2=s1 zj^YzJI~((<6LS5dD?*FsP5!MIbANXpfBr{s&2(?HxcUCzZA86V;|U!he^vT#gn}irrrRi=({Do5?I1Vz96I? zP(u99?Y#O3{$-V^!c(HbIPx%#>8*x9-iR!U`d8ulQMrFg%gbDr{GY0G4n?+qPSG#2 zFOxw)1pXS~dHio9^VqYqQwULBFnlKG>s&YVBpaf{6ort$|$%$aA;f;iZT!FlP( z2l+K*f>msv*qyoiz>^5S#ea%KK=HpX9PT^wpYpIgdv3yX^8dNi8DpQnb;nel6k4&tHi{MjlQw2HBxdV-rk(=G(t^|E1sG4&D5;^VrdGDKR}Y zwNbAL#u#5ekXQBJ4S!@!CG5N&=_Tds<%T|`ajW(RKMcn$D6V)xd$yk=&FiPKg)Zwt zgii}5>3Cmw!6Tgx5RLzjjMym&fVvt_6mD;2H-lIbr7!`&d5xWYix1ZARfD5Yy~XUZ ze%v{(?UuKcafciM2{AHBpuyGOd)~Rnzh?_@vF<4T&gqyWs3p7O7-Oi~^3kKbQuAVL zn>U6st6gPN`+&Rqx8`@v0ifhWzG{U4cdwX_vF~evsZ{u9`2b;1T85L&r`q1!dWx}r zaBq`ma2&EK-bQr=D(*&}VoiJJ-wU34u`_?7-!*ou{UL3_&@1;Gdt8)}zC-%+Q1AAfXAD%tyWyd@x4B$n$S>PS3PI@#v%`eyXc0%Xm2-8>U_^I?;#03)C&sKbU$J;((YBmPajM=PwQ%JZ80sOBK&Z2$do?Fh#*GRTh5_>R=sX_D^O{p?kzdw$m`Uxl~mAYqhmGs?HDb- zo{_2u%+!D_mJFKcP2=?iX2-g4SVrtg={3|eRMNlsm5IW@aXhm1JBo?jTxoTe1#hUx1s)84&?D+jF?fDbd=h6I z?gX)eOy6d5wD)z;(Zoi(%-q^mhhM_7J+UIAu69D+7{*q!W3M-z~okTKd?uemh@3T>;|JB}m zhBcLTecz0V*Z`G5l&Yd2AfVC&1T3TU-lRrFYUq&AK?GDpK%_|^AiWcMq+>-&LJ1IR zLJutj2oNBIJR4@lYv!8gy5IYLKfUj9-1`#=Ig(w@z0Y&4_5c4?#F$}AhpgdP%lex) zYUqFz9VI1f6jxvMZ)EhH4D0Do@`%SNuUoEBPjdM9Qd|utHiRBV6?acjMC1h>7(UV5 z4+bsow45`7>ICu-%^sNg$wNa=@0QG%FAb(hGIv^L?f9~m<}tH*gYfHl&P&O*1a8^8 zE@$C`>F?+_heS|9rIXo(Y2?dke4?+8#iz;NmAQ1LoJHwG^5y)7Z6SUy&8t_3IXOw# zdKlKuSK1Ed@nlf}s~YEpUBily)f35ltq%J4xai8boKJ1KCkQ9(+> zu#=%Tyx#=&4l}HkRq!QAuluF4(GR9%NiKmAfy3q%EIg*;10s&nq8ei68}jQ(QK+vMqOlYao4pJeVg+*1bnr>~HBczN| zi=~+R*OK_g;qJt?X6^BV+xFheBP}-w%J#AXMTZUgP7_~U9?ZQ$kSbw~vvMO?$M=@X z@ANxfUukjZ-*{d199JzOZ?sEiI!bUy)0x;Z2?_CZg^XdA-Z(1NdG|ZVl;e@gj*7I1 zW`fYJ$D;(new={p3+Y4Jp1XVx>%{_{DjGggoHyD>K^4SZn9+IBMzl}E$An|wHpow3 zY|_XMam4awsx-m_v--K2yhGF4kYmStjX-Gus+%XgN&H)Zeh5B4rcaY+=?$d_i*H_K zC7Z#N)L&fY&4dJpYxeGg2PD!_|CQ&j4GrGrupF(5oHN!6@Bi>oN?3L<`1z3SXIB^N zjdI2WeecneJNG+MMz)(~`Z6A1*r?g=kE_|9fek|ze_dTdWJ>QGZt|`f3>J5+K2xaT zH$M?t17RXmD&!P^xG{p4Sf?T3T@hC3lxvcSX9S`?4{Fa>1`-M}QeW1W7Hgnl&$1>Q z`Z`#NToZw7H>#Q$p*6B@d_su10y^FIs_RVxleW74h;@y#x_FSu4!JrXFGmh)>Sl=C%7>A^1$R)`uo^C>G}AGDX$T7>=k; zsBACX7VH217aE(fI&`!LxZg{k}9tWQR@xx&Uj10E$=3|XueD%xLhrn;gWutk?7{VI+NZ0dFBl! zK@XOU=2}22SCued-0DRYoXt70Vy1Ulu`^YDz|E<%Pg1ix?)KK{Cf2A&5u)wI4Vpbu zLviNH=85WFYdx#)^P7WFc7io|kg4w{=MO=eE9J$pg ztJLBCeY9N0H2sMgelz}j)G?~z9Gxi&wxggycBXIl^b>?625X)&_W83E9Rr^HcH@nN z*Gg^N;U@&MsA+jHx(fy; z&km&4J_Wm*s~5I4MpRinCypSMhw|TV9|6QIGM+t{VEX8=$J@@ToXIna%_4kg?{Bs7Gp_Lv3cui(os_PA&+QE z+B-`7qkvVd&j&Aziryl6rwmC!q_Oj`1>X=oef`l3KZ-n-Y6wF@V`m)%L^bsOT`qLG z)j>e>Rm@iU=sB-M?QW@V*E96V+TpmWckL`gxm$^+&#||^zZrg^qjI2N^_?K;<;|v6 zNXkd|yw`092<#$G;R&vqE@2DMShZ^HPm|MqUE9G`cSS0zc@BJ%s(Hs6@eXO}LATlP zM|{Rhwgwt<^gFCmmeFYrIk3(sC9eq|Ue0_PRmUSWA^<#rMn`4&O4c4;zJ+ja zrAM#7hfxOznRko5vQHyzcMr$Ymrv3yifXzEiv0I4x_v@69zfigWxjwERAl2mNO$w* z5jJqsvkUyz>Z)}h1bcH+;}_$%Maz`HQ-$+SyB8zo&d)q=PDD%E=a)bDM!VnYqa}qs zlEt!w$T&vomiD?X_$9oh8J|jHZC_{@6mb~2E7s-b5qY^09nizv4ffS!OC4B97Lbvm zMx(Ymh57FdS35=2u_BUe52u;f^dChZj0(3I{(R`R;SNjDM3Yz9OgVd^py%?_7o6)? zl3llYf)&sy&%Qo-oFFKY=Q zn6^d{suf@Id*k%wDkZT->EhRhme7D>jZymE`F0^ajkc*^{L7}I2XwaXj~JJ!LK&;8eY5nJ7?ZcQ3mn3sPaR6Nf5ELVTiV*UW7OJjYljhJ zgF0^ojmSpX7kaEO&X3_G2LlaP>A@AnCNnNN3r)(JhGbclYD9HDWNpY${{6xWTFzL` z8HxU@Bh;p;AMfeODU*5xdglOzXTW*f-FAd|Czx}XGw860bEmwPp+zna+v3S~b1v>; z*BgX`Zdk^a_hVF=k!@X7{W`lh^IdVB#1!%MA8oMT`rg&Bl8TYI0+&E?vhU{jO9+*S z1kd;8!z65@hC6)P;)L8ND~wUuGd;lQVZL0PRJjO&F&-7{$ssFy48!ft>3spOv!x~C zWgZq<2j-y-VZ*R?GespQ&1q4@JE_)^=3f6O6<^U(U2FA9e%;J~W7m|X5GffMcKW8a zK_!SgO^o54Tyf&}!IYG8O2>Uuf15EE)7HStH2Rq094F;Hc9o=i+%S;k-D2TfvoOEv z0E=a9f}D5Uux>08B{h$1-l|jfNeg-1AR}nJLeB|JO&2j-UwHo-HU?Eb1JNlUBU9e# z|5^w2habR)4>=*I7@oBU@Lm<;|E}CkStSWnrKx{beoo3FpI8-koA~!YlvgXr5_yKD zLcdQ)7q`hhx0FMnr|0M2piCpA&r5&!UalQZ?LHfA$n6m|6G{})dL-h!NPW$(w=a|% zv->UiKJ{QQ2SZm!U$sqncV5Q9LaUsZ#aOoUsD@rEc$Cz4D|Um7dg_i1CNcojeKK$E zr_Sxe1IEAW+&+}_mgI1ZKXxEe!KQa6U0Q7%QZ;Q~>JHXaEon1qsss6pyDn1yIVKJR z#9n3T`zmGtW%qkdq8Es(hv>QU+qsO-UOfI?riV)Ysj#+taO6Y!-%rTDN9I-sT++gA z3qAT-fw=nAzr@)$YYuhk{7hi!hyjwMuKlQ+;p7t_Wddyf^tb#^k`90W28elU3)4j? zcT|x4bRD#V?LTJLuxJZDhWWoG3m6y#fePAhp*Z3Hs0{}M{w{#K4e;okmHL++t~Zb2 zFL@)fd?pxn#Du}#(u)5Q+D|Sj7 zH$1Jl+wgIK=R^=MLkj@K`}OK^UXc?WX+rYx2ET`}>T9Q%Ka~8=g+U4+Msh^WXcvrY z#ausgo&HB`*ZlZ7@q@qh;kM^t_I`Oaj30`Mt~%i@D?mt;uMMsCH^2nd8{(#)*hIv=)sFodQGVfIVVGAczBNHX$h8JQsGOb3n7kTNNC=^1%C#zr3T#IdU~H(O{|F=Z}v zdRDdE;{Z=ly6O4IqO3vB@kK$1X%o3`4mR%VwP7yL@ys+WSA((1*eFqTsNDVa4avL5 z;Uw&22<>nO+N(UTi3*QE9shwc3Ivhlw_bSc$`cjo^7esaZ3!Alj~fwYR1y3R!{HCz z^F7%StE;O8C-x2bN$U%z(>cW2NH1696r0q|1Ou-;Fx zansl{kU7LSv{G&_6rK!dlFeqTGzP@+JH|v{G0n6wu12_Y%PW#AM}1$EuDgOTDOJW9 z)?NR<3fdXIY^8SMa>Cj+93B-G`#>6FjeV6=FUP|R!#C=&G-oQll~@DI5vmpN)k-M| zpJBSj5NUdC6V~zpkTwI_ZOzo9^<2`9T|^|l#0wvQMKgAt{guN>XNcn1A&Fw8&AjUC zZ#$GMW&xFYvYVc48}3Uz?Y+tPdGrEJ~Y}e#9!@nIzj0pLL$SIT$9% z<{epxXf*X8pf7J8h;03%_A)~kXY)>5I_ZR4lvXc^J6cbUJ3~Ani2N?q;H-&Rw|9

lpYe6KI-{@F<2^VS@YY9zx+A2m~A8A1ANJ7XcNLqZJeXwPF(dmaZ3 zcSJ5kTjijXMA$+>-kj891N-?gCNvT3V2J^H&LJxMYJ8y(nDeVTE!U8ohFKZpRb5#njagM&4-BQ$CX*E4iL-ZF8doi%5Ea2CuyKbXP{<-V;y#)JoCm;HWY zQb!u>%F*(qdb_dpq_O0ita&ol_f3=QR2cn;o=!YOG8em`4$ErtVfil~6lxzA&Y8EF z!Q^f#$Ks=<_|V3sIoMt_3|)|7og?&g;i_hqqnPoeI8V8EGq;Mw0l`E!E}OmR)P> z?D51mVEvv~QLCh8LNNb|>o&Qz%Jn_m!M{Vc!(jRniIMa6mA)MFj2z^kaPK{ROFi8h z_#s%q?{v^A{}o3~&i5H8ibeKuXSBZCJ^yO64a^kt0+{=uIuv2>crFpzrrS=)e9=+$ zmBi!+WjyJC_6l^+D$Rv5yi%TZDmfh8wfv4r3T!gLEbDJQL|cV(%H|~wd(NiZnXK}* zO+x-KFC=s%S4o0cttoB^lZ(Wyd9(rb@3E1;PuNL{1;qCoz7qza^D5g{|&31&}gDu;{DiBTlLij#w;tBo?C%gJkN zsC#P?7)P`Z`rZOc)V>}U>f-AdlVdUMFRmeBPOp2E+y@)_wlv9+|7gpASpt!mRQ%G& z4}ZPF@o9;K-k8)kNHXQ}El_rt=?z)=?OOg^LjLSqi!(boi(zA>xm|q=o}JWBj~(c6 zD_fYsVQ0-l=N+Fn)FqSZ=ailqaWe?-oeI-+?0^ve+NS_kVez^3(CqE{Z(+5BB;?x0 zi)@(p%wg1aU&WA9BBy#kpFuwY)JK*{EB*|S(>|e+`>2iVrizn#w17EycUPIbj2VAo z6*lfN*ZPKtS01gL3)0@x_8B^Q9c~f;tmdJ@yp%O&M4VWn!>oyQ+i-O|ykw1RY?&uZ zU;nVN5qQ_daUc(ylO{;R_~F?9_a+R+ zhZZ=I1s@zqC*33Q;!L55~|PyZCK)azr46=;VUO^R-q=| zt1r@kB~}g|?bIq|#xeHOa0+X%1ci6mO-;UqXXw|fU6z+l!RoQoo|;)QHs>#OP-F)% zzRP-t8S-9r4Zq1=JDWQ!hR?Fc#7Z%08b(L>iWEa$>zQWdAWZ{K(%_(@3VGT=I$3YPaBE_UQ`J)Lor5VgjA3p_&OGs) zmxNA5YKN9jNB!r!a(PFAL+Viz_NaIS44zf-6zzP2?N-9}1ecH+(LLk^6q<9~vUh^D zeC@|UnJc4Pw~)6QkS|jCj_2{bv@GB?ta`A!a*4LurlqDZxaDlFc=sMWV4xJWRf%-1 zhCHvhHGK%~UM`V3QOsK<0U|5SW`#FN;zdZ1mN&dv<%U~;ptAu-L2sqPgVF1rbFi3Uw@=a39$)ck zY?G})d9s<8D0c~P%0)}xb5Hh8V45U%OYj(6hCb=5@vudP6h8j);(iDsD4E|G^s5bD zVb+hMxmwqXR>_Gy`fNe+s>Hycio^8E=m%O9*fEZVH1YMDX10~f)d{n4X9Ne!)NVeO z-ex`$$WfrHSJ}SfnN^7)o=|Sr*LK?#?IQ%T+47J3A-6JLY;GO7?Sb77AOzdE7$QT2 zqBUv^^w)6ae=c&nrhHu#C5+7kyaOZ?*>B}FBH6)Tr+Y9pmLwE>ceaB|zo;w%a0(~o z3!Aae4i1`|%~~p1C9_@Ds>2RFExck2l&8%Xqeuad8hClV9px6Tqf*3cXD{-2jkwh= ze?DH5t!rnnbCqj};Ircg`*_v(o;F1>qAy@q%}cDu;)|^srr%D@CyH$1f@q<8*WH+K zunI{7Qx9r?w#7F%dl7yW4H8x-qE^e9eP?qg4Hq3LD-n7P(yJNvQdZ`riJu!xvb?uGk!h8owj{ivlx4%=0greAL z58a=4%b)HSlPK_h8dv^f*O-424zYEXU{lS3SJ}v6CKGu)zc;;E^j^zQL8^OPMC@)o znj&i}M(;p|D`Miqa4_cS8bWHs&ICtOss0frs!8CiD9K};5E&ESL_?_HOBCRpI1o|J z(0_NMi8rZfs^P~S0+l-b5~1vTJ#7%1(pe-C-5qeQ_`O4aLS=D-Ric3PHc&q5t9mFmGJPnHUuYV|nuZrM$ zWj~?8?4r_e6Srl)-aSUI)$d%I&l?6^lPYsoD9n7_35qZXsBupb+qD;md-R%TmPojQQB44Y|R|N3_~7>~)`x(lpGec$Gnl!}*y4SJ`^u+ClNq_KdT&`il zr+bXI=L>JZ*ZJm_wt*i*-KjXy5YK3tng7y~Vchnoi*1jp@!_1bONsFEz69ZOwn^AN zsvg)~ag@N?>3wqFhb?<3DtZ4Tp_u;D-b2j4j(j~8|EC*ogtelC-N6XyX#YuCbMcAo zFRp*?U(o)D1JHu!03*U?$-JUs=eY>ua{qc~)6|>DRG^sO#LBelsgF$3>RrzUKKZa=3m~xF6=%m zYLp)I_rgIUvYzMHHYX`9Oef7N+7%qDRN;r)lOP)8nU!vuh<`_i_?kohD3K8yHVJAm z6W7Fi2s%SY1*E*?b_J@=0hA{^{ z^~9n*k0*2*UeF%Gp2|Iq*#iQT)-I>&+`XrCmRUcEJ0{SsW+Ry|W z-8BJGomU-(>OAR385Nj*)+M}qLCas%3NW4xakcGT2%ZiUf3SwK*l z&(a@`FB&+f5j*p=Q|Yt~0LiX-AX{9_Q`~%Xp~B;G9iJ+=U~h9ik=M2tX&?YdC_-*=xKx1j0$xzl4V2sTx`cIOjhjC5zHR29 zX2ee^i?hk0{{hqBr2vmFkAOi`hm__kr&7;*d0v_b4gnPT^cU;X!OKIqL$)5p#e9w- z^Ha?t|%w>Qb zmu&MmD?SPc6y3O1q*B9ED4z@IDV+q5cZGw0q7QuTMd!rzi@k^%y=CAvz!4i8lR zdJ_Vc!9R1ffU$Hx$l*xW-+Wko#+D+u|2#OqmN6%RUEW6JqOPsdgnTm#(A9f`MUpGj zQqpGzh7&bIetYqh$9C_++a&i)ET zm1V#_G>U5CQ>3_?ds}}cx?Gz$5W^1$#G+o;WIyb&#A4(Anm%&5um!pNBtGvGFnS)4xnk8B%o!=3rNqCuQt zY!(RV#~HVLMIIJ<{6P*#{ED6trZSEqF1%g|f^Q_*2g%3NOauM_bZF5sKldm(-^i|f zzQ1%3@|}=>O-E!J!6kC=K-CX7DUTd(w*)6v$HE?)vK;9lyk)7zQ5;@rd}|k+WOUW7 zlUyxz!&vyo9H}EZ-g;#k%%e$I^7(4exrhPE4$ImL5EA@>A$;D zk&dt8g_dg3p5{JdE){oWC*rPmW63!p3G9~VPK#7Pf3t+Nuo3*Gbv%cbjQ!7@876&o z?+PG&au@xGi04iePGcj?;zE>&e8V5@gPNXG-*4jBECrW*9*j^cf)Zyvc-V1?6RBW5In`>=r)em@es0WLM=B`fL#7Yw?sYe;W(rH=%kOiY)F77@ zVP7&WEC$p7g-($`flmmR{y+pY>#8@ozy8%}!W^JwxO6Qy&h$UdZ-bo#PdLKvVlC5C zQ85CbIsEIZh6H9HbIK~xe=shEX0f?NrC_ihjFP%X)NgOAa9NQB5_=Yziji;X;CL zX@U!nVeSvHDQrZ>=C{JB8!Gbb`UI)^y;_LtT1RVI&b$ekuUz3=-FGF`BhsU_&M|Nk zGk{C?cJzgW`P+&+jQ82Keg2)t(R_U(rAVpqwzEffo4Cu{8$CnAWt?`SckF>wEfMoB zG#5}-xZ1pYc>B0oii>4o&og3JY8$}xHfmX(3GVDg9!(L_go7Hsw`1Q(nfe#J{`%9y!fkDw+k1&Eox-$-#EQRzz zkI3D_5DG6W11Oza!MIx(@qbb_nCd|@CC8piR;exG7`*Esnr zuX!suOZ*0AWRP^o`QAm_mA`;^2bN+B`YJ3|AhyPRnafmIB_-%l^y?dPd1qp7eRwh} zK@uVQNwZv55bL`on0E(vkA32~*Avte!{CyOY~JEmIN3$q9VS*~f#P$0o0%I?vcYHRK6qu-g%~pI=Pm>5lScc^|dB=nY?y3vj;| zKD>o9&}8=9iL?DK(&3d*e^Y9M-?Dgs?*QU>??f%BePK*oYwe=}CFMmRYxo%;Prq(s zf&5|l{Yl#_GYkqEV`4^zyC}hpznG~e-R3CNT^EZ{ZQFS}zk6F}yCN~-jIv|y#CEqNrrBS;S*~($EEv#g(Al3 z^Wuq+joBB)8#H5g^8$aZlx-hYw+_Ycw1Jy~^a2F`wnT82vvfDU!TP z)6C?KK4u z9D@NUQzn~e!P>bd)>)GEG?c|*VpynUVTJBk9HV4!P52=E)8)0tm1np;TWs`)y~-{x zw*7AqsytRIg@_SpGRr8N6daJ1!nn7I9Uz^$@d@eaASfSJ@Kg1)KW%o^*R);-+(Ni* z+o+Y8-W)dXXzmskVCUC^|MNYcF&@Wm@3eH0eX$C&cc40*M;cuBnnM{wNH#BVG%0uA z)YtRdB`TmL-B0yCrqsZEcrZU!OFozWFlJ7vS4642qG&5NWlJC3g@SIYj6j@}1KbJS zPJ8pY-H9U&uWH<@apnL*ChcrCOLDHmK)_Z3#(StdO~BX+L@v245OEJd-4%Mu_mszHRRFoul^dRY&D=?mH>SV zursxLIXunDf4r1^yu?q(hm`2kej2+D&g2tW6QJzDb2hNDIW}@0uXs)Ix4_X#qC%M5 zVyzywdreLRgI*~zbx5MG_n7>bUOwTVw-rmQ!}bJ8+wBBQoV}5nQ(-ZM{*YduA883& zv$6;(kRW|^nL9<0O?#szwQtAL1hgxv@UDqV@-u#h@{K;xxRF`_=dM!cQ6c4S;-_g+ zuItj|{&GmXP8WGq)Tlje19N+NK{PfYvRrd$xm?oIRq1j+sdm`A$RH&3VWtdLtS?S0 zS&}%!T^xCMrtRi0-rL@y_5cwC`N@ZdkJ6*Mb0s7vckXIah(g9ggHG$_cO`6%DWrw< zU+_kSGV|6t?$C6{|NlT}QJdoi(k7gshqZIBQ-ZoPK7#lP9-~>b*`i!}i!=5v#R_%(p7_ zwgMlO^l}JOM|`f(%!9-|Ea@G0I0FO8#gQpxYxK1ZtPm%(+nyaJ8?8W1c9;wuG)`E= zVEhy@qVkPhxoWytbk9O3U++S8%UnvTQtyC7lyP?&W#I)qrn-TWq$ul{%G2HGlx9Dd zYO@`(cemdS?uvLn;)vic>?o8Zj2%(fExZ#vH27=Pn#V%0!VpAdFG*BPI>GM&-JiS(Ff6dS%c@I5_0E%C8V#V^@SB}aLUn6SqI!u z{&K@_?m0-TXQ_6{vrtHAE4c*csshSN%~BSNaG4odpPGaRX?Lw72WC(l0qTOuj7u_f zwn!=fQlo0U?rBua%1xu!B>^P`hR|c_9M`M)3uUlQy~E-fdJnAQbBpDF{MHBbj03m# zJC!|#CUofQ`95{9i!iRTZ-F{J6k~4qkjoavc5`^P_wLY6;zju{y4z(ea;!xCgUsno z<FKG zF?%4nCtpmOB-G93!uit1xG9Krd$r>h0fWeq{p9-NyR-M-5PuX{SE?azzLgWkqIYWz6HyjPOP20B zE_{l2lpL&WWo_yyVT!awHpu!bjHfY{WH(TQ?|ZGA3ofcy{QNj~_HzPgVV#ap(I!QF z4Bk3Lz1NZplBcI^BIGC|v2m(OMthI7&qo?=9uQLFqr@$d%9OQtje}@cE1DiCS{B6t z$ADg~pqdv%<3;1d=8B_o!kkX?R1oH51_kX}Z&pNJfYnm&(rj=Kvy(dl{A-=PpN7h@ zYxP-kfYNRC%O!IPDYt|S@i=*XW6Dyt$KjC-ls$4GY0@N19NnjnZ(bTl(WFx zLDrfhm~td(%uKE-7QWh%M0+0?IH*%)KirSLqxml8X}D5valB=>1GFaqEC#vOhDd=d z?KGBn<8nfu!)BttsTp_nSQKI;SCTk9gEr2uZ`y0yp3NF(ee>4q zlydkn-n#q0_bIbjuUKTNf+Ff}Uv6)aC))_StcP&gCr}#IFh(4H$0P6EZ%a-sKJJ@L z*y#Sj5mCPd2&8t}f!<1kIN6Zz3v;NiV8Ek&Xa7Lb=2)37%GKNh6VLS-Vbg4EsiwTS z+FpT0X-d?l+Q-UCT8`^Zqwd{aYdduyyQao;XQkaJB#xD?X%pO3p2Guni}GWnYo zZ_v}6-&2fHo5L$@ix{I$T9=s=cgpQLVNk7q+>2CuTf^m=Mn|tmUbAXl7es2Yx|(HA zvG!EE%J;FJbO`=(7H*K;u5IW>mLS0mbS>{>ORGfxVvNUWhZ76KbQ`go~J3ZT@#MkomdaEkxzP-KDpX!yx%Y#YrGD?!PwoEPA5Y>-+H)KXT ze6vDL9iBN=cb8v`l+_DN+#YXbU*F%}{6JpbRTF)Pzrz+3PrrXZnM-hTG}To2kG zMgM?&VM{Th#{HU|8kCMUPM7{wZx}cZ@4exQ(VaMi@u6o{%n-3;K0YJU7SjAWxZbh} zgLckjZ(7XL&PmMK|8;dF~*ZRvO znj1PF)M8LYEvu}#(sfBTW^T%%k9$;VMwpqaN15M)xbuu{VoA7K^?r~C%Oq7kMP>A! zR%(_G~!%k+^ zzA&MeYbv;xa+DJ75tt=@2t_xD(Ob(bDejdr^d*Hf*%wRD8}tOjcy{l4@NQKMAFonM zS(hjIjCWZo&G%XQLSj}IA+_PJ6QeMtf@*!FDExd=8$OG)=aT!5IR_Yjbi@A|D0!?&~(Y;jqnz-{xVK zr_`BVpZ65}?WKB)2w&GS$+@dCeGpdVA0kb6i-n8_p?*`TB-c+_&9bhHk;=cBxQ4*O?&GqR%7oOWh{@e21Wp!yG@a0~1Jtt-iSxVd z+J>JpC)Xpc%gl3lp)oHKh$DV$IiS^NFLGvpp1L%M)l%a8`*DS0Q=vId36jvLYfoYA z+&jf>lZ_KZS;aoMlH1ZjfS<%x3wBk2}(P(Uc6WBk{t@hR*eFs*{aLw=HF!-mENeqnf*o`a0y29#uO(R-89 zGpp!-Msn+~a?pGKbag!CyKppkU-1&90L+&TY?eoB8DN<%x!f)-I%cg=7QmcZ83fv4 zPSjEG=;$ar$Z-A?pdbhyyRh1VvMRr@(tqA*xEk^kuPyiROj3Hfv&p|r+@VM7qv^Kb z$Q@M?`4;leX(V< z7d~sgvM=Wb+UuZTv`;QLM_$?tYNk9Qh)xOe!ZHCXHI}@+=9<7NIc|-9Q0(5-OW$d- zse5mz-q-rA4LZ!1HBP-{oz2{1%Hv_Wo+%6sP}5 zmcyfu&PO%we_gZPp7KrVRY^AkL-gDd_mnu*B7@dS;&gJRm2}Uz$L#L`64--R#*w>T zq5EHQS2B=^LzJ7@QH;iU1Ay`N-w_EAsZNN#TKu Date: Mon, 21 Jun 2021 17:17:32 +0200 Subject: [PATCH 349/415] Update hello-feature-pin-reset.md removed double quotes from ConfigureWebSignInAllowedUrls proposed value. --- .../hello-for-business/hello-feature-pin-reset.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index 6d1ae1fbd1..c772362fa2 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md @@ -197,7 +197,7 @@ The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-au - **Description:** (Optional) List of domains that are allowed during PIN reset flows. - **OMA-URI:** ./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls - **Data type:** String - - **Value**: Provide a semicolon delimited list of domains needed for authentication during the PIN reset scenario. An example value would be "signin.contoso.com;portal.contoso.com" + - **Value**: Provide a semicolon delimited list of domains needed for authentication during the PIN reset scenario. An example value would be signin.contoso.com;portal.contoso.com (no double quotes) ![Custom Configuration for ConfigureWebSignInAllowedUrls policy](images/pinreset/allowlist.png) @@ -218,4 +218,4 @@ The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-au - [Windows Hello and password changes](hello-and-password-changes.md) - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) - [Event ID 300 - Windows Hello successfully created](hello-event-300.md) -- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) \ No newline at end of file +- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) From 98918dc567478c00c37821b66c79b0ba1107fe72 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Mon, 21 Jun 2021 09:10:40 -0700 Subject: [PATCH 350/415] Update windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../select-types-of-rules-to-create.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 99f5695221..b06abc4571 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -121,7 +121,7 @@ To create the WDAC policy, they build a reference server on their standard hardw As part of normal operations, they will eventually install software updates, or perhaps add software from the same software providers. Because the "Publisher" remains the same on those updates and software, they will not need to update their WDAC policy. If the unsigned, internal application is updated, they must also update the WDAC policy to allow the new version. ## File rule precedence order -WDAC has a built-in file rule conflict logic that translates to precedence order. It will first processes all explicit deny rules it finds. Then, it will process all explicit allow rules. If no deny or allow rule exists, WDAC will check for [Managed Installer EA](deploy-wdac-policies-with-managed-installer.md). Lastly, if none of these exists, WDAC will fall back on [ISG](use-windows-defender-application-control-with-intelligent-security-graph.md). +WDAC has a built-in file rule conflict logic that translates to precedence order. It will first process all explicit deny rules it finds. Then, it will process all explicit allow rules. If no deny or allow rule exists, WDAC will check for [Managed Installer EA](deploy-wdac-policies-with-managed-installer.md). Lastly, if none of these exists, WDAC will fall back on [ISG](use-windows-defender-application-control-with-intelligent-security-graph.md). ## More information about filepath rules From f20b7e7a1f92c38fffd20c3abdde85630969aefa Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Mon, 21 Jun 2021 13:58:34 -0700 Subject: [PATCH 351/415] edits --- windows/whats-new/windows-sv-plan.md | 126 +++++++++---------- windows/whats-new/windows-sv-requirements.md | 53 ++++++-- windows/whats-new/windows-sv.md | 28 ++--- 3 files changed, 117 insertions(+), 90 deletions(-) diff --git a/windows/whats-new/windows-sv-plan.md b/windows/whats-new/windows-sv-plan.md index 87cefa2210..aa15b3748b 100644 --- a/windows/whats-new/windows-sv-plan.md +++ b/windows/whats-new/windows-sv-plan.md @@ -25,101 +25,101 @@ ms.topic: article This article provides guidance to help you plan for Windows Sun Valley in your organization. Since Windows Sun Valley is built on the same foundation as Windows 10, you can utilize the same deployment capabilities, scenarios, and tools—as well as the same basic deployment and servicing strategy. At a high level, this strategy should include the following steps: -- Create a deployment plan. -- Define readiness criteria. -- Evaluate current infrastructure and tools. -- Determine application readiness. -- Define your servicing strategy. +- [Create a deployment plan](/windows/deployment/update/create-deployment-plan) +- [Define readiness criteria](/windows/deployment/update/plan-define-readiness) +- [Evaluate infrastructure and tools](/windows/deployment/update/eval-infra-tools) +- [Determine application readiness](/windows/deployment/update/plan-determine-app-readiness) +- [Define your servicing strategy](/windows/deployment/update/plan-define-strategy) -Most organizations will have a mix of Windows Sun Valley and Windows 10 devices side-by-side as they integrate the upgrade into their environments. As such, there are unique yet largely familiar considerations to take into account when planning your deployments. +If you are looking for ways to optimize your approach to deploying Windows Sun Valley, or if deploying a new version of an operating system is not a familiar process for you, some additional items to consider are provided below. -## Upgrade eligibility +## Determining eligibility -As a first step, you will need to know which of your current PCs meet the Windows Sun Valley hardware requirements. Detailed requirements can be found [here](windows-sv-requirements.md). However, in general you should expect that if your devices were purchased within the last 18-24 months, they will be able to run Windows Sun Valley. +As a first step, you will need to know which of your current devices meet the Windows Sun Valley hardware requirements. Detailed requirements can be found at [Windows Sun Valley requirements](windows-sv-requirements.md). In general, you should expect that a device purchased in the last 18-24 months will be able to run Windows Sun Valley. -Analysis tools will be developed and made available to validate devices against the Windows Sun Valley hardware requirements. A standalone tool is planned, and upgrade eligibility will also be integrated into your existing enterprise deployment tools. - -When Windows Sun Valley reaches general availability, end users running Windows 10 Home, Pro, and Pro for Workstations can use the PC Health Check app to determine their eligibility for Windows Sun Valley. End users running Windows 10 Enterprise and Education editions should rely on their IT administrators to let them know when they are eligible for the upgrade. [LINK NEEDED]() has been developed for this purpose. - -For organizations with investments in enterprise deployment tools, analytics functionality will be available to evaluate device readiness, including Endpoint Analytics and Update Compliance. Microsoft is also sharing information with independent sofware vendors to enable their tools to support analytics for Windows Sun Valley. +Microsoft is currently developing analysis tools to help you evaluate your devices against the Windows Sun Valley hardware requirements. When Windows Sun Valley reaches general availability, end users running Windows 10 Home, Pro, and Pro for Workstations will be able to use the **PC Health Check** app to determine their eligibility for Windows Sun Valley. End users running Windows 10 Enterprise and Education editions should rely on their IT administrators to let them know when they are eligible for the upgrade.  + +Enterprise organizations looking to evaluate device readiness in their environments can expect this capability to be integrated into existing Microsoft tools, such as Endpoint Analytics and Update Compliance. This capability will be available when Windows Sun Valley is generally available. Microsoft is also working with software vendor partners to facilitate Windows Sun Valley device readiness into their solutions. ## Windows Sun Valley availability -As with Windows 10, the availability of Windows Sun Valley will vary depending on whether the device is unmanaged and receives updates from Windows Update, or a device is managed using tools operated by an IT administrator. - -##### Unmanaged devices - -For unmanaged devices, most eligible devices purchased after June of 2021 will be offered the Windows Sun Valley upgrade in October of 2021. Messaging on new devices will vary by PC manufacturer, but users will see labels such as **This PC will upgrade to Windows Sun Valley once available** on products that are available for purchase. - -> [!NOTE] -> New devices purchased after October 2021 will see the Windows Sun Valley offer during the out of box experience (OOBE), or they will already be upgraded to Windows Sun Valley. - -After General Availability (GA) date for Windows Sun Valley, the OS upgrade will be available to eligible devices that use Windows Update. The upgrade will be available first to seekers, then as part of Microsoft's intelligent rollout process. The Windows Update Settings page will confirm when a device is eligible, and users can choose whether or not to upgrade. - -Just like Windows 10, the machine learning based [intelligent rollout](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/using-machine-learning-to-improve-the-windows-10-update/ba-p/877860) process will be leveraged when rolling out upgrades. Machine learning uses a combination of testing, close partner engagement, feedback, diagnostic data, and real-life insights to manage quality. This improves the update experience and ensures that devices first nominated for updates are those likely to have a seamless experience. Devices that might have compatibility issues with the upgrade get the benefit of resolving these issues before the upgrade is offered. +Windows Sun Valley will be offered to eligible Windows 10 devices beginning the last quarter of calendar year 2021. The availability of Windows Sun Valley will vary according to a device's hardware and whether or not the device receives updates directly or from a management solution that is maintained by an IT administrator. ##### Managed devices -The right time to upgrade will be different for each organization and environment. You can choose between Windows Sun Valley and Windows 10, and decide when the time is right to integrate Window Sun Valley into your environment. Initially, it is expected that many organizations will operate with a mix of Windows 10 and Windows Sun Valley. +Managed devices are devices that are under organization control. For example: devices managed by Microsoft Endpoint Manager (Microsoft Intune or Microsoft Endpoint Configuration Manager) or another endpoint management solution. -You can deploy the Windows Sun Valley upgrade to eligible devices using your existing management tools beginning at GA. If you use Windows Update for Business (WUfB), you will have the additional benefit of two safety nets: offering blocks on non-eligible devices that do not meet the hardware requirements, and Safeguard holds. Safeguard holds will function for Windows Sun Valley devices the same way that they do for Windows 10. Administrators will have access to information on which Safeguard holds are preventing individual devices from taking the upgrade to Windows Sun Valley. +If you manage devices on behalf of your organization, you will be able to upgrade eligible devices to Windows Sun Valley using your existing deployment and management tools when the upgrade reaches general availability. Organizations that use Windows Update for Business will have additional benefits, such as: + +- Blocking the upgrade on non-eligible devices. +- Additional insight into safeguard holds. While safeguard holds will function for Windows Sun Valley devices just as they do for Windows 10 today, administrators using Windows Update for Business will have access to information on which safeguard holds are preventing individual devices from taking the upgrade to Windows Sun Valley. > [!NOTE] > If you use WUfB to manage feature update deployments today, you will need to leverage the **Target Version** policy rather than **Feature Update deferrals** to move from Windows 10 to Windows Sun Valley. Deferrals are great for quality updates or to move to newer versions of the same product (Windows 10 to Windows 10), but they cannot migrate a devices between products (Windows 10 to Windows Sun Valley).
-> Additionally, Windows Sun Valley has a new end user license agreement (EULA). If you are deploying with WUfB **Target Version** or with WSUS, you are accepting this new EULA on behalf of the end users within your organization. +> Additionally, Windows Sun Valley has a new end user license agreement. If you are deploying with Windows Update for Business **Target Version** or with Windows Server Update Services, you are accepting this new end user license agreements on behalf of the end users within your organization. Additional considerations: -- Windows 10 Pro or higher can upgrade for free using existing management tools. +- Devices running Windows 10 Pro or higher can upgrade for free using existing management tools. - Devices running S mode will first need to switch out of S mode because it is not supported on Windows Sun Valley. - Downgrade rights are available with Windows Sun Valley Pro OEM licensed devices and with Microsoft Volume Licensing, where the licensing agreement permits it. - You can downgrade to any version of Windows Pro that has not reached its end of support date. -## Availability and upgrade path +##### Unmanaged devices -As previously mentioned, the Windows Sun Valley upgrade offer will begin for eligible devices at GA in October of 2021. This is true for existing eligible devices as well as for new devices. +Unmanaged devices are those that are not managed by an IT administrator on behalf of an organization. For operating system (OS) deployment, these devices are not subject to organizational policies that manage upgrades or updates. -To preview Windows Sun Valley, you can join the [Windows Insider Program](https://insider.windows.com/for-business) (WIP). This enables you to begin validating Windows Sun Valley, and to explore new features as they’re being created. As a WIP participant in the [Release Preview Channel](/windows-insider/business/validate-Release-Preview-Channel), Windows Sun Valley will be available to you in the summer of 2021, well ahead of the October GA date. - -You can deploy directly from the Windows Insider Pre-release category in WSUS in a variety of ways: -1. Configure Manage Preview Builds to **Release Preview** with WUfB. -2. Leverage Windows Virtual Devices or Cloud PC* (check if this will be announced when this paper goes out) and Azure Marketplace images. -3. Download and deploy ISOs from Microsoft’s Windows Insider Program ISO Download page. - -Regardless of which way you choose to deploy, you have the benefit of free Microsoft support when validating a pre-release. Just go to [Support for business](http://support.microsoft.com/supportforbusiness/productselection?sapId=39fc4a93-68cd-5a19-f91b-f0b349a098f3) and submit your support case. This is free for any Microsoft commercial customer deploying Windows 10 version 21H2 or Windows Sun Valley 21H2 pre-release bits after the commercial preview date in the summer of 2021. - -## Quality updates - -- Windows Sun Valley and Windows 10 devices will receive regular monthly quality updates. -- Windows Sun Valley devices will receive a single feature update annually, a change from the twice per year of Windows 10. -- Devices on in-service versions of Windows 10 that do not meet Windows Sun Valley hardware requirements will continue to receive monthly Windows 10 security updates through 2025, as well as incremental improvements to Windows 10 to support your ongoing deployments of Microsoft 365. - -## Servicing duration - -Along with end user experience and security improvements, Windows Sun Valley introduces enhancements to our servicing approach based on your suggestions and feedback. - -Windows 10 feature updates are released twice yearly via the Semi-Annual Channel. They are serviced with monthly quality updates for 18 or 30 months from the date of the release, depending on the lifecycle policy. Windows Sun Valley will have an annual feature update cadence, targeted for release in the second half of the calendar year: -- Home, Pro, Pro for Workstations, and Pro for Education editions of Windows Sun Valley will receive 24 months of support from the date of release. -- Enterprise and Education editions of Windows Sun Valley will be supported for 36 months. - -THIS SECTION DOESNT EXIST: For more details on the lifecycle and servicing strategy for Windows Sun Valley, see [Windows lifecycle and servicing update overview](). -Microsoft recognizes the importance that organizations have adequate time to plan for Windows Sun Valley. Therefore, we have committed to supporting Windows 10 through October 14, 2025. For more information, see the [Windows release information]() page. This page also includes information for Windows 10 semi-annual channel and LTSC releases. -A consolidated [update history]() is also available for every version of the Windows operating system. This information offers quick access to knowledge base articles for each monthly, optional, and out-of-band release. In addition to update highlights, you’ll find a list of improvements and fixes, a summary of any known issues, and details on how to get the update, including any prerequisites. +Unmanaged eligible devices running Windows 10 that were purchased after June 2021 will be offered the Windows Sun Valley upgrade in the last quarter of the 2021 calendar year. Messaging on new devices will vary by PC manufacturer, but users will see labels such as **This PC will upgrade to Windows Sun Valley once available** on products that are available for purchase. + +> [!NOTE] +> New devices purchased after October 2021 will see the Windows Sun Valley offer during the out of box experience (OOBE), or they will already be upgraded to Windows Sun Valley. + +The Windows Sun Valley upgrade will be available initially on eligible, unmanaged devices to users who manually seek the upgrade through Windows Update. As with all Microsoft Update managed devices, the **Windows Update Settings** page will confirm when a device is eligible, and users can upgrade if they choose to. + +Just like Windows 10, the machine learning based [intelligent rollout](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/using-machine-learning-to-improve-the-windows-10-update/ba-p/877860) process will be leveraged when rolling out upgrades. Machine learning uses a combination of testing, close partner engagement, feedback, diagnostic data, and real-life insights to manage quality. This improves the update experience and ensures that devices first nominated for updates are those likely to have a seamless experience. Devices that might have compatibility issues with the upgrade get the benefit of resolving these issues before the upgrade is offered. + +## Windows Sun Valley readiness considerations + +The recommended method for organizations to determine if their infrastructure, deployment processes, and management tools are ready for Windows Sun Valley is to join the [Windows Insider Program for Business](https://insider.windows.com/for-business). As a participant in the [Release Preview Channel](/windows-insider/business/validate-Release-Preview-Channel), you can validate that your devices and applications work as expected, and explore new features in details. + +As you plan your endpoint management strategy for Windows Sun Valley, consider moving to cloud-based mobile device management (MDM), such as [Microsoft Intune](/mem/intune/fundamentals/what-is-intune). If a cloud-only approach isn't right for your organization just yet, you can still modernize and streamline essential pieces of your endpoint management strategy as follows: +- Create a [cloud management gateway](/mem/configmgr/core/clients/manage/cmg/overview) (CMG) to manage Configuration Manager clients over the internet. +- Attach your existing Configuration Management estate to the cloud with [tenant attach](/mem/configmgr/tenant-attach/device-sync-actions) so you can manage all devices from within the Microsoft Endpoint Manager admin center. +- Use [co-management](/mem/configmgr/comanage/overview) to concurrently manage devices using both Configuration Manager and Microsoft Intune, allowing you to take advantage of cloud-powered capabilities like [Conditional Access](/azure/active-directory/conditional-access/overview). + +For more information on the benefits of these approaches, see [Cloud Attach Your Future: The Big 3](https://techcommunity.microsoft.com/t5/configuration-manager-blog/cloud-attach-your-future-part-ii-quot-the-big-3-quot/ba-p/1750664). + +The introduction of Windows Sun Valley is also a good time to review your hardware refresh plans and prioritize eligible devices to ensure an optimal experience for your users. + +## Servicing and support + +Along with end user experience and security improvements, Windows Sun Valley introduces enhancements to Microsoft's servicing approach based on your suggestions and feedback. + +Windows Sun Valley and Windows 10 devices will receive regular monthly quality updates to provide security updates and bug fixes. However, Windows Sun Valley devices will receive a single feature update annually, targeted for release in the second half of each calendar year. +- Home, Pro, Pro for Workstations, and Pro for Education editions of Windows Sun Valley will receive 24 months of support from the date of release. +- Enterprise and Education editions of Windows Sun Valley will be supported for 36 months from the date of release. + +When Windows Sun Valley reaches general availability, a consolidated Windows Sun Valley update history will be available on support.microsoft.com, similar to what is [available today for Windows 10](https://support.microsoft.com/topic/windows-10-update-history-1b6aac92-bf01-42b5-b158-f80c6d93eb11). Similarly, the [Windows release health](/windows/release-health/) hub will offer quick access to Windows Sun Valley servicing announcements, known issues, and safeguard holds. + + +It is important that organizations have adequate time to plan for Windows Sun Valley. Microsoft also recognizes that many organizations will have a mix of Windows Sun Valley and Windows 10 devices across their ecosystem. Devices on in-service versions of Windows 10 that do not meet Windows Sun Valley hardware requirements will continue to receive monthly Windows 10 security updates through 2025, as well as incremental improvements to Windows 10 to support ongoing Microsoft 365 deployments. For more information, see the [Windows 10 release information](/windows/release-health/release-information) page, which offers information about Windows 10 semi-annual channel and LTSC releases. ## Application compatibility -Windows 10 upgrades have proven to be highly compatible, and that does not change with Windows Sun Valley. Microsoft's compatibility promise for Windows 10 that upgrades will preserve application compatibility is maintained for Windows Sun Valley. Windows Sun Valley comes with the same App Assure promise and commitment that you have known with Windows 10. Data from the App Assure program shows that Windows 10 compatibility rates are over 99.7% for our enterprise customers, including line of business apps. Windows Sun Valley has passed the same app compatibility validation requirements that are in place for Windows 10 feature and quality update releases. +Microsoft's compatibility promise for Windows 10 is maintained for Windows Sun Valley. Data from the App Assure program shows that Windows 10 compatibility rates are over 99.7% for enterprise organizations, including line of business (LOB) apps. Microsoft remains committed to ensuring that the apps you rely upon continue to work as expected when you upgrade. Windows Sun Valley is subject to the same app compatibility validation requirements that are in place for Windows 10 today, and it is passing these requirements. -#### App Assure and Test Base +#### App Assure and Test Base for Microsoft 365 + +If you run into compatibility issues or want to ensure that your organization's applications are compatible from day one, App Assure and Test Base for Microsoft 365 can help. + +With enrollment in the [App Assure](/windows/compatibility/app-assure) service, if you find any problems with an existing application as you migrate to Windows Sun Valley, Microsoft will help you remedy those application issues at no cost. Since 2018, App Assure has evaluated almost 800,000 apps, and subscriptions are free for eligible customers with 150+ seats. + +For software vendors and systems integrators, [Test Base for Microsoft 365](https://www.microsoft.com/testbase) (currently in public preview) is a service that allows you to validate your apps across a variety of Windows feature and quality updates and environments in a Microsoft-managed Azure environment. Enterprise organizations can also nominate their software vendors for participation by completing a short form. You might already be using App Assure and Test Base in your Windows 10 environment. Both of these tools will continue to function with Windows Sun Valley. -With enrollment in the App Assure service, if you find any problems with an existing application as you migrate to Windows Sun Valley, Microsoft will help you remedy application issues at no cost. Since 2018, App Assure has evaluated almost 800,000 apps, and subscriptions are free for eligible customers with 150+ seats. - -If you’ve created your own applications, Test Base for Microsoft is a service that allows independent software vendors and commercial customers to validate their apps across a variety of updates and environments in a Microsoft managed Azure environment. Both services can be of benefit to you as you roll out Windows Sun Valley into your environment. - ## Next steps [Prepare for Windows Sun Valley](windows-sv-prepare.md) diff --git a/windows/whats-new/windows-sv-requirements.md b/windows/whats-new/windows-sv-requirements.md index d9c0d22b1a..99d261a3d9 100644 --- a/windows/whats-new/windows-sv-requirements.md +++ b/windows/whats-new/windows-sv-requirements.md @@ -25,21 +25,20 @@ This article lists the system requirements for Windows Sun Valley. Windows Sun V ## Hardware requirements -To install Windows Sun Valley, devices must meet the following specifications: +To install or upgrade to Windows Sun Valley, devices must meet the following minimum hardware requirements: -- Processor: 1 gigahertz (GHz) or faster processor or SoC; dual-core CPU or greater - - Intel 8th generation, Intel Celeron N4000, Pentium N5000 - - AMD Ryzen gen 2 (Zen+), AMD 3xxx - - Qualcomm 7c, 8c, 8cx +- Processor: 1 gigahertz (GHz) or faster with two or more cores on a [compatible 64-bit processor](http://aka.ms/CPUlist) or system on a chip (SoC) +- RAM: 4 gigabytes (GB) or greater +- Storage: 64GB or greater available storage is required to install Windows Sun Valley + - Additional storage space might be required to download updates and enable specific features +- Graphics card: Compatible with DirectX 12 or later with WDDM 2.0 driver +- System firmware: UEFI, Secure Boot capable +- TPM: Trusted Platform Module (TPM) version 2.0 +- Display: High definition (720p) display, 9" or greater monitor, 8 bits per color channel +- Internet connection: Internet connectivity is necessary to perform updates and to download and take advantage of some features. + - Windows Sun Valley Home edition requires an Internet connection and a Microsoft Account to complete device setup on first use. -- RAM: 4 gigabyte (GB) or greater -- Hard disk space: 64GB, 64-bit architecture -- Graphics card: DirectX 12 or later with WDDM 2.x driver -- Security: Trusted Platform Module (TPM) 2.0 chip, UEFI support, Secure Boot capable -- Display: 9" monitor size or greater with HD (1366 x 768) resolution or greater -- Internet connection: Internet connectivity is necessary to perform updates and to download and take advantage of some features. It is required for the Home edition of Windows Sun Valley. - -For additional guidance, see [Determine eligibility](windows-sv-plan.md#determine-eligibility) NEED LINK. +For additional guidance, see [Determine eligibility](windows-sv-plan.md#determine-eligibility). ## Operating system requirements @@ -49,6 +48,34 @@ For the best Windows Sun Valley upgrade experience, eligible devices should be r > S mode is not supported on Windows Sun Valley. > If you are running Windows in S mode, you will need to first [switch out of S mode](/windows/deployment/windows-10-pro-in-s-mode) prior to upgrading. Switching a device out of Windows 10 in S mode also requires internet connectivity. +## Feature-specific requirements + +Some features in Windows Sun Valley have requirements beyond those listed above. See the following list: + +- **5G support** requires 5G capable modem. +- **Auto HDR** requires an HDR monitor. +- **BitLocker to Go** requires a USB flash drive. This feature is available in Windows Pro and above editions. +- **Client Hyper-V** requires a processor with second level address translation (SLAT) capabilities. This feature is available in Windows Pro editions and above. +- **Cortana** requires a microphone and speaker and is currently available on Windows 11 for the Australia, Brazil, Canada, China, France, Germany, India, Italy, Japan, Mexico, Spain, United Kingdom, and United States +- **DirectStorage** requires 1TB or greater NVMe SSD to store and run games that uses the "Standard NVM Express Controller" driver and a DirectX12 Ultimate GPU +- **DirectX 12 Ultimate** is available with supported games and graphics chips +- **Presence** requires sensor that can detect human distance from device or intent to interact with device +- **Intelligent Video Conferencing** requires video camera, microphone and speaker (audio output) +- **Multiple Voice Assistant** requires a microphone and speaker +- **Snap** three column layouts require a screen that is 1920 effective pixels or greater in width +- **Mute** and **unmute** from Taskbar requires video camera, microphone, and speaker (audio output). App must be compatible with feature to enable global mute/unmute +- **Spatial Sound** requires supporting hardware and software +- **Microsoft Teams** requires video camera, microphone and speaker (audio output) +- **Touch** requires a screen or monitor that supports multi-touch +- **Two-factor authentication** requires use of PIN, biometric (fingerprint reader or illuminated infrared camera), or a phone with Wi-Fi or Bluetooth capabilities +- **Voice Typing** requires a PC with a microphone +- **Wake on Voice** requires Modern Standby power model and microphone +- **Wi-Fi 6E** requires new WLAN IHV hardware and driver and a Wi-Fi 6E capable AP/router +- **Windows Hello** requires a camera configured for near infrared (IR) imaging or fingerprint reader for biometric authentication. Devices without biometric sensors can use Windows Hello with a PIN or portable Microsoft compatible security key +- **Windows Projection** requires a display adapter which supports Windows Display Driver Model (WDDM) 2.0 and a Wi-Fi adapter that supports Wi-Fi Direct +- **Xbox** app requires an Xbox Live account, which is not available in all regions. Please go to the Xbox Live Countries and Regions page for the most up-to-date information on availability. Some features in the Xbox app will require an active Xbox Game Pass subscription. See https://www.xbox.com/xbox-game-pass to learn more about the pass. + + ## Next steps [Plan to deploy Windows Sun Valley](windows-sv-plan.md)
diff --git a/windows/whats-new/windows-sv.md b/windows/whats-new/windows-sv.md index b1b09d27be..31c967b779 100644 --- a/windows/whats-new/windows-sv.md +++ b/windows/whats-new/windows-sv.md @@ -22,34 +22,36 @@ ms.custom: seo-marvel-apr2020 - Windows Sun Valley, version 21H2 -This article provides an introduction and answers some frequently asked questions about Windows Sun Valley, the next client release of Windows. +This article provides an introduction and answers some frequently asked questions about Windows Sun Valley, the next Windows client operating systgem release. -Also see the following articles to learn about Windows Sun Valley: +Also see the following articles to learn more about Windows Sun Valley: - [Windows Sun Valley requirements](windows-sv-requirements.md): Requirements to deploy Windows Sun Valley. -- [Planning for Windows Sun Valley](windows-sv-plan.md): Information to help you create a Windows Sun Valley deployment plan. +- [Planning for Windows Sun Valley](windows-sv-plan.md): Information to help you plan for Windows Sun Valley in your organizatioin. - [Prepare for Windows Sun Valley](windows-sv-prepare.md): Procedures to ensure readiness to deploy Windows Sun Valley. ## Introduction Windows Sun Valley is the next evolution of Windows; the most significant update to the Windows operating system since Windows 10. It offers many innovations focused on enhancing end user productivity in a fresh experience that is flexible and fluid. Windows Sun Valley is designed to support today's hybrid work environment, and intended to be the most reliable, secure, connected, and performant Windows OS ever. -This release is built on the same foundation as Windows 10, so the investments you have made in tools for update and device management are carried forward. Windows Sun Valley also sustains the application compatibility promise we made with Windows 10. For Microsoft 365 customers seeking further assistance, FastTrack will continue to be available to support your efforts to adopt Windows Sun Valley. +This release is built on the same foundation as Windows 10, so the investments you have made in tools for update and device management are carried forward. Windows Sun Valley also sustains the application compatibility promise made with Windows 10, supplemented by programs like App Assure. For Microsoft 365 customers seeking further assistance, FastTrack will continue to be available to support your efforts to adopt Windows Sun Valley. ## How to get Windows Sun Valley -Windows Sun Valley will be delivered as an upgrade to eligible devices running Windows 10 beginning in the first half of 2022. Windows Sun Valley will also be available on new, eligible devices. +Windows Sun Valley will be delivered as an upgrade to eligible devices running Windows 10, beginning in the last quarter of the 2021 calendar year. Windows Sun Valley will also be available on new, eligible devices. -For PCs that are managed by your organization and meet the eligibility requirements, Windows Sun Valley will be available through the same channels that you use for Windows 10 feature updates today. Existing deployment and management tools such as Windows Update for Business, Microsoft Endpoint Management, and Windows Autopilot can be used to deploy and manage Windows Sun Valley. Commercial organizations running Pro, Enterprise and Education editions of Windows 10 will have control over when to upgrade their devices from Windows 10 to Windows Sun Valley. For more information, see [Management tools](windows-sv-prepare.md#management-tools). +For administrators managing devices on behalf of their organization, Windows Sun Valley will be available through the same, familiar channels that you utilize today for Windows 10 feature updates. You will be able to use existing deployment and management tools, such as Windows Update for Business, Microsoft Endpoint Management, and Windows Autopilot. For more information, see [Plan for Windows Sun Valley](windows-sv-plan.md). -For personal devices and other unmanaged PCs that meet the eligibility requirements, the Windows Sun Valley upgrade will be offered through Windows Update using Microsoft's [intelligent rollout](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/using-machine-learning-to-improve-the-windows-10-update/ba-p/877860) process. Windows 10 devices purchased after June 2021 that meet or exceed the minimum hardware requirements for Windows Sun Valley will be offered the upgrade starting in October of 2021. +For eligible PCs that are not managed by an organization, the Windows Sun Valley upgrade will be offered through Windows Update using Microsoft's intelligent rollout process to ensure a smooth upgrade experience. Windows Sun Valley will initially be offered to Windows 10 devices purchased after June 2021 that meet or exceed the minimum hardware requirements. -If you are interested in testing Windows Sun Valley before general availability, you can join the Windows Insider Program or Windows Insider Program for Business [Release Preview Channel](/windows-insider/business/validate-Release-Preview-Channel). You can also preview Windows Sun Valley by enabling pre-release Windows 10 feature updates in [Microsoft Endpoint Configuration Manager](/mem/configmgr/core/servers/manage/pre-release-features) or [Windows Server Update Services](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/publishing-pre-release-windows-10-feature-updates-to-wsus/ba-p/845054) (WSUS). +For more information about device eligibility, see [Windows Sun Valley requirements](windows-sv-requirements.md). -For more information about eligibility to upgrade, see [Windows Sun Valley requirements](windows-sv-requirements.md). +For those interested in testing Windows Sun Valley before general availability, you can join the [Windows Insider Program](https://insider.windows.com) or [Windows Insider Program for Business](https://insider.windows.com/for-business). You can also preview Windows Sun Valley by enabling pre-release Windows 10 feature updates in [Microsoft Endpoint Configuration Manager](/mem/configmgr/core/servers/manage/pre-release-features) or [Windows Server Update Services](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/publishing-pre-release-windows-10-feature-updates-to-wsus/ba-p/845054) (WSUS). ## Before you begin +Many organizations will have a mixed environment of Windows Sun Valley and Windows 10 devices. The following is a quick summary of licensing, compatibility, management, and servicing considerations. + #### Licensing There are no unique licensing requirements for Windows Sun Valley beyond what is required for Windows 10 devices. @@ -64,16 +66,14 @@ Windows Sun Valley preserves the application compatibility promise made with Win #### Familiar processes -Windows Sun Valley is built on the same foundation as Windows 10, so generally you can use the same tools and solutions you use today to deploy, manage, and secure Windows Sun Valley. Your current management tools and processes will work to manage monthly quality updates for both Windows 10 and Windows Sun Valley. For more information, see [Management tools](windows-sv-prepare.md#management-tools). +Windows Sun Valley is built on the same foundation as Windows 10, so generally you can use the same tools and solutions you use today to deploy, manage, and secure Windows Sun Valley. Your current management tools and processes will work to manage monthly quality updates for both Windows 10 and Windows Sun Valley. For more information, see [Prepare for Windows Sun Valley](windows-sv-prepare.md). #### Servicing Windows Sun Valley -Windows Sun Valley will have an annual feature update cadence and receive monthly quality updates. For details, see [Windows Sun Valley servicing](windows-sv-plan.md#windows-sun-valley-servicing). - -When Windows Sun Valley reaches general availability, important servicing-related announcements and information about known issues and safeguard holds can be found on the Windows release health hub. Monthly release notes will available from a consolidated Windows Sun Valley update history page. +Like Windows 10, Windows Sun Valley will receive monthly quality updates. However, it will have an annual feature update cadence. When Windows Sun Valley reaches general availability, important servicing-related announcements and information about known issues and safeguard holds can be found on the Windows release health hub. Monthly release notes will available via a consolidated Windows SV update history page at that time as well. For more information, see [Windows Sun Valley servicing](windows-sv-plan.md#windows-sun-valley-servicing). ## Next steps [Windows Sun Valley requirements](windows-sv-requirements.md)
-[Plan to deploy Windows Sun Valley](windows-sv-plan.md)
+[Plan for Windows Sun Valley](windows-sv-plan.md)
[Prepare for Windows Sun Valley](windows-sv-prepare.md) \ No newline at end of file From 3e49e11277468a943426735c54d2bb692e2024f7 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Mon, 21 Jun 2021 14:11:04 -0700 Subject: [PATCH 352/415] edits --- windows/whats-new/windows-sv-plan.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/windows/whats-new/windows-sv-plan.md b/windows/whats-new/windows-sv-plan.md index aa15b3748b..31658c2150 100644 --- a/windows/whats-new/windows-sv-plan.md +++ b/windows/whats-new/windows-sv-plan.md @@ -55,7 +55,7 @@ If you manage devices on behalf of your organization, you will be able to upgrad - Additional insight into safeguard holds. While safeguard holds will function for Windows Sun Valley devices just as they do for Windows 10 today, administrators using Windows Update for Business will have access to information on which safeguard holds are preventing individual devices from taking the upgrade to Windows Sun Valley. > [!NOTE] -> If you use WUfB to manage feature update deployments today, you will need to leverage the **Target Version** policy rather than **Feature Update deferrals** to move from Windows 10 to Windows Sun Valley. Deferrals are great for quality updates or to move to newer versions of the same product (Windows 10 to Windows 10), but they cannot migrate a devices between products (Windows 10 to Windows Sun Valley).
