From 924e677459027a8c126e20abb35a922fe7bcb395 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 2 Oct 2023 16:02:29 -0700 Subject: [PATCH 01/80] xplat-copilot-8348943 --- windows/client-management/copilot-overview.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 windows/client-management/copilot-overview.md diff --git a/windows/client-management/copilot-overview.md b/windows/client-management/copilot-overview.md new file mode 100644 index 0000000000..03652ef8a4 --- /dev/null +++ b/windows/client-management/copilot-overview.md @@ -0,0 +1,14 @@ +--- +title: Copilot in Windows Overview +description: Learn about Copilot in Windows. +ms.topic: overview +ms.date: 10/26/2023 +appliesto: +- ✅ Windows 11, version 22H2 or later +--- + +# What is Copilot in Windows? + +Copilot in Windows provides centralized generative AI assistance to your users right from the desktop. + +## From 4a4aabf26cb2092d3f6c866d05789fc5476c382b Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 4 Oct 2023 15:01:31 -0700 Subject: [PATCH 02/80] xplat-copilot-8348943 --- windows/client-management/copilot-overview.md | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/windows/client-management/copilot-overview.md b/windows/client-management/copilot-overview.md index 03652ef8a4..557a48b03e 100644 --- a/windows/client-management/copilot-overview.md +++ b/windows/client-management/copilot-overview.md 
@@ -9,6 +9,19 @@ appliesto: # What is Copilot in Windows? -Copilot in Windows provides centralized generative AI assistance to your users right from the desktop. +>**Looking for consumer information?** See [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0). + +Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows is a bit different from Copilot in Edge, which provides assistance in the browser. However, both user experiences can share the same underlying chat provider platform. + +## Chat provider platforms for Copilot in Windows + +Copilot in Windows uses one of the following chat provider platforms, dependant on your organization's configuration: + +- [Bing chat](https://www.microsoft.com/bing/do-more-with-ai/what-is-bing-chat-and-how-can-you-use-it), which is intended for consumer use scenarios +- [Bing chat enterprise](/bing-chat-enterprise/overview), which is intended for business use scenarios + - Bing chat enterprise is available, at no additional cost, for customers who are licensed for Microsoft 365 E3 or E5, A3 or A5 for faculty, Business Standard, or Business Premium. + + + + -## From ce9bbd317623170639adbdfac43c8769819f2f8d Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Thu, 5 Oct 2023 07:15:01 -0700 Subject: [PATCH 03/80] xplat-copilot-8348943 --- windows/client-management/copilot-overview.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/client-management/copilot-overview.md b/windows/client-management/copilot-overview.md index 557a48b03e..3d37b8c2f9 100644 --- a/windows/client-management/copilot-overview.md +++ b/windows/client-management/copilot-overview.md 
@@ -11,7 +11,9 @@ appliesto: >**Looking for consumer information?** See [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0). -Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows is a bit different from Copilot in Edge, which provides assistance in the browser. However, both user experiences can share the same underlying chat provider platform. +Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar on the Windows desktop, docked to the right. + +Copilot in Windows is a bit different from [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat), which provides assistance in the browser, since it can also perform actions such as changing Windows settings or performing common tasks in Windows. However, both user experiences can share the same underlying chat provider platform. ## Chat provider platforms for Copilot in Windows From a31e324d8a007257aa1f0ae1ed9b4f9af5cb45e2 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Thu, 5 Oct 2023 07:29:56 -0700 Subject: [PATCH 04/80] dep-psr-8412957 --- windows/whats-new/deprecated-features.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/windows/whats-new/deprecated-features.md b/windows/whats-new/deprecated-features.md index e13121f3d9..44e79e6fc5 100644 --- a/windows/whats-new/deprecated-features.md +++ b/windows/whats-new/deprecated-features.md @@ -1,7 +1,7 @@ --- title: Deprecated features in the Windows client description: Review the list of features that Microsoft is no longer actively developing in Windows 10 and Windows 11. -ms.date: 09/01/2023 +ms.date: 10/07/2023 ms.prod: windows-client ms.technology: itpro-fundamentals ms.localizationpriority: medium 
@@ -36,9 +36,10 @@ The features in this article are no longer being actively developed, and might b |Feature | Details and mitigation | Deprecation announced | | ----------- | --------------------- | ---- | -| WordPad | WordPad is no longer being updated and will be removed in a future release of Windows. We recommend Microsoft Word for rich text documents like .doc and .rtf and Windows Notepad for plain text documents like .txt. | September 1, 2023 | -| AllJoyn | Microsoft's implementation of AllJoyn which included the [Windows.Devices.AllJoyn API namespace](/uwp/api/windows.devices.alljoyn), a [Win32 API](/windows/win32/api/_alljoyn/), a [management configuration service provider (CSP)](/windows/client-management/mdm/alljoynmanagement-csp), and an [Alljoyn Router Service](/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#alljoyn-router-service) has been deprecated. [AllJoyn](https://openconnectivity.org/technology/reference-implementation/alljoyn/), sponsored by AllSeen Alliance, was an open source discovery and communication protocol for Internet of Things scenarios such as turning on/off lights or reading temperatures.AllSeen Alliance promoted the AllJoyn project from 2013 until 2016 when it merged with the Open Connectivity Foundation (OCF), the sponsors of [Iotivity.org](https://iotivity.org/), another protocol for Internet of Things scenarios. Customers should refer to the [Iotivity.org](https://iotivity.org/) website for alternatives such as [Iotivity Lite](https://github.com/iotivity/iotivity-lite) or [Iotivity](https://github.com/iotivity/iotivity). | August 17, 2023 | -| TLS 1.0 and 1.1 | Over the past several years, internet standards and regulatory bodies have [deprecated or disallowed](https://www.ietf.org/rfc/rfc8996.html) TLS versions 1.0 and 1.1 due to various security issues. 
Starting in Windows 11 Insider Preview builds for September 2023 and continuing in future Windows OS releases, TLS 1.0 and 1.1 will be disabled by default. This change increases the security posture of Windows customers and encourages modern protocol adoption. For organizations that need to use these versions, there's an option to re-enable TLS 1.0 or TLS 1.1. For more information, see [Resources for deprecated features](deprecated-features-resources.md). | August 1, 2023| +| Steps Recorder (psr.exe) | Steps Recorder is no longer being updated and will be removed in a future release of Windows. For screen recording, we recommend the Snipping Tool, Xbox Game Bar, or Microsoft ClipChamp. | October 2023 | +| WordPad | WordPad is no longer being updated and will be removed in a future release of Windows. We recommend Microsoft Word for rich text documents like .doc and .rtf and Windows Notepad for plain text documents like .txt. | September 1, 2023 | +| AllJoyn | Microsoft's implementation of AllJoyn which included the [Windows.Devices.AllJoyn API namespace](/uwp/api/windows.devices.alljoyn), a [Win32 API](/windows/win32/api/_alljoyn/), a [management configuration service provider (CSP)](/windows/client-management/mdm/alljoynmanagement-csp), and an [Alljoyn Router Service](/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#alljoyn-router-service) has been deprecated. [AllJoyn](https://openconnectivity.org/technology/reference-implementation/alljoyn/), sponsored by AllSeen Alliance, was an open source discovery and communication protocol for Internet of Things scenarios such as turning on/off lights or reading temperatures.AllSeen Alliance promoted the AllJoyn project from 2013 until 2016 when it merged with the Open Connectivity Foundation (OCF), the sponsors of [Iotivity.org](https://iotivity.org/), another protocol for Internet of Things scenarios. 
Customers should refer to the [Iotivity.org](https://iotivity.org/) website for alternatives such as [Iotivity Lite](https://github.com/iotivity/iotivity-lite) or [Iotivity](https://github.com/iotivity/iotivity). | August 17, 2023 | +| TLS 1.0 and 1.1 | Over the past several years, internet standards and regulatory bodies have [deprecated or disallowed](https://www.ietf.org/rfc/rfc8996.html) TLS versions 1.0 and 1.1 due to various security issues. Starting in Windows 11 Insider Preview builds for September 2023 and continuing in future Windows OS releases, TLS 1.0 and 1.1 will be disabled by default. This change increases the security posture of Windows customers and encourages modern protocol adoption. For organizations that need to use these versions, there's an option to re-enable TLS 1.0 or TLS 1.1. For more information, see [Resources for deprecated features](deprecated-features-resources.md). | August 1, 2023| | Cortana in Windows | Cortana in Windows as a standalone app is deprecated. This change only impacts Cortana in Windows, and your productivity assistant, Cortana, will continue to be available in Outlook mobile, Teams mobile, Microsoft Teams display, and Microsoft Teams rooms. | June 2023 | | Microsoft Support Diagnostic Tool (MSDT) | [MSDT](/windows-server/administration/windows-commands/msdt) is deprecated and will be removed in a future release of Windows. MSDT is used to gather diagnostic data for analysis by support professionals. For more information, see [Resources for deprecated features](deprecated-features-resources.md) | January 2023 | | Universal Windows Platform (UWP) Applications for 32-bit Arm | This change is applicable only to devices with an Arm processor, for example Snapdragon processors from Qualcomm. If you have a PC built with a processor from Intel or AMD, this content is not applicable. If you are not sure which type of processor you have, check **Settings** > **System** > **About**.

Support for 32-bit Arm versions of applications will be removed in a future release of Windows 11. After this change, for the small number of applications affected, app features might be different and you might notice a difference in performance. For more technical details about this change, see [Update app architecture from Arm32 to Arm64](/windows/arm/arm32-to-arm64). | January 2023 | From 8740f322058e496378a1e0f6126db3e499f49692 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Thu, 5 Oct 2023 07:35:43 -0700 Subject: [PATCH 05/80] dep-psr-8412957 --- windows/whats-new/deprecated-features.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/deprecated-features.md b/windows/whats-new/deprecated-features.md index 44e79e6fc5..c15728063a 100644 --- a/windows/whats-new/deprecated-features.md +++ b/windows/whats-new/deprecated-features.md 
@@ -36,7 +36,7 @@ The features in this article are no longer being actively developed, and might b |Feature | Details and mitigation | Deprecation announced | | ----------- | --------------------- | ---- | -| Steps Recorder (psr.exe) | Steps Recorder is no longer being updated and will be removed in a future release of Windows. For screen recording, we recommend the Snipping Tool, Xbox Game Bar, or Microsoft ClipChamp. | October 2023 | +| Steps Recorder (psr.exe) | Steps Recorder is no longer being updated and will be removed in a future release of Windows. For screen recording, we recommend the Snipping Tool, Xbox Game Bar, or Microsoft Clipchamp. | October 2023 | | WordPad | WordPad is no longer being updated and will be removed in a future release of Windows. We recommend Microsoft Word for rich text documents like .doc and .rtf and Windows Notepad for plain text documents like .txt. | September 1, 2023 | | AllJoyn | Microsoft's implementation of AllJoyn which included the [Windows.Devices.AllJoyn API namespace](/uwp/api/windows.devices.alljoyn), a [Win32 API](/windows/win32/api/_alljoyn/), a [management configuration service provider (CSP)](/windows/client-management/mdm/alljoynmanagement-csp), and an [Alljoyn Router Service](/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#alljoyn-router-service) has been deprecated. [AllJoyn](https://openconnectivity.org/technology/reference-implementation/alljoyn/), sponsored by AllSeen Alliance, was an open source discovery and communication protocol for Internet of Things scenarios such as turning on/off lights or reading temperatures.AllSeen Alliance promoted the AllJoyn project from 2013 until 2016 when it merged with the Open Connectivity Foundation (OCF), the sponsors of [Iotivity.org](https://iotivity.org/), another protocol for Internet of Things scenarios. 
Customers should refer to the [Iotivity.org](https://iotivity.org/) website for alternatives such as [Iotivity Lite](https://github.com/iotivity/iotivity-lite) or [Iotivity](https://github.com/iotivity/iotivity). | August 17, 2023 | | TLS 1.0 and 1.1 | Over the past several years, internet standards and regulatory bodies have [deprecated or disallowed](https://www.ietf.org/rfc/rfc8996.html) TLS versions 1.0 and 1.1 due to various security issues. Starting in Windows 11 Insider Preview builds for September 2023 and continuing in future Windows OS releases, TLS 1.0 and 1.1 will be disabled by default. This change increases the security posture of Windows customers and encourages modern protocol adoption. For organizations that need to use these versions, there's an option to re-enable TLS 1.0 or TLS 1.1. For more information, see [Resources for deprecated features](deprecated-features-resources.md). | August 1, 2023| From 6e6ce0a2979b6e99270aa70d950cc198cd94a759 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 9 Oct 2023 08:30:28 -0700 Subject: [PATCH 06/80] stash --- windows/client-management/copilot-overview.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/windows/client-management/copilot-overview.md b/windows/client-management/copilot-overview.md index 3d37b8c2f9..6164173c16 100644 --- a/windows/client-management/copilot-overview.md +++ b/windows/client-management/copilot-overview.md 
@@ -11,9 +11,8 @@ appliesto: >**Looking for consumer information?** See [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0). -Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar on the Windows desktop, docked to the right. +Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar on the Windows desktop, docked to the right. It's designed to be an assistant that can help your users get things done in Windows. Copilot in Windows is a bit different from [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat), which provides assistance in the browser, since it can also perform actions such as changing Windows settings or performing common tasks in Windows. However, both user experiences, Copilot in Windows and Bing Chat in the Microsoft Edge sidebar, can share the same underlying chat provider platform. It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since it can possibly be used to access sensitive information. -Copilot in Windows is a bit different from [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat), which provides assistance in the browser, since it can also perform actions such as changing Windows settings or performing common tasks in Windows. However, both user experiences can share the same underlying chat provider platform. ## Chat provider platforms for Copilot in Windows 
@@ -23,7 +22,9 @@ Copilot in Windows uses one of the following chat provider platforms, dependant - [Bing chat enterprise](/bing-chat-enterprise/overview), which is intended for business use scenarios - Bing chat enterprise is available, at no additional cost, for customers who are licensed for Microsoft 365 E3 or E5, A3 or A5 for faculty, Business Standard, or Business Premium. - +## How to enable Copilot in Windows + +Copilot in Windows won't be enabled by default for manged Windows 11, version 22H2 devices because it's behind a [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control). One a managed device installs the 2023 annual update, From 4f9dfe5e188f43ed55bb2dcff92c6f620ac9b302 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 9 Oct 2023 15:58:26 -0700 Subject: [PATCH 07/80] copilot-xplat-8348943 --- windows/client-management/copilot-overview.md | 45 +++++++++++++++++-- 1 file changed, 41 insertions(+), 4 deletions(-) diff --git a/windows/client-management/copilot-overview.md b/windows/client-management/copilot-overview.md index 6164173c16..b82d5e86ed 100644 --- a/windows/client-management/copilot-overview.md +++ b/windows/client-management/copilot-overview.md 
@@ -11,20 +11,57 @@ appliesto: >**Looking for consumer information?** See [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0). -Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar on the Windows desktop, docked to the right. It's designed to be an assistant that can help your users get things done in Windows. Copilot in Windows is a bit different from [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat), which provides assistance in the browser, since it can also perform actions such as changing Windows settings or performing common tasks in Windows. However, both user experiences, Copilot in Windows and Bing Chat in the Microsoft Edge sidebar, can share the same underlying chat provider platform. It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since it can possibly be used to access sensitive information. +Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar on the Windows desktop, docked to the right. It's designed to be an assistant that can help your users get things done in Windows. Copilot in Windows is a bit different from [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat), which provides assistance in the browser, since it can also perform actions such as changing Windows settings or performing common tasks in Windows. However, both user experiences, Copilot in Windows and Bing Chat in the Microsoft Edge sidebar, can share the same underlying chat provider platform. 
It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since users can possibly pass sensitive information into the chat provider. ## Chat provider platforms for Copilot in Windows Copilot in Windows uses one of the following chat provider platforms, dependant on your organization's configuration: -- [Bing chat](https://www.microsoft.com/bing/do-more-with-ai/what-is-bing-chat-and-how-can-you-use-it), which is intended for consumer use scenarios -- [Bing chat enterprise](/bing-chat-enterprise/overview), which is intended for business use scenarios +- [Bing Chat Enterprise](/bing-chat-enterprise/overview), which is intended for business use scenarios - Bing chat enterprise is available, at no additional cost, for customers who are licensed for Microsoft 365 E3 or E5, A3 or A5 for faculty, Business Standard, or Business Premium. + - With Bing Chat Enterprise, user and organizational data is protected, chat data isn't saved, Microsoft has no eyes-on access, and your data isn't used to train the underlying large language models. Because of this protection, chat history, 3rd-party plugins, and the Bing mobile app for iOS or Android aren't currently supported. +- [Bing Chat](https://www.microsoft.com/bing/do-more-with-ai/what-is-bing-chat-and-how-can-you-use-it), which is intended for consumer use scenarios ## How to enable Copilot in Windows -Copilot in Windows won't be enabled by default for manged Windows 11, version 22H2 devices because it's behind a [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control). One a managed device installs the 2023 annual update, +1. [Configure the chat provider](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) platform that Copilot in Windows uses: + - [Bing Chat Enterprise](/bing-chat-enterprise/overview) (highly recommended for business environments) + - Bing Chat (default, intended for consumer environments) + +1. 
Ensure the Copilot in Windows user experience is enabled: + - Windows 11, version 22H2 clients + - Windows 11 clients with the 2023 annual update installed (coming soon) +### Configure the chat provider platform that Copilot in Windows uses +**Bing Chat Enterprise:** +1. By default, Bing Chat Enterprise is enabled for users with one of the following licenses: + - Microsoft 365 E3 or E5 + - Microsoft 365 A3 or A5 for faculty + - Business Standard + - Business Premium +1. Verify that users have the license by signing into the [Microsoft 365 admin center](https://admin.microsoft.com/). +1. In the admin enter, select **Users** > **Active users** and verify that they have one of the licenses listed above. +1. To verify that Bing Chat Enterprise is enabled for the user, select the user's **Display name** to open the flyout menu. +1. In the flyout, select the **Licenses & apps** tab, then expand the **Apps** list. +1. Verify that **Bing Chat Enterprise** is enabled for the user. + + + +### Enable Copilot in Windows for Windows 11, version 22H2 clients + +Copilot in Windows isn't enabled by default for manged Windows 11, version 22H2 devices because it's behind a [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control). For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager and Microsoft Intune are considered managed since their updates ultimately come from WSUS or Windows Updates for Business. 
+ +To enable Copilot in Windows for managed Windows 11, version 22H2 devices, use the following instructions: + +**GPOs/CSPs to set** + +### Windows 11 clients with the 2023 annual update installed (coming soon) + + +One a managed device installs the 2023 annual update, the Copilot in Windows user experience is enabled by default. Organizations that aren't ready to use Copilot in Windows can disable it until they are ready by using either of the following permanent controls: + +- **CSP**: ./User/Vendor/MSFT/WindowsAI/[TurnOffWindowsCopilot](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot) +- **Group Policy**: User Configuration\Administrative Templates\Windows Components\Windows Copilot\\**Turn off Windows Copilot** \ No newline at end of file From 4124d5918ae3041225d011a8cbacf2d95c9a1bc9 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Tue, 10 Oct 2023 15:25:09 -0700 Subject: [PATCH 08/80] edits --- windows/client-management/copilot-overview.md | 47 ++++++++++++++++--- 1 file changed, 40 insertions(+), 7 deletions(-) diff --git a/windows/client-management/copilot-overview.md b/windows/client-management/copilot-overview.md index b82d5e86ed..3e25d89345 100644 --- a/windows/client-management/copilot-overview.md +++ b/windows/client-management/copilot-overview.md 
@@ -36,27 +36,60 @@ Copilot in Windows uses one of the following chat provider platforms, dependant ### Configure the chat provider platform that Copilot in Windows uses -**Bing Chat Enterprise:** -1. By default, Bing Chat Enterprise is enabled for users with one of the following licenses: +Configuring the correct chat provider platform for Copilot in Windows is important because users can pass sensitive information into the chat provider. Each chat provider platform has different privacy and security protections. + +#### Bing Chat as the chat provider platform + +Bing Chat is used as the default chat provider platform for Copilot in Windows when any of the following conditions occur: +- Bing Chat Enterprise isn't configured for the user +- Bing Chat Enterprise is turned off +- The user isn't signed in with a Microsoft account rather than a Microsoft Entra account, + +Bing Chat is intended for consumer use scenarios and has the following privacy and security protections: + +1. Review [Copilot in Windows: Your data and privacy](https://support.microsoft.com/windows/3e265e82-fc76-4d0a-afc0-4a0de528b73a), and the privacy statement for using Bing Chat, which is in the [Microsoft privacy statement](https://privacy.microsoft.com/privacystatement). Ensure you include the product specific guidance in the Microsoft privacy statement for Bing under the Search, Microsoft Edge, and artificial intelligence section. + +#### Bing Chat Enterprise as the chat provider platform (recommended for business environments) + +1. Review the Bing Chat Enterprise [privacy statement](https://learn.microsoft.com/bing-chat-enterprise/privacy-and-protections). +1. By default, Bing Chat Enterprise is enabled for users that are assigned one of the following licenses: - Microsoft 365 E3 or E5 - Microsoft 365 A3 or A5 for faculty - Business Standard - Business Premium 1. Verify that users have the license by signing into the [Microsoft 365 admin center](https://admin.microsoft.com/). -1. 
In the admin enter, select **Users** > **Active users** and verify that they have one of the licenses listed above. +1. In the admin center, select **Users** > **Active users** and verify that users have one of the licenses listed above. 1. To verify that Bing Chat Enterprise is enabled for the user, select the user's **Display name** to open the flyout menu. 1. In the flyout, select the **Licenses & apps** tab, then expand the **Apps** list. 1. Verify that **Bing Chat Enterprise** is enabled for the user. - +```http +*would be nice to have a Graph query that lists users that do/do not have BCE app enabled* +*licensedetails does output BCE, so its a matter of just getting the query right* +**powershell or http preferably** +Ex output from my lab: GET https://graph.microsoft.com/v1.0/me/licenseDetails +{ + "servicePlanId": "0d0c0d31-fae7-41f2-b909-eaf4d7f26dba", + "servicePlanName": "Bing_Chat_Enterprise", + "provisioningStatus": "Success", + "appliesTo": "User" +}, +https://learn.microsoft.com/graph/api/resources/licensedetails +``` ### Enable Copilot in Windows for Windows 11, version 22H2 clients -Copilot in Windows isn't enabled by default for manged Windows 11, version 22H2 devices because it's behind a [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control). For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager and Microsoft Intune are considered managed since their updates ultimately come from WSUS or Windows Updates for Business. 
+Copilot in Windows isn't enabled by default for manged Windows 11, version 22H2 devices because it's behind a [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control). For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager and Microsoft Intune are considered managed since their updates ultimately come from WSUS or Windows Updates for Business. -To enable Copilot in Windows for managed Windows 11, version 22H2 devices, use the following instructions: +To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you'll need to turn off temporary enterprise control for these devices. Since disabling [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) can be impactful, you should test this change before deploying it broadly. To enable Copilot in Windows for managed Windows 11, version 22H2 devices, use the following instructions: -**GPOs/CSPs to set** +1. Verify that the users accounts have the correct chat provider platform configured for Copilot in Windows. For more information, see the [Configure the chat provider platform that Copilot in Windows uses](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) section. +1. Apply a policy to disable temporary enterprise control. 
The following polices apply to Windows 11, version 22H2 with [KB5022845](https://support.microsoft.com/en-us/topic/february-14-2023-kb5022845-os-build-22621-1265-90a807f4-d2e8-486e-8a43-d09e66319f38) and later: + - **Group Policy:** Computer Configuration\Administrative Templates\Windows Components\Windows Update\Manage end user experience\\**Enable features introduced via servicing that are off by default** + + - **CSP**: ./Device/Vendor/MSFT/Policy/Config/Update/[AllowTemporaryEnterpriseFeatureControl](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowtemporaryenterprisefeaturecontrol) + - In the Intune [settings catalog](/mem/intune/configuration/settings-catalog), this setting is named **Allow Temporary Enterprise Feature Control** under the **Windows Update for Business** category. +1. ### Windows 11 clients with the 2023 annual update installed (coming soon) From 4d13dbacffdfd99be3afb6363259bbe8706b8fa1 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Tue, 10 Oct 2023 15:56:18 -0700 Subject: [PATCH 09/80] edits --- windows/client-management/copilot-overview.md | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/windows/client-management/copilot-overview.md b/windows/client-management/copilot-overview.md index 3e25d89345..89a8bd5042 100644 --- a/windows/client-management/copilot-overview.md +++ b/windows/client-management/copilot-overview.md 
@@ -39,15 +39,17 @@ Copilot in Windows uses one of the following chat provider platforms, dependant Configuring the correct chat provider platform for Copilot in Windows is important because users can pass sensitive information into the chat provider. Each chat provider platform has different privacy and security protections. #### Bing Chat as the chat provider platform - -Bing Chat is used as the default chat provider platform for Copilot in Windows when any of the following conditions occur: + +Bing Chat is used as the default chat provider platform for Copilot in Windows when any of the following conditions occur: + - Bing Chat Enterprise isn't configured for the user -- Bing Chat Enterprise is turned off -- The user isn't signed in with a Microsoft account rather than a Microsoft Entra account, +- Bing Chat Enterprise is [turned off](/bing-chat-enterprise/manage) +- The user isn't signed in with a Microsoft Entra account that's licensed for Bing Chat Enterprise -Bing Chat is intended for consumer use scenarios and has the following privacy and security protections: +The Bing Chat is a consumer experience and doesn't offer commercial data protection. Users in your organization get consumer Bing Chat without these extra protections. The following privacy and security protections apply for Bing Chat: -1. Review [Copilot in Windows: Your data and privacy](https://support.microsoft.com/windows/3e265e82-fc76-4d0a-afc0-4a0de528b73a), and the privacy statement for using Bing Chat, which is in the [Microsoft privacy statement](https://privacy.microsoft.com/privacystatement). Ensure you include the product specific guidance in the Microsoft privacy statement for Bing under the Search, Microsoft Edge, and artificial intelligence section. 
+- [Copilot in Windows: Your data and privacy](https://support.microsoft.com/windows/3e265e82-fc76-4d0a-afc0-4a0de528b73a) +- The privacy statement for using Bing Chat follows the [Microsoft privacy statement](https://privacy.microsoft.com/privacystatement) including the product specific guidance in the Microsoft privacy statement for **Bing** under the **Search, Microsoft Edge, and artificial intelligence** section. #### Bing Chat Enterprise as the chat provider platform (recommended for business environments) From cf7868e20428c47745c9fed019a57f898ddf003f Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Fri, 13 Oct 2023 16:06:01 -0700 Subject: [PATCH 10/80] add enable opt updates --- windows/client-management/copilot-overview.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/windows/client-management/copilot-overview.md b/windows/client-management/copilot-overview.md index 89a8bd5042..d3c255916f 100644 --- a/windows/client-management/copilot-overview.md +++ b/windows/client-management/copilot-overview.md 
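Review bot: the added sentence "The following privacy and security protections apply for Bing Chat:" comes directly after "doesn't offer commercial data protection" and introduces two links to privacy documents, not a list of protections. Reword the lead-in to say these are the data and privacy terms that govern consumer Bing Chat. Also drop the article in "The Bing Chat is a consumer experience", and name what "these extra protections" refers to, since nothing earlier in this section lists them. The rewritten third condition now overlaps with the first ("isn't configured for the user"); say how they differ or merge them.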
@@ -91,7 +91,13 @@ To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you'l - **CSP**: ./Device/Vendor/MSFT/Policy/Config/Update/[AllowTemporaryEnterpriseFeatureControl](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowtemporaryenterprisefeaturecontrol) - In the Intune [settings catalog](/mem/intune/configuration/settings-catalog), this setting is named **Allow Temporary Enterprise Feature Control** under the **Windows Update for Business** category. -1. +1. Depending on how soon you start deploying Copilot in Windows, you may also need to also enable optional updates with one of the following policies: + Enable optional updates for Windows 11, version 22H2 and later + - **Group Policy:** Computer Configuration\Administrative Templates\Windows Components\Windows Update\Windows Update for Business\\**Allow updates to Windows optional features** + - **CSP**: ./Device/Vendor/MSFT/Policy/Config/Update/[AllowOptionalUpdates](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowoptionalupdates) + - In the Intune [settings catalog](/mem/intune/configuration/settings-catalog), this setting is named **Allow optional updates** under the **Windows Update for Business** category. + > [!NOTE] + > Copilot in Windows will be initially deployed to devices using a controlled feature rollout (CFR). When setting the policy for optional updates, ensure you select an option that includes CFRs. For more information, see [Enable optional updates](/windows/deployment/update/waas-configure-wufb#enable-optional-updates) ### Windows 11 clients with the 2023 annual update installed (coming soon) From 8df1cfe248fe173620a8d3bd803c9a700ac1c0ec Mon Sep 17 00:00:00 2001 
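Review bot: the added line "Enable optional updates for Windows 11, version 22H2 and later" sits inside the list item as a loose fragment between the lead-in and the policy bullets; fold it into the lead-in or remove it. "you may also need to also enable" repeats "also". The note tells the reader to "select an option that includes CFRs" without naming the options, so list them in the note, and end its last sentence with a period.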
From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 16 Oct 2023 10:17:27 -0700 Subject: [PATCH 11/80] edits --- windows/client-management/copilot-overview.md | 23 ++++++++++++------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/windows/client-management/copilot-overview.md b/windows/client-management/copilot-overview.md index d3c255916f..ba951762b1 100644 --- a/windows/client-management/copilot-overview.md +++ b/windows/client-management/copilot-overview.md @@ -1,6 +1,6 @@ --- title: Copilot in Windows Overview -description: Learn about Copilot in Windows. +description: Learn about managing Copilot in Windows for commercial environments. ms.topic: overview ms.date: 10/26/2023 appliesto: 
@@ -91,18 +91,25 @@ To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you'l - **CSP**: ./Device/Vendor/MSFT/Policy/Config/Update/[AllowTemporaryEnterpriseFeatureControl](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowtemporaryenterprisefeaturecontrol) - In the Intune [settings catalog](/mem/intune/configuration/settings-catalog), this setting is named **Allow Temporary Enterprise Feature Control** under the **Windows Update for Business** category. -1. Depending on how soon you start deploying Copilot in Windows, you may also need to also enable optional updates with one of the following policies: - Enable optional updates for Windows 11, version 22H2 and later +1. Copilot in Windows will be initially deployed to devices using a controlled feature rollout (CFR). Depending on how soon you start deploying Copilot in Windows, you may also need to also [enable optional updates](/windows/deployment/update/waas-configure-wufb#enable-optional-updates) with one of the following policies: - **Group Policy:** Computer Configuration\Administrative Templates\Windows Components\Windows Update\Windows Update for Business\\**Allow updates to Windows optional features** - **CSP**: ./Device/Vendor/MSFT/Policy/Config/Update/[AllowOptionalUpdates](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowoptionalupdates) - In the Intune [settings catalog](/mem/intune/configuration/settings-catalog), this setting is named **Allow optional updates** under the **Windows Update for Business** category. - > [!NOTE] - > Copilot in Windows will be initially deployed to devices using a controlled feature rollout (CFR). When setting the policy for optional updates, ensure you select an option that includes CFRs. 
For more information, see [Enable optional updates](/windows/deployment/update/waas-configure-wufb#enable-optional-updates) + + > [!Note] + > These optional updates policies apply to Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later. When setting policy for optional updates, ensure you select one of the following options that includes CFRs: + > - Automatically receive optional updates (including CFRs) + > - Users can select which optional updates to receive + + + + + ### Windows 11 clients with the 2023 annual update installed (coming soon) - -One a managed device installs the 2023 annual update, the Copilot in Windows user experience is enabled by default. Organizations that aren't ready to use Copilot in Windows can disable it until they are ready by using either of the following permanent controls: +One a managed device installs the 2023 annual update, likely to be called 23H2, the Copilot in Windows user experience is enabled by default. Organizations that aren't ready to use Copilot in Windows can disable it until they're ready by using either of the following permanent controls: - **CSP**: ./User/Vendor/MSFT/WindowsAI/[TurnOffWindowsCopilot](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot) -- **Group Policy**: User Configuration\Administrative Templates\Windows Components\Windows Copilot\\**Turn off Windows Copilot** \ No newline at end of file +- **Group Policy**: User Configuration\Administrative Templates\Windows Components\Windows Copilot\\**Turn off Windows Copilot** + From 7b459fa2f3444cf2bdae60cebfeaeee7de6538f2 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 16 Oct 2023 11:27:41 -0700 Subject: [PATCH 12/80] edits --- windows/client-management/copilot-overview.md | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) 
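Review bot: "One a managed device installs the 2023 annual update" should read "Once a managed device ...", and the added aside "likely to be called 23H2" is speculation that will go stale in published guidance; use the release name only once it is confirmed. The step text in this hunk still carries "you may also need to also", the new callout is written `[!Note]` where the one it replaces was `[!NOTE]`, and the run of empty added lines after the callout can go.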
diff --git a/windows/client-management/copilot-overview.md b/windows/client-management/copilot-overview.md index ba951762b1..7478d3f8a9 100644 --- a/windows/client-management/copilot-overview.md +++ b/windows/client-management/copilot-overview.md 
@@ -18,15 +18,15 @@ Copilot in Windows provides centralized generative AI assistance to your users r Copilot in Windows uses one of the following chat provider platforms, dependant on your organization's configuration: -- [Bing Chat Enterprise](/bing-chat-enterprise/overview), which is intended for business use scenarios - - Bing chat enterprise is available, at no additional cost, for customers who are licensed for Microsoft 365 E3 or E5, A3 or A5 for faculty, Business Standard, or Business Premium. +- **[Bing Chat Enterprise](/bing-chat-enterprise/overview)**: intended for commercial use scenarios - With Bing Chat Enterprise, user and organizational data is protected, chat data isn't saved, Microsoft has no eyes-on access, and your data isn't used to train the underlying large language models. Because of this protection, chat history, 3rd-party plugins, and the Bing mobile app for iOS or Android aren't currently supported. -- [Bing Chat](https://www.microsoft.com/bing/do-more-with-ai/what-is-bing-chat-and-how-can-you-use-it), which is intended for consumer use scenarios + - Bing chat enterprise is available, at no additional cost, for customers who are licensed for Microsoft 365 E3 or E5, A3 or A5 for faculty, Business Standard, or Business Premium. +- **[Bing Chat](https://www.microsoft.com/bing/do-more-with-ai/what-is-bing-chat-and-how-can-you-use-it)**: intended for consumer use scenarios ## How to enable Copilot in Windows 1. [Configure the chat provider](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) platform that Copilot in Windows uses: - - [Bing Chat Enterprise](/bing-chat-enterprise/overview) (highly recommended for business environments) + - [Bing Chat Enterprise](/bing-chat-enterprise/overview) (highly recommended for commercial environments) - Bing Chat (default, intended for consumer environments) 1. Ensure the Copilot in Windows user experience is enabled: 
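Review bot: the moved bullet keeps the lowercase "Bing chat enterprise is available" while every other mention in this hunk is "Bing Chat Enterprise"; fix the casing while the line is being touched. The context line that introduces the list also has "dependant" for "dependent", and "3rd-party" in the data-protection bullet reads better as "third-party".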
@@ -34,11 +34,11 @@ Copilot in Windows uses one of the following chat provider platforms, dependant - Windows 11 clients with the 2023 annual update installed (coming soon) -### Configure the chat provider platform that Copilot in Windows uses +## Configure the chat provider platform that Copilot in Windows uses Configuring the correct chat provider platform for Copilot in Windows is important because users can pass sensitive information into the chat provider. Each chat provider platform has different privacy and security protections. -#### Bing Chat as the chat provider platform +### Bing Chat as the chat provider platform Bing Chat is used as the default chat provider platform for Copilot in Windows when any of the following conditions occur: @@ -51,7 +51,7 @@ The Bing Chat is a consumer experience and doesn't offer commercial data protect - [Copilot in Windows: Your data and privacy](https://support.microsoft.com/windows/3e265e82-fc76-4d0a-afc0-4a0de528b73a) - The privacy statement for using Bing Chat follows the [Microsoft privacy statement](https://privacy.microsoft.com/privacystatement) including the product specific guidance in the Microsoft privacy statement for **Bing** under the **Search, Microsoft Edge, and artificial intelligence** section. -#### Bing Chat Enterprise as the chat provider platform (recommended for business environments) +### Bing Chat Enterprise as the chat provider platform (recommended for commercial environments) 1. Review the Bing Chat Enterprise [privacy statement](https://learn.microsoft.com/bing-chat-enterprise/privacy-and-protections). 1. By default, Bing Chat Enterprise is enabled for users that are assigned one of the following licenses: 
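Review bot: the promoted heading says "(recommended for commercial environments)" while the step list changed in the previous hunk says "(highly recommended for commercial environments)"; pick one strength of recommendation and use it in both places, since this is the line admins will act on when choosing a provider.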
@@ -79,6 +79,8 @@ Ex output from my lab: GET https://graph.microsoft.com/v1.0/me/licenseDetails https://learn.microsoft.com/graph/api/resources/licensedetails ``` +## Ensure the Copilot in Windows user experience is enabled + ### Enable Copilot in Windows for Windows 11, version 22H2 clients Copilot in Windows isn't enabled by default for manged Windows 11, version 22H2 devices because it's behind a [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control). For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager and Microsoft Intune are considered managed since their updates ultimately come from WSUS or Windows Updates for Business. From 5c6f760b8dbd4a81ac7e626af9ea51798194706d Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 16 Oct 2023 12:58:40 -0700 Subject: [PATCH 13/80] edits --- windows/client-management/copilot-overview.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/client-management/copilot-overview.md b/windows/client-management/copilot-overview.md index 7478d3f8a9..966866d506 100644 --- a/windows/client-management/copilot-overview.md +++ b/windows/client-management/copilot-overview.md 
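Review bot: the new "## Ensure the Copilot in Windows user experience is enabled" heading is followed immediately by a "###" heading with no introductory sentence, and it lands directly under a fenced block that still holds lab output ("GET https://graph.microsoft.com/v1.0/me/licenseDetails"). Add a line saying which subsection applies to which clients, and remove or finish the fenced block before publishing. The context paragraph in this hunk still has "manged" and "Windows Updates for Business".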
@@ -65,6 +65,10 @@ The Bing Chat is a consumer experience and doesn't offer commercial data protect 1. In the flyout, select the **Licenses & apps** tab, then expand the **Apps** list. 1. Verify that **Bing Chat Enterprise** is enabled for the user. +> [!Note] +> If you previously disabled Bing Chat Enterprise using the URL, `https://aka.ms/TurnOffBCE`, see [Manage Bing Chat Enterprise](/bing-chat-enterprise/manage) for verifying that Bing Chat Enterprise is enabled for your users. + + ```http *would be nice to have a Graph query that lists users that do/do not have BCE app enabled* *licensedetails does output BCE, so its a matter of just getting the query right* From 7a8592d9273ef4e04c35151c8c347c96de3a8eca Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 16 Oct 2023 13:37:13 -0700 Subject: [PATCH 14/80] edits --- windows/client-management/copilot-overview.md | 31 +++++++++---------- 1 file changed, 15 insertions(+), 16 deletions(-) diff --git a/windows/client-management/copilot-overview.md b/windows/client-management/copilot-overview.md index 966866d506..f2ac9a9385 100644 --- a/windows/client-management/copilot-overview.md +++ b/windows/client-management/copilot-overview.md 
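Review bot: the added note sends admins who used `https://aka.ms/TurnOffBCE` to another page "for verifying" but doesn't say why it matters here; add that while Bing Chat Enterprise is turned off, Copilot in Windows uses consumer Bing Chat, which is what the conditions list earlier in this file states. The fenced `http` block right below the note still contains author to-do text ("would be nice to have a Graph query ...") and shouldn't ship as is.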
@@ -11,29 +11,28 @@ appliesto: >**Looking for consumer information?** See [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0). -Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar on the Windows desktop, docked to the right. It's designed to be an assistant that can help your users get things done in Windows. Copilot in Windows is a bit different from [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat), which provides assistance in the browser, since it can also perform actions such as changing Windows settings or performing common tasks in Windows. However, both user experiences, Copilot in Windows and Bing Chat in the Microsoft Edge sidebar, can share the same underlying chat provider platform. It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since users can possibly pass sensitive information into the chat provider. +Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar docked on the Windows desktop. It's designed to be an assistant that can help your users get things done in Windows. Copilot in Windows is a bit different from [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat), which provides assistance in the browser, since it can also perform actions such as changing Windows settings or performing common tasks in Windows. However, both user experiences, Copilot in Windows and Bing Chat in the Microsoft Edge sidebar, can share the same underlying chat provider platform. 
It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since users can possibly pass sensitive information into the chat provider. + +At a high level, configuring Copilot in Windows for your organization involves the following steps: + +1. Configure the chat provider platform that Copilot in Windows uses: + - Bing Chat Enterprise (highly recommended for commercial environments) + - Bing Chat (default, intended for consumer environments) +1. Ensure the Copilot in Windows user experience is enabled: + - Windows 11, version 22H2 clients + - Windows 11 clients with the 2023 annual update installed (coming soon) +1. Verify other settings that may impact Copilot in Windows and its underlying chat provider ## Chat provider platforms for Copilot in Windows -Copilot in Windows uses one of the following chat provider platforms, dependant on your organization's configuration: +Copilot in Windows uses one of the following chat provider platforms, dependent on your organization's configuration: - **[Bing Chat Enterprise](/bing-chat-enterprise/overview)**: intended for commercial use scenarios - With Bing Chat Enterprise, user and organizational data is protected, chat data isn't saved, Microsoft has no eyes-on access, and your data isn't used to train the underlying large language models. Because of this protection, chat history, 3rd-party plugins, and the Bing mobile app for iOS or Android aren't currently supported. - Bing chat enterprise is available, at no additional cost, for customers who are licensed for Microsoft 365 E3 or E5, A3 or A5 for faculty, Business Standard, or Business Premium. - **[Bing Chat](https://www.microsoft.com/bing/do-more-with-ai/what-is-bing-chat-and-how-can-you-use-it)**: intended for consumer use scenarios -## How to enable Copilot in Windows - -1. 
[Configure the chat provider](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) platform that Copilot in Windows uses: - - [Bing Chat Enterprise](/bing-chat-enterprise/overview) (highly recommended for commercial environments) - - Bing Chat (default, intended for consumer environments) - -1. Ensure the Copilot in Windows user experience is enabled: - - Windows 11, version 22H2 clients - - Windows 11 clients with the 2023 annual update installed (coming soon) - - ## Configure the chat provider platform that Copilot in Windows uses Configuring the correct chat provider platform for Copilot in Windows is important because users can pass sensitive information into the chat provider. Each chat provider platform has different privacy and security protections. 
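Review bot: the removed "How to enable Copilot in Windows" list linked step 1 to `#configure-the-chat-provider-platform-that-copilot-in-windows-uses` and to the Bing Chat Enterprise overview, while the replacement list in the intro has no links at all; keep the in-page links so readers can jump to each step, and link step 3 to the section that covers those other settings. The intro's closing sentence about users passing sensitive information into the chat provider repeats the opening of the "Configure the chat provider platform" section shown in the trailing context, so keep it in one place. "side bar" should match "sidebar" as used for Microsoft Edge in the same paragraph.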
@@ -89,15 +88,15 @@ https://learn.microsoft.com/graph/api/resources/licensedetails Copilot in Windows isn't enabled by default for manged Windows 11, version 22H2 devices because it's behind a [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control). For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager and Microsoft Intune are considered managed since their updates ultimately come from WSUS or Windows Updates for Business. -To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you'll need to turn off temporary enterprise control for these devices. Since disabling [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) can be impactful, you should test this change before deploying it broadly. To enable Copilot in Windows for managed Windows 11, version 22H2 devices, use the following instructions: +To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you need to turn off temporary enterprise control for these devices. Since disabling [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) can be impactful, you should test this change before deploying it broadly. To enable Copilot in Windows for managed Windows 11, version 22H2 devices, use the following instructions: -1. Verify that the users accounts have the correct chat provider platform configured for Copilot in Windows. For more information, see the [Configure the chat provider platform that Copilot in Windows uses](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) section. +1. 
Verify that the user accounts have the correct chat provider platform configured for Copilot in Windows. For more information, see the [Configure the chat provider platform that Copilot in Windows uses](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) section. 1. Apply a policy to disable temporary enterprise control. The following polices apply to Windows 11, version 22H2 with [KB5022845](https://support.microsoft.com/en-us/topic/february-14-2023-kb5022845-os-build-22621-1265-90a807f4-d2e8-486e-8a43-d09e66319f38) and later: - **Group Policy:** Computer Configuration\Administrative Templates\Windows Components\Windows Update\Manage end user experience\\**Enable features introduced via servicing that are off by default** - **CSP**: ./Device/Vendor/MSFT/Policy/Config/Update/[AllowTemporaryEnterpriseFeatureControl](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowtemporaryenterprisefeaturecontrol) - In the Intune [settings catalog](/mem/intune/configuration/settings-catalog), this setting is named **Allow Temporary Enterprise Feature Control** under the **Windows Update for Business** category. -1. Copilot in Windows will be initially deployed to devices using a controlled feature rollout (CFR). Depending on how soon you start deploying Copilot in Windows, you may also need to also [enable optional updates](/windows/deployment/update/waas-configure-wufb#enable-optional-updates) with one of the following policies: +1. Copilot in Windows will be initially deployed to devices using a controlled feature rollout (CFR). 
Depending on how soon you start deploying Copilot in Windows, you might also need to [enable optional updates](/windows/deployment/update/waas-configure-wufb#enable-optional-updates) with one of the following policies: - **Group Policy:** Computer Configuration\Administrative Templates\Windows Components\Windows Update\Windows Update for Business\\**Allow updates to Windows optional features** - **CSP**: ./Device/Vendor/MSFT/Policy/Config/Update/[AllowOptionalUpdates](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowoptionalupdates) - In the Intune [settings catalog](/mem/intune/configuration/settings-catalog), this setting is named **Allow optional updates** under the **Windows Update for Business** category. From 6550e91928b62f5d72082dd3a5c937739ca0ce9d Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 16 Oct 2023 14:55:00 -0700 Subject: [PATCH 15/80] edits --- windows/client-management/copilot-overview.md | 62 ++++++++++--------- 1 file changed, 32 insertions(+), 30 deletions(-) diff --git a/windows/client-management/copilot-overview.md b/windows/client-management/copilot-overview.md index f2ac9a9385..0a759a25d9 100644 --- a/windows/client-management/copilot-overview.md +++ b/windows/client-management/copilot-overview.md 
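Review bot: the rewritten paragraph still opens two sentences with "To enable Copilot in Windows for managed Windows 11, version 22H2 devices"; fold the second into "use the following instructions:" or drop it. Since this hunk is a wording pass over the section, it should also fix "manged" in the first context paragraph and "polices" in step 2, both of which are left untouched.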
@@ -15,23 +15,34 @@ Copilot in Windows provides centralized generative AI assistance to your users r At a high level, configuring Copilot in Windows for your organization involves the following steps: -1. Configure the chat provider platform that Copilot in Windows uses: - - Bing Chat Enterprise (highly recommended for commercial environments) - - Bing Chat (default, intended for consumer environments) -1. Ensure the Copilot in Windows user experience is enabled: - - Windows 11, version 22H2 clients - - Windows 11 clients with the 2023 annual update installed (coming soon) +1. Understand the available chat provider platforms for Copilot in Windows +1. Configure the chat provider platform that Copilot in Windows uses +1. Ensure the Copilot in Windows user experience is enabled 1. Verify other settings that may impact Copilot in Windows and its underlying chat provider +Organizations that aren't ready to use Copilot in Windows can disable it until they're ready by using either of the following permanent controls: + +- **CSP**: ./User/Vendor/MSFT/WindowsAI/[TurnOffWindowsCopilot](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot) +- **Group Policy**: User Configuration\Administrative Templates\Windows Components\Windows Copilot\\**Turn off Windows Copilot** ## Chat provider platforms for Copilot in Windows -Copilot in Windows uses one of the following chat provider platforms, dependent on your organization's configuration: +Copilot in Windows can use either Bing Chat or Bing Chat Enterprise as its chat provider platform. The chat provider platform is the underlying service that Copilot in Windows uses to communicate with the user. The chat provider platform that Copilot in Windows uses is important because users can pass sensitive information into the chat provider. Each chat provider platform has different privacy and security protections. 
-- **[Bing Chat Enterprise](/bing-chat-enterprise/overview)**: intended for commercial use scenarios - - With Bing Chat Enterprise, user and organizational data is protected, chat data isn't saved, Microsoft has no eyes-on access, and your data isn't used to train the underlying large language models. Because of this protection, chat history, 3rd-party plugins, and the Bing mobile app for iOS or Android aren't currently supported. - - Bing chat enterprise is available, at no additional cost, for customers who are licensed for Microsoft 365 E3 or E5, A3 or A5 for faculty, Business Standard, or Business Premium. -- **[Bing Chat](https://www.microsoft.com/bing/do-more-with-ai/what-is-bing-chat-and-how-can-you-use-it)**: intended for consumer use scenarios +**Bing Chat**: + +[Bing Chat](https://www.microsoft.com/bing/do-more-with-ai/what-is-bing-chat-and-how-can-you-use-it) is a consumer experience and doesn't offer commercial data protection. Users in your organization get consumer Bing Chat without extra commercial protections. The following privacy and security protections apply for Bing Chat: + - [Copilot in Windows: Your data and privacy](https://support.microsoft.com/windows/3e265e82-fc76-4d0a-afc0-4a0de528b73a) + - The privacy statement for using Bing Chat follows the [Microsoft privacy statement](https://privacy.microsoft.com/privacystatement) including the product specific guidance in the Microsoft privacy statement for **Bing** under the **Search, Microsoft Edge, and artificial intelligence** section. + +**Bing Chat Enterprise**: + +[Bing Chat Enterprise](/bing-chat-enterprise/overview) is intended for commercial use scenarios. The following privacy and security protections apply for Bing Chat Enterprise: + +- With [Bing Chat Enterprise](/bing-chat-enterprise/overview), user and organizational data is protected, chat data isn't saved, Microsoft has no eyes-on access, and your data isn't used to train the underlying large language models. 
Because of this protection, chat history, 3rd-party plugins, and the Bing mobile app for iOS or Android aren't currently supported. Review the Bing Chat Enterprise [privacy statement](/bing-chat-enterprise/privacy-and-protections). +- Bing chat enterprise is available, at no additional cost, for customers who are licensed for Microsoft 365 E3 or E5, A3 or A5 for faculty, Business Standard, or Business Premium. + > [!Note] + > Bing Chat Enterprise doesn't have access to Microsoft Graph, unlike [Microsoft 365 Copilot](/microsoft-365-copilot/microsoft-365-copilot-overview) which is used in Microsoft 365 apps. This means that Bing Chat Enterprise can't access Microsoft 365 Apps data, such as email, calendar, or files. ## Configure the chat provider platform that Copilot in Windows uses 
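Review bot: the new opening paragraph under "Chat provider platforms for Copilot in Windows" ends with two sentences ("... users can pass sensitive information into the chat provider. Each chat provider platform has different privacy and security protections.") that are word for word the first paragraph of the "Configure the chat provider platform" section that follows; keep one copy. The turn-off controls added to the intro are user-scoped (`./User/...` and "User Configuration"), unlike the device-scoped update policies later in the file, so state that scope so admins target them correctly. "Bing chat enterprise" should be "Bing Chat Enterprise", and the Microsoft Graph note is nested under the licensing bullet although it describes data access, so it fits better under the data-protection bullet.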
@@ -42,24 +53,20 @@ Configuring the correct chat provider platform for Copilot in Windows is importa Bing Chat is used as the default chat provider platform for Copilot in Windows when any of the following conditions occur: - Bing Chat Enterprise isn't configured for the user +- T user isn't assigned a license that includes Bing Chat Enterprise - Bing Chat Enterprise is [turned off](/bing-chat-enterprise/manage) - The user isn't signed in with a Microsoft Entra account that's licensed for Bing Chat Enterprise -The Bing Chat is a consumer experience and doesn't offer commercial data protection. Users in your organization get consumer Bing Chat without these extra protections. The following privacy and security protections apply for Bing Chat: +### Bing Chat Enterprise as the chat provider platform -- [Copilot in Windows: Your data and privacy](https://support.microsoft.com/windows/3e265e82-fc76-4d0a-afc0-4a0de528b73a) -- The privacy statement for using Bing Chat follows the [Microsoft privacy statement](https://privacy.microsoft.com/privacystatement) including the product specific guidance in the Microsoft privacy statement for **Bing** under the **Search, Microsoft Edge, and artificial intelligence** section. +Bing Chat Enterprise (recommended for commercial environments), is used as the chat provider platform for Copilot in Windows when all of the following conditions occur: -### Bing Chat Enterprise as the chat provider platform (recommended for commercial environments) - -1. Review the Bing Chat Enterprise [privacy statement](https://learn.microsoft.com/bing-chat-enterprise/privacy-and-protections). -1. By default, Bing Chat Enterprise is enabled for users that are assigned one of the following licenses: - - Microsoft 365 E3 or E5 +1. Sign into the [Microsoft 365 admin center](https://admin.microsoft.com/). +1. In the admin center, select **Users** > **Active users** and verify that users are assigned a license that includes Bing Chat Enterprise. 
Bing Chat Enterprise is included and enabled by default for users that are assigned one of the following licenses: + - Microsoft 365 E3 or E5 - Microsoft 365 A3 or A5 for faculty - Business Standard - Business Premium -1. Verify that users have the license by signing into the [Microsoft 365 admin center](https://admin.microsoft.com/). -1. In the admin center, select **Users** > **Active users** and verify that users have one of the licenses listed above. 1. To verify that Bing Chat Enterprise is enabled for the user, select the user's **Display name** to open the flyout menu. 1. In the flyout, select the **Licenses & apps** tab, then expand the **Apps** list. 1. Verify that **Bing Chat Enterprise** is enabled for the user. 
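Review bot: the new lead-in says Bing Chat Enterprise is used "when all of the following conditions occur:" but what follows is a numbered admin center procedure ("Sign into the Microsoft 365 admin center", "select **Users** > **Active users** ..."), not a list of conditions. Either list the conditions first (the inverse of the Bing Chat list above) and give the verification steps under their own lead-in, or reword the lead-in as a "To verify ..." sentence. Also in this hunk: "T user isn't assigned" is a typo (fixed later in the series), and the comma after "(recommended for commercial environments)" should go.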
@@ -101,15 +108,10 @@ To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you n - **CSP**: ./Device/Vendor/MSFT/Policy/Config/Update/[AllowOptionalUpdates](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowoptionalupdates) - In the Intune [settings catalog](/mem/intune/configuration/settings-catalog), this setting is named **Allow optional updates** under the **Windows Update for Business** category. - > [!Note] - > These optional updates policies apply to Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later. When setting policy for optional updates, ensure you select one of the following options that includes CFRs: - > - Automatically receive optional updates (including CFRs) - > - Users can select which optional updates to receive - - - - - + > [!Note] + > The optional updates policies apply to Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later. When setting policy for optional updates, ensure you select one of the following options that includes CFRs: + > - Automatically receive optional updates (including CFRs) + > - Users can select which optional updates to receive ### Windows 11 clients with the 2023 annual update installed (coming soon) From 73ff492e2cd88befe6173faeb09dc4dca067a469 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 16 Oct 2023 15:07:08 -0700 Subject: [PATCH 16/80] edits --- windows/client-management/copilot-overview.md | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/windows/client-management/copilot-overview.md b/windows/client-management/copilot-overview.md index 0a759a25d9..8602118750 100644 --- a/windows/client-management/copilot-overview.md +++ b/windows/client-management/copilot-overview.md 
@@ -53,7 +53,7 @@ Configuring the correct chat provider platform for Copilot in Windows is importa Bing Chat is used as the default chat provider platform for Copilot in Windows when any of the following conditions occur: - Bing Chat Enterprise isn't configured for the user -- T user isn't assigned a license that includes Bing Chat Enterprise +- The user isn't assigned a license that includes Bing Chat Enterprise - Bing Chat Enterprise is [turned off](/bing-chat-enterprise/manage) - The user isn't signed in with a Microsoft Entra account that's licensed for Bing Chat Enterprise 
@@ -107,11 +107,10 @@ To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you n - **Group Policy:** Computer Configuration\Administrative Templates\Windows Components\Windows Update\Windows Update for Business\\**Allow updates to Windows optional features** - **CSP**: ./Device/Vendor/MSFT/Policy/Config/Update/[AllowOptionalUpdates](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowoptionalupdates) - In the Intune [settings catalog](/mem/intune/configuration/settings-catalog), this setting is named **Allow optional updates** under the **Windows Update for Business** category. - - > [!Note] - > The optional updates policies apply to Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later. When setting policy for optional updates, ensure you select one of the following options that includes CFRs: - > - Automatically receive optional updates (including CFRs) - > - Users can select which optional updates to receive + + The optional updates policies apply to Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later. When setting policy for optional updates, ensure you select one of the following options that includes CFRs: + - Automatically receive optional updates (including CFRs) + - Users can select which optional updates to receive ### Windows 11 clients with the 2023 annual update installed (coming soon) From 8ffd65adea35060daaa8b7cd0fe5142da97c664a Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 16 Oct 2023 15:40:57 -0700 Subject: [PATCH 17/80] edits --- windows/client-management/copilot-overview.md | 32 +++++++++++++------ 1 file changed, 22 insertions(+), 10 deletions(-) diff --git a/windows/client-management/copilot-overview.md b/windows/client-management/copilot-overview.md index 8602118750..47c930532a 100644 
--- a/windows/client-management/copilot-overview.md +++ b/windows/client-management/copilot-overview.md @@ -18,12 +18,15 @@ At a high level, configuring Copilot in Windows for your organization involves t 1. Understand the available chat provider platforms for Copilot in Windows 1. Configure the chat provider platform that Copilot in Windows uses 1. Ensure the Copilot in Windows user experience is enabled -1. Verify other settings that may impact Copilot in Windows and its underlying chat provider +1. Verify other settings that might impact Copilot in Windows and its underlying chat provider -Organizations that aren't ready to use Copilot in Windows can disable it until they're ready by using either of the following permanent controls: +Organizations that aren't ready to use Copilot in Windows can disable it until they're ready with the **Turn off Windows Copilot** policy. This policy setting allows you to turn off Copilot in Windows. If you enable this policy setting, users can't use Copilot. The Copilot icon doesn't appear on the taskbar either. If you disable or don't configure this policy setting, users can use Copilot when it's available to them. + +|   | Setting | +|---|---| +| **CSP** | ./User/Vendor/MSFT/WindowsAI/[TurnOffWindowsCopilot](mdm/policy-csp-windowsai.md#turnoffwindowscopilot) | +| **Group policy** | User Configuration > Administrative Templates > Windows Components > Windows Copilot > **Turn off Windows Copilot** | -- **CSP**: ./User/Vendor/MSFT/WindowsAI/[TurnOffWindowsCopilot](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot) -- **Group Policy**: User Configuration\Administrative Templates\Windows Components\Windows Copilot\\**Turn off Windows Copilot** ## Chat provider platforms for Copilot in Windows 
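Review bot: The new paragraph and table describe **Turn off Windows Copilot** without saying that it is a user-scoped policy, although both rows show it (`./User/Vendor/MSFT/WindowsAI/...` and "User Configuration"). State the scope in the prose so readers know where to assign it. The old wording called these "permanent controls", which set them apart from the temporary enterprise control discussed later; the rewrite drops that distinction, so consider keeping the word. The CSP link also changes from the absolute `/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot` form to a relative `mdm/policy-csp-windowsai.md#turnoffwindowscopilot`, while the other links visible in this patch stay absolute; pick one form.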
@@ -71,8 +74,8 @@ Bing Chat Enterprise (recommended for commercial environments), is used as the c 1. In the flyout, select the **Licenses & apps** tab, then expand the **Apps** list. 1. Verify that **Bing Chat Enterprise** is enabled for the user. -> [!Note] -> If you previously disabled Bing Chat Enterprise using the URL, `https://aka.ms/TurnOffBCE`, see [Manage Bing Chat Enterprise](/bing-chat-enterprise/manage) for verifying that Bing Chat Enterprise is enabled for your users. + > [!Note] + > If you previously disabled Bing Chat Enterprise using the URL, `https://aka.ms/TurnOffBCE`, see [Manage Bing Chat Enterprise](/bing-chat-enterprise/manage) for verifying that Bing Chat Enterprise is enabled for your users. ```http @@ -91,7 +94,8 @@ https://learn.microsoft.com/graph/api/resources/licensedetails ## Ensure the Copilot in Windows user experience is enabled -### Enable Copilot in Windows for Windows 11, version 22H2 clients +Once you've configured the chat provider platform that Copilot in Windows uses, you need to ensure that the Copilot in Windows user experience is enabled. The Copilot in Windows user experience is enabled by default for managed Windows 11, version 22H2 devices. +### Enable the Copilot in Windows user experience for Windows 11, version 22H2 clients Copilot in Windows isn't enabled by default for manged Windows 11, version 22H2 devices because it's behind a [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control). For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager and Microsoft Intune are considered managed since their updates ultimately come from WSUS or Windows Updates for Business. 
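Review bot: In the second hunk, the added sentence "The Copilot in Windows user experience is enabled by default for managed Windows 11, version 22H2 devices" contradicts the unchanged paragraph right below the heading, which says Copilot in Windows "isn't enabled by default" for those devices because it's behind a temporary enterprise control. Reword the new sentence to match, for example by saying the experience has to be enabled on managed 22H2 devices. The added paragraph also needs a blank line before `### Enable the Copilot in Windows user experience ...`, and "manged" in the context paragraph should be "managed".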
@@ -108,14 +112,22 @@ To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you n - **CSP**: ./Device/Vendor/MSFT/Policy/Config/Update/[AllowOptionalUpdates](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowoptionalupdates) - In the Intune [settings catalog](/mem/intune/configuration/settings-catalog), this setting is named **Allow optional updates** under the **Windows Update for Business** category. - The optional updates policies apply to Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later. When setting policy for optional updates, ensure you select one of the following options that includes CFRs: + These policies of optional updates apply to Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later. When setting policy for [optional updates](/windows/deployment/update/waas-configure-wufb#enable-optional-updates), ensure you select one of the following options that includes CFRs: - Automatically receive optional updates (including CFRs) + - This selection places devices into an early CFR phase - Users can select which optional updates to receive -### Windows 11 clients with the 2023 annual update installed (coming soon) +1. Managed Windows 11, version 22H2 devices will display Copilot in Windows when the CFR is enabled for the device. CFRs are enabled for devices in phases, sometimes called waves. -One a managed device installs the 2023 annual update, likely to be called 23H2, the Copilot in Windows user experience is enabled by default. 
Organizations that aren't ready to use Copilot in Windows can disable it until they're ready by using either of the following permanent controls: +### Enable the Copilot in Windows user experience for Windows 11 clients with the 2023 annual update installed (coming soon) + +One a managed device installs the upcoming 2023 annual update, likely to be called version 23H2, the [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) for Copilot in Windows will be removed. This means that Copilot in Windows will be enabled by default for these devices. + +While the user experience for Copilot in Windows is enabled by default, you still need to verify that the the correct chat provider platform configured for Copilot in Windows. For more information, see the [Configure the chat provider platform that Copilot in Windows uses](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) section. + +Organizations that aren't ready to use Copilot in Windows can disable it until they're ready by using either of the following permanent controls: - **CSP**: ./User/Vendor/MSFT/WindowsAI/[TurnOffWindowsCopilot](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot) - **Group Policy**: User Configuration\Administrative Templates\Windows Components\Windows Copilot\\**Turn off Windows Copilot** +## Other settings that might impact Copilot in Windows and its underlying chat provider \ No newline at end of file From fea2a184bae412598ce9a7a852bf10272a33de59 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 16 Oct 2023 15:50:26 -0700 Subject: [PATCH 18/80] edits --- windows/client-management/copilot-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/copilot-overview.md b/windows/client-management/copilot-overview.md index 47c930532a..8184f69213 100644 --- a/windows/client-management/copilot-overview.md 
+++ b/windows/client-management/copilot-overview.md @@ -123,7 +123,7 @@ To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you n One a managed device installs the upcoming 2023 annual update, likely to be called version 23H2, the [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) for Copilot in Windows will be removed. This means that Copilot in Windows will be enabled by default for these devices. -While the user experience for Copilot in Windows is enabled by default, you still need to verify that the the correct chat provider platform configured for Copilot in Windows. For more information, see the [Configure the chat provider platform that Copilot in Windows uses](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) section. +While the user experience for Copilot in Windows is enabled by default, you still need to verify that the the correct chat provider platform configured for Copilot in Windows. While every effort has been made to ensure that Bing Chat Enterprise is the default chat provider for commercial organizations, it's still possible that Bing Chat might still be used if the configuration is incorrect. For more information, see the [Configure the chat provider platform that Copilot in Windows uses](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) section. Organizations that aren't ready to use Copilot in Windows can disable it until they're ready by using either of the following permanent controls: From 5ff994f00243acd5bbb150166272b8db51ab670c Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 16 Oct 2023 15:52:25 -0700 Subject: [PATCH 19/80] edits --- windows/client-management/copilot-overview.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/copilot-overview.md b/windows/client-management/copilot-overview.md index 8184f69213..282c68eeb5 100644 
--- a/windows/client-management/copilot-overview.md +++ b/windows/client-management/copilot-overview.md @@ -119,7 +119,7 @@ To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you n 1. Managed Windows 11, version 22H2 devices will display Copilot in Windows when the CFR is enabled for the device. CFRs are enabled for devices in phases, sometimes called waves. -### Enable the Copilot in Windows user experience for Windows 11 clients with the 2023 annual update installed (coming soon) +### Enable the Copilot in Windows user experience for Windows 11 clients with the 2023 annual update (coming soon) One a managed device installs the upcoming 2023 annual update, likely to be called version 23H2, the [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) for Copilot in Windows will be removed. This means that Copilot in Windows will be enabled by default for these devices. @@ -130,4 +130,4 @@ Organizations that aren't ready to use Copilot in Windows can disable it until t - **CSP**: ./User/Vendor/MSFT/WindowsAI/[TurnOffWindowsCopilot](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot) - **Group Policy**: User Configuration\Administrative Templates\Windows Components\Windows Copilot\\**Turn off Windows Copilot** -## Other settings that might impact Copilot in Windows and its underlying chat provider \ No newline at end of file +## Other settings that might impact Copilot in Windows and its underlying chat provider From 6ab5523eb5bd0b3ccdcce738fea65001de8cb3b4 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 16 Oct 2023 15:59:22 -0700 Subject: [PATCH 20/80] edits --- windows/client-management/copilot-overview.md | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/windows/client-management/copilot-overview.md b/windows/client-management/copilot-overview.md index 282c68eeb5..0da24c3e3d 100644 
--- a/windows/client-management/copilot-overview.md +++ b/windows/client-management/copilot-overview.md @@ -15,10 +15,10 @@ Copilot in Windows provides centralized generative AI assistance to your users r At a high level, configuring Copilot in Windows for your organization involves the following steps: -1. Understand the available chat provider platforms for Copilot in Windows -1. Configure the chat provider platform that Copilot in Windows uses -1. Ensure the Copilot in Windows user experience is enabled -1. Verify other settings that might impact Copilot in Windows and its underlying chat provider +1. Understand the [available chat provider platforms for Copilot in Windows](#chat-provider-platforms-for-copilot-in-windows) +1. [Configure the chat provider platform](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) used by Copilot in Windows +1. Ensure the [Copilot in Windows user experience](#ensure-the-copilot-in-windows-user-experience-is-enabled) is enabled +1. Verify [other settings that might impact Copilot in Windows](#other-settings-that-might-impact-copilot-in-windows-and-its-underlying-chat-provider) and its underlying chat provider Organizations that aren't ready to use Copilot in Windows can disable it until they're ready with the **Turn off Windows Copilot** policy. This policy setting allows you to turn off Copilot in Windows. If you enable this policy setting, users can't use Copilot. The Copilot icon doesn't appear on the taskbar either. If you disable or don't configure this policy setting, users can use Copilot when it's available to them. 
@@ -123,7 +123,9 @@ To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you n One a managed device installs the upcoming 2023 annual update, likely to be called version 23H2, the [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) for Copilot in Windows will be removed. This means that Copilot in Windows will be enabled by default for these devices. -While the user experience for Copilot in Windows is enabled by default, you still need to verify that the the correct chat provider platform configured for Copilot in Windows. While every effort has been made to ensure that Bing Chat Enterprise is the default chat provider for commercial organizations, it's still possible that Bing Chat might still be used if the configuration is incorrect. For more information, see the [Configure the chat provider platform that Copilot in Windows uses](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) section. +While the user experience for Copilot in Windows is enabled by default, you still need to verify that the the correct chat provider platform configured for Copilot in Windows. While every effort has been made to ensure that Bing Chat Enterprise is the default chat provider for commercial organizations, it's still possible that Bing Chat might still be used if the configuration is incorrect, or if other settings impact Copilot in Windows. For more information, see: +- [Configure the chat provider platform that Copilot in Windows uses](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) +- [Other settings that might impact Copilot in Windows and its underlying chat provider](#other-settings-that-might-impact-copilot-in-windows-and-its-underlying-chat-provider) Organizations that aren't ready to use Copilot in Windows can disable it until they're ready by using either of the following permanent controls: 
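Review bot: The rewritten sentence still reads "verify that the the correct chat provider platform configured" (duplicate "the", missing "is") and "it's still possible that Bing Chat might still be used"; fix both while the line is being touched, along with "One a managed device" in the paragraph above it. This sentence is the page's warning that consumer Bing Chat can end up as the provider, so it should be unambiguous. The new bullets start directly under "For more information, see:" with no blank line, which some Markdown renderers fold into the paragraph; add one.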
@@ -131,3 +133,5 @@ Organizations that aren't ready to use Copilot in Windows can disable it until t - **Group Policy**: User Configuration\Administrative Templates\Windows Components\Windows Copilot\\**Turn off Windows Copilot** ## Other settings that might impact Copilot in Windows and its underlying chat provider + + Copilot in Windows is a bit different from [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat), which provides assistance in the browser, since it can also perform actions such as changing Windows settings or performing common tasks in Windows. However, both user experiences, Copilot in Windows and Bing Chat in the Microsoft Edge sidebar, can share the same underlying chat provider platform. \ No newline at end of file From 7f802f70bbee2638588bead40073a565dbd66169 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 16 Oct 2023 16:33:49 -0700 Subject: [PATCH 21/80] edits --- windows/client-management/copilot-overview.md | 9 +++++++-- .../bing-chat-enterprise-chat-provider.png | Bin 0 -> 105734 bytes 2 files changed, 7 insertions(+), 2 deletions(-) create mode 100644 windows/client-management/images/bing-chat-enterprise-chat-provider.png diff --git a/windows/client-management/copilot-overview.md b/windows/client-management/copilot-overview.md index 0da24c3e3d..62dbaa8c80 100644 --- a/windows/client-management/copilot-overview.md +++ b/windows/client-management/copilot-overview.md 
@@ -77,7 +77,6 @@ Bing Chat Enterprise (recommended for commercial environments), is used as the c > [!Note] > If you previously disabled Bing Chat Enterprise using the URL, `https://aka.ms/TurnOffBCE`, see [Manage Bing Chat Enterprise](/bing-chat-enterprise/manage) for verifying that Bing Chat Enterprise is enabled for your users. - ```http *would be nice to have a Graph query that lists users that do/do not have BCE app enabled* *licensedetails does output BCE, so its a matter of just getting the query right* @@ -92,6 +91,10 @@ Ex output from my lab: GET https://graph.microsoft.com/v1.0/me/licenseDetails https://learn.microsoft.com/graph/api/resources/licensedetails ``` +When Bing Chat Enterprise is the chat provider platform, the user experience clearly states that **Your personal and company data are protected in this chat**. There is also a shield emblem labeled **Protected** at the top of the Copilot in Windows sidebar and the provider is listed under the Copilot logo when the sidebar is first opened. The following image shows the message that's displayed when Bing Chat Enterprise is the chat provider platform for Copilot in Windows: + +:::image type="content" source="images/bing-chat-enterprise-chat-provider.png" alt-text="Screenshot of the Copilot in Windows user experience when Bing Chat Enterprise is the chat provider." lightbox="images/bing-chat-enterprise-chat-provider.png"::: + ## Ensure the Copilot in Windows user experience is enabled Once you've configured the chat provider platform that Copilot in Windows uses, you need to ensure that the Copilot in Windows user experience is enabled. The Copilot in Windows user experience is enabled by default for managed Windows 11, version 22H2 devices. 
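Review bot: The fenced `http` block kept just above the new paragraph still holds working notes ("would be nice to have a Graph query ...", "Ex output from my lab") rather than a finished request, and this hunk only deletes the blank line in front of it. Remove the block or replace it with the final query before the page ships. The added paragraph is useful because it gives admins a visible check (the **Protected** shield and the "Your personal and company data are protected in this chat" message); consider saying explicitly that its absence means the consumer provider is in use, if that is the intended reading.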
@@ -134,4 +137,6 @@ Organizations that aren't ready to use Copilot in Windows can disable it until t ## Other settings that might impact Copilot in Windows and its underlying chat provider - Copilot in Windows is a bit different from [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat), which provides assistance in the browser, since it can also perform actions such as changing Windows settings or performing common tasks in Windows. However, both user experiences, Copilot in Windows and Bing Chat in the Microsoft Edge sidebar, can share the same underlying chat provider platform. \ No newline at end of file +Copilot in Windows and [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat), can share the same underlying chat provider platform. This also means that some setting which affect Bing Chat, Bing Chat Enterprise, and the Microsoft Edge sidebar can also affect Copilot in Windows. + +The following settings might impact Copilot in Windows and its underlying chat provider: \ No newline at end of file 
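Review bot: The section now ends on "The following settings might impact Copilot in Windows and its underlying chat provider:" with no list after it and no newline at end of file, so the page would publish a dangling lead-in. Add the settings or hold the sentence until they are written. In the line above, "some setting which affect" should be "some settings that affect", and the comma after the Microsoft Edge sidebar link should be removed.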
diff --git a/windows/client-management/images/bing-chat-enterprise-chat-provider.png b/windows/client-management/images/bing-chat-enterprise-chat-provider.png new file mode 100644 index 0000000000000000000000000000000000000000..6213a99d1602f414ae39b545e7fe52b7bec0e395 GIT binary patch literal 105734
z1SG-Zk+e@}qaLA>)oH>xb&1q+3Vdj@hBYnbD>6C|v0rBD*=%77Pf>VgqIa$`2HEFF z((5GBBZ{SIC%}xyCXrU&0K|^&Hl>?y=LetV?so8BJKg_nywj=v=L2{yvzv-^7(z4?u2Fc+rc z{dhK?M#sL-A58{!zcv%eQzj#k5gTxQJS_{jil=)W`1U7*A)(BV5R`mo4b6`alOOMO z;++#c5%7Y-fbK(l2V+^ab!RN%i*0M7g6d z3cW)Kncg3q)Aea;y9MKBp=CfUF$vUiaC#SqoEoQ%a>CzQA8#+lTY8h0=7b zW6O$QfjEtfl>TC-P}W%PMKY_AzddoAoo#BaVQE^n8s3|>HKRwY9i=bdk9eQ{K;IV= z{0bzC6QZY$dN%RZk84niH6=h%q+443BcnWK2ei+XgYQe%%aji?w{Jif-;-D52~b}X zXjPN>p)?gxEqVgkPP3c4)ZZ+pMf<*-rj6Gtkx7G|*5$i#^12#ZS;4z{eIr5~x(|gz zGXY#qigeG3!%c?`ef`tUg&R~4ICa5s;|Yaf{F~#h-dtfmMB|HChGvE(sL(n-_hiuR^Xm0WC zw3OtI0s;Ma31YD)ZW?2gw>n)j{6a87>uA}cLW=?Gv{9c`D|o3n+M1@}3#hL!gg)4w zhFfQWD#vV!66rIOT-l&d8qApf{)?V~D~?FM+wQkDiX4mz*s`<(H$0T;+$;8TWSTOu zLN&4F+hIL%3r3!u^mZsfs;jHZkq&!f3c5XU;ot&f_Um=TVFyMs=$4oNllPh>) zhDYkujmi6%H@NQ+Xgm`5bc_B-PL7^|m5u)JozX2Y5+CT&`UEa&vPx!@hXiWOj3?I&KmE{PhiV)@f7?8Ow*9_ z-kaVG|G`ntmeoD1f8BSTOGH%{W~@MV73o6m2hy868Iu9w=NL)tw0J(h6J)GmeJ+7{ ziBWrzucT(^*)&%0-Vmvo$fs|I$wRCit_o5~5c3)rLv=c%Bh~uL2E>a&%b&?^2nmuB zqbkU&i;seG0IX@{^Ggos%p7>6O<)zf7bL;F7;%0;k|7_!7N{D(S1LuRqRIa4<^Z4| zG=uLqzKeCjdB=$nTifP;AMxbMEr*+ka?8{nLt5|0tLu{aJgRZDQPasX-&A-Ki8%C?CJ^6hWLu!TImOHGm57c_;s;pnX1tJ8R=`}g@hDuE5y48Hw2fqhT?^GZ4E}-Ky z)^3yDS!cGy*Vu9DlzI}|@4VB<$zbzNc!K5{4%|AAM(>t)HMRO)9Q;E#xV1`2Hfmo#$<+?-?^2&F~zpRN3f$63XGcLIv*h7C>S`L2EEhX8|#Vhf_bph9L== zq~{f#a$0OC366`Q5sJfeC1@Y*xf~hB0Izqi1aBdxAsv2Pi@y0<)zuD5h?}P^(+{3d zz19_Md$V`?shbT1_)b;%%oaUNe%Uj(IYj8LBSZG**v7=QI6-%Z8?YP1eK_$~<;XaZ zdXSJoFp6$7Ty;<${h>j$f)!wB%rlgA9yJs!M3ifaYNZeG*xxyzqMxs!KrtbgO#s4b}JyZERXH-y(y7gM0` zPHN4*>4?sinIhYM-}6&y(N2?@r#VFBCN^qg)@2Q=A*IZsW<=F0=i6)GNB(J@q1h2C zyJ`8ymkq$1<_3nFN2CQ$2p&bD4`Pf1CqnCke*iG)8Nwc&%QgTbfzzA`?K*t7zYdDl zwZecl4dWHVjn{08a9vCF%)&?A*!1UxTR ze22tu1Rp5g5(R(H3RouBP5=API-7*OM9-DOsy%!eM^QQiru;!3i^hR(WG)=Iq(FKC z|DH!Xv2^l^@2p`+Sr5lXt=oy%`>Sy)fFnr0n^^j0ID&1=&TQDXHlFjM;uK(@`ZpqBG)Aj7-a%Z6L z@h=kci9e?41wCDDMi3xya;mF;)M78kdy?s;?hUMZu=GsgPhBX%di=^Ge{7~JLEJl) zu!Pb^;KaSfU714kl}jLK`@a?U?+cmh)FD2UoQa&0*SC8=(z6nHI5wH$n;mh=uNSC< 
zjO$9HF(ib`LfLq@-_FhiZM#;6$gg?pB-r?&1fq(`Rnsjn-8eaSVr8QtSjm#vdiR ziyk0}``UWvmAq-cye*vF$m0OKth0XEkTX=|;5_$?Pci0`yYU%tSmGT$vph!s5Ixpg zP$CmVI~vV&^(0$2ebQHoGZ<`4i;GXUQjItjqo#&++TdmU;N9g)Vl@1=?932H$Tt*K zq3O&w)_NnPi`LGn53P)^_KUY)|6{`2>s4wfgdS8SC22mS z(Z#|-Lg2)2Uvn{VGxBQ|e=Pj_t}S^JgB!Qsc?=}svQ@!@NV`<<7U@TvM$$f)%( zI)E#CvB*Z#lTWkW?g5R$hy>=!h(nWdJrW$cswQoK;{C>8pLSK{FXyk-3T=#=|GtSF z#l~Lr`9pBuF6TpIcJ34Ykm=}h%`#ZoeAzGlvVa>N=4%J*cU7cgB5)({Z!!2Bm*ej& z5A!`#*lS&CB*lqXYJJp)`4(i50g|NX0Lj0mFJxP7pa70(1Iv*S^=Mgh#MF@-=Jc2o z#6eq`F0D}8ll6TG>g!@`Ne=G|TI!US%1Sw}-LF-%$ZevjQK8KIu<#NjliS$%@8bIQbT$SiM`0Oo9M13|8MF6>wn&p*J)26Gb%HI`T9#oAxQf;yq2A! zZ!|i7)V0PN=Y~igd;1?=4t=T`P0%ZxWhrn1;S~cxW_Z^%gJ2R{lj}ilQxu3%@4sx& zN7(CF7lyfd_mKz7Ut^1e;MGge&l^+ovpAqw;I+cee41Om0*}!gj$Ua(>e=Vy2n7?B z$hWPyzybvhifP)~!f|-08Ree6{2oumO<31@m{C5YJ&6~7Zlh|&@M055!T0SO8~2rn z?n%O{t_!9w&30}W%H7lNS>0&agA0y~n0yEonW?Vjv2IlB*fWev^W4DfK6NMMQi$9| z93mr8)IDSRBC)(tv~efGyhLE*c=(s6oH`8<$yV-R1`4>vE*XgN`^Apf_a}s(#$COg zXOB9`73I9ZjVK_9PTqLIvTOZ!#((DHu2#CUf6fx~%LUHO4w%5$+Ync*$KSv>Ic=S~ zf+??Kf1iBW`?C*m|APqXAFh9Gvf+7K{n+8#1tWfRrODrgT6FIxXiU!urfD4o`o)A&kj9 z(-kacdZDeN)`OuQ6rLKt+!-8@va0tG87Hb1l(s3o)eppVN~mqA*F>e-pm@d~Q)*K4 z@3n}Yhw&l4$=TRncKHQt^DVf6J!9LjFYrfq?ADRp#@8U;Fgd-csBoq-qAHRgIk+o& zHc@!wQGul=m$7kQ(d2T3k50A;&tT#7vzqz_A9*FN!%p<*NJcKuQwHAp$6CpmPQG|U zoHcdLqHHhf!k#sCiEBFAtQ1)|eEY16-GPZkn;Q)_kizItsG1nwu=fs^5BU76+2KdJ zy3>`uWbJugkFp2%b)rg0q(<>u*jcUb#X#1M^E_$>pOg!9sNwvR z)paN%A>_7YaY<^JpWm#R^w9Gd4R(QrkdWAvX~@V_Hrx`7rI%Uf7u)d=Q;mXxNkF!g zt23Dn`+WGTJC*+!OBB;|=;9T&&Y)IR7SY24)85gdk4H3x^YJ;~54x54l@^E+y>s?Q z8>hQ#vdrVnxgz^W=XRFxI9Q~l@uz8OMXc*j9Y;;BT5?C*)K}^H8MUji99om1T&$sH zsR1t~ij@a(H8^_IHKiZqO(-zAIQx*)wwN%Ca8@s0?eqF7Aw*KRd}4W{s~Xe%ITlRv_Q@ zJdRw=sMBGw9Aq@}-+2bN<)7a(oUIyN=OLWa0Y-R#lbx1e2jmXPql{K;tM@HB3b6=HTb`oaj!zxK$9*72Y`&gs`oB9obv zoB>)8UI)Wvxx*aKe0L?$$~}Y1jaZEyg`1YeByQ@O$Iv>-N%6cto}?OL71mjFn%_{1 zc$JXT@8pkh9G^gBn^;Ffg+*j^<*;Y~^j92L)MxkWAIx^pvPa`vJfMoq^yG0l^pwFs zXWC)RX_V7!NMRv$tiPDfTqzT-Irn!xw}Qny|7)>Ld`4Mj=@7=>^@iJV+Ls1yKzJ@- 
z*dC6@hHrGd)QQ>efMdi&jOSfOL_zHClL{BTbRhz9N@y+pIm5-LSb?uq7cC^1H?wxXrh(o;*YkdYX7rOJht<8oz_KJR zv!XHm(hTHc@1}z5Wz@TdXnVAOx+1TNC(<2CPUNv455KHTH$<{ctgMf~vdDH;o7M}8 zCD?l3;$^ARa#WIK2tgv=bCp@2kdrMyvwYW(Jj;&Q80 zU7M2g==wt@|L6-#?7@>OM}7Ot2zHkTcYZbxnMq7G8va%7z0?_jJ!e<_y>bL6a7qXW zh{{Q%$R7TF5hSL2 zleap5N(&OhDguP;>~XJh1j4|JIUFSU?uY&y$@|W(hZ8vsyCvFPKZ%09R&+1Y#<8YTI!h6bXRQ6%{)e5PKg`h??FpArJPxgu#)u8sRYGtDn^-(wE7Y(E z)%3z*Ssh!ZVc`I(S{Sd?M?Li1j;|v3%Ys>FQZFE;5A}A1Tt4m*Z?vqkzjxff{H>-`+ZKf)YlIT$=cz&=1=YLZR$tdI+sDl zz&M>udCG3FuK;^!-lp!$Uk)Z$?;%PKs%sdZ1~FZ+=EF#|G1**4Sey`h`BQ8ApD1jN z)IU-{b%I0^>K(axV=J^BWd8!$m0%^+sGS1NXv7>0mqaZJh%<3Dg$$2dBDinPBP(on zrZo{?GK9@<7&)k68r3VG(#fI*p8GSbCNaE^I@LY0#?6HHV|wT#0ke~e&!D{Qa*dY z0?wD>HMw`0um70D!zdTW$aAwdg!}DE&JVx zcciBw?9qW(xrd(1_1b@HCsbPtc?l9%iMN{Zw1U*XXhtc-`*!>j>d+sR2UFoHLWpV9 zM3iSgj2z_;Ir9Tr^4!)ejhO*|C|uHDj3ur;XIpd zTV@OolA-@WrOjyAI)_8(tmhND$j;PDc6_eovMp2z>NnK+7PFy%kJ}Ox{a3YMt#I17 z+CFy1lW@PvraIHkSUlbDH>31c6A6pM)>JX@EgcDw$rc6;q)!?9Hd$pJR|eOFgkVuH zy(m{5iRhGX0(bh%&o>2sU74$-xOJ?rMH1nIeJChW;Js^4YNGgtRoS6t@bHYNp1Kr` z0cS*8=Wsol`EdqcesEK=ZSo1u6U{KS=U?m1($%&dEU$ViSD!>UxN|qsc8T-7bHH=2 z8Ce!?+n7gIxaS+(rbkm9F7ea0an(ZXqz$UWRg(HmjOSP70|^I@?}%mbLo%Nbb9%pJK$$HC%nM-8c`HF3^+u`u24F_&sCZdse5OheF}s9JV(0 zz+n1bU2@sUV5(%3wT@jBkt>IqJa0y8^Ye;{iDm4TbiL+dR&zx6rXJ)uNQ}&FRlZKU zB2H(~GL0Z@WM=&t-p478BsK|MkLs{bzdA$1Y(3A8(+54ujGpatsmUbh8Z7F`ar2%n zKV$t#j<5*NDQd1Jp=iX@^Y3R1FkT~14Q^9>5m+vDt(@Pud>L8DHf4$_k1fY5*iEY2ANoX%4E7ek`vRb~K#&m&Y)R1RjVEUd;*IL~o>)?a7I$xPMi?&Y>%3GXAmhU@UVj+`#*Nd*<{e7E7aUvY`rK4EI%IduyzsI(( z7qqLZ;Up|qVWxPt4|q-(T`RsU8>4 zm~0R=#(a`XGClu;BE-A-^7lnL9o6q7fzgi9qYq&`q%Y2hkS~E?<7pty=%cPF>eUGo zc8q(cGsS8b9i6O#tw?z}w{f#0?aSq8H!$pc?#A|PJxF#{qh|nOYCU*jMYEV>eCe0-Md{wHmmxX1byxta@fy4KLwzQlA5{Tq4l0w5zuEgNlFE`g&Xn z_{qbBt+=J1CT9*JvYPcPMfMMe9z((p;{Hs)pWRoL>v>mcmBrKu;bD3rd06_ZGba~fRcTH=YYMBNS$=JS8&R2??ImXZ)ErfHwQ zo}Zf5WPDGYpNKetMUaq)SvlL(-f=a&CZm|Uzu9l7_9new%9fEgt7y_64DSV9Z#A>R zz&OByQG6sKSup~+izRHv^(Qjz$$k0ZpA=Qd6N(a?%JH6GyJEOYHjd!}dn7hPdr8xb 
z4Upnm-}xGyBL(8NocfWU-28|yUl#tj`&hx~q?Dkwak@WsVZ6t7dtdd;ugx2D4!KPA z-1Di4bK0WMj@pV;gDJ>O^PO((B5OT-vSviXeJ1WA$3f&c_{}fjG;euUn`J|?+iH|> z%Dy|zJ4p@siR0}=Fy|QYsw)(eH(#{r%&zCp@Q$tuywE&4jOx+S5jMB_O3v6VbN5c} z*%aYLO}g_+4i+b^vb1R*cpKZJ9xreY>insIR~WNj%~j()(^sU%?8dcxUpt5yjj6NIs9(zk zA~(M;YOfYAA3S)W?)vm=${UL+S9rrba-lcTDbV|qUQZV-9!$ZmdSV*}e>3-YiuGXB zhQ#Ht>^8HwcSD|8P{SWE`@zDkviE3q)A&v=;4R8-FKX`&i%jnND>PxQ=?2K}4;+ZM`P$9-3Lf=O zkXJkdeT>B)}v5nT@eWNXk#kaNd&e=1r5aHJHXT=XZ z$CDaUK_o9Hv=^$#o_~AtJ>)mIsj=VWsqewn`O5T&LR}oS|16H!`wF8gRP2Gs`h@&=SK?!+A|GIA$U{2>;hk9Or&`wcROa>NkTaj$=#W*y&+lejw+Hp!YfdC&@t$#KdbvWH@0^lMf!+@Pe%( z6LjaEj-Y*mD1t?`R1aV+OY)R(E`)TxijTO zsK{!^s!DZ#Jy21U7z(AWsJQ2wFK#maW6Jtf{(Hf@D%CoRD#vJF7R*_OZuKG^yR+Iq zIz|LR@c~KZ{;bqJ6%G`)^7zSJ0>AZnYacPV>~ub~ORRK|%%Az*0x`Ch!y+(~r=0!w zL)B@f&RQpiVw{qC<3&!*M0W`8N+!PoZ+E|XE;dt)F}Hjm#rxx+VW@_|$tu`^2o_j# zP)u!w{O)~RaXO$4Zd(2wO(3xx%%kJ1pM2qRS>tsoSoEF@|MyySw>Ykxv_H1j)I5KN<4W#^_*-XcBV6^5g18@Mf%VzyyAN;( zg6X8{M-I|-T(D|avTj@61ILz+fFT7#hFwmGx-YNcxSk>W$B}J#L}H)X%YS|M8Dyi% z5hRp2e!a$fk)9>Sp4MCPu>#kPlcpEaQ#OnDMI56GUuO6Q{(aT{#z1aIZ%TL!Siy!8ytDR~(5BJaTj_sG1IA$G*h^KYq0qfxAwEZQ#RzUL)B6!=S z5G6`1%gKcL*?H^xg*-33c@XG$bMvn1UBme}0A!iFEjspR6bU&ctFE|QW~+s9c1GLM zGotA$_)U0n_D%+xsD;aF^DV}-7oqqC{Tw*szxP$~ACG%nJT0Ve|>iCe@75Bh*-k69m z(2b9@?+HT^E^61K#}B1(c(87;ayU~|gUOG*Z(S{rvTdyXaX%;j1xBHLCF5VQ*ceU@ zE&FR^oWaZ90OLCt8$bBhI_J*Pukp?G%ZDezKbg$w=1S(f)Le2}W~~j22AkYp4Veu( zn6g&Q=3Kd_X*likHn%maRdl{i-6~3hE6)8UO-`yYvPvdnBi~;S#C%W-$62ISpTv!X z|J8RgTB+OAF4EqvL{5g0o!|#|v=W}5O%TcAKfSB}4PpXsJfRW(IWAqP*zjiQO`@8H z0WWaS>$vhl+JFl&6sbZuv@Vh|e~+_DPSoAhU=43G zU(H8t>%UxKEDFqju)P?c-}v+$kN}8BR4Cm(x@P(P;+aZN&myKBJ4X4 z8KCtj9Q4rkxD^cZM-bn%1#;pykTzIVAAEPeSwnPdjc#;|bLsw~LmG6>zZZM_?tp8y z$Th0wBBQ$4SuN#I{!>@I-qFLCw{taYz&-^uvpd*-3{qZr1GWB}YIu>2O|>n9@%yed zo5+C7s!-22(JDXD)ol!x0$w4znto0M&+z=SKKVYcsijeBWK~k7{?(mF37y%ez*v@o zgmdp|#%y<`(g2Dv%4gZsc$q%)eK*zF+4L?tDbg}GGXNR?iLXXK(>$qPw3n}{^93G- z(tF7j>*f~up)iD*(x?wIS?%UZ!Aj>jV$g~&=blLpUMdsy&*}+7kROo4pR^Tddo7wobpaLVNF5zwvbB)PHuAsLnk2dIt6+N(s*!gL>&pMCi_#fb 
z%iugZObLl-y1-pxp%*2J{Vn=ZqX@bXiu38;6R0!m>x2~d9b&JKtXkJ?n$Fotk^a6^ zoq<&GLV7oF-O80DD@il$FAlhG>B^12_z-ka`nq;6rHW1JaA`?HW*lb-c(`-uRKh=o zKTfUfW z(YnxP5kBD_T%QQ@ZbLizaQVeSM&k0*#}S%VoAzN`(^P*2Nm{k2TIb!qnOuQ^q09d3 z;yt%rFv9Rkmy>hnVT;d~=^8*42ehKzHf;HLoF~1)1)hXeCVpfa1Oj0QJ^V9wWB8>K zGS-+wKdQhj-;68Ugl;uduCm(r>6lYB>!3o{8BSFvPtUdaeL&)wEPHLt`rGlSoa69< zx+}4?Pes$NzW=_Qehw4q<7wvS%N<*t-M^U%=?Da=nE!U-{C=k|dj?Jd88OGYc3n8x zWtr1SSU0Wn9x#FQ`<#*MtNYl=s-^t41Pt;!_*zh9;3~zZz3y@v&4O(amKFMRlbNt? z!*kP(^z`|2=->G}x4(M6t_@Pxy4QyXAlb9*d|7};0+@FCSvXfdjb56Hkpx1Wmu|p; zO^4=}{v-myqn>oR5BJeoknMoK3epg@4Oy=EiZ85mHESn#@x&Yk-yB?vk zr!_s=<+@+@w?F-%%R5c66p|~rPT3|C+Zm)?g|L`u= zZDwW`z{>eNQ!86x^*RGeEL16Vq+xxApnWw0(SJeDy&`2$UO=JNaBmYcjw6T5;dtTXDk2Hz<&xs4><~p!rq&} z>=5qa;M(BhuIfXHv|A)HRWl?B``U%@DvnPyJGH}%_e!N&x&=wxd-tUdnIlvqgRo_p zmFHx~vf$=shCyE@xkm*yD_`*#T>g2&p!p`J#3idZgrY4*#+#k~UccMnD}{Py_+9_s zou{=4_h`&E*BjcRw?SA7`X9#Dg-JuMpK&RCL%VAv-i!Op_S{`kSNRDaLq~c0Uo)(q zixhe|e2ln@CoIhe;F%^+>fF8MZ@^x`cQ6XE=wX9-k?XzYkFF!T-A&%O=kAT05)K6} zA^qnQJYX{TO%~LEp-CcIYb-)|BZ%10y_brp_jaA|rN)^$p9}TAed*p?)||R1sl*P_SIK6VQFm!@6Rc zW7beDuU#PvL??!+fq@&k0RMrn$JIp!?@fl;IrueYldm^oA5Z1hsrQ~=UU_9IH^QeO z5xSkMCgA`a;~)gak-%i~ST#JHuiCzLKaaZR@;wzV!OwVw`;&uCGU%RvET8en6He}&(s9_@eDsQ%?$ft1cC-p zUwGc@F`VFa#m8mhqpAQz3ri88NtF#SH{vlcw}RQ)HE{O@tJz>s@BiAPt;%KwA zL6i~i1PqBHwq=5zr$V50>kO8h@%{a>1yj&0Zv_nyHXwQ8d=e}&b`|8O4>c$rk4{c*jI*hwZ|%yRT>gAnzKBlL$J}48 z3W;ODyQ}P$@v@aRRh91`I6XF#^WHaf1D9%&k9IfUkdj`x8$8xMI0a z`BOLnHjTaCGuJtX>Mkm)%M*O>JpfYY(uT`+S#FrZi~++cjV=u4&sOIYIe5?jTV%<8 zj=xjmhx(j&!5(Gn8UtKkVBL2(mLg}Z5Z%&9zMECL2Mgfkf}8s{q9ia5#_SsQg>Uxl ze0LA$l&DemhBqm^4Eo_MkL;SRHmWx>J-eO*cWwx7z_B=$|3FFSemK0jP1H#7N8 z{M9#&XMJ{io3D<02oa~ zD>j|={{Fth&e*azbVmq|GNh;gI&-6awF`T z8@*91PZWI6wsslI6M&EJyEfnGrE|c*_^1aK+T!(O%^rY!hey&uq}8-sKwyc3+T6P( zY)I)8d_%}#rw7CMHka2%XJ>#?f&IfWq+N!i4vcx#_czDVee6JV^oy?2!)}oUhvrM zwDOh&d{y_}_;Sv>?+J!G@p#}%Q$(x+W&@=vJdOXR%qz>#X)T+3>#bIUR=8*hY4&W+hIw?L|fBNk0oL>LcO+N7o7X_)k^}?KNAHlcF 
z>o9Ih<0z?JdGfH>Xrpv?K1)^><(+VJ%=Bm@-AY(;ruu@t=u{Y1g)uZ1tx}9zSbkbuVCn#X@ z;`0QS7+uLzHBn(;8CFG73jA6im|}^-^pENe@I6giyzI>zv~W=kLfhy2?dt3{rVx_& z-wfY!Rf)IFT~X}gg*G<;Jv;^J z$W-9!uryj2)=JRb)h6V@5&#|`P!h?(7lnYA1&zA>hsNaI$=vQLCQFTEi@6| zONJ6=H$Ei74kED{ArNGJ=B|!T@+zL>W4lXzef@U=*D;YGP!oWD?tadJUEQtH_g(5Y zNl?(1$ekTb`mnT}02!Zko0nDlgY)K<6k2o3ERLKQ0|aA75D^8+r37vOsurm5{Sanh zp)0R}=(b#Lf!jgd<}I^^etG8zc60?lhCKjKoM{WhTYX3LZ=DY+Nh|l5&p#MAYUh_j zXefcOu87P!Y`GC@iw?vr=3KCJht`m@pYFDKj7T6yGToa^+3sQiLB-6b_G^6-Lahv*-9en zR4P^qerkFp*x+Qt-f8I@Huv$YJqCJ7H|>CN8|bMzOtAjQ{ZF7_K(?O}tR{lsYz>3g z@D#vGhfgscJvx%_vJd!_=TN?Ndv&@G;7rSPZ0lImw1}gq?`&`Pi8peO*24eitR_^U zrJ^PJGfS`xNC4pM&d1Q2n<%fL>GTG~PiyKxFHkL4dsIJ1%SiShY z1k(5FcZ)UINmr_He9G@pw=P_mS904C0HbzU5zSan4%Yxt#eejIqvD`03Ev>a?}H7> zB$@J-b67#?hB4VPTKWqU$`zpnkzZY15mFa(BqdJ?+Mh&r2fxaRjNbf(>u*(5H5oR= z2+pMXlJzY)R%nRG5RBc*2n3_3HDe(>p4ET=6q9WF)U>s`c3vH1Wu=@>5^lNX6}U+% z0as*l-u2(^?IYrrOeyuD?KD7jzur*R@yN&HinS3L9JM&nWKrorh;0NRd^I;WC7BmYXj zOYmQ4Out-(>$`|&5-!u5+?*V$Kh{j&bC5*6S#1#9YUjAxP-l>LLai*c=HOA$Xg>)v zSm#NTCGoeG266yTdnEc3QhQFVcW&(jcvy~S$CjVRbS;x^MC1XiW2zdyxdrr~&tUS` z{;uZ0b0}geiJ*ktZck(rs!zx;rT{D#)+0~aVaS6Qd=i@{Tsu?b4WlATym{SC?QS{# z@spnEq5H7s${Y?p4VF0Wxf{{A#*e)u9b3v01^eX1%RFTPw^^eC*9W-YpHUfsuY&1v z!WRpkhs0>1Z2C#-e4qM+k!fPj)uqlqz*+xi;P1O%8RgcScsrldw7c-+pq;uOb0W=G zgVzW_T=*5yx3)Avbnpg%J7)#rhNV-+{OsH6PJoar4IyO4jpw9Zlo-X25JYIrN*{BF zc6EOu;)w=e-*90`7@K}vI|Gf<0=IZVvhHzCDInPp(+_7)d@UyqU=d7FQw)!nI#nch zW<;x_@$N_D2&;e%(+jsmjtOk!ql(WrcKHv3HVj3gKi2L5NYc$6X&&Z!CI_Tv6mfSa2@gt5u=-+CWpC(5_-UYEO161J1sUX7Y(XFZ_q7Ob3&b-SC z3qUv$%0j!o9%$fuJ)X59#2~Nz-w~8Kmer3INL!qPB#}9LITR26)+@pnVCdgFBk-M$ zl2jwani*bF$zdm``+r+gYNHA!9FjPc^jwQo0`8j~Ko`64CJ?`!;n_9p6U- z+w{o8AFFp>Ww(H^Yz`Gs-SEEx*;R^+AXLR5k z^m1-fdJ|K|@xC2}WIqcY zY{=aU#1-(KrQZo@c1<%E-UTafLPq_7#EuhF-_ZMPROx1M6}+R8hvmO`CwkmLf=vo+ zwBTz4BSQh+7O>DkPg>{`7#@UtQuPBqh9cw&?{^5f&+CkReC8Ltr6_2#=8mWE5iiP3 z>JySb^Yp2#zck7B&?m_FWx}XK16}v^#5Zit{ORSLb9l&TZ-2ufudOeuPvzlb!djPIAhp(Fl}k_kK#=u6~=<4nG(zD9JDlVEv!^ zD4S^+P~$K2;yPKM1x-K!@bb&!QZ^#;^?6b 
zkMe^b(`{V4{%VWT;@GrStgAgnJm3x}SBR&^E!p3u~l7~OISKiNk z7qtjzcyCLp2r#^}nwgSOcAf$;tYIn;#z=eDLx$l>unW@> zX`5i557*PHI2E&Y-a213uy{=cXB|0{O~GSdHFi01|P zb5u(HFXn$s$^Uo4utiiS&U*3K_v1K_Y+?Q02RA-_VkS%=iTJPV2mI7PBCq`PX<&p# zoE(Fr5K!=8`RYwI^Z!^b_&+~I$Xnc!Y&uTh-JsHEIt)ytjp4qps37^&`wxazT6WkR z5qj-^CjQK{r3yc61H*!Yo1H9-ml3D|uc>^LkOoKL^PF^C)^Kmy!55M!(ay}zo;Dns z6`DOCILE1RgS}jP9e<`*aXGGgWR-0`T$82U%mqjjGV{WevGuYP0l)|oskZ}Do4LTE z@T9Ql!8=cn`B$3HKUjaUTM+JFx9P?e@@)TbA?ET>?ES}#5Du-#-$<1j|9Iwa{N=(4 z*)kKX^HUqSuME_eR<^DM%VSHy*<0ZVwim26<>Ai0_cUn&O<&@}#Uy+yG!bTlg&a%# z@!||+_dSI<&pb^_2DQ`6qKrn#Z`T`9fQ z!SN}lWS~4G+_7%2kp^()l+P4qvA-Vh;7&eu$0O%F>d&iCGpOT(!9hvEUBa?pYtO{j zogSW^-ZWzdfKYQ1uy1g2aa9A6IiT8zW^EIXJC}1;rj;0rUq_>tGZ%!>fwQM1|?k*PmSK!_2T*x3COtw_l8;ex&mcKD`K4(eC9_5O9mMcdhlt@Bf!e0dZ&adrexe z9+6x8%&_$Rxx}gqy9MI>H0KMG{X#Y?WPA4)WRJ?R!pKA9i8qac&)riAQtK&a$7-N= zb}Hi2yhvfeZcmi2_WOf&8!zC6nFb;S8@4R3a+~TIGkt?c>+I@cJ3)^kcl%#g)E64V zW^AGA`kemRIfo3=JtCw1mPVX>PuK=oWVx(HhCZr-=as!){Ovd z%kG`{W+>dmV$XQB%qH*nvVCkPWE7x|gM}A>Qow&E@6`Z8X;HOjDf`ukp&{uTYdWYt zZJR<-m6QLQMQh+aP4?pEXE|5%WV_ahJ~@$ba19|;PM;vdu`7g2{?76=Yu(PfR%$C1 zo1IS1F8<_7n_`?Z#g^+*0Oumc$Bltdxwvst>aZ-sWwuxPdNkUDPf_b6p!Ct0ER-se z;_jPrwLB`-4sUjG1R>NAmA378j!cefG_uosTg}!E<+B;(LDM z+=@vt{X9S22vx;n*>55t%j!s8?3D%_Wj#NBM^K)P1kx z4|jo(LWk}%U~fkP`|r3K5Xd3`^NckRY@d5S!42b=x{IWz1t z=>ycHrU5<8FHsh6k6#CSi|-v;>PPk1n0anL!buw`clZ0We@}`GNkid>ibH;rCzHa? 
zzRgX7yhG}cJD@|;f{qd~+R^h(9s>D0+_0T1^6fpKYp}aHXeh}55}pOnBMNVPDGHzJ ztUVP+?*hR|%fiLlM%3ze0RkcfAT!@Sg?dhT`0i{56$mnQgQ~)lI0u% z#q{brgkp^MhCtSFm*iPl*?dg(kofN9s+zZa7ph{(({z~=P3L{~7D5Pf;seTWFK?!5 zBk66qn=XxRxFd1vn9*af-8f|F>JY3_I4K6CzuS-T zoS)O}j1YFTS54{fZWen1E~V;dAoNH6285wL$cn5Pz=pJZxL_H7oj};lwkLO#GQzt3 zQZ(@1p1Vy$WtwfLlx7y!CZ4>H8P}UNCTmVa)Ox$=zRuaqz_0-p7;1Y*Wutwqy87HXm|{P$NJ z3{osda}=aAs{KoUNSeyt$asiCvN_k|+Wgn^N^xug?^wCqb)kgb_=11CJ(TlHFmSqg z5?=Y}`w3cDvn9OxHO_h-+RK)KjNfEW#pXo6GQ2TNlVu*oD_3NY?PvG4qZEHCoG{Jd!$ax%T16F z0MxOkkU=8w)@XBMQeNvhh6kXITWD88=|zsq#kOFAQ0JV!3g+C_GtlphrT7P*Li4#y zDlA&XXvd~yhnD4T6%PP&IM539lKF$vc(0wBd6ye}^HQIS7Y{Rp6!Xl65IV1;m%iQj zx_*4q17%AqckOidBmarXa?EKTQQQIRxwp7(gUVNO0Wh%LWaoGu)O7<*hJ$FXZ^o}g z@6N{ef9GeO&<4MGf-1=avfp2|okGuDQ3f;v%UqUPIKoGSp6r%Px>UmI{7#Th) zBYimPruxQbJ6BsjY6$T+WYpLs$-0E?1GPsN!0bB>q-17F&zuuP#4|E7e5|wXR-q$o zbI16(^ajXjV?y6sFu4ctK;O#_rv0zp*faqA*G@E(dqOIp4WsKafNqCz6d%c14NKn? zia4He>=EwbuUZ3+I3HWgwvb__?N$R~5Up2~7%h&pB-kyHJ^ax!lrN#%1;muj6Ggqg zr4mw7zw<)kbU?s6i|x(#wP=BM?PYk(P?>xlUs)o*s@Vqk4oFDPQ$WVsKbN}(3IH}J)obI$3mO6G3OE00@=Xyh?j*8C zdaE^1)BE1tY)Nt>nc8UwzSZ79W*wWVL=ohi^CA3n$l=e7BDKvLk1!Y)Uz@4+2k_uk z1b)2DTXBkJU_V|!y@`i0r9m1vQD_p{4ro$^A+1EYe#a}aBBbS=g^BfP!x;u@3O2ZcluZTI+e z!FW*&H$(DjO$h_0KOhOK{*kewOMd9^Y}EVO0@WdS^Agh|Q9>|91VhdWkj_<#$W{hF z?izWY)a_m8)D3lr0=b+$Z*dXJQvKCQZ~Q^@Q#!UJS1Uc66vkShbet06Ebz3w$zkY{ z#-4z$8f@A}Pr5B}1M_RsFe=zW$2vk)dF|+;dw>j=&Q7#<)ydC+Ib)cmJM^pzbS*m| z?u~Ih$cJ&Q=6&7o&^kiv*u$V-OFWIm7~>=Go7@gl@%!-e%~(TnYryb&TQ4!!R31_=d_N+B4DfzUJQM()Uz@{zQU6n0?TkTN=*q21K%ZYi zphi?*TbTESt^uz+&LeKs5Pa?+-E=<1xlzYh%!8z3djkw*W7^ig`sXj~3TjDK4ifR0 zDU|SODfGMGp>-f5-QLyWC>K;Q_y$kh)lnDhK8)__UHRs!72L4vd1*iU7Qwac-16Sx zcu-1n@3*##!z96ikd@U}GwU?IkBH9DsC+wplcIRX>i%hR>T%wk<6Nt`XPG3l;Rj-_ zE#d4G77@}EXQ*Bma>%u5-19LnGnkyUIIcT`0V{@o?*^rTlOokEtvg~O=fwwCmUyjm z+}Ex&woKc9+XOr8@yY|%2JEm{@r@MYy`8@$)u<{AwG=*E_fun!_NOA3(&c*i#0W-v zZm}sK98=K4pkMcoRf{W(uEkdmIl{notw3qP;G;&6%YjlGWaR$Q%+*x${rce#qVHg? 
z2nIxcmNmtynmcTQT*rDjauJBnoOt>!X$<#>o?1iBf**n9qMmiTp(JpwcW%DCA#O4j z6fa@j7(AdXJIN<*nznW8&LXR<-|1`jD0GCGKF(&uof1xrI^Ct(^71!8T3MwJ zDyQ2_cLL(j%6{Y}CvXGoiS&oCUk{S-d(|9$m;)r0_otm@`6X`5+idEB-WLsv=Q;j& z%aX^G%M!02KxXOTYsYk9ZHfz-tF5oRt^KFh{fwv=z#!H7VwRW!gN)bhmmW2_Iw?t5k ztQYX(Bf$@(_sb7G?%jwRN_|tAYrPO|<5J@zW37aCXsrKiZ7vfSJhA7BGi&%_RqGhY zveBdV9d*n0=CkNu1JhE-5>!0msz_4}zV>5#KUo3o3^i**rs*5BoM{anfRHY?QFh+E zaF%(jpIx#?2-=3VH9lA=%2JNrJySy!w&vDHAr!gxojhLJ>2BIuzk&B3!jKt?yfR_f zl?WKIs_#z?)fu;3&NfmmVi;oxQK&lWA6^FZKbBI#@TzDyaxoLDgMRGDs85g+{)Qd1 z%2?XtrZMfdI*hR*oY6Mhtm5fAtmn2k39p_VLNycR)c^M_?LsYj>b9(rs`88%_$OV2TPX=hZ}SLv1_F?<}-E*#wPS0%|; z^|yDL%0XLGu&eX9)6ayoJh}n*uxv4MBW!=tt@c{>o=A2qtH(hFud7mrw*aMjd;>|V z*cJTLZ_!Cfxrecg$I~BPZ0DDAlOY=%N=Do+M8e_>n5xSSQi*q832rh3+X`b#EctRH9-mF-rW3EzHbT7^6UW5m3i7!ee zo>JrpLLi@lqvsjl^Y7HS8)5xZ{BJyTP`KS!H!OWEU(IcTH93jDJbl?|{OwM8Au28M zY(AZVZ?Z*ZjH)9p9nWr$0Pdyks9eVc&o;iL5Pxeu`i*W2vjLEx$|^`w&Ja?NFMhn8 zv*uQRX!=9s1?_H*XZAHK*_6v**Ie zTt%exGg%sZDIV;TTJ|vB{MoD$szFZ2xJ19j(Dq15p9E zeSBRfRnKY~RpafRmnX+k$`l+U!!pP;(|+-2e(Co3skPUcJQH#;-|vuq&gnHxc@>^r zcJ0e#?18E)Qr)vizTp?f@3wE_voP~V3R9!o>*=N!Dmj?@c4;&0rc2}BJrbutgV_}p ztnxq*{|_`j2OUvJNQ~58ZLZ)(5SjwP9A;q`x_0-|tI{AiF|n2D*b`SsX-wIv465Im=PvH1civ{}z{&HFn-l4+G?l8=OJEDvv4rwsTQa6b0&0)&7Z zV{EN^GtPUaS5ejVj-?fs2v)=bmRLk3lzEi?QrpHvT=WJ}-0bY;nz7SYuOh7cYYqK4 zS4&5?{Mpiw((7RQ|rTYR~0M~tGGws_IP(RotIniwDJo(L)y-|77BcFwt=#8zQ$ zm_ZGST&l!$8qK41MT3hhyvj}xK~H2ATJIX!6`mubmB(DA(j#3En9{M<%Rx5U#H8no zNbe_)WnB26!FGm~enl%3Nl;0gg2fOd8`0DEe6oBcO=f;Pkak)|aiX4cg&TIwDe~#^ z^%ch)e}{21snpKhejxl7j_0&NrXUsFeUWkHVK4MJVNayUXC_z?&e_hECB*u%o2hrR z#}zGjx_)ceCHrgcUv~@@k0(F5#bwXo5#eQoTjq;Zex%HYjC-mwmZ`s3xOty`=Sq5V zGm1jxNe`)2w&pT%2(?o4IjWJ=GPWbKR)3XlHY`A~u=Q!io?5I(sg;=FQY{?7G*eC+I($2&bTCVYGZo%pp;&YQB9#-BJF&3>J` z7!P7Te;qlXbE=?QpRh`nIgX_{U1{JtIU#;jrDu{LzjZLT!ty7NLFC-jo7Jm>v(K%q z#^SV+_DIJQldx}P` zT=a=G-&!|G_z(E53MKt+x)F?t@U-gsuJFfdJbhX7WR=+CQpmS_E*pC0wxY zqGbOTUnY#l&n3Asr#`yY%X#?u@Ht*}NkGqSTP6}EVc{D;7$+1;`w{^tjCUH9*~@H&D5ONDFbFkZ>Q~pcDDs 
zIK>?Mgay|C``1rm?`;mc%GI2_lM5DnZkJQud5lnuyP+CFN0 zE#*v2?x1e54MGs(e;5K^q|omjW37I)T|4q~QvC+Y8rw$v2?}e3Hk1^)qj_?(;Djj% zx0p%aQKbVWP%4FoE&*Zrz{=Adm#O+SwL z+MvfyWKp$4wkUZs0!GGSZrZ1#XPv~$D8>3ion+I9@2nMZvkq0!hZc-;qDL_+8HF{F zSvDU^vINvK+h)2&OmT@g2rMDzTka9TN42Z8eJxJ_At5`5v1Q`srvu#Egzn5B>P!~f znHwGbWoH)rDi_MHn@hv}6>o1oY%yt`kV@#^{>OE+?U2lpew5c@S&CMUwE0971NyuU zaxc)d@HR;Vi68fElxKR+Mh8fRG3G2?fp0+LprO#aHBXvU4g>;rs zTwioR!J5n7b5iU@kB}=%omaNY*!Y~jHmtaSx|MfCcs)SfZ$+!|poJJBJP%7eGKaal zw%n_sTKxHrnmPPcCF^ld6{WIJb!k7j-EL4vh^*rDY;stgvq52 zyKRKb9)1FuO;g{7KqH!S_ zIl?2KN-}M^kJ^QNCk%7STJ>L9CVVxmitFerPZO2@#@zed?58T?+Kk&hf%@%vm}@ic z#q6`i8aHIekEV7GZ1l(1m>D;MHj^NyNEV41PUYp9h^5(hcvFyN4O+8aEVNwCxyu)Y zaHcq;1Aq?Pj@V5jN9sMoE#jKg`&DwM?*h0mCo!Ki%NvX1{oMP6&EF=3`XzoNbYWN3 zSyUn^TCTU)Qk4b4XFZy#zNx@nJ9OCm7wqZx;{wp!p;|5DXFE06Wd)J~^(oZ4V+>^n zN1&V#1xxA(%O7n2Rh2-Wj0mij39_Hrf2O{)r)rs)i1ZWigW~IDSAJEg#f@&_aHtBl z!vJzseHxWMxmD&fZ$kJp4u|8etpfje#wDI8!oEOnzAMSs(5F!#DxCmA944u1FuDimWe4blFbVY5fuAQ*)?`H0?kl#axcpr+=q8#7j*7gi|EK)tK zDGNn7r`e`!<-@YMw9=S=`fQVqB(^RV)fY zGMaCW%#l;xHVRvCeMGRItmwZV{w1u`9AU5@S7k(Z_LwsiF{q-@>O*s)%SqIoLVcvj zQN=P!eZmwk_9Uv4+W&Icap&1v5&K=fpEP50hh-P5EFIS?xx11zxRE|REdk-;qsVF9 zX7-@(w4bUYZ)0|4R}BkU27VL!=S{%By%$3IO)7tVq327oFHNCCWV5W$A@K9Pj-BLg z0juRyMxNob1dbLj@FGPOq?KxUb4!fVO7st>V%DjulEAMc*|ppL`#rz7KR>*X8C{%k z4SRBNA}p~`o9tAPdNIn(m|f9}tLt}C>OkwBI`^?1;hLc zIGij}qU_V;Mhm!wRK6AH@$B-AH1mtPms+KTt+O(fd_`c>vY(OY zn6O5;l1KBWtkE%a*E$z=b}PHPl)EkN2r2(CM~b7d6yLe?^3B5x#G`Lmv@&ZiR}5Tq z%|m9G6!lYU@X;jRw=iwhq+&n$=!KAqG4|{Q{+ag|UejHbhXI0NL;iEei+7Yv$2(oFE1JLsz*4xawp(wjAa2c=CMw)EiE~oEQT#9kX6N0(BWd77sIsRn^OY-1cnG@$fPn|ZMLigL-6 z3sCFDl2}$Z-#(r-^F}l4n}ogBYWV?|yODl6D>!HE+b`sVV(XS*OSiFnSS^2P!1+_6 z^~sDMKWi7}4*B;EA7z4w4%4*AJVysq>VbFo8B8hG3~=9!dNtW1aMa#&YFRexL6k_* z`ABac8Y2s}6*|e*iAM2Jx~1rDO5B|14kcRrBH1LKdi)D06zchRW)%LH7lztO7 z6TWByq$_|p(MCbYcWK?*?IZDu5HJ-}r?C3Pllk5?AZbOp$Qj~kXCz;uMC7XjvBCWT zS5kfv1I`v{YVi_4n}Jx*|L9fJjXn-Rrf8?S7#P-o?%e42oNlJs@D}8rEUaPls~~v%u6Nh 
z-!eBJ#soL~Jo)myk|wghc;?8Wet=vR3>%@xwq`08j500iak|XPZ27%LY^Et<7l=#d zay?th!Q((D8I81r?5k+r7$4IuzbnVwNgPv1p#tA@nu&!!?n`bMzoZwLv??^gs` z;z7T3?&`|Q!zS8_x$F0IDZ%Tm6R&cRyhb=qyEZ=s&CILo+P;4M8c=)30`|U_li8A< zmIs|>yVSK%u8=#2i>uh*e@Y3xjgM>9oFVq4i$pfIhNnLbc*U!!TSz%>mC7+Ogpro= zS=!>_Ij<{$S6cmiQ5h*D7nzOTOU67`3k!B zaT5mn{`JTP)8!`#q*+vdzhwAF0VSh1NP#3+Oeujt1oZH&e(?|g{-tj8AOE&}$;eFn zM04jlxOCKmwBXg<=TtO**;P?@daf<~T{K}7VAX3-M_t)}a?^^eF+d_T2FR@T2UCHK{(zyGa1UtIq7s`68JHoES#mi{ z;dF*>@cVcArN0k>Mm?@{7!b%Ef9Oia4fPB@@_OXE=3vhL2^tFT-{1NlOgOcKQ5py_ z`y(WsGuO&GxZFyhuV}#HK4lD0X5r-zGJDg}t&IVm@3Wqk(@2h^M8LZNrOM_$MT`oa z{7+Eqmj7t*5l9xQM?i_i=Cg6{ps|DSn8T;9vv>W&Y7y1r?lE71-laN5lk-!rD^E1NqbZk)-Qd$ zTmY3PtAUzmNKbA{6_D=F7rSXMm3-Yd1|K~!J9_8rW675;09kV7;LjmZMfszrBbWb< z_Dx42oEheW+AVXPQLdYdm#w!jDzyk^A@2=S%YFN{9Ro1oF~DZF2dmcL!~LR)iXXJn z^Y9a(eqm3$0kIWkNJ%`T4$-Mf&ULqlGu>owds+~UBjt`H4 zz@~VEn+LOe0QfgEV{|ju&5xdMFzV!BCiE1}JRALf-q9FYF~4}$ICTNYBTiHP2gTG> zs!Wp^t+cW|X-v?Vt)MY8Aie`$TO>M2)~lZRO>r5HZE{(H7>h@J1B#oap+Hd87y)JC zm9&m{&J`L3l+IR(*Vk^K`x1YB(;-zKdl)hU*GzRH^Y=MgNc&2mI8QXHV7Gw#$UlNwq^2p`dzP|MSPl(Fq?!@yZ5dq0 zO)Lu-CtpelQngyImjOlvd?x7+Dhu>zi+xj%>AXu8i za*{lojG~nXkfW0(yyxOD!kum%oVHMbHb=HaE-ps2VfcMTqeDsUJ98Y?0}S@ybtHX+ z$>t0GB`mb!u6IQ-GmoD|dKsbuXVMx^Z6<2Ub=WNY46PfQXCk@R4`sJ?mq z_wO+WN>t+bpIf&^xJ; z*!u>T&wS!L!VUFJYv@DmQTgGdDjcvULUCHj0yI(_<>H&PC?&?k8y<@~vQT}Sk>yjs z-p4ht=v++y`5orNt#hslN52n6(k^1LP`~$pfplTVsF_= zKyDr#o7}IuOay`kC^~u54(<@|y0ndFy(w@zv5OC{z zCDtLzr?(q%2YQw<^w)(@?|!_~-RT~0o};%5s{~>IoapnCW=7{?k}Hs5Y*i)Q@lMyqct9@?RLwY9Xx!E7f(>dEqEUsMNo;JALhHHLhW zSirdf6!$+W49MKKTLE9{z6-?y`ay(r5~ChHJIsLxSaEaFM<{KkgavtpY8cSd%DqyS zCTU}}&72vtG79%H*{p5J zlK0F@u<0jC^oY&>R(94*cHQ|>AG_T7`Xe7ilVhSHy(qlacmf8kT%@OIRHTdw4Dm9Y zCY=p`7`O5FxG;FaFJwU20MTTk)67q2S2; ze*hk+-xf4^ioV|E&LSgw&zs;KUq(sE!cdfZ;ue zt(v4P6Qfx`2Ezv_$0ppnh4-r)&xG}~(xBqdKG2FzVZdQORyVmkNv>GT79z7IMtyHBj+2%HnRwtrnIo6Q$G-^xn6JziFzQ0-^J_%_}||% z`TVd$VKh;Li#5$}Avb~DrQWT+>W>@52!zg;av0mtOJ^@FPgNskM$?Q*xs^+R;fu(p%{~&ZU;DtLx 
z;UXp4)P9c-S7RRo1+BfjygZQV%K85J@P78^_ug$k7Q?-bjV|>L?0kM6oZQP2?3ra> z*PL8-xcAe{14h7JNbd`%OU3uEjevpu1K5{ZrpGU5Ky*;`2y8^>eQpotfr$DuP`cs< z&3v7Fp)F|37o4oc#l^i(N9_e)OE_grfUsg8=(>(8i>pSjm5gu?>>SnWW{7tVIaq_} z;`7#A#~4s2td`WRKfl+DIjF^t0InWZRAh8)Z0+~^oPGak(*fqC{c#WcXaD_?jO8;RMQ%NjPV~;mjo5e>0T3vZ7DsddXH7%BJg*gS~z9 zkby9*{O)ZiwsQbl;;J8dvb|9F5_lQ~kxB#oAOhN9Ii39Oi_@2_BhrMAA8xuaDu`MSMj*_`H(6f;-7jF#D=y=Ex%se zGT^4SGPgCs+kvFlaeKbgES7%+u%7ChT0aIK+AaPX2GZ_gBcW$5M5y|Z7fs#G(yCJ8 z*&iW_3A7oF0ScuhyHjPNKfrWiJfH)tH)`K#dOcvZtYh_Un%VZcprH1KS1(kMIN__rJ7PIf#*NZzX@`zvzi!%+w{J3+x26nHLnqXlOm z?YfI((js|Sz%xjiy2m`1W_zo_4}?K$lAkPiWMpJk!I8e_L9gt8 z+~yZn~&%d}OBltnsJ`r#d1-A_RR*>M@L`Z%p z-gjMvlQ=kX4lJxXmdjv^o?{p@18uifTgKr;9x5VVmh+F7LOt3u6L46`6ugF51JD8; z;^!e*6wnF2;Y(%35RDd0%-b%-iuDx+nvrK%)KoqrF00R}o=Z?@zywA-^P7Cl8S{8; zhw~V)3oRgKFp$m?ud$0S((KixTR;4>T0IpIfMLm@-cR&byCR8IYuM1Ti}d)mPhpBr zU-}uF=bVgzh&v_K(WMuI)eQ^X!g%zhkKDDcx;|W^IM%l1;BcCS*A4AA^V80eGHlh zHEsEU?eGjE5&G0@?_a|akTm>0U=dZBhRBeTR6SnJO|HlmvF31cTFjvZlmyjB9fIpG z{g8_6nVJqce6MiU`JRTvjOI9+z>1q2ENZFu8}&CbL%(xhQ;~nVQe2(QojN18U5h*i zM5Z}G)e^AU1BS`V+DTa>j*o(H4Ri8V?3Iz}>Qdyx7m%*5%A%Rb<=bz@9K&1%4wpW{ zj+C8m=i;&wyDs*7WL6I`E-uf0yguEUkyV}Al0hoh;9P}J>Y0WEL3o-R8qD=Pe~bdh zMz6$JPhfylyeXqa>CR-jWXgsWpZ3RA+e|0dV*baCHC!`mHjUC;LV`<-#mfhrgsn?7 ziM>7+hY5I=oM;+};U>J(Y+Wph8usM%-{W7^D<0hvwIVX9g}E?2Ijk35L0@Xs_VTK( z#)k1+{&zfC)?3kB!kS_6mrHkgwi8>7h7@M-MCt!dmfr2z}q&C53YmSh{IuAD>s ze^IeC0?XD3w)KGZ0WT05y~TVFnVuC%?F3BdGpp^(D&(g9i=T$18Xgc)L^FX*SK?ls;}E$4tj@&PHqqta+@$ zuW;zY(Kgf)aAF~LnmXqpClv3Xx00gW2(l-MNU2{ODab-|G~kG7P_IlfJgsi?mt-Gy`Oo_|12!o-l*H+r2r?0Yr z=rpv?gF?vVYg0LgSiEk5CIN+KmNgkem*~L?DIp5VS*Y8F*F?u|N1{7Ts0xJ+B5MEg{8V(Sj`NlgeJtH#q>Mt z`m8dqb-7_lk)H088~m|NfD(E0B38yreEe6#42?^a2j8ZQ>v!uy;<=73#Ui&dqIlsB zzVUXx+o*bqq}yZ&1H>Qc`4Z-Wo~?f#7p6vnwdRM(c+?Y2?YWs>yu1`Dt4*TgE)`bi zv!8=yAMb-bbW7{XQaFQrOX`)H3YxaKq85tDyPx$OX2L4*o$vclb_m5qRgwf-+nuSXyCAcoa~r`7m+N~E#WhM3dqbAogVUr4z4CPy=XozKRtBbS$*Kk=s|SG{YuCIdR3Vgzu3^C78xE>~aB0i{7>J$=iZ@-g#1lS!=P 
z+1Y&ydEfn5WwGfeO}QvdSOUoeZ)Sp0I$<06krrut7+Ujb==4qAwHhb(FOd|~rj=2N z)+??`c765Q1%A_CXkD5uR_U3&gIfr`6GQ}U(MA#DTrE@)KeaBr{e`{-*e|gzkj*Hu z&OMy2iB;;{8>GvQI}W?0ZEKlxfD1Z6W^3rm3(mT~cB-#23I7|i6ecchW*q%WVHl4O-b!POIC&1|=?t7#-k zUFiZ{6h3WZqTa}@7Z8ATr^r}}%%`a)ygyEhYl(rc&84fN=8DnqlDuBkN!v|PfN2K6 z9&YjoFH8I2=wC(Y?Ypejpv&ef?o(4!okRXRY4$g5d<9=qC7_Afoog&FC9%g6FtM-u z2b5l=?Z|8Ah-8)$Stp>A3GFI>@K|mfZn{87rhS*PU!hlXTgp_s3U6f_x*q1O7D}B= z^$xumAUk&@iHT`tcV*`(d2yChCCY8cqZrmd&z3YvvCTN6VJ^x=XFS%~;9yuT97SfsgrE#xILjtZpPe;6U_?X&8@OSZa`Ush}@?9A2 zVgDJCZm$>_9M|!CQ*LIV39B@sEQECR<{HLTz!fk&a?<2v$! zw*nIbGorcTL!K==xf;c|9aVNc&$r;}(iyeEGV0^&q1MAM{GWc^dAQvqhDsV_{p5wrFQ-?Z z`|(S0beT8TDtAHo!bgR;xlprk(?|EkP}in155Xp^zc;v05!U}cn*`Z>KxSuo_dEYr zdW5=he%|LUcL{xB|1(cF*R?m{*rcc1QOv?)sDaA6N4NFIiAzyJj?km*)(}B#YI%`z zag&KeD7_}^f)NvUGIm|#B_WJODyGa^DIJ)+kW&$NzmO8dU$siUp>O&{-+SSvqO^*l zyWf|8P|v-;z)!q=H&Y-S?xs%^0+|4EDsBa-M7eh`55Ic5dEX>c@Q4pC4`Fm|z$%k! zQ`4MA&u5n^;L&q@@Tr-H4y)3&>Nq1;ShmybG&27r28-)%51G$1a<}`%{p}yvuHlc% zA?ZyNGw<3jYhQomkehq2^T)M!Z&kwEiBs1?WfU7FI^N{B@$_G_Ad%UUrYo3!xVU!@ zc8v*xdnJXiAZz-5Lz64VnJ8ZEvJM+66>-aS%x{<4t?j5#?t|(F&-Xg7W*a3sPtI$P z7w8EQ!SzrrsT%9*elE>GK?ot zRw*{?+y_bJO&*G7NUB5Ed!|BLgK!%{eKI^xhi$%FP*AQ=Qnee!l5rG%r}ZYXMM{wD z=BrP8@-emFKGO{)u1wM=ILXy*-Kap}Wy9#Kx3t^j*u|eMlUe18+bb7}r3&g{`=WW~ zxb8C7G`7w7@S8gW=@OeLy^to?^F>0-C|BF(6{x4OE{YfDn!$EAS!i;2D5zirjN!Bg ztkF)LptLy%!zD4x@Wv#-zfS?lIbj=emTQK~)^c_Kt~{{58>GcDZca}Bp`D8kgXc>_ zzDrE4xw_+Pu(o>_pW#+_px&|9LjxQdgqz5#4)sX8`v2#U*Azg1eS2oFKo;7?%rD<2*cqkGeWtw%ol_w=MMQ$5_4nt!3P z3LMt5I01hGfe*Xl@x z)BLx@JIk|?o+4MdQg}4s89^wYwa-J2b8(XUE5ND|vYXdk1cjJtfU9&vNR~R1)y#W_ z6m*Lyc7n{#1hc()sUG>gNHsL`X@^7~7j>*L)EGDXl3UF4=ck!ZFi*_y-knt_=yvz< zsb#T7Vj4BsFo|@Iwt=$-4;~y{^-~7}G-hC6&hPYG8SEXca$+z3Y%1fm?g(6aVh5SI zqbS1^)zpB<$da=x$kjsGV)_A+V+*cINb@nh8-0C=}s5LLsgeW(EcZ zjLc!ARz%<7VWehpr3x!;FAL$ymDa{zOLNOH2jd=V0G%%dsBaft=_$adRsr?@uc^&* zo57EUq9?$n%yOgQq~zj*{j5I-wErS`7qGpMa==L+0r~to`D6DU(Z z5IY_~2mSL+sCeV$u-Rsevotf zSpbs|wcf+9{)@(o^OKW3UCD``ImxK1c6=fSV}Hsi4YB1>?S{3P98efm0rXD|?a?|+ 
z(l?Z+LLTVc*NUDCb$I;@U-9zt_8Gt!Kio@AnwEYAz&DmlrgSHbz%FPXXo-dac4H4@ zi;ezfv(1WjFix4D5inLO5Y<#BD4Y)`7%EwixPWO|X-)Oz>2G(fN>jQx7v!BI^qstW zS_5BAu9H;w1V4vpj0F6J)tVA#GcswDtFAG1!@bp*=w$=i3! zynYX~8$7gO0w!R+j)$8w63=$+0!?9KK&!NV(2km?l08|iSOXa1-nw@z#gd>487+q$ zWay_b8AZ?MHx3mPo*k?^IgM6sVJ}6{urJ1OY#AC^lDZVy|6*XS*=(UcTgiHpyyJfQ zu;TI2A%sWmtqkE~VAIb4o}@9Q-w2EpeX$)!BTE3%EQ7$S9Ae_b?;6}ko?AZ-+8zZQ zEv!LC2ljk4^W0W)`HWzwe;Plhte!%CZ`KUEIgsybSHJ=XI|%xQDF z8H4Gth$UY-2jJ35U3>tjvyKvyb4+hswLb(vr{gP|)G|V1vSCn>Tq7kt;LMBKoR*uP z15l?uwj;jSC%#4Ovs8{SQgy{*eZ02ed+Q}z%Ri|GYh_Zv`K`X}4Uxjpe6s&_F05Z0 zy~c3Wn6pEI{C;|Z7r<~$F3!&!j3-w$x;=CJ_qQw&S7*hU$WR0BxLjAgKL36ta-V|l zpB)URZpEnt%8;!BjcOs|1(a^8`-0-xPCnu0eV+7N+S+Sf*FP0S2LdGS_z8?n{d_u< zZhwmyp=bK%uNaFAw+-qKyY^qVaO_T?s=YmgS9Rbjr~@GUQF8*q!}t`TkS=bYq#$VN z2#(T4mmG}$Dv-o)4XOH>S#sX|Cq)v6SUXm{-EjQpJJR(|otI>@Hw zonF>Ip=31w4ozgy7}rD2Pku}9K0lWvr%xmqlEI17PB1YF=xmZbIolgLu&jK6Hi)_u z`

z5&c=Ijp|Ws9da@;gw=bZDfKL~2g@@8QG`GtR;sDxYlAX1`-x>5^EAk9=JH!dR)Znf z5BInHi2Nnh#d3HLD@wt6#{OS&Z&B(i1~g3g|1M$spQAzL{|D(|+NdWisT>bNEhcX@ Q81Sc}pdnu`YZ>{!0X Date: Tue, 17 Oct 2023 08:14:39 -0700 Subject: [PATCH 22/80] edits --- windows/client-management/copilot-overview.md | 30 +++++++++++-------- 1 file changed, 18 insertions(+), 12 deletions(-) diff --git a/windows/client-management/copilot-overview.md b/windows/client-management/copilot-overview.md index 62dbaa8c80..a6faa910aa 100644 --- a/windows/client-management/copilot-overview.md +++ b/windows/client-management/copilot-overview.md @@ -20,7 +20,7 @@ At a high level, configuring Copilot in Windows for your organization involves t 1. Ensure the [Copilot in Windows user experience](#ensure-the-copilot-in-windows-user-experience-is-enabled) is enabled 1. Verify [other settings that might impact Copilot in Windows](#other-settings-that-might-impact-copilot-in-windows-and-its-underlying-chat-provider) and its underlying chat provider -Organizations that aren't ready to use Copilot in Windows can disable it until they're ready with the **Turn off Windows Copilot** policy. This policy setting allows you to turn off Copilot in Windows. If you enable this policy setting, users can't use Copilot. The Copilot icon doesn't appear on the taskbar either. If you disable or don't configure this policy setting, users can use Copilot when it's available to them. +Organizations that aren't ready to use Copilot in Windows can disable it until they're ready with the **Turn off Windows Copilot** policy. This policy setting allows you to turn off Copilot in Windows. If you enable this policy setting, users can't use Copilot in Windows and the icon doesn't appear on the taskbar either. If you disable or don't configure this policy setting, users can use Copilot in Windows when it's available to them. |   | Setting | |---|---| 
@@ -34,22 +34,27 @@ Copilot in Windows can use either Bing Chat or Bing Chat Enterprise as its chat **Bing Chat**: -[Bing Chat](https://www.microsoft.com/bing/do-more-with-ai/what-is-bing-chat-and-how-can-you-use-it) is a consumer experience and doesn't offer commercial data protection. Users in your organization get consumer Bing Chat without extra commercial protections. The following privacy and security protections apply for Bing Chat: +[Bing Chat](https://www.microsoft.com/bing/do-more-with-ai/what-is-bing-chat-and-how-can-you-use-it) is a consumer experience and doesn't offer the same commercial data protection as Bing Chat Enterprise does. The following privacy and security protections apply for Bing Chat: - [Copilot in Windows: Your data and privacy](https://support.microsoft.com/windows/3e265e82-fc76-4d0a-afc0-4a0de528b73a) - The privacy statement for using Bing Chat follows the [Microsoft privacy statement](https://privacy.microsoft.com/privacystatement) including the product specific guidance in the Microsoft privacy statement for **Bing** under the **Search, Microsoft Edge, and artificial intelligence** section. **Bing Chat Enterprise**: -[Bing Chat Enterprise](/bing-chat-enterprise/overview) is intended for commercial use scenarios. The following privacy and security protections apply for Bing Chat Enterprise: +[Bing Chat Enterprise](/bing-chat-enterprise/overview) is intended for commercial use scenarios and offers commercial data protection. The following privacy and security protections apply for Bing Chat Enterprise: - With [Bing Chat Enterprise](/bing-chat-enterprise/overview), user and organizational data is protected, chat data isn't saved, Microsoft has no eyes-on access, and your data isn't used to train the underlying large language models. Because of this protection, chat history, 3rd-party plugins, and the Bing mobile app for iOS or Android aren't currently supported. 
Review the Bing Chat Enterprise [privacy statement](/bing-chat-enterprise/privacy-and-protections). -- Bing chat enterprise is available, at no additional cost, for customers who are licensed for Microsoft 365 E3 or E5, A3 or A5 for faculty, Business Standard, or Business Premium. +- Bing chat enterprise is available, at no additional cost, for the following licenses: + - Microsoft 365 E3 or E5 + - Microsoft 365 A3 or A5 for faculty + - Business Standard + - Business Premium + > [!Note] > Bing Chat Enterprise doesn't have access to Microsoft Graph, unlike [Microsoft 365 Copilot](/microsoft-365-copilot/microsoft-365-copilot-overview) which is used in Microsoft 365 apps. This means that Bing Chat Enterprise can't access Microsoft 365 Apps data, such as email, calendar, or files. ## Configure the chat provider platform that Copilot in Windows uses -Configuring the correct chat provider platform for Copilot in Windows is important because users can pass sensitive information into the chat provider. Each chat provider platform has different privacy and security protections. +Configuring the correct chat provider platform for Copilot in Windows is important because users can pass sensitive information into the chat provider. Each chat provider platform has different privacy and security protections. Once you have selected the chat provider platform that you want to use for Copilot in Windows, ensure it's configured for your organization. The following sections describe how to configure the chat provider platform that Copilot in Windows uses. ### Bing Chat as the chat provider platform 
@@ -68,6 +73,7 @@ Bing Chat Enterprise (recommended for commercial environments), is used as the c 1. In the admin center, select **Users** > **Active users** and verify that users are assigned a license that includes Bing Chat Enterprise. Bing Chat Enterprise is included and enabled by default for users that are assigned one of the following licenses: - Microsoft 365 E3 or E5 - Microsoft 365 A3 or A5 for faculty + - Currently, Microsoft 365 A3 and A5 for faculty requires additional configuration. For more information, see [Manage Bing Chat Enterprise](/bing-chat-enterprise/manage). - Business Standard - Business Premium 1. To verify that Bing Chat Enterprise is enabled for the user, select the user's **Display name** to open the flyout menu. 
@@ -91,7 +97,7 @@ Ex output from my lab: GET https://graph.microsoft.com/v1.0/me/licenseDetails https://learn.microsoft.com/graph/api/resources/licensedetails ``` -When Bing Chat Enterprise is the chat provider platform, the user experience clearly states that **Your personal and company data are protected in this chat**. There is also a shield emblem labeled **Protected** at the top of the Copilot in Windows sidebar and the provider is listed under the Copilot logo when the sidebar is first opened. The following image shows the message that's displayed when Bing Chat Enterprise is the chat provider platform for Copilot in Windows: +When Bing Chat Enterprise is the chat provider platform, the user experience clearly states that **Your personal and company data are protected in this chat**. There's also a shield emblem labeled **Protected** at the top of the Copilot in Windows sidebar and the provider is listed under the Copilot logo when the sidebar is first opened. The following image shows the message that's displayed when Bing Chat Enterprise is the chat provider platform for Copilot in Windows: :::image type="content" source="images/bing-chat-enterprise-chat-provider.png" alt-text="Screenshot of the Copilot in Windows user experience when Bing Chat Enterprise is the chat provider." lightbox="images/bing-chat-enterprise-chat-provider.png"::: 
@@ -120,23 +126,23 @@ To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you n - This selection places devices into an early CFR phase - Users can select which optional updates to receive -1. Managed Windows 11, version 22H2 devices will display Copilot in Windows when the CFR is enabled for the device. CFRs are enabled for devices in phases, sometimes called waves. +1. Managed Windows 11, version 22H2 devices display Copilot in Windows when the CFR is enabled for the device. CFRs are enabled for devices in phases, sometimes called waves. ### Enable the Copilot in Windows user experience for Windows 11 clients with the 2023 annual update (coming soon) One a managed device installs the upcoming 2023 annual update, likely to be called version 23H2, the [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) for Copilot in Windows will be removed. This means that Copilot in Windows will be enabled by default for these devices. -While the user experience for Copilot in Windows is enabled by default, you still need to verify that the the correct chat provider platform configured for Copilot in Windows. While every effort has been made to ensure that Bing Chat Enterprise is the default chat provider for commercial organizations, it's still possible that Bing Chat might still be used if the configuration is incorrect, or if other settings impact Copilot in Windows. For more information, see: +While the user experience for Copilot in Windows is enabled by default, you still need to verify that the correct chat provider platform configured for Copilot in Windows. While every effort has been made to ensure that Bing Chat Enterprise is the default chat provider for commercial organizations, it's still possible that Bing Chat might still be used if the configuration is incorrect, or if other settings are affecting Copilot in Windows. 
For more information, see: - [Configure the chat provider platform that Copilot in Windows uses](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) -- [Other settings that might impact Copilot in Windows and its underlying chat provider](#other-settings-that-might-impact-copilot-in-windows-and-its-underlying-chat-provider) +- [Other settings that might affect Copilot in Windows and its underlying chat provider](#other-settings-that-might-affect-copilot-in-windows-and-its-underlying-chat-provider) Organizations that aren't ready to use Copilot in Windows can disable it until they're ready by using either of the following permanent controls: - **CSP**: ./User/Vendor/MSFT/WindowsAI/[TurnOffWindowsCopilot](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot) - **Group Policy**: User Configuration\Administrative Templates\Windows Components\Windows Copilot\\**Turn off Windows Copilot** -## Other settings that might impact Copilot in Windows and its underlying chat provider +## Other settings that might affect Copilot in Windows and its underlying chat provider -Copilot in Windows and [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat), can share the same underlying chat provider platform. This also means that some setting which affect Bing Chat, Bing Chat Enterprise, and the Microsoft Edge sidebar can also affect Copilot in Windows. +Copilot in Windows and [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat), can share the same underlying chat provider platform. This also means that some settings that affect Bing Chat, Bing Chat Enterprise, and the Microsoft Edge sidebar can also affect Copilot in Windows. -The following settings might impact Copilot in Windows and its underlying chat provider: \ No newline at end of file +The following settings might affect Copilot in Windows and its underlying chat provider: \ No newline at end of file 
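Review bot: In PATCH 22/80, the @@ -34,22 +34,27 @@ hunk adds a license sub-list that repeats the list under the admin center step, and the A3/A5 faculty caveat added in the @@ -68,6 +73,7 @@ hunk ("requires additional configuration") is missing from it, so the two lists disagree as soon as this lands. Keep a single list and link to it from the other location, or carry the caveat in both. The new bullet also reads "Bing chat enterprise" where the rest of the page uses "Bing Chat Enterprise".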
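Review bot: In PATCH 22/80, the context at the top of the @@ -91,7 +97,7 @@ hunk still carries the draft note "Ex output from my lab:" followed by a bare `GET https://graph.microsoft.com/v1.0/me/licenseDetails` and a reference URL ahead of the closing fence. Since this patch is already touching the paragraph right below it, replace the note with the actual sample output or drop it, so an author's working note does not ship in the license verification steps.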
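Review bot: In PATCH 22/80, the @@ -120,23 +126,23 @@ hunk renames the heading to "Other settings that might affect ..." and updates the link in the 23H2 section, but the step list shown as context in the @@ -20,7 +20,7 @@ hunk still points at `#other-settings-that-might-impact-copilot-in-windows-and-its-underlying-chat-provider`, so that in-page link breaks with this change. Update step 4 in the same patch. Two wording problems also remain in this hunk: the added sentence "verify that the correct chat provider platform configured" is missing "is", and the context line "One a managed device installs" should read "Once".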
From 016afbfd5359870fb03345b56b3195b9e27cceb4 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Tue, 17 Oct 2023 08:50:46 -0700 Subject: [PATCH 23/80] edits --- windows/client-management/copilot-overview.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/copilot-overview.md b/windows/client-management/copilot-overview.md index a6faa910aa..5460203adf 100644 --- a/windows/client-management/copilot-overview.md +++ b/windows/client-management/copilot-overview.md @@ -8,7 +8,7 @@ appliesto: --- # What is Copilot in Windows? - + >**Looking for consumer information?** See [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0). Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar docked on the Windows desktop. It's designed to be an assistant that can help your users get things done in Windows. Copilot in Windows is a bit different from [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat), which provides assistance in the browser, since it can also perform actions such as changing Windows settings or performing common tasks in Windows. However, both user experiences, Copilot in Windows and Bing Chat in the Microsoft Edge sidebar, can share the same underlying chat provider platform. It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since users can possibly pass sensitive information into the chat provider. 
@@ -18,7 +18,7 @@ At a high level, configuring Copilot in Windows for your organization involves t 1. Understand the [available chat provider platforms for Copilot in Windows](#chat-provider-platforms-for-copilot-in-windows) 1. [Configure the chat provider platform](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) used by Copilot in Windows 1. Ensure the [Copilot in Windows user experience](#ensure-the-copilot-in-windows-user-experience-is-enabled) is enabled -1. Verify [other settings that might impact Copilot in Windows](#other-settings-that-might-impact-copilot-in-windows-and-its-underlying-chat-provider) and its underlying chat provider +1. Verify [other settings that might affect Copilot in Windows](#other-settings-that-might-affect-copilot-in-windows-and-its-underlying-chat-provider) and its underlying chat provider Organizations that aren't ready to use Copilot in Windows can disable it until they're ready with the **Turn off Windows Copilot** policy. This policy setting allows you to turn off Copilot in Windows. If you enable this policy setting, users can't use Copilot in Windows and the icon doesn't appear on the taskbar either. If you disable or don't configure this policy setting, users can use Copilot in Windows when it's available to them. From 8cabf154e1f7c1996ae87918a26a809b50c3c683 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Tue, 17 Oct 2023 09:09:59 -0700 Subject: [PATCH 24/80] edits --- windows/client-management/copilot-overview.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/client-management/copilot-overview.md b/windows/client-management/copilot-overview.md index 5460203adf..91b9e6b36a 100644 --- a/windows/client-management/copilot-overview.md +++ b/windows/client-management/copilot-overview.md 
@@ -145,4 +145,5 @@ Organizations that aren't ready to use Copilot in Windows can disable it until t Copilot in Windows and [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat), can share the same underlying chat provider platform. This also means that some settings that affect Bing Chat, Bing Chat Enterprise, and the Microsoft Edge sidebar can also affect Copilot in Windows. -The following settings might affect Copilot in Windows and its underlying chat provider: \ No newline at end of file +The following settings might affect Copilot in Windows and its underlying chat provider: + From 5a772de6a939cb0e2ff9a66cfd268d5b2e212fbe Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Tue, 17 Oct 2023 10:56:46 -0700 Subject: [PATCH 25/80] edits --- windows/client-management/copilot-overview.md | 29 ++++++++++++++++--- 1 file changed, 25 insertions(+), 4 deletions(-) diff --git a/windows/client-management/copilot-overview.md b/windows/client-management/copilot-overview.md index 91b9e6b36a..742a6e2f87 100644 --- a/windows/client-management/copilot-overview.md +++ b/windows/client-management/copilot-overview.md 
@@ -11,7 +11,7 @@ appliesto: >**Looking for consumer information?** See [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0). -Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar docked on the Windows desktop. It's designed to be an assistant that can help your users get things done in Windows. Copilot in Windows is a bit different from [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat), which provides assistance in the browser, since it can also perform actions such as changing Windows settings or performing common tasks in Windows. However, both user experiences, Copilot in Windows and Bing Chat in the Microsoft Edge sidebar, can share the same underlying chat provider platform. It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since users can possibly pass sensitive information into the chat provider. +Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar docked on the Windows desktop. It's designed to be an assistant that can help your users get things done in Windows. Copilot in Windows is a bit different from [Bing Chat Enterprise in the Edge sidebar](/bing-chat-enterprise/edge) (and [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat)), which provides assistance in the browser, since it can also perform actions such as changing Windows settings or performing common tasks in Windows. However, both user experiences, Copilot in Windows and Bing Chat in the Microsoft Edge sidebar, can share the same underlying chat provider platform. 
It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since users can possibly pass sensitive information into the chat provider. At a high level, configuring Copilot in Windows for your organization involves the following steps: @@ -34,10 +34,11 @@ Copilot in Windows can use either Bing Chat or Bing Chat Enterprise as its chat **Bing Chat**: -[Bing Chat](https://www.microsoft.com/bing/do-more-with-ai/what-is-bing-chat-and-how-can-you-use-it) is a consumer experience and doesn't offer the same commercial data protection as Bing Chat Enterprise does. The following privacy and security protections apply for Bing Chat: +[Bing Chat](https://www.microsoft.com/bing/do-more-with-ai/what-is-bing-chat-and-how-can-you-use-it) is a consumer experience and the number of chat queries per user has a daily limit. Bing Chat doesn't offer the same commercial data protection as Bing Chat Enterprise does. The following privacy and security protections apply for Bing Chat: - [Copilot in Windows: Your data and privacy](https://support.microsoft.com/windows/3e265e82-fc76-4d0a-afc0-4a0de528b73a) - The privacy statement for using Bing Chat follows the [Microsoft privacy statement](https://privacy.microsoft.com/privacystatement) including the product specific guidance in the Microsoft privacy statement for **Bing** under the **Search, Microsoft Edge, and artificial intelligence** section. + **Bing Chat Enterprise**: [Bing Chat Enterprise](/bing-chat-enterprise/overview) is intended for commercial use scenarios and offers commercial data protection. The following privacy and security protections apply for Bing Chat Enterprise: 
@@ -143,7 +144,27 @@ Organizations that aren't ready to use Copilot in Windows can disable it until t ## Other settings that might affect Copilot in Windows and its underlying chat provider -Copilot in Windows and [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat), can share the same underlying chat provider platform. This also means that some settings that affect Bing Chat, Bing Chat Enterprise, and the Microsoft Edge sidebar can also affect Copilot in Windows. +Copilot in Windows and [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat), can share the same underlying chat provider platform. This also means that some settings that affect Bing Chat, Bing Chat Enterprise, and Bing Chat in the Microsoft Edge sidebar can also affect Copilot in Windows. The following common settings might affect Copilot in Windows and its underlying chat provider: -The following settings might affect Copilot in Windows and its underlying chat provider: +**Bing SafeSearch settings**: +If [SafeSearch](https://support.microsoft.com/topic/946059ed-992b-46a0-944a-28e8fb8f1814) is enabled for Bing, it will block chat providers for Copilot in Windows. The following network changes will block the chat providers for Copilot in Windows, [Bing Chat Enterprise in the Edge sidebar](/bing-chat-enterprise/edge), and [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat): +- mapping `www.bing.com` to `strict.bing.com` +- mapping `edgeservices.bing.com` to `strict.bing.com` +- mapping `www.bing.com` to `nochat.bing.com` +- blocking `bing.com` + +**Microsoft Edge policies**: + +- If [HubsSidebarEnabled](/deployedge/microsoft-edge-policies#hubssidebarenabled) is set to `disabled`, it will block Bing Chat in the Microsoft Edge sidebar and Bing Chat Enterprise in the Microsoft Edge sidebar from being displayed. 
+- If [DiscoverPageContextEnabled](/deployedge/microsoft-edge-policies#discoverpagecontextenabled) is set to `disabled`, it will block Bing Chat and Bing Chat Enterprise from reading the current webpage context. The chat providers need to read the current webpage context to provide page summarizations and for sending a string the user selects from the webpage into the chat provider. + +**Search settings**: + +- Setting [ConfigureSearchOnTaskbarMode](/windows/client-management/mdm/policy-csp-search#configuresearchontaskbarmode) to `Hide` might interfere with the Copilot in Windows user experience. +- Setting [AllowSearchHighlights](/windows/client-management/mdm/policy-csp-search#allowsearchhighlights) to `disabled` might interfere with the Copilot in Windows, Bing Chat in the Microsoft Edge sidebar, and Bing Chat Enterprise in the Microsoft Edge sidebar user experiences. + +**Account settings** + +- [AllowMicrosoftAccountConnection](/windows/client-management/mdm/policy-csp-accounts#allowmicrosoftaccountconnection) +-[RestrictToEnterpriseDeviceAuthenticationOnly](/windows/client-management/mdm/policy-csp-accounts#restricttoenterprisedeviceauthenticationonly) \ No newline at end of file From 6fbe174913a5d5eb9fd122ac54cac7d3abcc7143 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Tue, 17 Oct 2023 11:23:08 -0700 Subject: [PATCH 26/80] edits --- windows/client-management/copilot-overview.md | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/windows/client-management/copilot-overview.md b/windows/client-management/copilot-overview.md index 742a6e2f87..c488a12cbc 100644 --- a/windows/client-management/copilot-overview.md +++ b/windows/client-management/copilot-overview.md @@ -1,5 +1,5 @@ --- -title: Copilot in Windows Overview +title: Manage Copilot in Windows description: Learn about managing Copilot in Windows for commercial environments. ms.topic: overview ms.date: 10/26/2023 
@@ -11,7 +11,7 @@ appliesto: >**Looking for consumer information?** See [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0). -Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar docked on the Windows desktop. It's designed to be an assistant that can help your users get things done in Windows. Copilot in Windows is a bit different from [Bing Chat Enterprise in the Edge sidebar](/bing-chat-enterprise/edge) (and [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat)), which provides assistance in the browser, since it can also perform actions such as changing Windows settings or performing common tasks in Windows. However, both user experiences, Copilot in Windows and Bing Chat in the Microsoft Edge sidebar, can share the same underlying chat provider platform. It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since users can possibly pass sensitive information into the chat provider. +Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar docked on the Windows desktop. It's designed to be an assistant that can help your users get things done in Windows. Copilot in Windows is a bit different from [Bing Chat Enterprise in the Edge sidebar](/bing-chat-enterprise/edge) (and [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat)), which provides assistance in the browser, since it can also perform actions such as changing Windows settings or performing common tasks in Windows. However, both user experiences, Copilot in Windows and Bing Chat Enterprise in the Microsoft Edge sidebar, can share the same underlying chat provider platform. 
It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since users can possibly pass sensitive information into the chat provider. At a high level, configuring Copilot in Windows for your organization involves the following steps: 
@@ -137,14 +137,14 @@ While the user experience for Copilot in Windows is enabled by default, you stil - [Configure the chat provider platform that Copilot in Windows uses](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) - [Other settings that might affect Copilot in Windows and its underlying chat provider](#other-settings-that-might-affect-copilot-in-windows-and-its-underlying-chat-provider) -Organizations that aren't ready to use Copilot in Windows can disable it until they're ready by using either of the following permanent controls: +Organizations that aren't ready to use Copilot in Windows can disable it until they're ready by using the following policy: - **CSP**: ./User/Vendor/MSFT/WindowsAI/[TurnOffWindowsCopilot](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot) - **Group Policy**: User Configuration\Administrative Templates\Windows Components\Windows Copilot\\**Turn off Windows Copilot** ## Other settings that might affect Copilot in Windows and its underlying chat provider -Copilot in Windows and [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat), can share the same underlying chat provider platform. This also means that some settings that affect Bing Chat, Bing Chat Enterprise, and Bing Chat in the Microsoft Edge sidebar can also affect Copilot in Windows. The following common settings might affect Copilot in Windows and its underlying chat provider: +Copilot in Windows and [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat), can share the same underlying chat provider platform. This also means that some settings that affect Bing Chat, Bing Chat Enterprise, and Bing Chat in the Microsoft Edge sidebar can also affect Copilot in Windows. The following common settings may affect Copilot in Windows and its underlying chat provider: **Bing SafeSearch settings**: 
@@ -166,5 +166,6 @@ If [SafeSearch](https://support.microsoft.com/topic/946059ed-992b-46a0-944a-28e8 **Account settings** -- [AllowMicrosoftAccountConnection](/windows/client-management/mdm/policy-csp-accounts#allowmicrosoftaccountconnection) --[RestrictToEnterpriseDeviceAuthenticationOnly](/windows/client-management/mdm/policy-csp-accounts#restricttoenterprisedeviceauthenticationonly) \ No newline at end of file +- The [AllowMicrosoftAccountConnection](/windows/client-management/mdm/policy-csp-accounts#allowmicrosoftaccountconnection) setting might allow users to use their personal Microsoft account with Copilot in Windows and Bing Chat in the Microsoft Edge sidebar. +- The [RestrictToEnterpriseDeviceAuthenticationOnly](/windows/client-management/mdm/policy-csp-accounts#restricttoenterprisedeviceauthenticationonly) setting might prevent access to chat providers since it blocks user authentication. + From e89a1a265ee269f4e1b46d240772d4082abb4ab2 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Tue, 17 Oct 2023 11:33:18 -0700 Subject: [PATCH 27/80] edits --- windows/client-management/copilot-overview.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/client-management/copilot-overview.md b/windows/client-management/copilot-overview.md index c488a12cbc..b83ceaae40 100644 --- a/windows/client-management/copilot-overview.md +++ b/windows/client-management/copilot-overview.md 
@@ -11,7 +11,7 @@ appliesto: >**Looking for consumer information?** See [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0). -Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar docked on the Windows desktop. It's designed to be an assistant that can help your users get things done in Windows. Copilot in Windows is a bit different from [Bing Chat Enterprise in the Edge sidebar](/bing-chat-enterprise/edge) (and [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat)), which provides assistance in the browser, since it can also perform actions such as changing Windows settings or performing common tasks in Windows. However, both user experiences, Copilot in Windows and Bing Chat Enterprise in the Microsoft Edge sidebar, can share the same underlying chat provider platform. It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since users can possibly pass sensitive information into the chat provider. +Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar docked on the Windows desktop. It's designed to be an assistant that can help your users get things done in Windows. Copilot in Windows is a bit different from [Bing Chat Enterprise in the Microsoft Edge sidebar](/bing-chat-enterprise/edge) (and [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat)), which provides assistance in the browser, since it can also perform actions such as changing Windows settings or performing common tasks in Windows. However, both user experiences, Copilot in Windows and Bing Chat Enterprise in the Microsoft Edge sidebar, can share the same underlying chat provider platform. 
It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since users can possibly pass sensitive information into the chat provider. At a high level, configuring Copilot in Windows for your organization involves the following steps: 
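Review bot: The rewritten intro line in this hunk still spells "side bar" as two words ("appears as a side bar docked on the Windows desktop") while every other mention in the same line is "sidebar"; make it one word. The closing sentence, "since users can possibly pass sensitive information into the chat provider", is the reason the whole page exists, so drop "possibly" and match the wording used in the later sections ("because users can pass sensitive information into the chat provider").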
@@ -144,11 +144,11 @@ Organizations that aren't ready to use Copilot in Windows can disable it until t ## Other settings that might affect Copilot in Windows and its underlying chat provider -Copilot in Windows and [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat), can share the same underlying chat provider platform. This also means that some settings that affect Bing Chat, Bing Chat Enterprise, and Bing Chat in the Microsoft Edge sidebar can also affect Copilot in Windows. The following common settings may affect Copilot in Windows and its underlying chat provider: +Copilot in Windows and [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat), can share the same underlying chat provider platform. This also means that some settings that affect Bing Chat, Bing Chat Enterprise, and Bing Chat in the Microsoft Edge sidebar can also affect Copilot in Windows. The following common settings might affect Copilot in Windows and its underlying chat provider: **Bing SafeSearch settings**: -If [SafeSearch](https://support.microsoft.com/topic/946059ed-992b-46a0-944a-28e8fb8f1814) is enabled for Bing, it will block chat providers for Copilot in Windows. The following network changes will block the chat providers for Copilot in Windows, [Bing Chat Enterprise in the Edge sidebar](/bing-chat-enterprise/edge), and [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat): +If [SafeSearch](https://support.microsoft.com/topic/946059ed-992b-46a0-944a-28e8fb8f1814) is enabled for Bing, it can block chat providers for Copilot in Windows. 
The following network changes block the chat providers for Copilot in Windows, [Bing Chat Enterprise in the Microsoft Edge sidebar](/bing-chat-enterprise/edge), and [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat): - mapping `www.bing.com` to `strict.bing.com` - mapping `edgeservices.bing.com` to `strict.bing.com` - mapping `www.bing.com` to `nochat.bing.com` @@ -156,8 +156,8 @@ If [SafeSearch](https://support.microsoft.com/topic/946059ed-992b-46a0-944a-28e8 **Microsoft Edge policies**: -- If [HubsSidebarEnabled](/deployedge/microsoft-edge-policies#hubssidebarenabled) is set to `disabled`, it will block Bing Chat in the Microsoft Edge sidebar and Bing Chat Enterprise in the Microsoft Edge sidebar from being displayed. -- If [DiscoverPageContextEnabled](/deployedge/microsoft-edge-policies#discoverpagecontextenabled) is set to `disabled`, it will block Bing Chat and Bing Chat Enterprise from reading the current webpage context. The chat providers need to read the current webpage context to provide page summarizations and for sending a string the user selects from the webpage into the chat provider. +- If [HubsSidebarEnabled](/deployedge/microsoft-edge-policies#hubssidebarenabled) is set to `disabled`, it blocks Bing Chat in the Microsoft Edge sidebar and Bing Chat Enterprise in the Microsoft Edge sidebar from being displayed. +- If [DiscoverPageContextEnabled](/deployedge/microsoft-edge-policies#discoverpagecontextenabled) is set to `disabled`, it blocks Bing Chat and Bing Chat Enterprise from reading the current webpage context. The chat providers need access to the current webpage context for providing page summarizations and sending user selected strings from the webpage into the chat provider. **Search settings**: From ea36036d32bc79750935c3124aa37e3b309c9dd1 Mon Sep 17 00:00:00 2001 
From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Tue, 17 Oct 2023 11:35:33 -0700 Subject: [PATCH 28/80] edits --- windows/client-management/copilot-overview.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/client-management/copilot-overview.md b/windows/client-management/copilot-overview.md index b83ceaae40..963e9bb45d 100644 --- a/windows/client-management/copilot-overview.md +++ b/windows/client-management/copilot-overview.md 
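Review bot: In the **Bing SafeSearch settings** hunk of the patch above (`@@ -144,11 +144,11 @@`), the first sentence is softened to "it can block chat providers" while the next sentence says the listed network changes "block the chat providers" outright, so the reader can't tell whether SafeSearch always blocks the providers or only when it's enforced through those mappings. Tie the two together, for example by saying that SafeSearch blocks the chat providers when it's enforced with one of the listed mappings. The same hunk keeps the stray comma before "can share" in the first added line.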
@@ -13,7 +13,9 @@ appliesto: Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar docked on the Windows desktop. It's designed to be an assistant that can help your users get things done in Windows. Copilot in Windows is a bit different from [Bing Chat Enterprise in the Microsoft Edge sidebar](/bing-chat-enterprise/edge) (and [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat)), which provides assistance in the browser, since it can also perform actions such as changing Windows settings or performing common tasks in Windows. However, both user experiences, Copilot in Windows and Bing Chat Enterprise in the Microsoft Edge sidebar, can share the same underlying chat provider platform. It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since users can possibly pass sensitive information into the chat provider. -At a high level, configuring Copilot in Windows for your organization involves the following steps: +## Manage Copilot in Windows for commercial environments + +At a high level, managing and configuring Copilot in Windows for your organization involves the following steps: 1. Understand the [available chat provider platforms for Copilot in Windows](#chat-provider-platforms-for-copilot-in-windows) 1. [Configure the chat provider platform](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) used by Copilot in Windows From 435e75d1f16b1569fab9145acaf30b006629f6f1 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Tue, 17 Oct 2023 11:39:25 -0700 Subject: [PATCH 29/80] move content to manage copilot page --- .../manage-windows-copilot.md | 170 ++++++++++++++++-- 1 file changed, 156 insertions(+), 14 deletions(-) 
diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md index bc4adbca9d..9b30f58ce9 100644 --- a/windows/client-management/manage-windows-copilot.md +++ b/windows/client-management/manage-windows-copilot.md 
@@ -1,31 +1,173 @@ --- title: Manage Copilot in Windows -description: Learn how to manage Copilot in Windows using MDM and group policy. +description: Learn how to manage Copilot in Windows for commercial environments using MDM and group policy. Learn about the chat providers available to Copilot in Windows. ms.topic: article -ms.date: 10/16/2023 +ms.date: 10/18/2023 appliesto: -- ✅ Windows 11 +- ✅ Windows 11, version 22H2 or later --- -# Manage Copilot in Windows +# What is Copilot in Windows? + +>**Looking for consumer information?** See [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0). -Windows is the first PC platform to provide centralized AI assistance for customers. Together, with Bing Chat, Copilot in Windows helps you bring your ideas to life, complete complex projects and collaborate instead of spending energy finding, launching and working across multiple applications. +Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar docked on the Windows desktop. It's designed to be an assistant that can help your users get things done in Windows. Copilot in Windows is a bit different from [Bing Chat Enterprise in the Microsoft Edge sidebar](/bing-chat-enterprise/edge) (and [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat)), which provides assistance in the browser, since it can also perform actions such as changing Windows settings or performing common tasks in Windows. However, both user experiences, Copilot in Windows and Bing Chat Enterprise in the Microsoft Edge sidebar, can share the same underlying chat provider platform. It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since users can possibly pass sensitive information into the chat provider. 
-This article lists settings available to manage Copilot in Windows. To learn more about Copilot in Windows, see [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0). +## Manage Copilot in Windows for commercial environments -## Turn off Copilot in Windows +At a high level, managing and configuring Copilot in Windows for your organization involves the following steps: -This policy setting allows you to turn off Copilot in Windows. If you enable this policy setting, users can't use Copilot. The Copilot icon doesn't appear on the taskbar either. If you disable or don't configure this policy setting, users can use Copilot when it's available to them. +1. Understand the [available chat provider platforms for Copilot in Windows](#chat-provider-platforms-for-copilot-in-windows) +1. [Configure the chat provider platform](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) used by Copilot in Windows +1. Ensure the [Copilot in Windows user experience](#ensure-the-copilot-in-windows-user-experience-is-enabled) is enabled +1. Verify [other settings that might affect Copilot in Windows](#other-settings-that-might-affect-copilot-in-windows-and-its-underlying-chat-provider) and its underlying chat provider -| | Setting | -|------------------|---------------------------------------------------------------------------------------------------------| -| **CSP** | ./User/Vendor/MSFT/WindowsAI/[TurnOffWindowsCopilot](mdm/policy-csp-windowsai.md#turnoffwindowscopilot) | +Organizations that aren't ready to use Copilot in Windows can disable it until they're ready with the **Turn off Windows Copilot** policy. This policy setting allows you to turn off Copilot in Windows. If you enable this policy setting, users can't use Copilot in Windows and the icon doesn't appear on the taskbar either. 
If you disable or don't configure this policy setting, users can use Copilot in Windows when it's available to them. + +|   | Setting | +|---|---| +| **CSP** | ./User/Vendor/MSFT/WindowsAI/[TurnOffWindowsCopilot](mdm/policy-csp-windowsai.md#turnoffwindowscopilot) | | **Group policy** | User Configuration > Administrative Templates > Windows Components > Windows Copilot > **Turn off Windows Copilot** | +## Chat provider platforms for Copilot in Windows -## Related articles +Copilot in Windows can use either Bing Chat or Bing Chat Enterprise as its chat provider platform. The chat provider platform is the underlying service that Copilot in Windows uses to communicate with the user. The chat provider platform that Copilot in Windows uses is important because users can pass sensitive information into the chat provider. Each chat provider platform has different privacy and security protections. -- [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0) +**Bing Chat**: + +[Bing Chat](https://www.microsoft.com/bing/do-more-with-ai/what-is-bing-chat-and-how-can-you-use-it) is a consumer experience and the number of chat queries per user has a daily limit. Bing Chat doesn't offer the same commercial data protection as Bing Chat Enterprise does. The following privacy and security protections apply for Bing Chat: + - [Copilot in Windows: Your data and privacy](https://support.microsoft.com/windows/3e265e82-fc76-4d0a-afc0-4a0de528b73a) + - The privacy statement for using Bing Chat follows the [Microsoft privacy statement](https://privacy.microsoft.com/privacystatement) including the product specific guidance in the Microsoft privacy statement for **Bing** under the **Search, Microsoft Edge, and artificial intelligence** section. + + +**Bing Chat Enterprise**: + +[Bing Chat Enterprise](/bing-chat-enterprise/overview) is intended for commercial use scenarios and offers commercial data protection. 
The following privacy and security protections apply for Bing Chat Enterprise: + +- With [Bing Chat Enterprise](/bing-chat-enterprise/overview), user and organizational data is protected, chat data isn't saved, Microsoft has no eyes-on access, and your data isn't used to train the underlying large language models. Because of this protection, chat history, 3rd-party plugins, and the Bing mobile app for iOS or Android aren't currently supported. Review the Bing Chat Enterprise [privacy statement](/bing-chat-enterprise/privacy-and-protections). +- Bing chat enterprise is available, at no additional cost, for the following licenses: + - Microsoft 365 E3 or E5 + - Microsoft 365 A3 or A5 for faculty + - Business Standard + - Business Premium + + > [!Note] + > Bing Chat Enterprise doesn't have access to Microsoft Graph, unlike [Microsoft 365 Copilot](/microsoft-365-copilot/microsoft-365-copilot-overview) which is used in Microsoft 365 apps. This means that Bing Chat Enterprise can't access Microsoft 365 Apps data, such as email, calendar, or files. + +## Configure the chat provider platform that Copilot in Windows uses + +Configuring the correct chat provider platform for Copilot in Windows is important because users can pass sensitive information into the chat provider. Each chat provider platform has different privacy and security protections. Once you have selected the chat provider platform that you want to use for Copilot in Windows, ensure it's configured for your organization. The following sections describe how to configure the chat provider platform that Copilot in Windows uses. 
+ +### Bing Chat as the chat provider platform + +Bing Chat is used as the default chat provider platform for Copilot in Windows when any of the following conditions occur: + +- Bing Chat Enterprise isn't configured for the user +- The user isn't assigned a license that includes Bing Chat Enterprise +- Bing Chat Enterprise is [turned off](/bing-chat-enterprise/manage) +- The user isn't signed in with a Microsoft Entra account that's licensed for Bing Chat Enterprise + +### Bing Chat Enterprise as the chat provider platform + +Bing Chat Enterprise (recommended for commercial environments), is used as the chat provider platform for Copilot in Windows when all of the following conditions occur: + +1. Sign into the [Microsoft 365 admin center](https://admin.microsoft.com/). +1. In the admin center, select **Users** > **Active users** and verify that users are assigned a license that includes Bing Chat Enterprise. Bing Chat Enterprise is included and enabled by default for users that are assigned one of the following licenses: + - Microsoft 365 E3 or E5 + - Microsoft 365 A3 or A5 for faculty + - Currently, Microsoft 365 A3 and A5 for faculty requires additional configuration. For more information, see [Manage Bing Chat Enterprise](/bing-chat-enterprise/manage). + - Business Standard + - Business Premium +1. To verify that Bing Chat Enterprise is enabled for the user, select the user's **Display name** to open the flyout menu. +1. In the flyout, select the **Licenses & apps** tab, then expand the **Apps** list. +1. Verify that **Bing Chat Enterprise** is enabled for the user. + + > [!Note] + > If you previously disabled Bing Chat Enterprise using the URL, `https://aka.ms/TurnOffBCE`, see [Manage Bing Chat Enterprise](/bing-chat-enterprise/manage) for verifying that Bing Chat Enterprise is enabled for your users. 
+ +```http +*would be nice to have a Graph query that lists users that do/do not have BCE app enabled* +*licensedetails does output BCE, so its a matter of just getting the query right* +**powershell or http preferably** +Ex output from my lab: GET https://graph.microsoft.com/v1.0/me/licenseDetails +{ + "servicePlanId": "0d0c0d31-fae7-41f2-b909-eaf4d7f26dba", + "servicePlanName": "Bing_Chat_Enterprise", + "provisioningStatus": "Success", + "appliesTo": "User" +}, +https://learn.microsoft.com/graph/api/resources/licensedetails +``` + +When Bing Chat Enterprise is the chat provider platform, the user experience clearly states that **Your personal and company data are protected in this chat**. There's also a shield emblem labeled **Protected** at the top of the Copilot in Windows sidebar and the provider is listed under the Copilot logo when the sidebar is first opened. The following image shows the message that's displayed when Bing Chat Enterprise is the chat provider platform for Copilot in Windows: + +:::image type="content" source="images/bing-chat-enterprise-chat-provider.png" alt-text="Screenshot of the Copilot in Windows user experience when Bing Chat Enterprise is the chat provider." lightbox="images/bing-chat-enterprise-chat-provider.png"::: + +## Ensure the Copilot in Windows user experience is enabled + +Once you've configured the chat provider platform that Copilot in Windows uses, you need to ensure that the Copilot in Windows user experience is enabled. The Copilot in Windows user experience is enabled by default for managed Windows 11, version 22H2 devices. +### Enable the Copilot in Windows user experience for Windows 11, version 22H2 clients + +Copilot in Windows isn't enabled by default for manged Windows 11, version 22H2 devices because it's behind a [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control). 
For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager and Microsoft Intune are considered managed since their updates ultimately come from WSUS or Windows Updates for Business. + +To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you need to turn off temporary enterprise control for these devices. Since disabling [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) can be impactful, you should test this change before deploying it broadly. To enable Copilot in Windows for managed Windows 11, version 22H2 devices, use the following instructions: + +1. Verify that the user accounts have the correct chat provider platform configured for Copilot in Windows. For more information, see the [Configure the chat provider platform that Copilot in Windows uses](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) section. +1. Apply a policy to disable temporary enterprise control. 
The following polices apply to Windows 11, version 22H2 with [KB5022845](https://support.microsoft.com/en-us/topic/february-14-2023-kb5022845-os-build-22621-1265-90a807f4-d2e8-486e-8a43-d09e66319f38) and later: + - **Group Policy:** Computer Configuration\Administrative Templates\Windows Components\Windows Update\Manage end user experience\\**Enable features introduced via servicing that are off by default** + + - **CSP**: ./Device/Vendor/MSFT/Policy/Config/Update/[AllowTemporaryEnterpriseFeatureControl](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowtemporaryenterprisefeaturecontrol) + - In the Intune [settings catalog](/mem/intune/configuration/settings-catalog), this setting is named **Allow Temporary Enterprise Feature Control** under the **Windows Update for Business** category. +1. Copilot in Windows will be initially deployed to devices using a controlled feature rollout (CFR). Depending on how soon you start deploying Copilot in Windows, you might also need to [enable optional updates](/windows/deployment/update/waas-configure-wufb#enable-optional-updates) with one of the following policies: + - **Group Policy:** Computer Configuration\Administrative Templates\Windows Components\Windows Update\Windows Update for Business\\**Allow updates to Windows optional features** + - **CSP**: ./Device/Vendor/MSFT/Policy/Config/Update/[AllowOptionalUpdates](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowoptionalupdates) + - In the Intune [settings catalog](/mem/intune/configuration/settings-catalog), this setting is named **Allow optional updates** under the **Windows Update for Business** category. + + These policies of optional updates apply to Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later. 
When setting policy for [optional updates](/windows/deployment/update/waas-configure-wufb#enable-optional-updates), ensure you select one of the following options that includes CFRs: + - Automatically receive optional updates (including CFRs) + - This selection places devices into an early CFR phase + - Users can select which optional updates to receive + +1. Managed Windows 11, version 22H2 devices display Copilot in Windows when the CFR is enabled for the device. CFRs are enabled for devices in phases, sometimes called waves. + +### Enable the Copilot in Windows user experience for Windows 11 clients with the 2023 annual update (coming soon) + +One a managed device installs the upcoming 2023 annual update, likely to be called version 23H2, the [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) for Copilot in Windows will be removed. This means that Copilot in Windows will be enabled by default for these devices. + +While the user experience for Copilot in Windows is enabled by default, you still need to verify that the correct chat provider platform configured for Copilot in Windows. While every effort has been made to ensure that Bing Chat Enterprise is the default chat provider for commercial organizations, it's still possible that Bing Chat might still be used if the configuration is incorrect, or if other settings are affecting Copilot in Windows. 
For more information, see: +- [Configure the chat provider platform that Copilot in Windows uses](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) +- [Other settings that might affect Copilot in Windows and its underlying chat provider](#other-settings-that-might-affect-copilot-in-windows-and-its-underlying-chat-provider) + +Organizations that aren't ready to use Copilot in Windows can disable it until they're ready by using the following policy: + +- **CSP**: ./User/Vendor/MSFT/WindowsAI/[TurnOffWindowsCopilot](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot) +- **Group Policy**: User Configuration\Administrative Templates\Windows Components\Windows Copilot\\**Turn off Windows Copilot** + +## Other settings that might affect Copilot in Windows and its underlying chat provider + +Copilot in Windows and [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat), can share the same underlying chat provider platform. This also means that some settings that affect Bing Chat, Bing Chat Enterprise, and Bing Chat in the Microsoft Edge sidebar can also affect Copilot in Windows. The following common settings might affect Copilot in Windows and its underlying chat provider: + +**Bing SafeSearch settings**: + +If [SafeSearch](https://support.microsoft.com/topic/946059ed-992b-46a0-944a-28e8fb8f1814) is enabled for Bing, it can block chat providers for Copilot in Windows. 
The following network changes block the chat providers for Copilot in Windows, [Bing Chat Enterprise in the Microsoft Edge sidebar](/bing-chat-enterprise/edge), and [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat): +- mapping `www.bing.com` to `strict.bing.com` +- mapping `edgeservices.bing.com` to `strict.bing.com` +- mapping `www.bing.com` to `nochat.bing.com` +- blocking `bing.com` + +**Microsoft Edge policies**: + +- If [HubsSidebarEnabled](/deployedge/microsoft-edge-policies#hubssidebarenabled) is set to `disabled`, it blocks Bing Chat in the Microsoft Edge sidebar and Bing Chat Enterprise in the Microsoft Edge sidebar from being displayed. +- If [DiscoverPageContextEnabled](/deployedge/microsoft-edge-policies#discoverpagecontextenabled) is set to `disabled`, it blocks Bing Chat and Bing Chat Enterprise from reading the current webpage context. The chat providers need access to the current webpage context for providing page summarizations and sending user selected strings from the webpage into the chat provider. + +**Search settings**: + +- Setting [ConfigureSearchOnTaskbarMode](/windows/client-management/mdm/policy-csp-search#configuresearchontaskbarmode) to `Hide` might interfere with the Copilot in Windows user experience. +- Setting [AllowSearchHighlights](/windows/client-management/mdm/policy-csp-search#allowsearchhighlights) to `disabled` might interfere with the Copilot in Windows, Bing Chat in the Microsoft Edge sidebar, and Bing Chat Enterprise in the Microsoft Edge sidebar user experiences. + +**Account settings** + +- The [AllowMicrosoftAccountConnection](/windows/client-management/mdm/policy-csp-accounts#allowmicrosoftaccountconnection) setting might allow users to use their personal Microsoft account with Copilot in Windows and Bing Chat in the Microsoft Edge sidebar. 
+- The [RestrictToEnterpriseDeviceAuthenticationOnly](/windows/client-management/mdm/policy-csp-accounts#restricttoenterprisedeviceauthenticationonly) setting might prevent access to chat providers since it blocks user authentication. -- [Copilot in Windows: Your data and privacy](https://support.microsoft.com/windows/copilot-in-windows-your-data-and-privacy-3e265e82-fc76-4d0a-afc0-4a0de528b73a) From 13427d3c5f64df40810b40479699fedd41e9ed2b Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Tue, 17 Oct 2023 11:40:31 -0700 Subject: [PATCH 30/80] delete unneeded md file --- windows/client-management/copilot-overview.md | 173 ------------------ 1 file changed, 173 deletions(-) delete mode 100644 windows/client-management/copilot-overview.md diff --git a/windows/client-management/copilot-overview.md b/windows/client-management/copilot-overview.md deleted file mode 100644 index 963e9bb45d..0000000000 --- a/windows/client-management/copilot-overview.md +++ /dev/null 
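Review bot: The fenced `http` block added to `manage-windows-copilot.md` after the Bing Chat Enterprise verification steps is still author scratch text ("would be nice to have a Graph query ...", "Ex output from my lab") and would publish as-is; replace it with a tested query and its sample response, or drop it before merge. The moved text also contradicts itself on the default state: "The Copilot in Windows user experience is enabled by default for managed Windows 11, version 22H2 devices" is followed directly by "Copilot in Windows isn't enabled by default for manged Windows 11, version 22H2 devices". The Bing Chat Enterprise section introduces its list with "when all of the following conditions occur" but the list is a verification procedure, and the front matter keeps `title: Manage Copilot in Windows` while the H1 changes to "What is Copilot in Windows?". Typos to fix in the same pass: "manged", "One a managed device", "polices", "Bing chat enterprise", and the missing "is" in "verify that the correct chat provider platform configured".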
@@ -1,173 +0,0 @@ ---- -title: Manage Copilot in Windows -description: Learn about managing Copilot in Windows for commercial environments. -ms.topic: overview -ms.date: 10/26/2023 -appliesto: -- ✅ Windows 11, version 22H2 or later ---- - -# What is Copilot in Windows? - ->**Looking for consumer information?** See [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0). - -Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar docked on the Windows desktop. It's designed to be an assistant that can help your users get things done in Windows. Copilot in Windows is a bit different from [Bing Chat Enterprise in the Microsoft Edge sidebar](/bing-chat-enterprise/edge) (and [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat)), which provides assistance in the browser, since it can also perform actions such as changing Windows settings or performing common tasks in Windows. However, both user experiences, Copilot in Windows and Bing Chat Enterprise in the Microsoft Edge sidebar, can share the same underlying chat provider platform. It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since users can possibly pass sensitive information into the chat provider. - -## Manage Copilot in Windows for commercial environments - -At a high level, managing and configuring Copilot in Windows for your organization involves the following steps: - -1. Understand the [available chat provider platforms for Copilot in Windows](#chat-provider-platforms-for-copilot-in-windows) -1. [Configure the chat provider platform](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) used by Copilot in Windows -1. 
Ensure the [Copilot in Windows user experience](#ensure-the-copilot-in-windows-user-experience-is-enabled) is enabled -1. Verify [other settings that might affect Copilot in Windows](#other-settings-that-might-affect-copilot-in-windows-and-its-underlying-chat-provider) and its underlying chat provider - -Organizations that aren't ready to use Copilot in Windows can disable it until they're ready with the **Turn off Windows Copilot** policy. This policy setting allows you to turn off Copilot in Windows. If you enable this policy setting, users can't use Copilot in Windows and the icon doesn't appear on the taskbar either. If you disable or don't configure this policy setting, users can use Copilot in Windows when it's available to them. - -|   | Setting | -|---|---| -| **CSP** | ./User/Vendor/MSFT/WindowsAI/[TurnOffWindowsCopilot](mdm/policy-csp-windowsai.md#turnoffwindowscopilot) | -| **Group policy** | User Configuration > Administrative Templates > Windows Components > Windows Copilot > **Turn off Windows Copilot** | - - -## Chat provider platforms for Copilot in Windows - -Copilot in Windows can use either Bing Chat or Bing Chat Enterprise as its chat provider platform. The chat provider platform is the underlying service that Copilot in Windows uses to communicate with the user. The chat provider platform that Copilot in Windows uses is important because users can pass sensitive information into the chat provider. Each chat provider platform has different privacy and security protections. - -**Bing Chat**: - -[Bing Chat](https://www.microsoft.com/bing/do-more-with-ai/what-is-bing-chat-and-how-can-you-use-it) is a consumer experience and the number of chat queries per user has a daily limit. Bing Chat doesn't offer the same commercial data protection as Bing Chat Enterprise does. 
The following privacy and security protections apply for Bing Chat: - - [Copilot in Windows: Your data and privacy](https://support.microsoft.com/windows/3e265e82-fc76-4d0a-afc0-4a0de528b73a) - - The privacy statement for using Bing Chat follows the [Microsoft privacy statement](https://privacy.microsoft.com/privacystatement) including the product specific guidance in the Microsoft privacy statement for **Bing** under the **Search, Microsoft Edge, and artificial intelligence** section. - - -**Bing Chat Enterprise**: - -[Bing Chat Enterprise](/bing-chat-enterprise/overview) is intended for commercial use scenarios and offers commercial data protection. The following privacy and security protections apply for Bing Chat Enterprise: - -- With [Bing Chat Enterprise](/bing-chat-enterprise/overview), user and organizational data is protected, chat data isn't saved, Microsoft has no eyes-on access, and your data isn't used to train the underlying large language models. Because of this protection, chat history, 3rd-party plugins, and the Bing mobile app for iOS or Android aren't currently supported. Review the Bing Chat Enterprise [privacy statement](/bing-chat-enterprise/privacy-and-protections). -- Bing chat enterprise is available, at no additional cost, for the following licenses: - - Microsoft 365 E3 or E5 - - Microsoft 365 A3 or A5 for faculty - - Business Standard - - Business Premium - - > [!Note] - > Bing Chat Enterprise doesn't have access to Microsoft Graph, unlike [Microsoft 365 Copilot](/microsoft-365-copilot/microsoft-365-copilot-overview) which is used in Microsoft 365 apps. This means that Bing Chat Enterprise can't access Microsoft 365 Apps data, such as email, calendar, or files. - -## Configure the chat provider platform that Copilot in Windows uses - -Configuring the correct chat provider platform for Copilot in Windows is important because users can pass sensitive information into the chat provider. 
Each chat provider platform has different privacy and security protections. Once you have selected the chat provider platform that you want to use for Copilot in Windows, ensure it's configured for your organization. The following sections describe how to configure the chat provider platform that Copilot in Windows uses. - -### Bing Chat as the chat provider platform - -Bing Chat is used as the default chat provider platform for Copilot in Windows when any of the following conditions occur: - -- Bing Chat Enterprise isn't configured for the user -- The user isn't assigned a license that includes Bing Chat Enterprise -- Bing Chat Enterprise is [turned off](/bing-chat-enterprise/manage) -- The user isn't signed in with a Microsoft Entra account that's licensed for Bing Chat Enterprise - -### Bing Chat Enterprise as the chat provider platform - -Bing Chat Enterprise (recommended for commercial environments), is used as the chat provider platform for Copilot in Windows when all of the following conditions occur: - -1. Sign into the [Microsoft 365 admin center](https://admin.microsoft.com/). -1. In the admin center, select **Users** > **Active users** and verify that users are assigned a license that includes Bing Chat Enterprise. Bing Chat Enterprise is included and enabled by default for users that are assigned one of the following licenses: - - Microsoft 365 E3 or E5 - - Microsoft 365 A3 or A5 for faculty - - Currently, Microsoft 365 A3 and A5 for faculty requires additional configuration. For more information, see [Manage Bing Chat Enterprise](/bing-chat-enterprise/manage). - - Business Standard - - Business Premium -1. To verify that Bing Chat Enterprise is enabled for the user, select the user's **Display name** to open the flyout menu. -1. In the flyout, select the **Licenses & apps** tab, then expand the **Apps** list. -1. Verify that **Bing Chat Enterprise** is enabled for the user. 
- - > [!Note] - > If you previously disabled Bing Chat Enterprise using the URL, `https://aka.ms/TurnOffBCE`, see [Manage Bing Chat Enterprise](/bing-chat-enterprise/manage) for verifying that Bing Chat Enterprise is enabled for your users. - -```http -*would be nice to have a Graph query that lists users that do/do not have BCE app enabled* -*licensedetails does output BCE, so its a matter of just getting the query right* -**powershell or http preferably** -Ex output from my lab: GET https://graph.microsoft.com/v1.0/me/licenseDetails -{ - "servicePlanId": "0d0c0d31-fae7-41f2-b909-eaf4d7f26dba", - "servicePlanName": "Bing_Chat_Enterprise", - "provisioningStatus": "Success", - "appliesTo": "User" -}, -https://learn.microsoft.com/graph/api/resources/licensedetails -``` - -When Bing Chat Enterprise is the chat provider platform, the user experience clearly states that **Your personal and company data are protected in this chat**. There's also a shield emblem labeled **Protected** at the top of the Copilot in Windows sidebar and the provider is listed under the Copilot logo when the sidebar is first opened. The following image shows the message that's displayed when Bing Chat Enterprise is the chat provider platform for Copilot in Windows: - -:::image type="content" source="images/bing-chat-enterprise-chat-provider.png" alt-text="Screenshot of the Copilot in Windows user experience when Bing Chat Enterprise is the chat provider." lightbox="images/bing-chat-enterprise-chat-provider.png"::: - -## Ensure the Copilot in Windows user experience is enabled - -Once you've configured the chat provider platform that Copilot in Windows uses, you need to ensure that the Copilot in Windows user experience is enabled. The Copilot in Windows user experience is enabled by default for managed Windows 11, version 22H2 devices. 
-### Enable the Copilot in Windows user experience for Windows 11, version 22H2 clients - -Copilot in Windows isn't enabled by default for manged Windows 11, version 22H2 devices because it's behind a [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control). For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager and Microsoft Intune are considered managed since their updates ultimately come from WSUS or Windows Updates for Business. - -To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you need to turn off temporary enterprise control for these devices. Since disabling [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) can be impactful, you should test this change before deploying it broadly. To enable Copilot in Windows for managed Windows 11, version 22H2 devices, use the following instructions: - -1. Verify that the user accounts have the correct chat provider platform configured for Copilot in Windows. For more information, see the [Configure the chat provider platform that Copilot in Windows uses](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) section. -1. Apply a policy to disable temporary enterprise control. 
The following polices apply to Windows 11, version 22H2 with [KB5022845](https://support.microsoft.com/en-us/topic/february-14-2023-kb5022845-os-build-22621-1265-90a807f4-d2e8-486e-8a43-d09e66319f38) and later: - - **Group Policy:** Computer Configuration\Administrative Templates\Windows Components\Windows Update\Manage end user experience\\**Enable features introduced via servicing that are off by default** - - - **CSP**: ./Device/Vendor/MSFT/Policy/Config/Update/[AllowTemporaryEnterpriseFeatureControl](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowtemporaryenterprisefeaturecontrol) - - In the Intune [settings catalog](/mem/intune/configuration/settings-catalog), this setting is named **Allow Temporary Enterprise Feature Control** under the **Windows Update for Business** category. -1. Copilot in Windows will be initially deployed to devices using a controlled feature rollout (CFR). Depending on how soon you start deploying Copilot in Windows, you might also need to [enable optional updates](/windows/deployment/update/waas-configure-wufb#enable-optional-updates) with one of the following policies: - - **Group Policy:** Computer Configuration\Administrative Templates\Windows Components\Windows Update\Windows Update for Business\\**Allow updates to Windows optional features** - - **CSP**: ./Device/Vendor/MSFT/Policy/Config/Update/[AllowOptionalUpdates](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowoptionalupdates) - - In the Intune [settings catalog](/mem/intune/configuration/settings-catalog), this setting is named **Allow optional updates** under the **Windows Update for Business** category. - - These policies of optional updates apply to Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later. 
When setting policy for [optional updates](/windows/deployment/update/waas-configure-wufb#enable-optional-updates), ensure you select one of the following options that includes CFRs: - - Automatically receive optional updates (including CFRs) - - This selection places devices into an early CFR phase - - Users can select which optional updates to receive - -1. Managed Windows 11, version 22H2 devices display Copilot in Windows when the CFR is enabled for the device. CFRs are enabled for devices in phases, sometimes called waves. - -### Enable the Copilot in Windows user experience for Windows 11 clients with the 2023 annual update (coming soon) - -One a managed device installs the upcoming 2023 annual update, likely to be called version 23H2, the [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) for Copilot in Windows will be removed. This means that Copilot in Windows will be enabled by default for these devices. - -While the user experience for Copilot in Windows is enabled by default, you still need to verify that the correct chat provider platform configured for Copilot in Windows. While every effort has been made to ensure that Bing Chat Enterprise is the default chat provider for commercial organizations, it's still possible that Bing Chat might still be used if the configuration is incorrect, or if other settings are affecting Copilot in Windows. 
For more information, see: -- [Configure the chat provider platform that Copilot in Windows uses](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) -- [Other settings that might affect Copilot in Windows and its underlying chat provider](#other-settings-that-might-affect-copilot-in-windows-and-its-underlying-chat-provider) - -Organizations that aren't ready to use Copilot in Windows can disable it until they're ready by using the following policy: - -- **CSP**: ./User/Vendor/MSFT/WindowsAI/[TurnOffWindowsCopilot](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot) -- **Group Policy**: User Configuration\Administrative Templates\Windows Components\Windows Copilot\\**Turn off Windows Copilot** - -## Other settings that might affect Copilot in Windows and its underlying chat provider - -Copilot in Windows and [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat), can share the same underlying chat provider platform. This also means that some settings that affect Bing Chat, Bing Chat Enterprise, and Bing Chat in the Microsoft Edge sidebar can also affect Copilot in Windows. The following common settings might affect Copilot in Windows and its underlying chat provider: - -**Bing SafeSearch settings**: - -If [SafeSearch](https://support.microsoft.com/topic/946059ed-992b-46a0-944a-28e8fb8f1814) is enabled for Bing, it can block chat providers for Copilot in Windows. 
The following network changes block the chat providers for Copilot in Windows, [Bing Chat Enterprise in the Microsoft Edge sidebar](/bing-chat-enterprise/edge), and [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat): -- mapping `www.bing.com` to `strict.bing.com` -- mapping `edgeservices.bing.com` to `strict.bing.com` -- mapping `www.bing.com` to `nochat.bing.com` -- blocking `bing.com` - -**Microsoft Edge policies**: - -- If [HubsSidebarEnabled](/deployedge/microsoft-edge-policies#hubssidebarenabled) is set to `disabled`, it blocks Bing Chat in the Microsoft Edge sidebar and Bing Chat Enterprise in the Microsoft Edge sidebar from being displayed. -- If [DiscoverPageContextEnabled](/deployedge/microsoft-edge-policies#discoverpagecontextenabled) is set to `disabled`, it blocks Bing Chat and Bing Chat Enterprise from reading the current webpage context. The chat providers need access to the current webpage context for providing page summarizations and sending user selected strings from the webpage into the chat provider. - -**Search settings**: - -- Setting [ConfigureSearchOnTaskbarMode](/windows/client-management/mdm/policy-csp-search#configuresearchontaskbarmode) to `Hide` might interfere with the Copilot in Windows user experience. -- Setting [AllowSearchHighlights](/windows/client-management/mdm/policy-csp-search#allowsearchhighlights) to `disabled` might interfere with the Copilot in Windows, Bing Chat in the Microsoft Edge sidebar, and Bing Chat Enterprise in the Microsoft Edge sidebar user experiences. - -**Account settings** - -- The [AllowMicrosoftAccountConnection](/windows/client-management/mdm/policy-csp-accounts#allowmicrosoftaccountconnection) setting might allow users to use their personal Microsoft account with Copilot in Windows and Bing Chat in the Microsoft Edge sidebar. 
-- The [RestrictToEnterpriseDeviceAuthenticationOnly](/windows/client-management/mdm/policy-csp-accounts#restricttoenterprisedeviceauthenticationonly) setting might prevent access to chat providers since it blocks user authentication. - From 66fc11dfd9060dfe038ec02761d5ae3f2acc51de Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Tue, 17 Oct 2023 12:06:35 -0700 Subject: [PATCH 31/80] tweaks --- .../manage-windows-copilot.md | 24 +++++++++++-------- 1 file changed, 14 insertions(+), 10 deletions(-) diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md index 9b30f58ce9..e089d23ff7 100644 --- a/windows/client-management/manage-windows-copilot.md +++ b/windows/client-management/manage-windows-copilot.md 
@@ -46,18 +46,18 @@ Copilot in Windows can use either Bing Chat or Bing Chat Enterprise as its chat [Bing Chat Enterprise](/bing-chat-enterprise/overview) is intended for commercial use scenarios and offers commercial data protection. The following privacy and security protections apply for Bing Chat Enterprise: - With [Bing Chat Enterprise](/bing-chat-enterprise/overview), user and organizational data is protected, chat data isn't saved, Microsoft has no eyes-on access, and your data isn't used to train the underlying large language models. Because of this protection, chat history, 3rd-party plugins, and the Bing mobile app for iOS or Android aren't currently supported. Review the Bing Chat Enterprise [privacy statement](/bing-chat-enterprise/privacy-and-protections). -- Bing chat enterprise is available, at no additional cost, for the following licenses: +- Bing Chat Enterprise is available, at no additional cost, for the following licenses: - Microsoft 365 E3 or E5 - Microsoft 365 A3 or A5 for faculty - Business Standard - Business Premium > [!Note] - > Bing Chat Enterprise doesn't have access to Microsoft Graph, unlike [Microsoft 365 Copilot](/microsoft-365-copilot/microsoft-365-copilot-overview) which is used in Microsoft 365 apps. This means that Bing Chat Enterprise can't access Microsoft 365 Apps data, such as email, calendar, or files. + > Bing Chat Enterprise and Bing Chat don't have access to Microsoft Graph, unlike [Microsoft 365 Copilot](/microsoft-365-copilot/microsoft-365-copilot-overview) which is used in Microsoft 365 apps. This means that Bing Chat Enterprise and Bing Chat can't access Microsoft 365 Apps data, such as email, calendar, or files. ## Configure the chat provider platform that Copilot in Windows uses -Configuring the correct chat provider platform for Copilot in Windows is important because users can pass sensitive information into the chat provider. Each chat provider platform has different privacy and security protections. 
Once you have selected the chat provider platform that you want to use for Copilot in Windows, ensure it's configured for your organization. The following sections describe how to configure the chat provider platform that Copilot in Windows uses. +Configuring the correct chat provider platform for Copilot in Windows is important because users can pass sensitive information into the chat provider. Each chat provider platform has different privacy and security protections. Once you have selected the chat provider platform that you want to use for Copilot in Windows, ensure it's configured for your organization's users. The following sections describe how to configure the chat provider platform that Copilot in Windows uses. ### Bing Chat as the chat provider platform @@ -68,9 +68,9 @@ Bing Chat is used as the default chat provider platform for Copilot in Windows w - Bing Chat Enterprise is [turned off](/bing-chat-enterprise/manage) - The user isn't signed in with a Microsoft Entra account that's licensed for Bing Chat Enterprise -### Bing Chat Enterprise as the chat provider platform +### Bing Chat Enterprise as the chat provider platform (recommended for commercial environments) -Bing Chat Enterprise (recommended for commercial environments), is used as the chat provider platform for Copilot in Windows when all of the following conditions occur: +To verify that Bing Chat Enterprise is enabled for the user as the chat provider platform for Copilot in Windows, use the following instructions: 1. Sign into the [Microsoft 365 admin center](https://admin.microsoft.com/). 1. In the admin center, select **Users** > **Active users** and verify that users are assigned a license that includes Bing Chat Enterprise. Bing Chat Enterprise is included and enabled by default for users that are assigned one of the following licenses: 
@@ -100,13 +100,14 @@ Ex output from my lab: GET https://graph.microsoft.com/v1.0/me/licenseDetails https://learn.microsoft.com/graph/api/resources/licensedetails ``` -When Bing Chat Enterprise is the chat provider platform, the user experience clearly states that **Your personal and company data are protected in this chat**. There's also a shield emblem labeled **Protected** at the top of the Copilot in Windows sidebar and the provider is listed under the Copilot logo when the sidebar is first opened. The following image shows the message that's displayed when Bing Chat Enterprise is the chat provider platform for Copilot in Windows: +When Bing Chat Enterprise is the chat provider platform, the user experience clearly states that **Your personal and company data are protected in this chat**. There's also a shield symbol labeled **Protected** at the top of the Copilot in Windows sidebar and the provider is listed under the Copilot logo when the sidebar is first opened. The following image shows the message that's displayed when Bing Chat Enterprise is the chat provider platform for Copilot in Windows: :::image type="content" source="images/bing-chat-enterprise-chat-provider.png" alt-text="Screenshot of the Copilot in Windows user experience when Bing Chat Enterprise is the chat provider." lightbox="images/bing-chat-enterprise-chat-provider.png"::: ## Ensure the Copilot in Windows user experience is enabled -Once you've configured the chat provider platform that Copilot in Windows uses, you need to ensure that the Copilot in Windows user experience is enabled. The Copilot in Windows user experience is enabled by default for managed Windows 11, version 22H2 devices. +Once you've configured the chat provider platform that Copilot in Windows uses, you need to ensure that the Copilot in Windows user experience is enabled. The Copilot in Windows user experience is enabled by default for managed Windows 11, version 22H2 devices. 
+ ### Enable the Copilot in Windows user experience for Windows 11, version 22H2 clients Copilot in Windows isn't enabled by default for manged Windows 11, version 22H2 devices because it's behind a [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control). For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager and Microsoft Intune are considered managed since their updates ultimately come from WSUS or Windows Updates for Business. 
@@ -114,22 +115,25 @@ Copilot in Windows isn't enabled by default for manged Windows 11, version 22H2 To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you need to turn off temporary enterprise control for these devices. Since disabling [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) can be impactful, you should test this change before deploying it broadly. To enable Copilot in Windows for managed Windows 11, version 22H2 devices, use the following instructions: 1. Verify that the user accounts have the correct chat provider platform configured for Copilot in Windows. For more information, see the [Configure the chat provider platform that Copilot in Windows uses](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) section. -1. Apply a policy to disable temporary enterprise control. The following polices apply to Windows 11, version 22H2 with [KB5022845](https://support.microsoft.com/en-us/topic/february-14-2023-kb5022845-os-build-22621-1265-90a807f4-d2e8-486e-8a43-d09e66319f38) and later: +1. Apply a policy to disable temporary enterprise control for managed clients. 
The following polices apply to Windows 11, version 22H2 with [KB5022845](https://support.microsoft.com/en-us/topic/february-14-2023-kb5022845-os-build-22621-1265-90a807f4-d2e8-486e-8a43-d09e66319f38) and later: - **Group Policy:** Computer Configuration\Administrative Templates\Windows Components\Windows Update\Manage end user experience\\**Enable features introduced via servicing that are off by default** - **CSP**: ./Device/Vendor/MSFT/Policy/Config/Update/[AllowTemporaryEnterpriseFeatureControl](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowtemporaryenterprisefeaturecontrol) - In the Intune [settings catalog](/mem/intune/configuration/settings-catalog), this setting is named **Allow Temporary Enterprise Feature Control** under the **Windows Update for Business** category. + > [!Important] + > For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager and Microsoft Intune are considered managed since their updates ultimately come from WSUS or Windows Updates for Business. + 1. Copilot in Windows will be initially deployed to devices using a controlled feature rollout (CFR). 
Depending on how soon you start deploying Copilot in Windows, you might also need to [enable optional updates](/windows/deployment/update/waas-configure-wufb#enable-optional-updates) with one of the following policies: - **Group Policy:** Computer Configuration\Administrative Templates\Windows Components\Windows Update\Windows Update for Business\\**Allow updates to Windows optional features** - **CSP**: ./Device/Vendor/MSFT/Policy/Config/Update/[AllowOptionalUpdates](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowoptionalupdates) - In the Intune [settings catalog](/mem/intune/configuration/settings-catalog), this setting is named **Allow optional updates** under the **Windows Update for Business** category. - These policies of optional updates apply to Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later. When setting policy for [optional updates](/windows/deployment/update/waas-configure-wufb#enable-optional-updates), ensure you select one of the following options that includes CFRs: + The optional updates policy applies to Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later. When setting policy for [optional updates](/windows/deployment/update/waas-configure-wufb#enable-optional-updates), ensure you select one of the following options that includes CFRs: - Automatically receive optional updates (including CFRs) - This selection places devices into an early CFR phase - Users can select which optional updates to receive -1. Managed Windows 11, version 22H2 devices display Copilot in Windows when the CFR is enabled for the device. CFRs are enabled for devices in phases, sometimes called waves. +1. Windows 11, version 22H2 devices display Copilot in Windows when the CFR is enabled for the device. CFRs are enabled for devices in phases, sometimes called waves. 
### Enable the Copilot in Windows user experience for Windows 11 clients with the 2023 annual update (coming soon) From 703b20c37fd55d2357a06f2a44f2e20c8ce79ccb Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Tue, 17 Oct 2023 14:58:39 -0700 Subject: [PATCH 32/80] tweaks --- windows/client-management/manage-windows-copilot.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md index e089d23ff7..344b751a17 100644 --- a/windows/client-management/manage-windows-copilot.md +++ b/windows/client-management/manage-windows-copilot.md 
@@ -135,9 +135,9 @@ To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you n 1. Windows 11, version 22H2 devices display Copilot in Windows when the CFR is enabled for the device. CFRs are enabled for devices in phases, sometimes called waves. -### Enable the Copilot in Windows user experience for Windows 11 clients with the 2023 annual update (coming soon) +### Enable the Copilot in Windows user experience for Windows 11, version 23H2 clients (coming soon) -One a managed device installs the upcoming 2023 annual update, likely to be called version 23H2, the [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) for Copilot in Windows will be removed. This means that Copilot in Windows will be enabled by default for these devices. +One a managed device installs the version 23H2 update, the [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) for Copilot in Windows will be removed. This means that Copilot in Windows will be enabled by default for these devices. While the user experience for Copilot in Windows is enabled by default, you still need to verify that the correct chat provider platform configured for Copilot in Windows. While every effort has been made to ensure that Bing Chat Enterprise is the default chat provider for commercial organizations, it's still possible that Bing Chat might still be used if the configuration is incorrect, or if other settings are affecting Copilot in Windows. For more information, see: - [Configure the chat provider platform that Copilot in Windows uses](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) From a61806ae3b98e3cef4a0976a17b7a575975e99dc Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Tue, 17 Oct 2023 15:39:25 -0700 Subject: [PATCH 33/80] tweaks --- windows/client-management/manage-windows-copilot.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
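Review bot: The rewritten opening sentence of the 23H2 section in PATCH 32/80 still begins "One a managed device installs the version 23H2 update", which should read "Once a managed device installs". The unchanged context paragraph right after it has a similar slip, "verify that the correct chat provider platform configured for Copilot in Windows", which is missing "is". Since this hunk already touches the section, fix both in the same commit. That paragraph is the one telling admins to confirm Bing Chat Enterprise rather than Bing Chat is in use, so it should read cleanly.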
diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md index 344b751a17..0f9fabc6e9 100644 --- a/windows/client-management/manage-windows-copilot.md +++ b/windows/client-management/manage-windows-copilot.md @@ -106,7 +106,7 @@ When Bing Chat Enterprise is the chat provider platform, the user experience cle ## Ensure the Copilot in Windows user experience is enabled -Once you've configured the chat provider platform that Copilot in Windows uses, you need to ensure that the Copilot in Windows user experience is enabled. The Copilot in Windows user experience is enabled by default for managed Windows 11, version 22H2 devices. +Once you've configured the chat provider platform that Copilot in Windows uses, you need to ensure that the Copilot in Windows user experience is enabled. Ensuring the Copilot in Windows user experience is enabled varies by the Windows version. ### Enable the Copilot in Windows user experience for Windows 11, version 22H2 clients From bdc0bb7b57830ded1b3c0285e4b3db9a03bf9a3a Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Tue, 17 Oct 2023 15:40:36 -0700 Subject: [PATCH 34/80] tweaks --- windows/client-management/manage-windows-copilot.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md index 0f9fabc6e9..be8fbd06e0 100644 --- a/windows/client-management/manage-windows-copilot.md +++ b/windows/client-management/manage-windows-copilot.md 
@@ -110,7 +110,7 @@ Once you've configured the chat provider platform that Copilot in Windows uses, ### Enable the Copilot in Windows user experience for Windows 11, version 22H2 clients -Copilot in Windows isn't enabled by default for manged Windows 11, version 22H2 devices because it's behind a [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control). For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager and Microsoft Intune are considered managed since their updates ultimately come from WSUS or Windows Updates for Business. +Copilot in Windows isn't technically enabled by default for manged Windows 11, version 22H2 devices because it's behind a [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control). For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager and Microsoft Intune are considered managed since their updates ultimately come from WSUS or Windows Updates for Business. To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you need to turn off temporary enterprise control for these devices. Since disabling [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) can be impactful, you should test this change before deploying it broadly. 
To enable Copilot in Windows for managed Windows 11, version 22H2 devices, use the following instructions: From 2666c53991b5e2cdf576ea475f5670766b26b262 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 18 Oct 2023 08:32:33 -0700 Subject: [PATCH 35/80] tweaks --- .../manage-windows-copilot.md | 31 ++++++++++++------- 1 file changed, 19 insertions(+), 12 deletions(-) diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md index be8fbd06e0..c449d9582c 100644 --- a/windows/client-management/manage-windows-copilot.md +++ b/windows/client-management/manage-windows-copilot.md 
@@ -86,18 +86,25 @@ To verify that Bing Chat Enterprise is enabled for the user as the chat provider > [!Note] > If you previously disabled Bing Chat Enterprise using the URL, `https://aka.ms/TurnOffBCE`, see [Manage Bing Chat Enterprise](/bing-chat-enterprise/manage) for verifying that Bing Chat Enterprise is enabled for your users. -```http -*would be nice to have a Graph query that lists users that do/do not have BCE app enabled* -*licensedetails does output BCE, so its a matter of just getting the query right* -**powershell or http preferably** -Ex output from my lab: GET https://graph.microsoft.com/v1.0/me/licenseDetails -{ - "servicePlanId": "0d0c0d31-fae7-41f2-b909-eaf4d7f26dba", - "servicePlanName": "Bing_Chat_Enterprise", - "provisioningStatus": "Success", - "appliesTo": "User" -}, -https://learn.microsoft.com/graph/api/resources/licensedetails +The following PowerShell script connects to Microsoft Graph and lists which users that have Bing Chat Enterprise enabled and disabled: + +```powershell +# Install graph module +if (-not (Get-Module Microsoft.Graph.Users)) { + Install-Module Microsoft.Graph.Users +} + +# Connect to MS graph +Connect-MgGraph -Scopes 'User.Read.All' + +# Get all users +$users = Get-MgUser -All -ConsistencyLevel eventual -Property Id, DisplayName, Mail, UserPrincipalName, AssignedPlans + +# Users with BCE enabled +$users | Where-Object { $_.AssignedPlans -and $_.AssignedPlans.Service -eq "Bing" -and $_.AssignedPlans.CapabilityStatus -eq "Enabled" } | Format-Table + +# Users without BCE enabled +$users | Where-Object { -not $_.AssignedPlans -or ($_.AssignedPlans.Service -eq "Bing" -and $_.AssignedPlans.CapabilityStatus -ne "Enabled") } | Format-Table ``` When Bing Chat Enterprise is the chat provider platform, the user experience clearly states that **Your personal and company data are protected in this chat**. 
There's also a shield symbol labeled **Protected** at the top of the Copilot in Windows sidebar and the provider is listed under the Copilot logo when the sidebar is first opened. The following image shows the message that's displayed when Bing Chat Enterprise is the chat provider platform for Copilot in Windows: From dfa48ff0ccdaa034e012ae6193904c517b8979bc Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 18 Oct 2023 08:38:55 -0700 Subject: [PATCH 36/80] tweaks --- windows/client-management/manage-windows-copilot.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md index c449d9582c..8346d968d7 100644 --- a/windows/client-management/manage-windows-copilot.md +++ b/windows/client-management/manage-windows-copilot.md @@ -89,21 +89,21 @@ To verify that Bing Chat Enterprise is enabled for the user as the chat provider The following PowerShell script connects to Microsoft Graph and lists which users that have Bing Chat Enterprise enabled and disabled: ```powershell -# Install graph module +# Install Microsoft Graph module if (-not (Get-Module Microsoft.Graph.Users)) { Install-Module Microsoft.Graph.Users } -# Connect to MS graph +# Connect to Microsoft Graph Connect-MgGraph -Scopes 'User.Read.All' # Get all users $users = Get-MgUser -All -ConsistencyLevel eventual -Property Id, DisplayName, Mail, UserPrincipalName, AssignedPlans -# Users with BCE enabled +# Users with Bing Chat Enterprise enabled $users | Where-Object { $_.AssignedPlans -and $_.AssignedPlans.Service -eq "Bing" -and $_.AssignedPlans.CapabilityStatus -eq "Enabled" } | Format-Table -# Users without BCE enabled +# Users without Bing Chat Enterprise enabled $users | Where-Object { -not $_.AssignedPlans -or ($_.AssignedPlans.Service -eq "Bing" -and $_.AssignedPlans.CapabilityStatus -ne "Enabled") } | Format-Table ``` 
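Review bot: In the script's two `Where-Object` filters (PATCH 35/80, comments retouched in 36/80), `$_.AssignedPlans.Service -eq "Bing"` and `$_.AssignedPlans.CapabilityStatus -eq "Enabled"` are each evaluated against the whole `AssignedPlans` collection, so the two tests are never tied to the same plan entry. A user whose Bing plan is not enabled but who has any other enabled plan lands in the "enabled" table, a user with an enabled Bing plan and any non-enabled plan can show up in both tables, and a user with plans but no Bing plan appears in neither. Suggest testing one entry at a time, for example `$_.AssignedPlans | Where-Object { $_.Service -eq 'Bing' -and $_.CapabilityStatus -eq 'Enabled' }`, and deriving the second list as the complement of the first. Separately, `Get-Module Microsoft.Graph.Users` without `-ListAvailable` only sees modules already imported into the session, so the install branch runs even when the module is installed. The intro sentence "lists which users that have" should drop "that".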
From 2c3987cb971ed8bc48503e07d2dfe5d56e4da80e Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 18 Oct 2023 09:19:19 -0700 Subject: [PATCH 37/80] tweaks --- windows/client-management/manage-windows-copilot.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md index 8346d968d7..af2457bb3f 100644 --- a/windows/client-management/manage-windows-copilot.md +++ b/windows/client-management/manage-windows-copilot.md @@ -82,6 +82,7 @@ To verify that Bing Chat Enterprise is enabled for the user as the chat provider 1. To verify that Bing Chat Enterprise is enabled for the user, select the user's **Display name** to open the flyout menu. 1. In the flyout, select the **Licenses & apps** tab, then expand the **Apps** list. 1. Verify that **Bing Chat Enterprise** is enabled for the user. +1. If you prefer to view a user's licenses from the Azure portal, you will find it under **Microsoft Entra ID** > **Users**. Select the user's name, then **Licenses**. Select a license that includes Bing Chat Enterprise, and verify that it's listed as **On**. > [!Note] > If you previously disabled Bing Chat Enterprise using the URL, `https://aka.ms/TurnOffBCE`, see [Manage Bing Chat Enterprise](/bing-chat-enterprise/manage) for verifying that Bing Chat Enterprise is enabled for your users. From 56a8b0eb2feacef2fd43d7c7004f6c33abfe618a Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 18 Oct 2023 09:19:55 -0700 Subject: [PATCH 38/80] tweaks --- windows/client-management/manage-windows-copilot.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md index af2457bb3f..e2abb0472f 100644 --- a/windows/client-management/manage-windows-copilot.md 
+++ b/windows/client-management/manage-windows-copilot.md @@ -82,7 +82,7 @@ To verify that Bing Chat Enterprise is enabled for the user as the chat provider 1. To verify that Bing Chat Enterprise is enabled for the user, select the user's **Display name** to open the flyout menu. 1. In the flyout, select the **Licenses & apps** tab, then expand the **Apps** list. 1. Verify that **Bing Chat Enterprise** is enabled for the user. -1. If you prefer to view a user's licenses from the Azure portal, you will find it under **Microsoft Entra ID** > **Users**. Select the user's name, then **Licenses**. Select a license that includes Bing Chat Enterprise, and verify that it's listed as **On**. +1. If you prefer to view a user's licenses from the [Azure portal](https://portal.azure.com), you will find it under **Microsoft Entra ID** > **Users**. Select the user's name, then **Licenses**. Select a license that includes Bing Chat Enterprise, and verify that it's listed as **On**. > [!Note] > If you previously disabled Bing Chat Enterprise using the URL, `https://aka.ms/TurnOffBCE`, see [Manage Bing Chat Enterprise](/bing-chat-enterprise/manage) for verifying that Bing Chat Enterprise is enabled for your users. From a93d21064431978d882147b963a1acf31fe7f855 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 25 Oct 2023 09:41:26 -0700 Subject: [PATCH 39/80] Copilot in Edge rebrand for sidebar --- windows/client-management/manage-windows-copilot.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md index e2abb0472f..f0e8fa08b8 100644 --- a/windows/client-management/manage-windows-copilot.md +++ b/windows/client-management/manage-windows-copilot.md 
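Review bot: The item added to the `@@ -82,6` / `@@ -82,7` list in PATCH 37/80 and 38/80 is numbered as the next step of the preceding procedure, but it describes an alternative way to reach the same check, so a reader working down the list will verify the license twice. Suggest moving it out of the numbered list (a sentence or note after the "Verify that **Bing Chat Enterprise** is enabled" step) and changing "you will find it" to "you'll find them", since the antecedent is "licenses".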
@@ -11,7 +11,7 @@ appliesto: >**Looking for consumer information?** See [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0). -Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar docked on the Windows desktop. It's designed to be an assistant that can help your users get things done in Windows. Copilot in Windows is a bit different from [Bing Chat Enterprise in the Microsoft Edge sidebar](/bing-chat-enterprise/edge) (and [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat)), which provides assistance in the browser, since it can also perform actions such as changing Windows settings or performing common tasks in Windows. However, both user experiences, Copilot in Windows and Bing Chat Enterprise in the Microsoft Edge sidebar, can share the same underlying chat provider platform. It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since users can possibly pass sensitive information into the chat provider. +Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar docked on the Windows desktop. It's designed to help your users get things done in Windows. Copilot in Windows is a bit different from [Copilot in Edge](/bing-chat-enterprise/edge), which provides assistance in the browser, since it can also perform actions such as changing Windows settings or performing common tasks in Windows. However, both user experiences, Copilot in Windows and Copilot in Edge, can share the same underlying chat provider platform. 
It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since users can possibly pass sensitive information into the chat provider. ## Manage Copilot in Windows for commercial environments 
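Review bot: In the rewritten intro paragraph, "since it can also perform actions" now follows "Copilot in Edge, which provides assistance in the browser", so "it" reads as Copilot in Edge rather than Copilot in Windows. Suggest naming the subject, for example "since Copilot in Windows can also perform actions such as changing Windows settings". The same added line says "side bar" where the file otherwise uses "sidebar", and the consumer link that was removed leaves "Copilot in Edge" pointing only at `/bing-chat-enterprise/edge`; confirm that is the intended target for both audiences.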
@@ -158,11 +158,11 @@ Organizations that aren't ready to use Copilot in Windows can disable it until t ## Other settings that might affect Copilot in Windows and its underlying chat provider -Copilot in Windows and [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat), can share the same underlying chat provider platform. This also means that some settings that affect Bing Chat, Bing Chat Enterprise, and Bing Chat in the Microsoft Edge sidebar can also affect Copilot in Windows. The following common settings might affect Copilot in Windows and its underlying chat provider: +Copilot in Windows and [Copilot in Edge](/bing-chat-enterprise/edge), can share the same underlying chat provider platform. This also means that some settings that affect Bing Chat, Bing Chat Enterprise, and Copilot in Edge can also affect Copilot in Windows. The following common settings might affect Copilot in Windows and its underlying chat provider: **Bing SafeSearch settings**: -If [SafeSearch](https://support.microsoft.com/topic/946059ed-992b-46a0-944a-28e8fb8f1814) is enabled for Bing, it can block chat providers for Copilot in Windows. The following network changes block the chat providers for Copilot in Windows, [Bing Chat Enterprise in the Microsoft Edge sidebar](/bing-chat-enterprise/edge), and [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat): +If [SafeSearch](https://support.microsoft.com/topic/946059ed-992b-46a0-944a-28e8fb8f1814) is enabled for Bing, it can block chat providers for Copilot in Windows. The following network changes block the chat providers for Copilot in Windows and Copilot in Edge: - mapping `www.bing.com` to `strict.bing.com` - mapping `edgeservices.bing.com` to `strict.bing.com` - mapping `www.bing.com` to `nochat.bing.com` 
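Review bot: The added sentence "Copilot in Windows and [Copilot in Edge](/bing-chat-enterprise/edge), can share the same underlying chat provider platform" keeps a comma between the subject and the verb; drop it. The next sentence then lists "Bing Chat, Bing Chat Enterprise, and Copilot in Edge" side by side, which after the rebrand reads as three peer products; a short clause saying that Copilot in Edge is the sidebar experience and the other two are chat providers would keep the admin from guessing.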
@@ -170,16 +170,16 @@ If [SafeSearch](https://support.microsoft.com/topic/946059ed-992b-46a0-944a-28e8 **Microsoft Edge policies**: -- If [HubsSidebarEnabled](/deployedge/microsoft-edge-policies#hubssidebarenabled) is set to `disabled`, it blocks Bing Chat in the Microsoft Edge sidebar and Bing Chat Enterprise in the Microsoft Edge sidebar from being displayed. +- If [HubsSidebarEnabled](/deployedge/microsoft-edge-policies#hubssidebarenabled) is set to `disabled`, it blocks Copilot in Edge from being displayed. - If [DiscoverPageContextEnabled](/deployedge/microsoft-edge-policies#discoverpagecontextenabled) is set to `disabled`, it blocks Bing Chat and Bing Chat Enterprise from reading the current webpage context. The chat providers need access to the current webpage context for providing page summarizations and sending user selected strings from the webpage into the chat provider. **Search settings**: - Setting [ConfigureSearchOnTaskbarMode](/windows/client-management/mdm/policy-csp-search#configuresearchontaskbarmode) to `Hide` might interfere with the Copilot in Windows user experience. -- Setting [AllowSearchHighlights](/windows/client-management/mdm/policy-csp-search#allowsearchhighlights) to `disabled` might interfere with the Copilot in Windows, Bing Chat in the Microsoft Edge sidebar, and Bing Chat Enterprise in the Microsoft Edge sidebar user experiences. +- Setting [AllowSearchHighlights](/windows/client-management/mdm/policy-csp-search#allowsearchhighlights) to `disabled` might interfere with the Copilot in Windows and the Copilot in Edge user experiences. **Account settings** -- The [AllowMicrosoftAccountConnection](/windows/client-management/mdm/policy-csp-accounts#allowmicrosoftaccountconnection) setting might allow users to use their personal Microsoft account with Copilot in Windows and Bing Chat in the Microsoft Edge sidebar. 
+- The [AllowMicrosoftAccountConnection](/windows/client-management/mdm/policy-csp-accounts#allowmicrosoftaccountconnection) setting might allow users to use their personal Microsoft account with Copilot in Windows and Copilot in Edge. - The [RestrictToEnterpriseDeviceAuthenticationOnly](/windows/client-management/mdm/policy-csp-accounts#restricttoenterprisedeviceauthenticationonly) setting might prevent access to chat providers since it blocks user authentication. From 39f41a385c25652014c8688db77745f1df5d92f2 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 25 Oct 2023 10:55:57 -0700 Subject: [PATCH 40/80] edits --- .../manage-windows-copilot.md | 35 +++++++++++++------ 1 file changed, 24 insertions(+), 11 deletions(-) diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md index f0e8fa08b8..daf8b34bc2 100644 --- a/windows/client-management/manage-windows-copilot.md +++ b/windows/client-management/manage-windows-copilot.md 
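Review bot: The `AllowMicrosoftAccountConnection` bullet in the `@@ -170,16` hunk says the setting "might allow users to use their personal Microsoft account" but not why an admin should care. Since this page's concern is which chat provider receives user data, state which provider a personal-account sign-in ends up on and which value you recommend for commercial environments. The `**Account settings**` label in the same hunk also lacks the trailing colon that `**Microsoft Edge policies**:` and `**Search settings**:` carry.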
@@ -11,7 +11,7 @@ appliesto: >**Looking for consumer information?** See [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0). -Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar docked on the Windows desktop. It's designed to help your users get things done in Windows. Copilot in Windows is a bit different from [Copilot in Edge](/bing-chat-enterprise/edge), which provides assistance in the browser, since it can also perform actions such as changing Windows settings or performing common tasks in Windows. However, both user experiences, Copilot in Windows and Copilot in Edge, can share the same underlying chat provider platform. It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since users can possibly pass sensitive information into the chat provider. +Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar docked on the Windows desktop. It's designed to help your users get things done in Windows. Copilot in Windows can perform common tasks in Windows like changing Windows settings, which makes it different from the browser-based [Copilot in Edge](/bing-chat-enterprise/edge). However, both user experiences, Copilot in Windows and Copilot in Edge, can share the same underlying chat provider platform. It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since users can possibly pass sensitive information into the chat provider. ## Manage Copilot in Windows for commercial environments 
@@ -45,7 +45,7 @@ Copilot in Windows can use either Bing Chat or Bing Chat Enterprise as its chat [Bing Chat Enterprise](/bing-chat-enterprise/overview) is intended for commercial use scenarios and offers commercial data protection. The following privacy and security protections apply for Bing Chat Enterprise: -- With [Bing Chat Enterprise](/bing-chat-enterprise/overview), user and organizational data is protected, chat data isn't saved, Microsoft has no eyes-on access, and your data isn't used to train the underlying large language models. Because of this protection, chat history, 3rd-party plugins, and the Bing mobile app for iOS or Android aren't currently supported. Review the Bing Chat Enterprise [privacy statement](/bing-chat-enterprise/privacy-and-protections). +- With [Bing Chat Enterprise](/bing-chat-enterprise/overview), user and organizational data is protected, chat data isn't saved, and your data isn't used to train the underlying large language models. Because of this protection, chat history, 3rd-party plugins, and the Bing mobile app for iOS or Android aren't currently supported. Review the Bing Chat Enterprise [privacy statement](/bing-chat-enterprise/privacy-and-protections). - Bing Chat Enterprise is available, at no additional cost, for the following licenses: - Microsoft 365 E3 or E5 - Microsoft 365 A3 or A5 for faculty 
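Review bot: Removing "Microsoft has no eyes-on access" from the Bing Chat Enterprise protections bullet changes a privacy commitment that readers may rely on when choosing a chat provider, and the commit message ("edits") doesn't say why. Please record the reason in the commit or PR description and confirm that the linked privacy statement matches the shortened claim.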
@@ -160,25 +160,38 @@ Organizations that aren't ready to use Copilot in Windows can disable it until t Copilot in Windows and [Copilot in Edge](/bing-chat-enterprise/edge), can share the same underlying chat provider platform. This also means that some settings that affect Bing Chat, Bing Chat Enterprise, and Copilot in Edge can also affect Copilot in Windows. The following common settings might affect Copilot in Windows and its underlying chat provider: -**Bing SafeSearch settings**: +### Bing settings -If [SafeSearch](https://support.microsoft.com/topic/946059ed-992b-46a0-944a-28e8fb8f1814) is enabled for Bing, it can block chat providers for Copilot in Windows. The following network changes block the chat providers for Copilot in Windows and Copilot in Edge: -- mapping `www.bing.com` to `strict.bing.com` -- mapping `edgeservices.bing.com` to `strict.bing.com` -- mapping `www.bing.com` to `nochat.bing.com` -- blocking `bing.com` +1. Block access to only the public version of Bing Chat for all users on your network: -**Microsoft Edge policies**: + - Map `www.bing.com` to `nochat.bing.com` on your router or proxy server + - Map `edgeservices.bing.com` to `nochat.bing.com` to block access to Bing Chat + + This block only applies when devices are connected to your corporate network. Bing Chat is a public service, like search, and will remain available if accessed outside the corporate network. Bing Chat Enterprise will still be available if the public version of Bing Chat is blocked. To also block Bing Chat Enterprise, use its service plan, as detailed here: [Turn off Bing Chat Enterprise](/bing-chat-enterprise/manage#turn-off--enterprise) + + +2. If [SafeSearch](https://support.microsoft.com/topic/946059ed-992b-46a0-944a-28e8fb8f1814) is enabled for Bing, it can block chat providers for Copilot in Windows. 
The following network changes block the chat providers for Copilot in Windows and Copilot in Edge: + - mapping `www.bing.com` to `strict.bing.com` + - mapping `edgeservices.bing.com` to `strict.bing.com` + - blocking `bing.com` + +3. If Bing Chat Enterprise is turned on for your organization, users will be able to access it through Edge mobile when signed in with their work account. If you would like to remove the Bing Chat button from the Edge mobile interface, you can use an [Intune Mobile Application Management (MAM) policy for Microsoft Edge](/mem/intune/apps/manage-microsoft-edge) to remove it: + + |Key |Value | + |:---------|:------------| + |com.microsoft.intune.mam.managedbrowser.Chat| **true** (default) shows the interface
**false** hides the interface | + +### Microsoft Edge policies - If [HubsSidebarEnabled](/deployedge/microsoft-edge-policies#hubssidebarenabled) is set to `disabled`, it blocks Copilot in Edge from being displayed. - If [DiscoverPageContextEnabled](/deployedge/microsoft-edge-policies#discoverpagecontextenabled) is set to `disabled`, it blocks Bing Chat and Bing Chat Enterprise from reading the current webpage context. The chat providers need access to the current webpage context for providing page summarizations and sending user selected strings from the webpage into the chat provider. -**Search settings**: +### Search settings - Setting [ConfigureSearchOnTaskbarMode](/windows/client-management/mdm/policy-csp-search#configuresearchontaskbarmode) to `Hide` might interfere with the Copilot in Windows user experience. - Setting [AllowSearchHighlights](/windows/client-management/mdm/policy-csp-search#allowsearchhighlights) to `disabled` might interfere with the Copilot in Windows and the Copilot in Edge user experiences. -**Account settings** +### Account settings - The [AllowMicrosoftAccountConnection](/windows/client-management/mdm/policy-csp-accounts#allowmicrosoftaccountconnection) setting might allow users to use their personal Microsoft account with Copilot in Windows and Copilot in Edge. - The [RestrictToEnterpriseDeviceAuthenticationOnly](/windows/client-management/mdm/policy-csp-accounts#restricttoenterprisedeviceauthenticationonly) setting might prevent access to chat providers since it blocks user authentication. From 360141f39397dfcfc9bebdbe4fa47361514ced3d Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 25 Oct 2023 12:35:06 -0700 Subject: [PATCH 41/80] edits --- .../manage-windows-copilot.md | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) 
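Review bot: The new link `[Turn off Bing Chat Enterprise](/bing-chat-enterprise/manage#turn-off--enterprise)` in item 1 has a double hyphen in its anchor, which looks like a word was dropped from the heading slug; check that it resolves. The two `nochat.bing.com` bullets are worded inconsistently (one says where to apply the mapping, the other only its effect), so give both the same form. The section also uses explicit `1.`, `2.`, `3.` numbering for three independent settings, while the procedure list earlier in this file uses `1.` throughout; bullets would fit better here. In item 3, "If you would like to remove the Bing Chat button ... to remove it" repeats itself.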
diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md index daf8b34bc2..ef615fb09d 100644 --- a/windows/client-management/manage-windows-copilot.md +++ b/windows/client-management/manage-windows-copilot.md 
@@ -11,7 +11,7 @@ appliesto: >**Looking for consumer information?** See [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0). -Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar docked on the Windows desktop. It's designed to help your users get things done in Windows. Copilot in Windows can perform common tasks in Windows like changing Windows settings, which makes it different from the browser-based [Copilot in Edge](/bing-chat-enterprise/edge). However, both user experiences, Copilot in Windows and Copilot in Edge, can share the same underlying chat provider platform. It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since users can possibly pass sensitive information into the chat provider. +Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar docked on the Windows desktop. It's designed to help your users get things done in Windows. Copilot in Windows can perform common tasks in Windows like changing Windows settings, which makes it different from the browser-based [Copilot in Edge](/bing-chat-enterprise/edge). However, both user experiences, Copilot in Windows and Copilot in Edge, can share the same underlying chat provider platform. It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since users can possibly copy and paste sensitive information into the chat provider. ## Manage Copilot in Windows for commercial environments 
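Review bot: "copy and paste sensitive information" in the intro paragraph narrows the risk statement compared with the previous "pass sensitive information": typed input is just as much a path, and the `DiscoverPageContextEnabled` bullet in this file says webpage context and user-selected strings are sent to the chat provider as well. Suggest "enter or paste" or keeping the broader verb. The same wording is repeated in the `@@ -32,11` and `@@ -45,19` hunks, so change all three together.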
@@ -32,11 +32,11 @@ Organizations that aren't ready to use Copilot in Windows can disable it until t ## Chat provider platforms for Copilot in Windows -Copilot in Windows can use either Bing Chat or Bing Chat Enterprise as its chat provider platform. The chat provider platform is the underlying service that Copilot in Windows uses to communicate with the user. The chat provider platform that Copilot in Windows uses is important because users can pass sensitive information into the chat provider. Each chat provider platform has different privacy and security protections. +Copilot in Windows can use either Bing Chat or Bing Chat Enterprise as its chat provider platform. The chat provider platform is the underlying service that Copilot in Windows uses to communicate with the user. The chat provider platform that Copilot in Windows uses is important because users can copy and paste sensitive information into the chat provider. Each chat provider platform has different privacy and security protections. **Bing Chat**: -[Bing Chat](https://www.microsoft.com/bing/do-more-with-ai/what-is-bing-chat-and-how-can-you-use-it) is a consumer experience and the number of chat queries per user has a daily limit. Bing Chat doesn't offer the same commercial data protection as Bing Chat Enterprise does. The following privacy and security protections apply for Bing Chat: +[Bing Chat](https://www.microsoft.com/bing/do-more-with-ai/what-is-bing-chat-and-how-can-you-use-it) is a consumer experience and if a user isn't signed in with their Microsoft account, the number of chat queries per user has a daily limit. Bing Chat doesn't offer the same commercial data protection as Bing Chat Enterprise does. 
The following privacy and security protections apply for Bing Chat: - [Copilot in Windows: Your data and privacy](https://support.microsoft.com/windows/3e265e82-fc76-4d0a-afc0-4a0de528b73a) - The privacy statement for using Bing Chat follows the [Microsoft privacy statement](https://privacy.microsoft.com/privacystatement) including the product specific guidance in the Microsoft privacy statement for **Bing** under the **Search, Microsoft Edge, and artificial intelligence** section. 
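Review bot: The added sentence "Bing Chat is a consumer experience and if a user isn't signed in with their Microsoft account, the number of chat queries per user has a daily limit" runs two ideas together and leaves it unclear what "per user" means for someone who isn't signed in. Suggest splitting it, for example: "Bing Chat is a consumer experience. If a user isn't signed in with their Microsoft account, the number of chat queries has a daily limit."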
@@ -45,19 +45,19 @@ Copilot in Windows can use either Bing Chat or Bing Chat Enterprise as its chat [Bing Chat Enterprise](/bing-chat-enterprise/overview) is intended for commercial use scenarios and offers commercial data protection. The following privacy and security protections apply for Bing Chat Enterprise: -- With [Bing Chat Enterprise](/bing-chat-enterprise/overview), user and organizational data is protected, chat data isn't saved, and your data isn't used to train the underlying large language models. Because of this protection, chat history, 3rd-party plugins, and the Bing mobile app for iOS or Android aren't currently supported. Review the Bing Chat Enterprise [privacy statement](/bing-chat-enterprise/privacy-and-protections). +- With [Bing Chat Enterprise](/bing-chat-enterprise/overview), user and organizational data is protected, chat data isn't saved, and your data isn't used to train the underlying large language models. Because of this protection, chat history, 3rd-party plugins, and the Bing mobile app for iOS or Android aren't currently supported. Bing Chat Enterprise is accessible from mobile browsers, including Edge mobile on iOS and Android. Review the Bing Chat Enterprise [privacy statement](/bing-chat-enterprise/privacy-and-protections). - Bing Chat Enterprise is available, at no additional cost, for the following licenses: - Microsoft 365 E3 or E5 - Microsoft 365 A3 or A5 for faculty - - Business Standard - - Business Premium + - Microsoft 365 Business Standard + - Microsoft 365 Business Premium > [!Note] > Bing Chat Enterprise and Bing Chat don't have access to Microsoft Graph, unlike [Microsoft 365 Copilot](/microsoft-365-copilot/microsoft-365-copilot-overview) which is used in Microsoft 365 apps. This means that Bing Chat Enterprise and Bing Chat can't access Microsoft 365 Apps data, such as email, calendar, or files. 
## Configure the chat provider platform that Copilot in Windows uses -Configuring the correct chat provider platform for Copilot in Windows is important because users can pass sensitive information into the chat provider. Each chat provider platform has different privacy and security protections. Once you have selected the chat provider platform that you want to use for Copilot in Windows, ensure it's configured for your organization's users. The following sections describe how to configure the chat provider platform that Copilot in Windows uses. +Configuring the correct chat provider platform for Copilot in Windows is important because users can copy and paste sensitive information into the chat provider. Each chat provider platform has different privacy and security protections. Once you have selected the chat provider platform that you want to use for Copilot in Windows, ensure it's configured for your organization's users. The following sections describe how to configure the chat provider platform that Copilot in Windows uses. ### Bing Chat as the chat provider platform @@ -77,8 +77,8 @@ To verify that Bing Chat Enterprise is enabled for the user as the chat provider - Microsoft 365 E3 or E5 - Microsoft 365 A3 or A5 for faculty - Currently, Microsoft 365 A3 and A5 for faculty requires additional configuration. For more information, see [Manage Bing Chat Enterprise](/bing-chat-enterprise/manage). - - Business Standard - - Business Premium + - Microsoft 365 Business Standard + - Microsoft 365 Business Premium 1. To verify that Bing Chat Enterprise is enabled for the user, select the user's **Display name** to open the flyout menu. 1. In the flyout, select the **Licenses & apps** tab, then expand the **Apps** list. 1. Verify that **Bing Chat Enterprise** is enabled for the user. 
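Review bot: The license list is edited identically in two places (`@@ -45,19` and `@@ -77,8`), so the two copies can drift the next time a plan name changes; consider keeping the list once and linking to it from the verification steps. In the `@@ -45,19` hunk, the new sentence "Bing Chat Enterprise is accessible from mobile browsers, including Edge mobile on iOS and Android" sits directly after "the Bing mobile app for iOS or Android aren't currently supported", so the bullet reads as contradicting itself on mobile; start it with "However," or move it to its own bullet.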
@@ -87,7 +87,7 @@ To verify that Bing Chat Enterprise is enabled for the user as the chat provider > [!Note] > If you previously disabled Bing Chat Enterprise using the URL, `https://aka.ms/TurnOffBCE`, see [Manage Bing Chat Enterprise](/bing-chat-enterprise/manage) for verifying that Bing Chat Enterprise is enabled for your users. -The following PowerShell script connects to Microsoft Graph and lists which users that have Bing Chat Enterprise enabled and disabled: +The following sample PowerShell script connects to Microsoft Graph and lists which users that have Bing Chat Enterprise enabled and disabled: ```powershell # Install Microsoft Graph module 
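Review bot: The edited intro sentence still reads "lists which users that have Bing Chat Enterprise enabled and disabled"; since the line is being touched anyway, drop "that" and use "or": "lists which users have Bing Chat Enterprise enabled or disabled".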
@@ -118,7 +118,7 @@ Once you've configured the chat provider platform that Copilot in Windows uses, ### Enable the Copilot in Windows user experience for Windows 11, version 22H2 clients -Copilot in Windows isn't technically enabled by default for manged Windows 11, version 22H2 devices because it's behind a [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control). For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager and Microsoft Intune are considered managed since their updates ultimately come from WSUS or Windows Updates for Business. +Copilot in Windows isn't technically enabled by default for managed Windows 11, version 22H2 devices because it's behind a [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control). For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager and Microsoft Intune are considered managed since their updates ultimately come from WSUS or Windows Updates for Business. To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you need to turn off temporary enterprise control for these devices. Since disabling [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) can be impactful, you should test this change before deploying it broadly. 
To enable Copilot in Windows for managed Windows 11, version 22H2 devices, use the following instructions: @@ -145,7 +145,7 @@ To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you n ### Enable the Copilot in Windows user experience for Windows 11, version 23H2 clients (coming soon) -One a managed device installs the version 23H2 update, the [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) for Copilot in Windows will be removed. This means that Copilot in Windows will be enabled by default for these devices. +Once a managed device installs the version 23H2 update, the [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) for Copilot in Windows will be removed. This means that Copilot in Windows will be enabled by default for these devices. While the user experience for Copilot in Windows is enabled by default, you still need to verify that the correct chat provider platform configured for Copilot in Windows. While every effort has been made to ensure that Bing Chat Enterprise is the default chat provider for commercial organizations, it's still possible that Bing Chat might still be used if the configuration is incorrect, or if other settings are affecting Copilot in Windows. For more information, see: - [Configure the chat provider platform that Copilot in Windows uses](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) From 2e6ee722b7297264d4bc6616e2570e3d997842d4 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 25 Oct 2023 13:47:52 -0700 Subject: [PATCH 42/80] edits --- windows/client-management/manage-windows-copilot.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md index ef615fb09d..3360fd2b5f 100644 --- a/windows/client-management/manage-windows-copilot.md 
+++ b/windows/client-management/manage-windows-copilot.md 
@@ -120,10 +120,10 @@ Once you've configured the chat provider platform that Copilot in Windows uses, Copilot in Windows isn't technically enabled by default for managed Windows 11, version 22H2 devices because it's behind a [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control). For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager and Microsoft Intune are considered managed since their updates ultimately come from WSUS or Windows Updates for Business. -To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you need to turn off temporary enterprise control for these devices. Since disabling [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) can be impactful, you should test this change before deploying it broadly. To enable Copilot in Windows for managed Windows 11, version 22H2 devices, use the following instructions: +To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you need to enable features under temporary enterprise control for these devices. Since enabling features behind [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) can be impactful, you should test this change before deploying it broadly. To enable Copilot in Windows for managed Windows 11, version 22H2 devices, use the following instructions: 1. Verify that the user accounts have the correct chat provider platform configured for Copilot in Windows. For more information, see the [Configure the chat provider platform that Copilot in Windows uses](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) section. -1. 
Apply a policy to disable temporary enterprise control for managed clients. The following polices apply to Windows 11, version 22H2 with [KB5022845](https://support.microsoft.com/en-us/topic/february-14-2023-kb5022845-os-build-22621-1265-90a807f4-d2e8-486e-8a43-d09e66319f38) and later: +1. Apply a policy to enable features under temporary enterprise control for managed clients. The following polices apply to Windows 11, version 22H2 with [KB5022845](https://support.microsoft.com/en-us/topic/february-14-2023-kb5022845-os-build-22621-1265-90a807f4-d2e8-486e-8a43-d09e66319f38) and later: - **Group Policy:** Computer Configuration\Administrative Templates\Windows Components\Windows Update\Manage end user experience\\**Enable features introduced via servicing that are off by default** - **CSP**: ./Device/Vendor/MSFT/Policy/Config/Update/[AllowTemporaryEnterpriseFeatureControl](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowtemporaryenterprisefeaturecontrol) @@ -162,7 +162,7 @@ Copilot in Windows and [Copilot in Edge](/bing-chat-enterprise/edge), can share ### Bing settings -1. Block access to only the public version of Bing Chat for all users on your network: +- Block access to only the public version of Bing Chat for all users on your network: - Map `www.bing.com` to `nochat.bing.com` on your router or proxy server - Map `edgeservices.bing.com` to `nochat.bing.com` to block access to Bing Chat 
@@ -170,12 +170,12 @@ Copilot in Windows and [Copilot in Edge](/bing-chat-enterprise/edge), can share This block only applies when devices are connected to your corporate network. Bing Chat is a public service, like search, and will remain available if accessed outside the corporate network. Bing Chat Enterprise will still be available if the public version of Bing Chat is blocked. To also block Bing Chat Enterprise, use its service plan, as detailed here: [Turn off Bing Chat Enterprise](/bing-chat-enterprise/manage#turn-off--enterprise) -2. If [SafeSearch](https://support.microsoft.com/topic/946059ed-992b-46a0-944a-28e8fb8f1814) is enabled for Bing, it can block chat providers for Copilot in Windows. The following network changes block the chat providers for Copilot in Windows and Copilot in Edge: +- If [SafeSearch](https://support.microsoft.com/topic/946059ed-992b-46a0-944a-28e8fb8f1814) is enabled for Bing, it can block chat providers for Copilot in Windows. The following network changes block the chat providers for Copilot in Windows and Copilot in Edge: - mapping `www.bing.com` to `strict.bing.com` - mapping `edgeservices.bing.com` to `strict.bing.com` - blocking `bing.com` -3. If Bing Chat Enterprise is turned on for your organization, users will be able to access it through Edge mobile when signed in with their work account. If you would like to remove the Bing Chat button from the Edge mobile interface, you can use an [Intune Mobile Application Management (MAM) policy for Microsoft Edge](/mem/intune/apps/manage-microsoft-edge) to remove it: +- If Bing Chat Enterprise is turned on for your organization, users will be able to access it through Edge mobile when signed in with their work account. If you would like to remove the Bing Chat button from the Edge mobile interface, you can use an [Intune Mobile Application Management (MAM) policy for Microsoft Edge](/mem/intune/apps/manage-microsoft-edge) to remove it: |Key |Value | |:---------|:------------| 
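Review bot: In the @@ -120,10 hunk of this patch, the rewritten step still reads "The following polices apply to Windows 11, version 22H2 with KB5022845 and later"; "polices" should be "policies", and since the line is being rewritten anyway this is the place to fix it. The rewritten paragraph above it also opens and closes with the same clause ("To enable Copilot in Windows for managed Windows 11, version 22H2 devices, ..."); dropping the second occurrence so the paragraph ends on "Use the following instructions:" would read better. The new wording ("enable features under temporary enterprise control") now agrees with the Group Policy name in the unchanged context, "Enable features introduced via servicing that are off by default", which the old "turn off temporary enterprise control" did not.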
From e8d2dc72e8abc9cbb83a0dd8e230aec68edaa671 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 25 Oct 2023 13:53:08 -0700 Subject: [PATCH 43/80] add preview note --- windows/client-management/manage-windows-copilot.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md index 3360fd2b5f..ba89f9d930 100644 --- a/windows/client-management/manage-windows-copilot.md +++ b/windows/client-management/manage-windows-copilot.md @@ -13,6 +13,9 @@ appliesto: Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar docked on the Windows desktop. It's designed to help your users get things done in Windows. Copilot in Windows can perform common tasks in Windows like changing Windows settings, which makes it different from the browser-based [Copilot in Edge](/bing-chat-enterprise/edge). However, both user experiences, Copilot in Windows and Copilot in Edge, can share the same underlying chat provider platform. It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since users can possibly copy and paste sensitive information into the chat provider. +> [!Note] +> Copilot in Windows is currently available as a preview. We will continue to experiment with new ideas and methods using your feedback. + ## Manage Copilot in Windows for commercial environments At a high level, managing and configuring Copilot in Windows for your organization involves the following steps: From f2a6e983dbf020ad269a389f8767c2d19e53d47a Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 25 Oct 2023 13:53:47 -0700 Subject: [PATCH 44/80] edits --- windows/client-management/manage-windows-copilot.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md index ba89f9d930..6be25291bd 100644 --- a/windows/client-management/manage-windows-copilot.md +++ b/windows/client-management/manage-windows-copilot.md @@ -2,7 +2,7 @@ title: Manage Copilot in Windows description: Learn how to manage Copilot in Windows for commercial environments using MDM and group policy. Learn about the chat providers available to Copilot in Windows. ms.topic: article -ms.date: 10/18/2023 +ms.date: 10/31/2023 appliesto: - ✅ Windows 11, version 22H2 or later --- From 5c15e73ead859dce74412b30c3ce9c13976b3e91 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 25 Oct 2023 13:59:45 -0700 Subject: [PATCH 45/80] edits --- windows/client-management/manage-windows-copilot.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md index 6be25291bd..8f4fc3beea 100644 --- a/windows/client-management/manage-windows-copilot.md +++ b/windows/client-management/manage-windows-copilot.md @@ -7,7 +7,7 @@ appliesto: - ✅ Windows 11, version 22H2 or later --- -# What is Copilot in Windows? +# Manage Copilot in Windows >**Looking for consumer information?** See [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0). @@ -16,7 +16,7 @@ Copilot in Windows provides centralized generative AI assistance to your users r > [!Note] > Copilot in Windows is currently available as a preview. We will continue to experiment with new ideas and methods using your feedback. -## Manage Copilot in Windows for commercial environments +## Configure Copilot in Windows for commercial environments At a high level, managing and configuring Copilot in Windows for your organization involves the following steps: 
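Review bot: Renaming the H2 in the @@ -16,7 hunk from "Manage Copilot in Windows for commercial environments" to "Configure Copilot in Windows for commercial environments" changes the heading's generated anchor, so any bookmark link to `#manage-copilot-in-windows-for-commercial-environments`, in this file or from other articles, will stop resolving. Please search the repo for that anchor before merging. The sentence directly under the heading still says "managing and configuring", so the H1 ("Manage") and the H2 ("Configure") now split a pair that the body text uses together; worth confirming that is the intended distinction.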
From 7a1d78d007f2939c09ae3b3f02bd0754d302d93e Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 25 Oct 2023 14:07:25 -0700 Subject: [PATCH 46/80] edits --- windows/client-management/manage-windows-copilot.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md index 8f4fc3beea..5fe29b596f 100644 --- a/windows/client-management/manage-windows-copilot.md +++ b/windows/client-management/manage-windows-copilot.md 
@@ -131,8 +131,8 @@ To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you n - **CSP**: ./Device/Vendor/MSFT/Policy/Config/Update/[AllowTemporaryEnterpriseFeatureControl](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowtemporaryenterprisefeaturecontrol) - In the Intune [settings catalog](/mem/intune/configuration/settings-catalog), this setting is named **Allow Temporary Enterprise Feature Control** under the **Windows Update for Business** category. - > [!Important] - > For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager and Microsoft Intune are considered managed since their updates ultimately come from WSUS or Windows Updates for Business. + > [!Important] + > For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager and Microsoft Intune are considered managed since their updates ultimately come from WSUS or Windows Updates for Business. 1. Copilot in Windows will be initially deployed to devices using a controlled feature rollout (CFR). 
Depending on how soon you start deploying Copilot in Windows, you might also need to [enable optional updates](/windows/deployment/update/waas-configure-wufb#enable-optional-updates) with one of the following policies: - **Group Policy:** Computer Configuration\Administrative Templates\Windows Components\Windows Update\Windows Update for Business\\**Allow updates to Windows optional features** From 32afc847d10efbb6547982ecc912350c6a0965b6 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 25 Oct 2023 14:15:54 -0700 Subject: [PATCH 47/80] edits --- windows/client-management/manage-windows-copilot.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md index 5fe29b596f..327eb32165 100644 --- a/windows/client-management/manage-windows-copilot.md +++ b/windows/client-management/manage-windows-copilot.md 
@@ -14,7 +14,8 @@ appliesto: Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar docked on the Windows desktop. It's designed to help your users get things done in Windows. Copilot in Windows can perform common tasks in Windows like changing Windows settings, which makes it different from the browser-based [Copilot in Edge](/bing-chat-enterprise/edge). However, both user experiences, Copilot in Windows and Copilot in Edge, can share the same underlying chat provider platform. It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since users can possibly copy and paste sensitive information into the chat provider. > [!Note] -> Copilot in Windows is currently available as a preview. We will continue to experiment with new ideas and methods using your feedback. +> - Copilot in Windows is currently available as a preview. We will continue to experiment with new ideas and methods using your feedback. +> - Copilot in Windows will be available in all global markets, including the UK, except mainland China, Belarus, Russia, and the European Economic Area. ## Configure Copilot in Windows for commercial environments From 0983a4b399891b44331c1ff328abad9af768f51e Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 25 Oct 2023 14:56:13 -0700 Subject: [PATCH 48/80] AI edits --- windows/client-management/manage-windows-copilot.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md index 327eb32165..e457ec80f3 100644 --- a/windows/client-management/manage-windows-copilot.md +++ b/windows/client-management/manage-windows-copilot.md 
@@ -200,3 +200,6 @@ Copilot in Windows and [Copilot in Edge](/bing-chat-enterprise/edge), can share - The [AllowMicrosoftAccountConnection](/windows/client-management/mdm/policy-csp-accounts#allowmicrosoftaccountconnection) setting might allow users to use their personal Microsoft account with Copilot in Windows and Copilot in Edge. - The [RestrictToEnterpriseDeviceAuthenticationOnly](/windows/client-management/mdm/policy-csp-accounts#restricttoenterprisedeviceauthenticationonly) setting might prevent access to chat providers since it blocks user authentication. +## Microsoft's commitment to responsible AI + +Microsoft has been on a responsible AI journey since 2017, when we defined our principles and approach to ensuring this technology is used in a way that is driven by ethical principles that put people first. For more about our responsible AI journey, the ethical principles that guide us, and the tooling and capabilities we've created to assure that we develop AI technology responsibly, see [Responsible AI](https://www.microsoft.com/ai/responsible-ai). From dabc86ba0d97b600d9faedfb285ff7283fefbc39 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 25 Oct 2023 16:04:31 -0700 Subject: [PATCH 49/80] metadata update --- windows/client-management/manage-windows-copilot.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md index e457ec80f3..5afe7ecfe8 100644 --- a/windows/client-management/manage-windows-copilot.md +++ b/windows/client-management/manage-windows-copilot.md @@ -2,6 +2,7 @@ title: Manage Copilot in Windows description: Learn how to manage Copilot in Windows for commercial environments using MDM and group policy. Learn about the chat providers available to Copilot in Windows. ms.topic: article +ms.technology: itpro-windows-copilot ms.date: 10/31/2023 appliesto: - ✅ Windows 11, version 22H2 or later 
From 1bec149c57563e1947c57d5a94dd975ff2f1c407 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 30 Oct 2023 12:12:27 -0700 Subject: [PATCH 50/80] edits --- windows/client-management/manage-windows-copilot.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md index 5afe7ecfe8..6a6104f2c5 100644 --- a/windows/client-management/manage-windows-copilot.md +++ b/windows/client-management/manage-windows-copilot.md @@ -16,7 +16,7 @@ Copilot in Windows provides centralized generative AI assistance to your users r > [!Note] > - Copilot in Windows is currently available as a preview. We will continue to experiment with new ideas and methods using your feedback. -> - Copilot in Windows will be available in all global markets, including the UK, except mainland China, Belarus, Russia, and the European Economic Area. +> - Copilot in Windows is being released in preview to select global markets as part of our latest update to Windows 11. The initial markets for the Copilot in Windows preview include North America and parts of Asia and South America. It is our intention to add additional markets over time. ## Configure Copilot in Windows for commercial environments 
@@ -58,7 +58,7 @@ Copilot in Windows can use either Bing Chat or Bing Chat Enterprise as its chat - Microsoft 365 Business Premium > [!Note] - > Bing Chat Enterprise and Bing Chat don't have access to Microsoft Graph, unlike [Microsoft 365 Copilot](/microsoft-365-copilot/microsoft-365-copilot-overview) which is used in Microsoft 365 apps. This means that Bing Chat Enterprise and Bing Chat can't access Microsoft 365 Apps data, such as email, calendar, or files. + > Bing Chat Enterprise and Bing Chat don't have access to Microsoft Graph, unlike [Microsoft 365 Copilot](/microsoft-365-copilot/microsoft-365-copilot-overview) which can be used in the Microsoft 365 apps. This means that Bing Chat Enterprise and Bing Chat can't access Microsoft 365 Apps data, such as email, calendar, or files. ## Configure the chat provider platform that Copilot in Windows uses 
@@ -123,7 +123,7 @@ Once you've configured the chat provider platform that Copilot in Windows uses, ### Enable the Copilot in Windows user experience for Windows 11, version 22H2 clients -Copilot in Windows isn't technically enabled by default for managed Windows 11, version 22H2 devices because it's behind a [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control). For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager and Microsoft Intune are considered managed since their updates ultimately come from WSUS or Windows Updates for Business. +Copilot in Windows isn't technically enabled by default for managed Windows 11, version 22H2 devices because it's behind a [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control). For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager, Microsoft Intune, and Windows Autopatch are considered managed since their updates ultimately come from WSUS or Windows Updates for Business. To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you need to enable features under temporary enterprise control for these devices. Since enabling features behind [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) can be impactful, you should test this change before deploying it broadly. 
To enable Copilot in Windows for managed Windows 11, version 22H2 devices, use the following instructions: 
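Review bot: The added line in this hunk names the same service two ways: "configured to get updates from Windows Update for Business" and, in the sentence being edited, "ultimately come from WSUS or Windows Updates for Business". Since that sentence is already being touched to add Windows Autopatch, change "Windows Updates for Business" to "Windows Update for Business" in the same edit.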
@@ -134,7 +134,7 @@ To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you n - **CSP**: ./Device/Vendor/MSFT/Policy/Config/Update/[AllowTemporaryEnterpriseFeatureControl](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowtemporaryenterprisefeaturecontrol) - In the Intune [settings catalog](/mem/intune/configuration/settings-catalog), this setting is named **Allow Temporary Enterprise Feature Control** under the **Windows Update for Business** category. > [!Important] - > For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager and Microsoft Intune are considered managed since their updates ultimately come from WSUS or Windows Updates for Business. + > For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager, Microsoft Intune, and Windows Autopatch are considered managed since their updates ultimately come from WSUS or Windows Updates for Business. 1. Copilot in Windows will be initially deployed to devices using a controlled feature rollout (CFR). 
Depending on how soon you start deploying Copilot in Windows, you might also need to [enable optional updates](/windows/deployment/update/waas-configure-wufb#enable-optional-updates) with one of the following policies: - **Group Policy:** Computer Configuration\Administrative Templates\Windows Components\Windows Update\Windows Update for Business\\**Allow updates to Windows optional features** 
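Review bot: This hunk makes the same Windows Autopatch edit to the `[!Important]` note that the @@ -123,7 hunk makes to the section's opening paragraph, because the definition of a managed system appears twice, word for word, a few lines apart. Keeping both copies means every future change to the definition has to be made twice and can drift. Suggest keeping it in one place, either the opening paragraph or the note, and removing the other.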
@@ -148,11 +148,11 @@ To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you n 1. Windows 11, version 22H2 devices display Copilot in Windows when the CFR is enabled for the device. CFRs are enabled for devices in phases, sometimes called waves. -### Enable the Copilot in Windows user experience for Windows 11, version 23H2 clients (coming soon) +### Enable the Copilot in Windows user experience for Windows 11, version 23H2 clients Once a managed device installs the version 23H2 update, the [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) for Copilot in Windows will be removed. This means that Copilot in Windows will be enabled by default for these devices. -While the user experience for Copilot in Windows is enabled by default, you still need to verify that the correct chat provider platform configured for Copilot in Windows. While every effort has been made to ensure that Bing Chat Enterprise is the default chat provider for commercial organizations, it's still possible that Bing Chat might still be used if the configuration is incorrect, or if other settings are affecting Copilot in Windows. For more information, see: +While the user experience for Copilot in Windows is enabled by default, you still need to verify that the correct chat provider platform configured for Copilot in Windows. While every effort has been made to ensure that Bing Chat Enterprise is the default chat provider for commercial organizations, it's still possible that Bing Chat might still be used if the configuration is incorrect, or if other settings are affecting Copilot in Windows. For more information, see: - [Configure the chat provider platform that Copilot in Windows uses](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) - [Other settings that might affect Copilot in Windows and its underlying chat provider](#other-settings-that-might-affect-copilot-in-windows-and-its-underlying-chat-provider) 
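Review bot: The removed and added versions of the "While the user experience for Copilot in Windows is enabled by default" line read identically here, so this looks like a whitespace-only change that leaves the sentence's errors in place: "verify that the correct chat provider platform configured" is missing "is", and "it's still possible that Bing Chat might still be used" repeats "still". Suggest "verify that the correct chat provider platform is configured" and "it's possible that Bing Chat might still be used". This is the sentence that tells admins the consumer provider can end up in use on a misconfigured device, so it should be unambiguous. Also, with "(coming soon)" dropped from the heading, the future tense in the paragraph under it ("will be removed", "will be enabled by default") no longer matches; present tense would be consistent with the new heading.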
From a40ef7ffc7aa0c898a58d98cbde451a560be3f22 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 1 Nov 2023 09:16:08 -0700 Subject: [PATCH 51/80] edits --- .../client-management/manage-windows-copilot.md | 16 ++++------------ 1 file changed, 4 insertions(+), 12 deletions(-) diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md index 6a6104f2c5..86382c61a1 100644 --- a/windows/client-management/manage-windows-copilot.md +++ b/windows/client-management/manage-windows-copilot.md @@ -3,7 +3,7 @@ title: Manage Copilot in Windows description: Learn how to manage Copilot in Windows for commercial environments using MDM and group policy. Learn about the chat providers available to Copilot in Windows. ms.topic: article ms.technology: itpro-windows-copilot -ms.date: 10/31/2023 +ms.date: 11/02/2023 appliesto: - ✅ Windows 11, version 22H2 or later --- 
@@ -12,7 +12,7 @@ appliesto: >**Looking for consumer information?** See [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0). -Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar docked on the Windows desktop. It's designed to help your users get things done in Windows. Copilot in Windows can perform common tasks in Windows like changing Windows settings, which makes it different from the browser-based [Copilot in Edge](/bing-chat-enterprise/edge). However, both user experiences, Copilot in Windows and Copilot in Edge, can share the same underlying chat provider platform. It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since users can possibly copy and paste sensitive information into the chat provider. +Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar docked on the Windows desktop. It's designed to help your users get things done in Windows. Copilot in Windows can perform common tasks in Windows like changing Windows settings, which makes it different from the browser-based [Copilot in Edge](/bing-chat-enterprise/edge). However, both user experiences, Copilot in Windows and Copilot in Edge, can share the same underlying chat provider platform. It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since it is possible for users to copy and paste sensitive information into the chat provider. > [!Note] > - Copilot in Windows is currently available as a preview. We will continue to experiment with new ideas and methods using your feedback. 
@@ -37,7 +37,7 @@ Organizations that aren't ready to use Copilot in Windows can disable it until t ## Chat provider platforms for Copilot in Windows -Copilot in Windows can use either Bing Chat or Bing Chat Enterprise as its chat provider platform. The chat provider platform is the underlying service that Copilot in Windows uses to communicate with the user. The chat provider platform that Copilot in Windows uses is important because users can copy and paste sensitive information into the chat provider. Each chat provider platform has different privacy and security protections. +Copilot in Windows can use either Bing Chat or Bing Chat Enterprise as its chat provider platform. The chat provider platform is the underlying service that Copilot in Windows uses to communicate with the user. The chat provider platform that Copilot in Windows uses is important because it is possible for users to copy and paste sensitive information into the chat provider. Each chat provider platform has different privacy and security protections. **Bing Chat**: 
@@ -62,7 +62,7 @@ Copilot in Windows can use either Bing Chat or Bing Chat Enterprise as its chat ## Configure the chat provider platform that Copilot in Windows uses -Configuring the correct chat provider platform for Copilot in Windows is important because users can copy and paste sensitive information into the chat provider. Each chat provider platform has different privacy and security protections. Once you have selected the chat provider platform that you want to use for Copilot in Windows, ensure it's configured for your organization's users. The following sections describe how to configure the chat provider platform that Copilot in Windows uses. +Configuring the correct chat provider platform for Copilot in Windows is important because it is possible for users to copy and paste sensitive information into the chat provider. Each chat provider platform has different privacy and security protections. Once you have selected the chat provider platform that you want to use for Copilot in Windows, ensure it's configured for your organization's users. The following sections describe how to configure the chat provider platform that Copilot in Windows uses. ### Bing Chat as the chat provider platform 
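Review bot: The replacement text "it is possible for users to copy and paste sensitive information" sits in the same paragraph as "ensure it's configured", and the rest of the page uses contractions; "it's possible" would match. This is also the third hunk in this patch (with @@ -12,7 and @@ -37,7) applying the same rewording to the same sentence, and in two of them it is followed by the identical "Each chat provider platform has different privacy and security protections." Stating the data-exposure rationale once, in the "Chat provider platforms for Copilot in Windows" section, and linking to it from the other two places would remove the repetition and leave one sentence to maintain.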
@@ -167,14 +167,6 @@ Copilot in Windows and [Copilot in Edge](/bing-chat-enterprise/edge), can share ### Bing settings -- Block access to only the public version of Bing Chat for all users on your network: - - - Map `www.bing.com` to `nochat.bing.com` on your router or proxy server - - Map `edgeservices.bing.com` to `nochat.bing.com` to block access to Bing Chat - - This block only applies when devices are connected to your corporate network. Bing Chat is a public service, like search, and will remain available if accessed outside the corporate network. Bing Chat Enterprise will still be available if the public version of Bing Chat is blocked. To also block Bing Chat Enterprise, use its service plan, as detailed here: [Turn off Bing Chat Enterprise](/bing-chat-enterprise/manage#turn-off--enterprise) - - - If [SafeSearch](https://support.microsoft.com/topic/946059ed-992b-46a0-944a-28e8fb8f1814) is enabled for Bing, it can block chat providers for Copilot in Windows. The following network changes block the chat providers for Copilot in Windows and Copilot in Edge: - mapping `www.bing.com` to `strict.bing.com` - mapping `edgeservices.bing.com` to `strict.bing.com` From e9c010e8e9777cdfb5cdbae81d8678c1dfe36674 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Thu, 2 Nov 2023 12:10:42 -0400 Subject: [PATCH 52/80] Add new seting and reformatting --- .../enhanced-phishing-protection.md | 100 ++++++++++-------- 1 file changed, 57 insertions(+), 43 deletions(-) diff --git a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md index 38961897cb..0ec622546b 100644 --- a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md 
+++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md @@ -37,43 +37,49 @@ Enhanced Phishing Protection provides robust phishing protections for work or sc ## Configure Enhanced Phishing Protection for your organization -Enhanced Phishing Protection can be configured via Microsoft Intune, Group Policy Objects (GPO) or Configuration Service Providers (CSP) with an MDM service. Follow these instructions to configure your devices using either Microsoft Intune, GPO or CSP. +Enhanced Phishing Protection can be configured via Microsoft Intune, Group Policy Objects (GPO) or Configuration Service Providers (CSP) with an MDM service. These settings are available to configure your devices using either Microsoft Intune, GPO or CSP. + +| Setting | Description | +|--|--| +| Automatic Data Collection | This policy setting determines whether Enhanced Phishing Protection can collect additional information-such as content displayed, sounds played, and application memory-when your users enter their work or school password into a suspicious website or app. This information is used only for security purposes and helps SmartScreen determine whether the website or app is malicious.

  • If you enable this policy setting, Enhanced Phishing Protection may automatically collect additional content for security analysis from a suspicious website or app when your users enter their work or school password into that website or app.
  • If you disable this policy setting, Enhanced Phishing Protection will not collect additional content for security analysis when your users enter their work or school password into a suspicious site or app.
  • If this policy is not set, Enhanced Phishing Protection automatic data collection will honor the end user's settings.
  • If you enable or don't configure this setting, Enhanced Phishing Protection is enabled in audit mode, preventing users to turn it off.
  • If you disable this policy setting, Enhanced Phishing Protection is off. When off, Enhanced Phishing Protection doesn't capture events, send data, or notify users. Additionally, your users are unable to turn it on.
  • | +| Notify Malicious | This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a sign-in URL with an invalid certificate, or into an application connecting to either a reported phishing site or a sign-in URL with an invalid certificate
  • If you enable this policy setting, Enhanced Phishing Protection warns your users if they type their work or school password into one of the malicious scenarios described above and encourages them to change their password.
  • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they type their work or school password into one of the malicious scenarios described above. | +| Notify Password Reuse | This policy setting determines whether Enhanced Phishing Protection warns your users if they reuse their work or school password.
  • If you enable this policy setting, Enhanced Phishing Protection warns users if they reuse their work, or school password and encourages them to change it.
  • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they reuse their work or school password. | +| Notify Unsafe App | This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school passwords in Notepad or Microsoft 365 Office Apps.
  • If you enable this policy setting, Enhanced Phishing Protection warns your users if they store their password in Notepad or Microsoft 365 Office Apps.
  • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they store their password in Notepad or Microsoft 365 Office Apps. | #### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune) To configure devices using Microsoft Intune, create a [**Settings catalog** policy][MEM-2], and use the settings listed under the category **`SmartScreen > Enhanced Phishing Protection`**: -|Setting|Description| -|---------|---------| -|Service Enabled |This policy setting determines whether Enhanced Phishing Protection is in audit mode or off. Users don't see any notifications for any protection scenarios when Enhanced Phishing Protection is in audit mode. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends diagnostic data through Microsoft Defender.
  • If you enable or don't configure this setting, Enhanced Phishing Protection is enabled in audit mode, preventing users to turn it off.
  • If you disable this policy setting, Enhanced Phishing Protection is off. When off, Enhanced Phishing Protection doesn't capture events, send data, or notify users. Additionally, your users are unable to turn it on.
  • | -|Notify Malicious|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a sign-in URL with an invalid certificate, or into an application connecting to either a reported phishing site or a sign-in URL with an invalid certificate
  • If you enable this policy setting, Enhanced Phishing Protection warns your users if they type their work or school password into one of the malicious scenarios described above and encourages them to change their password.
  • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they type their work or school password into one of the malicious scenarios described above.| -|Notify Password Reuse |This policy setting determines whether Enhanced Phishing Protection warns your users if they reuse their work or school password.
  • If you enable this policy setting, Enhanced Phishing Protection warns users if they reuse their work, or school password and encourages them to change it.
  • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they reuse their work or school password.| -|Notify Unsafe App|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school passwords in Notepad or Microsoft 365 Office Apps.
  • If you enable this policy setting, Enhanced Phishing Protection warns your users if they store their password in Notepad or Microsoft 365 Office Apps.
  • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they store their password in Notepad or Microsoft 365 Office Apps.| +- Automatic Data Collection +- Service Enabled +- Notify Malicious +- Notify Password Reuse +- Notify Unsafe App Assign the policy to a security group that contains as members the devices or users that you want to configure. #### [:::image type="icon" source="images/icons/group-policy.svg"::: **GPO**](#tab/gpo) -Enhanced Phishing Protection can be configured using the following Administrative Templates policy settings: +Enhanced Phishing Protection can be configured using the following group policy settings found under **Administrative Templates > Windows Components > Windows Defender SmartScreen > Enhanced Phishing Protection**: -|Setting|Description| -|---------|---------| -|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Service Enabled |This policy setting determines whether Enhanced Phishing Protection is in audit mode or off. Users don't see any notifications for any protection scenarios when Enhanced Phishing Protection is in audit mode. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends diagnostic data through Microsoft Defender.
  • If you enable or don't configure this setting, Enhanced Phishing Protection is enabled in audit mode, preventing users to turn it off.
  • If you disable this policy setting, Enhanced Phishing Protection is off. When off, Enhanced Phishing Protection doesn't capture events, send data, or notify users. Additionally, your users are unable to turn it on.
  • | -|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Malicious|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a sign-in URL with an invalid certificate, or into an application connecting to either a reported phishing site or a sign-in URL with an invalid certificate
  • If you enable this policy setting, Enhanced Phishing Protection warns your users if they type their work or school password into one of the malicious scenarios described above and encourages them to change their password.
  • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they type their work or school password into one of the malicious scenarios described above.| -|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Password Reuse |This policy setting determines whether Enhanced Phishing Protection warns your users if they reuse their work or school password.
  • If you enable this policy setting, Enhanced Phishing Protection warns users if they reuse their work, or school password and encourages them to change it.
  • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they reuse their work or school password.| -|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Unsafe App|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school passwords in Notepad or Microsoft 365 Office Apps.
  • If you enable this policy setting, Enhanced Phishing Protection warns your users if they store their password in Notepad or Microsoft 365 Office Apps.
  • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they store their password in Notepad or Microsoft 365 Office Apps.| +- Automatic Data Collection +- Service Enabled +- Notify Malicious +- Notify Password Reuse +- Notify Unsafe App #### [:::image type="icon" source="images/icons/windows-os.svg"::: **CSP**](#tab/csp) Enhanced Phishing Protection can be configured using the [WebThreatDefense CSP][WIN-1]. -| Setting | OMA-URI | Data type | -|-------------------------|---------------------------------------------------------------------------|-----------| -| **AutomaticDataCollection** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/AutomaticDataCollection` | Integer | -| **NotifyMalicious** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyMalicious` | Integer | -| **NotifyPasswordReuse** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyPasswordReuse` | Integer | -| **NotifyUnsafeApp** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyUnsafeApp` | Integer | -| **ServiceEnabled** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/ServiceEnabled` | Integer | +| Setting | OMA-URI | Data type | +|-----------------------------|-------------------------------------------------------------------------------|-----------| +| **AutomaticDataCollection** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/AutomaticDataCollection` | Integer | +| **NotifyMalicious** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyMalicious` | Integer | +| **NotifyPasswordReuse** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyPasswordReuse` | Integer | +| **NotifyUnsafeApp** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyUnsafeApp` | Integer | +| **ServiceEnabled** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/ServiceEnabled` | Integer | --- 
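Review bot: The new Automatic Data Collection row in the Setting/Description table says the feature can collect "content displayed, sounds played, and application memory", but it doesn't say where that content is sent or what the end-user default is when the policy isn't set ("will honor the end user's settings"). Application memory captured at the moment a work or school password is typed is sensitive, so state the unset default and link the data-handling or privacy documentation in this row. Wording to fix in the same table: "information-such as ... application memory-when" uses hyphens where commas or parentheses are needed, "preventing users to turn it off" should read "preventing users from turning it off", "their work, or school password" has a stray comma, and the Notify Unsafe App description says "type" while its two bullets say "store".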
@@ -82,33 +88,44 @@ Enhanced Phishing Protection can be configured using the [WebThreatDefense CSP][ By default, Enhanced Phishing Protection is deployed in audit mode, preventing notifications to the users for any protection scenarios. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends diagnostic data through Microsoft Defender. Users aren't warned if they enter their work or school password into a phishing site, if they reuse their password, or if they unsafely store their password in applications. Because of this possibility, it's recommended that you configure Enhanced Phishing Protection to warn users during all protection scenarios. To better help you protect your organization, we recommend turning on and using these specific Microsoft Defender SmartScreen settings. + +| Setting | Recommendation | +|---------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Automatic Data Collection | **Enabled**: Turns on collection of additional content for security analysis from a suspicious website or app to improve Microsoft's threat intelligence | +| Service Enabled | **Enabled**: Turns on Enhanced Phishing Protection in audit mode, which captures work or school password entry events and sends diagnostic data but doesn't show any notifications to your users. | +| Notify Malicious | **Enabled**: Turns on Enhanced Phishing Protection notifications when users type their work or school password into one of the previously described malicious scenarios and encourages them to change their password. | +| Notify Password Reuse | **Enabled**: Turns on Enhanced Phishing Protection notifications when users reuse their work or school password and encourages them to change their password. 
| +| Notify Unsafe App | **Enabled**: Turns on Enhanced Phishing Protection notifications when users type their work or school passwords in Notepad and Microsoft 365 Office Apps. | + #### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune) -|Settings catalog element|Recommendation| -|---------|---------| -|Service Enabled|**Enable**: Turns on Enhanced Phishing Protection in audit mode, which captures work or school password entry events and sends diagnostic data but doesn't show any notifications to your users.| -|Notify Malicious|**Enable**: Turns on Enhanced Phishing Protection notifications when users type their work or school password into one of the previously described malicious scenarios and encourages them to change their password.| -|Notify Password Reuse|**Enable**: Turns on Enhanced Phishing Protection notifications when users reuse their work or school password and encourages them to change their password.| -|Notify Unsafe App|**Enable**: Turns on Enhanced Phishing Protection notifications when users type their work or school passwords in Notepad and Microsoft 365 Office Apps.| +| Settings catalog element | Recommended value | +|---------------------------|-------------------| +| Automatic Data Collection | **Enabled** | +| Service Enabled | **Enabled** | +| Notify Malicious | **Enabled** | +| Notify Password Reuse | **Enabled** | +| Notify Unsafe App | **Enabled** | #### [:::image type="icon" source="images/icons/group-policy.svg"::: **GPO**](#tab/gpo) -|Group Policy setting|Recommendation| -|---------|---------| -|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Service Enabled| **Enable**: Enhanced Phishing Protection is enabled in audit mode and your users are unable to turn it off.| -|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Malicious|**Enable**: Enhanced Phishing Protection warns your users if they 
type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a sign-in URL with an invalid certificate, or into an application connecting to either a reported phishing site or a sign-in URL with an invalid certificate. It encourages users to change their password.| -|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Password Reuse|**Enable**: Enhanced Phishing Protection warns users if they reuse their work or school password and encourages them to change it.| -|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Unsafe App|**Enable**: Enhanced Phishing Protection warns users if they store their password in Notepad and Microsoft 365 Office Apps.| +| Group Policy setting | Recommended value | +|---------------------------|-------------------| +| Automatic Data Collection | **Enabled** | +| Service Enabled | **Enabled** | +| Notify Malicious | **Enabled** | +| Notify Password Reuse | **Enabled** | +| Notify Unsafe App | **Enabled** | #### [:::image type="icon" source="images/icons/windows-os.svg"::: **CSP**](#tab/csp) -|MDM setting|Recommendation| -|---------|---------| -|ServiceEnabled|**1**: Turns on Enhanced Phishing Protection in audit mode, which captures work or school password entry events and sends diagnostic data but doesn't show any notifications to your users.| -|NotifyMalicious|**1**: Turns on Enhanced Phishing Protection notifications when users type their work or school password into one of the previously described malicious scenarios and encourages them to change their password.| -|NotifyPasswordReuse|**1**: Turns on Enhanced Phishing Protection notifications when users reuse their work or school password and encourages them to change their password.| -|NotifyUnsafeApp|**1**: Turns on Enhanced Phishing Protection notifications when users type their work or school passwords in 
Notepad and Microsoft 365 Office Apps.| - +| MDM setting | Recommended value | +|-------------------------|-------------------| +| AutomaticDataCollection | **1** | +| ServiceEnabled | **1** | +| NotifyMalicious | **1** | +| NotifyPasswordReuse | **1** | +| NotifyUnsafeApp | **1** | --- @@ -121,7 +138,4 @@ To better help you protect your organization, we recommend turning on and using [WIN-1]: /windows/client-management/mdm/policy-csp-webthreatdefense - [MEM-2]: /mem/intune/configuration/settings-catalog - - From 6452e7263480b13028d65fd2eead6c812aeb4a00 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Thu, 2 Nov 2023 12:44:21 -0400 Subject: [PATCH 53/80] Minor updates --- .../enhanced-phishing-protection.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md index 0ec622546b..313b641bca 100644 --- a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md +++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md @@ -1,7 +1,7 @@ --- title: Enhanced Phishing Protection in Microsoft Defender SmartScreen description: Learn how Enhanced Phishing Protection for Microsoft Defender SmartScreen helps protect Microsoft school or work passwords against phishing and unsafe usage on sites and apps. -ms.date: 09/25/2023 +ms.date: 11/02/2023 ms.topic: conceptual appliesto: - ✅ Windows 11, version 22H2 
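Review bot: The Automatic Data Collection recommendation added in [PATCH 52/80] (hunk @@ -82,33 +88,44 @@ of enhanced-phishing-protection.md) justifies **Enabled** with "to improve Microsoft's threat intelligence", which doesn't match the description added earlier in the same patch, where the data "is used only for security purposes and helps SmartScreen determine whether the website or app is malicious". Use one rationale in both places, and state the benefit to the organization, since admins are being asked to allow collection of displayed content and application memory. That row is also the only one in the table without a closing period, and the Intune and GPO tables that follow now carry identical values, so one shared table plus the CSP table would be enough.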
@@ -41,12 +41,14 @@ Enhanced Phishing Protection can be configured via Microsoft Intune, Group Polic | Setting | Description | |--|--| -| Automatic Data Collection | This policy setting determines whether Enhanced Phishing Protection can collect additional information-such as content displayed, sounds played, and application memory-when your users enter their work or school password into a suspicious website or app. This information is used only for security purposes and helps SmartScreen determine whether the website or app is malicious.
  • If you enable this policy setting, Enhanced Phishing Protection may automatically collect additional content for security analysis from a suspicious website or app when your users enter their work or school password into that website or app.
  • If you disable this policy setting, Enhanced Phishing Protection will not collect additional content for security analysis when your users enter their work or school password into a suspicious site or app.
  • If this policy is not set, Enhanced Phishing Protection automatic data collection will honor the end user's settings.
  • If you enable this policy setting, Enhanced Phishing Protection may automatically collect additional content for security analysis from a suspicious website or app when your users enter their work or school password into that website or app.
  • If you disable this policy setting, Enhanced Phishing Protection won't collect additional content for security analysis when your users enter their work or school password into a suspicious site or app.
  • If this policy isn't set, Enhanced Phishing Protection automatic data collection honors the end user's settings.
  • | | Service Enabled | This policy setting determines whether Enhanced Phishing Protection is in audit mode or off. Users don't see any notifications for any protection scenarios when Enhanced Phishing Protection is in audit mode. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends diagnostic data through Microsoft Defender.
  • If you enable or don't configure this setting, Enhanced Phishing Protection is enabled in audit mode, preventing users to turn it off.
  • If you disable this policy setting, Enhanced Phishing Protection is off. When off, Enhanced Phishing Protection doesn't capture events, send data, or notify users. Additionally, your users are unable to turn it on.
  • | | Notify Malicious | This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a sign-in URL with an invalid certificate, or into an application connecting to either a reported phishing site or a sign-in URL with an invalid certificate
  • If you enable this policy setting, Enhanced Phishing Protection warns your users if they type their work or school password into one of the malicious scenarios described above and encourages them to change their password.
  • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they type their work or school password into one of the malicious scenarios described above. | | Notify Password Reuse | This policy setting determines whether Enhanced Phishing Protection warns your users if they reuse their work or school password.
  • If you enable this policy setting, Enhanced Phishing Protection warns users if they reuse their work, or school password and encourages them to change it.
  • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they reuse their work or school password. | | Notify Unsafe App | This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school passwords in Notepad or Microsoft 365 Office Apps.
  • If you enable this policy setting, Enhanced Phishing Protection warns your users if they store their password in Notepad or Microsoft 365 Office Apps.
  • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they store their password in Notepad or Microsoft 365 Office Apps. | +Follow these instructions to configure your devices using either Microsoft Intune, GPO or CSP. + #### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune) To configure devices using Microsoft Intune, create a [**Settings catalog** policy][MEM-2], and use the settings listed under the category **`SmartScreen > Enhanced Phishing Protection`**: From c008b5b446e67a80ed4c300a7b024ec899396875 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Fri, 3 Nov 2023 08:09:26 -0700 Subject: [PATCH 54/80] edit csp location --- windows/client-management/manage-windows-copilot.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md index 86382c61a1..e8c129e081 100644 --- a/windows/client-management/manage-windows-copilot.md +