+> If you use WUfB to manage feature update deployments today, you will need to leverage the **Target Version** policy rather than **Feature Update deferrals** to move from Windows 10 to Windows Sun Valley. Deferrals are great for quality updates or to move to newer version of the same product (Windows 10 to Windows 10), but they cannot migrate a device between products (Windows 10 to Windows Sun Valley).
> Additionally, Windows Sun Valley has a new end user license agreement. If you are deploying with Windows Update for Business **Target Version** or with Windows Server Update Services, you are accepting this new end user license agreements on behalf of the end users within your organization. Additional considerations: @@ -69,8 +69,6 @@ Additional considerations: Unmanaged devices are those that are not managed by an IT administrator on behalf of an organization. For operating system (OS) deployment, these devices are not subject to organizational policies that manage upgrades or updates. - - Unmanaged eligible devices running Windows 10 that were purchased after June 2021 will be offered the Windows Sun Valley upgrade in the last quarter of the 2021 calendar year. Messaging on new devices will vary by PC manufacturer, but users will see labels such as **This PC will upgrade to Windows Sun Valley once available** on products that are available for purchase. > [!NOTE] From 18e50e69af70791ad22788321e44d64f71e6d2de Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Mon, 21 Jun 2021 16:05:43 -0700 Subject: [PATCH 353/415] draft of final --- windows/whats-new/windows-sv-plan.md | 4 +- windows/whats-new/windows-sv-prepare.md | 107 ++++++++++++++----- windows/whats-new/windows-sv-requirements.md | 2 +- windows/whats-new/windows-sv.md | 4 +- 4 files changed, 88 insertions(+), 29 deletions(-) diff --git a/windows/whats-new/windows-sv-plan.md b/windows/whats-new/windows-sv-plan.md index 31658c2150..3f6adedbbd 100644 --- a/windows/whats-new/windows-sv-plan.md +++ b/windows/whats-new/windows-sv-plan.md @@ -33,7 +33,7 @@ Since Windows Sun Valley is built on the same foundation as Windows 10, you can If you are looking for ways to optimize your approach to deploying Windows Sun Valley, or if deploying a new version of an operating system is not a familiar process for you, some additional items to consider are provided below. -## Determining eligibility +## Determine eligibility As a first step, you will need to know which of your current devices meet the Windows Sun Valley hardware requirements. Detailed requirements can be found at [Windows Sun Valley requirements](windows-sv-requirements.md). In general, you should expect that a device purchased in the last 18-24 months will be able to run Windows Sun Valley. @@ -43,7 +43,7 @@ Enterprise organizations looking to evaluate device readiness in their environme ## Windows Sun Valley availability -Windows Sun Valley will be offered to eligible Windows 10 devices beginning the last quarter of calendar year 2021. The availability of Windows Sun Valley will vary according to a device's hardware and whether or not the device receives updates directly or from a management solution that is maintained by an IT administrator. +Windows Sun Valley will be offered to eligible Windows 10 devices beginning later in the 2021 calendar year. The availability of Windows Sun Valley will vary according to a device's hardware and whether or not the device receives updates directly or from a management solution that is maintained by an IT administrator. ##### Managed devices diff --git a/windows/whats-new/windows-sv-prepare.md b/windows/whats-new/windows-sv-prepare.md index db5959e103..238373f36b 100644 --- a/windows/whats-new/windows-sv-prepare.md +++ b/windows/whats-new/windows-sv-prepare.md @@ -22,46 +22,105 @@ ms.topic: article Windows 10 and Windows Sun Valley are designed to coexist, so that you can use the same familiar tools and process to manage both operating systems. One common management infrastructure that supports common applications across both Windows 10 and Windows Sun Valley helps to simplify the migration process. You can analyze endpoints, determine application compatibility, and manage Windows Sun Valley deployments in the same way that you do with Windows 10. -As you prepare for Windows Sun Valley, it’s also a good time to look at the deployment infrastructure of your environment. If you aren’t already taking advantage of cloud-based management tools like Microsoft Endpoint Manager this might be the perfect time. Or, if you are exclusively using an on-premises management tool such as Configuration Manager (Note: Config Mgr is part of MEM, need clarification here), using Cloud management gateway, enabling tenant attach, or enabling co-management with Microsoft Intune are all ways to help keep devices secure and up-to-date. ---insert links for the named solutions +After you evaluate your hardware to see if it meets [requirements](windows-sv-requirements.md) for Windows Sun Valley, it's also a good time to review your deployment infrastructure, tools, and overall endpoint and update management processes and look for opportunities to simplify and optimize. -Policies related to deployment may need to be updated or re-evaluated, considering update compliance deadlines, device activity policies, and the replacement of older policies. A servicing mindset focused on keeping current means creating a deployment plan to build out your servicing strategy. +## Infrastructure and tools -## Analytics +The tools that you use for heavy lifting during Windows 10 deployments can still be leveraged for Windows Sun Valley. Aa few nuanced differences are described below: -If you’re a Microsoft Endpoint Manager customer, make sure you’ve onboarded your devices to Endpoint analytics. Later this year, we’ll be providing a hardware readiness assessment directly in Endpoint analytics so that you can quickly identify which of your managed devices meet or exceed the minimum hardware requirements. +#### On-premises solutions -If you’d rather start exploring Windows Sun Valley readiness within your organization right away, take advantage of our [hardware eligibility assessment script](add link). By following the instructions to deploy and aggregate results via Microsoft Intune or Configuration Manager, you can quickly determine how many of your devices meet the hardware requirements for Windows Sun Valley. +- If you use Windows Server Update Service (WSUS), you will need to sync the new **Windows Sun Valley** product category. Once you sync the product category you will see Windows Sun Valley offered as an option. -## Management tools +> [!NOTE] +> During deployment, you will be prompted to agree to the license agreement on behalf of your end users. Additionally, you will not see an x86 option because Windows Sun Valley is not supported on 32-bit architecture. -The toolset that you use for heavy lifting during deployments of Windows 10 are still able to be leveraged in Windows Sun Valley. There are a few nuanced differences described here: +- If you use Microsoft Endpoint Configuration Manager, you can sync the new **Windows Sun Valley** product category and begin upgrading eligible devices. If you would like to validate Windows Sun Valley prior to release, you can sync the **Windows Insider Pre-release** category as well. -#### On-premises management +> [!NOTE] +> Configuration Manager will prompt you to accept the end user license agreement on behalf of the users in your organization. -- Windows Server Update Service (WSUS): Commercial customers using WSUS will need to sync the new **Windows Sun Valley** product category. Once you sync the product category you will see the feature update to SV. Please note that during deployment you will be prompted to agree to the license agreement on behalf of your end users. Additionally, you will note there is no x86 (32 bit?) payload for Windows Sun Valley as such is no longer supported on Windows Sun Valley going forward. -- MEM Configuration Manager: For customers using MEM Configuration Manager, you will easily be able to sync the new “Windows Sun Valley” Product category and begin upgrading eligible devices. Please note that Configuration Manager will prompt you to accept the end user license agreement on behalf of the users in your organization. If you would like to validate Windows Sun Valley prior to release, simply sync the **Windows Insider Pre-release** category as well. +#### Cloud-based solutions -#### Cloud management +- If you use Windows Update for Business Group Policy and Configuration Service Provider (CSP) policies, you will need to leverage the **Target Version** capability rather than feature update deferrals to upgrade from Windows 10 to Windows Sun Valley. Feature Update deferrals are great to move to newer versions of your current product, but do not enable you to move between products (Windows 10 to Windows Sun Valley). +- Quality update deferrals will continue to work the same across both Windows 10 and Windows Sun Valley. This is true whether using Windows Update for Business, Microsoft Intune, or other management tools. +- If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to leverage **Feature Update Deployments** to easily update devices from one release of Windows 10 to another, or to upgrade Wndows 10 devices to Windows Sun Valley. You can then continue using the same update experience controls to manage Windows 10 and Windows Sun Valley. -- Windows Update for Business (WUfB) Group Policy (GP) and Configuration Service Provider (CSP) policies: Commercial customers using WUfB will need to leverage the Target Version capability rather than feature update deferrals to move from Windows 10 to Windows Sun Valley. Feature Update deferrals are great to move to newer versions of your current product, but do not enable you to move between products (Windows 10 to Windows Sun Valley). Quality update deferrals will continue to work the same across both Windows 10 and Windows Sun Valley. This is true whether using WUfB through Group Policy Management Console (GPMC), MEM Intune, or other 3rd party management tools. -- MEM Intune: For customers using MEM Intune with E3 licenses you will be able to leverage **Feature Update Deployments** to easily manage moving between Windows 10 versions or to Windows Sun Valley, version 21H2. You will be able to continue using the same update experience controls to manage the behavior of the device once updates are offered for either Windows 10, version 21H2 and Windows Sun Valley, version 21H2. +You'll also want to check with the providers of any non-Microsoft security and management solutions that you use to ensure compatibility with Windows Sun Valley, particularly those providing security or data loss prevention capabilities. -## Deploy Windows Sun Valley +## Cloud-based management -Since your familiar Windows 10 toolsets are meant to be used with Windows Sun Valley as well, then managing, securing, and deploying Windows Sun Valley devices will be well known procedures in the plan, prepare and deploy process. +If you aren’t already taking advantage of cloud-based management capabilities, like those available in [Microsoft Endpoint Manager](/mem/endpoint-manager-overview), it's worth considering. Aside from consolidating device management and endpoint security into a single platform, it can better support the diverse bring-your-own-device (BYOD) ecosystem that is increasingly the norm with hybrid work scenarios. It can also enable you to track your progress against compliance and business objectives, while protecting end user privacy. -Just as we recommend that broad deployment of new versions of Windows 10 begin with a pilot deployment phase, Windows Sun Valley is no different. Further, in your blended environment of Windows 10-capable devices and Windows 10 + SV-eligible devices, you will be poised to roll out an update to a select number of devices. Once you’ve gone through the checklist of pilot deployment tasks such as assigning the pilot devices from your prepare phase, implementing baseline and operations updates, testing and supporting the devices, and so forth, you can deploy to your test group. We recommend cloud-based deployment solutions such as Microsoft Endpoint Manager to fully take advantage of data-driven insights, though Configuration Manager works as well. +The following are some common use cases and the corresponding Microsoft Endpoint Manager capabilities that support them: -Using artifacts from your Plan and Prepare phase (such as security and configuration baselines, etc.) as well as data from your test deployment, will give you the confidence you seek to manage a broader rollout of Windows Sun Valley to increasingly larger rings of eligible devices. Desktop Analytics will help you ensure that your apps are scoped to only the pilot rings you designate. +- **Provision and pre-configure new Windows Sun Valley devices**: [Windows Autopilot](/mem/autopilot/windows-autopilot) enables you to deploy new Windows Sun Valley devices in a “business-ready” state that includes your desired applications, settings, and policies. It can also be used to change the edition of Windows. For example, you can upgrade from Pro to Enterprise edition and gain the use of advanced features. +- **Configure rules and control settings for users, apps, and devices for both Windows SV and Windows 10**: Devices that are enrolled in [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) provide administrators with full control over apps, settings, features, and security. You can also use app protection policies to require multi-factor authentication (MFA) for specific apps. +- **Streamlined, easy-to-manage devices for frontline, remote, and onsite workers**: Introduced with Windows 10, [cloud configuration](/mem/intune/fundamentals/cloud-configuration) is a standard, easy-to-manage, device configuration that is cloud-optimized for users with specific workflow needs. It can be deployed to devices running the Pro, Enterprise, and Education editions of Windows Sun Valley using Microsoft Endpoint Manager. -Though we’ve mentioned only a few, the tools and processes we have had in place for your previous 10 Windows deployment will be there for you with Windows Sun Valley as well. +If you are exclusively managing devices on-premises (for example, using Configuration Manager), you can still use the [cloud management gateway](/mem/configmgr/core/clients/manage/cmg/overview), enable [tenant attach](/mem/configmgr/tenant-attach/device-sync-actions), or enable [co-management](/mem/configmgr/comanage/overview) with Microsoft Intune, making it easier to keep devices secure and up-to-date. + + +## Review servicing approach and policies + +Microsoft is committed to supporting you through your migration to Windows Sun Valley, whether you are a fast adopter or will make the transition over the coming months or years. Every organization will transition to Windows Sun Valley at its own pace. However, thinking of operating system updates as an ongoing process improve your ability to deploy feature and quality updates, and enable you to stay current with less effort and impact on productivity. + +To begin, think about how you roll out Windows updates today: which devices, and at what pace. Next, craft a deployment plan for Windows Sun Valley that includes deployment groups, rings, users, or devices. There are no absolute rules for exactly how many rings to have for your deployments, but a common structure is: + +- Preview (first or canary): Planning and development +- Limited (fast or early adopters): Pilot and validation +- Broad (users or critical): Wide deployment + +For more information, see [Create a deployment plan](/windows/deployment/update/create-deployment-plan). + +#### Review policies + +Review deployment-related polices, taking into consideration your organization's security objectives, update compliance deadlines, and device activity. Apply changes where you can gain a clear improvement, particularly with regard to the speed of the update process or security. + +#### Validate apps and infrastructure + +To validate that your apps, infrastructure, and deployment processes are ready for Windows Sun Valley, join the [Windows Insider Program for Business](https://insider.windows.com/for-business-getting-started) and opt in to the [Release Preview Channel](/windows-insider/business/validate-Release-Preview-Channel). + +If you use Windows Server Update Services, you can deploy directly from the Windows Insider Pre-release category using one of the following: + +- Set **Manage Preview Builds** to **Release Preview** in Windows Update for Business. +- Leverage Azure Virtual Desktop and Azure Marketplace images . +- Download and deploy ISOs from Microsoft’s Windows Insider Program ISO Download page. + +Regardless of the method you choose, you have the benefit of free Microsoft support when validating pre-release builds. Free support is available to any commercial customer deploying Windows 10, version 21H2 or Windows Sun Valley, version 21H2 pre-release bits, once they become available through the Windows Insider Program. + +#### Analytics and assessment tools + +If you use Microsoft Endpoint Manager and have onboarded devices to Endpoint analytics, you will have access to a hardware readiness assessment later this year that enables you to quickly identify which of your managed devices are eligible for the Windows Sun Valley upgrade. + +For those that are ready to explore Windows Sun Valley readiness right away, you can take advantage of Microsoft's **hardware eligibility assessment script**. This script includes instructions on how to deploy and aggregate your assessment results using Microsoft Intune or Configuration Manager, so you can quickly determine how many of your devices meet the hardware requirements for Windows Sun Valley. + +## Prepare a pilot deployment + +A pilot deployment is a proof of concept that rolls out an upgrade to a select number of devices in production before deploying it broadly across the organization. + +At a high level, the tasks involved are: + +1. Assign a group of users or devices to receive the update. +2. Implement baseline updates. +3. Implement operational updates. +4. Validate the deployment process. +5. Deploy the upgrade to devices. +6. Test and support the pilot devices. +7. Determine broad deployment readiness based on the results of the pilot. + +## End user readiness + +To prepare an effective, enterprise-wide deployment of Windows Sun Valley, the importance of end user readiness should not be overlooked. Windows Sun Valley has a familiar design, but end users will see several enhancements to the overall user interface. They will also need to adapt to changes in menus and settings pages. Therefore, consider the following tasks to prepare users and your IT support staff Windows Sun Valley: + +- Create a communications schedule to ensure that you provide the right communications at the right time to the right groups of users based on when they will see the changes. +- Draft concise emails that inform users of what changes they can expect to see. Offer tips on how to use or customize their experience. Include information about support and help desk options. +- Update help desk manuals with screenshots of the new user interface, the out-of-box experience for new devices, and the upgrade experience for existing devices. + +## Learn more + +See the [Stay current with Windows 10 and Microsoft 365 Apps](/learn/paths/m365-stay-current/) learning path on Microsoft Learn. The learning path was created for Windows 10, but the basic principles and tasks outlined for the plan, prepare, and deploy phases also apply to your deployment of Windows Sun Valley. ## See also [Windows Sun Valley deployment planning](windows-sv-plan.md) - -• Windows release health: Windows release health offers the quickest way to stay up to date on update-related news, information, and best practices, including important lifecycle reminders and the status of known issues and safeguard holds. IT administrators have access to this information, plus additional details, within the health experience Microsoft 365 admin center. - -• Windows Tech Community: Offering technical professionals a place to discuss, share, troubleshoot, and learn around Windows, Tech Community is also the home of the Windows IT Pro Blog, our monthly Windows Office Hours events, and the Windows Video Hub. - -• Microsoft Learn: We are in the process of developing online learning paths and modules to help you and your organization effectively plan, prepare, and deploy Windows Sun Valley effectively. diff --git a/windows/whats-new/windows-sv-requirements.md b/windows/whats-new/windows-sv-requirements.md index 99d261a3d9..341495b506 100644 --- a/windows/whats-new/windows-sv-requirements.md +++ b/windows/whats-new/windows-sv-requirements.md @@ -27,7 +27,7 @@ This article lists the system requirements for Windows Sun Valley. Windows Sun V To install or upgrade to Windows Sun Valley, devices must meet the following minimum hardware requirements: -- Processor: 1 gigahertz (GHz) or faster with two or more cores on a [compatible 64-bit processor](http://aka.ms/CPUlist) or system on a chip (SoC) +- Processor: 1 gigahertz (GHz) or faster with two or more cores on a [compatible 64-bit processor](https://aka.ms/CPUlist) or system on a chip (SoC) - RAM: 4 gigabytes (GB) or greater - Storage: 64GB or greater available storage is required to install Windows Sun Valley - Additional storage space might be required to download updates and enable specific features diff --git a/windows/whats-new/windows-sv.md b/windows/whats-new/windows-sv.md index 31c967b779..86cffe9e8f 100644 --- a/windows/whats-new/windows-sv.md +++ b/windows/whats-new/windows-sv.md @@ -38,7 +38,7 @@ This release is built on the same foundation as Windows 10, so the investments y ## How to get Windows Sun Valley -Windows Sun Valley will be delivered as an upgrade to eligible devices running Windows 10, beginning in the last quarter of the 2021 calendar year. Windows Sun Valley will also be available on new, eligible devices. +Windows Sun Valley will be delivered as an upgrade to eligible devices running Windows 10, beginning later in the 2021 calendar year. Windows Sun Valley will also be available on eligible new devices. For administrators managing devices on behalf of their organization, Windows Sun Valley will be available through the same, familiar channels that you utilize today for Windows 10 feature updates. You will be able to use existing deployment and management tools, such as Windows Update for Business, Microsoft Endpoint Management, and Windows Autopilot. For more information, see [Plan for Windows Sun Valley](windows-sv-plan.md). @@ -70,7 +70,7 @@ Windows Sun Valley is built on the same foundation as Windows 10, so generally y #### Servicing Windows Sun Valley -Like Windows 10, Windows Sun Valley will receive monthly quality updates. However, it will have an annual feature update cadence. When Windows Sun Valley reaches general availability, important servicing-related announcements and information about known issues and safeguard holds can be found on the Windows release health hub. Monthly release notes will available via a consolidated Windows SV update history page at that time as well. For more information, see [Windows Sun Valley servicing](windows-sv-plan.md#windows-sun-valley-servicing). +Like Windows 10, Windows Sun Valley will receive monthly quality updates. However, it will have an annual feature update cadence. When Windows Sun Valley reaches general availability, important servicing-related announcements and information about known issues and safeguard holds can be found on the Windows release health hub. Monthly release notes will available via a consolidated Windows SV update history page at that time as well. For more information, see [Servicing and support](windows-sv-plan.md#servicing-and-support). ## Next steps From bd2ceade13af7d98a2b51b3f0dd5d3f01e855109 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Mon, 21 Jun 2021 16:09:53 -0700 Subject: [PATCH 354/415] draft of final2 --- windows/whats-new/windows-sv-prepare.md | 1 - windows/whats-new/windows-sv.md | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/whats-new/windows-sv-prepare.md b/windows/whats-new/windows-sv-prepare.md index 238373f36b..71e51fe64f 100644 --- a/windows/whats-new/windows-sv-prepare.md +++ b/windows/whats-new/windows-sv-prepare.md @@ -60,7 +60,6 @@ The following are some common use cases and the corresponding Microsoft Endpoint If you are exclusively managing devices on-premises (for example, using Configuration Manager), you can still use the [cloud management gateway](/mem/configmgr/core/clients/manage/cmg/overview), enable [tenant attach](/mem/configmgr/tenant-attach/device-sync-actions), or enable [co-management](/mem/configmgr/comanage/overview) with Microsoft Intune, making it easier to keep devices secure and up-to-date. - ## Review servicing approach and policies Microsoft is committed to supporting you through your migration to Windows Sun Valley, whether you are a fast adopter or will make the transition over the coming months or years. Every organization will transition to Windows Sun Valley at its own pace. However, thinking of operating system updates as an ongoing process improve your ability to deploy feature and quality updates, and enable you to stay current with less effort and impact on productivity. diff --git a/windows/whats-new/windows-sv.md b/windows/whats-new/windows-sv.md index 86cffe9e8f..6a44007c98 100644 --- a/windows/whats-new/windows-sv.md +++ b/windows/whats-new/windows-sv.md @@ -62,7 +62,7 @@ Microsoft 365 licenses that include Windows 10 licenses will permit you to run W Most accessories and associated drivers that worked with Windows 10 are expected to work with Windows Sun Valley. Check with your accessory manufacturer for specific details. -Windows Sun Valley preserves the application compatibility promise made with Windows 10 and does not require changes to existing support processes or tooling to sustain the currency of applications and devices. Microsoft 365 customers can continue to use programs such as App Assure and FastTrack to support IT efforts to adopt and maintain Windows Sun Valley. For more information, see [Application compatibility](windows-sv-prepare.md#application-compatibility). +Windows Sun Valley preserves the application compatibility promise made with Windows 10 and does not require changes to existing support processes or tooling to sustain the currency of applications and devices. Microsoft 365 customers can continue to use programs such as App Assure and FastTrack to support IT efforts to adopt and maintain Windows Sun Valley. For more information, see [Application compatibility](windows-sv-plan.md#application-compatibility). #### Familiar processes From 9e9e77eeec912044aaf4f1eda89dc110adbdb2b9 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Mon, 21 Jun 2021 16:43:46 -0700 Subject: [PATCH 355/415] draft of final3 --- windows/whats-new/windows-sv.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/whats-new/windows-sv.md b/windows/whats-new/windows-sv.md index 6a44007c98..3aca95c50b 100644 --- a/windows/whats-new/windows-sv.md +++ b/windows/whats-new/windows-sv.md @@ -27,12 +27,12 @@ This article provides an introduction and answers some frequently asked question Also see the following articles to learn more about Windows Sun Valley: - [Windows Sun Valley requirements](windows-sv-requirements.md): Requirements to deploy Windows Sun Valley. -- [Planning for Windows Sun Valley](windows-sv-plan.md): Information to help you plan for Windows Sun Valley in your organizatioin. +- [Plan for Windows Sun Valley](windows-sv-plan.md): Information to help you plan for Windows Sun Valley in your organizatioin. - [Prepare for Windows Sun Valley](windows-sv-prepare.md): Procedures to ensure readiness to deploy Windows Sun Valley. ## Introduction -Windows Sun Valley is the next evolution of Windows; the most significant update to the Windows operating system since Windows 10. It offers many innovations focused on enhancing end user productivity in a fresh experience that is flexible and fluid. Windows Sun Valley is designed to support today's hybrid work environment, and intended to be the most reliable, secure, connected, and performant Windows OS ever. +Windows Sun Valley is the next evolution of Windows; the most significant update to the Windows operating system since Windows 10. It offers many innovations focused on enhancing end user productivity in a fresh experience that is flexible and fluid. Windows Sun Valley is designed to support today's hybrid work environment, and intended to be the most reliable, secure, connected, and performant Windows operating system ever. This release is built on the same foundation as Windows 10, so the investments you have made in tools for update and device management are carried forward. Windows Sun Valley also sustains the application compatibility promise made with Windows 10, supplemented by programs like App Assure. For Microsoft 365 customers seeking further assistance, FastTrack will continue to be available to support your efforts to adopt Windows Sun Valley. From 012e0b3338d2ec20be7a95aa5852c7d4523cdffa Mon Sep 17 00:00:00 2001 From: Brian Delaney <68655382+briandelmsft@users.noreply.github.com> Date: Tue, 22 Jun 2021 11:52:02 -0400 Subject: [PATCH 356/415] Update event-4627.md resizing image to max the text to its right easier to read --- windows/security/threat-protection/auditing/event-4627.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/event-4627.md b/windows/security/threat-protection/auditing/event-4627.md index ff63c0c122..cf25e61624 100644 --- a/windows/security/threat-protection/auditing/event-4627.md +++ b/windows/security/threat-protection/auditing/event-4627.md @@ -21,7 +21,7 @@ ms.technology: mde - Windows Server 2016 -Event 4627 illustration +Event 4627 illustration ***Subcategory:*** [Audit Group Membership](audit-group-membership.md) From b2087ddf915607b1f00bc132598694ba6f7cac51 Mon Sep 17 00:00:00 2001 From: Brian Delaney <68655382+briandelmsft@users.noreply.github.com> Date: Tue, 22 Jun 2021 11:55:18 -0400 Subject: [PATCH 357/415] Update event-4627.md Updating image size to max text on its right easier to read and consistent with other events --- windows/security/threat-protection/auditing/event-4627.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/event-4627.md b/windows/security/threat-protection/auditing/event-4627.md index cf25e61624..0ae5e51990 100644 --- a/windows/security/threat-protection/auditing/event-4627.md +++ b/windows/security/threat-protection/auditing/event-4627.md @@ -21,7 +21,7 @@ ms.technology: mde - Windows Server 2016 -Event 4627 illustration +Event 4627 illustration ***Subcategory:*** [Audit Group Membership](audit-group-membership.md) From bddcb1af8601cb8bd0b2bf74cce24e70d42631fa Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 22 Jun 2021 11:22:53 -0700 Subject: [PATCH 358/415] close to final --- windows/whats-new/windows-sv-plan.md | 26 +++++++------------- windows/whats-new/windows-sv-prepare.md | 11 +++++---- windows/whats-new/windows-sv-requirements.md | 6 ++--- windows/whats-new/windows-sv.md | 9 +++++-- 4 files changed, 25 insertions(+), 27 deletions(-) diff --git a/windows/whats-new/windows-sv-plan.md b/windows/whats-new/windows-sv-plan.md index 3f6adedbbd..81e3281c7d 100644 --- a/windows/whats-new/windows-sv-plan.md +++ b/windows/whats-new/windows-sv-plan.md @@ -24,7 +24,7 @@ ms.topic: article This article provides guidance to help you plan for Windows Sun Valley in your organization. -Since Windows Sun Valley is built on the same foundation as Windows 10, you can utilize the same deployment capabilities, scenarios, and tools—as well as the same basic deployment and servicing strategy. At a high level, this strategy should include the following steps: +Since Windows Sun Valley is built on the same foundation as Windows 10, you can utilize the same deployment capabilities, scenarios, and tools—as well as the same basic deployment strategy. You will need to review and update your servicing strategy to adjust for changes in [Servicing and support](#servicing-and-support) that are in place for Windows Sun Valley. At a high level, this strategy should include the following steps: - [Create a deployment plan](/windows/deployment/update/create-deployment-plan) - [Define readiness criteria](/windows/deployment/update/plan-define-readiness) - [Evaluate infrastructure and tools](/windows/deployment/update/eval-infra-tools) @@ -35,11 +35,11 @@ If you are looking for ways to optimize your approach to deploying Windows Sun V ## Determine eligibility -As a first step, you will need to know which of your current devices meet the Windows Sun Valley hardware requirements. Detailed requirements can be found at [Windows Sun Valley requirements](windows-sv-requirements.md). In general, you should expect that a device purchased in the last 18-24 months will be able to run Windows Sun Valley. +As a first step, you will need to know which of your current devices meet the Windows Sun Valley hardware requirements. The majority of devices purchased in the last 18-24 months will be compatible with Windows Sun Valley. Verify that your device meets or exceeds [Windows Sun Valley requirements](windows-sv-requirements.md) to ensure it is compatible. Microsoft is currently developing analysis tools to help you evaluate your devices against the Windows Sun Valley hardware requirements. When Windows Sun Valley reaches general availability, end users running Windows 10 Home, Pro, and Pro for Workstations will be able to use the **PC Health Check** app to determine their eligibility for Windows Sun Valley. End users running Windows 10 Enterprise and Education editions should rely on their IT administrators to let them know when they are eligible for the upgrade.  -Enterprise organizations looking to evaluate device readiness in their environments can expect this capability to be integrated into existing Microsoft tools, such as Endpoint Analytics and Update Compliance. This capability will be available when Windows Sun Valley is generally available. Microsoft is also working with software vendor partners to facilitate Windows Sun Valley device readiness into their solutions. +Enterprise organizations looking to evaluate device readiness in their environments can expect this capability to be integrated into existing Microsoft tools, such as Endpoint analytics and Update Compliance. This capability will be available when Windows Sun Valley is generally available. Microsoft is also working with software vendor partners to facilitate Windows Sun Valley device readiness into their solutions. ## Windows Sun Valley availability @@ -49,7 +49,7 @@ Windows Sun Valley will be offered to eligible Windows 10 devices beginning late Managed devices are devices that are under organization control. For example: devices managed by Microsoft Endpoint Manager (Microsoft Intune or Microsoft Endpoint Configuration Manager) or another endpoint management solution. -If you manage devices on behalf of your organization, you will be able to upgrade eligible devices to Windows Sun Valley using your existing deployment and management tools when the upgrade reaches general availability. Organizations that use Windows Update for Business will have additional benefits, such as: +If you manage devices on behalf of your organization, you will be able to upgrade eligible devices to Windows Sun Valley using your existing deployment and management tools at no cost when the upgrade reaches general availability. Organizations that use Windows Update for Business will have additional benefits, such as: - Blocking the upgrade on non-eligible devices. - Additional insight into safeguard holds. While safeguard holds will function for Windows Sun Valley devices just as they do for Windows 10 today, administrators using Windows Update for Business will have access to information on which safeguard holds are preventing individual devices from taking the upgrade to Windows Sun Valley. @@ -58,13 +58,6 @@ If you manage devices on behalf of your organization, you will be able to upgrad > If you use WUfB to manage feature update deployments today, you will need to leverage the **Target Version** policy rather than **Feature Update deferrals** to move from Windows 10 to Windows Sun Valley. Deferrals are great for quality updates or to move to newer version of the same product (Windows 10 to Windows 10), but they cannot migrate a device between products (Windows 10 to Windows Sun Valley).
> Additionally, Windows Sun Valley has a new end user license agreement. If you are deploying with Windows Update for Business **Target Version** or with Windows Server Update Services, you are accepting this new end user license agreements on behalf of the end users within your organization. -Additional considerations: - -- Devices running Windows 10 Pro or higher can upgrade for free using existing management tools. -- Devices running S mode will first need to switch out of S mode because it is not supported on Windows Sun Valley. -- Downgrade rights are available with Windows Sun Valley Pro OEM licensed devices and with Microsoft Volume Licensing, where the licensing agreement permits it. -- You can downgrade to any version of Windows Pro that has not reached its end of support date. - ##### Unmanaged devices Unmanaged devices are those that are not managed by an IT administrator on behalf of an organization. For operating system (OS) deployment, these devices are not subject to organizational policies that manage upgrades or updates. @@ -95,14 +88,13 @@ The introduction of Windows Sun Valley is also a good time to review your hardwa Along with end user experience and security improvements, Windows Sun Valley introduces enhancements to Microsoft's servicing approach based on your suggestions and feedback. -Windows Sun Valley and Windows 10 devices will receive regular monthly quality updates to provide security updates and bug fixes. However, Windows Sun Valley devices will receive a single feature update annually, targeted for release in the second half of each calendar year. -- Home, Pro, Pro for Workstations, and Pro for Education editions of Windows Sun Valley will receive 24 months of support from the date of release. -- Enterprise and Education editions of Windows Sun Valley will be supported for 36 months from the date of release. +Windows Sun Valley and Windows 10 devices will receive regular monthly quality updates to provide security updates and bug fixes. However, Microsoft will provide a single feature update annually, targeted for release in the second half of each calendar year. +- Home, Pro, Pro for Workstations, and Pro for Education editions of Windows Sun Valley will receive 24 months of support from the availability date. +- Enterprise and Education editions of Windows Sun Valley will be supported for 36 months from the availabily date. When Windows Sun Valley reaches general availability, a consolidated Windows Sun Valley update history will be available on support.microsoft.com, similar to what is [available today for Windows 10](https://support.microsoft.com/topic/windows-10-update-history-1b6aac92-bf01-42b5-b158-f80c6d93eb11). Similarly, the [Windows release health](/windows/release-health/) hub will offer quick access to Windows Sun Valley servicing announcements, known issues, and safeguard holds. - -It is important that organizations have adequate time to plan for Windows Sun Valley. Microsoft also recognizes that many organizations will have a mix of Windows Sun Valley and Windows 10 devices across their ecosystem. Devices on in-service versions of Windows 10 that do not meet Windows Sun Valley hardware requirements will continue to receive monthly Windows 10 security updates through 2025, as well as incremental improvements to Windows 10 to support ongoing Microsoft 365 deployments. For more information, see the [Windows 10 release information](/windows/release-health/release-information) page, which offers information about Windows 10 semi-annual channel and LTSC releases. +It is important that organizations have adequate time to plan for Windows Sun Valley. Microsoft also recognizes that many organizations will have a mix of Windows Sun Valley and Windows 10 devices across their ecosystem. Devices on in-service versions of Windows 10 will continue to receive monthly Windows 10 security updates through 2025, as well as incremental improvements to Windows 10 to support ongoing Microsoft 365 deployments. For more information, see the [Windows 10 release information](/windows/release-health/release-information) page, which offers information about Windows 10 semi-annual channel and LTSC releases. ## Application compatibility @@ -114,7 +106,7 @@ If you run into compatibility issues or want to ensure that your organization's With enrollment in the [App Assure](/windows/compatibility/app-assure) service, if you find any problems with an existing application as you migrate to Windows Sun Valley, Microsoft will help you remedy those application issues at no cost. Since 2018, App Assure has evaluated almost 800,000 apps, and subscriptions are free for eligible customers with 150+ seats. -For software vendors and systems integrators, [Test Base for Microsoft 365](https://www.microsoft.com/testbase) (currently in public preview) is a service that allows you to validate your apps across a variety of Windows feature and quality updates and environments in a Microsoft-managed Azure environment. Enterprise organizations can also nominate their software vendors for participation by completing a short form. +For software vendors, systems integrators, and IT administrators, [Test Base for Microsoft 365](https://www.microsoft.com/testbase) (currently in public preview) is a service that allows you to validate your apps across a variety of Windows feature and quality updates and environments in a Microsoft-managed Azure environment. Enterprise organizations can also nominate their software vendors for participation by completing a short form. You might already be using App Assure and Test Base in your Windows 10 environment. Both of these tools will continue to function with Windows Sun Valley. diff --git a/windows/whats-new/windows-sv-prepare.md b/windows/whats-new/windows-sv-prepare.md index 71e51fe64f..da5759ab4b 100644 --- a/windows/whats-new/windows-sv-prepare.md +++ b/windows/whats-new/windows-sv-prepare.md @@ -26,7 +26,10 @@ After you evaluate your hardware to see if it meets [requirements](windows-sv-re ## Infrastructure and tools -The tools that you use for heavy lifting during Windows 10 deployments can still be leveraged for Windows Sun Valley. Aa few nuanced differences are described below: +The tools that you use for heavy lifting during Windows 10 deployments can still be leveraged for Windows Sun Valley. A few nuanced differences are described below. + +> [!IMPORTANT] +> Be sure to check with the providers of any non-Microsoft solutions that you use. Verify compatibility of these tools with Windows Sun Valley, particularly if they provide security or data loss prevention capabilities. #### On-premises solutions @@ -46,8 +49,6 @@ The tools that you use for heavy lifting during Windows 10 deployments can still - Quality update deferrals will continue to work the same across both Windows 10 and Windows Sun Valley. This is true whether using Windows Update for Business, Microsoft Intune, or other management tools. - If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to leverage **Feature Update Deployments** to easily update devices from one release of Windows 10 to another, or to upgrade Wndows 10 devices to Windows Sun Valley. You can then continue using the same update experience controls to manage Windows 10 and Windows Sun Valley. -You'll also want to check with the providers of any non-Microsoft security and management solutions that you use to ensure compatibility with Windows Sun Valley, particularly those providing security or data loss prevention capabilities. - ## Cloud-based management If you aren’t already taking advantage of cloud-based management capabilities, like those available in [Microsoft Endpoint Manager](/mem/endpoint-manager-overview), it's worth considering. Aside from consolidating device management and endpoint security into a single platform, it can better support the diverse bring-your-own-device (BYOD) ecosystem that is increasingly the norm with hybrid work scenarios. It can also enable you to track your progress against compliance and business objectives, while protecting end user privacy. @@ -64,7 +65,7 @@ If you are exclusively managing devices on-premises (for example, using Configur Microsoft is committed to supporting you through your migration to Windows Sun Valley, whether you are a fast adopter or will make the transition over the coming months or years. Every organization will transition to Windows Sun Valley at its own pace. However, thinking of operating system updates as an ongoing process improve your ability to deploy feature and quality updates, and enable you to stay current with less effort and impact on productivity. -To begin, think about how you roll out Windows updates today: which devices, and at what pace. Next, craft a deployment plan for Windows Sun Valley that includes deployment groups, rings, users, or devices. There are no absolute rules for exactly how many rings to have for your deployments, but a common structure is: +To begin, think about how you roll out Windows feature updates today: which devices, and at what pace. Next, craft a deployment plan for Windows Sun Valley that includes deployment groups, rings, users, or devices. There are no absolute rules for exactly how many rings to have for your deployments, but a common structure is: - Preview (first or canary): Planning and development - Limited (fast or early adopters): Pilot and validation @@ -100,7 +101,7 @@ A pilot deployment is a proof of concept that rolls out an upgrade to a select n At a high level, the tasks involved are: -1. Assign a group of users or devices to receive the update. +1. Assign a group of users or devices to receive the upgrade. 2. Implement baseline updates. 3. Implement operational updates. 4. Validate the deployment process. diff --git a/windows/whats-new/windows-sv-requirements.md b/windows/whats-new/windows-sv-requirements.md index 341495b506..a1ae360f30 100644 --- a/windows/whats-new/windows-sv-requirements.md +++ b/windows/whats-new/windows-sv-requirements.md @@ -46,7 +46,7 @@ For the best Windows Sun Valley upgrade experience, eligible devices should be r > [!NOTE] > S mode is not supported on Windows Sun Valley. -> If you are running Windows in S mode, you will need to first [switch out of S mode](/windows/deployment/windows-10-pro-in-s-mode) prior to upgrading. Switching a device out of Windows 10 in S mode also requires internet connectivity. +> If you are running Windows in S mode, you will need to first [switch out of S mode](/windows/deployment/windows-10-pro-in-s-mode) prior to upgrading. Switching a device out of Windows 10 in S mode also requires internet connectivity. If you switch out of S mode, you cannot switch back to S mode later. ## Feature-specific requirements @@ -56,7 +56,7 @@ Some features in Windows Sun Valley have requirements beyond those listed above. - **Auto HDR** requires an HDR monitor. - **BitLocker to Go** requires a USB flash drive. This feature is available in Windows Pro and above editions. - **Client Hyper-V** requires a processor with second level address translation (SLAT) capabilities. This feature is available in Windows Pro editions and above. -- **Cortana** requires a microphone and speaker and is currently available on Windows 11 for the Australia, Brazil, Canada, China, France, Germany, India, Italy, Japan, Mexico, Spain, United Kingdom, and United States +- **Cortana** requires a microphone and speaker and is currently available on Windows Sun Valley for Australia, Brazil, Canada, China, France, Germany, India, Italy, Japan, Mexico, Spain, United Kingdom, and United States - **DirectStorage** requires 1TB or greater NVMe SSD to store and run games that uses the "Standard NVM Express Controller" driver and a DirectX12 Ultimate GPU - **DirectX 12 Ultimate** is available with supported games and graphics chips - **Presence** requires sensor that can detect human distance from device or intent to interact with device @@ -71,7 +71,7 @@ Some features in Windows Sun Valley have requirements beyond those listed above. - **Voice Typing** requires a PC with a microphone - **Wake on Voice** requires Modern Standby power model and microphone - **Wi-Fi 6E** requires new WLAN IHV hardware and driver and a Wi-Fi 6E capable AP/router -- **Windows Hello** requires a camera configured for near infrared (IR) imaging or fingerprint reader for biometric authentication. Devices without biometric sensors can use Windows Hello with a PIN or portable Microsoft compatible security key +- **Windows Hello** requires a camera configured for near infrared (IR) imaging or fingerprint reader for biometric authentication. Devices without biometric sensors can use Windows Hello with a PIN or portable Microsoft compatible security key. For more information, see [IT tools to support Windows 10, version 21H1](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103). - **Windows Projection** requires a display adapter which supports Windows Display Driver Model (WDDM) 2.0 and a Wi-Fi adapter that supports Wi-Fi Direct - **Xbox** app requires an Xbox Live account, which is not available in all regions. Please go to the Xbox Live Countries and Regions page for the most up-to-date information on availability. Some features in the Xbox app will require an active Xbox Game Pass subscription. See https://www.xbox.com/xbox-game-pass to learn more about the pass. diff --git a/windows/whats-new/windows-sv.md b/windows/whats-new/windows-sv.md index 3aca95c50b..fcbf1043e9 100644 --- a/windows/whats-new/windows-sv.md +++ b/windows/whats-new/windows-sv.md @@ -60,13 +60,18 @@ Microsoft 365 licenses that include Windows 10 licenses will permit you to run W #### Compatibility -Most accessories and associated drivers that worked with Windows 10 are expected to work with Windows Sun Valley. Check with your accessory manufacturer for specific details. +Most accessories and associated drivers that work with Windows 10 are expected to work with Windows Sun Valley. Check with your accessory manufacturer for specific details. Windows Sun Valley preserves the application compatibility promise made with Windows 10 and does not require changes to existing support processes or tooling to sustain the currency of applications and devices. Microsoft 365 customers can continue to use programs such as App Assure and FastTrack to support IT efforts to adopt and maintain Windows Sun Valley. For more information, see [Application compatibility](windows-sv-plan.md#application-compatibility). #### Familiar processes -Windows Sun Valley is built on the same foundation as Windows 10, so generally you can use the same tools and solutions you use today to deploy, manage, and secure Windows Sun Valley. Your current management tools and processes will work to manage monthly quality updates for both Windows 10 and Windows Sun Valley. For more information, see [Prepare for Windows Sun Valley](windows-sv-prepare.md). +Windows Sun Valley is built on the same foundation as Windows 10, so generally you can use the same tools and solutions you use today to deploy, manage, and secure Windows Sun Valley. Your current management tools and processes will work to manage monthly quality updates for both Windows 10 and Windows Sun Valley. If you use non-Microsoft tools, check with your vendor to verify compatibility. + +> [!IMPORTANT] +> Check with the providers of any non-Microsoft security and management solutions that you use to ensure compatibility with Windows Sun Valley, particularly those providing security or data loss prevention capabilities. + +For more information, see [Prepare for Windows Sun Valley](windows-sv-prepare.md). #### Servicing Windows Sun Valley From e33525fcf0047aef686fcf0daa502645c0f017b7 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 22 Jun 2021 11:40:51 -0700 Subject: [PATCH 359/415] remove extraneous --- .../windows-sv-app-manage.md | 17 - windows/client-management/sv-manage.md | 67 ---- .../client-management/windows-sv-manage.md | 19 - windows/configuration/sv-configure.md | 329 ------------------ windows/configuration/windows-sv-configure.md | 17 - windows/deployment/index.yml | 2 +- windows/hub/index.yml | 4 +- windows/sv/TOC.yml | 33 +- windows/sv/breadcrumb/toc.yml | 50 --- windows/sv/docfx.json | 4 +- windows/sv/index.md | 0 windows/sv/index.yml | 61 ---- windows/sv/placeholder.md | 22 -- windows/sv/windows-sv-get-started.md | 36 -- windows/sv/windows-sv-lifecycle.md | 21 -- windows/sv/windows-sv-overview.md | 94 ----- windows/sv/windows-sv-requirements.md | 53 --- 17 files changed, 8 insertions(+), 821 deletions(-) delete mode 100644 windows/application-management/windows-sv-app-manage.md delete mode 100644 windows/client-management/sv-manage.md delete mode 100644 windows/client-management/windows-sv-manage.md delete mode 100644 windows/configuration/sv-configure.md delete mode 100644 windows/configuration/windows-sv-configure.md create mode 100644 windows/sv/index.md delete mode 100644 windows/sv/index.yml delete mode 100644 windows/sv/placeholder.md delete mode 100644 windows/sv/windows-sv-get-started.md delete mode 100644 windows/sv/windows-sv-lifecycle.md delete mode 100644 windows/sv/windows-sv-overview.md delete mode 100644 windows/sv/windows-sv-requirements.md diff --git a/windows/application-management/windows-sv-app-manage.md b/windows/application-management/windows-sv-app-manage.md deleted file mode 100644 index 86ee8a28c0..0000000000 --- a/windows/application-management/windows-sv-app-manage.md +++ /dev/null @@ -1,17 +0,0 @@ ---- -title: Manage applications in Windows Sun Valley -ms.reviewer: -manager: dansimp -description: Use this article to understand the different types of apps that run on Windows Sun Valley, such as UWP and Win32 apps. -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: mobile -ms.author: greglin -author: greg-lindsay -ms.localizationpriority: medium -ms.topic: article ---- -# Manage applications in Windows Sun Valley - ->Applies to: Windows Sun Valley diff --git a/windows/client-management/sv-manage.md b/windows/client-management/sv-manage.md deleted file mode 100644 index 4fc41d68c1..0000000000 --- a/windows/client-management/sv-manage.md +++ /dev/null @@ -1,67 +0,0 @@ ---- -title: Manage corporate devices (Windows 10) -description: You can use the same management tools to manage all device types running Windows 10 desktops, laptops, tablets, and phones. -ms.assetid: 62D6710C-E59C-4077-9C7E-CE0A92DFC05D -ms.reviewer: -manager: dansimp -ms.author: dansimp -keywords: ["MDM", "device management"] -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: devices -author: dansimp -ms.localizationpriority: medium -ms.date: 09/21/2017 -ms.topic: article ---- - -# Manage corporate devices - - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - -You can use the same management tools to manage all device types running Windows 10 : desktops, laptops, tablets, and phones. And your current management tools, such as Group Policy, Windows Management Instrumentation (WMI), PowerShell scripts, System Center tools, and so on, will continue to work for Windows 10. - -## In this section - -| Topic | Description | -| --- | --- | -| [Manage Windows 10 in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md) | Strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment | -| [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md) | How to use Remote Desktop Connection to connect to an Azure AD-joined PC | -| [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](/windows/configuration/manage-tips-and-suggestions) | Options to manage user experiences to provide a consistent and predictable experience for employees | -| [New policies for Windows 10](new-policies-for-windows-10.md) | New Group Policy settings added in Windows 10 | -| [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md) | Group Policy settings that apply only to Windows 10 Enterprise and Windows 10 Education | -| [Changes to Group Policy settings for Start in Windows 10](/windows/configuration/changes-to-start-policies-in-windows-10) | Changes to the Group Policy settings that you use to manage Start | -| [Introduction to configuration service providers (CSPs) for IT pros](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) | How IT pros and system administrators can take advantage of many settings available through CSPs to configure devices running Windows 10 and Windows 10 Mobile in their organizations | - - -## Learn more - -[How to bulk-enroll devices with On-premises Mobile Device Management in Microsoft Endpoint Configuration Manager](/mem/configmgr/mdm/deploy-use/bulk-enroll-devices-on-premises-mdm) - -[Azure AD, Microsoft Intune and Windows 10 - Using the cloud to modernize enterprise mobility](https://blogs.technet.microsoft.com/enterprisemobility/2015/06/12/azure-ad-microsoft-intune-and-windows-10-using-the-cloud-to-modernize-enterprise-mobility/) - -[Microsoft Intune End User Enrollment Guide](/samples/browse/?redirectedfrom=TechNet-Gallery) - -[Azure AD Join on Windows 10 devices](https://go.microsoft.com/fwlink/p/?LinkId=616791) - -[Azure AD support for Windows 10](https://go.microsoft.com/fwlink/p/?LinkID=615765) - -[Windows 10 and Azure Active Directory: Embracing the Cloud](https://go.microsoft.com/fwlink/p/?LinkId=615768) - -[How to manage Windows 10 devices using Intune](https://go.microsoft.com/fwlink/p/?LinkId=613620) - -[Using Intune alone and with Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=613207) - -Microsoft Virtual Academy course: [System Center 2012 R2 Configuration Manager & Windows Intune](/learn/) - - - - - - -  \ No newline at end of file diff --git a/windows/client-management/windows-sv-manage.md b/windows/client-management/windows-sv-manage.md deleted file mode 100644 index 22704843bd..0000000000 --- a/windows/client-management/windows-sv-manage.md +++ /dev/null @@ -1,19 +0,0 @@ ---- -title: Manage Windows Sun Valley in your organization -description: This topic offers strategies for deploying and managing Windows Sun Valley, including deploying Windows Sun Valley in a mixed environment. -keywords: ["MDM", "device management", "group policy", "Azure Active Directory"] -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: devices -author: dansimp -ms.localizationpriority: medium -ms.date: 04/26/2018 -ms.reviewer: -manager: dansimp -ms.author: dansimp -ms.topic: article ---- - -# Manage Windows Sun Valley in your organization - diff --git a/windows/configuration/sv-configure.md b/windows/configuration/sv-configure.md deleted file mode 100644 index 15407ebc50..0000000000 --- a/windows/configuration/sv-configure.md +++ /dev/null @@ -1,329 +0,0 @@ ---- -title: Configure Windows 10 taskbar (Windows 10) -description: Administrators can pin additional apps to the taskbar and remove default pinned apps from the taskbar by adding a section to a layout modification XML file. -keywords: ["taskbar layout","pin apps"] -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: greg-lindsay -ms.author: greglin -ms.topic: article -ms.localizationpriority: medium -ms.date: 01/18/2018 -ms.reviewer: -manager: dansimp ---- -# Configure Windows 10 taskbar - -Starting in Windows 10, version 1607, administrators can pin additional apps to the taskbar and remove default pinned apps from the taskbar by adding a `` section to a layout modification XML file. This method never removes user-pinned apps from the taskbar. - -> [!NOTE] -> The only aspect of the taskbar that can currently be configured by the layout modification XML file is the layout. - -You can specify different taskbar configurations based on device locale and region. There is no limit on the number of apps that you can pin. You specify apps using the [Application User Model ID (AUMID)](./find-the-application-user-model-id-of-an-installed-app.md) or Desktop Application Link Path (the local path to the application). - -If you specify an app to be pinned that is not provisioned for the user on the computer, the pinned icon won't appear on the taskbar. - -The order of apps in the XML file dictates the order of pinned apps on the taskbar from left to right, to the right of any existing apps pinned by the user. - -> [!NOTE] -> In operating systems configured to use a right-to-left language, the taskbar order will be reversed. - -The following example shows how apps will be pinned: Windows default apps to the left (blue circle), apps pinned by the user in the center (orange triangle), and apps that you pin using the XML file to the right (green square). - -![Windows left, user center, enterprise to the right](images/taskbar-generic.png) - - -## Configure taskbar (general) - -**To configure the taskbar:** - -1. Create the XML file. - * If you are also [customizing the Start layout](customize-and-export-start-layout.md), use `Export-StartLayout` to create the XML, and then add the `` section from [the following sample](#sample-taskbar-configuration-added-to-start-layout-xml-file) to the file. - * If you are only configuring the taskbar, use [the following sample](#sample-taskbar-configuration-xml-file) to create a layout modification XML file. -2. Edit and save the XML file. You can use [AUMID](./find-the-application-user-model-id-of-an-installed-app.md) or Desktop Application Link Path to identify the apps to pin to the taskbar. - * Add `xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"` to the first line of the file, before the closing \>. - * Use `` and [AUMID](./find-the-application-user-model-id-of-an-installed-app.md) to pin Universal Windows Platform apps. - * Use `` and Desktop Application Link Path to pin desktop applications. -3. Apply the layout modification XML file to devices using [Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) or a [provisioning package created in Windows Imaging and Configuration Designer (Windows ICD)](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md). - ->[!IMPORTANT] ->If you use a provisioning package or import-startlayout to configure the taskbar, your configuration will be reapplied each time the explorer.exe process restarts. If your configuration pins an app and the user then unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration that allows users to make changes that will persist, apply your configuration by using Group Policy. -> ->If you use Group Policy and your configuration only contains a taskbar layout, the default Windows tile layout will be applied and cannot be changed by users. If you use Group Policy and your configuration includes taskbar and a full Start layout, users can only make changes to the taskbar. If you use Group Policy and your configuration includes taskbar and a [partial Start layout](.//customize-and-export-start-layout.md#configure-a-partial-start-layout), users can make changes to the taskbar and to tile groups not defined in the partial Start layout. - -### Tips for finding AUMID and Desktop Application Link Path - -In the layout modification XML file, you will need to add entries for applications in the XML markup. In order to pin an application, you need either its AUMID or Desktop Application Link Path. - -The easiest way to find this data for an application is to: -1. Pin the application to the Start menu on a reference or testing PC. -2. Open Windows PowerShell and run the `Export-StartLayout` cmdlet. -3. Open the generated XML file. -4. Look for an entry corresponding to the app you pinned. -5. Look for a property labeled `AppUserModelID` or `DesktopApplicationLinkPath`. - - -### Sample taskbar configuration XML file - -```xml - - - - - - - - - - - -``` -### Sample taskbar configuration added to Start layout XML file - -```xml - - - - - - - - - - - - - - - - - - - - - - - -``` - -## Keep default apps and add your own - -The `` section will append listed apps to the taskbar by default. The following sample keeps the default apps pinned and adds pins for Paint, Microsoft Reader, and a command prompt. - -```xml - - - - - - - - - - - - -``` -**Before:** - -![default apps pinned to taskbar](images/taskbar-default.png) - -**After:** - - ![additional apps pinned to taskbar](images/taskbar-default-plus.png) - -## Remove default apps and add your own - -By adding `PinListPlacement="Replace"` to ``, you remove all default pinned apps; only the apps that you specify will be pinned to the taskbar. - -If you only want to remove some of the default pinned apps, you would use this method to remove all default pinned apps and then include the default app that you want to keep in your list of pinned apps. - -```xml - - - - - - - - - - - - -``` -**Before:** - -![Taskbar with default apps](images/taskbar-default.png) - -**After:** - -![Taskbar with default apps removed](images/taskbar-default-removed.png) - -## Remove default apps - -By adding `PinListPlacement="Replace"` to ``, you remove all default pinned apps. - - -```xml - - - - - - - - - - -``` - -## Configure taskbar by country or region - -The following example shows you how to configure taskbars by country or region. When the layout is applied to a computer, if there is no `` node with a region tag for the current region, the first `` node that has no specified region will be applied. When you specify one or more countries or regions in a `` node, the specified apps are pinned on computers configured for any of the specified countries or regions. - -```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -``` - -When the preceding example XML file is applied, the resulting taskbar for computers in the US or UK: - -![taskbar for US and UK locale](images/taskbar-region-usuk.png) - -The resulting taskbar for computers in Germany or France: - -![taskbar for DE and FR locale](images/taskbar-region-defr.png) - -The resulting taskbar for computers in any other country region: - -![taskbar for all other regions](images/taskbar-region-other.png) - - -> [!NOTE] -> [Look up country and region codes (use the ISO Short column)](/previous-versions/commerce-server/ee799297(v=cs.20)) - - - - -## Layout Modification Template schema definition - -```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -``` - -## Related topics - -- [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) -- [Customize and export Start layout](customize-and-export-start-layout.md) -- [Add image for secondary tiles](start-secondary-tiles.md) -- [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md) -- [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) -- [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) -- [Customize Windows 10 Start and tasbkar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) -- [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md) \ No newline at end of file diff --git a/windows/configuration/windows-sv-configure.md b/windows/configuration/windows-sv-configure.md deleted file mode 100644 index 2a7ccf17d1..0000000000 --- a/windows/configuration/windows-sv-configure.md +++ /dev/null @@ -1,17 +0,0 @@ ---- -title: Configure Windows Sun Valley -description: Administrators can pin additional apps to the taskbar and remove default pinned apps from the taskbar by adding a section to a layout modification XML file. -keywords: ["taskbar layout","pin apps"] -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: greg-lindsay -ms.author: greglin -ms.topic: article -ms.localizationpriority: medium -ms.date: 01/18/2018 -ms.reviewer: -manager: dansimp ---- -# Configure Windows Sun Valley - diff --git a/windows/deployment/index.yml b/windows/deployment/index.yml index ef58977660..eda7ab8577 100644 --- a/windows/deployment/index.yml +++ b/windows/deployment/index.yml @@ -67,7 +67,7 @@ landingContent: - text: What's new in Windows deployment url: deploy-whats-new.md - text: Windows Sun Valley overview - url: /windows/whats-new/windows-sv-overview.md + url: /windows/whats-new/windows-sv.md - text: Windows client deployment scenarios url: windows-10-deployment-scenarios.md - text: Basics of Windows updates, channels, and tools diff --git a/windows/hub/index.yml b/windows/hub/index.yml index 60a1b71261..c745cb605b 100644 --- a/windows/hub/index.yml +++ b/windows/hub/index.yml @@ -30,8 +30,10 @@ landingContent: url: /windows/whats-new/windows-sv - text: Windows Sun Valley requirements url: /windows/whats-new/windows-sv-requirements - - text: Plan to deploy Windows Sun Valley + - text: Plan for Windows Sun Valley url: /windows/whats-new/windows-sv-plan + - text: Prepare for Windows Sun Valley + url: /windows/whats-new/windows-sv-prepare - text: What's new in Windows 10, version 21H2 url: /windows/whats-new/whats-new-windows-10-version-21H1 - text: Windows release information diff --git a/windows/sv/TOC.yml b/windows/sv/TOC.yml index f0ec3588a7..01da3e1c0a 100644 --- a/windows/sv/TOC.yml +++ b/windows/sv/TOC.yml @@ -1,34 +1,5 @@ -- name: Windows Sun Valley - href: index.yml - items: - - name: Get started - items: - - name: Windows Sun Valley overview - href: windows-sv-overview.md - - name: Windows Sun Valley requirements - href: windows-sv-requirements.md - - - name: Deploy and Manage Windows Sun Valley - items: - - name: Plan to deploy Windows Sun Valley - href: /windows/deployment/windows-sv-plan - - name: Prepare for Windows Sun Valley - href: /windows/deployment/windows-sv-prepare.md - - name: Deploy Windows Sun Valley - href: /windows/deployment/windows-sv-deploy.md - - name: Configure Windows Sun Valley - href: /windows/configuration/windows-sv-configure.md - - name: Manage Windows Sun Valley - href: /windows/client-management/windows-sv-manage.md - - name: Windows Sun Valley application readiness - href: /windows/application-management/windows-sv-app-readiness.md - - - name: Support - items: - - name: Windows Sun Valley lifecycle - href: windows-sv-lifecycle.md - - name: Windows Sun Valley release information - href: /windows/release-health +- name: Index + href: index.md diff --git a/windows/sv/breadcrumb/toc.yml b/windows/sv/breadcrumb/toc.yml index e2971f2d84..48236190f9 100644 --- a/windows/sv/breadcrumb/toc.yml +++ b/windows/sv/breadcrumb/toc.yml @@ -1,53 +1,3 @@ - name: Docs tocHref: / topicHref: / - items: - - name: Windows - tocHref: /windows - topicHref: /windows/windows-10 - items: - - name: What's new - tocHref: /windows/whats-new/ - topicHref: /windows/whats-new/index - - name: Configuration - tocHref: /windows/configuration/ - topicHref: /windows/configuration/index - - name: Deployment - tocHref: /windows/deployment/ - topicHref: /windows/deployment/index - - name: Application management - tocHref: /windows/application-management/ - topicHref: /windows/application-management/index - - name: Client management - tocHref: /windows/client-management/ - topicHref: /windows/client-management/index - items: - - name: Mobile Device Management - tocHref: /windows/client-management/mdm/ - topicHref: /windows/client-management/mdm/index - - name: Release information - tocHref: /windows/release-information/ - topicHref: /windows/release-health/release-information - - name: Privacy - tocHref: /windows/privacy/ - topicHref: /windows/privacy/index - - name: Security - tocHref: /windows/security/ - topicHref: /windows/security/index - items: - - name: Identity and access protection - tocHref: /windows/security/identity-protection/ - topicHref: /windows/security/identity-protection/index - items: - - name: Windows Hello for Business - tocHref: /windows/security/identity-protection/hello-for-business - topicHref: /windows/security/identity-protection/hello-for-business/hello-identity-verification - - name: Threat protection - tocHref: /windows/security/threat-protection/ - topicHref: /windows/security/threat-protection/index - - name: Information protection - tocHref: /windows/security/information-protection/ - topicHref: /windows/security/information-protection/index - - name: Hardware-based protection - tocHref: /windows/security/hardware-protection/ - topicHref: /windows/security/hardware-protection/index diff --git a/windows/sv/docfx.json b/windows/sv/docfx.json index e7955464fe..fe874614d1 100644 --- a/windows/sv/docfx.json +++ b/windows/sv/docfx.json @@ -39,13 +39,13 @@ "overwrite": [], "externalReference": [], "globalMetadata": { - "breadcrumb_path": "/windows/windows-11/breadcrumb/toc.json", + "breadcrumb_path": "/windows/windows-sv/breadcrumb/toc.json", "extendBreadcrumb": true, "feedback_system": "None" }, "fileMetadata": {}, "template": [], - "dest": "windows-11", + "dest": "windows-sv", "markdownEngineName": "markdig" } } \ No newline at end of file diff --git a/windows/sv/index.md b/windows/sv/index.md new file mode 100644 index 0000000000..e69de29bb2 diff --git a/windows/sv/index.yml b/windows/sv/index.yml deleted file mode 100644 index 6f30d77869..0000000000 --- a/windows/sv/index.yml +++ /dev/null @@ -1,61 +0,0 @@ -### YamlMime:Landing - -title: Windows Sun Valley # < 60 chars -summary: Find out about Windows Windows Sun Valley. # < 160 chars - -metadata: - title: Windows SV # Required; page title displayed in search results. Include the brand. < 60 chars. - description: Learn about the administrative tools, tasks and best practices for managing Windows SV across your enterprise. # Required; article description that is displayed in search results. < 160 chars. - services: windows-10 - ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. - ms.subservice: subservice - ms.topic: landing-page # Required - ms.collection: windows-10 - author: greg-lindsay #Required; your GitHub user alias, with correct capitalization. - ms.author: greglin #Required; microsoft alias of author; optional team alias. - ms.date: 05/07/2021 #Required; mm/dd/yyyy format. - localization_priority: medium - -# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new - -landingContent: -# Cards and links should be based on top customer tasks or top subjects -# Start card title with a verb - # Card (optional) - - title: Get started - linkLists: - - linkListType: overview - links: - - text: Windows Sun Valley overview - url: windows-sv-overview.md - - text: Windows Sun Valley requirements - url: windows-sv-requirements.md - - # Card (optional) - - title: Deploy Windows Sun Valley - linkLists: - - linkListType: overview - links: - - text: Plan to deploy Windows Windows Sun Valley - url: /windows/deployment/windows-sv-plan.md - - text: Prepare for Windows Windows Sun Valley - url: /windows/deployment/windows-sv-prepare.md - - text: Deploy Windows Windows Sun Valley - url: /windows/deployment/windows-sv-deploy.md - - text: Configure Windows Windows Sun Valley - url: /windows/configuration/sv-configure.md - - text: Manage Windows Windows Sun Valley - url: /windows/client-management/windows-sv-manage.md - - text: Windows Windows Sun Valley application readiness - url: /windows/application-management/windows-sv-app-readiness.md - - # Card (optional) - - title: Support information - linkLists: - - linkListType: overview - links: - - text: Windows Windows Sun Valley lifecycle - url: placeholder.md - - text: Windows Windows Sun Valley release information - url: /windows/release-health - diff --git a/windows/sv/placeholder.md b/windows/sv/placeholder.md deleted file mode 100644 index fecfe94a8e..0000000000 --- a/windows/sv/placeholder.md +++ /dev/null @@ -1,22 +0,0 @@ ---- -title: Placeholder -description: PH -ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C -ms.reviewer: -manager: laurawi -ms.audience: itpro -author: greg-lindsay -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: medium -audience: itpro -ms.topic: article -ms.custom: seo-marvel-apr2020 ---- - -# Placeholder - -Placeholder text. - diff --git a/windows/sv/windows-sv-get-started.md b/windows/sv/windows-sv-get-started.md deleted file mode 100644 index 25b0d9e99c..0000000000 --- a/windows/sv/windows-sv-get-started.md +++ /dev/null @@ -1,36 +0,0 @@ ---- -title: Get started with Windows Sun Valley -description: Learn about features, review requirements, and plan your deployment of Windows Sun Valley, including IT Pro content, release information, and history. -keywords: ["get started", "windows sun valley"] -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.author: greglin -ms.date: 10/16/2017 -ms.reviewer: -manager: laurawi -ms.localizationpriority: high -ms.topic: article ---- - -# Get started with Windows Sun Valley - -**Applies to** - -- Windows Sun Valley - -## Deployment planning - -Consider using the following process to deploy Windows Sun Valley to existing devices: -1. Preview Windows Sun Valley and create a deployment plan. -2. Test critical applications and management policies. -3. Update devices to the latest release of Windows 10. -4. Verify that devices meet the minimum hardware requirements for Windows Sun Valley. -5. Update deployment tools and infrastructure. -6. Update qualifying devices to Windows Sun Valley. - - -## See also - -[Windows Sun Valley deployment planning](/windows/deployment/windows-sv-deploy) diff --git a/windows/sv/windows-sv-lifecycle.md b/windows/sv/windows-sv-lifecycle.md deleted file mode 100644 index fab8fda180..0000000000 --- a/windows/sv/windows-sv-lifecycle.md +++ /dev/null @@ -1,21 +0,0 @@ ---- -title: Lifecycle -description: Lifecycle information for Windows 11 -ms.reviewer: -manager: laurawi -ms.audience: itpro -author: greg-lindsay -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: medium -audience: itpro -ms.topic: article -ms.custom: seo-marvel-apr2020 ---- - -# Windows 11 lifecycle - -Windows 11 lifecycle. - diff --git a/windows/sv/windows-sv-overview.md b/windows/sv/windows-sv-overview.md deleted file mode 100644 index 2407048dbc..0000000000 --- a/windows/sv/windows-sv-overview.md +++ /dev/null @@ -1,94 +0,0 @@ ---- -title: Windows Sun Valley overview -description: Overview of Windows Sun Valley -ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C -ms.reviewer: -manager: laurawi -ms.audience: itpro -author: greg-lindsay -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: medium -audience: itpro -ms.topic: article -ms.custom: seo-marvel-apr2020 ---- - -# Windows Sun Valley overview - -**Applies to** -- Windows Sun Valley - -This article provides an introduction and answers some frequently asked questions about Windows Sun Valley, the next client release of Windows. - -Windows Sun Valley is a newly designed Windows client operating system due to be released later in 2021. It is fresh and light, yet familiar to those who use Windows today. The goal of this release is to be the most reliable, secure, connected, and performant OS release ever. - -## How to get Windows Sun Valley - -Windows Sun Valley will delivered as an upgrade to devices running Windows 10 beginning in the first half of 2022. All upgrades to Windows Sun Valley from Windows 10 will be free. Windows Sun Valley will also be available on new devices that meet the hardware requirements. - -You must be running a current version of Windows 10 and meet the minimum hardware specifications to be eligible to upgrade. For more information, see [Windows Sun Valley requirements](windows-sv-requirements.md). - -Not all eligible Windows 10 PCs will be offered the upgrade at the same time. To see if your PC is eligible, download the PC Health Check app (link). The app will check that your devices meets hardware and software requirements to perform an upgrade to Windows Sun Valley. You can also check the status of your device by navigating to **Windows Update** in **Settings**. Once the upgrade rollout has started and the upgrade has been tested and validated for your PC's hardware, Windows Update will indicate that the upgrade is ready for installation. - -You can get early access to test Windows Sun Valley by joining the [Windows Insider Program](https://insider.windows.com), or by enabling pre-release Windows 10 feature updates in Configuration Manager or Windows Server Update Services (WSUS). - -## Windows Sun Valley lifecycle - -### Updates - -Windows Sun Valley feature updates will be released once per year in the second half of the year. Quality updates will be released each month on the second Tuesday of the month. - -Microsoft will continue to provide one cumulative package that includes all latest cumulative updates (LCUs) and servicing stack updates (SSUs), if applicable, for Windows Sun Valley. This will be provided as a single package to Windows Server Update Services (WSUS) and Catalog, and have them orchestrated on the device. This capability is also the default for devices using Windows Update. - -### Servicing - -Windows Sun Valley annual releases are supported for 24 months for the following editions: -- Home -- Pro -- Pro for Workstations -- Pro Education - -Windows Sun Valley annual releases are supported for 36 months for the following editions: -- Enterprise -- Education - -### Features and applications - -Most features and applications that are included with Windows 10 will be available on Windows Sun Valley. For information about features that are deprecated or work differently on Windows Sun Valley, see [article link here]. - -## Windows 10 lifecycle - -Starting with Windows 10, version 21H2, Windows 10 will receive only quality updates on the second Tuesday of the month. - -Windows 10 will be supported with security updates until October 2025. - -## Management and tools - -Windows Sun Valley is based on the same foundation as Windows 10. You can use your current management tools and processes to manage quality updates for both Windows 10 and Windows Sun Valley, in addition to using them to move between the two products. - -## Hardware compatibility - -Most accessories and associated software that worked with Windows 10 are expected to work with Windows Sun Valley. Check with your accessory manufacturer for specific details. - -## Application compatibility - -Microsoft is committed to ensuring your Windows 10 applications work on Windows Sun Valley. If you have [App Assure](https://www.microsoft.com/fasttrack/microsoft-365/app-assure), Microsoft will help you fix any issues at no cost. App Assure is free for organizations with 150 or more seats. For more information on eligibility requirements, see [Products and Capabilities: App Assure](https://docs.microsoft.com/fasttrack/products-and-capabilities#app-assure). - -## Licensing - -There are no unique licensing requirements for Windows Sun Valley beyond what is required for Windows 10 devices. - -Microsoft 365 licenses that include Windows licenses will permit you to run Windows Sun Valley on supported devices. - -If you have a volume license, it will equally cover Windows Sun Valley and Windows 10 devices before and after upgrade. - -## Rollback - -After you have upgraded to Windows Sun Valley, you have 10 days to use the rollback function if you wish to move back to Windows 10 while keeping your files and data. After the 10 day grace period, you will need to back up your data and perform a clean install to move back to Windows 10. - -## See also - -[Get started with Windows Sun Valley](windows-sv-get-started.md) diff --git a/windows/sv/windows-sv-requirements.md b/windows/sv/windows-sv-requirements.md deleted file mode 100644 index ddb8bf84c1..0000000000 --- a/windows/sv/windows-sv-requirements.md +++ /dev/null @@ -1,53 +0,0 @@ ---- -title: Windows Sun Valley requirements -description: Hardware requirements to deploy Windows Sun Valley -ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C -ms.reviewer: -manager: laurawi -ms.audience: itpro -author: greg-lindsay -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: medium -audience: itpro -ms.topic: article -ms.custom: seo-marvel-apr2020 ---- - -# Windows Sun Valley requirements - -This article lists the sotware and physical hardware requirements to run Windows Sun Valley. Windows Sun Valley can also be run on Virtual Machines (VMs). - -## Software requirements - -The upgrade to Sun Valley is available for devices running Windows 10, version 20H1 or newer, on eligible hardware. - -## Hardware requirements - -To install Windows Sun Valley, devices must meet the following specifications: - -Processor -- Intel 8th generation, Intel Celeron N4000, Pentium N5000 -- AMD Ryzen gen 2 (Zen+), AMD 3xxx -- Qualcomm 7c, 8c, 8cx -- 64bit architecture -- 1Ghz clock speed -- 2 cores - -Hardware -- 64GB drive -- 4GB RAM -- UEFI, Secure Boot capable & TPM 2.0 -- Monitor size 9” or more with HD Resolution -- DirectX 12 compatible graphics / WDDM 2.x - -## Network requirements - -Internet connectivity is required for the Home Edition - -## See also - -[Windows Sun Valley overview](windows-sv-overview.md) - From 36c589b9e5d96f87f935bde4729dacf959f2fb41 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 22 Jun 2021 12:18:22 -0700 Subject: [PATCH 360/415] acrolinx --- .../sv-app-readiness.md | 183 ------------------ windows/sv/index.md | 1 + windows/whats-new/windows-sv-plan.md | 16 +- windows/whats-new/windows-sv-prepare.md | 20 +- windows/whats-new/windows-sv-requirements.md | 36 ++-- windows/whats-new/windows-sv.md | 12 +- 6 files changed, 43 insertions(+), 225 deletions(-) delete mode 100644 windows/application-management/sv-app-readiness.md diff --git a/windows/application-management/sv-app-readiness.md b/windows/application-management/sv-app-readiness.md deleted file mode 100644 index d8cddab78d..0000000000 --- a/windows/application-management/sv-app-readiness.md +++ /dev/null @@ -1,183 +0,0 @@ ---- -title: Windows 10 - Apps -ms.reviewer: -manager: dansimp -description: Use this article to understand the different types of apps that run on Windows 10, such as UWP and Win32 apps. -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: mobile -ms.author: greglin -author: greg-lindsay -ms.localizationpriority: medium -ms.topic: article ---- -# Understand the different apps included in Windows 10 - ->Applies to: Windows 10 - -The following types of apps run on Windows 10: -- Windows apps - introduced in Windows 8, primarily installed from the Store app. -- Universal Windows Platform (UWP) apps - designed to work across platforms, can be installed on multiple platforms including Windows client, Windows Phone, and Xbox. All UWP apps are also Windows apps, but not all Windows apps are UWP apps. -- "Win32" apps - traditional Windows applications. - -Digging into the Windows apps, there are two categories: -- Apps - All other apps, installed in C:\Program Files\WindowsApps. There are two classes of apps: - - Provisioned: Installed in user account the first time you sign in with a new user account. - - Installed: Installed as part of the OS. -- System apps - Apps that are installed in the C:\Windows\* directory. These apps are integral to the OS. - -The following tables list the system apps, installed Windows apps, and provisioned Windows apps in a standard Windows 10 Enterprise installation. (If you have a custom image, your specific apps might differ.) The tables list the app, the full name, show the app's status in Windows 10 version 1709, 1803, and 1809 and indicate whether an app can be uninstalled through the UI. - -Some of the apps show up in multiple tables - that's because their status changed between versions. Make sure to check the version column for the version you are currently running. - -## Provisioned Windows apps - -You can list all provisioned Windows apps with this PowerShell command: - -```Powershell -Get-AppxProvisionedPackage -Online | Format-Table DisplayName, PackageName -``` - -Here are the provisioned Windows apps in Windows 10 versions 1803, 1809, 1903, 1909, and 2004. - -| Package name | App name | 1803 | 1809 | 1903 | 1909 | 2004 | Uninstall through UI? | -|----------------------------------------------|--------------------------------------------------------------------------------------------------------------------|:----:|:----:|:----:|:----:|:----:|:---------------------:| -| Microsoft.3DBuilder | [3D Builder](ms-windows-store://pdp/?PFN=Microsoft.3DBuilder_8wekyb3d8bbwe) | | | | | | Yes | -| Microsoft.BingWeather | [MSN Weather](ms-windows-store://pdp/?PFN=Microsoft.BingWeather_8wekyb3d8bbwe) | x | x | x | x | x | Yes | -| Microsoft.DesktopAppInstaller | [App Installer](ms-windows-store://pdp/?PFN=Microsoft.DesktopAppInstaller_8wekyb3d8bbwe) | x | x | x | x | x | Via Settings App | -| Microsoft.GetHelp | [Get Help](ms-windows-store://pdp/?PFN=Microsoft.Gethelp_8wekyb3d8bbwe) | x | x | x | x | x | No | -| Microsoft.Getstarted | [Microsoft Tips](ms-windows-store://pdp/?PFN=Microsoft.Getstarted_8wekyb3d8bbwe) | x | x | x | x | x | No | -| Microsoft.HEIFImageExtension | [HEIF Image Extensions](ms-windows-store://pdp/?PFN=Microsoft.HEIFImageExtension_8wekyb3d8bbwe) | | x | x | x | x | No | -| Microsoft.Messaging | [Microsoft Messaging](ms-windows-store://pdp/?PFN=Microsoft.Messaging_8wekyb3d8bbwe) | x | x | x | x | x | No | -| Microsoft.Microsoft3DViewer | [Mixed Reality Viewer](ms-windows-store://pdp/?PFN=Microsoft.Microsoft3DViewer_8wekyb3d8bbwe) | x | x | x | x | x | No | -| Microsoft.MicrosoftOfficeHub | [Office](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) | x | x | x | x | x | Yes | -| Microsoft.MicrosoftSolitaireCollection | [Microsoft Solitaire Collection](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe) | x | x | x | x | x | Yes | -| Microsoft.MicrosoftStickyNotes | [Microsoft Sticky Notes](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe) | x | x | x | x | x | No | -| Microsoft.MixedReality.Portal | [Mixed Reality Portal](ms-windows-store://pdp/?PFN=Microsoft.MixedReality.Portal_8wekyb3d8bbwe) | | x | x | x | x | No | -| Microsoft.MSPaint | [Paint 3D](ms-windows-store://pdp/?PFN=Microsoft.MSPaint_8wekyb3d8bbwe) | x | x | x | x | x | No | -| Microsoft.Office.OneNote | [OneNote for Windows 10](ms-windows-store://pdp/?PFN=Microsoft.Office.OneNote_8wekyb3d8bbwe) | x | x | x | x | x | Yes | -| Microsoft.OneConnect | [Mobile Plans](ms-windows-store://pdp/?PFN=Microsoft.OneConnect_8wekyb3d8bbwe) | x | x | x | x | x | No | -| Microsoft.Outlook.DesktopIntegrationServices | | | | | x | x | | -| Microsoft.People | [Microsoft People](ms-windows-store://pdp/?PFN=Microsoft.People_8wekyb3d8bbwe) | x | x | x | x | x | No | -| Microsoft.Print3D | [Print 3D](ms-windows-store://pdp/?PFN=Microsoft.Print3D_8wekyb3d8bbwe) | x | x | x | x | x | No | -| Microsoft.ScreenSketch | [Snip & Sketch](ms-windows-store://pdp/?PFN=Microsoft.ScreenSketch_8wekyb3d8bbwe) | | x | x | x | x | No | -| Microsoft.SkypeApp | [Skype](ms-windows-store://pdp/?PFN=Microsoft.SkypeApp_kzf8qxf38zg5c) | x | x | x | x | x | No | -| Microsoft.StorePurchaseApp | [Store Purchase App](ms-windows-store://pdp/?PFN=Microsoft.StorePurchaseApp_8wekyb3d8bbwe) | x | x | x | x | x | No | -| Microsoft.VP9VideoExtensions | | | x | x | x | x | No | -| Microsoft.Wallet | [Microsoft Pay](ms-windows-store://pdp/?PFN=Microsoft.Wallet_8wekyb3d8bbwe) | x | x | x | x | x | No | -| Microsoft.WebMediaExtensions | [Web Media Extensions](ms-windows-store://pdp/?PFN=Microsoft.WebMediaExtensions_8wekyb3d8bbwe) | x | x | x | x | x | No | -| Microsoft.WebpImageExtension | [Webp Image Extension](ms-windows-store://pdp/?PFN=Microsoft.WebpImageExtension_8wekyb3d8bbwe) | | x | x | x | x | No | -| Microsoft.Windows.Photos | [Microsoft Photos](ms-windows-store://pdp/?PFN=Microsoft.Windows.Photos_8wekyb3d8bbwe) | x | x | x | x | x | No | -| Microsoft.WindowsAlarms | [Windows Alarms & Clock](ms-windows-store://pdp/?PFN=Microsoft.WindowsAlarms_8wekyb3d8bbwe) | x | x | x | x | x | No | -| Microsoft.WindowsCalculator | [Windows Calculator](ms-windows-store://pdp/?PFN=Microsoft.WindowsCalculator_8wekyb3d8bbwe) | x | x | x | x | x | No | -| Microsoft.WindowsCamera | [Windows Camera](ms-windows-store://pdp/?PFN=Microsoft.WindowsCamera_8wekyb3d8bbwe) | x | x | x | x | x | No | -| microsoft.windowscommunicationsapps | [Mail and Calendar](ms-windows-store://pdp/?PFN=microsoft.windowscommunicationsapps_8wekyb3d8bbwe) | x | x | x | x | x | No | -| Microsoft.WindowsFeedbackHub | [Feedback Hub](ms-windows-store://pdp/?PFN=Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe) | x | x | x | x | x | No | -| Microsoft.WindowsMaps | [Windows Maps](ms-windows-store://pdp/?PFN=Microsoft.WindowsMaps_8wekyb3d8bbwe) | x | x | x | x | x | No | -| Microsoft.WindowsSoundRecorder | [Windows Voice Recorder](ms-windows-store://pdp/?PFN=Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe) | x | x | x | x | x | No | -| Microsoft.WindowsStore | [Microsoft Store](ms-windows-store://pdp/?PFN=Microsoft.WindowsStore_8wekyb3d8bbwe) | x | x | x | x | x | No | -| Microsoft.Xbox.TCUI | [Xbox Live in-game experience](ms-windows-store://pdp/?PFN=Microsoft.Xbox.TCUI_8wekyb3d8bbwe) | x | x | x | x | x | No | -| Microsoft.XboxApp | [Xbox Console Companion](ms-windows-store://pdp/?PFN=Microsoft.XboxApp_8wekyb3d8bbwe) | x | x | x | x | x | No | -| Microsoft.XboxGameOverlay | [Xbox Game Bar Plugin](ms-windows-store://pdp/?PFN=Microsoft.XboxGameOverlay_8wekyb3d8bbwe) | x | x | x | x | x | No | -| Microsoft.XboxGamingOverlay | [Xbox Game Bar](ms-windows-store://pdp/?PFN=Microsoft.XboxGamingOverlay_8wekyb3d8bbwe) | x | x | x | x | x | No | -| Microsoft.XboxIdentityProvider | [Xbox Identity Provider](ms-windows-store://pdp/?PFN=Microsoft.XboxIdentityProvider_8wekyb3d8bbwe) | x | x | x | x | x | No | -| Microsoft.XboxSpeechToTextOverlay | | x | x | x | x | x | No | -| Microsoft.YourPhone | [Your Phone](ms-windows-store://pdp/?PFN=Microsoft.YourPhone_8wekyb3d8bbwe) | | x | x | x | x | No | -| Microsoft.ZuneMusic | [Groove Music](ms-windows-store://pdp/?PFN=Microsoft.ZuneMusic_8wekyb3d8bbwe) | x | x | x | x | x | No | -| Microsoft.ZuneVideo | [Movies & TV](ms-windows-store://pdp/?PFN=Microsoft.ZuneVideo_8wekyb3d8bbwe) | x | x | x | x | x | No | - ->[!NOTE] ->The Store app can't be removed. If you want to remove and reinstall the Store app, you can only bring Store back by either restoring your system from a backup or resetting your system. Instead of removing the Store app, you should use group policies to hide or disable it. - -## System apps - -System apps are integral to the operating system. Here are the typical system apps in Windows 10 versions 1709, 1803, and 1809. - -You can list all system apps with this PowerShell command: - -```Powershell -Get-AppxPackage -PackageTypeFilter Main | ? { $_.SignatureKind -eq "System" } | Sort Name | Format-Table Name, InstallLocation -``` - -| Name | Package Name | 1709 | 1803 | 1809 |Uninstall through UI? | -|----------------------------------|---------------------------------------------|:-----:|:----:|:----:|-----------------------| -| File Picker | 1527c705-839a-4832-9118-54d4Bd6a0c89 | | x | x | No | -| File Explorer | c5e2524a-ea46-4f67-841f-6a9465d9d515 | | x | x | No | -| App Resolver UX | E2A4F912-2574-4A75-9BB0-0D023378592B | | x | x | No | -| Add Suggested Folders To Library | F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE | | x | x | No | -| | InputApp | x | x | x | No | -| Microsoft.AAD.Broker.Plugin | Microsoft.AAD.Broker.Plugin | x | x | x | No | -| Microsoft.AccountsControl | Microsoft.AccountsControl | x | x | x | No | -| Microsoft.AsyncTextService | Microsoft.AsyncTextService | | x | x | No | -| Hello setup UI | Microsoft.BioEnrollment | x | x | x | No | -| | Microsoft.CredDialogHost | x | x | x | No | -| | Microsoft.ECApp | x | x | x | No | -| | Microsoft.LockApp | x | x | x | No | -| Microsoft Edge | Microsoft.MicrosoftEdge | x | x | x | No | -| | Microsoft.MicrosoftEdgeDevToolsClient | | x | x | No | -| | Microsoft.PPIProjection | x | x | x | No | -| | Microsoft.Win32WebViewHost | | x | x | No | -| | Microsoft.Windows.Apprep.ChxApp | x | x | x | No | -| | Microsoft.Windows.AssignedAccessLockApp | x | x | x | No | -| | Microsoft.Windows.CapturePicker | | x | x | No | -| | Microsoft.Windows.CloudExperienceHost | x | x | x | No | -| | Microsoft.Windows.ContentDeliveryManager | x | x | x | No | -| Cortana | Microsoft.Windows.Cortana | x | x | x | No | -| | Microsoft.Windows.Holographic.FirstRun | x | x | | No | -| | Microsoft.Windows.OOBENetworkCaptivePort | x | x | x | No | -| | Microsoft.Windows.OOBENetworkConnectionFlow | x | x | x | No | -| | Microsoft.Windows.ParentalControls | x | x | x | No | -| People Hub | Microsoft.Windows.PeopleExperienceHost | x | x | x | No | -| | Microsoft.Windows.PinningConfirmationDialog | x | x | x | No | -| | Microsoft.Windows.SecHealthUI | x | x | x | No | -| | Microsoft.Windows.SecondaryTileExperience | x | | | No | -| | Microsoft.Windows.SecureAssessmentBrowser | x | x | x | No | -| Start | Microsoft.Windows.ShellExperienceHost | x | x | x | No | -| Windows Feedback | Microsoft.WindowsFeedback | * | | | No | -| | Microsoft.XboxGameCallableUI | x | x | x | No | -| | Windows.CBSPreview | | x | x | No | -| Contact Support* | Windows.ContactSupport | * | | | Via Settings App | -| Settings | Windows.immersivecontrolpanel | x | x | x | No | -| Print 3D | Windows.Print3D | | x | x | Yes | -| Print UI | Windows.PrintDialog | x | x | x | No | - - -> [!NOTE] -> The Contact Support app changed to Get Help in version 1709. Get Help is a provisioned app (instead of system app like Contact Support). - -## Installed Windows apps - -Here are the typical installed Windows apps in Windows 10 versions 1709, 1803, and 1809. - - -| Name | Full name | 1709 | 1803 | 1809 | Uninstall through UI? | -|-----------------------|------------------------------------------|:----:|:----:|:----:|:---------------------:| -| Remote Desktop | Microsoft.RemoteDesktop | x | | x | Yes | -| Code Writer | ActiproSoftwareLLC.562882FEEB491 | x | x | | Yes | -| Eclipse Manager | 46928bounde.EclipseManager | x | x | | Yes | -| Pandora | PandoraMediaInc.29680B314EFC2 | x | x | | Yes | -| Photoshop Express | AdobeSystemIncorporated. AdobePhotoshop | x | x | | Yes | -| Duolingo | D5EA27B7.Duolingo- LearnLanguagesforFree | x | x | | Yes | -| Network Speed Test | Microsoft.NetworkSpeedTest | x | x | x | Yes | -| News | Microsoft.BingNews | x | x | x | Yes | -| Sway | Microsoft.Office.Sway | x | x | x | Yes | -| Microsoft.Advertising | Microsoft.Advertising.Xaml | x | x | x | Yes | -| | Microsoft.NET.Native.Framework.1.2 | x | x | | Yes | -| | Microsoft.NET.Native.Framework.1.3 | x | x | | Yes | -| | Microsoft.NET.Native.Framework.1.6 | x | x | x | Yes | -| | Microsoft.NET.Native.Framework.1.7 | | x | x | Yes | -| | Microsoft.NET.Native.Framework.2.0 | x | x | | Yes | -| | Microsoft.NET.Native.Runtime.1.1 | x | x | | Yes | -| | Microsoft.NET.Native.Runtime.1.3 | x | | | Yes | -| | Microsoft.NET.Native.Runtime.1.4 | x | x | | Yes | -| | Microsoft.NET.Native.Runtime.1.6 | x | x | x | Yes | -| | Microsoft.NET.Native.Runtime.1.7 | x | x | x | Yes | -| | Microsoft.NET.Native.Runtime.2.0 | x | x | | Yes | -| | Microsoft.Services.Store.Engagement | x | x | | Yes | -| | Microsoft.VCLibs.120.00 | x | x | | Yes | -| | Microsoft.VCLibs.140.00 | x | x | x | Yes | -| | Microsoft.VCLibs.120.00.Universal | x | | | Yes | -| | Microsoft.VCLibs.140.00.UWPDesktop | | x | | Yes | - ---- diff --git a/windows/sv/index.md b/windows/sv/index.md index e69de29bb2..9796fd78a1 100644 --- a/windows/sv/index.md +++ b/windows/sv/index.md @@ -0,0 +1 @@ +# Welcome to sv \ No newline at end of file diff --git a/windows/whats-new/windows-sv-plan.md b/windows/whats-new/windows-sv-plan.md index 81e3281c7d..45080d69f4 100644 --- a/windows/whats-new/windows-sv-plan.md +++ b/windows/whats-new/windows-sv-plan.md @@ -35,11 +35,11 @@ If you are looking for ways to optimize your approach to deploying Windows Sun V ## Determine eligibility -As a first step, you will need to know which of your current devices meet the Windows Sun Valley hardware requirements. The majority of devices purchased in the last 18-24 months will be compatible with Windows Sun Valley. Verify that your device meets or exceeds [Windows Sun Valley requirements](windows-sv-requirements.md) to ensure it is compatible. +As a first step, you will need to know which of your current devices meet the Windows Sun Valley hardware requirements. Most devices purchased in the last 18-24 months will be compatible with Windows Sun Valley. Verify that your device meets or exceeds [Windows Sun Valley requirements](windows-sv-requirements.md) to ensure it is compatible. -Microsoft is currently developing analysis tools to help you evaluate your devices against the Windows Sun Valley hardware requirements. When Windows Sun Valley reaches general availability, end users running Windows 10 Home, Pro, and Pro for Workstations will be able to use the **PC Health Check** app to determine their eligibility for Windows Sun Valley. End users running Windows 10 Enterprise and Education editions should rely on their IT administrators to let them know when they are eligible for the upgrade.  +Microsoft is currently developing analysis tools to help you evaluate your devices against the Windows Sun Valley hardware requirements. When Windows Sun Valley reaches general availability, end-users running Windows 10 Home, Pro, and Pro for Workstations will be able to use the **PC Health Check** app to determine their eligibility for Windows Sun Valley. End-users running Windows 10 Enterprise and Education editions should rely on their IT administrators to let them know when they are eligible for the upgrade.  -Enterprise organizations looking to evaluate device readiness in their environments can expect this capability to be integrated into existing Microsoft tools, such as Endpoint analytics and Update Compliance. This capability will be available when Windows Sun Valley is generally available. Microsoft is also working with software vendor partners to facilitate Windows Sun Valley device readiness into their solutions. +Enterprise organizations looking to evaluate device readiness in their environments can expect this capability to be integrated into existing Microsoft tools, such as Endpoint analytics and Update Compliance. This capability will be available when Windows Sun Valley is generally available. Microsoft is also working with software publisher partners to facilitate Windows Sun Valley device readiness into their solutions. ## Windows Sun Valley availability @@ -56,7 +56,7 @@ If you manage devices on behalf of your organization, you will be able to upgrad > [!NOTE] > If you use WUfB to manage feature update deployments today, you will need to leverage the **Target Version** policy rather than **Feature Update deferrals** to move from Windows 10 to Windows Sun Valley. Deferrals are great for quality updates or to move to newer version of the same product (Windows 10 to Windows 10), but they cannot migrate a device between products (Windows 10 to Windows Sun Valley).
-> Additionally, Windows Sun Valley has a new end user license agreement. If you are deploying with Windows Update for Business **Target Version** or with Windows Server Update Services, you are accepting this new end user license agreements on behalf of the end users within your organization. +> Additionally, Windows Sun Valley has a new end-user license agreement. If you are deploying with Windows Update for Business **Target Version** or with Windows Server Update Services, you are accepting this new end-user license agreements on behalf of the end-users within your organization. ##### Unmanaged devices @@ -86,15 +86,15 @@ The introduction of Windows Sun Valley is also a good time to review your hardwa ## Servicing and support -Along with end user experience and security improvements, Windows Sun Valley introduces enhancements to Microsoft's servicing approach based on your suggestions and feedback. +Along with end-user experience and security improvements, Windows Sun Valley introduces enhancements to Microsoft's servicing approach based on your suggestions and feedback. Windows Sun Valley and Windows 10 devices will receive regular monthly quality updates to provide security updates and bug fixes. However, Microsoft will provide a single feature update annually, targeted for release in the second half of each calendar year. - Home, Pro, Pro for Workstations, and Pro for Education editions of Windows Sun Valley will receive 24 months of support from the availability date. -- Enterprise and Education editions of Windows Sun Valley will be supported for 36 months from the availabily date. +- Enterprise and Education editions of Windows Sun Valley will be supported for 36 months from the availability date. When Windows Sun Valley reaches general availability, a consolidated Windows Sun Valley update history will be available on support.microsoft.com, similar to what is [available today for Windows 10](https://support.microsoft.com/topic/windows-10-update-history-1b6aac92-bf01-42b5-b158-f80c6d93eb11). Similarly, the [Windows release health](/windows/release-health/) hub will offer quick access to Windows Sun Valley servicing announcements, known issues, and safeguard holds. -It is important that organizations have adequate time to plan for Windows Sun Valley. Microsoft also recognizes that many organizations will have a mix of Windows Sun Valley and Windows 10 devices across their ecosystem. Devices on in-service versions of Windows 10 will continue to receive monthly Windows 10 security updates through 2025, as well as incremental improvements to Windows 10 to support ongoing Microsoft 365 deployments. For more information, see the [Windows 10 release information](/windows/release-health/release-information) page, which offers information about Windows 10 semi-annual channel and LTSC releases. +It is important that organizations have adequate time to plan for Windows Sun Valley. Microsoft also recognizes that many organizations will have a mix of Windows Sun Valley and Windows 10 devices across their ecosystem. Devices on in-service versions of Windows 10 will continue to receive monthly Windows 10 security updates through 2025, as well as incremental improvements to Windows 10 to support ongoing Microsoft 365 deployments. For more information, see the [Windows 10 release information](/windows/release-health/release-information) page, which offers information about Windows 10 Semi-Annual Channel and LTSC releases. ## Application compatibility @@ -106,7 +106,7 @@ If you run into compatibility issues or want to ensure that your organization's With enrollment in the [App Assure](/windows/compatibility/app-assure) service, if you find any problems with an existing application as you migrate to Windows Sun Valley, Microsoft will help you remedy those application issues at no cost. Since 2018, App Assure has evaluated almost 800,000 apps, and subscriptions are free for eligible customers with 150+ seats. -For software vendors, systems integrators, and IT administrators, [Test Base for Microsoft 365](https://www.microsoft.com/testbase) (currently in public preview) is a service that allows you to validate your apps across a variety of Windows feature and quality updates and environments in a Microsoft-managed Azure environment. Enterprise organizations can also nominate their software vendors for participation by completing a short form. +For software publishers, systems integrators, and IT administrators, [Test Base for Microsoft 365](https://www.microsoft.com/testbase) (currently in public preview) is a service that allows you to validate your apps across a variety of Windows feature and quality updates and environments in a Microsoft-managed Azure environment. Enterprise organizations can also nominate their software publishers for participation by completing a short form. You might already be using App Assure and Test Base in your Windows 10 environment. Both of these tools will continue to function with Windows Sun Valley. diff --git a/windows/whats-new/windows-sv-prepare.md b/windows/whats-new/windows-sv-prepare.md index da5759ab4b..ee5d8fea7d 100644 --- a/windows/whats-new/windows-sv-prepare.md +++ b/windows/whats-new/windows-sv-prepare.md @@ -33,30 +33,30 @@ The tools that you use for heavy lifting during Windows 10 deployments can still #### On-premises solutions -- If you use Windows Server Update Service (WSUS), you will need to sync the new **Windows Sun Valley** product category. Once you sync the product category you will see Windows Sun Valley offered as an option. +- If you use Windows Server Update Service (WSUS), you will need to sync the new **Windows Sun Valley** product category. Once you sync the product category, you will see Windows Sun Valley offered as an option. > [!NOTE] -> During deployment, you will be prompted to agree to the license agreement on behalf of your end users. Additionally, you will not see an x86 option because Windows Sun Valley is not supported on 32-bit architecture. +> During deployment, you will be prompted to agree to the license agreement on behalf of your end-users. Additionally, you will not see an x86 option because Windows Sun Valley is not supported on 32-bit architecture. - If you use Microsoft Endpoint Configuration Manager, you can sync the new **Windows Sun Valley** product category and begin upgrading eligible devices. If you would like to validate Windows Sun Valley prior to release, you can sync the **Windows Insider Pre-release** category as well. > [!NOTE] -> Configuration Manager will prompt you to accept the end user license agreement on behalf of the users in your organization. +> Configuration Manager will prompt you to accept the end-user license agreement on behalf of the users in your organization. #### Cloud-based solutions - If you use Windows Update for Business Group Policy and Configuration Service Provider (CSP) policies, you will need to leverage the **Target Version** capability rather than feature update deferrals to upgrade from Windows 10 to Windows Sun Valley. Feature Update deferrals are great to move to newer versions of your current product, but do not enable you to move between products (Windows 10 to Windows Sun Valley). - Quality update deferrals will continue to work the same across both Windows 10 and Windows Sun Valley. This is true whether using Windows Update for Business, Microsoft Intune, or other management tools. -- If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to leverage **Feature Update Deployments** to easily update devices from one release of Windows 10 to another, or to upgrade Wndows 10 devices to Windows Sun Valley. You can then continue using the same update experience controls to manage Windows 10 and Windows Sun Valley. +- If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to leverage **Feature Update Deployments** to easily update devices from one release of Windows 10 to another, or to upgrade Windows 10 devices to Windows Sun Valley. You can then continue using the same update experience controls to manage Windows 10 and Windows Sun Valley. ## Cloud-based management -If you aren’t already taking advantage of cloud-based management capabilities, like those available in [Microsoft Endpoint Manager](/mem/endpoint-manager-overview), it's worth considering. Aside from consolidating device management and endpoint security into a single platform, it can better support the diverse bring-your-own-device (BYOD) ecosystem that is increasingly the norm with hybrid work scenarios. It can also enable you to track your progress against compliance and business objectives, while protecting end user privacy. +If you aren’t already taking advantage of cloud-based management capabilities, like those available in [Microsoft Endpoint Manager](/mem/endpoint-manager-overview), it's worth considering. Aside from consolidating device management and endpoint security into a single platform, it can better support the diverse bring-your-own-device (BYOD) ecosystem that is increasingly the norm with hybrid work scenarios. It can also enable you to track your progress against compliance and business objectives, while protecting end-user privacy. The following are some common use cases and the corresponding Microsoft Endpoint Manager capabilities that support them: - **Provision and pre-configure new Windows Sun Valley devices**: [Windows Autopilot](/mem/autopilot/windows-autopilot) enables you to deploy new Windows Sun Valley devices in a “business-ready” state that includes your desired applications, settings, and policies. It can also be used to change the edition of Windows. For example, you can upgrade from Pro to Enterprise edition and gain the use of advanced features. -- **Configure rules and control settings for users, apps, and devices for both Windows SV and Windows 10**: Devices that are enrolled in [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) provide administrators with full control over apps, settings, features, and security. You can also use app protection policies to require multi-factor authentication (MFA) for specific apps. +- **Configure rules and control settings for users, apps, and devices**: Devices that are enrolled in [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) provide administrators with full control over apps, settings, features, and security for both Windows Sun Valley and Windows 10. You can also use app protection policies to require multi-factor authentication (MFA) for specific apps. - **Streamlined, easy-to-manage devices for frontline, remote, and onsite workers**: Introduced with Windows 10, [cloud configuration](/mem/intune/fundamentals/cloud-configuration) is a standard, easy-to-manage, device configuration that is cloud-optimized for users with specific workflow needs. It can be deployed to devices running the Pro, Enterprise, and Education editions of Windows Sun Valley using Microsoft Endpoint Manager. If you are exclusively managing devices on-premises (for example, using Configuration Manager), you can still use the [cloud management gateway](/mem/configmgr/core/clients/manage/cmg/overview), enable [tenant attach](/mem/configmgr/tenant-attach/device-sync-actions), or enable [co-management](/mem/configmgr/comanage/overview) with Microsoft Intune, making it easier to keep devices secure and up-to-date. @@ -84,7 +84,7 @@ To validate that your apps, infrastructure, and deployment processes are ready f If you use Windows Server Update Services, you can deploy directly from the Windows Insider Pre-release category using one of the following: - Set **Manage Preview Builds** to **Release Preview** in Windows Update for Business. -- Leverage Azure Virtual Desktop and Azure Marketplace images . +- Leverage Azure Virtual Desktop and Azure Marketplace images. - Download and deploy ISOs from Microsoft’s Windows Insider Program ISO Download page. Regardless of the method you choose, you have the benefit of free Microsoft support when validating pre-release builds. Free support is available to any commercial customer deploying Windows 10, version 21H2 or Windows Sun Valley, version 21H2 pre-release bits, once they become available through the Windows Insider Program. @@ -93,7 +93,7 @@ Regardless of the method you choose, you have the benefit of free Microsoft supp If you use Microsoft Endpoint Manager and have onboarded devices to Endpoint analytics, you will have access to a hardware readiness assessment later this year that enables you to quickly identify which of your managed devices are eligible for the Windows Sun Valley upgrade. -For those that are ready to explore Windows Sun Valley readiness right away, you can take advantage of Microsoft's **hardware eligibility assessment script**. This script includes instructions on how to deploy and aggregate your assessment results using Microsoft Intune or Configuration Manager, so you can quickly determine how many of your devices meet the hardware requirements for Windows Sun Valley. +If you are ready to explore Windows Sun Valley readiness right away, you can take advantage of Microsoft's [hardware eligibility assessment script](https://aka.ms/HWReadinessScript). This script includes instructions on how to deploy and aggregate your assessment results using Microsoft Intune or Configuration Manager, so you can quickly determine how many of your devices meet the hardware requirements for Windows Sun Valley. For more information, see [Understanding Windows Sun Valley readiness in your organization with Microsoft Endpoint Manager](https://aka.ms/HWReadinessBlog). ## Prepare a pilot deployment @@ -109,9 +109,9 @@ At a high level, the tasks involved are: 6. Test and support the pilot devices. 7. Determine broad deployment readiness based on the results of the pilot. -## End user readiness +## End-user readiness -To prepare an effective, enterprise-wide deployment of Windows Sun Valley, the importance of end user readiness should not be overlooked. Windows Sun Valley has a familiar design, but end users will see several enhancements to the overall user interface. They will also need to adapt to changes in menus and settings pages. Therefore, consider the following tasks to prepare users and your IT support staff Windows Sun Valley: +To prepare an effective, enterprise-wide deployment of Windows Sun Valley, the importance of end-user readiness should not be overlooked. Windows Sun Valley has a familiar design, but end-users will see several enhancements to the overall user interface. They will also need to adapt to changes in menus and settings pages. Therefore, consider the following tasks to prepare users and your IT support staff Windows Sun Valley: - Create a communications schedule to ensure that you provide the right communications at the right time to the right groups of users based on when they will see the changes. - Draft concise emails that inform users of what changes they can expect to see. Offer tips on how to use or customize their experience. Include information about support and help desk options. diff --git a/windows/whats-new/windows-sv-requirements.md b/windows/whats-new/windows-sv-requirements.md index a1ae360f30..d3b9ece9e5 100644 --- a/windows/whats-new/windows-sv-requirements.md +++ b/windows/whats-new/windows-sv-requirements.md @@ -29,7 +29,7 @@ To install or upgrade to Windows Sun Valley, devices must meet the following min - Processor: 1 gigahertz (GHz) or faster with two or more cores on a [compatible 64-bit processor](https://aka.ms/CPUlist) or system on a chip (SoC) - RAM: 4 gigabytes (GB) or greater -- Storage: 64GB or greater available storage is required to install Windows Sun Valley +- Storage: 64 GB or greater available storage is required to install Windows Sun Valley - Additional storage space might be required to download updates and enable specific features - Graphics card: Compatible with DirectX 12 or later with WDDM 2.0 driver - System firmware: UEFI, Secure Boot capable @@ -55,24 +55,24 @@ Some features in Windows Sun Valley have requirements beyond those listed above. - **5G support** requires 5G capable modem. - **Auto HDR** requires an HDR monitor. - **BitLocker to Go** requires a USB flash drive. This feature is available in Windows Pro and above editions. -- **Client Hyper-V** requires a processor with second level address translation (SLAT) capabilities. This feature is available in Windows Pro editions and above. -- **Cortana** requires a microphone and speaker and is currently available on Windows Sun Valley for Australia, Brazil, Canada, China, France, Germany, India, Italy, Japan, Mexico, Spain, United Kingdom, and United States -- **DirectStorage** requires 1TB or greater NVMe SSD to store and run games that uses the "Standard NVM Express Controller" driver and a DirectX12 Ultimate GPU -- **DirectX 12 Ultimate** is available with supported games and graphics chips -- **Presence** requires sensor that can detect human distance from device or intent to interact with device -- **Intelligent Video Conferencing** requires video camera, microphone and speaker (audio output) -- **Multiple Voice Assistant** requires a microphone and speaker -- **Snap** three column layouts require a screen that is 1920 effective pixels or greater in width -- **Mute** and **unmute** from Taskbar requires video camera, microphone, and speaker (audio output). App must be compatible with feature to enable global mute/unmute -- **Spatial Sound** requires supporting hardware and software -- **Microsoft Teams** requires video camera, microphone and speaker (audio output) -- **Touch** requires a screen or monitor that supports multi-touch -- **Two-factor authentication** requires use of PIN, biometric (fingerprint reader or illuminated infrared camera), or a phone with Wi-Fi or Bluetooth capabilities -- **Voice Typing** requires a PC with a microphone -- **Wake on Voice** requires Modern Standby power model and microphone -- **Wi-Fi 6E** requires new WLAN IHV hardware and driver and a Wi-Fi 6E capable AP/router +- **Client Hyper-V** requires a processor with second-level address translation (SLAT) capabilities. This feature is available in Windows Pro editions and above. +- **Cortana** requires a microphone and speaker and is currently available on Windows Sun Valley for Australia, Brazil, Canada, China, France, Germany, India, Italy, Japan, Mexico, Spain, United Kingdom, and United States. +- **DirectStorage** requires 1 TB or greater NVMe SSD to store and run games that use the "Standard NVM Express Controller" driver and a DirectX12 Ultimate GPU. +- **DirectX 12 Ultimate** is available with supported games and graphics chips. +- **Presence** requires sensor that can detect human distance from device or intent to interact with device. +- **Intelligent Video Conferencing** requires video camera, microphone, and speaker (audio output) +- **Multiple Voice Assistant** requires a microphone and speaker. +- **Snap** three column layouts require a screen that is 1920 effective pixels or greater in width. +- **Mute** and **unmute** from Taskbar requires video camera, microphone, and speaker (audio output). App must be compatible with feature to enable global mute/unmute. +- **Spatial Sound** requires supporting hardware and software. +- **Microsoft Teams** requires video camera, microphone, and speaker (audio output). +- **Touch** requires a screen or monitor that supports multi-touch. +- **Two-factor authentication** requires use of PIN, biometric (fingerprint reader or illuminated infrared camera), or a phone with Wi-Fi or Bluetooth capabilities. +- **Voice Typing** requires a PC with a microphone. +- **Wake on Voice** requires Modern Standby power model and microphone. +- **Wi-Fi 6E** requires new WLAN IHV hardware and driver and a Wi-Fi 6E capable AP/router. - **Windows Hello** requires a camera configured for near infrared (IR) imaging or fingerprint reader for biometric authentication. Devices without biometric sensors can use Windows Hello with a PIN or portable Microsoft compatible security key. For more information, see [IT tools to support Windows 10, version 21H1](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103). -- **Windows Projection** requires a display adapter which supports Windows Display Driver Model (WDDM) 2.0 and a Wi-Fi adapter that supports Wi-Fi Direct +- **Windows Projection** requires a display adapter which supports Windows Display Driver Model (WDDM) 2.0 and a Wi-Fi adapter that supports Wi-Fi Direct. - **Xbox** app requires an Xbox Live account, which is not available in all regions. Please go to the Xbox Live Countries and Regions page for the most up-to-date information on availability. Some features in the Xbox app will require an active Xbox Game Pass subscription. See https://www.xbox.com/xbox-game-pass to learn more about the pass. diff --git a/windows/whats-new/windows-sv.md b/windows/whats-new/windows-sv.md index fcbf1043e9..8c2564672a 100644 --- a/windows/whats-new/windows-sv.md +++ b/windows/whats-new/windows-sv.md @@ -22,17 +22,17 @@ ms.custom: seo-marvel-apr2020 - Windows Sun Valley, version 21H2 -This article provides an introduction and answers some frequently asked questions about Windows Sun Valley, the next Windows client operating systgem release. +This article provides an introduction and answers some frequently asked questions about Windows Sun Valley, the next Windows client operating system release. Also see the following articles to learn more about Windows Sun Valley: - [Windows Sun Valley requirements](windows-sv-requirements.md): Requirements to deploy Windows Sun Valley. -- [Plan for Windows Sun Valley](windows-sv-plan.md): Information to help you plan for Windows Sun Valley in your organizatioin. +- [Plan for Windows Sun Valley](windows-sv-plan.md): Information to help you plan for Windows Sun Valley in your organization. - [Prepare for Windows Sun Valley](windows-sv-prepare.md): Procedures to ensure readiness to deploy Windows Sun Valley. ## Introduction -Windows Sun Valley is the next evolution of Windows; the most significant update to the Windows operating system since Windows 10. It offers many innovations focused on enhancing end user productivity in a fresh experience that is flexible and fluid. Windows Sun Valley is designed to support today's hybrid work environment, and intended to be the most reliable, secure, connected, and performant Windows operating system ever. +Windows Sun Valley is the next evolution of Windows; the most significant update to the Windows operating system since Windows 10. It offers many innovations focused on enhancing end-user productivity in a fresh experience that is flexible and fluid. Windows Sun Valley is designed to support today's hybrid work environment, and intended to be the most reliable, secure, connected, and performant Windows operating system ever. This release is built on the same foundation as Windows 10, so the investments you have made in tools for update and device management are carried forward. Windows Sun Valley also sustains the application compatibility promise made with Windows 10, supplemented by programs like App Assure. For Microsoft 365 customers seeking further assistance, FastTrack will continue to be available to support your efforts to adopt Windows Sun Valley. @@ -46,11 +46,11 @@ For eligible PCs that are not managed by an organization, the Windows Sun Valley For more information about device eligibility, see [Windows Sun Valley requirements](windows-sv-requirements.md). -For those interested in testing Windows Sun Valley before general availability, you can join the [Windows Insider Program](https://insider.windows.com) or [Windows Insider Program for Business](https://insider.windows.com/for-business). You can also preview Windows Sun Valley by enabling pre-release Windows 10 feature updates in [Microsoft Endpoint Configuration Manager](/mem/configmgr/core/servers/manage/pre-release-features) or [Windows Server Update Services](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/publishing-pre-release-windows-10-feature-updates-to-wsus/ba-p/845054) (WSUS). +If you are interested in testing Windows Sun Valley before general availability, you can join the [Windows Insider Program](https://insider.windows.com) or [Windows Insider Program for Business](https://insider.windows.com/for-business). You can also preview Windows Sun Valley by enabling pre-release Windows 10 feature updates in [Microsoft Endpoint Configuration Manager](/mem/configmgr/core/servers/manage/pre-release-features) or [Windows Server Update Services](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/publishing-pre-release-windows-10-feature-updates-to-wsus/ba-p/845054) (WSUS). ## Before you begin -Many organizations will have a mixed environment of Windows Sun Valley and Windows 10 devices. The following is a quick summary of licensing, compatibility, management, and servicing considerations. +Many organizations will have a mixed environment of Windows Sun Valley and Windows 10 devices. The following sections provide a quick summary of licensing, compatibility, management, and servicing considerations. #### Licensing @@ -75,7 +75,7 @@ For more information, see [Prepare for Windows Sun Valley](windows-sv-prepare.md #### Servicing Windows Sun Valley -Like Windows 10, Windows Sun Valley will receive monthly quality updates. However, it will have an annual feature update cadence. When Windows Sun Valley reaches general availability, important servicing-related announcements and information about known issues and safeguard holds can be found on the Windows release health hub. Monthly release notes will available via a consolidated Windows SV update history page at that time as well. For more information, see [Servicing and support](windows-sv-plan.md#servicing-and-support). +Like Windows 10, Windows Sun Valley will receive monthly quality updates. However, it will have an annual feature update cadence. When Windows Sun Valley reaches general availability, important servicing-related announcements and information about known issues and safeguard holds can be found on the Windows release health hub. Monthly release notes will available from a consolidated Windows Sun Valley update history page at that time as well. For more information, see [Servicing and support](windows-sv-plan.md#servicing-and-support). ## Next steps From ff368163501f4e9af127c97ffec4a515b6c021cf Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 22 Jun 2021 12:28:02 -0700 Subject: [PATCH 361/415] fixes --- windows/sv/index.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/windows/sv/index.md b/windows/sv/index.md index 9796fd78a1..2217e6e08d 100644 --- a/windows/sv/index.md +++ b/windows/sv/index.md @@ -1 +1,5 @@ -# Welcome to sv \ No newline at end of file +--- +title: SV +author: greg-lindsay +ms.author: greglin +--- \ No newline at end of file From 98f5f95120a757da1ff7d3dfedfe44efc4ce8115 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 22 Jun 2021 12:53:07 -0700 Subject: [PATCH 362/415] acrolinx --- windows/hub/index.yml | 2 +- windows/whats-new/windows-sv-prepare.md | 8 ++++---- windows/whats-new/windows-sv-requirements.md | 18 +++++++++--------- windows/whats-new/windows-sv.md | 2 +- 4 files changed, 15 insertions(+), 15 deletions(-) diff --git a/windows/hub/index.yml b/windows/hub/index.yml index c745cb605b..0eeef6aed5 100644 --- a/windows/hub/index.yml +++ b/windows/hub/index.yml @@ -5,7 +5,7 @@ summary: Plan, deploy, secure, and manage devices running Windows 10 and Windows metadata: title: Windows client documentation for IT Pros # Required; page title displayed in search results. Include the brand. < 60 chars. - description: Evaluate, plan, deploy, secure and manage devices running Windows 10 and Windows Sun Valley. # Required; article description that is displayed in search results. < 160 chars. + description: Evaluate, plan, deploy, secure, and manage devices running Windows 10 and Windows Sun Valley. # Required; article description that is displayed in search results. < 160 chars. services: windows-10 ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. ms.subservice: subservice diff --git a/windows/whats-new/windows-sv-prepare.md b/windows/whats-new/windows-sv-prepare.md index ee5d8fea7d..4abb0e142c 100644 --- a/windows/whats-new/windows-sv-prepare.md +++ b/windows/whats-new/windows-sv-prepare.md @@ -75,13 +75,13 @@ For more information, see [Create a deployment plan](/windows/deployment/update/ #### Review policies -Review deployment-related polices, taking into consideration your organization's security objectives, update compliance deadlines, and device activity. Apply changes where you can gain a clear improvement, particularly with regard to the speed of the update process or security. +Review deployment-related policies, taking into consideration your organization's security objectives, update compliance deadlines, and device activity. Apply changes where you can gain a clear improvement, particularly with regard to the speed of the update process or security. #### Validate apps and infrastructure -To validate that your apps, infrastructure, and deployment processes are ready for Windows Sun Valley, join the [Windows Insider Program for Business](https://insider.windows.com/for-business-getting-started) and opt in to the [Release Preview Channel](/windows-insider/business/validate-Release-Preview-Channel). +To validate that your apps, infrastructure, and deployment processes are ready for Windows Sun Valley, join the [Windows Insider Program for Business](https://insider.windows.com/for-business-getting-started), and opt in to the [Release Preview Channel](/windows-insider/business/validate-Release-Preview-Channel). -If you use Windows Server Update Services, you can deploy directly from the Windows Insider Pre-release category using one of the following: +If you use Windows Server Update Services, you can deploy directly from the Windows Insider Pre-release category using one of the following processes: - Set **Manage Preview Builds** to **Release Preview** in Windows Update for Business. - Leverage Azure Virtual Desktop and Azure Marketplace images. @@ -111,7 +111,7 @@ At a high level, the tasks involved are: ## End-user readiness -To prepare an effective, enterprise-wide deployment of Windows Sun Valley, the importance of end-user readiness should not be overlooked. Windows Sun Valley has a familiar design, but end-users will see several enhancements to the overall user interface. They will also need to adapt to changes in menus and settings pages. Therefore, consider the following tasks to prepare users and your IT support staff Windows Sun Valley: +To prepare an effective, enterprise-wide deployment of Windows Sun Valley, the importance of end-user readiness should not be overlooked. Windows Sun Valley has a familiar design, but your users will see several enhancements to the overall user interface. They will also need to adapt to changes in menus and settings pages. Therefore, consider the following tasks to prepare users and your IT support staff Windows Sun Valley: - Create a communications schedule to ensure that you provide the right communications at the right time to the right groups of users based on when they will see the changes. - Draft concise emails that inform users of what changes they can expect to see. Offer tips on how to use or customize their experience. Include information about support and help desk options. diff --git a/windows/whats-new/windows-sv-requirements.md b/windows/whats-new/windows-sv-requirements.md index d3b9ece9e5..bcb173bfe8 100644 --- a/windows/whats-new/windows-sv-requirements.md +++ b/windows/whats-new/windows-sv-requirements.md @@ -27,14 +27,14 @@ This article lists the system requirements for Windows Sun Valley. Windows Sun V To install or upgrade to Windows Sun Valley, devices must meet the following minimum hardware requirements: -- Processor: 1 gigahertz (GHz) or faster with two or more cores on a [compatible 64-bit processor](https://aka.ms/CPUlist) or system on a chip (SoC) -- RAM: 4 gigabytes (GB) or greater -- Storage: 64 GB or greater available storage is required to install Windows Sun Valley - - Additional storage space might be required to download updates and enable specific features -- Graphics card: Compatible with DirectX 12 or later with WDDM 2.0 driver -- System firmware: UEFI, Secure Boot capable -- TPM: Trusted Platform Module (TPM) version 2.0 -- Display: High definition (720p) display, 9" or greater monitor, 8 bits per color channel +- Processor: 1 gigahertz (GHz) or faster with two or more cores on a [compatible 64-bit processor](https://aka.ms/CPUlist) or system on a chip (SoC). +- RAM: 4 gigabytes (GB) or greater. +- Storage: 64 GB or greater available storage is required to install Windows Sun Valley. + - Additional storage space might be required to download updates and enable specific features. +- Graphics card: Compatible with DirectX 12 or later with WDDM 2.0 driver. +- System firmware: UEFI, Secure Boot capable. +- TPM: Trusted Platform Module (TPM) version 2.0. +- Display: High definition (720p) display, 9" or greater monitor, 8 bits per color channel. - Internet connection: Internet connectivity is necessary to perform updates and to download and take advantage of some features. - Windows Sun Valley Home edition requires an Internet connection and a Microsoft Account to complete device setup on first use. @@ -62,7 +62,7 @@ Some features in Windows Sun Valley have requirements beyond those listed above. - **Presence** requires sensor that can detect human distance from device or intent to interact with device. - **Intelligent Video Conferencing** requires video camera, microphone, and speaker (audio output) - **Multiple Voice Assistant** requires a microphone and speaker. -- **Snap** three column layouts require a screen that is 1920 effective pixels or greater in width. +- **Snap** three-column layouts require a screen that is 1920 effective pixels or greater in width. - **Mute** and **unmute** from Taskbar requires video camera, microphone, and speaker (audio output). App must be compatible with feature to enable global mute/unmute. - **Spatial Sound** requires supporting hardware and software. - **Microsoft Teams** requires video camera, microphone, and speaker (audio output). diff --git a/windows/whats-new/windows-sv.md b/windows/whats-new/windows-sv.md index 8c2564672a..ae6a0260d0 100644 --- a/windows/whats-new/windows-sv.md +++ b/windows/whats-new/windows-sv.md @@ -75,7 +75,7 @@ For more information, see [Prepare for Windows Sun Valley](windows-sv-prepare.md #### Servicing Windows Sun Valley -Like Windows 10, Windows Sun Valley will receive monthly quality updates. However, it will have an annual feature update cadence. When Windows Sun Valley reaches general availability, important servicing-related announcements and information about known issues and safeguard holds can be found on the Windows release health hub. Monthly release notes will available from a consolidated Windows Sun Valley update history page at that time as well. For more information, see [Servicing and support](windows-sv-plan.md#servicing-and-support). +Like Windows 10, Windows Sun Valley will receive monthly quality updates. However, it will have an annual feature update cadence. When Windows Sun Valley reaches general availability, important servicing-related announcements and information about known issues and safeguard holds can be found on the Windows release health hub. Monthly release notes will be available from a consolidated Windows Sun Valley update history page at that time as well. For more information, see [Servicing and support](windows-sv-plan.md#servicing-and-support). ## Next steps From 19ecc31a67c25c3c85f87993e789552d8d8b7114 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 22 Jun 2021 13:03:50 -0700 Subject: [PATCH 363/415] acrolinx --- windows/sv/index.md | 5 ++++- windows/whats-new/windows-sv-plan.md | 10 +++++----- 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/windows/sv/index.md b/windows/sv/index.md index 2217e6e08d..6f48df996d 100644 --- a/windows/sv/index.md +++ b/windows/sv/index.md @@ -1,5 +1,8 @@ --- title: SV +md.prod: w10 author: greg-lindsay ms.author: greglin ---- \ No newline at end of file +--- + +# \ No newline at end of file diff --git a/windows/whats-new/windows-sv-plan.md b/windows/whats-new/windows-sv-plan.md index 45080d69f4..6cae30fc07 100644 --- a/windows/whats-new/windows-sv-plan.md +++ b/windows/whats-new/windows-sv-plan.md @@ -24,14 +24,14 @@ ms.topic: article This article provides guidance to help you plan for Windows Sun Valley in your organization. -Since Windows Sun Valley is built on the same foundation as Windows 10, you can utilize the same deployment capabilities, scenarios, and tools—as well as the same basic deployment strategy. You will need to review and update your servicing strategy to adjust for changes in [Servicing and support](#servicing-and-support) that are in place for Windows Sun Valley. At a high level, this strategy should include the following steps: +Since Windows Sun Valley is built on the same foundation as Windows 10, you can utilize the same deployment capabilities, scenarios, and tools—as well as the same basic deployment strategy. You will need to review and update your servicing strategy to adjust for changes in [Servicing and support](#servicing-and-support) for Windows Sun Valley. At a high level, this strategy should include the following steps: - [Create a deployment plan](/windows/deployment/update/create-deployment-plan) - [Define readiness criteria](/windows/deployment/update/plan-define-readiness) - [Evaluate infrastructure and tools](/windows/deployment/update/eval-infra-tools) - [Determine application readiness](/windows/deployment/update/plan-determine-app-readiness) - [Define your servicing strategy](/windows/deployment/update/plan-define-strategy) -If you are looking for ways to optimize your approach to deploying Windows Sun Valley, or if deploying a new version of an operating system is not a familiar process for you, some additional items to consider are provided below. +If you are looking for ways to optimize your approach to deploying Windows Sun Valley, or if deploying a new version of an operating system is not a familiar process for you, some items to consider are provided below. ## Determine eligibility @@ -49,7 +49,7 @@ Windows Sun Valley will be offered to eligible Windows 10 devices beginning late Managed devices are devices that are under organization control. For example: devices managed by Microsoft Endpoint Manager (Microsoft Intune or Microsoft Endpoint Configuration Manager) or another endpoint management solution. -If you manage devices on behalf of your organization, you will be able to upgrade eligible devices to Windows Sun Valley using your existing deployment and management tools at no cost when the upgrade reaches general availability. Organizations that use Windows Update for Business will have additional benefits, such as: +If you manage devices on behalf of your organization, you will be able to upgrade eligible devices to Windows Sun Valley using your existing deployment and management tools at no cost when the upgrade reaches general availability. Organizations that use Windows Update for Business will have added benefits, such as: - Blocking the upgrade on non-eligible devices. - Additional insight into safeguard holds. While safeguard holds will function for Windows Sun Valley devices just as they do for Windows 10 today, administrators using Windows Update for Business will have access to information on which safeguard holds are preventing individual devices from taking the upgrade to Windows Sun Valley. @@ -60,7 +60,7 @@ If you manage devices on behalf of your organization, you will be able to upgrad ##### Unmanaged devices -Unmanaged devices are those that are not managed by an IT administrator on behalf of an organization. For operating system (OS) deployment, these devices are not subject to organizational policies that manage upgrades or updates. +Unmanaged devices are devices that are not managed by an IT administrator on behalf of an organization. For operating system (OS) deployment, these devices are not subject to organizational policies that manage upgrades or updates. Unmanaged eligible devices running Windows 10 that were purchased after June 2021 will be offered the Windows Sun Valley upgrade in the last quarter of the 2021 calendar year. Messaging on new devices will vary by PC manufacturer, but users will see labels such as **This PC will upgrade to Windows Sun Valley once available** on products that are available for purchase. @@ -69,7 +69,7 @@ Unmanaged eligible devices running Windows 10 that were purchased after June 202 The Windows Sun Valley upgrade will be available initially on eligible, unmanaged devices to users who manually seek the upgrade through Windows Update. As with all Microsoft Update managed devices, the **Windows Update Settings** page will confirm when a device is eligible, and users can upgrade if they choose to. -Just like Windows 10, the machine learning based [intelligent rollout](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/using-machine-learning-to-improve-the-windows-10-update/ba-p/877860) process will be leveraged when rolling out upgrades. Machine learning uses a combination of testing, close partner engagement, feedback, diagnostic data, and real-life insights to manage quality. This improves the update experience and ensures that devices first nominated for updates are those likely to have a seamless experience. Devices that might have compatibility issues with the upgrade get the benefit of resolving these issues before the upgrade is offered. +Just like Windows 10, the machine learning based [intelligent rollout](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/using-machine-learning-to-improve-the-windows-10-update/ba-p/877860) process will be leveraged when rolling out upgrades. Machine learning uses a combination of testing, close partner engagement, feedback, diagnostic data, and real-life insights to manage quality. This process improves the update experience and ensures that devices first nominated for updates are the devices likely to have a seamless experience. Devices that might have compatibility issues with the upgrade get the benefit of resolving these issues before the upgrade is offered. ## Windows Sun Valley readiness considerations From a16c12781777c3e34e91a8e1811422139e3a9f47 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 22 Jun 2021 14:01:55 -0700 Subject: [PATCH 364/415] some edits --- windows/whats-new/windows-sv-plan.md | 16 ++++-- windows/whats-new/windows-sv-prepare.md | 46 ++++++++-------- windows/whats-new/windows-sv-requirements.md | 55 ++++++++++---------- windows/whats-new/windows-sv.md | 12 +++-- 4 files changed, 71 insertions(+), 58 deletions(-) diff --git a/windows/whats-new/windows-sv-plan.md b/windows/whats-new/windows-sv-plan.md index 6cae30fc07..d1e4c7dbec 100644 --- a/windows/whats-new/windows-sv-plan.md +++ b/windows/whats-new/windows-sv-plan.md @@ -24,7 +24,9 @@ ms.topic: article This article provides guidance to help you plan for Windows Sun Valley in your organization. -Since Windows Sun Valley is built on the same foundation as Windows 10, you can utilize the same deployment capabilities, scenarios, and tools—as well as the same basic deployment strategy. You will need to review and update your servicing strategy to adjust for changes in [Servicing and support](#servicing-and-support) for Windows Sun Valley. At a high level, this strategy should include the following steps: +Since Windows Sun Valley is built on the same foundation as Windows 10, you can utilize the same deployment capabilities, scenarios, and tools—as well as the same basic deployment strategy that you use today for Windows 10. You will need to review and update your servicing strategy to adjust for changes in [Servicing and support](#servicing-and-support) for Windows Sun Valley. + +At a high level, this strategy should include the following steps: - [Create a deployment plan](/windows/deployment/update/create-deployment-plan) - [Define readiness criteria](/windows/deployment/update/plan-define-readiness) - [Evaluate infrastructure and tools](/windows/deployment/update/eval-infra-tools) @@ -88,13 +90,17 @@ The introduction of Windows Sun Valley is also a good time to review your hardwa Along with end-user experience and security improvements, Windows Sun Valley introduces enhancements to Microsoft's servicing approach based on your suggestions and feedback. -Windows Sun Valley and Windows 10 devices will receive regular monthly quality updates to provide security updates and bug fixes. However, Microsoft will provide a single feature update annually, targeted for release in the second half of each calendar year. +**Quality updates**: Windows Sun Valley and Windows 10 devices will receive regular monthly quality updates to provide security updates and bug fixes. + +**Feature updates**: Microsoft will provide a single feature update annually, targeted for release in the second half of each calendar year. + +**Lifecycle**: - Home, Pro, Pro for Workstations, and Pro for Education editions of Windows Sun Valley will receive 24 months of support from the availability date. - Enterprise and Education editions of Windows Sun Valley will be supported for 36 months from the availability date. When Windows Sun Valley reaches general availability, a consolidated Windows Sun Valley update history will be available on support.microsoft.com, similar to what is [available today for Windows 10](https://support.microsoft.com/topic/windows-10-update-history-1b6aac92-bf01-42b5-b158-f80c6d93eb11). Similarly, the [Windows release health](/windows/release-health/) hub will offer quick access to Windows Sun Valley servicing announcements, known issues, and safeguard holds. -It is important that organizations have adequate time to plan for Windows Sun Valley. Microsoft also recognizes that many organizations will have a mix of Windows Sun Valley and Windows 10 devices across their ecosystem. Devices on in-service versions of Windows 10 will continue to receive monthly Windows 10 security updates through 2025, as well as incremental improvements to Windows 10 to support ongoing Microsoft 365 deployments. For more information, see the [Windows 10 release information](/windows/release-health/release-information) page, which offers information about Windows 10 Semi-Annual Channel and LTSC releases. +It is important that organizations have adequate time to plan for Windows Sun Valley. Microsoft also recognizes that many organizations will have a mix of Windows Sun Valley and Windows 10 devices across their ecosystem. Devices on in-service versions of Windows 10 will continue to receive monthly Windows 10 security updates through 2025, as well as incremental improvements to Windows 10 to support ongoing Microsoft 365 deployments. For more information, see the [Windows 10 release information](/windows/release-health/release-information) page, which offers information about the Windows 10 Semi-Annual Channel and Long-term Servicing Channel (LTSC) releases. ## Application compatibility @@ -104,9 +110,9 @@ Microsoft's compatibility promise for Windows 10 is maintained for Windows Sun V If you run into compatibility issues or want to ensure that your organization's applications are compatible from day one, App Assure and Test Base for Microsoft 365 can help. -With enrollment in the [App Assure](/windows/compatibility/app-assure) service, if you find any problems with an existing application as you migrate to Windows Sun Valley, Microsoft will help you remedy those application issues at no cost. Since 2018, App Assure has evaluated almost 800,000 apps, and subscriptions are free for eligible customers with 150+ seats. +**App Assure**: With enrollment in the [App Assure](/windows/compatibility/app-assure) service, any app compatibility issues that you find with Windows Sun Valley can be resolved. Microsoft will help you remedy application issues at no cost. Since 2018, App Assure has evaluated almost 800,000 apps, and subscriptions are free for eligible customers with 150+ seats. -For software publishers, systems integrators, and IT administrators, [Test Base for Microsoft 365](https://www.microsoft.com/testbase) (currently in public preview) is a service that allows you to validate your apps across a variety of Windows feature and quality updates and environments in a Microsoft-managed Azure environment. Enterprise organizations can also nominate their software publishers for participation by completing a short form. +**Test Base for Microsoft 365**: For software publishers, systems integrators, and IT administrators, [Test Base for Microsoft 365](https://www.microsoft.com/testbase) (currently in public preview) is a service that allows you to validate your apps across a variety of Windows feature and quality updates and environments in a Microsoft-managed Azure environment. Enterprise organizations can also nominate their software publishers for participation by completing a short form. You might already be using App Assure and Test Base in your Windows 10 environment. Both of these tools will continue to function with Windows Sun Valley. diff --git a/windows/whats-new/windows-sv-prepare.md b/windows/whats-new/windows-sv-prepare.md index 4abb0e142c..5220b153c3 100644 --- a/windows/whats-new/windows-sv-prepare.md +++ b/windows/whats-new/windows-sv-prepare.md @@ -20,58 +20,59 @@ ms.topic: article - Windows Sun Valley, version 21H2 -Windows 10 and Windows Sun Valley are designed to coexist, so that you can use the same familiar tools and process to manage both operating systems. One common management infrastructure that supports common applications across both Windows 10 and Windows Sun Valley helps to simplify the migration process. You can analyze endpoints, determine application compatibility, and manage Windows Sun Valley deployments in the same way that you do with Windows 10. +Windows 10 and Windows Sun Valley are designed to coexist, so that you can use the same familiar tools and process to manage both operating systems. One management infrastructure that supports common applications across both Windows 10 and Windows Sun Valley helps to simplify the migration process. You can analyze endpoints, determine application compatibility, and manage Windows Sun Valley deployments in the same way that you do with Windows 10. -After you evaluate your hardware to see if it meets [requirements](windows-sv-requirements.md) for Windows Sun Valley, it's also a good time to review your deployment infrastructure, tools, and overall endpoint and update management processes and look for opportunities to simplify and optimize. +After you evaluate your hardware to see if it meets [requirements](windows-sv-requirements.md) for Windows Sun Valley, it's also a good time to review your deployment infrastructure, tools, and overall endpoint and update management processes and look for opportunities to simplify and optimize. This article provides some helpful guidance to accomplish these tasks. ## Infrastructure and tools The tools that you use for heavy lifting during Windows 10 deployments can still be leveraged for Windows Sun Valley. A few nuanced differences are described below. -> [!IMPORTANT] -> Be sure to check with the providers of any non-Microsoft solutions that you use. Verify compatibility of these tools with Windows Sun Valley, particularly if they provide security or data loss prevention capabilities. + > [!IMPORTANT] + > Be sure to check with the providers of any non-Microsoft solutions that you use. Verify compatibility of these tools with Windows Sun Valley, particularly if they provide security or data loss prevention capabilities. #### On-premises solutions - If you use Windows Server Update Service (WSUS), you will need to sync the new **Windows Sun Valley** product category. Once you sync the product category, you will see Windows Sun Valley offered as an option. -> [!NOTE] -> During deployment, you will be prompted to agree to the license agreement on behalf of your end-users. Additionally, you will not see an x86 option because Windows Sun Valley is not supported on 32-bit architecture. + > [!NOTE] + > During deployment, you will be prompted to agree to the end-user license agreement on behalf of your users. Additionally, you will not see an x86 option because Windows Sun Valley is not supported on 32-bit architecture. - If you use Microsoft Endpoint Configuration Manager, you can sync the new **Windows Sun Valley** product category and begin upgrading eligible devices. If you would like to validate Windows Sun Valley prior to release, you can sync the **Windows Insider Pre-release** category as well. -> [!NOTE] -> Configuration Manager will prompt you to accept the end-user license agreement on behalf of the users in your organization. + > [!NOTE] + > Configuration Manager will prompt you to accept the end-user license agreement on behalf of the users in your organization. #### Cloud-based solutions -- If you use Windows Update for Business Group Policy and Configuration Service Provider (CSP) policies, you will need to leverage the **Target Version** capability rather than feature update deferrals to upgrade from Windows 10 to Windows Sun Valley. Feature Update deferrals are great to move to newer versions of your current product, but do not enable you to move between products (Windows 10 to Windows Sun Valley). -- Quality update deferrals will continue to work the same across both Windows 10 and Windows Sun Valley. This is true whether using Windows Update for Business, Microsoft Intune, or other management tools. -- If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to leverage **Feature Update Deployments** to easily update devices from one release of Windows 10 to another, or to upgrade Windows 10 devices to Windows Sun Valley. You can then continue using the same update experience controls to manage Windows 10 and Windows Sun Valley. +- If you use Windows Update for Business Group Policy and Configuration Service Provider (CSP) policies, you will need to leverage the **Target Version** capability rather than feature update deferrals to upgrade from Windows 10 to Windows Sun Valley. Feature Update deferrals are great to move to newer versions of your current product (Windows 10, version 20H2 to 21H1), but do not enable you to move between products (Windows 10 to Windows Sun Valley). +- Quality update deferrals will continue to work the same across both Windows 10 and Windows Sun Valley. This is true whether you are using Windows Update for Business, Microsoft Intune, or other management tools. +- If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to use **Feature Update Deployments** to easily update devices from one release of Windows 10 to another, or to upgrade Windows 10 devices to Windows Sun Valley. You can also continue using the same update experience controls to manage Windows 10 and Windows Sun Valley. ## Cloud-based management -If you aren’t already taking advantage of cloud-based management capabilities, like those available in [Microsoft Endpoint Manager](/mem/endpoint-manager-overview), it's worth considering. Aside from consolidating device management and endpoint security into a single platform, it can better support the diverse bring-your-own-device (BYOD) ecosystem that is increasingly the norm with hybrid work scenarios. It can also enable you to track your progress against compliance and business objectives, while protecting end-user privacy. +If you aren’t already taking advantage of cloud-based management capabilities, like those available in [Microsoft Endpoint Manager](/mem/endpoint-manager-overview), it's worth considering. In addition to consolidating device management and endpoint security into a single platform, it can better support the diverse bring-your-own-device (BYOD) ecosystem that is increasingly the norm with hybrid work scenarios. It can also enable you to track your progress against compliance and business objectives, while protecting end-user privacy. The following are some common use cases and the corresponding Microsoft Endpoint Manager capabilities that support them: - **Provision and pre-configure new Windows Sun Valley devices**: [Windows Autopilot](/mem/autopilot/windows-autopilot) enables you to deploy new Windows Sun Valley devices in a “business-ready” state that includes your desired applications, settings, and policies. It can also be used to change the edition of Windows. For example, you can upgrade from Pro to Enterprise edition and gain the use of advanced features. - **Configure rules and control settings for users, apps, and devices**: Devices that are enrolled in [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) provide administrators with full control over apps, settings, features, and security for both Windows Sun Valley and Windows 10. You can also use app protection policies to require multi-factor authentication (MFA) for specific apps. -- **Streamlined, easy-to-manage devices for frontline, remote, and onsite workers**: Introduced with Windows 10, [cloud configuration](/mem/intune/fundamentals/cloud-configuration) is a standard, easy-to-manage, device configuration that is cloud-optimized for users with specific workflow needs. It can be deployed to devices running the Pro, Enterprise, and Education editions of Windows Sun Valley using Microsoft Endpoint Manager. +- **Streamlined, easy-to-manage devices for frontline, remote, and onsite workers**: Introduced with Windows 10, [cloud configuration](/mem/intune/fundamentals/cloud-configuration) is a standard, easy-to-manage, device configuration that is cloud-optimized for users with specific workflow needs. It can be deployed to devices running the Pro, Enterprise, and Education editions of Windows Sun Valley by using Microsoft Endpoint Manager. -If you are exclusively managing devices on-premises (for example, using Configuration Manager), you can still use the [cloud management gateway](/mem/configmgr/core/clients/manage/cmg/overview), enable [tenant attach](/mem/configmgr/tenant-attach/device-sync-actions), or enable [co-management](/mem/configmgr/comanage/overview) with Microsoft Intune, making it easier to keep devices secure and up-to-date. +If you are exclusively managing devices on-premise (for example, using Configuration Manager), you can still use the [cloud management gateway](/mem/configmgr/core/clients/manage/cmg/overview), enable [tenant attach](/mem/configmgr/tenant-attach/device-sync-actions), or enable [co-management](/mem/configmgr/comanage/overview) with Microsoft Intune, making it easier to keep devices secure and up-to-date. ## Review servicing approach and policies -Microsoft is committed to supporting you through your migration to Windows Sun Valley, whether you are a fast adopter or will make the transition over the coming months or years. Every organization will transition to Windows Sun Valley at its own pace. However, thinking of operating system updates as an ongoing process improve your ability to deploy feature and quality updates, and enable you to stay current with less effort and impact on productivity. +Every organization will transition to Windows Sun Valley at its own pace. Microsoft is committed to supporting you through your migration to Windows Sun Valley, whether you are a fast adopter or will make the transition over the coming months or years. -To begin, think about how you roll out Windows feature updates today: which devices, and at what pace. Next, craft a deployment plan for Windows Sun Valley that includes deployment groups, rings, users, or devices. There are no absolute rules for exactly how many rings to have for your deployments, but a common structure is: +When you think of operating system updates as an ongoing process, you will automatically improve your ability to deploy updates. This enables you to stay current with less effort and impact on productivity. To begin, think about how you roll out Windows feature updates today: which devices, and at what pace. +Next, craft a deployment plan for Windows Sun Valley that includes deployment groups, rings, users, or devices. There are no absolute rules for exactly how many rings to have for your deployments, but a common structure is: - Preview (first or canary): Planning and development - Limited (fast or early adopters): Pilot and validation - Broad (users or critical): Wide deployment -For more information, see [Create a deployment plan](/windows/deployment/update/create-deployment-plan). +For detailed information, see [Create a deployment plan](/windows/deployment/update/create-deployment-plan). #### Review policies @@ -91,13 +92,15 @@ Regardless of the method you choose, you have the benefit of free Microsoft supp #### Analytics and assessment tools -If you use Microsoft Endpoint Manager and have onboarded devices to Endpoint analytics, you will have access to a hardware readiness assessment later this year that enables you to quickly identify which of your managed devices are eligible for the Windows Sun Valley upgrade. +If you use Microsoft Endpoint Manager and have onboarded devices to Endpoint analytics, you will have access to a hardware readiness assessment later this year. This tool enables you to quickly identify which of your managed devices are eligible for the Windows Sun Valley upgrade. -If you are ready to explore Windows Sun Valley readiness right away, you can take advantage of Microsoft's [hardware eligibility assessment script](https://aka.ms/HWReadinessScript). This script includes instructions on how to deploy and aggregate your assessment results using Microsoft Intune or Configuration Manager, so you can quickly determine how many of your devices meet the hardware requirements for Windows Sun Valley. For more information, see [Understanding Windows Sun Valley readiness in your organization with Microsoft Endpoint Manager](https://aka.ms/HWReadinessBlog). +If you are ready to explore Windows Sun Valley readiness right away, you can take advantage of Microsoft's [hardware eligibility assessment script](https://aka.ms/HWReadinessScript). This script includes instructions on how to deploy and aggregate your assessment results using Microsoft Intune or Configuration Manager, so you can quickly determine how many of your devices meet the hardware requirements for Windows Sun Valley. + +For more information, see [Understanding Windows Sun Valley readiness in your organization with Microsoft Endpoint Manager](https://aka.ms/HWReadinessBlog). ## Prepare a pilot deployment -A pilot deployment is a proof of concept that rolls out an upgrade to a select number of devices in production before deploying it broadly across the organization. +A pilot deployment is a proof of concept that rolls out an upgrade to a select number of devices in production, before deploying it broadly across the organization. At a high level, the tasks involved are: @@ -112,8 +115,7 @@ At a high level, the tasks involved are: ## End-user readiness To prepare an effective, enterprise-wide deployment of Windows Sun Valley, the importance of end-user readiness should not be overlooked. Windows Sun Valley has a familiar design, but your users will see several enhancements to the overall user interface. They will also need to adapt to changes in menus and settings pages. Therefore, consider the following tasks to prepare users and your IT support staff Windows Sun Valley: - -- Create a communications schedule to ensure that you provide the right communications at the right time to the right groups of users based on when they will see the changes. +- Create a communications schedule to ensure that you provide the right message at the right time to the right groups of users, based on when they will see the changes. - Draft concise emails that inform users of what changes they can expect to see. Offer tips on how to use or customize their experience. Include information about support and help desk options. - Update help desk manuals with screenshots of the new user interface, the out-of-box experience for new devices, and the upgrade experience for existing devices. diff --git a/windows/whats-new/windows-sv-requirements.md b/windows/whats-new/windows-sv-requirements.md index bcb173bfe8..f32476c8f3 100644 --- a/windows/whats-new/windows-sv-requirements.md +++ b/windows/whats-new/windows-sv-requirements.md @@ -31,14 +31,14 @@ To install or upgrade to Windows Sun Valley, devices must meet the following min - RAM: 4 gigabytes (GB) or greater. - Storage: 64 GB or greater available storage is required to install Windows Sun Valley. - Additional storage space might be required to download updates and enable specific features. -- Graphics card: Compatible with DirectX 12 or later with WDDM 2.0 driver. +- Graphics card: Compatible with DirectX 12 or later, with a WDDM 2.0 driver. - System firmware: UEFI, Secure Boot capable. - TPM: Trusted Platform Module (TPM) version 2.0. - Display: High definition (720p) display, 9" or greater monitor, 8 bits per color channel. -- Internet connection: Internet connectivity is necessary to perform updates and to download and take advantage of some features. +- Internet connection: Internet connectivity is necessary to perform updates, download, and use some features. - Windows Sun Valley Home edition requires an Internet connection and a Microsoft Account to complete device setup on first use. -For additional guidance, see [Determine eligibility](windows-sv-plan.md#determine-eligibility). +For information about tools to evaluate readiness, see [Determine eligibility](windows-sv-plan.md#determine-eligibility). ## Operating system requirements @@ -46,34 +46,35 @@ For the best Windows Sun Valley upgrade experience, eligible devices should be r > [!NOTE] > S mode is not supported on Windows Sun Valley. -> If you are running Windows in S mode, you will need to first [switch out of S mode](/windows/deployment/windows-10-pro-in-s-mode) prior to upgrading. Switching a device out of Windows 10 in S mode also requires internet connectivity. If you switch out of S mode, you cannot switch back to S mode later. +> If you are running Windows in S mode, you will need to first [switch out of S mode](/windows/deployment/windows-10-pro-in-s-mode) prior to upgrading.
+> Switching a device out of Windows 10 in S mode also requires internet connectivity. If you switch out of S mode, you cannot switch back to S mode later. ## Feature-specific requirements -Some features in Windows Sun Valley have requirements beyond those listed above. See the following list: +Some features in Windows Sun Valley have requirements beyond those listed above. See the following list of features and associated requirements. -- **5G support** requires 5G capable modem. -- **Auto HDR** requires an HDR monitor. -- **BitLocker to Go** requires a USB flash drive. This feature is available in Windows Pro and above editions. -- **Client Hyper-V** requires a processor with second-level address translation (SLAT) capabilities. This feature is available in Windows Pro editions and above. -- **Cortana** requires a microphone and speaker and is currently available on Windows Sun Valley for Australia, Brazil, Canada, China, France, Germany, India, Italy, Japan, Mexico, Spain, United Kingdom, and United States. -- **DirectStorage** requires 1 TB or greater NVMe SSD to store and run games that use the "Standard NVM Express Controller" driver and a DirectX12 Ultimate GPU. -- **DirectX 12 Ultimate** is available with supported games and graphics chips. -- **Presence** requires sensor that can detect human distance from device or intent to interact with device. -- **Intelligent Video Conferencing** requires video camera, microphone, and speaker (audio output) -- **Multiple Voice Assistant** requires a microphone and speaker. -- **Snap** three-column layouts require a screen that is 1920 effective pixels or greater in width. -- **Mute** and **unmute** from Taskbar requires video camera, microphone, and speaker (audio output). App must be compatible with feature to enable global mute/unmute. -- **Spatial Sound** requires supporting hardware and software. -- **Microsoft Teams** requires video camera, microphone, and speaker (audio output). -- **Touch** requires a screen or monitor that supports multi-touch. -- **Two-factor authentication** requires use of PIN, biometric (fingerprint reader or illuminated infrared camera), or a phone with Wi-Fi or Bluetooth capabilities. -- **Voice Typing** requires a PC with a microphone. -- **Wake on Voice** requires Modern Standby power model and microphone. -- **Wi-Fi 6E** requires new WLAN IHV hardware and driver and a Wi-Fi 6E capable AP/router. -- **Windows Hello** requires a camera configured for near infrared (IR) imaging or fingerprint reader for biometric authentication. Devices without biometric sensors can use Windows Hello with a PIN or portable Microsoft compatible security key. For more information, see [IT tools to support Windows 10, version 21H1](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103). -- **Windows Projection** requires a display adapter which supports Windows Display Driver Model (WDDM) 2.0 and a Wi-Fi adapter that supports Wi-Fi Direct. -- **Xbox** app requires an Xbox Live account, which is not available in all regions. Please go to the Xbox Live Countries and Regions page for the most up-to-date information on availability. Some features in the Xbox app will require an active Xbox Game Pass subscription. See https://www.xbox.com/xbox-game-pass to learn more about the pass. +- **5G support**: requires 5G capable modem. +- **Auto HDR**: requires an HDR monitor. +- **BitLocker to Go**: requires a USB flash drive. This feature is available in Windows Pro and above editions. +- **Client Hyper-V**: requires a processor with second-level address translation (SLAT) capabilities. This feature is available in Windows Pro editions and above. +- **Cortana**: requires a microphone and speaker and is currently available on Windows Sun Valley for Australia, Brazil, Canada, China, France, Germany, India, Italy, Japan, Mexico, Spain, United Kingdom, and United States. +- **DirectStorage**: requires 1 TB or greater NVMe SSD to store and run games that use the "Standard NVM Express Controller" driver and a DirectX12 Ultimate GPU. +- **DirectX 12 Ultimate**: is available with supported games and graphics chips. +- **Presence**: requires sensor that can detect human distance from device or intent to interact with device. +- **Intelligent Video Conferencing**: requires video camera, microphone, and speaker (audio output) +- **Multiple Voice Assistant**: requires a microphone and speaker. +- **Snap**: three-column layouts require a screen that is 1920 effective pixels or greater in width. +- **Mute** and **unmute**: from Taskbar requires video camera, microphone, and speaker (audio output). App must be compatible with feature to enable global mute/unmute. +- **Spatial Sound**: requires supporting hardware and software. +- **Microsoft Teams**: requires video camera, microphone, and speaker (audio output). +- **Touch**: requires a screen or monitor that supports multi-touch. +- **Two-factor authentication**: requires use of PIN, biometric (fingerprint reader or illuminated infrared camera), or a phone with Wi-Fi or Bluetooth capabilities. +- **Voice Typing**: requires a PC with a microphone. +- **Wake on Voice**: requires Modern Standby power model and microphone. +- **Wi-Fi 6E**: requires new WLAN IHV hardware and driver and a Wi-Fi 6E capable AP/router. +- **Windows Hello**: requires a camera configured for near infrared (IR) imaging or fingerprint reader for biometric authentication. Devices without biometric sensors can use Windows Hello with a PIN or portable Microsoft compatible security key. For more information, see [IT tools to support Windows 10, version 21H1](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103). +- **Windows Projection**: requires a display adapter which supports Windows Display Driver Model (WDDM) 2.0 and a Wi-Fi adapter that supports Wi-Fi Direct. +- **Xbox app**: requires an Xbox Live account, which is not available in all regions. Please go to the Xbox Live Countries and Regions page for the most up-to-date information on availability. Some features in the Xbox app will require an active Xbox Game Pass subscription. See https://www.xbox.com/xbox-game-pass to learn more about the pass. ## Next steps diff --git a/windows/whats-new/windows-sv.md b/windows/whats-new/windows-sv.md index ae6a0260d0..335297ca86 100644 --- a/windows/whats-new/windows-sv.md +++ b/windows/whats-new/windows-sv.md @@ -36,6 +36,8 @@ Windows Sun Valley is the next evolution of Windows; the most significant update This release is built on the same foundation as Windows 10, so the investments you have made in tools for update and device management are carried forward. Windows Sun Valley also sustains the application compatibility promise made with Windows 10, supplemented by programs like App Assure. For Microsoft 365 customers seeking further assistance, FastTrack will continue to be available to support your efforts to adopt Windows Sun Valley. +After Windows Sun Valley is generally available, it is expected that many organizations will have a mixed environment of Windows Sun Valley and Windows 10 devices. The guidance provided here can help you to manage this hybrid environment. + ## How to get Windows Sun Valley Windows Sun Valley will be delivered as an upgrade to eligible devices running Windows 10, beginning later in the 2021 calendar year. Windows Sun Valley will also be available on eligible new devices. @@ -50,7 +52,7 @@ If you are interested in testing Windows Sun Valley before general availability, ## Before you begin -Many organizations will have a mixed environment of Windows Sun Valley and Windows 10 devices. The following sections provide a quick summary of licensing, compatibility, management, and servicing considerations. +The following sections provide a quick summary of licensing, compatibility, management, and servicing considerations to help you get started with Windows Sun Valley. #### Licensing @@ -62,11 +64,11 @@ Microsoft 365 licenses that include Windows 10 licenses will permit you to run W Most accessories and associated drivers that work with Windows 10 are expected to work with Windows Sun Valley. Check with your accessory manufacturer for specific details. -Windows Sun Valley preserves the application compatibility promise made with Windows 10 and does not require changes to existing support processes or tooling to sustain the currency of applications and devices. Microsoft 365 customers can continue to use programs such as App Assure and FastTrack to support IT efforts to adopt and maintain Windows Sun Valley. For more information, see [Application compatibility](windows-sv-plan.md#application-compatibility). +Windows Sun Valley preserves the application compatibility promise made with Windows 10, and does not require changes to existing support processes or tooling to sustain the currency of applications and devices. Microsoft 365 customers can continue to use programs such as App Assure and FastTrack to support IT efforts to adopt and maintain Windows Sun Valley. For more information, see [Application compatibility](windows-sv-plan.md#application-compatibility). #### Familiar processes -Windows Sun Valley is built on the same foundation as Windows 10, so generally you can use the same tools and solutions you use today to deploy, manage, and secure Windows Sun Valley. Your current management tools and processes will work to manage monthly quality updates for both Windows 10 and Windows Sun Valley. If you use non-Microsoft tools, check with your vendor to verify compatibility. +Windows Sun Valley is built on the same foundation as Windows 10. Typically, you can use the same tools and solutions you use today to deploy, manage, and secure Windows Sun Valley. Your current management tools and processes will also work to manage monthly quality updates for both Windows 10 and Windows Sun Valley. > [!IMPORTANT] > Check with the providers of any non-Microsoft security and management solutions that you use to ensure compatibility with Windows Sun Valley, particularly those providing security or data loss prevention capabilities. @@ -75,7 +77,9 @@ For more information, see [Prepare for Windows Sun Valley](windows-sv-prepare.md #### Servicing Windows Sun Valley -Like Windows 10, Windows Sun Valley will receive monthly quality updates. However, it will have an annual feature update cadence. When Windows Sun Valley reaches general availability, important servicing-related announcements and information about known issues and safeguard holds can be found on the Windows release health hub. Monthly release notes will be available from a consolidated Windows Sun Valley update history page at that time as well. For more information, see [Servicing and support](windows-sv-plan.md#servicing-and-support). +Like Windows 10, Windows Sun Valley will receive monthly quality updates. However, it will have a new feature update cadence. Windows Sun Valley feature updates will be released once per year. + +When Windows Sun Valley reaches general availability, important servicing-related announcements and information about known issues and safeguard holds can be found on the Windows release health hub. Monthly release notes will also be available from a consolidated Windows Sun Valley update history page at that time. For more information, see [Servicing and support](windows-sv-plan.md#servicing-and-support). ## Next steps From 5e7dcbac9d78e94a8c48259b510b325eecb28160 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 22 Jun 2021 14:20:10 -0700 Subject: [PATCH 365/415] some edits --- windows/deployment/deploy-whats-new.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index 03d5ce122e..583e4392a1 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md @@ -20,14 +20,13 @@ ms.custom: seo-marvel-apr2020 **Applies to:** - Windows 10 -- Windows 11 ## In this topic This topic provides an overview of new solutions and online content related to deploying Windows client in your organization. - For an all-up overview of new features in Windows 10, see [What's new in Windows 10](/windows/whats-new/index). -- For an all-up overview of new features in Windows 11, see [What's new in Windows 11](/windows/whats-new/index). +- For an overview of Windows Sun Valley, see [What's new in Windows Sun Valley](/windows/whats-new/windows-sv). ## Latest news From 68bd4770c1ef05350b32668dc394d3e14db2c1c2 Mon Sep 17 00:00:00 2001 From: v-miegge <49650192+v-miegge@users.noreply.github.com> Date: Wed, 23 Jun 2021 08:27:38 -0700 Subject: [PATCH 366/415] Matt Palko edits --- .../hello-aad-join-cloud-only-deploy.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md index b5aa653cdc..b195744150 100644 --- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md +++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium -ms.date: 06/03/2021 +ms.date: 06/23/2021 ms.reviewer: --- # Azure AD Joined Cloud Only Deployment @@ -25,15 +25,15 @@ When you Azure Active Directory (Azure AD) join a Windows 10 device, the system You may wish to disable the automatic Windows Hello for Business enrollment prompts if you aren't ready to use it in your environment. Instructions on how to disable Windows Hello for Business enrollment in a cloud only environment are included below. > [!NOTE] -> During the out-of-box experience (OOBE) flow of an Azure AD (AAD) join, you will see a provisioning PIN when you don’t have Intune. You can always cancel the PIN screen and set this cancellation with registry keys to prevent future prompts. +> During the out-of-box experience (OOBE) flow of an Azure AD join, you will see a provisioning PIN when you don’t have Intune. You can always cancel the PIN screen and set this cancellation with registry keys to prevent future prompts. ## Prerequisites -This cloud only deployment will use AAD multi-factor authentication (MFA) during the Windows Hello for Business (WHfB) enrollment and there's no additional MFA configuration needed. If you aren't already registered in AAD MFA, you will be guided though the MFA registration as part of the Windows Hello for Business deployment enrollment process. +Cloud only deployments will use Azure AD multi-factor authentication (MFA) during Windows Hello for Business (WHfB) enrollment and there's no additional MFA configuration needed. If you aren't already registered in Azure AD MFA, you will be guided though the MFA registration as part of the Windows Hello for Business enrollment process. The necessary Windows Hello for Business prerequisites are located at [Cloud Only Deployment](hello-identity-verification.md#cloud-only-deployment). -Also note that it's possible for federated domains to enable the “Supports MFA” flag in your federated domain settings. This flag tells AAD that the federated IDP will perform the MFA challenge. +Also note that it's possible for federated domains to enable the “Supports MFA” flag in your federated domain settings. This flag tells Azure AD that the federated IDP will perform the MFA challenge. Check and view this setting with the following MSOnline PowerShell command: @@ -53,9 +53,9 @@ If you use this Supports MFA switch with value **True**, you must verify that yo We recommend that you disable or manage Windows Hello for Business provisioning behavior through an Intune policy using the steps in [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello). -However, not everyone uses Intune. The following method explains how to disable Windows Hello for Business enrollment without Intune, or through a third-party mobile device management (MDM). If you aren't running Intune in your organization, you can disable Windows Hello for Business via the registry. We have provided the underlying registry subkeys for disabling Windows Hello for Business. +However, not everyone uses Intune. The following method explains how to disable Windows Hello for Business enrollment without Intune, or through a third-party mobile device management (MDM). If you aren't using Intune in your organization, you can disable Windows Hello for Business via the registry. We have provided the underlying registry subkeys for disabling Windows Hello for Business. -## Create a Windows Hello for Business Enrollment policy +## Disable Windows Hello for Business using Intune Enrollment policy 1. Sign into the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) admin center. 2. Go to **Devices** > **Enrollment** > **Enroll devices** > **Windows enrollment** > **Windows Hello for Business**. The Windows Hello for Business pane opens. @@ -72,11 +72,11 @@ The information below can be pushed out to the devices through a third-party MDM Because these systems are Azure AD Joined only, and not domain joined, these settings could be made in the registry on the device(s) when Intune isn't used. -Here are the registry settings an Intune policy would set. If you aren't using Intune, it's recommended to use the Intune Device Policy registry settings manually to disable Windows Hello For Business enrollment. +Here are the registry settings an Intune policy would set. Intune Device Policy: **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\Device\Policies** -To find the Tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant) +To look up your Tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant) These registry settings are pushed from Intune for user policies for your reference. @@ -91,7 +91,7 @@ For your reference, these registry settings can be applied from Local or Group P - DWORD: **Enabled** - Value = **0** for Disable or Value = **1** for Enable -If there's a conflicting Device policy and User policy, the device policy or computer policy would take precedence. We don't recommend creating Local/GPO registry settings that could conflict with an Intune policy. This conflict could lead to unexpected results. +If there's a conflicting Device policy and User policy, the User policy would take precedence. We don't recommend creating Local/GPO registry settings that could conflict with an Intune policy. This conflict could lead to unexpected results. ## Related reference documents for Azure AD join scenarios From 6cb449cb45de2824e6d0aa0a1a240a5914441e5b Mon Sep 17 00:00:00 2001 From: v-miegge <49650192+v-miegge@users.noreply.github.com> Date: Wed, 23 Jun 2021 08:49:57 -0700 Subject: [PATCH 367/415] Coded the reg strings --- .../hello-aad-join-cloud-only-deploy.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md index b195744150..379f033684 100644 --- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md +++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md @@ -74,20 +74,20 @@ Because these systems are Azure AD Joined only, and not domain joined, these set Here are the registry settings an Intune policy would set. -Intune Device Policy: **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\Device\Policies** +Intune Device Policy: **`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\Device\Policies`** To look up your Tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant) These registry settings are pushed from Intune for user policies for your reference. -- Intune User Policy: **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\UserSid\Policies** +- Intune User Policy: **`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\UserSid\Policies`** - DWORD: **UsePassportForWork** - Value = **0** for Disable, or Value = **1** for Enable For your reference, these registry settings can be applied from Local or Group Policies. -- Local/GPO User Policy: **HKEY_USERS\UserSID\SOFTWARE\Policies\Microsoft\PassportForWork** -- Local/GPO Device Policy: **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork** +- Local/GPO User Policy: **`HKEY_USERS\UserSID\SOFTWARE\Policies\Microsoft\PassportForWork`** +- Local/GPO Device Policy: **`HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork`** - DWORD: **Enabled** - Value = **0** for Disable or Value = **1** for Enable From c2a85c0c718ddde7cdeee43e37171045d0b81a38 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Wed, 23 Jun 2021 09:05:44 -0700 Subject: [PATCH 368/415] Update Language-pack-management-csp.md --- .../mdm/Language-pack-management-csp.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md index 755472b5af..85fe76af37 100644 --- a/windows/client-management/mdm/Language-pack-management-csp.md +++ b/windows/client-management/mdm/Language-pack-management-csp.md @@ -1,6 +1,6 @@ --- title: Language Pack Management CSP -description: Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10 and Windows 10 X. +description: Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10. ms.reviewer: manager: dansimp ms.author: dansimp @@ -8,17 +8,16 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nimishasatapathy -ms.date: 03/12/2021 +ms.date: 06/22/2021 --- # Language Pack Management CSP -Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10 and Windows 10 X. A separate CSP exists to allow provisioning of optional FODs (Handwriting recognition, Text-to-speech etc.) associated with a language. MDMs like Intune can use management commands remotely to devices to configure language related settings. - +Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10. A separate CSP exists to allow provisioning of optional Features On Demand (FOD) which include handwriting recognition, text-to-speech, etc. associated with a language. device management tools like Intune can use management commands remotely to devices to configure language related settings. Device context -1. Enumerate installed languages with GET command on the "InstalledLanguges" node +1. Enumerate installed languages with GET command on the "InstalledLanguges" node: Sample command **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages** @@ -30,10 +29,11 @@ The nodes under “InstalledLanguages” are the language tags of the installed 2. Install language pack features with EXECUTE command on the "StartInstall" node of the language Sample command + **ADD./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/** **EXECUTE./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/StartInstallation** -The installation is an asynchronous operation. IT admin can query the ‘Status’ node using +The installation is an asynchronous operation. IT admin can query the ‘Status’ node by using the following commands: **GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/Status** **GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/ErrorCode** From a9ac94ea0da7023a22d9e049af7095cbd79363ec Mon Sep 17 00:00:00 2001 From: Thomas Raya Date: Wed, 23 Jun 2021 11:07:01 -0700 Subject: [PATCH 369/415] Update select-types-of-rules-to-create.md --- .../select-types-of-rules-to-create.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 05468dd64e..ee556ecef8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -121,7 +121,8 @@ To create the WDAC policy, they build a reference server on their standard hardw As part of normal operations, they will eventually install software updates, or perhaps add software from the same software providers. Because the "Publisher" remains the same on those updates and software, they will not need to update their WDAC policy. If the unsigned, internal application is updated, they must also update the WDAC policy to allow the new version. ## File rule precedence order -WDAC has a built-in file rule conflict logic that translates to precedence order. It will first process all explicit deny rules it finds. Then, it will process all explicit allow rules. If no deny or allow rule exists, WDAC will check for [Managed Installer EA](deploy-wdac-policies-with-managed-installer.md). Lastly, if none of these exists, WDAC will fall back on [ISG](use-windows-defender-application-control-with-intelligent-security-graph.md). + +WDAC has a built-in file rule conflict logic that translates to precedence order. It will first processes all explicit deny rules it finds. Then, it will process all explicit allow rules. If no deny or allow rule exists, WDAC will check for [Managed Installer EA](deployment/deploy-wdac-policies-with-memcm.md). Lastly, if none of these exists, WDAC will fall back on [ISG](use-windows-defender-application-control-with-intelligent-security-graph.md). ## More information about filepath rules From c8d156c7354b04770d47904928c4d89e59d8e30e Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Wed, 23 Jun 2021 13:19:59 -0700 Subject: [PATCH 370/415] Update configuration-service-provider-reference.md fixing relative link --- .../mdm/configuration-service-provider-reference.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 2f152af35b..8d54b43c2b 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -1109,7 +1109,7 @@ Additional lists: check mark -Only for mobile application management (MAM) +Only for mobile application management (MAM) check mark check mark @@ -2843,4 +2843,4 @@ The following list shows the CSPs supported in HoloLens devices: - 7 - Added in Windows 10, version 1909. - 8 - Added in Windows 10, version 2004. - 9 - Added in Windows 10 Team 2020 Update -- 10 - Added in [Windows Holographic, version 20H2](https://docs.microsoft.com/hololens/hololens-release-notes#windows-holographic-version-20h2) +- 10 - Added in [Windows Holographic, version 20H2](/hololens/hololens-release-notes#windows-holographic-version-20h2) From 769114b7494120e57e068de280a77cb18b49c4d9 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Wed, 23 Jun 2021 13:28:04 -0700 Subject: [PATCH 371/415] Update Language-pack-management-csp.md --- .../mdm/Language-pack-management-csp.md | 42 ++++++++++++------- 1 file changed, 27 insertions(+), 15 deletions(-) diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md index 85fe76af37..2e9d2f4140 100644 --- a/windows/client-management/mdm/Language-pack-management-csp.md +++ b/windows/client-management/mdm/Language-pack-management-csp.md @@ -14,43 +14,55 @@ ms.date: 06/22/2021 # Language Pack Management CSP -Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10. A separate CSP exists to allow provisioning of optional Features On Demand (FOD) which include handwriting recognition, text-to-speech, etc. associated with a language. device management tools like Intune can use management commands remotely to devices to configure language related settings. +The Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10. A separate CSP exists to provision optional Features On Demand (FOD) which include handwriting recognition, text-to-speech, etc. associated with a language. Device management tools such as Intune can use management commands remotely to devices to configure language related settings. -Device context -1. Enumerate installed languages with GET command on the "InstalledLanguges" node: +1. List the installed languages with GET command on the "InstalledLanguges" node. For example: -Sample command -**GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages** -**GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages /zh-CN/Providers** -**GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages /ja-JP/Providers** +``` +GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages +GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages /zh-CN/Providers +GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages /ja-JP/Providers +``` -The nodes under “InstalledLanguages” are the language tags of the installed languages. The “providers” node under language tag is the bit map representation of either "language pack (features)" or "LXPs". 1 indicates the language pack installed is a System Language Pack (non-LXP), “2” stands for LXPs installed. “3” stands for both installed. +The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is the bit map representation of either **language pack (features)** or **LXPs**. The value of **1** indicates the language pack installed is a System Language Pack (non-LXP), **2** indidcates that the LXP is installed. **3** indicates that both are installed. -2. Install language pack features with EXECUTE command on the "StartInstall" node of the language - -Sample command +2. Install language pack features with the EXECUTE command on the **StartInstall** node of the language. For example, +``` **ADD./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/** **EXECUTE./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/StartInstallation** +``` -The installation is an asynchronous operation. IT admin can query the ‘Status’ node by using the following commands: +The installation is an asynchronous operation. You can query the **Status** node by using the following commands: +``` **GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/Status** **GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/ErrorCode** +``` + +Return value definitions are: + +- 0 – Not started +- 1 – In process +- 2 – Succeeded +- 3 – Failed. ErrorCode is a HRESULT that could help you diagnose the issue and why installation failed -Status: 0 – not started; 1 – in process; 2 – succeeded; 3 – failed. ErrorCode is a HRESULT that could help diagnosis if the installation failed > [!NOTE] -> If the IT administration has not set the policy of blocking cleanup of unused language packs, then this command will fail. +> If the IT administrator has not set the policy of blocking cleanup of unused language packs, then this command will fail. -3. Delete installed Language with the DELETE command on the installed language tag. The delete command is a fire and forget operation. The deletion will run in background. IT admin can query the installed language later and resend the command if needed. +3. Delete installed Language with the DELETE command on the installed language tag. The deletion will run in background, and admins can query the installed language later and resend the command if needed. Sample command +``` **DELETE ./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages /zh-CN (Delete command)** +``` 4. Get/Set System Preferred UI Language with GET or REPLACE command on the "SystemPreferredUILanguages" Node Sample command +``` **./Device/Vendor/MSFT/LanguagePackManagement/LanguageSettings/SystemPreferredUILanguages** +``` From 6c92cd3cdbba8167b1fef020426b49f0b1d58710 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Wed, 23 Jun 2021 13:54:22 -0700 Subject: [PATCH 372/415] incorp changes --- windows/hub/index.yml | 2 +- windows/whats-new/windows-sv-plan.md | 39 ++++++++--------- windows/whats-new/windows-sv-prepare.md | 45 +++++++++----------- windows/whats-new/windows-sv-requirements.md | 18 ++++---- windows/whats-new/windows-sv.md | 16 +++---- 5 files changed, 57 insertions(+), 63 deletions(-) diff --git a/windows/hub/index.yml b/windows/hub/index.yml index 0eeef6aed5..846ee4e900 100644 --- a/windows/hub/index.yml +++ b/windows/hub/index.yml @@ -34,7 +34,7 @@ landingContent: url: /windows/whats-new/windows-sv-plan - text: Prepare for Windows Sun Valley url: /windows/whats-new/windows-sv-prepare - - text: What's new in Windows 10, version 21H2 + - text: What's new in Windows 10, version 21H1 url: /windows/whats-new/whats-new-windows-10-version-21H1 - text: Windows release information url: /windows/release-health/release-information diff --git a/windows/whats-new/windows-sv-plan.md b/windows/whats-new/windows-sv-plan.md index d1e4c7dbec..11aa8a3ddc 100644 --- a/windows/whats-new/windows-sv-plan.md +++ b/windows/whats-new/windows-sv-plan.md @@ -18,13 +18,13 @@ ms.topic: article **Applies to** -- Windows Sun Valley, version 21H2 +- Windows Sun Valley ## Deployment planning This article provides guidance to help you plan for Windows Sun Valley in your organization. -Since Windows Sun Valley is built on the same foundation as Windows 10, you can utilize the same deployment capabilities, scenarios, and tools—as well as the same basic deployment strategy that you use today for Windows 10. You will need to review and update your servicing strategy to adjust for changes in [Servicing and support](#servicing-and-support) for Windows Sun Valley. +Since Windows Sun Valley is built on the same foundation as Windows 10, you can use the same deployment capabilities, scenarios, and tools—as well as the same basic deployment strategy that you use today for Windows 10. You will need to review and update your servicing strategy to adjust for changes in [Servicing and support](#servicing-and-support) for Windows Sun Valley. At a high level, this strategy should include the following steps: - [Create a deployment plan](/windows/deployment/update/create-deployment-plan) @@ -39,48 +39,45 @@ If you are looking for ways to optimize your approach to deploying Windows Sun V As a first step, you will need to know which of your current devices meet the Windows Sun Valley hardware requirements. Most devices purchased in the last 18-24 months will be compatible with Windows Sun Valley. Verify that your device meets or exceeds [Windows Sun Valley requirements](windows-sv-requirements.md) to ensure it is compatible. -Microsoft is currently developing analysis tools to help you evaluate your devices against the Windows Sun Valley hardware requirements. When Windows Sun Valley reaches general availability, end-users running Windows 10 Home, Pro, and Pro for Workstations will be able to use the **PC Health Check** app to determine their eligibility for Windows Sun Valley. End-users running Windows 10 Enterprise and Education editions should rely on their IT administrators to let them know when they are eligible for the upgrade.  +Microsoft is currently developing analysis tools to help you evaluate your devices against the Windows Sun Valley hardware requirements. When Windows Sun Valley reaches general availability, end-users running Windows 10 Home, Pro, and Pro for Workstations will be able to use the **PC Health Check** app to determine their eligibility for Windows Sun Valley. end-users running Windows 10 Enterprise and Education editions should rely on their IT administrators to let them know when they are eligible for the upgrade.  -Enterprise organizations looking to evaluate device readiness in their environments can expect this capability to be integrated into existing Microsoft tools, such as Endpoint analytics and Update Compliance. This capability will be available when Windows Sun Valley is generally available. Microsoft is also working with software publisher partners to facilitate Windows Sun Valley device readiness into their solutions. +Enterprise organizations looking to evaluate device readiness in their environments can expect this capability to be integrated into existing Microsoft tools, such as Endpoint analytics and Update Compliance. This capability will be available when Windows Sun Valley is generally available. Microsoft is also working with software publishing partners to facilitate adding Windows Sun Valley device support into their solutions. ## Windows Sun Valley availability -Windows Sun Valley will be offered to eligible Windows 10 devices beginning later in the 2021 calendar year. The availability of Windows Sun Valley will vary according to a device's hardware and whether or not the device receives updates directly or from a management solution that is maintained by an IT administrator. +The availability of Windows Sun Valley will vary according to a device's hardware and whether the device receives updates directly, or from a management solution that is maintained by an IT administrator. ##### Managed devices -Managed devices are devices that are under organization control. For example: devices managed by Microsoft Endpoint Manager (Microsoft Intune or Microsoft Endpoint Configuration Manager) or another endpoint management solution. +Managed devices are devices that are under organization control. Managed devices include those managed by Microsoft Intune, Microsoft Endpoint Configuration Manager, or other endpoint management solutions. If you manage devices on behalf of your organization, you will be able to upgrade eligible devices to Windows Sun Valley using your existing deployment and management tools at no cost when the upgrade reaches general availability. Organizations that use Windows Update for Business will have added benefits, such as: -- Blocking the upgrade on non-eligible devices. +- Ensuring that devices that don't meet the minimum hardware requirements are not automatically offered the Windows Sun Valley upgrade. - Additional insight into safeguard holds. While safeguard holds will function for Windows Sun Valley devices just as they do for Windows 10 today, administrators using Windows Update for Business will have access to information on which safeguard holds are preventing individual devices from taking the upgrade to Windows Sun Valley. > [!NOTE] -> If you use WUfB to manage feature update deployments today, you will need to leverage the **Target Version** policy rather than **Feature Update deferrals** to move from Windows 10 to Windows Sun Valley. Deferrals are great for quality updates or to move to newer version of the same product (Windows 10 to Windows 10), but they cannot migrate a device between products (Windows 10 to Windows Sun Valley).
-> Additionally, Windows Sun Valley has a new end-user license agreement. If you are deploying with Windows Update for Business **Target Version** or with Windows Server Update Services, you are accepting this new end-user license agreements on behalf of the end-users within your organization. +> If you use Windows Update for Business to manage feature update deployments today, you will need to leverage the **Target Version** policy rather than **Feature Update deferrals** to move from Windows 10 to Windows Sun Valley. Deferrals are great for quality updates or to move to newer version of the same product (from example, from Windows 10, version 20H2 to 21H1), but they cannot migrate a device between products (from Windows 10 to Windows Sun Valley).
+> Additionally, Windows Sun Valley has a new End User License Agreement. If you are deploying with Windows Update for Business **Target Version** or with Windows Server Update Services, you are accepting this new End User License Agreement on behalf of the end-users within your organization. ##### Unmanaged devices Unmanaged devices are devices that are not managed by an IT administrator on behalf of an organization. For operating system (OS) deployment, these devices are not subject to organizational policies that manage upgrades or updates. -Unmanaged eligible devices running Windows 10 that were purchased after June 2021 will be offered the Windows Sun Valley upgrade in the last quarter of the 2021 calendar year. Messaging on new devices will vary by PC manufacturer, but users will see labels such as **This PC will upgrade to Windows Sun Valley once available** on products that are available for purchase. +Windows Sun Valley will be offered to eligible Windows 10 devices beginning later in the 2021 calendar year. Messaging on new devices will vary by PC manufacturer, but users will see labels such as **This PC will upgrade to Windows Sun Valley once available** on products that are available for purchase. -> [!NOTE] -> New devices purchased after October 2021 will see the Windows Sun Valley offer during the out of box experience (OOBE), or they will already be upgraded to Windows Sun Valley. - -The Windows Sun Valley upgrade will be available initially on eligible, unmanaged devices to users who manually seek the upgrade through Windows Update. As with all Microsoft Update managed devices, the **Windows Update Settings** page will confirm when a device is eligible, and users can upgrade if they choose to. +The Windows Sun Valley upgrade will be available initially on eligible, unmanaged devices to users who manually seek the upgrade through Windows Update. As with all Windows Update managed devices, the **Windows Update Settings** page will confirm when a device is eligible, and users can upgrade if they choose to. Just like Windows 10, the machine learning based [intelligent rollout](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/using-machine-learning-to-improve-the-windows-10-update/ba-p/877860) process will be leveraged when rolling out upgrades. Machine learning uses a combination of testing, close partner engagement, feedback, diagnostic data, and real-life insights to manage quality. This process improves the update experience and ensures that devices first nominated for updates are the devices likely to have a seamless experience. Devices that might have compatibility issues with the upgrade get the benefit of resolving these issues before the upgrade is offered. ## Windows Sun Valley readiness considerations -The recommended method for organizations to determine if their infrastructure, deployment processes, and management tools are ready for Windows Sun Valley is to join the [Windows Insider Program for Business](https://insider.windows.com/for-business). As a participant in the [Release Preview Channel](/windows-insider/business/validate-Release-Preview-Channel), you can validate that your devices and applications work as expected, and explore new features in details. +The recommended method to determine if your infrastructure, deployment processes, and management tools are ready for Windows Sun Valley is to join the [Windows Insider Program for Business](https://insider.windows.com/for-business). As a participant in the [Release Preview Channel](/windows-insider/business/validate-Release-Preview-Channel), you can validate that your devices and applications work as expected, and explore new features. As you plan your endpoint management strategy for Windows Sun Valley, consider moving to cloud-based mobile device management (MDM), such as [Microsoft Intune](/mem/intune/fundamentals/what-is-intune). If a cloud-only approach isn't right for your organization just yet, you can still modernize and streamline essential pieces of your endpoint management strategy as follows: - Create a [cloud management gateway](/mem/configmgr/core/clients/manage/cmg/overview) (CMG) to manage Configuration Manager clients over the internet. - Attach your existing Configuration Management estate to the cloud with [tenant attach](/mem/configmgr/tenant-attach/device-sync-actions) so you can manage all devices from within the Microsoft Endpoint Manager admin center. -- Use [co-management](/mem/configmgr/comanage/overview) to concurrently manage devices using both Configuration Manager and Microsoft Intune, allowing you to take advantage of cloud-powered capabilities like [Conditional Access](/azure/active-directory/conditional-access/overview). +- Use [co-management](/mem/configmgr/comanage/overview) to concurrently manage devices using both Configuration Manager and Microsoft Intune. This allows you to take advantage of cloud-powered capabilities like [Conditional Access](/azure/active-directory/conditional-access/overview). For more information on the benefits of these approaches, see [Cloud Attach Your Future: The Big 3](https://techcommunity.microsoft.com/t5/configuration-manager-blog/cloud-attach-your-future-part-ii-quot-the-big-3-quot/ba-p/1750664). @@ -92,11 +89,11 @@ Along with end-user experience and security improvements, Windows Sun Valley int **Quality updates**: Windows Sun Valley and Windows 10 devices will receive regular monthly quality updates to provide security updates and bug fixes. -**Feature updates**: Microsoft will provide a single feature update annually, targeted for release in the second half of each calendar year. +**Feature updates**: Microsoft will provide a single Windows Sun Valley feature update annually, targeted for release in the second half of each calendar year. **Lifecycle**: -- Home, Pro, Pro for Workstations, and Pro for Education editions of Windows Sun Valley will receive 24 months of support from the availability date. -- Enterprise and Education editions of Windows Sun Valley will be supported for 36 months from the availability date. +- Home, Pro, Pro for Workstations, and Pro for Education editions of Windows Sun Valley will receive 24 months of support from the general availability date. +- Enterprise and Education editions of Windows Sun Valley will be supported for 36 months from the general availability date. When Windows Sun Valley reaches general availability, a consolidated Windows Sun Valley update history will be available on support.microsoft.com, similar to what is [available today for Windows 10](https://support.microsoft.com/topic/windows-10-update-history-1b6aac92-bf01-42b5-b158-f80c6d93eb11). Similarly, the [Windows release health](/windows/release-health/) hub will offer quick access to Windows Sun Valley servicing announcements, known issues, and safeguard holds. @@ -104,7 +101,7 @@ It is important that organizations have adequate time to plan for Windows Sun Va ## Application compatibility -Microsoft's compatibility promise for Windows 10 is maintained for Windows Sun Valley. Data from the App Assure program shows that Windows 10 compatibility rates are over 99.7% for enterprise organizations, including line of business (LOB) apps. Microsoft remains committed to ensuring that the apps you rely upon continue to work as expected when you upgrade. Windows Sun Valley is subject to the same app compatibility validation requirements that are in place for Windows 10 today, and it is passing these requirements. +Microsoft's compatibility promise for Windows 10 is maintained for Windows Sun Valley. Data from the App Assure program shows that Windows 10 compatibility rates are over 99.7% for enterprise organizations, including line of business (LOB) apps. Microsoft remains committed to ensuring that the apps you rely upon continue to work as expected when you upgrade. Windows Sun Valley is subject to the same app compatibility validation requirements that are in place for Windows 10 today, for both feature and quality updates. #### App Assure and Test Base for Microsoft 365 @@ -122,4 +119,4 @@ You might already be using App Assure and Test Base in your Windows 10 environme ## Also see -Learning module +[Plan to deploy updates for Windows 10 and Microsoft 365 Apps](/learn/modules/windows-plan/) diff --git a/windows/whats-new/windows-sv-prepare.md b/windows/whats-new/windows-sv-prepare.md index 5220b153c3..dfca52badf 100644 --- a/windows/whats-new/windows-sv-prepare.md +++ b/windows/whats-new/windows-sv-prepare.md @@ -18,54 +18,54 @@ ms.topic: article **Applies to** -- Windows Sun Valley, version 21H2 +- Windows Sun Valley -Windows 10 and Windows Sun Valley are designed to coexist, so that you can use the same familiar tools and process to manage both operating systems. One management infrastructure that supports common applications across both Windows 10 and Windows Sun Valley helps to simplify the migration process. You can analyze endpoints, determine application compatibility, and manage Windows Sun Valley deployments in the same way that you do with Windows 10. +Windows 10 and Windows Sun Valley are designed to coexist, so that you can use the same familiar tools and process to manage both operating systems. Using a single management infrastructure that supports common applications across both Windows 10 and Windows Sun Valley helps to simplify the migration process. You can analyze endpoints, determine application compatibility, and manage Windows Sun Valley deployments in the same way that you do with Windows 10. -After you evaluate your hardware to see if it meets [requirements](windows-sv-requirements.md) for Windows Sun Valley, it's also a good time to review your deployment infrastructure, tools, and overall endpoint and update management processes and look for opportunities to simplify and optimize. This article provides some helpful guidance to accomplish these tasks. +After you evaluate your hardware to see if it meets [requirements](windows-sv-requirements.md) for Windows Sun Valley, it's a good time to review your deployment infrastructure, tools, and overall endpoint and update management processes and look for opportunities to simplify and optimize. This article provides some helpful guidance to accomplish these tasks. ## Infrastructure and tools -The tools that you use for heavy lifting during Windows 10 deployments can still be leveraged for Windows Sun Valley. A few nuanced differences are described below. +The tools that you use for core workloads during Windows 10 deployments can still be leveraged for Windows Sun Valley. A few nuanced differences are described below. > [!IMPORTANT] > Be sure to check with the providers of any non-Microsoft solutions that you use. Verify compatibility of these tools with Windows Sun Valley, particularly if they provide security or data loss prevention capabilities. -#### On-premises solutions +#### On-premise solutions -- If you use Windows Server Update Service (WSUS), you will need to sync the new **Windows Sun Valley** product category. Once you sync the product category, you will see Windows Sun Valley offered as an option. +- If you use Windows Server Update Service (WSUS), you will need to sync the new **Windows Sun Valley** product category. After you sync the product category, you will see Windows Sun Valley offered as an option. If you would like to validate Windows Sun Valley prior to release, you can sync the Windows Insider Pre-release category as well. > [!NOTE] - > During deployment, you will be prompted to agree to the end-user license agreement on behalf of your users. Additionally, you will not see an x86 option because Windows Sun Valley is not supported on 32-bit architecture. + > During deployment, you will be prompted to agree to the End User License Agreement on behalf of your users. Additionally, you will not see an x86 option because Windows Sun Valley is not supported on 32-bit architecture. - If you use Microsoft Endpoint Configuration Manager, you can sync the new **Windows Sun Valley** product category and begin upgrading eligible devices. If you would like to validate Windows Sun Valley prior to release, you can sync the **Windows Insider Pre-release** category as well. > [!NOTE] - > Configuration Manager will prompt you to accept the end-user license agreement on behalf of the users in your organization. + > Configuration Manager will prompt you to accept the End User License Agreement on behalf of the users in your organization. #### Cloud-based solutions -- If you use Windows Update for Business Group Policy and Configuration Service Provider (CSP) policies, you will need to leverage the **Target Version** capability rather than feature update deferrals to upgrade from Windows 10 to Windows Sun Valley. Feature Update deferrals are great to move to newer versions of your current product (Windows 10, version 20H2 to 21H1), but do not enable you to move between products (Windows 10 to Windows Sun Valley). -- Quality update deferrals will continue to work the same across both Windows 10 and Windows Sun Valley. This is true whether you are using Windows Update for Business, Microsoft Intune, or other management tools. +- If you use Windows Update for Business Group Policy or Configuration Service Provider (CSP) policies, you will need to leverage the **Target Version** capability rather than feature update deferrals to upgrade from Windows 10 to Windows Sun Valley. Feature Update deferrals are great to move to newer versions of your current product (for example, Windows 10, version 20H2 to 21H1), but do not enable you to move between products (Windows 10 to Windows Sun Valley). +- Quality update deferrals will continue to work the same across both Windows 10 and Windows Sun Valley. This is true regardless of which management tool you use to configure Windows Update for Business policies. - If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to use **Feature Update Deployments** to easily update devices from one release of Windows 10 to another, or to upgrade Windows 10 devices to Windows Sun Valley. You can also continue using the same update experience controls to manage Windows 10 and Windows Sun Valley. ## Cloud-based management -If you aren’t already taking advantage of cloud-based management capabilities, like those available in [Microsoft Endpoint Manager](/mem/endpoint-manager-overview), it's worth considering. In addition to consolidating device management and endpoint security into a single platform, it can better support the diverse bring-your-own-device (BYOD) ecosystem that is increasingly the norm with hybrid work scenarios. It can also enable you to track your progress against compliance and business objectives, while protecting end-user privacy. +If you aren’t already taking advantage of cloud-based management capabilities, like those available in [Microsoft Endpoint Manager](/mem/endpoint-manager-overview), it's worth considering. In addition to consolidating device management and endpoint security into a single platform, Microsoft Endpoint Manager can better support the diverse bring-your-own-device (BYOD) ecosystem that is increasingly the norm with hybrid work scenarios. It can also enable you to track your progress against compliance and business objectives, while protecting end-user privacy. The following are some common use cases and the corresponding Microsoft Endpoint Manager capabilities that support them: - **Provision and pre-configure new Windows Sun Valley devices**: [Windows Autopilot](/mem/autopilot/windows-autopilot) enables you to deploy new Windows Sun Valley devices in a “business-ready” state that includes your desired applications, settings, and policies. It can also be used to change the edition of Windows. For example, you can upgrade from Pro to Enterprise edition and gain the use of advanced features. -- **Configure rules and control settings for users, apps, and devices**: Devices that are enrolled in [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) provide administrators with full control over apps, settings, features, and security for both Windows Sun Valley and Windows 10. You can also use app protection policies to require multi-factor authentication (MFA) for specific apps. -- **Streamlined, easy-to-manage devices for frontline, remote, and onsite workers**: Introduced with Windows 10, [cloud configuration](/mem/intune/fundamentals/cloud-configuration) is a standard, easy-to-manage, device configuration that is cloud-optimized for users with specific workflow needs. It can be deployed to devices running the Pro, Enterprise, and Education editions of Windows Sun Valley by using Microsoft Endpoint Manager. +- **Configure rules and control settings for users, apps, and devices**: When you enroll devices in [Microsoft Intune](/mem/intune/fundamentals/what-is-intune), administrators have full control over apps, settings, features, and security for both Windows Sun Valley and Windows 10. You can also use app protection policies to require multi-factor authentication (MFA) for specific apps. +- **Streamline device management for frontline, remote, and onsite workers**: Introduced with Windows 10, [cloud configuration](/mem/intune/fundamentals/cloud-configuration) is a standard, easy-to-manage, device configuration that is cloud-optimized for users with specific workflow needs. It can be deployed to devices running the Pro, Enterprise, and Education editions of Windows Sun Valley by using Microsoft Endpoint Manager. -If you are exclusively managing devices on-premise (for example, using Configuration Manager), you can still use the [cloud management gateway](/mem/configmgr/core/clients/manage/cmg/overview), enable [tenant attach](/mem/configmgr/tenant-attach/device-sync-actions), or enable [co-management](/mem/configmgr/comanage/overview) with Microsoft Intune, making it easier to keep devices secure and up-to-date. +If you are exclusively using an on-premise device management solution (for example, Configuration Manager), you can still use the [cloud management gateway](/mem/configmgr/core/clients/manage/cmg/overview), enable [tenant attach](/mem/configmgr/tenant-attach/device-sync-actions), or enable [co-management](/mem/configmgr/comanage/overview) with Microsoft Intune. These solutions can make it easier to keep devices secure and up-to-date. ## Review servicing approach and policies Every organization will transition to Windows Sun Valley at its own pace. Microsoft is committed to supporting you through your migration to Windows Sun Valley, whether you are a fast adopter or will make the transition over the coming months or years. -When you think of operating system updates as an ongoing process, you will automatically improve your ability to deploy updates. This enables you to stay current with less effort and impact on productivity. To begin, think about how you roll out Windows feature updates today: which devices, and at what pace. +When you think of operating system updates as an ongoing process, you will automatically improve your ability to deploy updates. This approach enables you to stay current with less effort, and less impact on productivity. To begin, think about how you roll out Windows feature updates today: which devices, and at what pace. Next, craft a deployment plan for Windows Sun Valley that includes deployment groups, rings, users, or devices. There are no absolute rules for exactly how many rings to have for your deployments, but a common structure is: - Preview (first or canary): Planning and development @@ -88,15 +88,11 @@ If you use Windows Server Update Services, you can deploy directly from the Wind - Leverage Azure Virtual Desktop and Azure Marketplace images. - Download and deploy ISOs from Microsoft’s Windows Insider Program ISO Download page. -Regardless of the method you choose, you have the benefit of free Microsoft support when validating pre-release builds. Free support is available to any commercial customer deploying Windows 10, version 21H2 or Windows Sun Valley, version 21H2 pre-release bits, once they become available through the Windows Insider Program. +Regardless of the method you choose, you have the benefit of free Microsoft support when validating pre-release builds. Free support is available to any commercial customer deploying Windows 10 or Windows Sun Valley Preview Builds, once they become available through the Windows Insider Program. #### Analytics and assessment tools -If you use Microsoft Endpoint Manager and have onboarded devices to Endpoint analytics, you will have access to a hardware readiness assessment later this year. This tool enables you to quickly identify which of your managed devices are eligible for the Windows Sun Valley upgrade. - -If you are ready to explore Windows Sun Valley readiness right away, you can take advantage of Microsoft's [hardware eligibility assessment script](https://aka.ms/HWReadinessScript). This script includes instructions on how to deploy and aggregate your assessment results using Microsoft Intune or Configuration Manager, so you can quickly determine how many of your devices meet the hardware requirements for Windows Sun Valley. - -For more information, see [Understanding Windows Sun Valley readiness in your organization with Microsoft Endpoint Manager](https://aka.ms/HWReadinessBlog). +If you use Microsoft Endpoint Manager and have onboarded devices to Endpoint analytics, you will have access to a hardware readiness assessment later this year. This tool enables you to quickly identify which of your managed devices are eligible for the Windows Sun Valley upgrade. ## Prepare a pilot deployment @@ -112,9 +108,9 @@ At a high level, the tasks involved are: 6. Test and support the pilot devices. 7. Determine broad deployment readiness based on the results of the pilot. -## End-user readiness +## end-user readiness -To prepare an effective, enterprise-wide deployment of Windows Sun Valley, the importance of end-user readiness should not be overlooked. Windows Sun Valley has a familiar design, but your users will see several enhancements to the overall user interface. They will also need to adapt to changes in menus and settings pages. Therefore, consider the following tasks to prepare users and your IT support staff Windows Sun Valley: +Do not overlook the importance of end-user readiness to deliver an effective, enterprise-wide deployment of Windows Sun Valley. Windows Sun Valley has a familiar design, but your users will see several enhancements to the overall user interface. They will also need to adapt to changes in menus and settings pages. Therefore, consider the following tasks to prepare users and your IT support staff Windows Sun Valley: - Create a communications schedule to ensure that you provide the right message at the right time to the right groups of users, based on when they will see the changes. - Draft concise emails that inform users of what changes they can expect to see. Offer tips on how to use or customize their experience. Include information about support and help desk options. - Update help desk manuals with screenshots of the new user interface, the out-of-box experience for new devices, and the upgrade experience for existing devices. @@ -125,4 +121,5 @@ See the [Stay current with Windows 10 and Microsoft 365 Apps](/learn/paths/m365- ## See also -[Windows Sun Valley deployment planning](windows-sv-plan.md) +[Plan for Windows Sun Valley](windows-sv-plan.md)
+[Windows help & learning](https://support.microsoft.com/windows) diff --git a/windows/whats-new/windows-sv-requirements.md b/windows/whats-new/windows-sv-requirements.md index f32476c8f3..75dffa0e7b 100644 --- a/windows/whats-new/windows-sv-requirements.md +++ b/windows/whats-new/windows-sv-requirements.md @@ -19,7 +19,7 @@ ms.custom: seo-marvel-apr2020 **Applies to** -- Windows Sun Valley, version 21H2 +- Windows Sun Valley This article lists the system requirements for Windows Sun Valley. Windows Sun Valley is also supported on a virtual machine (VM). @@ -29,15 +29,17 @@ To install or upgrade to Windows Sun Valley, devices must meet the following min - Processor: 1 gigahertz (GHz) or faster with two or more cores on a [compatible 64-bit processor](https://aka.ms/CPUlist) or system on a chip (SoC). - RAM: 4 gigabytes (GB) or greater. -- Storage: 64 GB or greater available storage is required to install Windows Sun Valley. +- Storage: 64 GB\* or greater available storage is required to install Windows Sun Valley. - Additional storage space might be required to download updates and enable specific features. - Graphics card: Compatible with DirectX 12 or later, with a WDDM 2.0 driver. - System firmware: UEFI, Secure Boot capable. -- TPM: Trusted Platform Module (TPM) version 2.0. +- TPM: [Trusted Platform Module](/windows/security/information-protection/tpm/trusted-platform-module-overview) (TPM) version 2.0. - Display: High definition (720p) display, 9" or greater monitor, 8 bits per color channel. -- Internet connection: Internet connectivity is necessary to perform updates, download, and use some features. +- Internet connection: Internet connectivity is necessary to perform updates, and to download and use some features. - Windows Sun Valley Home edition requires an Internet connection and a Microsoft Account to complete device setup on first use. +\* There might be additional requirements over time for updates, and to enable specific features within the operating system. For more information, see [Keeping Windows Sun Valley up-to-date](https://www.microsoft.com/windows/windows-10-specifications#primaryR5). + For information about tools to evaluate readiness, see [Determine eligibility](windows-sv-plan.md#determine-eligibility). ## Operating system requirements @@ -46,7 +48,7 @@ For the best Windows Sun Valley upgrade experience, eligible devices should be r > [!NOTE] > S mode is not supported on Windows Sun Valley. -> If you are running Windows in S mode, you will need to first [switch out of S mode](/windows/deployment/windows-10-pro-in-s-mode) prior to upgrading.
+> If you are running Windows in S mode, you will need to first [switch out of S mode](/windows/deployment/windows-10-pro-in-s-mode) prior to upgrading.
 
> Switching a device out of Windows 10 in S mode also requires internet connectivity. If you switch out of S mode, you cannot switch back to S mode later. ## Feature-specific requirements @@ -59,7 +61,7 @@ Some features in Windows Sun Valley have requirements beyond those listed above. - **Client Hyper-V**: requires a processor with second-level address translation (SLAT) capabilities. This feature is available in Windows Pro editions and above. - **Cortana**: requires a microphone and speaker and is currently available on Windows Sun Valley for Australia, Brazil, Canada, China, France, Germany, India, Italy, Japan, Mexico, Spain, United Kingdom, and United States. - **DirectStorage**: requires 1 TB or greater NVMe SSD to store and run games that use the "Standard NVM Express Controller" driver and a DirectX12 Ultimate GPU. -- **DirectX 12 Ultimate**: is available with supported games and graphics chips. +- **DirectX 12 Ultimate**: available with supported games and graphics chips. - **Presence**: requires sensor that can detect human distance from device or intent to interact with device. - **Intelligent Video Conferencing**: requires video camera, microphone, and speaker (audio output) - **Multiple Voice Assistant**: requires a microphone and speaker. @@ -74,12 +76,12 @@ Some features in Windows Sun Valley have requirements beyond those listed above. - **Wi-Fi 6E**: requires new WLAN IHV hardware and driver and a Wi-Fi 6E capable AP/router. - **Windows Hello**: requires a camera configured for near infrared (IR) imaging or fingerprint reader for biometric authentication. Devices without biometric sensors can use Windows Hello with a PIN or portable Microsoft compatible security key. For more information, see [IT tools to support Windows 10, version 21H1](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103). - **Windows Projection**: requires a display adapter which supports Windows Display Driver Model (WDDM) 2.0 and a Wi-Fi adapter that supports Wi-Fi Direct. -- **Xbox app**: requires an Xbox Live account, which is not available in all regions. Please go to the Xbox Live Countries and Regions page for the most up-to-date information on availability. Some features in the Xbox app will require an active Xbox Game Pass subscription. See https://www.xbox.com/xbox-game-pass to learn more about the pass. +- **Xbox app**: requires an Xbox Live account, which is not available in all regions. Please go to the Xbox Live Countries and Regions page for the most up-to-date information on availability. Some features in the Xbox app will require an active [Xbox Game Pass](https://www.xbox.com/xbox-game-pass) subscription. ## Next steps -[Plan to deploy Windows Sun Valley](windows-sv-plan.md)
+[Plan for Windows Sun Valley](windows-sv-plan.md)
[Prepare for Windows Sun Valley](windows-sv-prepare.md) ## See also diff --git a/windows/whats-new/windows-sv.md b/windows/whats-new/windows-sv.md index 335297ca86..392951b9ff 100644 --- a/windows/whats-new/windows-sv.md +++ b/windows/whats-new/windows-sv.md @@ -20,9 +20,9 @@ ms.custom: seo-marvel-apr2020 **Applies to** -- Windows Sun Valley, version 21H2 +- Windows Sun Valley -This article provides an introduction and answers some frequently asked questions about Windows Sun Valley, the next Windows client operating system release. +This article provides an introduction to Windows Sun Valley, and answers some frequently asked questions. Also see the following articles to learn more about Windows Sun Valley: @@ -32,19 +32,17 @@ Also see the following articles to learn more about Windows Sun Valley: ## Introduction -Windows Sun Valley is the next evolution of Windows; the most significant update to the Windows operating system since Windows 10. It offers many innovations focused on enhancing end-user productivity in a fresh experience that is flexible and fluid. Windows Sun Valley is designed to support today's hybrid work environment, and intended to be the most reliable, secure, connected, and performant Windows operating system ever. +Windows Sun Valley is the next evolution of Windows; it is the most significant update to the Windows operating system since Windows 10. It offers many innovations focused on enhancing end-user productivity in a fresh experience that is flexible and fluid. Windows Sun Valley is designed to support today's hybrid work environment, and intended to be the most reliable, secure, connected, and performant Windows operating system ever. -This release is built on the same foundation as Windows 10, so the investments you have made in tools for update and device management are carried forward. Windows Sun Valley also sustains the application compatibility promise made with Windows 10, supplemented by programs like App Assure. For Microsoft 365 customers seeking further assistance, FastTrack will continue to be available to support your efforts to adopt Windows Sun Valley. - -After Windows Sun Valley is generally available, it is expected that many organizations will have a mixed environment of Windows Sun Valley and Windows 10 devices. The guidance provided here can help you to manage this hybrid environment. +Windows Sun Valley is built on the same foundation as Windows 10, so the investments you have made in tools for update and device management are carried forward. Windows Sun Valley also sustains the application compatibility promise made with Windows 10, supplemented by programs like App Assure. For Microsoft 365 customers seeking further assistance, FastTrack will continue to be available to support your efforts to adopt Windows Sun Valley. ## How to get Windows Sun Valley Windows Sun Valley will be delivered as an upgrade to eligible devices running Windows 10, beginning later in the 2021 calendar year. Windows Sun Valley will also be available on eligible new devices. -For administrators managing devices on behalf of their organization, Windows Sun Valley will be available through the same, familiar channels that you utilize today for Windows 10 feature updates. You will be able to use existing deployment and management tools, such as Windows Update for Business, Microsoft Endpoint Management, and Windows Autopilot. For more information, see [Plan for Windows Sun Valley](windows-sv-plan.md). +For administrators managing devices on behalf of their organization, Windows Sun Valley will be available through the same, familiar channels that you use today for Windows 10 feature updates. You will be able to use existing deployment and management tools, such as Windows Update for Business, Microsoft Endpoint Manager, and Windows Autopilot. For more information, see [Plan for Windows Sun Valley](windows-sv-plan.md). -For eligible PCs that are not managed by an organization, the Windows Sun Valley upgrade will be offered through Windows Update using Microsoft's intelligent rollout process to ensure a smooth upgrade experience. Windows Sun Valley will initially be offered to Windows 10 devices purchased after June 2021 that meet or exceed the minimum hardware requirements. +For devices that are not managed by an organization, the Windows Sun Valley upgrade will be offered to eligible Windows 10 devices through Windows Update using Microsoft's intelligent rollout process to ensure a smooth upgrade experience. For more information about device eligibility, see [Windows Sun Valley requirements](windows-sv-requirements.md). @@ -79,7 +77,7 @@ For more information, see [Prepare for Windows Sun Valley](windows-sv-prepare.md Like Windows 10, Windows Sun Valley will receive monthly quality updates. However, it will have a new feature update cadence. Windows Sun Valley feature updates will be released once per year. -When Windows Sun Valley reaches general availability, important servicing-related announcements and information about known issues and safeguard holds can be found on the Windows release health hub. Monthly release notes will also be available from a consolidated Windows Sun Valley update history page at that time. For more information, see [Servicing and support](windows-sv-plan.md#servicing-and-support). +When Windows Sun Valley reaches general availability, important servicing-related announcements and information about known issues and safeguard holds can be found on the [Windows release health](https://aka.ms/windowsreleasehealth) hub. Monthly release notes will also be available from a consolidated Windows Sun Valley update history page at that time. For more information, see [Servicing and support](windows-sv-plan.md#servicing-and-support). ## Next steps From b840943cb4adfc4afc0d6d867f1ef1d721f64cb1 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Wed, 23 Jun 2021 13:58:33 -0700 Subject: [PATCH 373/415] warning --- windows/sv/index.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/windows/sv/index.md b/windows/sv/index.md index 6f48df996d..6918ab9666 100644 --- a/windows/sv/index.md +++ b/windows/sv/index.md @@ -1,8 +1,11 @@ --- title: SV +description: SV md.prod: w10 +manager: laurawi +ms.topic: article author: greg-lindsay ms.author: greglin --- -# \ No newline at end of file +# . \ No newline at end of file From 37adc674590200f58a76dfcd24a24eb5790ee2ad Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Wed, 23 Jun 2021 14:06:58 -0700 Subject: [PATCH 374/415] final --- windows/sv/index.md | 2 +- windows/whats-new/windows-sv-prepare.md | 4 ++-- windows/whats-new/windows-sv-requirements.md | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/sv/index.md b/windows/sv/index.md index 6918ab9666..7a31c42d39 100644 --- a/windows/sv/index.md +++ b/windows/sv/index.md @@ -1,7 +1,7 @@ --- title: SV description: SV -md.prod: w10 +ms.prod: w10 manager: laurawi ms.topic: article author: greg-lindsay diff --git a/windows/whats-new/windows-sv-prepare.md b/windows/whats-new/windows-sv-prepare.md index dfca52badf..e6f48a1037 100644 --- a/windows/whats-new/windows-sv-prepare.md +++ b/windows/whats-new/windows-sv-prepare.md @@ -26,7 +26,7 @@ After you evaluate your hardware to see if it meets [requirements](windows-sv-re ## Infrastructure and tools -The tools that you use for core workloads during Windows 10 deployments can still be leveraged for Windows Sun Valley. A few nuanced differences are described below. +The tools that you use for core workloads during Windows 10 deployments can still be used for Windows Sun Valley. A few nuanced differences are described below. > [!IMPORTANT] > Be sure to check with the providers of any non-Microsoft solutions that you use. Verify compatibility of these tools with Windows Sun Valley, particularly if they provide security or data loss prevention capabilities. @@ -45,7 +45,7 @@ The tools that you use for core workloads during Windows 10 deployments can stil #### Cloud-based solutions -- If you use Windows Update for Business Group Policy or Configuration Service Provider (CSP) policies, you will need to leverage the **Target Version** capability rather than feature update deferrals to upgrade from Windows 10 to Windows Sun Valley. Feature Update deferrals are great to move to newer versions of your current product (for example, Windows 10, version 20H2 to 21H1), but do not enable you to move between products (Windows 10 to Windows Sun Valley). +- If you use Windows Update for Business Group Policy or Configuration Service Provider (CSP) policies, you will need to use the **Target Version** capability rather than feature update deferrals to upgrade from Windows 10 to Windows Sun Valley. Feature Update deferrals are great to move to newer versions of your current product (for example, Windows 10, version 20H2 to 21H1), but do not enable you to move between products (Windows 10 to Windows Sun Valley). - Quality update deferrals will continue to work the same across both Windows 10 and Windows Sun Valley. This is true regardless of which management tool you use to configure Windows Update for Business policies. - If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to use **Feature Update Deployments** to easily update devices from one release of Windows 10 to another, or to upgrade Windows 10 devices to Windows Sun Valley. You can also continue using the same update experience controls to manage Windows 10 and Windows Sun Valley. diff --git a/windows/whats-new/windows-sv-requirements.md b/windows/whats-new/windows-sv-requirements.md index 75dffa0e7b..eb25e65a86 100644 --- a/windows/whats-new/windows-sv-requirements.md +++ b/windows/whats-new/windows-sv-requirements.md @@ -75,7 +75,7 @@ Some features in Windows Sun Valley have requirements beyond those listed above. - **Wake on Voice**: requires Modern Standby power model and microphone. - **Wi-Fi 6E**: requires new WLAN IHV hardware and driver and a Wi-Fi 6E capable AP/router. - **Windows Hello**: requires a camera configured for near infrared (IR) imaging or fingerprint reader for biometric authentication. Devices without biometric sensors can use Windows Hello with a PIN or portable Microsoft compatible security key. For more information, see [IT tools to support Windows 10, version 21H1](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103). -- **Windows Projection**: requires a display adapter which supports Windows Display Driver Model (WDDM) 2.0 and a Wi-Fi adapter that supports Wi-Fi Direct. +- **Windows Projection**: requires a display adapter that supports Windows Display Driver Model (WDDM) 2.0 and a Wi-Fi adapter that supports Wi-Fi Direct. - **Xbox app**: requires an Xbox Live account, which is not available in all regions. Please go to the Xbox Live Countries and Regions page for the most up-to-date information on availability. Some features in the Xbox app will require an active [Xbox Game Pass](https://www.xbox.com/xbox-game-pass) subscription. From d84deb14fe354539e2cfc5dd6135d30f1e1f08d5 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 23 Jun 2021 15:14:07 -0700 Subject: [PATCH 375/415] Update defender-csp.md --- windows/client-management/mdm/defender-csp.md | 73 ++++++++++++++++++- 1 file changed, 71 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index eeb53adf0b..3916a1550a 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -10,7 +10,7 @@ ms.prod: w10 ms.technology: windows author: dansimp ms.localizationpriority: medium -ms.date: 06/02/2021 +ms.date: 06/23/2021 --- # Defender CSP @@ -59,6 +59,9 @@ Defender --------TamperProtection (Added in Windows 10, version 1903) --------EnableFileHashComputation (Added in Windows 10, version 1903) --------SupportLogLocation (Added in the next major release of Windows 10) +--------PlatformUpdatesChannel (Added with the 4.18.2106.5 Defender platform release) +--------EngineUpdatesChannel (Added with the 4.18.2106.5 Defender platform release) +--------SignaturesUpdatesChannel (Added with the 4.18.2106.5 Defender platform release) ----Scan ----UpdateSignature ----OfflineScan (Added in Windows 10 version 1803) @@ -518,9 +521,75 @@ When enabled or disabled exists on the client and admin moves the setting to not More details: -- [Microsoft Defender AV diagnostic data](/microsoft-365/security/defender-endpoint/collect-diagnostic-data) +- [Microsoft Defender Antivirus diagnostic data](/microsoft-365/security/defender-endpoint/collect-diagnostic-data) - [Collect investigation package from devices](/microsoft-365/security/defender-endpoint/respond-machine-alerts#collect-investigation-package-from-devices) +**Configuration/PlatformUpdatesChannel** + +Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout. + +Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. + +Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. + +Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). + +Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). + +If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices. + +The data type is integer. + +Supported operations are Add, Delete, Get, Replace. + +Valid values are: +- 0: Not configured (Default) +- 1: Beta Channel - Prerelease +- 2: Current Channel (Preview) +- 3: Current Channel (Staged) +- 4: Current Channel (Broad) + +**Configuration/EngineUpdatesChannel** + +Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout. + +Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. + +Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. + +Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). + +Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). + +If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices. + +The data type is integer. + +Supported operations are Add, Delete, Get, Replace. + +Valid values are: +- 0 - Not configured (Default) +- 1 - Beta Channel - Prerelease +- 2 - Current Channel (Preview) +- 3 - Current Channel (Staged) +- 4 - Current Channel (Broad) + +**Configuration/DefinitionUpdatesChannel** + +Enable this policy to specify when devices receive daily Microsoft Defender definition updates during the daily gradual rollout. + +Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). + +If you disable or do not configure this policy, the device will stay up to date automatically during the daily release cycle. Suitable for most devices. + +The data type is integer. +Supported operations are Add, Delete, Get, Replace. + +Valid Values are: +- 0: Not configured (Default) +- 3: Current Channel (Staged) +- 4: Current Channel (Broad) + **Scan** Node that can be used to start a Windows Defender scan on a device. From 9f21e81e112a2c816c10ec7a8f0dab73b3723e36 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 23 Jun 2021 15:21:45 -0700 Subject: [PATCH 376/415] Update defender-csp.md --- windows/client-management/mdm/defender-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index 3916a1550a..97561119e4 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -574,7 +574,7 @@ Valid values are: - 3 - Current Channel (Staged) - 4 - Current Channel (Broad) -**Configuration/DefinitionUpdatesChannel** +**Configuration/SignaturesUpdatesChannel** Enable this policy to specify when devices receive daily Microsoft Defender definition updates during the daily gradual rollout. From 051dd31f47d60f5b74e9cceaef1ca96a84b432b8 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Thu, 24 Jun 2021 01:00:11 -0700 Subject: [PATCH 377/415] 11 --- windows/application-management/index.yml | 2 +- windows/deployment/TOC.yml | 12 +- windows/deployment/deploy-whats-new.md | 2 +- windows/deployment/index.yml | 4 +- windows/hub/TOC.yml | 4 +- windows/hub/index.yml | 20 +-- windows/sv/docfx.json | 4 +- windows/whats-new/TOC.yml | 18 +-- windows/whats-new/index.yml | 24 ++-- windows/whats-new/windows-11-plan.md | 122 ++++++++++++++++++ ...ws-sv-prepare.md => windows-11-prepare.md} | 52 ++++---- ...irements.md => windows-11-requirements.md} | 34 ++--- windows/whats-new/windows-11.md | 86 ++++++++++++ windows/whats-new/windows-sv-plan.md | 122 ------------------ windows/whats-new/windows-sv.md | 86 ------------ 15 files changed, 296 insertions(+), 296 deletions(-) create mode 100644 windows/whats-new/windows-11-plan.md rename windows/whats-new/{windows-sv-prepare.md => windows-11-prepare.md} (60%) rename windows/whats-new/{windows-sv-requirements.md => windows-11-requirements.md} (76%) create mode 100644 windows/whats-new/windows-11.md delete mode 100644 windows/whats-new/windows-sv-plan.md delete mode 100644 windows/whats-new/windows-sv.md diff --git a/windows/application-management/index.yml b/windows/application-management/index.yml index dc786fd289..d3a95df0d0 100644 --- a/windows/application-management/index.yml +++ b/windows/application-management/index.yml @@ -5,7 +5,7 @@ summary: Learn about managing applications in Windows client, including how to r metadata: title: Windows application management # Required; page title displayed in search results. Include the brand. < 60 chars. - description: Learn about managing applications in Windows 10 and Windows Sun Valley. # Required; article description that is displayed in search results. < 160 chars. + description: Learn about managing applications in Windows 10 and Windows 11. # Required; article description that is displayed in search results. < 160 chars. services: windows-10 ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. ms.subservice: subservice diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index e3fcfca9e0..cafdf97782 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml @@ -5,8 +5,8 @@ items: - name: What's new href: deploy-whats-new.md - - name: Windows Sun Valley deployment overview - href: /windows/whats-new/windows-sv-overview.md + - name: Windows 11 deployment overview + href: /windows/whats-new/windows-11-overview.md - name: Windows client deployment scenarios href: windows-10-deployment-scenarios.md - name: What is Windows as a service? @@ -35,8 +35,8 @@ - name: Plan items: - - name: Windows Sun Valley deployment planning - href: /windows/whats-new/windows-sv-plan.md + - name: Windows 11 deployment planning + href: /windows/whats-new/windows-11-plan.md - name: Create a deployment plan href: update/create-deployment-plan.md - name: Define readiness criteria @@ -71,8 +71,8 @@ - name: Prepare items: - - name: Prepare to deploy Windows Sun Valley - href: /windows/whats-new/windows-sv-prepare.md + - name: Prepare to deploy Windows 11 + href: /windows/whats-new/windows-11-prepare.md - name: Prepare to deploy Windows 10 updates href: update/prepare-deploy-windows.md - name: Evaluate and update infrastructure diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index 583e4392a1..fa8ca9e964 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md @@ -26,7 +26,7 @@ ms.custom: seo-marvel-apr2020 This topic provides an overview of new solutions and online content related to deploying Windows client in your organization. - For an all-up overview of new features in Windows 10, see [What's new in Windows 10](/windows/whats-new/index). -- For an overview of Windows Sun Valley, see [What's new in Windows Sun Valley](/windows/whats-new/windows-sv). +- For an overview of Windows 11, see [What's new in Windows 11](/windows/whats-new/windows-11). ## Latest news diff --git a/windows/deployment/index.yml b/windows/deployment/index.yml index eda7ab8577..d938c4922b 100644 --- a/windows/deployment/index.yml +++ b/windows/deployment/index.yml @@ -66,8 +66,8 @@ landingContent: links: - text: What's new in Windows deployment url: deploy-whats-new.md - - text: Windows Sun Valley overview - url: /windows/whats-new/windows-sv.md + - text: Windows 11 overview + url: /windows/whats-new/windows-11.md - text: Windows client deployment scenarios url: windows-10-deployment-scenarios.md - text: Basics of Windows updates, channels, and tools diff --git a/windows/hub/TOC.yml b/windows/hub/TOC.yml index 1752028577..a199923b84 100644 --- a/windows/hub/TOC.yml +++ b/windows/hub/TOC.yml @@ -6,8 +6,8 @@ items: - name: What's new in Windows href: /windows/whats-new - - name: Windows Sun Valley - href: /windows/whats-new/windows-sv + - name: Windows 11 + href: /windows/whats-new/windows-11 - name: Release information href: /windows/release-health - name: Deployment diff --git a/windows/hub/index.yml b/windows/hub/index.yml index 846ee4e900..f61c3a9861 100644 --- a/windows/hub/index.yml +++ b/windows/hub/index.yml @@ -1,11 +1,11 @@ ### YamlMime:Landing title: Windows client resources and documentation for IT Pros # < 60 chars -summary: Plan, deploy, secure, and manage devices running Windows 10 and Windows Sun Valley. # < 160 chars +summary: Plan, deploy, secure, and manage devices running Windows 10 and Windows 11. # < 160 chars metadata: title: Windows client documentation for IT Pros # Required; page title displayed in search results. Include the brand. < 60 chars. - description: Evaluate, plan, deploy, secure, and manage devices running Windows 10 and Windows Sun Valley. # Required; article description that is displayed in search results. < 160 chars. + description: Evaluate, plan, deploy, secure, and manage devices running Windows 10 and Windows 11. # Required; article description that is displayed in search results. < 160 chars. services: windows-10 ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. ms.subservice: subservice @@ -26,14 +26,14 @@ landingContent: linkLists: - linkListType: overview links: - - text: Windows Sun Valley overview - url: /windows/whats-new/windows-sv - - text: Windows Sun Valley requirements - url: /windows/whats-new/windows-sv-requirements - - text: Plan for Windows Sun Valley - url: /windows/whats-new/windows-sv-plan - - text: Prepare for Windows Sun Valley - url: /windows/whats-new/windows-sv-prepare + - text: Windows 11 overview + url: /windows/whats-new/windows-11 + - text: Windows 11 requirements + url: /windows/whats-new/windows-11-requirements + - text: Plan for Windows 11 + url: /windows/whats-new/windows-11-plan + - text: Prepare for Windows 11 + url: /windows/whats-new/windows-11-prepare - text: What's new in Windows 10, version 21H1 url: /windows/whats-new/whats-new-windows-10-version-21H1 - text: Windows release information diff --git a/windows/sv/docfx.json b/windows/sv/docfx.json index fe874614d1..e7955464fe 100644 --- a/windows/sv/docfx.json +++ b/windows/sv/docfx.json @@ -39,13 +39,13 @@ "overwrite": [], "externalReference": [], "globalMetadata": { - "breadcrumb_path": "/windows/windows-sv/breadcrumb/toc.json", + "breadcrumb_path": "/windows/windows-11/breadcrumb/toc.json", "extendBreadcrumb": true, "feedback_system": "None" }, "fileMetadata": {}, "template": [], - "dest": "windows-sv", + "dest": "windows-11", "markdownEngineName": "markdig" } } \ No newline at end of file diff --git a/windows/whats-new/TOC.yml b/windows/whats-new/TOC.yml index 71e18303ee..a9ae9e12ba 100644 --- a/windows/whats-new/TOC.yml +++ b/windows/whats-new/TOC.yml @@ -1,16 +1,16 @@ - name: What's new in Windows href: index.yml -- name: Windows Sun Valley +- name: Windows 11 expanded: true items: - - name: Windows Sun Valley overview - href: windows-sv.md - - name: Windows Sun Valley requirements - href: windows-sv-requirements.md - - name: Plan for Windows Sun Valley - href: windows-sv-plan.md - - name: Prepare for Windows Sun Valley - href: windows-sv-prepare.md + - name: Windows 11 overview + href: windows-11.md + - name: Windows 11 requirements + href: windows-11-requirements.md + - name: Plan for Windows 11 + href: windows-11-plan.md + - name: Prepare for Windows 11 + href: windows-11-prepare.md - name: Windows 10 expanded: true items: diff --git a/windows/whats-new/index.yml b/windows/whats-new/index.yml index fbea14e982..375f946870 100644 --- a/windows/whats-new/index.yml +++ b/windows/whats-new/index.yml @@ -1,11 +1,11 @@ ### YamlMime:Landing title: What's new in Windows # < 60 chars -summary: Find out about new features and capabilities in the latest release of Windows 10 and Windows Sun Valley. # < 160 chars +summary: Find out about new features and capabilities in the latest release of Windows 10 and Windows 11. # < 160 chars metadata: title: What's new in Windows # Required; page title displayed in search results. Include the brand. < 60 chars. - description: Find out about new features and capabilities in the latest release of Windows 10 and Windows Sun Valley. # Required; article description that is displayed in search results. < 160 chars. + description: Find out about new features and capabilities in the latest release of Windows 10 and Windows 11. # Required; article description that is displayed in search results. < 160 chars. services: windows-10 ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. ms.subservice: subservice @@ -13,7 +13,7 @@ metadata: ms.collection: windows-10 author: greg-lindsay #Required; your GitHub user alias, with correct capitalization. ms.author: greglin #Required; microsoft alias of author; optional team alias. - ms.date: 06/02/2021 #Required; mm/dd/yyyy format. + ms.date: 06/24/2021 #Required; mm/dd/yyyy format. localization_priority: medium # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new @@ -23,18 +23,18 @@ landingContent: # Start card title with a verb # Card (optional) - - title: Windows Sun Valley + - title: Windows 11 linkLists: - linkListType: overview links: - - text: Windows Sun Valley Overview - url: windows-sv.md - - text: Windows Sun Valley requirements - url: windows-sv-requirements.md - - text: Plan for Windows Sun Valley - url: windows-sv-plan.md - - text: Prepare for Windows Sun Valley - url: windows-sv-prepare.md + - text: Windows 11 overview + url: windows-11.md + - text: Windows 11 requirements + url: windows-11-requirements.md + - text: Plan for Windows 11 + url: windows-11-plan.md + - text: Prepare for Windows 11 + url: windows-11-prepare.md - title: Windows 10 linkLists: diff --git a/windows/whats-new/windows-11-plan.md b/windows/whats-new/windows-11-plan.md new file mode 100644 index 0000000000..ad68e1ebfa --- /dev/null +++ b/windows/whats-new/windows-11-plan.md @@ -0,0 +1,122 @@ +--- +title: Plan for Windows 11 +description: Windows 11 deployment planning, IT Pro content. +keywords: ["get started", "windows 11", "plan"] +ms.prod: w11 +ms.mktglfcycl: deploy +ms.sitesec: library +author: greg-lindsay +ms.author: greglin +ms.date: 06/24/2021 +ms.reviewer: +manager: laurawi +ms.localizationpriority: high +ms.topic: article +--- + +# Plan for Windows 11 + +**Applies to** + +- Windows 11 + +## Deployment planning + +This article provides guidance to help you plan for Windows 11 in your organization. + +Since Windows 11 is built on the same foundation as Windows 10, you can use the same deployment capabilities, scenarios, and tools—as well as the same basic deployment strategy that you use today for Windows 10. You will need to review and update your servicing strategy to adjust for changes in [Servicing and support](#servicing-and-support) for Windows 11. + +At a high level, this strategy should include the following steps: +- [Create a deployment plan](/windows/deployment/update/create-deployment-plan) +- [Define readiness criteria](/windows/deployment/update/plan-define-readiness) +- [Evaluate infrastructure and tools](/windows/deployment/update/eval-infra-tools) +- [Determine application readiness](/windows/deployment/update/plan-determine-app-readiness) +- [Define your servicing strategy](/windows/deployment/update/plan-define-strategy) + +If you are looking for ways to optimize your approach to deploying Windows 11, or if deploying a new version of an operating system is not a familiar process for you, some items to consider are provided below. + +## Determine eligibility + +As a first step, you will need to know which of your current devices meet the Windows 11 hardware requirements. Most devices purchased in the last 18-24 months will be compatible with Windows 11. Verify that your device meets or exceeds [Windows 11 requirements](windows-11-requirements.md) to ensure it is compatible. + +Microsoft is currently developing analysis tools to help you evaluate your devices against the Windows 11 hardware requirements. When Windows 11 reaches general availability, end-users running Windows 10 Home, Pro, and Pro for Workstations will be able to use the **PC Health Check** app to determine their eligibility for Windows 11. end-users running Windows 10 Enterprise and Education editions should rely on their IT administrators to let them know when they are eligible for the upgrade.  + +Enterprise organizations looking to evaluate device readiness in their environments can expect this capability to be integrated into existing Microsoft tools, such as Endpoint analytics and Update Compliance. This capability will be available when Windows 11 is generally available. Microsoft is also working with software publishing partners to facilitate adding Windows 11 device support into their solutions. + +## Windows 11 availability + +The availability of Windows 11 will vary according to a device's hardware and whether the device receives updates directly, or from a management solution that is maintained by an IT administrator. + +##### Managed devices + +Managed devices are devices that are under organization control. Managed devices include those managed by Microsoft Intune, Microsoft Endpoint Configuration Manager, or other endpoint management solutions. + +If you manage devices on behalf of your organization, you will be able to upgrade eligible devices to Windows 11 using your existing deployment and management tools at no cost when the upgrade reaches general availability. Organizations that use Windows Update for Business will have added benefits, such as: + +- Ensuring that devices that don't meet the minimum hardware requirements are not automatically offered the Windows 11 upgrade. +- Additional insight into safeguard holds. While safeguard holds will function for Windows 11 devices just as they do for Windows 10 today, administrators using Windows Update for Business will have access to information on which safeguard holds are preventing individual devices from taking the upgrade to Windows 11. + +> [!NOTE] +> If you use Windows Update for Business to manage feature update deployments today, you will need to leverage the **Target Version** policy rather than **Feature Update deferrals** to move from Windows 10 to Windows 11. Deferrals are great for quality updates or to move to newer version of the same product (from example, from Windows 10, version 20H2 to 21H1), but they cannot migrate a device between products (from Windows 10 to Windows 11).
+> Additionally, Windows 11 has a new End User License Agreement. If you are deploying with Windows Update for Business **Target Version** or with Windows Server Update Services, you are accepting this new End User License Agreement on behalf of the end-users within your organization. + +##### Unmanaged devices + +Unmanaged devices are devices that are not managed by an IT administrator on behalf of an organization. For operating system (OS) deployment, these devices are not subject to organizational policies that manage upgrades or updates. + +Windows 11 will be offered to eligible Windows 10 devices beginning later in the 2021 calendar year. Messaging on new devices will vary by PC manufacturer, but users will see labels such as **This PC will upgrade to Windows 11 once available** on products that are available for purchase. + +The Windows 11 upgrade will be available initially on eligible, unmanaged devices to users who manually seek the upgrade through Windows Update. As with all Windows Update managed devices, the **Windows Update Settings** page will confirm when a device is eligible, and users can upgrade if they choose to. + +Just like Windows 10, the machine learning based [intelligent rollout](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/using-machine-learning-to-improve-the-windows-10-update/ba-p/877860) process will be leveraged when rolling out upgrades. Machine learning uses a combination of testing, close partner engagement, feedback, diagnostic data, and real-life insights to manage quality. This process improves the update experience and ensures that devices first nominated for updates are the devices likely to have a seamless experience. Devices that might have compatibility issues with the upgrade get the benefit of resolving these issues before the upgrade is offered. + +## Windows 11 readiness considerations + +The recommended method to determine if your infrastructure, deployment processes, and management tools are ready for Windows 11 is to join the [Windows Insider Program for Business](https://insider.windows.com/for-business). As a participant in the [Release Preview Channel](/windows-insider/business/validate-Release-Preview-Channel), you can validate that your devices and applications work as expected, and explore new features. + +As you plan your endpoint management strategy for Windows 11, consider moving to cloud-based mobile device management (MDM), such as [Microsoft Intune](/mem/intune/fundamentals/what-is-intune). If a cloud-only approach isn't right for your organization just yet, you can still modernize and streamline essential pieces of your endpoint management strategy as follows: +- Create a [cloud management gateway](/mem/configmgr/core/clients/manage/cmg/overview) (CMG) to manage Configuration Manager clients over the internet. +- Attach your existing Configuration Management estate to the cloud with [tenant attach](/mem/configmgr/tenant-attach/device-sync-actions) so you can manage all devices from within the Microsoft Endpoint Manager admin center. +- Use [co-management](/mem/configmgr/comanage/overview) to concurrently manage devices using both Configuration Manager and Microsoft Intune. This allows you to take advantage of cloud-powered capabilities like [Conditional Access](/azure/active-directory/conditional-access/overview). + +For more information on the benefits of these approaches, see [Cloud Attach Your Future: The Big 3](https://techcommunity.microsoft.com/t5/configuration-manager-blog/cloud-attach-your-future-part-ii-quot-the-big-3-quot/ba-p/1750664). + +The introduction of Windows 11 is also a good time to review your hardware refresh plans and prioritize eligible devices to ensure an optimal experience for your users. + +## Servicing and support + +Along with end-user experience and security improvements, Windows 11 introduces enhancements to Microsoft's servicing approach based on your suggestions and feedback. + +**Quality updates**: Windows 11 and Windows 10 devices will receive regular monthly quality updates to provide security updates and bug fixes. + +**Feature updates**: Microsoft will provide a single Windows 11 feature update annually, targeted for release in the second half of each calendar year. + +**Lifecycle**: +- Home, Pro, Pro for Workstations, and Pro for Education editions of Windows 11 will receive 24 months of support from the general availability date. +- Enterprise and Education editions of Windows 11 will be supported for 36 months from the general availability date. + +When Windows 11 reaches general availability, a consolidated Windows 11 update history will be available on support.microsoft.com, similar to what is [available today for Windows 10](https://support.microsoft.com/topic/windows-10-update-history-1b6aac92-bf01-42b5-b158-f80c6d93eb11). Similarly, the [Windows release health](/windows/release-health/) hub will offer quick access to Windows 11 servicing announcements, known issues, and safeguard holds. + +It is important that organizations have adequate time to plan for Windows 11. Microsoft also recognizes that many organizations will have a mix of Windows 11 and Windows 10 devices across their ecosystem. Devices on in-service versions of Windows 10 will continue to receive monthly Windows 10 security updates through 2025, as well as incremental improvements to Windows 10 to support ongoing Microsoft 365 deployments. For more information, see the [Windows 10 release information](/windows/release-health/release-information) page, which offers information about the Windows 10 Semi-Annual Channel and Long-term Servicing Channel (LTSC) releases. + +## Application compatibility + +Microsoft's compatibility promise for Windows 10 is maintained for Windows 11. Data from the App Assure program shows that Windows 10 compatibility rates are over 99.7% for enterprise organizations, including line of business (LOB) apps. Microsoft remains committed to ensuring that the apps you rely upon continue to work as expected when you upgrade. Windows 11 is subject to the same app compatibility validation requirements that are in place for Windows 10 today, for both feature and quality updates. + +#### App Assure and Test Base for Microsoft 365 + +If you run into compatibility issues or want to ensure that your organization's applications are compatible from day one, App Assure and Test Base for Microsoft 365 can help. + +**App Assure**: With enrollment in the [App Assure](/windows/compatibility/app-assure) service, any app compatibility issues that you find with Windows 11 can be resolved. Microsoft will help you remedy application issues at no cost. Since 2018, App Assure has evaluated almost 800,000 apps, and subscriptions are free for eligible customers with 150+ seats. + +**Test Base for Microsoft 365**: For software publishers, systems integrators, and IT administrators, [Test Base for Microsoft 365](https://www.microsoft.com/testbase) (currently in public preview) is a service that allows you to validate your apps across a variety of Windows feature and quality updates and environments in a Microsoft-managed Azure environment. Enterprise organizations can also nominate their software publishers for participation by completing a short form. + +You might already be using App Assure and Test Base in your Windows 10 environment. Both of these tools will continue to function with Windows 11. + +## Next steps + +[Prepare for Windows 11](windows-11-prepare.md) + +## Also see + +[Plan to deploy updates for Windows 10 and Microsoft 365 Apps](/learn/modules/windows-plan/) diff --git a/windows/whats-new/windows-sv-prepare.md b/windows/whats-new/windows-11-prepare.md similarity index 60% rename from windows/whats-new/windows-sv-prepare.md rename to windows/whats-new/windows-11-prepare.md index e6f48a1037..3ef63328a5 100644 --- a/windows/whats-new/windows-sv-prepare.md +++ b/windows/whats-new/windows-11-prepare.md @@ -1,7 +1,7 @@ --- -title: Prepare for Windows Sun Valley -description: Prepare your infrastructure and tools to deploy Windows Sun Valley, IT Pro content. -keywords: ["get started", "windows sun valley"] +title: Prepare for Windows 11 +description: Prepare your infrastructure and tools to deploy Windows 11, IT Pro content. +keywords: ["get started", "windows 11"] ms.prod: w11 ms.mktglfcycl: deploy ms.sitesec: library @@ -14,40 +14,40 @@ ms.localizationpriority: high ms.topic: article --- -# Prepare for Windows Sun Valley +# Prepare for Windows 11 **Applies to** -- Windows Sun Valley +- Windows 11 -Windows 10 and Windows Sun Valley are designed to coexist, so that you can use the same familiar tools and process to manage both operating systems. Using a single management infrastructure that supports common applications across both Windows 10 and Windows Sun Valley helps to simplify the migration process. You can analyze endpoints, determine application compatibility, and manage Windows Sun Valley deployments in the same way that you do with Windows 10. +Windows 10 and Windows 11 are designed to coexist, so that you can use the same familiar tools and process to manage both operating systems. Using a single management infrastructure that supports common applications across both Windows 10 and Windows 11 helps to simplify the migration process. You can analyze endpoints, determine application compatibility, and manage Windows 11 deployments in the same way that you do with Windows 10. -After you evaluate your hardware to see if it meets [requirements](windows-sv-requirements.md) for Windows Sun Valley, it's a good time to review your deployment infrastructure, tools, and overall endpoint and update management processes and look for opportunities to simplify and optimize. This article provides some helpful guidance to accomplish these tasks. +After you evaluate your hardware to see if it meets [requirements](windows-11-requirements.md) for Windows 11, it's a good time to review your deployment infrastructure, tools, and overall endpoint and update management processes and look for opportunities to simplify and optimize. This article provides some helpful guidance to accomplish these tasks. ## Infrastructure and tools -The tools that you use for core workloads during Windows 10 deployments can still be used for Windows Sun Valley. A few nuanced differences are described below. +The tools that you use for core workloads during Windows 10 deployments can still be used for Windows 11. A few nuanced differences are described below. > [!IMPORTANT] - > Be sure to check with the providers of any non-Microsoft solutions that you use. Verify compatibility of these tools with Windows Sun Valley, particularly if they provide security or data loss prevention capabilities. + > Be sure to check with the providers of any non-Microsoft solutions that you use. Verify compatibility of these tools with Windows 11, particularly if they provide security or data loss prevention capabilities. #### On-premise solutions -- If you use Windows Server Update Service (WSUS), you will need to sync the new **Windows Sun Valley** product category. After you sync the product category, you will see Windows Sun Valley offered as an option. If you would like to validate Windows Sun Valley prior to release, you can sync the Windows Insider Pre-release category as well. +- If you use Windows Server Update Service (WSUS), you will need to sync the new **Windows 11** product category. After you sync the product category, you will see Windows 11 offered as an option. If you would like to validate Windows 11 prior to release, you can sync the Windows Insider Pre-release category as well. > [!NOTE] - > During deployment, you will be prompted to agree to the End User License Agreement on behalf of your users. Additionally, you will not see an x86 option because Windows Sun Valley is not supported on 32-bit architecture. + > During deployment, you will be prompted to agree to the End User License Agreement on behalf of your users. Additionally, you will not see an x86 option because Windows 11 is not supported on 32-bit architecture. -- If you use Microsoft Endpoint Configuration Manager, you can sync the new **Windows Sun Valley** product category and begin upgrading eligible devices. If you would like to validate Windows Sun Valley prior to release, you can sync the **Windows Insider Pre-release** category as well. +- If you use Microsoft Endpoint Configuration Manager, you can sync the new **Windows 11** product category and begin upgrading eligible devices. If you would like to validate Windows 11 prior to release, you can sync the **Windows Insider Pre-release** category as well. > [!NOTE] > Configuration Manager will prompt you to accept the End User License Agreement on behalf of the users in your organization. #### Cloud-based solutions -- If you use Windows Update for Business Group Policy or Configuration Service Provider (CSP) policies, you will need to use the **Target Version** capability rather than feature update deferrals to upgrade from Windows 10 to Windows Sun Valley. Feature Update deferrals are great to move to newer versions of your current product (for example, Windows 10, version 20H2 to 21H1), but do not enable you to move between products (Windows 10 to Windows Sun Valley). -- Quality update deferrals will continue to work the same across both Windows 10 and Windows Sun Valley. This is true regardless of which management tool you use to configure Windows Update for Business policies. -- If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to use **Feature Update Deployments** to easily update devices from one release of Windows 10 to another, or to upgrade Windows 10 devices to Windows Sun Valley. You can also continue using the same update experience controls to manage Windows 10 and Windows Sun Valley. +- If you use Windows Update for Business Group Policy or Configuration Service Provider (CSP) policies, you will need to use the **Target Version** capability rather than feature update deferrals to upgrade from Windows 10 to Windows 11. Feature Update deferrals are great to move to newer versions of your current product (for example, Windows 10, version 20H2 to 21H1), but do not enable you to move between products (Windows 10 to Windows 11). +- Quality update deferrals will continue to work the same across both Windows 10 and Windows 11. This is true regardless of which management tool you use to configure Windows Update for Business policies. +- If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to use **Feature Update Deployments** to easily update devices from one release of Windows 10 to another, or to upgrade Windows 10 devices to Windows 11. You can also continue using the same update experience controls to manage Windows 10 and Windows 11. ## Cloud-based management @@ -55,19 +55,19 @@ If you aren’t already taking advantage of cloud-based management capabilities, The following are some common use cases and the corresponding Microsoft Endpoint Manager capabilities that support them: -- **Provision and pre-configure new Windows Sun Valley devices**: [Windows Autopilot](/mem/autopilot/windows-autopilot) enables you to deploy new Windows Sun Valley devices in a “business-ready” state that includes your desired applications, settings, and policies. It can also be used to change the edition of Windows. For example, you can upgrade from Pro to Enterprise edition and gain the use of advanced features. -- **Configure rules and control settings for users, apps, and devices**: When you enroll devices in [Microsoft Intune](/mem/intune/fundamentals/what-is-intune), administrators have full control over apps, settings, features, and security for both Windows Sun Valley and Windows 10. You can also use app protection policies to require multi-factor authentication (MFA) for specific apps. -- **Streamline device management for frontline, remote, and onsite workers**: Introduced with Windows 10, [cloud configuration](/mem/intune/fundamentals/cloud-configuration) is a standard, easy-to-manage, device configuration that is cloud-optimized for users with specific workflow needs. It can be deployed to devices running the Pro, Enterprise, and Education editions of Windows Sun Valley by using Microsoft Endpoint Manager. +- **Provision and pre-configure new Windows 11 devices**: [Windows Autopilot](/mem/autopilot/windows-autopilot) enables you to deploy new Windows 11 devices in a “business-ready” state that includes your desired applications, settings, and policies. It can also be used to change the edition of Windows. For example, you can upgrade from Pro to Enterprise edition and gain the use of advanced features. +- **Configure rules and control settings for users, apps, and devices**: When you enroll devices in [Microsoft Intune](/mem/intune/fundamentals/what-is-intune), administrators have full control over apps, settings, features, and security for both Windows 11 and Windows 10. You can also use app protection policies to require multi-factor authentication (MFA) for specific apps. +- **Streamline device management for frontline, remote, and onsite workers**: Introduced with Windows 10, [cloud configuration](/mem/intune/fundamentals/cloud-configuration) is a standard, easy-to-manage, device configuration that is cloud-optimized for users with specific workflow needs. It can be deployed to devices running the Pro, Enterprise, and Education editions of Windows 11 by using Microsoft Endpoint Manager. If you are exclusively using an on-premise device management solution (for example, Configuration Manager), you can still use the [cloud management gateway](/mem/configmgr/core/clients/manage/cmg/overview), enable [tenant attach](/mem/configmgr/tenant-attach/device-sync-actions), or enable [co-management](/mem/configmgr/comanage/overview) with Microsoft Intune. These solutions can make it easier to keep devices secure and up-to-date. ## Review servicing approach and policies -Every organization will transition to Windows Sun Valley at its own pace. Microsoft is committed to supporting you through your migration to Windows Sun Valley, whether you are a fast adopter or will make the transition over the coming months or years. +Every organization will transition to Windows 11 at its own pace. Microsoft is committed to supporting you through your migration to Windows 11, whether you are a fast adopter or will make the transition over the coming months or years. When you think of operating system updates as an ongoing process, you will automatically improve your ability to deploy updates. This approach enables you to stay current with less effort, and less impact on productivity. To begin, think about how you roll out Windows feature updates today: which devices, and at what pace. -Next, craft a deployment plan for Windows Sun Valley that includes deployment groups, rings, users, or devices. There are no absolute rules for exactly how many rings to have for your deployments, but a common structure is: +Next, craft a deployment plan for Windows 11 that includes deployment groups, rings, users, or devices. There are no absolute rules for exactly how many rings to have for your deployments, but a common structure is: - Preview (first or canary): Planning and development - Limited (fast or early adopters): Pilot and validation - Broad (users or critical): Wide deployment @@ -80,7 +80,7 @@ Review deployment-related policies, taking into consideration your organization' #### Validate apps and infrastructure -To validate that your apps, infrastructure, and deployment processes are ready for Windows Sun Valley, join the [Windows Insider Program for Business](https://insider.windows.com/for-business-getting-started), and opt in to the [Release Preview Channel](/windows-insider/business/validate-Release-Preview-Channel). +To validate that your apps, infrastructure, and deployment processes are ready for Windows 11, join the [Windows Insider Program for Business](https://insider.windows.com/for-business-getting-started), and opt in to the [Release Preview Channel](/windows-insider/business/validate-Release-Preview-Channel). If you use Windows Server Update Services, you can deploy directly from the Windows Insider Pre-release category using one of the following processes: @@ -88,11 +88,11 @@ If you use Windows Server Update Services, you can deploy directly from the Wind - Leverage Azure Virtual Desktop and Azure Marketplace images. - Download and deploy ISOs from Microsoft’s Windows Insider Program ISO Download page. -Regardless of the method you choose, you have the benefit of free Microsoft support when validating pre-release builds. Free support is available to any commercial customer deploying Windows 10 or Windows Sun Valley Preview Builds, once they become available through the Windows Insider Program. +Regardless of the method you choose, you have the benefit of free Microsoft support when validating pre-release builds. Free support is available to any commercial customer deploying Windows 10 or Windows 11 Preview Builds, once they become available through the Windows Insider Program. #### Analytics and assessment tools -If you use Microsoft Endpoint Manager and have onboarded devices to Endpoint analytics, you will have access to a hardware readiness assessment later this year. This tool enables you to quickly identify which of your managed devices are eligible for the Windows Sun Valley upgrade. +If you use Microsoft Endpoint Manager and have onboarded devices to Endpoint analytics, you will have access to a hardware readiness assessment later this year. This tool enables you to quickly identify which of your managed devices are eligible for the Windows 11 upgrade. ## Prepare a pilot deployment @@ -110,16 +110,16 @@ At a high level, the tasks involved are: ## end-user readiness -Do not overlook the importance of end-user readiness to deliver an effective, enterprise-wide deployment of Windows Sun Valley. Windows Sun Valley has a familiar design, but your users will see several enhancements to the overall user interface. They will also need to adapt to changes in menus and settings pages. Therefore, consider the following tasks to prepare users and your IT support staff Windows Sun Valley: +Do not overlook the importance of end-user readiness to deliver an effective, enterprise-wide deployment of Windows 11. Windows 11 has a familiar design, but your users will see several enhancements to the overall user interface. They will also need to adapt to changes in menus and settings pages. Therefore, consider the following tasks to prepare users and your IT support staff Windows 11: - Create a communications schedule to ensure that you provide the right message at the right time to the right groups of users, based on when they will see the changes. - Draft concise emails that inform users of what changes they can expect to see. Offer tips on how to use or customize their experience. Include information about support and help desk options. - Update help desk manuals with screenshots of the new user interface, the out-of-box experience for new devices, and the upgrade experience for existing devices. ## Learn more -See the [Stay current with Windows 10 and Microsoft 365 Apps](/learn/paths/m365-stay-current/) learning path on Microsoft Learn. The learning path was created for Windows 10, but the basic principles and tasks outlined for the plan, prepare, and deploy phases also apply to your deployment of Windows Sun Valley. +See the [Stay current with Windows 10 and Microsoft 365 Apps](/learn/paths/m365-stay-current/) learning path on Microsoft Learn. The learning path was created for Windows 10, but the basic principles and tasks outlined for the plan, prepare, and deploy phases also apply to your deployment of Windows 11. ## See also -[Plan for Windows Sun Valley](windows-sv-plan.md)
+[Plan for Windows 11](windows-11-plan.md)
[Windows help & learning](https://support.microsoft.com/windows) diff --git a/windows/whats-new/windows-sv-requirements.md b/windows/whats-new/windows-11-requirements.md similarity index 76% rename from windows/whats-new/windows-sv-requirements.md rename to windows/whats-new/windows-11-requirements.md index eb25e65a86..2fbeeb8490 100644 --- a/windows/whats-new/windows-sv-requirements.md +++ b/windows/whats-new/windows-11-requirements.md @@ -1,6 +1,6 @@ --- -title: Windows Sun Valley requirements -description: Hardware requirements to deploy Windows Sun Valley +title: Windows 11 requirements +description: Hardware requirements to deploy Windows 11 ms.reviewer: manager: laurawi ms.audience: itpro @@ -15,51 +15,51 @@ ms.topic: article ms.custom: seo-marvel-apr2020 --- -# Windows Sun Valley requirements +# Windows 11 requirements **Applies to** -- Windows Sun Valley +- Windows 11 -This article lists the system requirements for Windows Sun Valley. Windows Sun Valley is also supported on a virtual machine (VM). +This article lists the system requirements for Windows 11. Windows 11 is also supported on a virtual machine (VM). ## Hardware requirements -To install or upgrade to Windows Sun Valley, devices must meet the following minimum hardware requirements: +To install or upgrade to Windows 11, devices must meet the following minimum hardware requirements: - Processor: 1 gigahertz (GHz) or faster with two or more cores on a [compatible 64-bit processor](https://aka.ms/CPUlist) or system on a chip (SoC). - RAM: 4 gigabytes (GB) or greater. -- Storage: 64 GB\* or greater available storage is required to install Windows Sun Valley. +- Storage: 64 GB\* or greater available storage is required to install Windows 11. - Additional storage space might be required to download updates and enable specific features. - Graphics card: Compatible with DirectX 12 or later, with a WDDM 2.0 driver. - System firmware: UEFI, Secure Boot capable. - TPM: [Trusted Platform Module](/windows/security/information-protection/tpm/trusted-platform-module-overview) (TPM) version 2.0. - Display: High definition (720p) display, 9" or greater monitor, 8 bits per color channel. - Internet connection: Internet connectivity is necessary to perform updates, and to download and use some features. - - Windows Sun Valley Home edition requires an Internet connection and a Microsoft Account to complete device setup on first use. + - Windows 11 Home edition requires an Internet connection and a Microsoft Account to complete device setup on first use. -\* There might be additional requirements over time for updates, and to enable specific features within the operating system. For more information, see [Keeping Windows Sun Valley up-to-date](https://www.microsoft.com/windows/windows-10-specifications#primaryR5). +\* There might be additional requirements over time for updates, and to enable specific features within the operating system. For more information, see [Keeping Windows 11 up-to-date](https://www.microsoft.com/windows/windows-10-specifications#primaryR5). -For information about tools to evaluate readiness, see [Determine eligibility](windows-sv-plan.md#determine-eligibility). +For information about tools to evaluate readiness, see [Determine eligibility](windows-11-plan.md#determine-eligibility). ## Operating system requirements -For the best Windows Sun Valley upgrade experience, eligible devices should be running Windows 10, version 20H1 or later. +For the best Windows 11 upgrade experience, eligible devices should be running Windows 10, version 20H1 or later. > [!NOTE] -> S mode is not supported on Windows Sun Valley. +> S mode is not supported on Windows 11. > If you are running Windows in S mode, you will need to first [switch out of S mode](/windows/deployment/windows-10-pro-in-s-mode) prior to upgrading.
 
> Switching a device out of Windows 10 in S mode also requires internet connectivity. If you switch out of S mode, you cannot switch back to S mode later. ## Feature-specific requirements -Some features in Windows Sun Valley have requirements beyond those listed above. See the following list of features and associated requirements. +Some features in Windows 11 have requirements beyond those listed above. See the following list of features and associated requirements. - **5G support**: requires 5G capable modem. - **Auto HDR**: requires an HDR monitor. - **BitLocker to Go**: requires a USB flash drive. This feature is available in Windows Pro and above editions. - **Client Hyper-V**: requires a processor with second-level address translation (SLAT) capabilities. This feature is available in Windows Pro editions and above. -- **Cortana**: requires a microphone and speaker and is currently available on Windows Sun Valley for Australia, Brazil, Canada, China, France, Germany, India, Italy, Japan, Mexico, Spain, United Kingdom, and United States. +- **Cortana**: requires a microphone and speaker and is currently available on Windows 11 for Australia, Brazil, Canada, China, France, Germany, India, Italy, Japan, Mexico, Spain, United Kingdom, and United States. - **DirectStorage**: requires 1 TB or greater NVMe SSD to store and run games that use the "Standard NVM Express Controller" driver and a DirectX12 Ultimate GPU. - **DirectX 12 Ultimate**: available with supported games and graphics chips. - **Presence**: requires sensor that can detect human distance from device or intent to interact with device. @@ -81,10 +81,10 @@ Some features in Windows Sun Valley have requirements beyond those listed above. ## Next steps -[Plan for Windows Sun Valley](windows-sv-plan.md)
-[Prepare for Windows Sun Valley](windows-sv-prepare.md) +[Plan for Windows 11](windows-11-plan.md)
+[Prepare for Windows 11](windows-11-prepare.md) ## See also -[Windows Sun Valley overview](windows-sv.md) +[Windows 11 overview](windows-11.md) diff --git a/windows/whats-new/windows-11.md b/windows/whats-new/windows-11.md new file mode 100644 index 0000000000..260967a467 --- /dev/null +++ b/windows/whats-new/windows-11.md @@ -0,0 +1,86 @@ +--- +title: Windows 11 overview +description: Overview of Windows 11 +ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C +ms.reviewer: +manager: laurawi +ms.audience: itpro +author: greg-lindsay +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.localizationpriority: medium +audience: itpro +ms.topic: article +ms.custom: seo-marvel-apr2020 +--- + +# Windows 11 overview + +**Applies to** + +- Windows 11 + +This article provides an introduction to Windows 11, and answers some frequently asked questions. + +Also see the following articles to learn more about Windows 11: + +- [Windows 11 requirements](windows-11-requirements.md): Requirements to deploy Windows 11. +- [Plan for Windows 11](windows-11-plan.md): Information to help you plan for Windows 11 in your organization. +- [Prepare for Windows 11](windows-11-prepare.md): Procedures to ensure readiness to deploy Windows 11. + +## Introduction + +Windows 11 is the next evolution of Windows; it is the most significant update to the Windows operating system since Windows 10. It offers many innovations focused on enhancing end-user productivity in a fresh experience that is flexible and fluid. Windows 11 is designed to support today's hybrid work environment, and intended to be the most reliable, secure, connected, and performant Windows operating system ever. + +Windows 11 is built on the same foundation as Windows 10, so the investments you have made in tools for update and device management are carried forward. Windows 11 also sustains the application compatibility promise made with Windows 10, supplemented by programs like App Assure. For Microsoft 365 customers seeking further assistance, FastTrack will continue to be available to support your efforts to adopt Windows 11. + +## How to get Windows 11 + +Windows 11 will be delivered as an upgrade to eligible devices running Windows 10, beginning later in the 2021 calendar year. Windows 11 will also be available on eligible new devices. + +For administrators managing devices on behalf of their organization, Windows 11 will be available through the same, familiar channels that you use today for Windows 10 feature updates. You will be able to use existing deployment and management tools, such as Windows Update for Business, Microsoft Endpoint Manager, and Windows Autopilot. For more information, see [Plan for Windows 11](windows-11-plan.md). + +For devices that are not managed by an organization, the Windows 11 upgrade will be offered to eligible Windows 10 devices through Windows Update using Microsoft's intelligent rollout process to ensure a smooth upgrade experience. + +For more information about device eligibility, see [Windows 11 requirements](windows-11-requirements.md). + +If you are interested in testing Windows 11 before general availability, you can join the [Windows Insider Program](https://insider.windows.com) or [Windows Insider Program for Business](https://insider.windows.com/for-business). You can also preview Windows 11 by enabling pre-release Windows 10 feature updates in [Microsoft Endpoint Configuration Manager](/mem/configmgr/core/servers/manage/pre-release-features) or [Windows Server Update Services](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/publishing-pre-release-windows-10-feature-updates-to-wsus/ba-p/845054) (WSUS). + +## Before you begin + +The following sections provide a quick summary of licensing, compatibility, management, and servicing considerations to help you get started with Windows 11. + +#### Licensing + +There are no unique licensing requirements for Windows 11 beyond what is required for Windows 10 devices. + +Microsoft 365 licenses that include Windows 10 licenses will permit you to run Windows 11 on supported devices. If you have a volume license, it will equally cover Windows 11 and Windows 10 devices before and after upgrade. + +#### Compatibility + +Most accessories and associated drivers that work with Windows 10 are expected to work with Windows 11. Check with your accessory manufacturer for specific details. + +Windows 11 preserves the application compatibility promise made with Windows 10, and does not require changes to existing support processes or tooling to sustain the currency of applications and devices. Microsoft 365 customers can continue to use programs such as App Assure and FastTrack to support IT efforts to adopt and maintain Windows 11. For more information, see [Application compatibility](windows-11-plan.md#application-compatibility). + +#### Familiar processes + +Windows 11 is built on the same foundation as Windows 10. Typically, you can use the same tools and solutions you use today to deploy, manage, and secure Windows 11. Your current management tools and processes will also work to manage monthly quality updates for both Windows 10 and Windows 11. + +> [!IMPORTANT] +> Check with the providers of any non-Microsoft security and management solutions that you use to ensure compatibility with Windows 11, particularly those providing security or data loss prevention capabilities. + +For more information, see [Prepare for Windows 11](windows-11-prepare.md). + +#### Servicing Windows 11 + +Like Windows 10, Windows 11 will receive monthly quality updates. However, it will have a new feature update cadence. Windows 11 feature updates will be released once per year. + +When Windows 11 reaches general availability, important servicing-related announcements and information about known issues and safeguard holds can be found on the [Windows release health](https://aka.ms/windowsreleasehealth) hub. Monthly release notes will also be available from a consolidated Windows 11 update history page at that time. For more information, see [Servicing and support](windows-11-plan.md#servicing-and-support). + +## Next steps + +[Windows 11 requirements](windows-11-requirements.md)
+[Plan for Windows 11](windows-11-plan.md)
+[Prepare for Windows 11](windows-11-prepare.md) \ No newline at end of file diff --git a/windows/whats-new/windows-sv-plan.md b/windows/whats-new/windows-sv-plan.md deleted file mode 100644 index 11aa8a3ddc..0000000000 --- a/windows/whats-new/windows-sv-plan.md +++ /dev/null @@ -1,122 +0,0 @@ ---- -title: Plan for Windows Sun Valley -description: Windows Sun Valley deployment planning, IT Pro content. -keywords: ["get started", "windows sun valley", "plan"] -ms.prod: w11 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.author: greglin -ms.date: 06/24/2021 -ms.reviewer: -manager: laurawi -ms.localizationpriority: high -ms.topic: article ---- - -# Plan for Windows Sun Valley - -**Applies to** - -- Windows Sun Valley - -## Deployment planning - -This article provides guidance to help you plan for Windows Sun Valley in your organization. - -Since Windows Sun Valley is built on the same foundation as Windows 10, you can use the same deployment capabilities, scenarios, and tools—as well as the same basic deployment strategy that you use today for Windows 10. You will need to review and update your servicing strategy to adjust for changes in [Servicing and support](#servicing-and-support) for Windows Sun Valley. - -At a high level, this strategy should include the following steps: -- [Create a deployment plan](/windows/deployment/update/create-deployment-plan) -- [Define readiness criteria](/windows/deployment/update/plan-define-readiness) -- [Evaluate infrastructure and tools](/windows/deployment/update/eval-infra-tools) -- [Determine application readiness](/windows/deployment/update/plan-determine-app-readiness) -- [Define your servicing strategy](/windows/deployment/update/plan-define-strategy) - -If you are looking for ways to optimize your approach to deploying Windows Sun Valley, or if deploying a new version of an operating system is not a familiar process for you, some items to consider are provided below. - -## Determine eligibility - -As a first step, you will need to know which of your current devices meet the Windows Sun Valley hardware requirements. Most devices purchased in the last 18-24 months will be compatible with Windows Sun Valley. Verify that your device meets or exceeds [Windows Sun Valley requirements](windows-sv-requirements.md) to ensure it is compatible. - -Microsoft is currently developing analysis tools to help you evaluate your devices against the Windows Sun Valley hardware requirements. When Windows Sun Valley reaches general availability, end-users running Windows 10 Home, Pro, and Pro for Workstations will be able to use the **PC Health Check** app to determine their eligibility for Windows Sun Valley. end-users running Windows 10 Enterprise and Education editions should rely on their IT administrators to let them know when they are eligible for the upgrade.  - -Enterprise organizations looking to evaluate device readiness in their environments can expect this capability to be integrated into existing Microsoft tools, such as Endpoint analytics and Update Compliance. This capability will be available when Windows Sun Valley is generally available. Microsoft is also working with software publishing partners to facilitate adding Windows Sun Valley device support into their solutions. - -## Windows Sun Valley availability - -The availability of Windows Sun Valley will vary according to a device's hardware and whether the device receives updates directly, or from a management solution that is maintained by an IT administrator. - -##### Managed devices - -Managed devices are devices that are under organization control. Managed devices include those managed by Microsoft Intune, Microsoft Endpoint Configuration Manager, or other endpoint management solutions. - -If you manage devices on behalf of your organization, you will be able to upgrade eligible devices to Windows Sun Valley using your existing deployment and management tools at no cost when the upgrade reaches general availability. Organizations that use Windows Update for Business will have added benefits, such as: - -- Ensuring that devices that don't meet the minimum hardware requirements are not automatically offered the Windows Sun Valley upgrade. -- Additional insight into safeguard holds. While safeguard holds will function for Windows Sun Valley devices just as they do for Windows 10 today, administrators using Windows Update for Business will have access to information on which safeguard holds are preventing individual devices from taking the upgrade to Windows Sun Valley. - -> [!NOTE] -> If you use Windows Update for Business to manage feature update deployments today, you will need to leverage the **Target Version** policy rather than **Feature Update deferrals** to move from Windows 10 to Windows Sun Valley. Deferrals are great for quality updates or to move to newer version of the same product (from example, from Windows 10, version 20H2 to 21H1), but they cannot migrate a device between products (from Windows 10 to Windows Sun Valley).
-> Additionally, Windows Sun Valley has a new End User License Agreement. If you are deploying with Windows Update for Business **Target Version** or with Windows Server Update Services, you are accepting this new End User License Agreement on behalf of the end-users within your organization. - -##### Unmanaged devices - -Unmanaged devices are devices that are not managed by an IT administrator on behalf of an organization. For operating system (OS) deployment, these devices are not subject to organizational policies that manage upgrades or updates. - -Windows Sun Valley will be offered to eligible Windows 10 devices beginning later in the 2021 calendar year. Messaging on new devices will vary by PC manufacturer, but users will see labels such as **This PC will upgrade to Windows Sun Valley once available** on products that are available for purchase. - -The Windows Sun Valley upgrade will be available initially on eligible, unmanaged devices to users who manually seek the upgrade through Windows Update. As with all Windows Update managed devices, the **Windows Update Settings** page will confirm when a device is eligible, and users can upgrade if they choose to. - -Just like Windows 10, the machine learning based [intelligent rollout](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/using-machine-learning-to-improve-the-windows-10-update/ba-p/877860) process will be leveraged when rolling out upgrades. Machine learning uses a combination of testing, close partner engagement, feedback, diagnostic data, and real-life insights to manage quality. This process improves the update experience and ensures that devices first nominated for updates are the devices likely to have a seamless experience. Devices that might have compatibility issues with the upgrade get the benefit of resolving these issues before the upgrade is offered. - -## Windows Sun Valley readiness considerations - -The recommended method to determine if your infrastructure, deployment processes, and management tools are ready for Windows Sun Valley is to join the [Windows Insider Program for Business](https://insider.windows.com/for-business). As a participant in the [Release Preview Channel](/windows-insider/business/validate-Release-Preview-Channel), you can validate that your devices and applications work as expected, and explore new features. - -As you plan your endpoint management strategy for Windows Sun Valley, consider moving to cloud-based mobile device management (MDM), such as [Microsoft Intune](/mem/intune/fundamentals/what-is-intune). If a cloud-only approach isn't right for your organization just yet, you can still modernize and streamline essential pieces of your endpoint management strategy as follows: -- Create a [cloud management gateway](/mem/configmgr/core/clients/manage/cmg/overview) (CMG) to manage Configuration Manager clients over the internet. -- Attach your existing Configuration Management estate to the cloud with [tenant attach](/mem/configmgr/tenant-attach/device-sync-actions) so you can manage all devices from within the Microsoft Endpoint Manager admin center. -- Use [co-management](/mem/configmgr/comanage/overview) to concurrently manage devices using both Configuration Manager and Microsoft Intune. This allows you to take advantage of cloud-powered capabilities like [Conditional Access](/azure/active-directory/conditional-access/overview). - -For more information on the benefits of these approaches, see [Cloud Attach Your Future: The Big 3](https://techcommunity.microsoft.com/t5/configuration-manager-blog/cloud-attach-your-future-part-ii-quot-the-big-3-quot/ba-p/1750664). - -The introduction of Windows Sun Valley is also a good time to review your hardware refresh plans and prioritize eligible devices to ensure an optimal experience for your users. - -## Servicing and support - -Along with end-user experience and security improvements, Windows Sun Valley introduces enhancements to Microsoft's servicing approach based on your suggestions and feedback. - -**Quality updates**: Windows Sun Valley and Windows 10 devices will receive regular monthly quality updates to provide security updates and bug fixes. - -**Feature updates**: Microsoft will provide a single Windows Sun Valley feature update annually, targeted for release in the second half of each calendar year. - -**Lifecycle**: -- Home, Pro, Pro for Workstations, and Pro for Education editions of Windows Sun Valley will receive 24 months of support from the general availability date. -- Enterprise and Education editions of Windows Sun Valley will be supported for 36 months from the general availability date. - -When Windows Sun Valley reaches general availability, a consolidated Windows Sun Valley update history will be available on support.microsoft.com, similar to what is [available today for Windows 10](https://support.microsoft.com/topic/windows-10-update-history-1b6aac92-bf01-42b5-b158-f80c6d93eb11). Similarly, the [Windows release health](/windows/release-health/) hub will offer quick access to Windows Sun Valley servicing announcements, known issues, and safeguard holds. - -It is important that organizations have adequate time to plan for Windows Sun Valley. Microsoft also recognizes that many organizations will have a mix of Windows Sun Valley and Windows 10 devices across their ecosystem. Devices on in-service versions of Windows 10 will continue to receive monthly Windows 10 security updates through 2025, as well as incremental improvements to Windows 10 to support ongoing Microsoft 365 deployments. For more information, see the [Windows 10 release information](/windows/release-health/release-information) page, which offers information about the Windows 10 Semi-Annual Channel and Long-term Servicing Channel (LTSC) releases. - -## Application compatibility - -Microsoft's compatibility promise for Windows 10 is maintained for Windows Sun Valley. Data from the App Assure program shows that Windows 10 compatibility rates are over 99.7% for enterprise organizations, including line of business (LOB) apps. Microsoft remains committed to ensuring that the apps you rely upon continue to work as expected when you upgrade. Windows Sun Valley is subject to the same app compatibility validation requirements that are in place for Windows 10 today, for both feature and quality updates. - -#### App Assure and Test Base for Microsoft 365 - -If you run into compatibility issues or want to ensure that your organization's applications are compatible from day one, App Assure and Test Base for Microsoft 365 can help. - -**App Assure**: With enrollment in the [App Assure](/windows/compatibility/app-assure) service, any app compatibility issues that you find with Windows Sun Valley can be resolved. Microsoft will help you remedy application issues at no cost. Since 2018, App Assure has evaluated almost 800,000 apps, and subscriptions are free for eligible customers with 150+ seats. - -**Test Base for Microsoft 365**: For software publishers, systems integrators, and IT administrators, [Test Base for Microsoft 365](https://www.microsoft.com/testbase) (currently in public preview) is a service that allows you to validate your apps across a variety of Windows feature and quality updates and environments in a Microsoft-managed Azure environment. Enterprise organizations can also nominate their software publishers for participation by completing a short form. - -You might already be using App Assure and Test Base in your Windows 10 environment. Both of these tools will continue to function with Windows Sun Valley. - -## Next steps - -[Prepare for Windows Sun Valley](windows-sv-prepare.md) - -## Also see - -[Plan to deploy updates for Windows 10 and Microsoft 365 Apps](/learn/modules/windows-plan/) diff --git a/windows/whats-new/windows-sv.md b/windows/whats-new/windows-sv.md deleted file mode 100644 index 392951b9ff..0000000000 --- a/windows/whats-new/windows-sv.md +++ /dev/null @@ -1,86 +0,0 @@ ---- -title: Windows Sun Valley overview -description: Overview of Windows Sun Valley -ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C -ms.reviewer: -manager: laurawi -ms.audience: itpro -author: greg-lindsay -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: medium -audience: itpro -ms.topic: article -ms.custom: seo-marvel-apr2020 ---- - -# Windows Sun Valley overview - -**Applies to** - -- Windows Sun Valley - -This article provides an introduction to Windows Sun Valley, and answers some frequently asked questions. - -Also see the following articles to learn more about Windows Sun Valley: - -- [Windows Sun Valley requirements](windows-sv-requirements.md): Requirements to deploy Windows Sun Valley. -- [Plan for Windows Sun Valley](windows-sv-plan.md): Information to help you plan for Windows Sun Valley in your organization. -- [Prepare for Windows Sun Valley](windows-sv-prepare.md): Procedures to ensure readiness to deploy Windows Sun Valley. - -## Introduction - -Windows Sun Valley is the next evolution of Windows; it is the most significant update to the Windows operating system since Windows 10. It offers many innovations focused on enhancing end-user productivity in a fresh experience that is flexible and fluid. Windows Sun Valley is designed to support today's hybrid work environment, and intended to be the most reliable, secure, connected, and performant Windows operating system ever. - -Windows Sun Valley is built on the same foundation as Windows 10, so the investments you have made in tools for update and device management are carried forward. Windows Sun Valley also sustains the application compatibility promise made with Windows 10, supplemented by programs like App Assure. For Microsoft 365 customers seeking further assistance, FastTrack will continue to be available to support your efforts to adopt Windows Sun Valley. - -## How to get Windows Sun Valley - -Windows Sun Valley will be delivered as an upgrade to eligible devices running Windows 10, beginning later in the 2021 calendar year. Windows Sun Valley will also be available on eligible new devices. - -For administrators managing devices on behalf of their organization, Windows Sun Valley will be available through the same, familiar channels that you use today for Windows 10 feature updates. You will be able to use existing deployment and management tools, such as Windows Update for Business, Microsoft Endpoint Manager, and Windows Autopilot. For more information, see [Plan for Windows Sun Valley](windows-sv-plan.md). - -For devices that are not managed by an organization, the Windows Sun Valley upgrade will be offered to eligible Windows 10 devices through Windows Update using Microsoft's intelligent rollout process to ensure a smooth upgrade experience. - -For more information about device eligibility, see [Windows Sun Valley requirements](windows-sv-requirements.md). - -If you are interested in testing Windows Sun Valley before general availability, you can join the [Windows Insider Program](https://insider.windows.com) or [Windows Insider Program for Business](https://insider.windows.com/for-business). You can also preview Windows Sun Valley by enabling pre-release Windows 10 feature updates in [Microsoft Endpoint Configuration Manager](/mem/configmgr/core/servers/manage/pre-release-features) or [Windows Server Update Services](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/publishing-pre-release-windows-10-feature-updates-to-wsus/ba-p/845054) (WSUS). - -## Before you begin - -The following sections provide a quick summary of licensing, compatibility, management, and servicing considerations to help you get started with Windows Sun Valley. - -#### Licensing - -There are no unique licensing requirements for Windows Sun Valley beyond what is required for Windows 10 devices. - -Microsoft 365 licenses that include Windows 10 licenses will permit you to run Windows Sun Valley on supported devices. If you have a volume license, it will equally cover Windows Sun Valley and Windows 10 devices before and after upgrade. - -#### Compatibility - -Most accessories and associated drivers that work with Windows 10 are expected to work with Windows Sun Valley. Check with your accessory manufacturer for specific details. - -Windows Sun Valley preserves the application compatibility promise made with Windows 10, and does not require changes to existing support processes or tooling to sustain the currency of applications and devices. Microsoft 365 customers can continue to use programs such as App Assure and FastTrack to support IT efforts to adopt and maintain Windows Sun Valley. For more information, see [Application compatibility](windows-sv-plan.md#application-compatibility). - -#### Familiar processes - -Windows Sun Valley is built on the same foundation as Windows 10. Typically, you can use the same tools and solutions you use today to deploy, manage, and secure Windows Sun Valley. Your current management tools and processes will also work to manage monthly quality updates for both Windows 10 and Windows Sun Valley. - -> [!IMPORTANT] -> Check with the providers of any non-Microsoft security and management solutions that you use to ensure compatibility with Windows Sun Valley, particularly those providing security or data loss prevention capabilities. - -For more information, see [Prepare for Windows Sun Valley](windows-sv-prepare.md). - -#### Servicing Windows Sun Valley - -Like Windows 10, Windows Sun Valley will receive monthly quality updates. However, it will have a new feature update cadence. Windows Sun Valley feature updates will be released once per year. - -When Windows Sun Valley reaches general availability, important servicing-related announcements and information about known issues and safeguard holds can be found on the [Windows release health](https://aka.ms/windowsreleasehealth) hub. Monthly release notes will also be available from a consolidated Windows Sun Valley update history page at that time. For more information, see [Servicing and support](windows-sv-plan.md#servicing-and-support). - -## Next steps - -[Windows Sun Valley requirements](windows-sv-requirements.md)
-[Plan for Windows Sun Valley](windows-sv-plan.md)
-[Prepare for Windows Sun Valley](windows-sv-prepare.md) \ No newline at end of file From da5e83a1887db5401adf04d571724d1e0a31129b Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Thu, 24 Jun 2021 01:21:08 -0700 Subject: [PATCH 378/415] capitalization --- windows/whats-new/windows-11-prepare.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/whats-new/windows-11-prepare.md b/windows/whats-new/windows-11-prepare.md index 3ef63328a5..a1a45c11c6 100644 --- a/windows/whats-new/windows-11-prepare.md +++ b/windows/whats-new/windows-11-prepare.md @@ -33,7 +33,7 @@ The tools that you use for core workloads during Windows 10 deployments can stil #### On-premise solutions -- If you use Windows Server Update Service (WSUS), you will need to sync the new **Windows 11** product category. After you sync the product category, you will see Windows 11 offered as an option. If you would like to validate Windows 11 prior to release, you can sync the Windows Insider Pre-release category as well. +- If you use Windows Server Update Service (WSUS), you will need to sync the new **Windows 11** product category. After you sync the product category, you will see Windows 11 offered as an option. If you would like to validate Windows 11 prior to release, you can sync the **Windows Insider Pre-release** category as well. > [!NOTE] > During deployment, you will be prompted to agree to the End User License Agreement on behalf of your users. Additionally, you will not see an x86 option because Windows 11 is not supported on 32-bit architecture. @@ -45,9 +45,9 @@ The tools that you use for core workloads during Windows 10 deployments can stil #### Cloud-based solutions -- If you use Windows Update for Business Group Policy or Configuration Service Provider (CSP) policies, you will need to use the **Target Version** capability rather than feature update deferrals to upgrade from Windows 10 to Windows 11. Feature Update deferrals are great to move to newer versions of your current product (for example, Windows 10, version 20H2 to 21H1), but do not enable you to move between products (Windows 10 to Windows 11). +- If you use Windows Update for Business Group Policy or Configuration Service Provider (CSP) policies, you will need to use the **Target Version** capability rather than feature update deferrals to upgrade from Windows 10 to Windows 11. Feature update deferrals are great to move to newer versions of your current product (for example, Windows 10, version 20H2 to 21H1), but do not enable you to move between products (Windows 10 to Windows 11). - Quality update deferrals will continue to work the same across both Windows 10 and Windows 11. This is true regardless of which management tool you use to configure Windows Update for Business policies. -- If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to use **Feature Update Deployments** to easily update devices from one release of Windows 10 to another, or to upgrade Windows 10 devices to Windows 11. You can also continue using the same update experience controls to manage Windows 10 and Windows 11. +- If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to use feature update deployments to easily update devices from one release of Windows 10 to another, or to upgrade Windows 10 devices to Windows 11. You can also continue using the same update experience controls to manage Windows 10 and Windows 11. ## Cloud-based management From a0f5e69c5d83903b287a0dd186e62b62cfcc9d89 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Thu, 24 Jun 2021 01:36:46 -0700 Subject: [PATCH 379/415] link fix --- windows/deployment/TOC.yml | 10 ++++------ windows/deployment/deploy-whats-new.md | 5 +++-- 2 files changed, 7 insertions(+), 8 deletions(-) diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index cafdf97782..1348d4e836 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml @@ -5,8 +5,6 @@ items: - name: What's new href: deploy-whats-new.md - - name: Windows 11 deployment overview - href: /windows/whats-new/windows-11-overview.md - name: Windows client deployment scenarios href: windows-10-deployment-scenarios.md - name: What is Windows as a service? @@ -35,8 +33,8 @@ - name: Plan items: - - name: Windows 11 deployment planning - href: /windows/whats-new/windows-11-plan.md + - name: Plan for Windows 11 + href: /windows/whats-new/windows-11-plan - name: Create a deployment plan href: update/create-deployment-plan.md - name: Define readiness criteria @@ -71,8 +69,8 @@ - name: Prepare items: - - name: Prepare to deploy Windows 11 - href: /windows/whats-new/windows-11-prepare.md + - name: Prepare for Windows 11 + href: /windows/whats-new/windows-11-prepare - name: Prepare to deploy Windows 10 updates href: update/prepare-deploy-windows.md - name: Evaluate and update infrastructure diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index fa8ca9e964..e3a0d81b25 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md @@ -16,20 +16,21 @@ ms.topic: article ms.custom: seo-marvel-apr2020 --- -# What's new in Windows 10 deployment +# What's new in Windows client deployment **Applies to:** - Windows 10 +- Windows 11 ## In this topic This topic provides an overview of new solutions and online content related to deploying Windows client in your organization. - For an all-up overview of new features in Windows 10, see [What's new in Windows 10](/windows/whats-new/index). -- For an overview of Windows 11, see [What's new in Windows 11](/windows/whats-new/windows-11). ## Latest news +Check out the [Overview of Windows 11](/windows/whats-new/windows-11). [SetupDiag](#setupdiag) is included with Windows 10, version 2004 and later.
The [Windows ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install) is available.
New capabilities are available for [Delivery Optimization](#delivery-optimization) and [Windows Update for Business](#windows-update-for-business).
From f980c28e109ca579201859dd436635716942e944 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Thu, 24 Jun 2021 02:07:14 -0700 Subject: [PATCH 380/415] small edit --- windows/whats-new/windows-11-plan.md | 4 ++-- windows/whats-new/windows-11-prepare.md | 5 +++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/windows/whats-new/windows-11-plan.md b/windows/whats-new/windows-11-plan.md index ad68e1ebfa..1227f3908d 100644 --- a/windows/whats-new/windows-11-plan.md +++ b/windows/whats-new/windows-11-plan.md @@ -58,7 +58,7 @@ If you manage devices on behalf of your organization, you will be able to upgrad > [!NOTE] > If you use Windows Update for Business to manage feature update deployments today, you will need to leverage the **Target Version** policy rather than **Feature Update deferrals** to move from Windows 10 to Windows 11. Deferrals are great for quality updates or to move to newer version of the same product (from example, from Windows 10, version 20H2 to 21H1), but they cannot migrate a device between products (from Windows 10 to Windows 11).
-> Additionally, Windows 11 has a new End User License Agreement. If you are deploying with Windows Update for Business **Target Version** or with Windows Server Update Services, you are accepting this new End User License Agreement on behalf of the end-users within your organization. +> Also, Windows 11 has a new End User License Agreement. If you are deploying with Windows Update for Business **Target Version** or with Windows Server Update Services, you are accepting this new End User License Agreement on behalf of the end-users within your organization. ##### Unmanaged devices @@ -68,7 +68,7 @@ Windows 11 will be offered to eligible Windows 10 devices beginning later in the The Windows 11 upgrade will be available initially on eligible, unmanaged devices to users who manually seek the upgrade through Windows Update. As with all Windows Update managed devices, the **Windows Update Settings** page will confirm when a device is eligible, and users can upgrade if they choose to. -Just like Windows 10, the machine learning based [intelligent rollout](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/using-machine-learning-to-improve-the-windows-10-update/ba-p/877860) process will be leveraged when rolling out upgrades. Machine learning uses a combination of testing, close partner engagement, feedback, diagnostic data, and real-life insights to manage quality. This process improves the update experience and ensures that devices first nominated for updates are the devices likely to have a seamless experience. Devices that might have compatibility issues with the upgrade get the benefit of resolving these issues before the upgrade is offered. +Just like Windows 10, the machine learning based [intelligent rollout](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/using-machine-learning-to-improve-the-windows-10-update/ba-p/877860) process will be used when rolling out upgrades. Machine learning uses a combination of testing, close partner engagement, feedback, diagnostic data, and real-life insights to manage quality. This process improves the update experience, and ensures that devices first nominated for updates are the devices likely to have a seamless experience. Devices that might have compatibility issues with the upgrade get the benefit of resolving these issues before the upgrade is offered. ## Windows 11 readiness considerations diff --git a/windows/whats-new/windows-11-prepare.md b/windows/whats-new/windows-11-prepare.md index a1a45c11c6..dda3e2c11d 100644 --- a/windows/whats-new/windows-11-prepare.md +++ b/windows/whats-new/windows-11-prepare.md @@ -108,7 +108,7 @@ At a high level, the tasks involved are: 6. Test and support the pilot devices. 7. Determine broad deployment readiness based on the results of the pilot. -## end-user readiness +## End-user readiness Do not overlook the importance of end-user readiness to deliver an effective, enterprise-wide deployment of Windows 11. Windows 11 has a familiar design, but your users will see several enhancements to the overall user interface. They will also need to adapt to changes in menus and settings pages. Therefore, consider the following tasks to prepare users and your IT support staff Windows 11: - Create a communications schedule to ensure that you provide the right message at the right time to the right groups of users, based on when they will see the changes. @@ -117,7 +117,8 @@ Do not overlook the importance of end-user readiness to deliver an effective, en ## Learn more -See the [Stay current with Windows 10 and Microsoft 365 Apps](/learn/paths/m365-stay-current/) learning path on Microsoft Learn. The learning path was created for Windows 10, but the basic principles and tasks outlined for the plan, prepare, and deploy phases also apply to your deployment of Windows 11. +See the [Stay current with Windows 10 and Microsoft 365 Apps](/learn/paths/m365-stay-current/) learning path on Microsoft Learn. +- The learning path was created for Windows 10, but the basic principles and tasks outlined for the plan, prepare, and deploy phases also apply to your deployment of Windows 11. ## See also From 3c0db3c4609ccb692a6394adce30440a37a130b3 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Thu, 24 Jun 2021 02:12:22 -0700 Subject: [PATCH 381/415] format fix --- windows/deployment/deploy-whats-new.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index e3a0d81b25..d2e0935b7d 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md @@ -30,7 +30,11 @@ This topic provides an overview of new solutions and online content related to d ## Latest news -Check out the [Overview of Windows 11](/windows/whats-new/windows-11). +Check out the following new articles about Windows 11: +- [Overview of Windows 11](/windows/whats-new/windows-11) +- [Plan for Windows 11](/windows/whats-new/windows-11-plan) +- [Prepare for Windows 11](/windows/whats-new/windows-11-prepare) + [SetupDiag](#setupdiag) is included with Windows 10, version 2004 and later.
The [Windows ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install) is available.
New capabilities are available for [Delivery Optimization](#delivery-optimization) and [Windows Update for Business](#windows-update-for-business).
From f20d6bcbb2669165ce231e35735dcd4defa8dd95 Mon Sep 17 00:00:00 2001 From: v-miegge <49650192+v-miegge@users.noreply.github.com> Date: Thu, 24 Jun 2021 07:15:42 -0700 Subject: [PATCH 382/415] CI 152135 - QA review --- .../hello-for-business/hello-aad-join-cloud-only-deploy.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md index 379f033684..850b4b5214 100644 --- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md +++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md @@ -16,7 +16,7 @@ localizationpriority: medium ms.date: 06/23/2021 ms.reviewer: --- -# Azure AD Joined Cloud Only Deployment +# Azure Active Directory join cloud only deployment ## Introduction @@ -59,9 +59,9 @@ However, not everyone uses Intune. The following method explains how to disable 1. Sign into the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) admin center. 2. Go to **Devices** > **Enrollment** > **Enroll devices** > **Windows enrollment** > **Windows Hello for Business**. The Windows Hello for Business pane opens. -3. Select from the following options for **Configure Windows Hello for Business**: +3. If you don't want to enable Windows Hello for Business during device enrollment, select **Disabled** for **Configure Windows Hello for Business**. - 1. **Disabled**: If you don't want to enable Windows Hello for Business during device enrollment, select this option. When disabled, users cannot provision Windows Hello for Business. When set to Disabled, you can still configure the subsequent settings for Windows Hello for Business even though this policy won't enable Windows Hello for Business. + When disabled, users cannot provision Windows Hello for Business. When set to Disabled, you can still configure the subsequent settings for Windows Hello for Business even though this policy won't enable Windows Hello for Business. > [!NOTE] > This policy is only applied during new device enrollments. For currently enrolled devices, you can [set the same settings in a device configuration policy](hello-manage-in-organization.md). From 01af22fc75513dbe69c9bafa76e70e5c831cf8e7 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Thu, 24 Jun 2021 11:37:19 -0700 Subject: [PATCH 383/415] hook up article to TOC --- windows/deployment/TOC.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index 1348d4e836..ae0fdee1a2 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml @@ -267,6 +267,8 @@ items: - name: How does Windows Update work? href: update/how-windows-update-works.md + - name: Windows 10 upgrade paths + href: upgrade/windows-10-upgrade-paths.md - name: Deploy Windows 10 with Microsoft 365 href: deploy-m365.md - name: Understanding the Unified Update Platform From f25f4173932e00702c8aa4d9525c593a013ab649 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Thu, 24 Jun 2021 12:15:35 -0700 Subject: [PATCH 384/415] change testbase link --- windows/whats-new/windows-11-plan.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/windows-11-plan.md b/windows/whats-new/windows-11-plan.md index 1227f3908d..3df8ed3080 100644 --- a/windows/whats-new/windows-11-plan.md +++ b/windows/whats-new/windows-11-plan.md @@ -109,7 +109,7 @@ If you run into compatibility issues or want to ensure that your organization's **App Assure**: With enrollment in the [App Assure](/windows/compatibility/app-assure) service, any app compatibility issues that you find with Windows 11 can be resolved. Microsoft will help you remedy application issues at no cost. Since 2018, App Assure has evaluated almost 800,000 apps, and subscriptions are free for eligible customers with 150+ seats. -**Test Base for Microsoft 365**: For software publishers, systems integrators, and IT administrators, [Test Base for Microsoft 365](https://www.microsoft.com/testbase) (currently in public preview) is a service that allows you to validate your apps across a variety of Windows feature and quality updates and environments in a Microsoft-managed Azure environment. Enterprise organizations can also nominate their software publishers for participation by completing a short form. +**Test Base for Microsoft 365**: For software publishers, systems integrators, and IT administrators, [Test Base for Microsoft 365](https://aka.ms/testbase) (currently in public preview) is a service that allows you to validate your apps across a variety of Windows feature and quality updates and environments in a Microsoft-managed Azure environment. Enterprise organizations can also nominate their software publishers for participation by completing a short form. You might already be using App Assure and Test Base in your Windows 10 environment. Both of these tools will continue to function with Windows 11. From eefda074104c8536d027ddbe9b4a4736078b7cd7 Mon Sep 17 00:00:00 2001 From: John Flores Date: Thu, 24 Jun 2021 15:16:47 -0400 Subject: [PATCH 385/415] Update windows-11-prepare.md --- windows/whats-new/windows-11-prepare.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/whats-new/windows-11-prepare.md b/windows/whats-new/windows-11-prepare.md index dda3e2c11d..5ccbff2c5b 100644 --- a/windows/whats-new/windows-11-prepare.md +++ b/windows/whats-new/windows-11-prepare.md @@ -31,7 +31,7 @@ The tools that you use for core workloads during Windows 10 deployments can stil > [!IMPORTANT] > Be sure to check with the providers of any non-Microsoft solutions that you use. Verify compatibility of these tools with Windows 11, particularly if they provide security or data loss prevention capabilities. -#### On-premise solutions +#### On-premises solutions - If you use Windows Server Update Service (WSUS), you will need to sync the new **Windows 11** product category. After you sync the product category, you will see Windows 11 offered as an option. If you would like to validate Windows 11 prior to release, you can sync the **Windows Insider Pre-release** category as well. @@ -59,7 +59,7 @@ The following are some common use cases and the corresponding Microsoft Endpoint - **Configure rules and control settings for users, apps, and devices**: When you enroll devices in [Microsoft Intune](/mem/intune/fundamentals/what-is-intune), administrators have full control over apps, settings, features, and security for both Windows 11 and Windows 10. You can also use app protection policies to require multi-factor authentication (MFA) for specific apps. - **Streamline device management for frontline, remote, and onsite workers**: Introduced with Windows 10, [cloud configuration](/mem/intune/fundamentals/cloud-configuration) is a standard, easy-to-manage, device configuration that is cloud-optimized for users with specific workflow needs. It can be deployed to devices running the Pro, Enterprise, and Education editions of Windows 11 by using Microsoft Endpoint Manager. -If you are exclusively using an on-premise device management solution (for example, Configuration Manager), you can still use the [cloud management gateway](/mem/configmgr/core/clients/manage/cmg/overview), enable [tenant attach](/mem/configmgr/tenant-attach/device-sync-actions), or enable [co-management](/mem/configmgr/comanage/overview) with Microsoft Intune. These solutions can make it easier to keep devices secure and up-to-date. +If you are exclusively using an on-premises device management solution (for example, Configuration Manager), you can still use the [cloud management gateway](/mem/configmgr/core/clients/manage/cmg/overview), enable [tenant attach](/mem/configmgr/tenant-attach/device-sync-actions), or enable [co-management](/mem/configmgr/comanage/overview) with Microsoft Intune. These solutions can make it easier to keep devices secure and up-to-date. ## Review servicing approach and policies From 2b1f47e6f3dcc2a72d5965d1d6bf9a72bd72c896 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Thu, 24 Jun 2021 12:44:49 -0700 Subject: [PATCH 386/415] edit S mode requirements --- windows/whats-new/windows-11-requirements.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/whats-new/windows-11-requirements.md b/windows/whats-new/windows-11-requirements.md index 2fbeeb8490..2b48d9fb14 100644 --- a/windows/whats-new/windows-11-requirements.md +++ b/windows/whats-new/windows-11-requirements.md @@ -47,8 +47,8 @@ For information about tools to evaluate readiness, see [Determine eligibility](w For the best Windows 11 upgrade experience, eligible devices should be running Windows 10, version 20H1 or later. > [!NOTE] -> S mode is not supported on Windows 11. -> If you are running Windows in S mode, you will need to first [switch out of S mode](/windows/deployment/windows-10-pro-in-s-mode) prior to upgrading.
 
+> S mode is only supported on the Home edition of Windows 11. +> If you are running a different edition of Windows in S mode, you will need to first [switch out of S mode](/windows/deployment/windows-10-pro-in-s-mode) prior to upgrading.
 
> Switching a device out of Windows 10 in S mode also requires internet connectivity. If you switch out of S mode, you cannot switch back to S mode later. ## Feature-specific requirements From 6b4c4036a9753d7ae79f7b2891de7290bc70bf3f Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Thu, 24 Jun 2021 12:49:11 -0700 Subject: [PATCH 387/415] public to private for testbase --- windows/whats-new/windows-11-plan.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/windows-11-plan.md b/windows/whats-new/windows-11-plan.md index 3df8ed3080..17d61a7125 100644 --- a/windows/whats-new/windows-11-plan.md +++ b/windows/whats-new/windows-11-plan.md @@ -109,7 +109,7 @@ If you run into compatibility issues or want to ensure that your organization's **App Assure**: With enrollment in the [App Assure](/windows/compatibility/app-assure) service, any app compatibility issues that you find with Windows 11 can be resolved. Microsoft will help you remedy application issues at no cost. Since 2018, App Assure has evaluated almost 800,000 apps, and subscriptions are free for eligible customers with 150+ seats. -**Test Base for Microsoft 365**: For software publishers, systems integrators, and IT administrators, [Test Base for Microsoft 365](https://aka.ms/testbase) (currently in public preview) is a service that allows you to validate your apps across a variety of Windows feature and quality updates and environments in a Microsoft-managed Azure environment. Enterprise organizations can also nominate their software publishers for participation by completing a short form. +**Test Base for Microsoft 365**: For software publishers, systems integrators, and IT administrators, [Test Base for Microsoft 365](https://aka.ms/testbase) (currently in private preview) is a service that allows you to validate your apps across a variety of Windows feature and quality updates and environments in a Microsoft-managed Azure environment. Enterprise organizations can also nominate their software publishers for participation by completing a short form. You might already be using App Assure and Test Base in your Windows 10 environment. Both of these tools will continue to function with Windows 11. From 6747493aab97d69588473413beaf68978e48af4d Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Thu, 24 Jun 2021 13:13:28 -0700 Subject: [PATCH 388/415] update requirements --- windows/whats-new/windows-11-requirements.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/windows-11-requirements.md b/windows/whats-new/windows-11-requirements.md index 2b48d9fb14..8c87b2c454 100644 --- a/windows/whats-new/windows-11-requirements.md +++ b/windows/whats-new/windows-11-requirements.md @@ -60,7 +60,7 @@ Some features in Windows 11 have requirements beyond those listed above. See the - **BitLocker to Go**: requires a USB flash drive. This feature is available in Windows Pro and above editions. - **Client Hyper-V**: requires a processor with second-level address translation (SLAT) capabilities. This feature is available in Windows Pro editions and above. - **Cortana**: requires a microphone and speaker and is currently available on Windows 11 for Australia, Brazil, Canada, China, France, Germany, India, Italy, Japan, Mexico, Spain, United Kingdom, and United States. -- **DirectStorage**: requires 1 TB or greater NVMe SSD to store and run games that use the "Standard NVM Express Controller" driver and a DirectX12 Ultimate GPU. +- **DirectStorage**: requires an NVMe SSD to store and run games that use the Standard NVM Express Controller driver and a DirectX12 GPU with Shader Model 6.0 support. - **DirectX 12 Ultimate**: available with supported games and graphics chips. - **Presence**: requires sensor that can detect human distance from device or intent to interact with device. - **Intelligent Video Conferencing**: requires video camera, microphone, and speaker (audio output) From 3919f4de32931580f92760397d6ec2390afa0dc8 Mon Sep 17 00:00:00 2001 From: Thomas Raya Date: Thu, 24 Jun 2021 16:34:43 -0700 Subject: [PATCH 389/415] Update docfx.json --- windows/whats-new/docfx.json | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/whats-new/docfx.json b/windows/whats-new/docfx.json index 16f6364ce9..fe5bc2fe98 100644 --- a/windows/whats-new/docfx.json +++ b/windows/whats-new/docfx.json @@ -3,8 +3,8 @@ "content": [ { "files": [ - "**/*.md", - "**/*.yml" + "**/**/*.md", + "**/**/*.yml" ], "exclude": [ "**/obj/**", @@ -19,9 +19,9 @@ "resource": [ { "files": [ - "**/*.png", - "**/*.jpg", - "**/*.gif" + "**/**/*.png", + "**/**/*.jpg", + "**/**/*.gif" ], "exclude": [ "**/obj/**", From 01d51d82f1b559925c5b029fa959cea9aab20336 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Fri, 25 Jun 2021 08:54:28 -0700 Subject: [PATCH 390/415] Update .openpublishing.redirection.json --- .openpublishing.redirection.json | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 4afc122348..8dbea776cc 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -18919,6 +18919,11 @@ "source_path": "windows/security/threat-protection/device-control/device-control-report.md", "redirect_url": "/microsoft-365/security/defender-endpoint/device-control-report", "redirect_document_id": false - } + }, + { + "source_path": "windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md", + "redirect_url": "/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows", + "redirect_document_id": false + } ] } From 7d9be28bd3ac8285558ffc9248ba849c65f52a4c Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Fri, 25 Jun 2021 08:55:31 -0700 Subject: [PATCH 391/415] Delete system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md --- ...sed-root-of-trust-helps-protect-windows.md | 88 ------------------- 1 file changed, 88 deletions(-) delete mode 100644 windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md deleted file mode 100644 index bb47f523e4..0000000000 --- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md +++ /dev/null @@ -1,88 +0,0 @@ ---- -title: How Windows Defender System Guard protect Windows 10 from firmware exploits -description: Windows Defender System Guard in Windows 10 uses a hardware-based root of trust to securely protect systems against firmware exploits. -ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.reviewer: -manager: dansimp -ms.author: deniseb -author: denisebmsft -search.appverid: met150 -ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -ms.date: 03/01/2019 -ms.custom: asr -ms.technology: mde ---- - - -# Windows Defender System Guard: How a hardware-based root of trust helps protect Windows 10 - -In order to protect critical resources such as the Windows authentication stack, single sign-on tokens, the Windows Hello biometric stack, and the Virtual Trusted Platform Module, a system's firmware and hardware must be trustworthy. - -Windows Defender System Guard reorganizes the existing Windows 10 system integrity features under one roof and sets up the next set of investments in Windows security. It's designed to make these security guarantees: - -- Protect and maintain the integrity of the system as it starts up -- Validate that system integrity has truly been maintained through local and remote attestation - -## Maintaining the integrity of the system as it starts - -### Static Root of Trust for Measurement (SRTM) - -With Windows 7, one of the means attackers would use to persist and evade detection was to install what is often referred to as a bootkit or rootkit on the system. -This malicious software would start before Windows started, or during the boot process itself, enabling it to start with the highest level of privilege. - -With Windows 10 running on modern hardware (that is, Windows 8-certified or greater) a hardware-based root of trust helps ensure that no unauthorized firmware or software (such as a bootkit) can start before the Windows bootloader. -This hardware-based root of trust comes from the device’s Secure Boot feature, which is part of the Unified Extensible Firmware Interface (UEFI). -This technique of measuring the static early boot UEFI components is called the Static Root of Trust for Measurement (SRTM). - -As there are thousands of PC vendors that produce numerous models with different UEFI BIOS versions, there becomes an incredibly large number of SRTM measurements upon bootup. -Two techniques exist to establish trust here—either maintain a list of known 'bad' SRTM measurements (also known as a block list), or a list of known 'good' SRTM measurements (also known as an allow list). -Each option has a drawback: - -- A list of known 'bad' SRTM measurements allows a hacker to change just 1 bit in a component to create an entirely new SRTM hash that needs to be listed. This means that the SRTM flow is inherently brittle - a minor change can invalidate the entire chain of trust. -- A list of known 'good' SRTM measurements requires each new BIOS/PC combination measurement to be carefully added, which is slow. -In addition, a bug fix for UEFI code can take a long time to design, build, retest, validate, and redeploy. - -### Secure Launch—the Dynamic Root of Trust for Measurement (DRTM) - -Windows Defender System Guard Secure Launch, first introduced in Windows 10 version 1809, aims to alleviate these issues by leveraging a technology known as the Dynamic Root of Trust for Measurement (DRTM). -DRTM lets the system freely boot into untrusted code initially, but shortly after launches the system into a trusted state by taking control of all CPUs and forcing them down a well-known and measured code path. -This has the benefit of allowing untrusted early UEFI code to boot the system, but then being able to securely transition into a trusted and measured state. - - -![System Guard Secure Launch](images/system-guard-secure-launch.png) - -Secure Launch simplifies management of SRTM measurements because the launch code is now unrelated to a specific hardware configuration. This means the number of valid code measurements is small, and future updates can be deployed more widely and quickly. - -### System Management Mode (SMM) protection - -System Management Mode (SMM) is a special-purpose CPU mode in x86 microcontrollers that handles power management, hardware configuration, thermal monitoring, and anything else the manufacturer deems useful. -Whenever one of these system operations is requested, a non-maskable interrupt (SMI) is invoked at runtime, which executes SMM code installed by the BIOS. -SMM code executes in the highest privilege level and is invisible to the OS, which makes it an attractive target for malicious activity. Even if System Guard Secure Launch is used to late launch, SMM code can potentially access hypervisor memory and change the hypervisor. -To defend against this, two techniques are used: - -1. Paging protection to prevent inappropriate access to code and data -2. SMM hardware supervision and attestation - -Paging protection can be implemented to lock certain code tables to be read-only to prevent tampering. -This prevents access to any memory that has not been specifically assigned. - -A hardware-enforced processor feature known as a supervisor SMI handler can monitor the SMM and make sure it does not access any part of the address space that it is not supposed to. - -SMM protection is built on top of the Secure Launch technology and requires it to function. -In the future, Windows 10 will also measure this SMI Handler’s behavior and attest that no OS-owned memory has been tampered with. - -## Validating platform integrity after Windows is running (run time) - -While Windows Defender System Guard provides advanced protection that will help protect and maintain the integrity of the platform during boot and at run time, the reality is that we must apply an "assume breach" mentality to even our most sophisticated security technologies. We should be able to trust that the technologies are successfully doing their jobs, but we also need the ability to verify that they were successful in achieving their goals. When it comes to platform integrity, we can’t just trust the platform, which potentially could be compromised, to self-attest to its security state. So Windows Defender System Guard includes a series of technologies that enable remote analysis of the device’s integrity. - -As Windows 10 boots, a series of integrity measurements are taken by Windows Defender System Guard using the device’s Trusted Platform Module 2.0 (TPM 2.0). System Guard Secure Launch will not support earlier TPM versions, such as TPM 1.2. This process and data are hardware-isolated away from Windows to help ensure that the measurement data is not subject to the type of tampering that could happen if the platform was compromised. From here, the measurements can be used to determine the integrity of the device’s firmware, hardware configuration state, and Windows boot-related components, just to name a few. - - -![Boot time integrity](images/windows-defender-system-guard-boot-time-integrity.png) - -After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM. Upon request, a management system like Intune or Microsoft Endpoint Manager can acquire them for remote analysis. If Windows Defender System Guard indicates that the device lacks integrity, the management system can take a series of actions, such as denying the device access to resources. - From 4a278d355423eb63947930bfda1eab44643500b1 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Fri, 25 Jun 2021 09:22:30 -0700 Subject: [PATCH 392/415] Update configuration-service-provider-reference.md --- .../mdm/configuration-service-provider-reference.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 3dad2ebf68..679a0aabe7 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -1036,7 +1036,6 @@ Additional lists: check mark Only for mobile application management (MAM) - check mark check mark check mark From 1d0e4e99cc951f391c0527b9fe5b43de8ceadd2c Mon Sep 17 00:00:00 2001 From: Max Stein Date: Fri, 25 Jun 2021 12:02:25 -0700 Subject: [PATCH 393/415] Update devicestatus-csp.md Light formatting fixes. --- .../client-management/mdm/devicestatus-csp.md | 32 +++++++++---------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/windows/client-management/mdm/devicestatus-csp.md b/windows/client-management/mdm/devicestatus-csp.md index 0dd72c26d2..f861b2d2e4 100644 --- a/windows/client-management/mdm/devicestatus-csp.md +++ b/windows/client-management/mdm/devicestatus-csp.md @@ -9,7 +9,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: manikadhiman -ms.date: 04/30/2019 +ms.date: 06/25/2021 --- # DeviceStatus CSP @@ -150,8 +150,8 @@ Node for the compliance query. **DeviceStatus/Compliance/EncryptionCompliance** Boolean value that indicates compliance with the enterprise encryption policy for OS (system) drives. The value is one of the following: -- 0 - not encrypted -- 1 - encrypted +- 0 - Not encrypted +- 1 - Encrypted Supported operation is Get. @@ -179,8 +179,8 @@ Supported operation is Get. Added in Windows, version 1803. Read only node that specifies the device mode. Valid values: -- 0 - the device is in standard configuration -- 1 - the device is in S mode configuration +- 0 - The device is in standard configuration +- 1 - The device is in S mode configuration Supported operation is Get. @@ -211,10 +211,10 @@ Added in Windows, version 1607. Integer that specifies the status of the antivi Valid values: -- 0 – Antivirus is on and monitoring -- 1 – Antivirus is disabled -- 2 – Antivirus is not monitoring the device/PC or some options have been turned off -- 3 (default) – Antivirus is temporarily not completely monitoring the device/PC +- 0 – Antivirus is on and monitoring. +- 1 – Antivirus is disabled. +- 2 – Antivirus is not monitoring the device/PC or some options have been turned off. +- 3 (default) – Antivirus is temporarily not completely monitoring the device/PC. - 4 – Antivirus not applicable for this device. This is returned for devices like the phone that do not have an antivirus (where the API doesn’t exist.) Supported operation is Get. @@ -263,10 +263,10 @@ Added in Windows, version 1607. Integer that specifies the status of the firewa Valid values: -- 0 – Firewall is on and monitoring -- 1 – Firewall has been disabled -- 2 – Firewall is not monitoring all networks or some rules have been turned off -- 3 (default) – Firewall is temporarily not monitoring all networks +- 0 – Firewall is on and monitoring. +- 1 – Firewall has been disabled. +- 2 – Firewall is not monitoring all networks or some rules have been turned off. +- 3 (default) – Firewall is temporarily not monitoring all networks. - 4 – Not applicable. This is returned for devices like the phone that do not have an antivirus (where the API doesn’t exist.) Supported operation is Get. @@ -331,8 +331,8 @@ Added in Windows, version 1709. Virtualization-based security status. Value is - 0 - Running - 1 - Reboot required - 2 - 64 bit architecture required -- 3 - not licensed -- 4 - not configured +- 3 - Not licensed +- 4 - Not configured - 5 - System doesn't meet hardware requirements - 42 – Other. Event logs in Microsoft-Windows-DeviceGuard have more details @@ -349,4 +349,4 @@ Added in Windows, version 1709. Local System Authority (LSA) credential guard s - 4 - VBS not running -Supported operation is Get. \ No newline at end of file +Supported operation is Get. From 4214f6193ad6590941d482a82942d27493561997 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Fri, 25 Jun 2021 12:56:06 -0700 Subject: [PATCH 394/415] update driver topic --- ...icrosoft-recommended-driver-block-rules.md | 161 +++++++++++++++++- 1 file changed, 154 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md index 887fc765be..44f0200b2e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md @@ -1,9 +1,9 @@ --- title: Microsoft recommended driver block rules (Windows 10) -description: View a list of recommended block rules to block vulnerable third-party drivers discovered by Microsoft and the security research community. -keywords: security, malware, kernel mode, driver +description: View a list of recommended block rules to block vulnerable third-party drivers discovered by Microsoft and the security research community. +keywords: security, malware, kernel mode, driver ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: m365-security +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,8 +14,7 @@ author: jgeurten ms.reviewer: isbrahm ms.author: dansimp manager: dansimp -ms.date: 10/15/2020 -ms.technology: mde +ms.date: --- # Microsoft recommended driver block rules @@ -30,7 +29,7 @@ Microsoft has strict requirements for code running in kernel. Consequently, mali - Hypervisor-protected code integrity (HVCI) enabled devices - Windows 10 in S mode (S mode) devices -Microsoft recommends enabling [HVCI](../device-guard/enable-virtualization-based-protection-of-code-integrity.md) or S mode to protect your devices against security threats. If this is not possible, Microsoft recommends blocking the following list of drivers by merging this policy with your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It is recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events. +Microsoft recommends enabling [HVCI](https://docs.microsoft.com/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this is not possible, Microsoft recommends blocking the following list of drivers by merging this policy with your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It is recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events. > [!Note] > This application list will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered. It is recommended that this policy be first validated in audit mode before rolling the rules into enforcement mode. @@ -127,6 +126,80 @@ Microsoft recommends enabling [HVCI](../device-guard/enable-virtualization-based + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -352,6 +425,80 @@ Microsoft recommends enabling [HVCI](../device-guard/enable-virtualization-based + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -385,4 +532,4 @@ Microsoft recommends enabling [HVCI](../device-guard/enable-virtualization-based ## More information -- [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md) \ No newline at end of file +- [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md) From 8c7a9c164c557f35bc0bb73f1d9e25a87d3d8966 Mon Sep 17 00:00:00 2001 From: Nazmus Sakib Date: Fri, 25 Jun 2021 13:23:51 -0700 Subject: [PATCH 395/415] Add TPM2.0 recommendation Update additional details on TPM2.0 usage/recommendation in feature table --- .../tpm/tpm-recommendations.md | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/windows/security/information-protection/tpm/tpm-recommendations.md b/windows/security/information-protection/tpm/tpm-recommendations.md index 6179ba0c0a..6bde2d3d8d 100644 --- a/windows/security/information-protection/tpm/tpm-recommendations.md +++ b/windows/security/information-protection/tpm/tpm-recommendations.md @@ -111,21 +111,20 @@ The following table defines which Windows features require TPM support. Windows Features | TPM Required | Supports TPM 1.2 | Supports TPM 2.0 | Details | -|-|-|-|- - Measured Boot | Yes | Yes | Yes | Measured Boot requires TPM 1.2 or 2.0 and UEFI Secure Boot + Measured Boot | Yes | Yes | Yes | Measured Boot requires TPM 1.2 or 2.0 and UEFI Secure Boot. TPM 2.0 is recommended since it supports newer cryptographic algorithms. TPM 1.2 only supports the SHA-1 algorithm which is being deprecated. BitLocker | No | Yes | Yes | TPM 1.2 or 2.0 are supported but TPM 2.0 is recommended. [Automatic Device Encryption requires Modern Standby](../bitlocker/bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) including TPM 2.0 support Device Encryption | Yes | N/A | Yes | Device Encryption requires Modern Standby/Connected Standby certification, which requires TPM 2.0. Windows Defender Application Control (Device Guard) | No | Yes | Yes - Windows Defender System Guard | Yes | No | Yes - Credential Guard | No | Yes | Yes | Windows 10, version 1507 (End of Life as of May 2017) only supported TPM 2.0 for Credential Guard. Beginning with Windows 10, version 1511, TPM 1.2 and 2.0 are supported. - Device Health Attestation| Yes | Yes | Yes - Windows Hello/Windows Hello for Business| No | Yes | Yes | Azure AD join supports both versions of TPM, but requires TPM with keyed-hash message authentication code (HMAC) and Endorsement Key (EK) certificate for key attestation support. + Windows Defender System Guard (DRTM) | Yes | No | Yes | TPM 2.0 and UEFI firmware is required. + Credential Guard | No | Yes | Yes | Windows 10, version 1507 (End of Life as of May 2017) only supported TPM 2.0 for Credential Guard. Beginning with Windows 10, version 1511, TPM 1.2 and 2.0 are supported. Paired with Windows Defender System Guard, TPM 2.0 provides enhanced security for Credential Guard. Windows 11 requires TPM 2.0 by default to facilitate easier enablement of this enhanced security for customers. + Device Health Attestation| Yes | Yes | Yes | TPM 2.0 is recommended since it supports newer cryptographic algorithms. TPM 1.2 only supports the SHA-1 algorithm which is being deprecated. + Windows Hello/Windows Hello for Business| No | Yes | Yes | Azure AD join supports both versions of TPM, but requires TPM with keyed-hash message authentication code (HMAC) and Endorsement Key (EK) certificate for key attestation support. TPM 2.0 is recommended over TPM 1.2 for better performance and security. Windows Hello as a FIDO platform authenticator will take advantage of TPM 2.0 for key storage. UEFI Secure Boot | No | Yes | Yes TPM Platform Crypto Provider Key Storage Provider| Yes | Yes | Yes Virtual Smart Card | Yes | Yes | Yes Certificate storage | No | Yes | Yes | TPM is only required when the certificate is stored in the TPM. Autopilot | No | N/A | Yes | If you intend to deploy a scenario which requires TPM (such as white glove and self-deploying mode), then TPM 2.0 and UEFI firmware are required. SecureBIO | Yes | No | Yes | TPM 2.0 and UEFI firmware is required. - DRTM | Yes | No | Yes | TPM 2.0 and UEFI firmware is required. ## OEM Status on TPM 2.0 system availability and certified parts @@ -133,4 +132,4 @@ Government customers and enterprise customers in regulated industries may have a ## Related topics -- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics) \ No newline at end of file +- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics) From 46f1dd1f676094fb8b63692ebfe2ecd4cb04e8a7 Mon Sep 17 00:00:00 2001 From: David Strome Date: Fri, 25 Jun 2021 13:34:41 -0700 Subject: [PATCH 396/415] Remove SV docset --- .openpublishing.publish.config.json | 14 -------- windows/sv/TOC.yml | 5 --- windows/sv/breadcrumb/toc.yml | 3 -- windows/sv/docfx.json | 51 ----------------------------- windows/sv/index.md | 11 ------- 5 files changed, 84 deletions(-) delete mode 100644 windows/sv/TOC.yml delete mode 100644 windows/sv/breadcrumb/toc.yml delete mode 100644 windows/sv/docfx.json delete mode 100644 windows/sv/index.md diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json index 32eb1b181b..f9ebdac192 100644 --- a/.openpublishing.publish.config.json +++ b/.openpublishing.publish.config.json @@ -129,20 +129,6 @@ "build_entry_point": "docs", "template_folder": "_themes" }, - { - "docset_name": "sv", - "build_source_folder": "windows/sv", - "build_output_subfolder": "sv", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, { "docset_name": "win-access-protection", "build_source_folder": "windows/access-protection", diff --git a/windows/sv/TOC.yml b/windows/sv/TOC.yml deleted file mode 100644 index 01da3e1c0a..0000000000 --- a/windows/sv/TOC.yml +++ /dev/null @@ -1,5 +0,0 @@ -- name: Index - href: index.md - - - diff --git a/windows/sv/breadcrumb/toc.yml b/windows/sv/breadcrumb/toc.yml deleted file mode 100644 index 48236190f9..0000000000 --- a/windows/sv/breadcrumb/toc.yml +++ /dev/null @@ -1,3 +0,0 @@ -- name: Docs - tocHref: / - topicHref: / diff --git a/windows/sv/docfx.json b/windows/sv/docfx.json deleted file mode 100644 index e7955464fe..0000000000 --- a/windows/sv/docfx.json +++ /dev/null @@ -1,51 +0,0 @@ -{ - "build": { - "content": [ - { - "files": [ - "**/*.md", - "**/*.yml" - ], - "exclude": [ - "**/obj/**", - "**/includes/**", - "_themes/**", - "_themes.pdf/**", - "**/docfx.json", - "_repo.en-us/**", - "README.md", - "LICENSE", - "LICENSE-CODE", - "ThirdPartyNotices.md" - ] - } - ], - "resource": [ - { - "files": [ - "**/*.png", - "**/*.jpg" - ], - "exclude": [ - "**/obj/**", - "**/includes/**", - "_themes/**", - "_themes.pdf/**", - "**/docfx.json", - "_repo.en-us/**" - ] - } - ], - "overwrite": [], - "externalReference": [], - "globalMetadata": { - "breadcrumb_path": "/windows/windows-11/breadcrumb/toc.json", - "extendBreadcrumb": true, - "feedback_system": "None" - }, - "fileMetadata": {}, - "template": [], - "dest": "windows-11", - "markdownEngineName": "markdig" - } -} \ No newline at end of file diff --git a/windows/sv/index.md b/windows/sv/index.md deleted file mode 100644 index 7a31c42d39..0000000000 --- a/windows/sv/index.md +++ /dev/null @@ -1,11 +0,0 @@ ---- -title: SV -description: SV -ms.prod: w10 -manager: laurawi -ms.topic: article -author: greg-lindsay -ms.author: greglin ---- - -# . \ No newline at end of file From 270bf2a633662cd9a2f668a9d843010747381bec Mon Sep 17 00:00:00 2001 From: v-hearya Date: Sat, 26 Jun 2021 02:25:05 +0530 Subject: [PATCH 397/415] developer-faq.md converted into YML --- windows/security/threat-protection/TOC.yml | 2 +- .../threat-protection/intelligence/TOC.yml | 2 +- .../intelligence/developer-faq.md | 51 ---------------- .../intelligence/developer-faq.yml | 60 +++++++++++++++++++ .../intelligence/developer-resources.md | 2 +- 5 files changed, 63 insertions(+), 54 deletions(-) delete mode 100644 windows/security/threat-protection/intelligence/developer-faq.md create mode 100644 windows/security/threat-protection/intelligence/developer-faq.yml diff --git a/windows/security/threat-protection/TOC.yml b/windows/security/threat-protection/TOC.yml index 3c8e12e04c..e310d0d993 100644 --- a/windows/security/threat-protection/TOC.yml +++ b/windows/security/threat-protection/TOC.yml @@ -224,7 +224,7 @@ - name: Information for developers items: - name: Software developer FAQ - href: intelligence/developer-faq.md + href: intelligence/developer-faq.yml - name: Software developer resources href: intelligence/developer-resources.md - name: The Windows Security app diff --git a/windows/security/threat-protection/intelligence/TOC.yml b/windows/security/threat-protection/intelligence/TOC.yml index 6c1f372f77..eb239b51c5 100644 --- a/windows/security/threat-protection/intelligence/TOC.yml +++ b/windows/security/threat-protection/intelligence/TOC.yml @@ -55,6 +55,6 @@ - name: Information for developers items: - name: Software developer FAQ - href: developer-faq.md + href: developer-faq.yml - name: Software developer resources href: developer-resources.md diff --git a/windows/security/threat-protection/intelligence/developer-faq.md b/windows/security/threat-protection/intelligence/developer-faq.md deleted file mode 100644 index 73ca4ec48c..0000000000 --- a/windows/security/threat-protection/intelligence/developer-faq.md +++ /dev/null @@ -1,51 +0,0 @@ ---- -title: Software developer FAQ -ms.reviewer: -description: This page provides answers to common questions we receive from software developers -keywords: wdsi, software, developer, faq, dispute, false-positive, classify, installer, software, bundler, blocking -search.product: eADQiWindows 10XVcnh -ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: dansimp -author: dansimp -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article -ms.technology: mde ---- - -# Software developer FAQ - -This page provides answers to common questions we receive from software developers. For general guidance about submitting malware or incorrectly detected files, read the submission guide. - -## Does Microsoft accept files for a known list or false-positive prevention program? - -No. We don't accept these requests from software developers. Signing your program's files in a consistent manner, with a digital certificate issued by a trusted root authority, helps our research team quickly identify the source of a program and apply previously gained knowledge. In some cases, this might result in your program being quickly added to the known list. Far less frequently, in will add your digital certificate to a list of trusted publishers. - -## How do I dispute the detection of my program? - -Submit the file in question as a software developer. Wait until your submission has a final determination. - -If you're not satisfied with our determination of the submission, use the developer contact form provided with the submission results to reach Microsoft. We'll use the information you provide to investigate further if necessary. - -We encourage all software vendors and developers to read about [how Microsoft identifies malware and Potentially Unwanted Applications (PUA)](criteria.md). - -## Why is Microsoft asking for a copy of my program? - -Providing copies can help us with our analysis. Participants of the [Microsoft Active Protection Service (MAPS)](https://www.microsoft.com/msrc/mapp) may occasionally receive these requests. The requests will stop once our systems have received and processed the file. - -## Why does Microsoft classify my installer as a software bundler? - -It contains instructions to offer a program classified as unwanted software. You can review the [criteria](criteria.md) we use to check applications for behaviors that are considered unwanted. - -## Why is the Windows Defender Firewall blocking my program? - -Firewall blocks aren't related to Microsoft Defender Antivirus and other Microsoft antimalware. [Learn about Windows Defender Firewall](../windows-firewall/windows-firewall-with-advanced-security.md). - -## Why does the Microsoft Defender Windows Defender SmartScreen say my program isn't commonly downloaded? - -This isn't related to Microsoft Defender Antivirus and other Microsoft antimalware. [Learn about Microsoft Defender Windows Defender SmartScreen](../microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md) \ No newline at end of file diff --git a/windows/security/threat-protection/intelligence/developer-faq.yml b/windows/security/threat-protection/intelligence/developer-faq.yml new file mode 100644 index 0000000000..04300736d9 --- /dev/null +++ b/windows/security/threat-protection/intelligence/developer-faq.yml @@ -0,0 +1,60 @@ +### YamlMime:FAQ +metadata: + title: Software developer FAQ + ms.reviewer: + description: This page provides answers to common questions we receive from software developers + keywords: wdsi, software, developer, faq, dispute, false-positive, classify, installer, software, bundler, blocking + search.product: eADQiWindows 10XVcnh + ms.prod: m365-security + ms.mktglfcycl: deploy + ms.sitesec: library + ms.pagetype: security + ms.author: dansimp + author: dansimp + ms.localizationpriority: medium + manager: dansimp + audience: ITPro + ms.collection: M365-security-compliance + ms.topic: article + ms.technology: mde + +title: Software developer FAQ +summary: This page provides answers to common questions we receive from software developers. For general guidance about submitting malware or incorrectly detected files, read the submission guide. + + +sections: + - name: Ignored + questions: + - question: | + Does Microsoft accept files for a known list or false-positive prevention program? + answer: | + No. We don't accept these requests from software developers. Signing your program's files in a consistent manner, with a digital certificate issued by a trusted root authority, helps our research team quickly identify the source of a program and apply previously gained knowledge. In some cases, this might result in your program being quickly added to the known list. Far less frequently, in will add your digital certificate to a list of trusted publishers. + + - question: | + How do I dispute the detection of my program? + answer: | + Submit the file in question as a software developer. Wait until your submission has a final determination. + + If you're not satisfied with our determination of the submission, use the developer contact form provided with the submission results to reach Microsoft. We'll use the information you provide to investigate further if necessary. + + We encourage all software vendors and developers to read about [how Microsoft identifies malware and Potentially Unwanted Applications (PUA)](criteria.md). + + - question: | + Why is Microsoft asking for a copy of my program? + answer: | + Providing copies can help us with our analysis. Participants of the [Microsoft Active Protection Service (MAPS)](https://www.microsoft.com/msrc/mapp) may occasionally receive these requests. The requests will stop once our systems have received and processed the file. + + - question: | + Why does Microsoft classify my installer as a software bundler? + answer: | + It contains instructions to offer a program classified as unwanted software. You can review the [criteria](criteria.md) we use to check applications for behaviors that are considered unwanted. + + - question: | + Why is the Windows Defender Firewall blocking my program? + answer: | + Firewall blocks aren't related to Microsoft Defender Antivirus and other Microsoft antimalware. [Learn about Windows Defender Firewall](../windows-firewall/windows-firewall-with-advanced-security.md). + + - question: | + Why does the Microsoft Defender Windows Defender SmartScreen say my program isn't commonly downloaded? + answer: | + This isn't related to Microsoft Defender Antivirus and other Microsoft antimalware. [Learn about Microsoft Defender Windows Defender SmartScreen](../microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md) diff --git a/windows/security/threat-protection/intelligence/developer-resources.md b/windows/security/threat-protection/intelligence/developer-resources.md index 659eaad25b..3b7d080b28 100644 --- a/windows/security/threat-protection/intelligence/developer-resources.md +++ b/windows/security/threat-protection/intelligence/developer-resources.md @@ -37,7 +37,7 @@ To objectively identify malware and unidentified software, Microsoft applies a [ ### Developer questions -Find more guidance about the file submission and detection dispute process in our [FAQ for software developers](developer-faq.md). +Find more guidance about the file submission and detection dispute process in our [FAQ for software developers](developer-faq.yml). ### Scan your software From faeaeaddf09933dc0263f9b89e76065217129b2c Mon Sep 17 00:00:00 2001 From: Jordan Geurten Date: Fri, 25 Jun 2021 14:17:28 -0700 Subject: [PATCH 398/415] Removed duplicate block events and file IOCs not intended to be blocked --- ...icrosoft-recommended-driver-block-rules.md | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md index 7d56cdbe9e..835c6da8f0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md @@ -126,6 +126,40 @@ Microsoft recommends enabling [HVCI](https://docs.microsoft.com/windows/security + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -351,6 +385,40 @@ Microsoft recommends enabling [HVCI](https://docs.microsoft.com/windows/security + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + From 8d5d5e2f5ad1cf5ec2d42c19692250213fa9a3cd Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Fri, 25 Jun 2021 16:20:23 -0700 Subject: [PATCH 399/415] Acrolinx "a existing" --- .../security/information-protection/tpm/tpm-recommendations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/tpm/tpm-recommendations.md b/windows/security/information-protection/tpm/tpm-recommendations.md index 6bde2d3d8d..2a29a3881a 100644 --- a/windows/security/information-protection/tpm/tpm-recommendations.md +++ b/windows/security/information-protection/tpm/tpm-recommendations.md @@ -95,7 +95,7 @@ For end consumers, TPM is behind the scenes but is still very relevant. TPM is u ### Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) -- Since July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of a existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7 of the [Minimum hardware requirements](/windows-hardware/design/minimum/minimum-hardware-requirements-overview) page). The requirement to enable TPM 2.0 only applies to the manufacturing of new devices. For TPM recommendations for specific Windows features, see [TPM and Windows Features](#tpm-and-windows-features). +- Since July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of an existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7 of the [Minimum hardware requirements](/windows-hardware/design/minimum/minimum-hardware-requirements-overview) page). The requirement to enable TPM 2.0 only applies to the manufacturing of new devices. For TPM recommendations for specific Windows features, see [TPM and Windows Features](#tpm-and-windows-features). ### IoT Core From c163663490a9c6b53e407a7ea2145407739cac0d Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Fri, 25 Jun 2021 16:20:54 -0700 Subject: [PATCH 400/415] Fixed broken note --- .../security/information-protection/tpm/tpm-recommendations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/tpm/tpm-recommendations.md b/windows/security/information-protection/tpm/tpm-recommendations.md index 2a29a3881a..658a7d98d5 100644 --- a/windows/security/information-protection/tpm/tpm-recommendations.md +++ b/windows/security/information-protection/tpm/tpm-recommendations.md @@ -72,7 +72,7 @@ TPM 2.0 products and systems have important security advantages over TPM 1.2, in > [!NOTE] > TPM 2.0 is not supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security Enable the Secure Boot feature. - +> > Installed Operating System on hardware in legacy mode will stop the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](/windows/deployment/mbr-to-gpt) before changing the BIOS mode which will prepare the OS and the disk to support UEFI. ## Discrete, Integrated or Firmware TPM? From f19fe3f304c3519cb505ea0a608ede95fd59bc9a Mon Sep 17 00:00:00 2001 From: Michael Howard Date: Sat, 26 Jun 2021 11:38:08 -0500 Subject: [PATCH 401/415] Fixed error in Principal Self SID --- .../identity-protection/access-control/special-identities.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/access-control/special-identities.md b/windows/security/identity-protection/access-control/special-identities.md index 0dc6406a6d..f0c84a4b48 100644 --- a/windows/security/identity-protection/access-control/special-identities.md +++ b/windows/security/identity-protection/access-control/special-identities.md @@ -282,7 +282,7 @@ This group implicitly includes all users who are logged on to the system through ## Principal Self -This identify is a placeholder in an ACE on a user, group, or computer object in Active Directory. When you grant permissions to Principal Self, you grant them to the security principal that is represented by the object. During an access check, the operating system replaces the SID for Principal Self with the SID for the security principal that is represented by the object. +This identity is a placeholder in an ACE on a user, group, or computer object in Active Directory. When you grant permissions to Principal Self, you grant them to the security principal that is represented by the object. During an access check, the operating system replaces the SID for Principal Self with the SID for the security principal that is represented by the object. | **Attribute** | **Value** | | :--: | :--: | From f3a48169fa776b759e5f8f8e5dd3d4fa6c113b4a Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Sun, 27 Jun 2021 15:03:31 +0530 Subject: [PATCH 402/415] Update Language-pack-management-csp.md --- windows/client-management/mdm/Language-pack-management-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md index 2e9d2f4140..d5266e8bf7 100644 --- a/windows/client-management/mdm/Language-pack-management-csp.md +++ b/windows/client-management/mdm/Language-pack-management-csp.md @@ -24,7 +24,7 @@ GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages /zh-CN/Provide GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages /ja-JP/Providers ``` -The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is the bit map representation of either **language pack (features)** or **LXPs**. The value of **1** indicates the language pack installed is a System Language Pack (non-LXP), **2** indidcates that the LXP is installed. **3** indicates that both are installed. +The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is the bit map representation of either **language pack (features)** or **LXPs**. The value of **1** indicates the language pack installed is a System Language Pack (non-LXP), **2** indicates that the LXP is installed. **3** indicates that both are installed. 2. Install language pack features with the EXECUTE command on the **StartInstall** node of the language. For example, From 305560033d5d1e7ffb8db62e7b65ef3e963d4201 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Sun, 27 Jun 2021 17:01:16 +0530 Subject: [PATCH 403/415] Updated --- .../mdm/Language-pack-management-csp.md | 64 ++++++------------- .../policy-configuration-service-provider.md | 9 +++ 2 files changed, 29 insertions(+), 44 deletions(-) diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md index d5266e8bf7..3c7af93899 100644 --- a/windows/client-management/mdm/Language-pack-management-csp.md +++ b/windows/client-management/mdm/Language-pack-management-csp.md @@ -1,5 +1,5 @@ --- -title: Language Pack Management CSP +title: Language Pack Management CSP description: Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10. ms.reviewer: manager: dansimp @@ -14,64 +14,40 @@ ms.date: 06/22/2021 # Language Pack Management CSP -The Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10. A separate CSP exists to provision optional Features On Demand (FOD) which include handwriting recognition, text-to-speech, etc. associated with a language. Device management tools such as Intune can use management commands remotely to devices to configure language related settings. +The Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10 and Windows 10 X. A separate CSP exists to allow provisioning of [optional FODs](/windows-hardware/manufacture/desktop/features-on-demand-language-fod) (Handwriting recognition, Text-to-speech etc.) associated with a language. MDMs like Intune can use management commands remotely to devices to configure language related settings. -1. List the installed languages with GET command on the "InstalledLanguges" node. For example: +1. Enumerate installed languages with GET command on the "InstalledLanguages" node + + ***GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages** + **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/zh-CN/Providers** + **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/ja-JP/Providers*** -``` -GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages -GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages /zh-CN/Providers -GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages /ja-JP/Providers -``` -The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is the bit map representation of either **language pack (features)** or **LXPs**. The value of **1** indicates the language pack installed is a System Language Pack (non-LXP), **2** indicates that the LXP is installed. **3** indicates that both are installed. + The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is the bit map representation of either [language pack (features)](/windows-hardware/manufacture/desktop/available-language-packs-for-windows) or [LXPs](https://www.microsoft.com/en-us/store/collections/localexperiencepacks?cat0=devices&rtc=1). The value of **1** indicates the language pack installed is a System Language Pack (non-LXP), **2** indicates that the LXP is installed. **3** indicates that both are installed. 2. Install language pack features with the EXECUTE command on the **StartInstall** node of the language. For example, -``` -**ADD./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/** -**EXECUTE./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/StartInstallation** -``` + ***ADD./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/** + **EXECUTE./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/StartInstallation*** -The installation is an asynchronous operation. You can query the **Status** node by using the following commands: + The installation is an asynchronous operation. You can query the **Status** node by using the following commands: -``` -**GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/Status** -**GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/ErrorCode** -``` + *****GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/Status**** + ***GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/ErrorCode*** -Return value definitions are: - -- 0 – Not started -- 1 – In process -- 2 – Succeeded -- 3 – Failed. ErrorCode is a HRESULT that could help you diagnose the issue and why installation failed + Status: 0 – not started; 1 – in process; 2 – succeeded; 3 – failed. ErrorCode is a HRESULT that could help diagnosis if the installation failed. > [!NOTE] -> If the IT administrator has not set the policy of blocking cleanup of unused language packs, then this command will fail. +> If IT admin has NOT set the policy of blocking cleanup of unused language packs, this command will fail. -3. Delete installed Language with the DELETE command on the installed language tag. The deletion will run in background, and admins can query the installed language later and resend the command if needed. +3. Delete installed Language with the DELETE command on the installed language tag. The delete command is a fire and forget operation. The deletion will run in background. IT admin can query the installed language later and resend the command if needed. -Sample command -``` -**DELETE ./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages /zh-CN (Delete command)** -``` + + ***DELETE ./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages /zh-CN(Delete command)*** 4. Get/Set System Preferred UI Language with GET or REPLACE command on the "SystemPreferredUILanguages" Node -Sample command -``` -**./Device/Vendor/MSFT/LanguagePackManagement/LanguageSettings/SystemPreferredUILanguages** -``` - - - - - - - - - - + **.*/Device/Vendor/MSFT/LanguagePackManagement/LanguageSettings/SystemPreferredUILanguages*** + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index fbe229c166..329281e328 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -1371,6 +1371,7 @@ The following diagram shows the Policy configuration service provider in tree fo

+ ## ADMX_ICM policies
@@ -6781,6 +6782,14 @@ The following diagram shows the Policy configuration service provider in tree fo
+### Language Pack Management CSP policies + +
+
+ LanmanWorkstation/EnableInsecureGuestLogons +
+
+ ### Licensing policies
From 6b6be2cac41decb77f9ded8b594274a4956cc761 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Sun, 27 Jun 2021 23:45:45 +0530 Subject: [PATCH 404/415] Updated --- .../mdm/Language-pack-management-csp.md | 21 +++++++++++-------- ...onfiguration-service-provider-reference.md | 1 + 2 files changed, 13 insertions(+), 9 deletions(-) diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md index 3c7af93899..f4a96bb39f 100644 --- a/windows/client-management/mdm/Language-pack-management-csp.md +++ b/windows/client-management/mdm/Language-pack-management-csp.md @@ -18,22 +18,25 @@ The Language Pack Management CSP allows a direct way to provision language packs 1. Enumerate installed languages with GET command on the "InstalledLanguages" node - ***GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages** + **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages** **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/zh-CN/Providers** - **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/ja-JP/Providers*** + **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/ja-JP/Providers** - The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is the bit map representation of either [language pack (features)](/windows-hardware/manufacture/desktop/available-language-packs-for-windows) or [LXPs](https://www.microsoft.com/en-us/store/collections/localexperiencepacks?cat0=devices&rtc=1). The value of **1** indicates the language pack installed is a System Language Pack (non-LXP), **2** indicates that the LXP is installed. **3** indicates that both are installed. + The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is the bit map representation of either [language pack (features)](/windows-hardware/manufacture/desktop/available-language-packs-for-windows) or [LXPs](https://www.microsoft.com/en-us/store/collections/localexperiencepacks?cat0=devices&rtc=1). + - Indicates the language pack installed is a System Language Pack (non-LXP) + - Indicates that the LXP is installed. + - Indicates that both are installed. 2. Install language pack features with the EXECUTE command on the **StartInstall** node of the language. For example, - ***ADD./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/** - **EXECUTE./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/StartInstallation*** + **ADD./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/** + **EXECUTE./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/StartInstallation** The installation is an asynchronous operation. You can query the **Status** node by using the following commands: - *****GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/Status**** - ***GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/ErrorCode*** + **GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/Status** + **GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/ErrorCode** Status: 0 – not started; 1 – in process; 2 – succeeded; 3 – failed. ErrorCode is a HRESULT that could help diagnosis if the installation failed. @@ -43,11 +46,11 @@ The Language Pack Management CSP allows a direct way to provision language packs 3. Delete installed Language with the DELETE command on the installed language tag. The delete command is a fire and forget operation. The deletion will run in background. IT admin can query the installed language later and resend the command if needed. - ***DELETE ./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages /zh-CN(Delete command)*** + **DELETE./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/zh-CN(Delete command)** 4. Get/Set System Preferred UI Language with GET or REPLACE command on the "SystemPreferredUILanguages" Node - **.*/Device/Vendor/MSFT/LanguagePackManagement/LanguageSettings/SystemPreferredUILanguages*** + **./Device/Vendor/MSFT/LanguagePackManagement/LanguageSettings/SystemPreferredUILanguages** \ No newline at end of file diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 679a0aabe7..4f9dd3d9da 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -1302,6 +1302,7 @@ Additional lists: check mark check mark cross mark + cross mark From 79aa1ec40fdb67558946ea5a0a45fe963b91e092 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Mon, 28 Jun 2021 00:02:45 +0530 Subject: [PATCH 405/415] Updated --- .../mdm/Language-pack-management-csp.md | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md index f4a96bb39f..dab7171589 100644 --- a/windows/client-management/mdm/Language-pack-management-csp.md +++ b/windows/client-management/mdm/Language-pack-management-csp.md @@ -3,7 +3,7 @@ title: Language Pack Management CSP description: Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10. ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: v-nsatapathy ms.topic: article ms.prod: w10 ms.technology: windows @@ -14,16 +14,15 @@ ms.date: 06/22/2021 # Language Pack Management CSP -The Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10 and Windows 10 X. A separate CSP exists to allow provisioning of [optional FODs](/windows-hardware/manufacture/desktop/features-on-demand-language-fod) (Handwriting recognition, Text-to-speech etc.) associated with a language. MDMs like Intune can use management commands remotely to devices to configure language related settings. +The Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10 and Windows 10 X. A separate CSP exists to allow provisioning of [optional FODs](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-language-fod) (Handwriting recognition, Text-to-speech, and so on) associated with a language. MDMs like Intune can use management commands remotely to devices to configure language related settings. 1. Enumerate installed languages with GET command on the "InstalledLanguages" node - **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages** - **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/zh-CN/Providers** - **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/ja-JP/Providers** + **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages** + **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/zh-CN/Providers** + **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/ja-JP/Providers** - - The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is the bit map representation of either [language pack (features)](/windows-hardware/manufacture/desktop/available-language-packs-for-windows) or [LXPs](https://www.microsoft.com/en-us/store/collections/localexperiencepacks?cat0=devices&rtc=1). + The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is the bit map representation of either [language pack (feature)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/available-language-packs-for-windows) or [LXPs](https://www.microsoft.com/en-us/store/collections/localexperiencepacks?cat0=devices&rtc=1). - Indicates the language pack installed is a System Language Pack (non-LXP) - Indicates that the LXP is installed. - Indicates that both are installed. @@ -52,5 +51,3 @@ The Language Pack Management CSP allows a direct way to provision language packs **./Device/Vendor/MSFT/LanguagePackManagement/LanguageSettings/SystemPreferredUILanguages** - - \ No newline at end of file From 127f9618472920da0a49c483a55b616a65dc73de Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Mon, 28 Jun 2021 00:08:19 +0530 Subject: [PATCH 406/415] Update Language-pack-management-csp.md --- windows/client-management/mdm/Language-pack-management-csp.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md index dab7171589..4dbd9ec98a 100644 --- a/windows/client-management/mdm/Language-pack-management-csp.md +++ b/windows/client-management/mdm/Language-pack-management-csp.md @@ -14,7 +14,7 @@ ms.date: 06/22/2021 # Language Pack Management CSP -The Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10 and Windows 10 X. A separate CSP exists to allow provisioning of [optional FODs](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-language-fod) (Handwriting recognition, Text-to-speech, and so on) associated with a language. MDMs like Intune can use management commands remotely to devices to configure language related settings. +The Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10 and Windows 10 X. A separate CSP exists to allow provisioning of "optional FODs" (Handwriting recognition, Text-to-speech, and so on) associated with a language. MDMs like Intune can use management commands remotely to devices to configure language related settings. 1. Enumerate installed languages with GET command on the "InstalledLanguages" node @@ -22,7 +22,7 @@ The Language Pack Management CSP allows a direct way to provision language packs **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/zh-CN/Providers** **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/ja-JP/Providers** - The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is the bit map representation of either [language pack (feature)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/available-language-packs-for-windows) or [LXPs](https://www.microsoft.com/en-us/store/collections/localexperiencepacks?cat0=devices&rtc=1). + The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is the bit map representation of either "language pack (feature)" or [LXPs](https://www.microsoft.com/en-us/store/collections/localexperiencepacks?cat0=devices&rtc=1). - Indicates the language pack installed is a System Language Pack (non-LXP) - Indicates that the LXP is installed. - Indicates that both are installed. From 4497fee51b2b1d8d1176a86ce303d395849492cc Mon Sep 17 00:00:00 2001 From: Diana Hanson Date: Mon, 28 Jun 2021 09:34:58 -0600 Subject: [PATCH 407/415] Apply suggestions from code review --- windows/client-management/mdm/Language-pack-management-csp.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md index 4dbd9ec98a..40b8e8546f 100644 --- a/windows/client-management/mdm/Language-pack-management-csp.md +++ b/windows/client-management/mdm/Language-pack-management-csp.md @@ -22,7 +22,7 @@ The Language Pack Management CSP allows a direct way to provision language packs **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/zh-CN/Providers** **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/ja-JP/Providers** - The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is the bit map representation of either "language pack (feature)" or [LXPs](https://www.microsoft.com/en-us/store/collections/localexperiencepacks?cat0=devices&rtc=1). + The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is the bit map representation of either "language pack (feature)" or [LXPs](https://www.microsoft.com/store/collections/localexperiencepacks?cat0=devices&rtc=1). - Indicates the language pack installed is a System Language Pack (non-LXP) - Indicates that the LXP is installed. - Indicates that both are installed. @@ -40,7 +40,7 @@ The Language Pack Management CSP allows a direct way to provision language packs Status: 0 – not started; 1 – in process; 2 – succeeded; 3 – failed. ErrorCode is a HRESULT that could help diagnosis if the installation failed. > [!NOTE] -> If IT admin has NOT set the policy of blocking cleanup of unused language packs, this command will fail. + > If IT admin has NOT set the policy of blocking cleanup of unused language packs, this command will fail. 3. Delete installed Language with the DELETE command on the installed language tag. The delete command is a fire and forget operation. The deletion will run in background. IT admin can query the installed language later and resend the command if needed. From b20ff81b07a24be019f09cc0aad92c4462c4f700 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Mon, 28 Jun 2021 08:38:48 -0700 Subject: [PATCH 408/415] Update windows/client-management/mdm/Language-pack-management-csp.md Co-authored-by: Diana Hanson --- windows/client-management/mdm/Language-pack-management-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md index 40b8e8546f..0a1e9f72a4 100644 --- a/windows/client-management/mdm/Language-pack-management-csp.md +++ b/windows/client-management/mdm/Language-pack-management-csp.md @@ -39,7 +39,7 @@ The Language Pack Management CSP allows a direct way to provision language packs Status: 0 – not started; 1 – in process; 2 – succeeded; 3 – failed. ErrorCode is a HRESULT that could help diagnosis if the installation failed. -> [!NOTE] + > [!NOTE] > If IT admin has NOT set the policy of blocking cleanup of unused language packs, this command will fail. 3. Delete installed Language with the DELETE command on the installed language tag. The delete command is a fire and forget operation. The deletion will run in background. IT admin can query the installed language later and resend the command if needed. From acbcb2af334d511dc268af19e4df7e533063b797 Mon Sep 17 00:00:00 2001 From: Diana Hanson Date: Mon, 28 Jun 2021 09:40:57 -0600 Subject: [PATCH 409/415] Pencil edit indenting note --- windows/client-management/mdm/Language-pack-management-csp.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md index 0a1e9f72a4..ab539346d8 100644 --- a/windows/client-management/mdm/Language-pack-management-csp.md +++ b/windows/client-management/mdm/Language-pack-management-csp.md @@ -39,8 +39,8 @@ The Language Pack Management CSP allows a direct way to provision language packs Status: 0 – not started; 1 – in process; 2 – succeeded; 3 – failed. ErrorCode is a HRESULT that could help diagnosis if the installation failed. - > [!NOTE] - > If IT admin has NOT set the policy of blocking cleanup of unused language packs, this command will fail. + > [!NOTE] + > If IT admin has NOT set the policy of blocking cleanup of unused language packs, this command will fail. 3. Delete installed Language with the DELETE command on the installed language tag. The delete command is a fire and forget operation. The deletion will run in background. IT admin can query the installed language later and resend the command if needed. From a8a6c1e53d2a0314b4d7c60e8f47b8d809c74d6f Mon Sep 17 00:00:00 2001 From: Diana Hanson Date: Mon, 28 Jun 2021 09:45:44 -0600 Subject: [PATCH 410/415] Pencil edit indent note more --- windows/client-management/mdm/Language-pack-management-csp.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md index ab539346d8..0a1e9f72a4 100644 --- a/windows/client-management/mdm/Language-pack-management-csp.md +++ b/windows/client-management/mdm/Language-pack-management-csp.md @@ -39,8 +39,8 @@ The Language Pack Management CSP allows a direct way to provision language packs Status: 0 – not started; 1 – in process; 2 – succeeded; 3 – failed. ErrorCode is a HRESULT that could help diagnosis if the installation failed. - > [!NOTE] - > If IT admin has NOT set the policy of blocking cleanup of unused language packs, this command will fail. + > [!NOTE] + > If IT admin has NOT set the policy of blocking cleanup of unused language packs, this command will fail. 3. Delete installed Language with the DELETE command on the installed language tag. The delete command is a fire and forget operation. The deletion will run in background. IT admin can query the installed language later and resend the command if needed. From ac723009ef483f88684707563a95f415dc7d7b1a Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Mon, 28 Jun 2021 08:49:57 -0700 Subject: [PATCH 411/415] term updates --- windows/client-management/mdm/policy-csp-admx-printing.md | 6 +++--- windows/client-management/windows-10-mobile-and-mdm.md | 2 +- .../deployment/upgrade/upgrade-windows-phone-8-1-to-10.md | 2 +- windows/security/threat-protection/auditing/event-4624.md | 2 +- windows/security/threat-protection/auditing/event-4648.md | 2 +- windows/security/threat-protection/auditing/event-4688.md | 2 +- windows/security/threat-protection/auditing/event-4696.md | 2 +- windows/security/threat-protection/auditing/event-4703.md | 2 +- windows/security/threat-protection/auditing/event-4704.md | 2 +- windows/security/threat-protection/auditing/event-4705.md | 2 +- windows/security/threat-protection/auditing/event-4717.md | 2 +- windows/security/threat-protection/auditing/event-4718.md | 2 +- windows/security/threat-protection/auditing/event-4732.md | 2 +- windows/security/threat-protection/auditing/event-4733.md | 2 +- windows/security/threat-protection/auditing/event-4751.md | 2 +- windows/security/threat-protection/auditing/event-4752.md | 2 +- windows/security/threat-protection/auditing/event-4768.md | 2 +- windows/security/threat-protection/auditing/event-4771.md | 2 +- windows/security/threat-protection/auditing/event-4776.md | 2 +- windows/security/threat-protection/auditing/event-4778.md | 2 +- windows/security/threat-protection/auditing/event-4779.md | 2 +- 21 files changed, 23 insertions(+), 23 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-printing.md b/windows/client-management/mdm/policy-csp-admx-printing.md index c831b4a527..3ed6f22a6c 100644 --- a/windows/client-management/mdm/policy-csp-admx-printing.md +++ b/windows/client-management/mdm/policy-csp-admx-printing.md @@ -1842,11 +1842,11 @@ Available in the latest Windows 10 Insider Preview Build. Announces the presence On domains with Active Directory, shared printer resources are available in Active Directory and are not announced. -If you enable this setting, the print spooler announces shared printers to the print browse master servers. +If you enable this setting, the print spooler announces shared printers to the print browse main servers. -If you disable this setting, shared printers are not announced to print browse master servers, even if Active Directory is not available. +If you disable this setting, shared printers are not announced to print browse main servers, even if Active Directory is not available. -If you do not configure this setting, shared printers are announced to browse master servers only when Active Directory is not available. +If you do not configure this setting, shared printers are announced to browse main servers only when Active Directory is not available. > [!NOTE] > A client license is used each time a client computer announces a printer to a print browse master on the domain. diff --git a/windows/client-management/windows-10-mobile-and-mdm.md b/windows/client-management/windows-10-mobile-and-mdm.md index 608f2041b2..47b2fc60cb 100644 --- a/windows/client-management/windows-10-mobile-and-mdm.md +++ b/windows/client-management/windows-10-mobile-and-mdm.md @@ -978,7 +978,7 @@ This is a list of attributes that are supported by DHA and can trigger the corre - **Boot Manager Version** The version of the Boot Manager running on the device. The HAS can check this version to determine whether the most current Boot Manager is running, which is more secure (trusted). - **Code integrity version** Specifies the version of code that is performing integrity checks during the boot sequence. The HAS can check this version to determine whether the most current version of code is running, which is more secure (trusted). - **Secure Boot Configuration Policy (SBCP) present** Specifies whether the hash of the custom SBCP is present. A device with an SBCP hash present is more trustworthy than a device without an SBCP hash. -- **Boot cycle whitelist** The view of the host platform between boot cycles as defined by the manufacturer compared to a published allow list. A device that complies with the allow list is more trustworthy (secure) than a device that is noncompliant. +- **Boot cycle allow list** The view of the host platform between boot cycles as defined by the manufacturer compared to a published allow list. A device that complies with the allow list is more trustworthy (secure) than a device that is noncompliant. #### Example scenario diff --git a/windows/deployment/upgrade/upgrade-windows-phone-8-1-to-10.md b/windows/deployment/upgrade/upgrade-windows-phone-8-1-to-10.md index 2876fbd034..d07348165d 100644 --- a/windows/deployment/upgrade/upgrade-windows-phone-8-1-to-10.md +++ b/windows/deployment/upgrade/upgrade-windows-phone-8-1-to-10.md @@ -32,7 +32,7 @@ This article describes how system administrators can upgrade eligible Windows Ph The Windows Phone 8.1 to Windows 10 Mobile upgrade uses an "opt-in" or "seeker" model. To determine if the device is eligible for an upgrade with MDM, see the [How to determine whether an upgrade is available for a device](#howto-upgrade-available) topic in this article. An eligible device must opt-in to be offered the upgrade. For consumers, the Windows 10 Mobile Upgrade Advisor app is available from the Windows Store to perform the opt-in. For Enterprises, Microsoft is offering a centralized management solution through MDM that can push a management policy to each eligible device to perform the opt-in. -If you use a list of allowed applications (app allow listing) with MDM, verify that system applications are allow-listed before you upgrade to Windows 10 Mobile. Also, be aware that there are [known issues](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whitelist) with app allow-lists that could adversely affect the device after you upgrade. +If you use a list of allowed applications (app allow listing) with MDM, verify that system applications are allow-listed before you upgrade to Windows 10 Mobile. Also, be aware that there are [known issues](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management) with app allow-lists that could adversely affect the device after you upgrade. Some enterprises might want to control the availability of the Windows 10 Mobile upgrade to their users. With the opt-in model, the enterprise can block the Upgrade Advisor app to prevent their users from upgrading prematurely. For more information about how to restrict the Upgrade Advisor app, see the [How to restrict the Upgrade Advisor app](#howto-restrict) section in this article. Enterprises that have restricted the Upgrade Advisor app can use the solution described in this article to select the upgrade timing on a per-device basis. diff --git a/windows/security/threat-protection/auditing/event-4624.md b/windows/security/threat-protection/auditing/event-4624.md index f34d8e3ae4..27db3be3f3 100644 --- a/windows/security/threat-protection/auditing/event-4624.md +++ b/windows/security/threat-protection/auditing/event-4624.md @@ -286,7 +286,7 @@ For 4624(S): An account was successfully logged on. | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **"New Logon\\Security ID"** that corresponds to the high-value account or accounts. | | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **"New Logon\\Security ID"** (with other information) to monitor how or when a particular account is being used. | | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **"New Logon\\Security ID"** that corresponds to the accounts that should never be used. | -| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a "allow list-only" action, review the **"New Logon\\Security ID"** for accounts that are outside the allow list. | +| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a "allow list-only" action, review the **"New Logon\\Security ID"** for accounts that are outside the allow list. | | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **"New Logon\\Security ID"** to see whether the account type is as expected. | | **External accounts**: You might be monitoring accounts from another domain, or "external" accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **"Subject\\Account Domain"** corresponding to accounts from another domain or "external" accounts. | | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **"New Logon\\Security ID"** that you are concerned about. | diff --git a/windows/security/threat-protection/auditing/event-4648.md b/windows/security/threat-protection/auditing/event-4648.md index 8483ee08ac..44eb565de4 100644 --- a/windows/security/threat-protection/auditing/event-4648.md +++ b/windows/security/threat-protection/auditing/event-4648.md @@ -179,7 +179,7 @@ The following table is similar to the table in [Appendix A: Security monitoring | **High-value accounts**: You might have high value domain or local accounts for which you need to monitor each action.
Examples of high value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** or “**Account Whose Credentials Were Used\\Security ID**” that correspond to the high value account or accounts. | | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** and “**Account Whose Credentials Were Used\\Security ID**” (with other information) to monitor how or when a particular account is being used. | | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** or “**Account Whose Credentials Were Used\\Security ID**” that correspond to the accounts that should never be used. | -| **Account allow list**: You might have a specific allow list of accounts that are allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** and “**Account Whose Credentials Were Used\\Security ID**” for accounts that are outside the allow list. | +| **Account allow list**: You might have a specific allow list of accounts that are allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** and “**Account Whose Credentials Were Used\\Security ID**” for accounts that are outside the allow list. | | **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform the action corresponding to this event. | Monitor for the **“Subject\\Account Domain”** or “**Account Whose Credentials Were Used\\Security ID**” corresponding to accounts from another domain or “external” accounts. | | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** or “**Account Whose Credentials Were Used\\Security ID**” that you are concerned about.
For example, you might monitor to ensure that “**Account Whose Credentials Were Used\\Security ID**” is not used to log on to a certain computer. | | **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** and “**Account Whose Credentials Were Used\\Security ID**” for names that don’t comply with naming conventions. | diff --git a/windows/security/threat-protection/auditing/event-4688.md b/windows/security/threat-protection/auditing/event-4688.md index 39167d9431..6e90a42a1e 100644 --- a/windows/security/threat-protection/auditing/event-4688.md +++ b/windows/security/threat-protection/auditing/event-4688.md @@ -193,7 +193,7 @@ For 4688(S): A new process has been created. | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor all events with the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** that corresponds to the high-value account or accounts. | | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** (with other information) to monitor how or when a particular account is being used. | | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor all events with the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** that corresponds to the accounts that should never be used. | -| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a "whitelist-only" action, review the **"Creator Subject\\Security ID"** and **"Target Subject\\Security ID"** for accounts that are outside the allow list. | +| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a "allow list-only" action, review the **"Creator Subject\\Security ID"** and **"Target Subject\\Security ID"** for accounts that are outside the allow list. | | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** to see whether the account type is as expected. | | **External accounts**: You might be monitoring accounts from another domain, or "external" accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor the specific events for the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** corresponding to accounts from another domain or "external" accounts. | | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** that you are concerned about. | diff --git a/windows/security/threat-protection/auditing/event-4696.md b/windows/security/threat-protection/auditing/event-4696.md index 520d0d5d1e..e35c7d44e0 100644 --- a/windows/security/threat-protection/auditing/event-4696.md +++ b/windows/security/threat-protection/auditing/event-4696.md @@ -153,7 +153,7 @@ For 4696(S): A primary token was assigned to process. | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** that corresponds to the high-value account or accounts. | | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** (with other information) to monitor how or when a particular account is being used. | | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** that corresponds to the accounts that should never be used. | -| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** and **“New Token Information\\Security ID”** for accounts that are outside the allow list. | +| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** and **“New Token Information\\Security ID”** for accounts that are outside the allow list. | | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** to see whether the account type is as expected. | | **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** corresponding to accounts from another domain or “external” accounts. | | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** that you are concerned about. | diff --git a/windows/security/threat-protection/auditing/event-4703.md b/windows/security/threat-protection/auditing/event-4703.md index 243fa17ce2..3d024b8ccf 100644 --- a/windows/security/threat-protection/auditing/event-4703.md +++ b/windows/security/threat-protection/auditing/event-4703.md @@ -195,7 +195,7 @@ Otherwise, see the recommendations in the following table. | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the high-value account or accounts. | | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** or “**Target Account\\Security ID**” that correspond to the accounts that should never be used. | -| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. Also check the “**Target Account\\Security ID**” and **“Enabled Privileges”** to see what was enabled. | +| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. Also check the “**Target Account\\Security ID**” and **“Enabled Privileges”** to see what was enabled. | | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. | | **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about.
Also check **“Target Account\\Security ID”** to see whether the change in privileges should be made on that computer for that account. | diff --git a/windows/security/threat-protection/auditing/event-4704.md b/windows/security/threat-protection/auditing/event-4704.md index 4dc7eb2c64..a4e0e07aa3 100644 --- a/windows/security/threat-protection/auditing/event-4704.md +++ b/windows/security/threat-protection/auditing/event-4704.md @@ -153,7 +153,7 @@ For 4704(S): A user right was assigned. | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the high-value account or accounts. | | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** or “**Target Account\\ Account Name**” that correspond to the accounts that should never be used. | -| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. Also check the “**Target Account\\Account Name**” and **“New Right”** to see what was enabled. | +| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. Also check the “**Target Account\\Account Name**” and **“New Right”** to see what was enabled. | | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. | | **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about.
Also check **“Target Account\\ Account Name”** to see whether the change in rights should be made on that computer for that account. | diff --git a/windows/security/threat-protection/auditing/event-4705.md b/windows/security/threat-protection/auditing/event-4705.md index 9478ffd125..83accc384e 100644 --- a/windows/security/threat-protection/auditing/event-4705.md +++ b/windows/security/threat-protection/auditing/event-4705.md @@ -152,7 +152,7 @@ For 4705(S): A user right was removed. | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the high-value account or accounts. | | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** or “**Target Account\\Account Name**” that correspond to the accounts that should never be used. | -| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list.
If you have specific user rights policies, for example, an allow list of accounts that can perform certain actions, monitor this event to confirm that it was appropriate that the “**Removed Right**” was removed from “**Target** **Account\\Account Name**.” | +| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list.
If you have specific user rights policies, for example, an allow list of accounts that can perform certain actions, monitor this event to confirm that it was appropriate that the “**Removed Right**” was removed from “**Target** **Account\\Account Name**.” | | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** and “**Target Account\\Account Name”** to see whether the account type is as expected.
For example, if some accounts have critical user rights which should never be removed, monitor this event for the **“Target** **Account\\Account Name”** and the appropriate rights.
As another example, if non-administrative accounts should never be granted certain user rights (for example, **SeAuditPrivilege**), you might monitor this event, because a right can be removed only after it was previously granted. | | **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. Also be sure to check “**Target Account\\Account Name**” to see whether user rights should be removed from that account (or whether that account should have any rights on that computer).
For high-value servers or other computers, we recommend that you track this event and investigate whether the specific “**Removed Right**” should be removed from “**Target** **Account\\Account Name**” in each case. | diff --git a/windows/security/threat-protection/auditing/event-4717.md b/windows/security/threat-protection/auditing/event-4717.md index 32576cdc3b..3b438e68d4 100644 --- a/windows/security/threat-protection/auditing/event-4717.md +++ b/windows/security/threat-protection/auditing/event-4717.md @@ -127,7 +127,7 @@ For 4717(S): System security access was granted to an account. | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and “**Account Modified\\Account Name”** that correspond to the high-value account or accounts. | | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the accounts that should never be used. | -| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list.
If you have specific user logon rights policies, for example, an allow list of accounts that can log on to certain computers, monitor this event to confirm that any “**Access Right**” was granted only to the appropriate “**Account Modified\\Account Name**.” | +| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list.
If you have specific user logon rights policies, for example, an allow list of accounts that can log on to certain computers, monitor this event to confirm that any “**Access Right**” was granted only to the appropriate “**Account Modified\\Account Name**.” | | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** and “**Account Modified\\Account Name”** to see whether the account type is as expected.
For example, if non-service accounts should never be granted certain logon rights (for example, **SeServiceLogonRight**), monitor this event for those accounts and rights. | | **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. Also be sure to check “**Account Modified\\Account Name**” to see whether logon rights should be granted to that account.
For high-value servers or other computers, we recommend that you track this event and investigate whether the specific “**Access Right**” should be granted to “**Account Modified\\Account Name**” in each case. | diff --git a/windows/security/threat-protection/auditing/event-4718.md b/windows/security/threat-protection/auditing/event-4718.md index 2c7f91f8c7..75f96131fe 100644 --- a/windows/security/threat-protection/auditing/event-4718.md +++ b/windows/security/threat-protection/auditing/event-4718.md @@ -127,7 +127,7 @@ For 4718(S): System security access was removed from an account. | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and “**Account Modified\\Account Name”** that correspond to the high-value account or accounts. | | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the accounts that should never be used. | -| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list.
If you have specific user logon rights policies, for example, an allow list of accounts that can log on to certain computers, monitor this event to confirm that it was appropriate that the “**Access Right**” was removed from “**Account Modified\\Account Name**.” | +| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list.
If you have specific user logon rights policies, for example, an allow list of accounts that can log on to certain computers, monitor this event to confirm that it was appropriate that the “**Access Right**” was removed from “**Account Modified\\Account Name**.” | | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** and “**Account Modified\\Account Name”** to see whether the account type is as expected.
For example, if critical remote network service accounts have user logon rights which should never be removed (for example, **SeNetworkLogonRight**), monitor this event for the **“Account Modified\\Account Name”** and the appropriate rights.
As another example, if non-service accounts should never be granted certain logon rights (for example, **SeServiceLogonRight**), you might monitor this event, because a right can be removed only after it was previously granted. | | **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. Also be sure to check “**Account Modified\\Account Name**” to see whether logon rights should be removed from that account.
For high-value servers or other computers, we recommend that you track this event and investigate whether the specific “**Access Right**” should be removed from “**Account Modified\\Account Name**” in each case. | diff --git a/windows/security/threat-protection/auditing/event-4732.md b/windows/security/threat-protection/auditing/event-4732.md index 43c74c4d05..543455432e 100644 --- a/windows/security/threat-protection/auditing/event-4732.md +++ b/windows/security/threat-protection/auditing/event-4732.md @@ -154,7 +154,7 @@ For 4732(S): A member was added to a security-enabled local group. | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the high-value account or accounts. | | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the accounts that should never be used. | -| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. | +| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. | | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. | | **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. | diff --git a/windows/security/threat-protection/auditing/event-4733.md b/windows/security/threat-protection/auditing/event-4733.md index b7bad044d0..2b749c0511 100644 --- a/windows/security/threat-protection/auditing/event-4733.md +++ b/windows/security/threat-protection/auditing/event-4733.md @@ -161,7 +161,7 @@ For 4733(S): A member was removed from a security-enabled local group. | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the high-value account or accounts. | | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the accounts that should never be used. | -| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. | +| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. | | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. | | **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. | diff --git a/windows/security/threat-protection/auditing/event-4751.md b/windows/security/threat-protection/auditing/event-4751.md index a6ac4afde8..39888ce838 100644 --- a/windows/security/threat-protection/auditing/event-4751.md +++ b/windows/security/threat-protection/auditing/event-4751.md @@ -158,7 +158,7 @@ For 4751(S): A member was added to a security-disabled global group. | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the high-value account or accounts. | | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the accounts that should never be used. | -| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. | +| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. | | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. | | **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. | diff --git a/windows/security/threat-protection/auditing/event-4752.md b/windows/security/threat-protection/auditing/event-4752.md index 7a81d28e4f..a1e4dff838 100644 --- a/windows/security/threat-protection/auditing/event-4752.md +++ b/windows/security/threat-protection/auditing/event-4752.md @@ -149,7 +149,7 @@ For 4752(S): A member was removed from a security-disabled global group. | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the high-value account or accounts. | | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the accounts that should never be used. | -| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. | +| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. | | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. | | **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. | diff --git a/windows/security/threat-protection/auditing/event-4768.md b/windows/security/threat-protection/auditing/event-4768.md index d4de56e2c7..cea554341c 100644 --- a/windows/security/threat-protection/auditing/event-4768.md +++ b/windows/security/threat-protection/auditing/event-4768.md @@ -305,7 +305,7 @@ For 4768(S, F): A Kerberos authentication ticket (TGT) was requested. | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“User ID”** that corresponds to the high-value account or accounts. | | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“User ID”** (with other information) to monitor how or when a particular account is being used. | | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“User ID”** that corresponds to the accounts that should never be used. | -| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“User ID”** for accounts that are outside the allow list. | +| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“User ID”** for accounts that are outside the allow list. | | **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Supplied Realm Name”** corresponding to another domain or “external” location. | | **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**User ID”** for names that don’t comply with naming conventions. | diff --git a/windows/security/threat-protection/auditing/event-4771.md b/windows/security/threat-protection/auditing/event-4771.md index ec7a4064e5..c5aea23ecb 100644 --- a/windows/security/threat-protection/auditing/event-4771.md +++ b/windows/security/threat-protection/auditing/event-4771.md @@ -274,7 +274,7 @@ For 4771(F): Kerberos pre-authentication failed. | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Security ID”** that corresponds to the high-value account or accounts. | | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Security ID”** (with other information) to monitor how or when a particular account is being used. | | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Security ID”** that corresponds to the accounts that should never be used. | -| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Security ID”** for accounts that are outside the allow list. | +| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Security ID”** for accounts that are outside the allow list. | | **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. | - You can track all [4771](event-4771.md) events where the **Client Address** is not from your internal IP range or not from private IP ranges. diff --git a/windows/security/threat-protection/auditing/event-4776.md b/windows/security/threat-protection/auditing/event-4776.md index d5d1fcdf4f..75dc6a4a69 100644 --- a/windows/security/threat-protection/auditing/event-4776.md +++ b/windows/security/threat-protection/auditing/event-4776.md @@ -130,7 +130,7 @@ For 4776(S, F): The computer attempted to validate the credentials for an accoun | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Logon Account”** that corresponds to the high-value account or accounts. | | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Logon Account”** value (with other information) to monitor how or when a particular account is being used.
To monitor activity of specific user accounts outside of working hours, monitor the appropriate **Logon Account + Source Workstation** pairs. | | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Logon Account”** that should never be used. | -| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Logon Account”** for accounts that are outside the allow list. | +| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Logon Account”** for accounts that are outside the allow list. | | **Restricted-use computers**: You might have certain computers from which certain people (accounts) should not log on. | Monitor the target **Source Workstation** for credential validation requests from the **“Logon Account”** that you are concerned about. | | **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Logon Account”** for names that don’t comply with naming conventions. | diff --git a/windows/security/threat-protection/auditing/event-4778.md b/windows/security/threat-protection/auditing/event-4778.md index 74b7630bc6..8293e41487 100644 --- a/windows/security/threat-protection/auditing/event-4778.md +++ b/windows/security/threat-protection/auditing/event-4778.md @@ -127,7 +127,7 @@ For 4778(S): A session was reconnected to a Window Station. | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Account Name”** that corresponds to the high-value account or accounts. | | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Account Name”** (with other information) to monitor how or when a particular account is being used. | | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Account Name”** that corresponds to the accounts that should never be used. | -| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Account Name”** for accounts that are outside the allow list. | +| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Account Name”** for accounts that are outside the allow list. | | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Account Name”** to see whether the account type is as expected. | | **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Account Name”** that you are concerned about. | diff --git a/windows/security/threat-protection/auditing/event-4779.md b/windows/security/threat-protection/auditing/event-4779.md index 7cf0dec285..f9c2757ab6 100644 --- a/windows/security/threat-protection/auditing/event-4779.md +++ b/windows/security/threat-protection/auditing/event-4779.md @@ -131,7 +131,7 @@ For 4779(S): A session was disconnected from a Window Station. | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Account Name”** that corresponds to the high-value account or accounts. | | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Account Name”** (with other information) to monitor how or when a particular account is being used. | | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Account Name”** that corresponds to the accounts that should never be used. | -| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Account Name”** for accounts that are outside the whitelist. | +| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Account Name”** for accounts that are outside the allow list. | | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Account Name”** to see whether the account type is as expected. | | **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.
For example, you might have computers to which connections should not be made from certain accounts or addresses. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Account Name”** that you are concerned about.
If you have a target **Computer:** (or other target device) to which connections should not be made from certain accounts or addresses, monitor this event for the corresponding **Client Name** or **Client Address**. | From 40664b79fbf7f9d650ee4220890c3ef2fe8a574b Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Mon, 28 Jun 2021 08:57:46 -0700 Subject: [PATCH 412/415] term up --- windows/client-management/mdm/policy-csp-admx-printing.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-admx-printing.md b/windows/client-management/mdm/policy-csp-admx-printing.md index 3ed6f22a6c..0781ec7432 100644 --- a/windows/client-management/mdm/policy-csp-admx-printing.md +++ b/windows/client-management/mdm/policy-csp-admx-printing.md @@ -1838,7 +1838,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Announces the presence of shared printers to print browse master servers for the domain. +Available in the latest Windows 10 Insider Preview Build. Announces the presence of shared printers to print browse main servers for the domain. On domains with Active Directory, shared printer resources are available in Active Directory and are not announced. From 2e8ded285f3d5efbea683bd150c8f569da17b0b1 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Mon, 28 Jun 2021 13:25:30 -0700 Subject: [PATCH 413/415] fix duplicate and hook up article to toc --- windows/configuration/TOC.yml | 2 +- .../cortana-at-work-testing-scenarios.md | 12 +++--------- 2 files changed, 4 insertions(+), 10 deletions(-) diff --git a/windows/configuration/TOC.yml b/windows/configuration/TOC.yml index a5a0bbbb07..803fc6fa2a 100644 --- a/windows/configuration/TOC.yml +++ b/windows/configuration/TOC.yml @@ -138,7 +138,7 @@ - name: Set up and test Cortana in Windows 10, versions 1909 and earlier, with Microsoft 365 in your organization href: cortana-at-work/cortana-at-work-o365.md - name: Testing scenarios using Cortana in your business or organization - href: cortana-at-work/cortana-at-work-testing-scenarios.md + href: cortana-at-work/testing-scenarios-using-cortana-in-business-org.md - name: Test scenario 1 - Sign into Azure AD, enable the wake word, and try a voice query href: cortana-at-work/test-scenario-1.md - name: Test scenario 2 - Perform a quick search with Cortana at work diff --git a/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md b/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md index 46b62aec12..02f6340c08 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md @@ -1,5 +1,5 @@ --- -title: Testing scenarios using Cortana in your business or organization (Windows 10) +title: Cortana at work testing scenarios description: A list of suggested testing scenarios that you can use to test Cortana in your organization. ms.prod: w10 ms.mktglfcycl: manage @@ -7,25 +7,19 @@ ms.sitesec: library author: greg-lindsay ms.localizationpriority: medium ms.author: greglin -ms.date: 10/05/2017 +ms.date: 06/28/2021 ms.reviewer: manager: dansimp --- -# Testing scenarios using Cortana in your business or organization +# Cortana at work testing scenarios We've come up with a list of suggested testing scenarios that you can use to test Cortana in your organization. After you complete all the scenarios, you should be able to: - [Sign into Azure AD, enable the Cortana wake word, and try a voice query](cortana-at-work-scenario-1.md) - - [Perform a Bing search with Cortana](cortana-at-work-scenario-2.md) - - [Set a reminder](cortana-at-work-scenario-3.md) - - [Use Cortana to find free time on your calendar](cortana-at-work-scenario-4.md) - - [Find out about a person](cortana-at-work-scenario-5.md) - - [Change your language and perform a quick search with Cortana](cortana-at-work-scenario-6.md) - - [Use Windows Information Protection (WIP) to secure content on a device and then try to manage your organization’s entries in the notebook](cortana-at-work-scenario-7.md) \ No newline at end of file From 4713be3c03c7b29ede68a4daefd77ceea2f1042f Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Mon, 28 Jun 2021 13:28:12 -0700 Subject: [PATCH 414/415] Update cortana-at-work-testing-scenarios.md --- .../cortana-at-work/cortana-at-work-testing-scenarios.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md b/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md index 02f6340c08..8137313839 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md @@ -1,6 +1,6 @@ --- title: Cortana at work testing scenarios -description: A list of suggested testing scenarios that you can use to test Cortana in your organization. +description: Suggested testing scenarios that you can use to test Cortana in your organization. ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library From 6de0f33c286c674a4b828cd55a5d6367120c5544 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Mon, 28 Jun 2021 13:31:49 -0700 Subject: [PATCH 415/415] toc rename node --- windows/configuration/TOC.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/configuration/TOC.yml b/windows/configuration/TOC.yml index 803fc6fa2a..867a205b26 100644 --- a/windows/configuration/TOC.yml +++ b/windows/configuration/TOC.yml @@ -117,7 +117,7 @@ items: - name: Set up and test Cortana in Windows 10, version 2004 and later href: cortana-at-work/set-up-and-test-cortana-in-windows-10.md - - name: Testing scenarios using Cortana in your business or organization + - name: Cortana at work testing scenarios href: cortana-at-work/cortana-at-work-testing-scenarios.md - name: Test scenario 1 - Sign into Azure AD, enable the wake word, and try a voice query href: cortana-at-work/cortana-at-work-scenario-1.md

60h?V9 zmmC}u+Z9U;1}%~UgJ;qjD=zu$QW`1r+DM*=#aN{Mlb2}U8IaAwu-+&u^$Do~FQXpoml&&*!hpkVx*WC2 zw~9O1IObRIch}zZ6QtxFIl*`zvg8nqQ_pNHEiKX6tx?udobf&`vOW)mc$|!f$J?#I z5O-m|D4cXt?|H?aXAj>JrMR#wU?Uf;=idc%@V1Yqlbna_>IHC}(?^yUtw&p$;yeq{ zO1%X==wqsC2-(v!h`ZQz7DmsFZduVQogWH zr`!P_=!YzLq!&AwhiEbdf*P20iC$?J&JYNpz}eS5pfNaYaksps3&iLqQbvzA_WCL4i{5U{@NMl3)Ikt@Sec%miKNDIL~Xn>)p-BfkwJ60x_Rg2~#V z(<7qK&G&7+GczDWG)4X>FMNN>N8w!lN#9H35QBjdF;M9_=7~vJdQU*-OiKDA&zH{p z4TLK`3MU>bX)*_M#&rIvez{TPL&T|?kRx~F=f1Bi=7G(iM zVHq7AbkmmnvegY(j!;9<)daREo&5b3e5=_F=J4mw3zxG;48qoD7c8S!e%!R(FvQ9R z>TkJ8h?1H)a>#vINMyRW@-Ul(jI8aST+@MP9lifFNP91z#lXfE&AxhR{32RD?|iF` zu(NLM=$laf`!vIJ6zRS^+*FD*Zu1^YnF+L!!Le@hg8{K|l6hTRf|RWr>#pwWh^<>c z3FPXGd?64L@p^*Jh&{`fZy7RrF6&L1y&?Ql(o#8#nJkXBY)BgjCy}3YXuPS(P3|4& z#&D=pXYa&9{yjOo()l}pEgo1wzJ9GZM@lxBJIU=dWTVY7$%2x@-#|0p;zwUG=^ND+ zLJbyV3R&A-ew%GwgLu0ALBFtq$t3^y7K_U;;id0$=L2=`!fVOuc#PAer-U<2ic^R3 zD1APBXz5XizTIfLJDEwB2?%<4lO5z zeEs{DIdEOiIcEQhavT>R@o4$bEcbDT z#1(b{rIh8`w?QwNC<6smhOL_!VTJ`8f^Ktu&x_2sko*jP9WZO-cUWn2 za()7ffxLsQp^c|@+`)cxifj7bN^XQO7bk9baj?CHgHlX=5m%Qj!FJI$tnAoi`>TS7 zV9gZ423yN4c#xYdJT}6LaN6-@{F4Ui@mK&X(bR3DLgRWRzzdgwI^v_M)8$;6cu_w+ zu6WcfK684AstPj+k)9F0zD$PI$_B~GDrQ3XOiHnM-n0;YQ`N!Yy%oVtk@jC_#6z`T zGYM{X1BSFn*aS%kJ#FsKJjXmYuA3#VXgid}4}Npt50<85aX9&lea`U=mL6dJAuss+ zuE5%)+nAE}K(GxBHoP)~!W2ZoOIMOi>qet5vN?7pS~6W)-cyx#uAo?ju^*g}(_lht zCT%YNO(AsP3`4n$SxDOvLI08?kSwUE%5hhfOSxN4c_LCKDK?+r`Ycl-t|l$f-0-lG z)q;T2I9@x7g&iYt6XxMhIHtbW&GWi3Q`&Q zkk)%`2<1MnB7c;mP`@4gwy;?_+t;!DIa~Ap@%C0xajahy=S>2^A-F>V!9BPKhu{vu zA-HSfB)B%g9fE6cOXJdbAh^@GL*p(}x%WRaYu1{19Ul6T>Z<;#zEk_`^V@1eoeaNK zu}c&<2Q}v#TAks)Oa|xV>E0i&)2(TCe&VlZy;<8&-m;u;&aw9QTD)8g?VH~I*D0`@ z`cu>;9slw;T;4JePO>$OF+g{oZ11+oMO-db(WoFmGr^%gNBrek`sq(y6Ft)1n5$$h zKdFTD(P0=jdOjTx0~@s%ohc$L8d2B5M^gH|o}n~2{o(;CITN9SP5wjtE#8p0p$96B zZOU5yt^CQ9*(LH84fc?tX{^C(v!UP@R-c?TFvB-D^BP4$BOXa>+H)~|j{UyBkEiSV zBDE_=Dt)>^eh}8A*?Ki;&l4VMl2IrV*=Pxw-h8ZgmmzE80ee~d3na>&OTLql+++Qn z7qF7;e4&2%BfL|Ck>Mp571bCe3jQQWsJtF9*!X((s>+QKfvpDvxbM{QY+A~Rz1M`l zlt15gDfeAVvdGBrlk9KxHye7p6^CyLmS)6{$n5JXEJIrhS|8fR4YZZmu!@Q(KRcyE zzWf2}`E)gYAT$5h;+=2ScsF2;3nv&(2JLtuEnOmi8e-(|R0&vyBco2Cs7f2Wq z??K4o^Ag`-j_hT)kL>gsp#b&};PYgLmj(Bx@W?N)qPF2BWo_od5el6>RULP4x0j|{ zt8Kd2e|Fm((DT>Zr6Gk7!NSTWO{7%znJnJ7wxemfc?xYS_Qy!xvRWm}i>yWo@n7pu zv0BTfGyakKQYHnZVtly~j|`*EB99p0KNFsyGN!?x#U;3wO@td<23vnf6Bm!(s8onm z4_rq6F$E!%Mjfs_xA^BV^>qi%7#ofGnKXu1P<#L`pE#=I`=2HL+H&L=N#_Z0rD1t& zCi5+yO5*JGJFbzCC%6Y5{SbjE=`4jsxL|o|_8iPYCFRAFjhcu}3s*GvY^m0fl+(MOT z%48s1|BDpqcdN4gb@NLq$XCO*9{OFqFcH6R;`3LdvDB*C--;yj!!wzcA4-tVKEL1Y zVUd9gIVW0EZB9LGjIe(`{z#O(a-Hy;XY!cSD^^>P^A7K1s5K&K0NXXCsQ4tk+iSM~? z^xR$TuNqB6+Wozo-JyNU;^IK2D-ACRF7-_)zVvBrB26a#G%0TD3+J)6 z>(yY~_M(?rR^-Ej-tP3YJIiXthHYo}wj5)Q8KlED78apZ{(I~XhmlbW?qhD8Ky$Ok zt~_#5hdI;-{)_a|9q2%onm?UX#LnjK&dm{1#17F*3B<3wrHeoHuH6FF7mIx{~S}A0Wfz$*zz&51(KPpRXur9z+L@% zNb6GU*5-$)yCc`MIklm(Gf6^Xn<_8cV=@l|z3-A1CGU?KeKEA)^96dN#Md#_ch7t- zsraV^ET|Dbm_F-8KeyjFlGR^3=xC~b(>zeuF<6Q2Sh^36Y_7eGp{lrF{nl^TTgEM? zp+)C>$rca_AR=h&js3j%0SuF<@m}|bL@nM8ZS7}b202lhTi=ZgI^*7wE}dWP=(bEu z)s;mgNlBV&4#rD!HEPKgi4{x)oUgn3LxNpt8k{mTX%Z6lB%fj@zSsuV6D-hI124$yzVZN6r^ zHvTJ0>H2YQ2dKrGACLg-ici>0olC#Yr4X>*aI_-es}Zj34?T!vvM0gilopO!Ada>d zi&uRah!z$WtybTZMIQdCdH`9FUa!`qrOksa_5N14E3P{%IuK9n*BE49H9nN0B_UW> zO;)#m!O&uP!js==54+n(%>whd{cy87+s9VYFx!i?@oi=Qwq^U(-1b}HM6SN-QpMPa zix~K7;$if9v^!sUOrvER^c*%k`uuLi>mbIX$6ygb=@n{x>{Cds?6yxQI4|pk-YmEWRU`e6K6-2*3P0C=RSCtZj3xyLRG&L@Y7&8^} zHW{^6Nyv4Fc-?Vi*rAyV`-+rX0}SVD3iAYOJ<=Lig*2L7a;lQJv5hlS`is}aUe>O! zWvRxaC2QsE59e}kj(I!4+*@iq*x?iLd8*wrpa4s*Ni9)=1S7)Y|tU(wSbz zu_t$=RZ%Ux1|d;6^2b(*k)I-+r|0hB5DcTc2^2nftNi8{D%nqded+1WM~(sToE%@- zvhl-`CKc>O?Q7*>Ca*{x;q76gzTODjlbnEOy@PM-0wgi}$@VTnaUUfl#9?~F=Lx$j zc-jo=^qJkA-N4M{K5xyJJ*raB>OK=|SLAfL3eyhu;Ar=sF8-V2Jxk-QGSkDRXN?hq zS_FXqi^cA?t1>utpCP`+L|k+LW1?(Y@p8jA!$?m{8@zlwdj!>fdKvKaShd)U6#IK* z#6xJ2ah;1rA%!(=H0c7Tkg(e_bx9DJ{HzHQqnV6vvNeS7c@x)PSXZkrNcMPdDHrwu zT(Rk`kxXE68h@!%S41Ht#Zh6f7)(_oz2{zImY9~EqB?vUEGM|Z8__8H=n>k^~ghTAjGiK+m_{nHMn$ zy#_dV!|OJX^&EoY+UE;VO29(;S&K!iwpTd1`9`YNwSdKZxlTxN0Bj-8PcNz4(krha z<)w~uF!QqqE8s*T^ES(|RA&=IDpDPsSF5=FsYjpi>$-+ad?6-3w{~F7Tb;H_tp)h& zi(~b#vqk}k#lG?_dZ2aPbp@eweKUL2kxu%LQXkS6CoKFQ5b37+~_`835U-)BH zW_v9y>^8PB*D+gI2o}Y~<@cL5319WW;B9qDEsI8tUpV?M#*`Lq*~S#^)6&u|^%vLI zx#$(-;<4O;obU9kpHU_Vr_!XK_5A$WI&KiHla(Uf(l_~d^#tVNh;T5bbsB1MhP9_n zrqiV>3>U-AfhtLl^7?qhvS3F5QLL$EgU*Iun^`Zf|Jip}#P>XydiuEe*4ytHhEJGP zm|xC{*(3DWOAX9avHCl2N&Q?3a^CB!&sqd2iO^<^m9urEdSDfqSXj)|xFb~A`t>th zOYJ$m_(7{`i6^3~t2%{QD%q8N!0s{f&jqnYRHp0;#>fp>EpBSI?3lv^qGVR)t|hE; zj-BPgo0Fq09gz;419>STo~=(U8$aKc=jSu}(vv~I4Ev!{jx9MyaR5o|F{jW}aB9)c z)gIf)KGGh0%)WN#LP0ZLmS3llL zyy?1mF;DVb-3AhuSR(x;HRMB%Zlu`r^Ziy*%HGfn=?jc}*w=5($3=^OJuOrn+L-AX zH$#LdfKumc5L5s7h_smpDI)mwOO=bp%q5TG0-nWWZrxcG;DXrhy`)_O&|(f7?~kpb zr^`#W2Fghz3U@E}X-m=gPJb;GB*r<|cZ4Nxtb*2vJEDwrfX&q2K6uf{0Q9Qz?i5jn zQJiacbc5}%1BQJHlOL-5OOr3!eA$InowW}xreXH9I(jy4N# zqlB+cU~yRqQAjzSVlki-SOACzEWAdVdcLwqk~}#N3}Lby)?ACQIGf+!F+D^3DM#h{ zh0mAd3nY>{b&GQ{J?^0mvm4oh4ijA2K6lO!PoaX-kNdDEBM7kaEy(p`>T!z6))K3; zlefyM=Vdi8q18!9W&>qx5v$Cdt1t4aXEj#;NVuFNQQxo1hlQ|PsBwozhv&mr8+HY) zSo)N#B;n$3<8YkQhb9h^t<`S4(WvEo-byzaOF;OyvvSzfUImuQ;o(UUA`*nmJNO(% z+(sqmRkTV|6`bS`SM_DO%jvuJ7;W(d2L`_EUB_rXdI~VP+J9ek7{Hh9bH$&StZ_dX z{>@0=4}$=IcI~I8+{5a6PCkEJXMO2pwNsbN)U4c52$haja_3?>Nt~c(X82@k^1JtY z2R`a`)U{h9gxHgnn7zt$u;5xZjq?IWUtHTL`IBQoO3zqlCz87G$%Cg8I)zkrY`?m@ z^*!RTAI&91zX$m$pP&BLf(WIeRIyZCo4X1IYH)iuC)mDc1l5#QwISj zMvf3c%T1L`wU4fa#>xE+&*aPO$RvpSSJhWTrWTFV=?~f)Pq3$3vM29Z7Hg1$HeiXf zeRATIj?G8~_n2L^ECJ<#?pQqwqf!d1LF8Zp-Nvwy2(7V^bd@2Zq09)@&Yw~F&^YX2 ztj?#gN4!@v3S#tR;@IMq$Jb%Zg)?!nNO`}`yU>zx1g!#Pc~Cip6ZJW zMg7r>kh*+smnotO-8LMo6%enI;HgzZ(~2h|)K=T<`4!fe*o`?n^Te({wJ32(&>^Cy z)or0Xo2K9>?JGe3MaG|YkEb)jmpDaroKhK0n)Lg%s=|dspt}+sAo76h06DeL(A2W_ zDeM*|OZwULR+W>GH{N^RJxAiC3#m?JR)xVdQ{6IS(^u+yC{31?MhKHTvSqT+0@HWUwVuZ=8;{-Y$0eWZr<;{B4=`$treUK!rqd#CRLWjpOOdsbT1 z28$Bw#?fD;H&U+n+$#!QkKoSP?)&fED14`8gxby;pL}1l23aP6778`JuZ2$7+(n<` zbJoEfB9V?c7v}osb@Gb<(VElNmK@u0bVBOuTv@Yqn?7aOdi}R`4X|tXylkH-GB;g~ zi!<@-i=(LSrEm1eSQ7g6dgJ}(I_(7nHA|``V-(7}fz*9#+cM@Sv zh^}K>WbhPL4&jz-LF+rB(NS^nh31mTg*WSpc*URDf8s`}Q*gFb$nuz;zTYP`omioa z0bt7i{PkSUq*TqG7kh4TEyYi~-n`xqS$KWxAW0^3c2AX@6n1%uB6)r<+errOLWX=> zf-tCazaQc)Vp~mR1-2jB{rU){VfYge3^08%rX@RywDy`IgHEaKL&JlGP9=fK{ z=@sWp7*L#mvR=mqfF|3TPqCgeJScf=nEl>>gjSpE&_Gbw)*8wgC^7Igc*On$j-;qUp zH>Ak!LfC$^<}G9dGIu9cg%NYP0nmdxET?(?9n-x?eAyo)9qsF6hupsiuZSqRXFEK< zM@l7IJ`FWA--N-ShCyfVj|}HPl8*W=+aS*ztY2PjCo6|d9IcKB_vm9?1zr3)fP70e zP8LDh*C}=zE|*nVRUyu|9-+fZ=Kds=vO1me6cpJ0c=^DGI)ZrW#zDuQ(;x*s3wsAZ zD?;~onV(skT`jz|jm}9kUG_m7{vTN}$r55wB+#7io_(=^ydtaSP@Q~a-GOU?PougB z4G#$7`rFzQj_R}aBe(9G9qx)x8EI(|ajU1hHMljy$3Df&UcPYZu{C+5!@#VtFXgAH z$6cPlqeys6oYP{&N@Vl9#Dykv!QgE9#P9K=okBSQ+Px9CvhExMeehxh@8!%{%%0<%D@&A*p=kj%~-c%;l8?@~Y4PyB;nOJfVC9 zV%?Nxg)FMWM4$Jtj1gyJGx5O*QYqrdU>+`A_h$0^`&EK@+)F8bf+0|Mc!;>KNFv&( zGl_%#I-O)SFrshg=aEq58nL+CckE3@qb`Q>A^nzvY4%NNyP^7+&S*nrG6EX2-Et zsAuECLP%_*_l8TBF`loy-2bN(&#Htw;krrr#iRD(lw+^?P2?m;e&~V!cV(E5F5%7U zE&~HAYhS9I&yRo(@x6=QKPpD0`R}Hur%OtI$~=qZv%78beUa}U2GB?Sk(#!P_{DUT z?Bcy8;gr_3-Hb|Yi1D7x3wXB4Y|;jr3?(~!>&aOuv4eu}z}g8aE-2}rIhCkTh=4U> ze*8zCGqgL?n}Hgt;}Qc&-_SZq1ZV8G6y{W{M|ROVZMOIUW;Jo|vSr&p)p_v5EmS*jT0BQEIN1{qn8UFuJ9}$B%c~v*wzR zR==nLk`mQ?c^imiXl{vumG1Genf>?Kc0R?8xalZo>s;7QicNx98 z6R}uP-~2@%a;l-@_l`fuDb;=SCf?!0yPfZUobVv50l$?e^L+pydbW;7H7m`JqJy}V zd4E~IzkS5eaSlCTAM-xEaGFXaCqAl2#w*U3!I*q}n^b5EFmYdMXjjf|i1kRDEcF_E zFJY6Y5RwJ72T?xb;$fG|rw)!fDu56XeLq1q$-=MA-{lM>^H# z(utz9#!m@v()OPz-rO9DXHD3FBW_|FSg%~iU!BL~Tqq(PA;;{jwZq(6SzkUI{!8f^ z=U7w$f_=nltuVtUSoCFx9m9h|-wf>_w6*kYVAm{1{(-Zx5k0A-6l zQA&y388-M{L^+*6`TdVCt;_Yw!-i4ndR(!Jy~<-r-GYcIn4*to`_GMOEv_E-3o|y= z$#@JhdxK`7o98(f*Xws(5sRnGlLfE%TK{>_sB$y+;rmv)l`ByV#(#cj{eo~8c^di^ zjDX7)GsCXm8KW8~_JFRpU(WKg+tF6-DCs|(Q9m%_D+lD}XvXA)6k?-d(3zTi~*Ae6w($;+Gl=aP# z=`jdpsU^NPK+#CUYX++ktabP4HqDttYH=^FdF<3L2V8eVdTz}x*F9e>?UvH1{vv!+ ze3bQhf%7qUZEE_KU*F#}TUq|sK>#WzYff`3<@N&PU-o8m)y=L-!1lz7DAl{lK=s6QP6xgz<0`@IyIh`MTOp;>g` zD+3{C$ZR6Vjgu7jimp!d-5os%2^Ddm1lZSLLOd!6HT8l%%N0xd4MjSw_$u)%^iQquvaM<;9rf|443*8W{*$fR2?I0 z(f=U)Z%1~)3^4gVnJJ6aI*|vK?F%F(YMb=_5nC)w0EWQ{WzwVL<1g<%rM`H)zX7wX zC+Yf2t(y0EYEkbHGZxO0gL+}_!%fT1Rax(R#ERB{H_>ZFX#9>Mx|`4yPcpb7DvYlRK>t9tpaBFjvbf!xXfzK481}{0(KXCtx#>f|LjNo(6dhNFzQHB0@=wBglJ+Vq# zwP1|$@amu){>Lz?haf`w-9Dn7+*kO%0&V=AK)KbFtHxS^4@K7_OH9#`WoJw>7m@D3=e$0f%Hgj%^MJw@evRHmWYEoPRk?&-LbIE6(!r2#5uq2^{_0T zAH85#^O7Um!&P7v-@oiKprx6`XRkCE3h&*BS_if$p4cCJ)3cxN@(K;adMp%|4s2{y zjEurE4@>wWBsgJhgNWZ+5x6RSoqFTOx+Z@)c8EJ#I1282*xHaQE{=7wwfpb#d}P-T ztH&M7HD%BGCSx(D)!!8~;=4Hb#Z1aJCHl+`m9^t{bi3m2kojL2cywhaaNn~6KV~$G zm`bKcauSoa>3psEQyfxAiO-HT*Hi%zR+?wDGZJ2wm=3u1O;gu*#s?NNTa+aXb;=bssO&7v2`uw>}@86Y;Znij14YihV z=dk&dQleR@7hOB;TH`$!rt>gw=gYIh-Fi9X>MsjK=np9zT0`=ypU!DdP(N;eFkBn(2?|nG12TiH!IY!bp8|y)J9_98~ojj9J zfnC#cVe%2wRJ`z~?_u|5Y-nfzsB3D}nT;8u>@OrqzCCy|8>xm=Y$M!ly?8vAAks|@ z!G5()(g;jI69Ue(YM7LPQB z*Uvf-ht`;ln?bGLi!zY^5hyq-SAnz>FU5k7mb z13lP6WKv%Afe4L%V(@jUn@Mt5WOEDNe@n8()zM6pJhfqspK1WOUtGYfvlR=W{dk_# z&)!WSU@iG7gVPdxrwBks3^1H__iBVO1L`h0!1b*@qC2?n5eR-W55vkkf_aX zQ2TjS{o5^ni+*^ro`YO}+wFFS<{yA5V~17QerLlCT(7s*&O@5+K}-jbjWOHBNDRe| zp9k0OT&8bUygKm4+N&|kwPtT>7S0BOt~V@2+XqC?WNC5vjy5+I4lQe~)_gNPm*Q;x zLv)RMyQ=^bY~;XToE3>t)Snkn#_qgvdPZB)xEx9eM*T2PKkjX|%I;dt7<$8*l5V%- zAykYE+4m0`jiPu7cuASvEgTe{tKaHx{tjZHYLe0bwu^Eg@r+L)OQ4~rF@|?xi5l(d z=9|eO-$kl*8)8hFXM$k3v(oYZz(V>Ws2iOsY6qMgvmOKi;4Ag*a%^1i;Y6$l<0_B)O=F3@QRQq1;`y+uWI27{Im+0K=|tGC6CF=_Ne}HwlOZLf7d&uUA*#@aRAwmmVn1Dgerh-pFS8lLgOFG9mmxdc!j{Mi@HBfGX7Qp1dw9Hu0yA4}v__oa3Lb0%mW3p`vu zV_tIIc)#Y|@060Un*w;8m8g_*$gJSr9aYZa`?I+Pj-K6Hx5X7}b#+t;q*s2fHgA*? zP3=`VwtdxNensIxsH!rCT092@nDwg(xVhcu+{gT!rnK9^fXr}PTK{p}bHF6*US_VM zv~9DNsY(rd5L-P`IdaDDT9p3rfnoB?!kQBS5YW`#wIhGKw3t54=&peqUgO*RfJJ4|S)2xy_BBXY9AcGk2w z%cJ||bc4fXQ}&CcWpNJ6RwB#*w2Y5L?)JUi(y==jWq$?V*fKhc=USgZMx6iC0>w_I zD_9AJ5vi+mMANnB3{YcWP@F1qd04>#g#`JH4SFKUAs54&PAe_`<5*fnek0I zOJ95;jZSMl$*?w0QSliCWT%+#@?@61BB$w(oQw+BsPEeC#l?ifjZBj;L^u3JO9@GJq7V7OYLU#sUVunH)6}#IG zM^41Y@%4Ikp(}FnY1c8hmx4wFAX85B=-O)^klC%rz}9bSJ?5>MthKHB0;c8 zU_ROfR^MQ-_^dQFP+cWgD-PkM+eHQ1<1f<89-BAX0wse!0ua@5yZ;EYb|ynlUSl^#pr@v zc0|Hi%N~muk9U{yi}lu%Q(0M=t*t_Sm5IPSY{}vK@#X(GLv#LiDw&N<5KHYEPn?pU zRbpnE+_edXyGdmq&2I&KKLlW`JbUsJFzW>E-!b~$t@+Ti8O%D6jPey;SN9Y(IqzI7 zjz;oFjzFUbiewDot(UJKu3}lr#}t<>MTKsG3`^_gE@)Kq#|a>XPGfnw`;*%aXI09> zjb;3CpxYdHrDg#e?>8%}k-O{FE#bXL=(w=8^Z;y;T_Ow<3e4nY^N93FdaQU^HUMcX zgkcokB_zdX6F?>Rx0pMUvFeK^{vAf+)7z)0Gz!Vxv?mc&~bo)_wRcd zk#K^;{YYs(Bu_HL8t6!~`qnxaaIAQ5m>c|4$kd6g4p65pMHEy2L(ctukyCD>PjCY1Ot^|mSHdit9RL%WeJYnIX8 zjl}35zq?Jzz?Bjr?i0B`tTOqJ`4nv*RLTYvkV4bbNjie z@}|6?_<-LQdKl6w=0lZSN1C2-`?N{!GxJ|OTHjS?Z>b59a6I4=!o$ZejZ;D1&=(1&cCXLbe@Qh!tIZ>*16u(Z8IkT)oYCbNW24$wYgLDOsCb8 z15?Cv18#O~2iz#bJNq=}LOw5r*!;0b19y)0zrsMYS z$xHEr(dtUU^DH-Ro#U%YdC0Y-r(qXN|KtwYu$X)rC7=!fC;!J*9;`JVJ{bjqZX)Qi z6RAbaNV<2iO*W-%zJ{WX80mw@2>MhtCW5zY)pUNn)&bb^?--P%8a!TkDn${nh`ZJ$ zrc1OF11Xr(Pb=V8f_@c**)8QMKvCN+A6_^b*%H$Q-UkZb&=y+86MAZ}jlQJG;sTf`xM1&g>%E6NO?IG&d8` z(3k^I7kMh)Zxt2H7st!dfe%FDr>GiO=`q%nM9eaUV=Fg{S=Ku-u%9hj4S6Hk6LYx-F-;IKwL%Z2y&c{Syq6-|W z++E2=yXgNuyOfWFdTc-6}AN=qylo}q*`^ocs1p9%-MO3|-q!0Y@ znw0-1L-+Bc4ZFQ0a-CsT1PJB_kS{RWivf*9#=wAFe1j2N#ERQdo|+^EFd<-j{bC4~ zzzCn!HtWhm1p=+YG|Lan7sI87nd&*e%f5g7TO{XpVdJmJfwD+I3d3aX{CB&+RW8oh ztCfJCSve*Kndedt%LOC{ZLcGsKw9>EqA4?n`q>@0zVV4V1ev3Rq5$Nfrg~x;^lnd9 zjP#zQp4%2*po)65NT%8C-*|hRYNEpfOgP(XgGR|JF?W-_vZFVgPRUs*EHO^{Bz>%L zL+@MjzFNC!Ac=Wa9{X}0uy{I%fzkz)Q?LewjQWZxW7e!#{e1vn(B#kHk3P*e^~Sd! zhDU4bQ-FY2B9TcpPu5=Y$(xo{cu%2Xpmnq7(g%u1t6-Qr`|@#jv-8G&)n5T{ z+?UkHt;l0^e1$Q$oUG@9*GsN`vjjRaWO2L5$uv5aLUglTbd_WmX6=V>TB?PrjFBdi zLI^7E!K+r}2SHw=>D=;@0>B{ug!P~0X>8}Mk=Cw{YkT{_?)~Gg*(t+0YiT?O{fg9I zh*BESn%=#D>CTmUY>ib=b_?AKpZk&@`Gqm7v;SPJmjRRfaw7)Assxc{un{r$c0q)} zumm(1#Y6k8aI*`$UkahKxg}9@RsMsgVWxw8hw(B9p#!aG(2Xbz#uSjkia~PF-{o4E zQ?4Bf;w^`ewzBFNrFD=~v^3J_Af>HAsE>J}@EBOzecSo9C6P2QPO*ak{O7gsH&Kxf zXmB>2puv{IZ&{%1z@;U9Q4PJPi+kJCnZu?B>R1_yRxD-V)9`?Lb2$JyeGypawC*fZ zw*0r)SMF#2%t!eb=WTx_$`&i+8Bl!28=XD$M^n9KvZdInzsM2xlB_Y{1?F9U{b-s!#|EFr(#QZ zvPFb=alu&(9u;$gF4aLtXBIol?&%EZfs+gjd2@rb(LI=?fM~pW%Z`C`@Qq!RmxUF1 znRA#Z*xcFrjkZz>=A@hHcXwHnwE?`gF1H(Dm0m|wyfkK}gYSJ{-h%<`2M1mRz^VAEw|g1|#|2J5}D6?ln`&p(Q78T$*-A%*ZBu&e7gU6W4)T91!C(&~6*Q?4a%Vfn+4 z$pr6~5pzqhk~xqk(Tl`BbZBdPpz0?thy2d;AkK84e8_S{eX!^2T9=Fxgs*}YaaTcO zdpBY?!iWcPCw!iDKU&t>l?}_gNO^>0o_?DMH^Ud$J-$H3zUPZ(fpV}-MvPj?;Qp;d z_%SXob1Pj@@sfcoI4-5fD`HR6K81$m>m^bq?fU0_C;0>hyAH2~J-+Mi;RouTxtdi< zAK*<2uznBXq26D1X^Q3q=NNDhh~Dpc>N}f@X5KGbWL{0b_PsCX=DVCj^}PntAvC7) zlygM<84ZH21oFDDp>N4Tejo}qEWH-I2qr)LLA0PT=VgJ^mOuJb^pQghyYoYB54?y$ zEgAtTZfTqbkw;3V3hGd|?7}=K`hKgoE8DE{4+0{G6t3XVQOpMi*#Y-t7LN3t(U1;| z2)dAI^ zAO#^{Cv83T)*T^0rpv_v`Finq^yC`nq3slu&A&X`;4B<5atP?*QEuHZ1r zQ%@Y*89cMIO$H)ChnIgNr!x=f)7ABpnuz`G@jmT1Xp?!aicK&G5#iD*2$n~F`sbgw z&vKGt8Yeh=FRRbHNBIQD2o2m+KYP|B^eMHFBIXawX~ao&4PWS!j1&v!*1n^6N$u;C zL=M3gG-PG-SPhz#Pis0bZaJSLGwJk35$TblR!G?C^UV|-Zu^y=gg3!T4tPx`M=%@9 zCr4BTvaudL>%MKRfe4r_EqjqSPK#dVem4!v+JQdkcCf}6lYduyG+Zoa0tFS+HN$6< za;bGZl;+*MYL>cMcPa78k3lu19iVRD0q?`gwo>8bp5P^n&@rp{PRFqe#(%!%#V1Pl zIYLkda(=fB|G@W(>c-BEcErqeXg+BbH0bSG5Aw590%$@e8ONisjlVkhdv@jiZ)OGU z%vG!mK_fixEqA%7G(25Or)^VR=x%}z!U(UHrAhCn0ISM8Ag{Gk7fce%=vot}%kQiY zJc6JA)AwPH!gu>(bi-G8*U-p5eXMipjwmk430gm?0>QwrrqAmKdLC!(< zc%jT;!%RBhNhJ}A0LW>hR(@@oIdY%nQfq7L1((rXQcBW3$2DcZ#XCjE%@U60hrBv> zn-Aywk5g5}!*)al-zLsJ9SWP*2TXBrT8>J(H(aALtevmY<@kOe7;;ww+5nN4TP2mH z;~pXF?(4mS0-sHYNPAec>e>W`l)gHYt#UPrEZ()`elP4?S;}Dkt0=^<3cGyP)(g89 zxzot;S+m+3@N17$ftw7F3Q@?*lUCd9eMr=t$;+!i_EOy~r{Y1ZJQMW2ankpi4*|3> zAnxQOrDG|Bf+O?tj*0$ri}YilDaSzbDK0S4f%9C#0+q6LKHU<%jQ#poQmXgE`hz_R z)@ie$Ildn@upi<$xYRxkp#~pbxS4ni$}SXq?NWE91mrO=}YSi93NFXz0fUO8{l1VEef$9f!m zj)M9YK2`WV>niLme$B_6Ck%Rxac0)Y4&*Q-Rv7G2Hf)_SRdv6@5?!(Q%$7s$9z`;~ zfLkDz`F-*G+!EOW6H>@=cwGL&8$B%4X;GLjVLND>pAl^TxoSL%NWhIAQ}p4a{*;)u z7MP|iJE|M==iB_=GleOz`zCADmS`DKN%_cHoh(K%jJk*i0}#HlC4sG?VGy~tkD@HU zFh~X-?3Lu@X$u584-c!hwIlc;p?3jT$?5|oT(>X5=a-zsTy}UAz9*DV*ww~sFNJ_Y ze9m>@sU7W2jO1xm@$*l0U~*WeGVrRjpZ7?U6VC+?8~{09&>D*ux%&gVOzpl56@459 z9($_}hs4uy`O+JM{d(EN?oN;+(c@>^V(k|e^RKap7e48`kig%Cksnjq6M@e}?l#YV zN`D4kfju=DHC*z4+OGRBSy$U;zi7|86xxKf-$mCwso!sa_wKTm26Fmb`|so$uw43*3x-+4 zHPp!a7l&=wOWp>m7zRvn(N08BvfQuI;1O(^R%P`W#~RS)S65drt4@x|s}mZH%&~h& z3bee9|L?zyx9!&Mm$Pf5YB#);PiF2qn}(KDM&&nhl;#(z_hCSr!1phUC|d)H)Y6$k5Usa z&(B$Q2*uyezZyusrRhH4L7`A)o(Ug{Jmb+)Ro$MyQ){?9kgslUMbOkt@>lpz9Wm20 zp)Mxv1VohlgBpJ7Vp}bio(XdnCWo*;(SIWd2o~GkbT18TQN#!Q;#ciWFgdJK9zH1g zdl2B8{*3+qP4DQ;Z2PeQh3GpP`p7G3{Fgmw{2fid z7Q-h2iQ}VDp_I=ll+aH*cG0mz_^AI;fhhYl2=ECKAyN8P15eg0j3!}|+ofB}Y)j>@ zJ5YEo_06M)+f($;gTNidUUr(uaZm&xz?XK5)~DvDqY&{ePeT1T&!egOi! z$0+~KjfgNMT`SNu+rPM_40t#-5NCGRTCzv??`T@~Af;8x+-<23=|Fm7^?Z8BYWCH| zN}yHzH2b?kw+_fX`9}V@+8}m-N*>@ZdW4b?;|%k=-g9gd#Cb3{Ms7Zc(=!a}eY{$7 zbOyo|#?8bs`=T@k4vF(mRt0%L%r%IeU5Yq1O)Z$9lK zJq4OMt0np1GlL)Zq&P0iF@Rs%IEa_*MsOA0mBkrAcignLZz&Tj9!~x^Vw*1rYjuXz z-21oS;!Q7W>I6^(9&tM+o@}R4-{@`n7a4O$lYeudQL-)nq^en~|Fhnc=93l+FiYgh z0iWc*IeBb4Sr~pkl>l_Ne06Q@us_Y8g0VjTUYrP*&M&F7mNaxgT~m3r4m2#POI|X~ zPMJ*ad(ZQj0;3K`=HcDW#I#2am!+^zUmZHuq$_U#9eM=Nw0*VDxfK%IA>L0IU479$R) z=z1gAtDhdD{iE zuKs_BAx@hYtxQqXi|?lA&QD%u-ewq_&fmRKg*`j#|=5LaswCJ4!0m>O-n* zkyw!!9-ro|H}E)kg%c*z<_Fy;KNCMibB?NX{QgGnoucHEPd1VBj8a6{#N z3z%+LX;;Z?es4QCF=%IBl2qd(iEa-= z+)ca;yD$rw(0+1G;_`p)zcbE$s7xj3AWV6^Y(S2!JvyQ)?B7wTqyx%a89sNpZ8>q+ ze>?Wg++3&I6(KQ+rHMakmvO*U4?&g#_KRl7v8aH^Km0)S1_hoJYvXS0|N z!e55DU9_Ne!v{kgv1af)khC$2C?5@|Pi9A$lIi0&AigV^p$o#sQt(HWgYaDLV8iyCh3=1`Ti%tK89T|Od#4DB zn0p^On)I)_F>2h#?<}J#`9E=k{xkhLFJh!Za+15OS$~H6rg3`Kx2?i(Q(x_livAxb z=JSE;dwEf;XV_H(Qao+ju0_>?TACCE#g^)Xn zM|R4*4ucIqy?!~ZT0y*ap5Rs`U9964o@nwkpq~8ena~D26KqGZX;@!2ezioMhRGYr zI81KnRDS{1^h-t?l800vy>9m;Ryc=qYh60x3n~E2T`kK|?jEZoipqI(6RK>kr5t^9 z;8eP|dDZ?nO_J$thuH38N6yG-GhVDrDVkI%=0mRP;Tc38FzdYdXF%mmC|YE$Vn~*y z#~)tpIfUHQAIQc#8RY)FigBjz=?Mg04Nn;eRO1mVeVhm+pHY0r2T{;T5p$O3*herd z8aNKeK>0OVOCx>0Z$&*K$n1(G^U z+z3691aKn$&7@H_Ia*M=I9{Y|^SPEWG^7M9{s72fT8H{L*NNin{Qlh-u+uFrD;L^! zGWZ|Py_t2+9Y6*HU6j$$@`Fx@6M7G(GA%mLygWp9t}m}6_up3LfU15Sbt|H04xA(n z+H(1ywt=UemRHWnZn%9Rx(zjpOjyOU{C|@+9N7_u=ZQZ!GM+4X8j`s?Uk-2l;4|mf zH#oa@&(|2qFgNzIoG>II53$GM9cr#&_!)dT1|NyjW!1LO?iV6V{#j@4-28u3cHYr& zZG9gXHzAd1i7w&MB03qO%oA-S7~F{{Jw^rQ_mY~JUeB&3p2^jVa_00 z?KM=YXk-EcVq-qZ)o@r|Eqn0gbilKN6eM(KZXNAUf~Wi=X~bW}oIob~MQ6PsNuP)h zLKwkjktH4FGw*$m_rYIbvgQW+D||=cZ@ZK(Jj46rcE;s|^d>lfH_}G%p0C+4pogZB zQtMe{ZF5u(no2#%DHVQ``8w#L2#pNS&32Nsw=PKw4nQvIE*&K3{th|HQ~8bjlQ3zo z4c2fT(5Xfss08Z4iWe>D7!9xWJD=rNA;zG*c5RWBH~bunkmnosQ$t>s$mA4cnt}Pqj<^9+L`r*y`yeW(Z%ncRW&lW<{CKt z=$mFd6J1{5l&qOtgPfOBXKPjISd!AiyVqBG&kd+34HZCTA&Z`>o3nVjxYw^_OuD*4 znOfXn@uHuoTvJ}s0Rxi6Hf4eZyqX-p+BrJD+4kuRc1gq$QmM=lpkDNydl%*PIPUGy zo#G|`tE;FI(Y2k9J!h|V+u+=o&gJV=KxX2~@kxD6xiBH;O48ohE+9{p_9RF};YE?g zuOun9?2-YB&C(rtQ zcKjQHZZgX+u{^_rboM50Z4_MY-(_WOaNpdey{dApS4`Tq@5AO1I;_Lu zwvcwjD)5XEBvQFdNVBM2DMipvUl1d?mh2<&{l7Dm5Q8 zBxdPcnVq3@^|{K{StLiIxvD8BQpzG}#G3r(0WPeRXkp=4TsYt zs|K@6SzOkNb*6W-hVJ2_6k%g{roHm^=7mIK zgPX`1Eh~5}_%?Z_%;cyJd~^jM5oA_SQ}wTB^g$CZ*I9&SLLQL^T`A!pbafZ%^lJ=Wob{w;)BmM1 z9OZxipDF_jhV@k=eXzlYN2lc2GPASKJ|pDUj|Jng{N#h?>+k!8iX9E5uMiLsfWiD7 zOH!rw8biN!Uspf8e~ZC*omky6oTU^IAMgoSHT@6_X<+giwQSI?5a+j}>c1WBX_g zPlOI?rZ`cFWXFevzl4S)jd&JJyA3m&;3X`T=~_c+@q?g6Z(pfGW|@jz_1x`ORq3LY-?|qeAB&5xt8B$NzmI9vwVuB~zz{!Po|nZW&?>gAF$n-8 zB0C!X5GasuN?Gib&1E=`Jg-ZSx#+ejU&=5NxV1q_B0I?U{*_U8f^QT{-x7gVJzOa- zpTB>xIFasOVh+(#Z*&az^s};xzKNOoACn$A z11Ofm9I%IQ@oni3o-NJsJ(87;h=~F}Oyd}Tr|_+Blp=xEy{h24X!uSh4SX<}UrClk zWsQq+rc`=d;6Gz&o?O1%aD2jDj&H5hh4G(7M9j_rX_L?Ib^cA5yt`C;&(^1CA!ayK zm?c!c<%@A^6X%yhPcsCXVB}Gya*%BekVk`FSJN%oM?<=5@3s7;x->4ByDPdZY0C>n zhxS{;d(Pi9lj3WH=zYzWX6erTNHgt>qX5Z=-%UO!01!OTWFf)53JK-uXA=}*vK%o$ zyl!al7ZEcJ9DY_4RMN`~4*K2P%CiBLAfAzJ>&IJ9J^WOXE7c-Z8#eT|ZqXjL78mT)}D3*Y`=?O9lTy8W3uYDw=oQAtv0K&CMdBqIVuYXG@H^#4hK0GbD;5Dmj@OY%|Codv6-3`rD{qfTh## z{P3nV)&EqkasIu1xPQ;ENtIOs@3YYDCU+z|*ph$32U#A_*DxEU`pG{MS5R|aIN38S zU~@N}ssfl(2Lcv*(~y~p004pgJNA5m8?K+MRmvpJ9<;RN{hpOAv!vuao6++j>tg|F z+c9WcM;P^b^_9=}S;F29Sk?W;Ffi+^5YAHPlC%2kf{CO~{7nbJ7ouT6oG!!m`0+J> zfcg1QWIpK?G}c%I`QNZIJtHD6);#j(vH{#YBvxlW9gXc}oLvG0TKL0EiEk%rp^4KEmY`m)rp(JYzKFfV^Fc{0CTX3` zZe)p8dbjwGwdsb9kAq94N~wm*we#C}=4{qTg7PlAQ{|RZO4u?w^LK-}`S~2K{Pgte z;tL{83p)S_YrXlwWodru{jkbTD%uKnPA>A}(PE2|yMs7I5pc8bw_(c?7$^ea0c+`q z?$7l%F9a_F8$1=BZ3qcIc8~hl6`(NhVKfySyvNQ7??Liii0=s0Bh$p~L&oD=BQqJ& zctw8{@r5FMFm|@)twduuCbgSlu?vSkhF-Px=JQ+gzs-x|VqdJIh+8=KfSQA2~#^ zUvm1RC}gUXn)lc3H- zIF+_RsDq+@*szYILN091x#$3y7El~;nkfTvjW;Tbu+^3sbyq)d0tja=vfY}GdhzpP zlaQV-i>@=9rEG47hTyY$TM-HyT*#Skld4hDh(kfE;B(wkN7r;GDGIuy6e-;aYsT=A z=llaU`2cvPG#!XFHu`8Q z*dB<)M&p8Gw4yj>_sfE5B}^hC#BaGD4C=Q4D^N}*`i@INdr6j#l*icVW4p%6&+Qoh z{fpv_08RatZ2fb34Jm#MOb+gky;Sari5bF;LJrKo6k*e^=5R5el?PpaAFK8>o0$!t z6)G>!&+$YpPx|F9TiSGyp|FJ!#S9#KLMBf*U~fQJt6r^45VyDBHHPY88lW7=9i5jI zqHDXjDQ(ea1jM<|rK!yjTL)~u+TDUzkuttb+BF-!ogNS)C98&}b~{JMZqX8_`z0!7 zl~WW<0@0g?`|(^yW1f!M^eBhPk&;tYJ$NJaCBCa`(OK??tpF(gJn<63Ks7*?8w%|W zbFn5h8K)zP=@cEVyiAN}pSB+Y`Th$XQupF>kNUeLk+0Eybs?IuWNR}ZgIe-zTI{!M zOcJNhTo&mh>OG5ARKaNL+icW;J;t51IdJMX`m9+S3I9G`K$cMe*Ud1Sp$_p&t&5Fj zd2QmMO+9*`r&OR8jJ>>T$6~(Iolk(NI6zY3AY@e+lVlRE5?azt{$argumD9=<+x{%*M>J5B|MB>+knS&gXh`DZQrF(bi?_C>`G@?` z>)Hnrx~wmEU5T^4et$Js#UtreUHlQJ;kW6b>yxsUSdPk_9A+rtkQh-hO!=r4-}( Date: Mon, 3 May 2021 00:46:02 +0530 Subject: [PATCH 019/415] Updated --- windows/client-management/mdm/applocker-csp.md | 4 ++-- .../mdm/certificate-authentication-device-enrollment.md | 2 +- windows/client-management/mdm/devdetail-ddf-file.md | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md index e84a683f15..aa3be14837 100644 --- a/windows/client-management/mdm/applocker-csp.md +++ b/windows/client-management/mdm/applocker-csp.md @@ -265,13 +265,13 @@ Supported operations are Get, Add, Delete, and Replace. ## Find publisher and product name of apps -You can pair a Windows Phone (Windows 10 Mobile, version 1511) to your desktop using the Device Portal on the phone to get the various types of information, including publisher name and product name of apps installed on the phone. This procedure describes pairing your phone to your desktop using WiFi. +You can pair a Windows (Windows 10 Mobile, version 1511) to your desktop using the Device Portal on the phone to get the various types of information, including publisher name and product name of apps installed on the phone. This procedure describes pairing your phone to your desktop using WiFi. If this procedure does not work for you, try the other methods for pairing described in [Device Portal for Mobile](/windows/uwp/debug-test-perf/device-portal-mobile). **To find Publisher and PackageFullName for apps installed on Windows 10 Mobile** -1. On your Windows Phone, go to **Settings**. Choose **Update & security**. Then choose **For developers**. +1. On your Windows, go to **Settings**. Choose **Update & security**. Then choose **For developers**. 2. Choose **Developer mode**. 3. Turn on **Device discovery**. 4. Turn on **Device Portal** and keep **AuthenticationOn**. diff --git a/windows/client-management/mdm/certificate-authentication-device-enrollment.md b/windows/client-management/mdm/certificate-authentication-device-enrollment.md index 028007ccce..6288b39f91 100644 --- a/windows/client-management/mdm/certificate-authentication-device-enrollment.md +++ b/windows/client-management/mdm/certificate-authentication-device-enrollment.md @@ -61,7 +61,7 @@ Cache-Control: no-cache 101 10.0.0.0 3.0 - WindowsPhone + WindowsPhone 10.0.0.0 Certificate diff --git a/windows/client-management/mdm/devdetail-ddf-file.md b/windows/client-management/mdm/devdetail-ddf-file.md index 25be11c21b..2212dac63f 100644 --- a/windows/client-management/mdm/devdetail-ddf-file.md +++ b/windows/client-management/mdm/devdetail-ddf-file.md @@ -196,7 +196,7 @@ The XML below is the current version for this CSP. - Returns the Windows Phone OS software version. + Returns the Windows OS software version. From 9fafb9767beb886fb7b0a0deb612308337d60f02 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Mon, 3 May 2021 09:30:34 +0500 Subject: [PATCH 020/415] Update policy-csp-localpoliciessecurityoptions.md --- .../mdm/policy-csp-localpoliciessecurityoptions.md | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index a0b1076deb..8d384e1020 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.technology: windows author: manikadhiman ms.localizationpriority: medium -ms.date: 09/27/2019 +ms.date: 05/02/2021 ms.reviewer: manager: dansimp --- @@ -1045,9 +1045,7 @@ GP Info: -Valid values: -- 0 - disabled -- 1 - enabled (session will lock after amount of inactive time exceeds the inactivity limit) +Valid values: from 0 to 599940, where the value is the amount of inactivity time (in seconds), after which the session will be locked. If it is set to zero (0), the setting is disabled. @@ -3467,4 +3465,4 @@ Footnotes: - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. - \ No newline at end of file + From aa2b2bb21c6282298361130c8960ea6c283a9099 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Mon, 3 May 2021 14:31:48 -0700 Subject: [PATCH 021/415] Creating Test TOC This is a test to see how the landing page will look without having changed the original landing page. --- .../TOC2.yml | 113 ++++++++++++++++++ 1 file changed, 113 insertions(+) create mode 100644 windows/security/threat-protection/windows-defender-application-control/TOC2.yml diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC2.yml b/windows/security/threat-protection/windows-defender-application-control/TOC2.yml new file mode 100644 index 0000000000..cbd308449b --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/TOC2.yml @@ -0,0 +1,113 @@ + +### WDAC:Landing +title: Application Control for Windows +metadata: + title: Application Control for Windows + description: Landing page for Windows Defender Application Control +# services: service +# ms.service: microsoft-WDAC-AppLocker +# ms.subservice: Application-Control +# ms.topic: landing-page +# author: Kim Klein +# ms.author: Jordan Geurten +# manager: Jeffrey Sutherland +# ms.update: 04/30/2021 +# linkListType: overview | how-to-guide | tutorial | video +landingContent: +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card + - title: Learn about Application Control + linkLists: + - linkListType: overview + links: + - text: What is WDAC (WDAC Overview)? + url: wdac-and-applocker-overview.md + - text: What is AppLocker? + url: applocker\applocker-overview.md + - text: WDAC and AppLocker feature availability + url: feature-availability.md + # Card + - title: Learn about the Design Guide + linkLists: + - linkListType: overview + links: + - text: Using code signing to simplify application control + url: use-code-signing-to-simplify-application-control-for-classic-windows-applications.md + - text: Merging Policies + url: wdac-wizard-merging-policies.md + - text: Recommended blocks + url: microsoft-recommended-block-rules.md #there are block rules and driver block rules, which link? + - text: Example policies + url: example-wdac-base-policies.md + - text: LOB Win32 apps on S Mode + url: LOB-win32-apps-on-s.md + - linkListType: how-to-guide + links: + - text: Create a WDAC policy for a lightly managed device + url: cardreate-wdac-policy-for-lightly-managed-devices.md + - text: Create a WDAC policy for a fully managed device + url: create-wdac-policy-for-fully-managed-devices.md + - text: Create a WDAC policy for a fixed-workload + url: create-initial-default-policy.md + - text: Using catalog files + url: deploy-catalog-files-to-support-windows-defender-application-control.md + - text: WDAC Wizard tool + url: wdac-wizard.md + - linkListType: Tutorial (videos) + links: + - text: Using the WDAC Wizard + url: video md + - text: Specifying custom values + url: video md + # Card + - title: Learn about Policy Configuration + linkLists: + - linkListType: overview + links: + - text: Understanding policy rules + url: + - text: Understanding File rules + url: + - linkListType: how-to-guide (written) + links: + - text: Allow managed installer and configure managed installer rules + url: use-windows-defender-application-control-with-managed-installer.md + - text: Allow reputable apps with ISG + url: use-windows-defender-application-control-with-intelligent-security-graph.md + # Card + - title: Learn how to deploy WDAC Policies + linkLists: + - linkListType: overview + links: + - text: Signed policies + url: use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md + - text: Audit and enforce policies + url: audit-windows-defender-application-control-policies.md #(merge with enforce-windows-defender-application-control-policies.md) + - text: Disabling WDAC policies + url: disable-windows-defender-application-control-policies.md + - linkListType: tutorial + links: + - text: Deployment with MDM + url: deploy-windows-defender-application-control-policies-using-intune.md + - text: Deployment with MEMCM + url: deployment/deploy-wdac-policies-with-memcm.md + - text: Deployment with script and refresh policy + url: deployment/deploy-wdac-policies-with-script.md + # Card + - title: Learn how to monitor and reiterate WDAC Policies (operational) + linkLists: + - linkListType: overview + links: + - text: Event logs (tags, IDs) + url: event-id-explanations.md #(merge with event-tag-explanations.md) + - text: Advanced hunting + url: querying-application-control-events-centrally-using-advanced-hunting.md #same as below + - linkListType: how-to-guide + links: + - text: Querying using advanced hunting + url: querying-application-control-events-centrally-using-advanced-hunting.md #same as above + - linkListType: tutorial + links: + - text: Creating a policy from event logs + url: querying-application-control-events-centrally-using-advanced-hunting.md #same as above \ No newline at end of file From 4e0b331d0c6b08c0b875d9319a8b0ece7b85f668 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Tue, 4 May 2021 16:11:39 +0500 Subject: [PATCH 022/415] Update windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../mdm/policy-csp-localpoliciessecurityoptions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index 8d384e1020..8beeba2c2e 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -1045,7 +1045,7 @@ GP Info: -Valid values: from 0 to 599940, where the value is the amount of inactivity time (in seconds), after which the session will be locked. If it is set to zero (0), the setting is disabled. +Valid values: From 0 to 599940, where the value is the amount of inactivity time (in seconds) after which the session will be locked. If it is set to zero (0), the setting is disabled. From f01cc02d6f2565a7eb2977790f1ce32a0023bcae Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Wed, 5 May 2021 13:38:32 +0530 Subject: [PATCH 023/415] Updated --- .../manage-access-to-private-store.md | 1 - windows/client-management/mdm/bitlocker-csp.md | 1 - .../client-management/windows-10-mobile-and-mdm.md | 4 +--- .../upgrade/windows-10-edition-upgrades.md | 3 +-- .../deployment/upgrade/windows-10-upgrade-paths.md | 13 +------------ 5 files changed, 3 insertions(+), 19 deletions(-) diff --git a/store-for-business/manage-access-to-private-store.md b/store-for-business/manage-access-to-private-store.md index 7715068772..101a3006be 100644 --- a/store-for-business/manage-access-to-private-store.md +++ b/store-for-business/manage-access-to-private-store.md @@ -40,7 +40,6 @@ Organizations using an MDM to manage apps can use a policy to show only the priv - Enterprise - Education - Mobile -- Mobile Enterprise For more information on configuring an MDM provider, see [Configure an MDM provider](./configure-mdm-provider-microsoft-store-for-business.md). diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 2864971440..823611c02a 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -64,7 +64,6 @@ Allows the administrator to require storage card encryption on the device. This Enterprise Education Mobile - Mobile Enterprise cross mark diff --git a/windows/client-management/windows-10-mobile-and-mdm.md b/windows/client-management/windows-10-mobile-and-mdm.md index eb784753c2..7deb34d682 100644 --- a/windows/client-management/windows-10-mobile-and-mdm.md +++ b/windows/client-management/windows-10-mobile-and-mdm.md @@ -531,7 +531,7 @@ To distribute an app offline (organization-managed), the app must be downloaded To install acquired Microsoft Store or LOB apps offline on a Windows 10 Mobile device, IT administrators can use an MDM system. The MDM system distributes the app packages that you downloaded from Microsoft Store (also called sideloading) to Windows 10 Mobile devices. Support for offline app distribution depends on the MDM system you are using, so consult your MDM vendor documentation for details. You can fully automate the app deployment process so that no user intervention is required. -Microsoft Store apps or LOB apps that have been uploaded to the Microsoft Store for Business are automatically trusted on all Windows devices, as they are cryptographically signed with Microsoft Store certificates. LOB apps that are uploaded to the Microsoft Store for Business are private to your organization and are never visible to other companies or consumers. If you do not want to upload your LOB apps, you have to establish trust for the app on your devices. To establish this trust, you’ll need to generate a signing certificate with your Public Key Infrastructure and add your chain of trust to the trusted certificates on the device (see the certificates section). You can install up to 20 self-signed LOB apps per device with Windows 10 Mobile. To install more than 20 apps on a device, you can purchase a signing certificate from a trusted public Certificate Authority, or upgrade your devices to Windows 10 Mobile Enterprise edition. +Microsoft Store apps or LOB apps that have been uploaded to the Microsoft Store for Business are automatically trusted on all Windows devices, as they are cryptographically signed with Microsoft Store certificates. LOB apps that are uploaded to the Microsoft Store for Business are private to your organization and are never visible to other companies or consumers. If you do not want to upload your LOB apps, you have to establish trust for the app on your devices. To establish this trust, you’ll need to generate a signing certificate with your Public Key Infrastructure and add your chain of trust to the trusted certificates on the device (see the certificates section). You can install up to 20 self-signed LOB apps per device with Windows 10 Mobile. To install more than 20 apps on a device, you can purchase a signing certificate from a trusted public Certificate Authority, or upgrade your devices to Windows 10 edition. For more information, see [Microsoft Store for Business](/microsoft-store/index). @@ -786,14 +786,12 @@ Update availability depends on what servicing option you choose for the device. Immediately after the Feature Update is published to Windows Update by Microsoft Microsoft typically releases two Feature Updates per 12-month period (approximately every four months, though it can potentially be longer) Makes new features available to users as soon as possible -Mobile & Mobile Enterprise Current Branch for Business (CBB) A minimum of four months after the corresponding Feature Update is first published to Windows Update by Microsoft A minimum of four months, though it potentially can be longerNo Provides additional time to test new feature before deployment -Mobile Enterprise only diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md index 71af1da585..4dc8588285 100644 --- a/windows/deployment/upgrade/windows-10-edition-upgrades.md +++ b/windows/deployment/upgrade/windows-10-edition-upgrades.md @@ -39,7 +39,7 @@ X = unsupported
✔ (green) = supported; reboot required
✔ (blue) = supported; no reboot required -|Method |Home > Pro |Home > Education |Pro > Education |Pro > Enterprise |Ent > Education |Mobile > Mobile Enterprise | +|Method |Home > Pro |Home > Education |Pro > Education |Pro > Enterprise |Ent > Education |Mobile | |-------|-----------|-----------------|----------------|-----------------|----------------|--------| | Using mobile device management (MDM) |![unsupported](../images/x_blk.png) |![supported](../images/check_grn.png) |![supported](../images/check_grn.png) |![supported](../images/check_blu.png) |![supported](../images/check_grn.png) |![supported](../images/check_blu.png) | | Using a provisioning package |![unsupported](../images/x_blk.png) |![supported](../images/check_grn.png) |![supported](../images/check_grn.png) |![supported](../images/check_grn.png) |![supported](../images/check_grn.png) |![supported](../images/check_blu.png) | @@ -63,7 +63,6 @@ X = unsupported
| **Pro for Workstations > Enterprise** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
(1703 - PC)
(1709 - MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | | **Pro Education > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
(MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | | **Enterprise > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
(MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | -| **Mobile > Mobile Enterprise** | ![supported, no reboot](../images/check_blu.png) |![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | > [!NOTE] > - For information about upgrade paths in Windows 10 in S mode (for Pro or Education), check out [Windows 10 Pro/Enterprise in S mode](../windows-10-pro-in-s-mode.md) diff --git a/windows/deployment/upgrade/windows-10-upgrade-paths.md b/windows/deployment/upgrade/windows-10-upgrade-paths.md index 57994ce79b..816a17268d 100644 --- a/windows/deployment/upgrade/windows-10-upgrade-paths.md +++ b/windows/deployment/upgrade/windows-10-upgrade-paths.md @@ -50,7 +50,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar Windows 10 Education Windows 10 Enterprise Windows 10 Mobile - Windows 10 Mobile Enterprise Windows 7 @@ -261,17 +260,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar ✔ - - Mobile Enterprise - - - - - - D - - - + ## Related Topics From 42d9f0e25c7f5d01a38873d006ac34651fd0dc3f Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Wed, 5 May 2021 14:09:17 +0530 Subject: [PATCH 024/415] Updated --- ...ficate-authentication-device-enrollment.md | 3 +- .../mdm/devdetail-ddf-file.md | 21 -------- .../client-management/mdm/supl-ddf-file.md | 49 +------------------ .../mdm/w4-application-csp.md | 9 ---- .../windows-10-mobile-and-mdm.md | 8 +-- 5 files changed, 6 insertions(+), 84 deletions(-) diff --git a/windows/client-management/mdm/certificate-authentication-device-enrollment.md b/windows/client-management/mdm/certificate-authentication-device-enrollment.md index 6288b39f91..139413ac41 100644 --- a/windows/client-management/mdm/certificate-authentication-device-enrollment.md +++ b/windows/client-management/mdm/certificate-authentication-device-enrollment.md @@ -60,8 +60,7 @@ Cache-Control: no-cache user@contoso.com 101 10.0.0.0 - 3.0 - WindowsPhone + 3.0 10.0.0.0 Certificate diff --git a/windows/client-management/mdm/devdetail-ddf-file.md b/windows/client-management/mdm/devdetail-ddf-file.md index 2212dac63f..de26ad8620 100644 --- a/windows/client-management/mdm/devdetail-ddf-file.md +++ b/windows/client-management/mdm/devdetail-ddf-file.md @@ -190,27 +190,6 @@ The XML below is the current version for this CSP. - - SwV - - - - - Returns the Windows OS software version. - - - - - - - - - - - text/plain - - - HwV diff --git a/windows/client-management/mdm/supl-ddf-file.md b/windows/client-management/mdm/supl-ddf-file.md index 2c1db8dd46..1e1ddffd22 100644 --- a/windows/client-management/mdm/supl-ddf-file.md +++ b/windows/client-management/mdm/supl-ddf-file.md @@ -216,30 +216,6 @@ The XML below is the DDF for the current version for this CSP. - - HighAccPositioningMethod - - - - - - 0 - Optional. Specifies the positioning method that the SUPL client will use for mobile originated position requests. The default is 0. The default method in Windows Phones provides high-quality assisted GNSS positioning for mobile originated position requests without loading the mobile operator's network or location services. For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. - - - - - - - - - - - text/plain - - - - LocMasterSwitchDependencyNII @@ -765,33 +741,10 @@ The XML below is the DDF for the current version for this CSP. - - PositioningMethod_MR - - - - - - 0 - Optional. Specifies the positioning method that the SUPL client will use for mobile originated position requests. The default is 0. The default method in Windows Phones provides high-quality assisted GNSS positioning for mobile originated position requests without loading the mobile operator's network or location services. The Mobile Station Assisted and AFLT positioning methods must only be configured for test purposes. For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. - - - - - - - - - - - text/plain - - - LocMasterSwitchDependencyNII - + - diff --git a/windows/client-management/mdm/w4-application-csp.md b/windows/client-management/mdm/w4-application-csp.md index 51a1739756..d6b9110b32 100644 --- a/windows/client-management/mdm/w4-application-csp.md +++ b/windows/client-management/mdm/w4-application-csp.md @@ -67,15 +67,6 @@ Required. Specifies the address of the MMS application server, as a string. The **MS** Optional. The maximum authorized size, in KB, for multimedia content. This parameter takes a numeric value in string format. If the value is not a number, or is less than or equal to 10, it will be ignored and outgoing MMS will not be resized. -## Remarks - - -Windows Phone MMS does not support user–selectable profiles. While multiple MMS profiles can be provisioned and saved simultaneously, only the last received profile is active. - -If provisioning XML is received for a profile with an existing name, the values in that profile will be overwritten with the new values. - -For more information about the parameters used by the w4 APPLICATION configuration service provider and how they are used, see the OMA MMS Conformance Document (OMA-TS-MMS-CONF-V1\_3-20051027-C) available from the [OMA website](https://go.microsoft.com/fwlink/p/?LinkId=526900). - ## Related topics diff --git a/windows/client-management/windows-10-mobile-and-mdm.md b/windows/client-management/windows-10-mobile-and-mdm.md index 7deb34d682..608f2041b2 100644 --- a/windows/client-management/windows-10-mobile-and-mdm.md +++ b/windows/client-management/windows-10-mobile-and-mdm.md @@ -800,11 +800,11 @@ Update availability depends on what servicing option you choose for the device. *Applies to: Corporate devices* -While Windows 10 Mobile provides updates directly to user devices from Windows Update, there are many organizations that want to track, test, and schedule updates to corporate devices. To support these requirements, we created the Windows 10 Mobile Enterprise edition. +While Windows 10 Mobile provides updates directly to user devices from Windows Update, there are many organizations that want to track, test, and schedule updates to corporate devices. To support these requirements, we created the Windows 10 edition. -Upgrading to Windows 10 Mobile Enterprise edition provides additional device and app management capabilities for organizations that want to: -- **Defer, approve and deploy feature and quality updates:** Windows 10 Mobile devices get updates directly from Windows Update. If you want to curate updates prior to deploying them, an upgrade to Windows 10 Mobile Enterprise edition is required. Once Enterprise edition is enabled, the phone can be set to the Current Branch for Business servicing option, giving IT additional time to test updates before they are released. -- **Deploy an unlimited number of self-signed LOB apps to a single device:** To use an MDM system to deploy LOB apps directly to devices, you must cryptographically sign the software packages with a code signing certificate that your organization’s certificate authority (CA) generates. You can deploy a maximum of 20 self-signed LOB apps to a Windows 10 Mobile device. To deploy more than 20 self-signed LOB apps, Windows 10 Mobile Enterprise is required. +Upgrading to Windows 10 edition provides additional device and app management capabilities for organizations that want to: +- **Defer, approve and deploy feature and quality updates:** Windows 10 Mobile devices get updates directly from Windows Update. If you want to curate updates prior to deploying them, an upgrade to Windows 10 edition is required. Once Enterprise edition is enabled, the phone can be set to the Current Branch for Business servicing option, giving IT additional time to test updates before they are released. +- **Deploy an unlimited number of self-signed LOB apps to a single device:** To use an MDM system to deploy LOB apps directly to devices, you must cryptographically sign the software packages with a code signing certificate that your organization’s certificate authority (CA) generates. You can deploy a maximum of 20 self-signed LOB apps to a Windows 10 Mobile device. To deploy more than 20 self-signed LOB apps, Windows 10 is required. - **Set the diagnostic data level:** Microsoft collects diagnostic data to help keep Windows devices secure and to help Microsoft improve the quality of Windows and Microsoft services. An upgrade to Windows 10 Mobile Enterprise edition is required to set the diagnostic data level so that only diagnostic information required to keep devices secured is gathered. To learn more about diagnostic, see [Configure Windows diagnostic data in your organization](/windows/configuration/configure-windows-diagnostic-data-in-your-organization). From 33813715be906532b5f00daea8b0c148288b4955 Mon Sep 17 00:00:00 2001 From: Dan Pandre <54847950+DanPandre@users.noreply.github.com> Date: Wed, 5 May 2021 18:16:11 -0400 Subject: [PATCH 025/415] Document ProxyServers property --- windows/client-management/mdm/surfacehub-csp.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md index ff96d2c80a..745f408e3b 100644 --- a/windows/client-management/mdm/surfacehub-csp.md +++ b/windows/client-management/mdm/surfacehub-csp.md @@ -61,9 +61,9 @@ SurfaceHub --------SleepTimeout --------AllowSessionResume --------AllowAutoProxyAuth +--------ProxyServers --------DisableSigninSuggestions --------DoNotShowMyMeetingsAndFiles -----ProxyServers ----Management --------GroupName --------GroupSid @@ -571,6 +571,11 @@ SurfaceHub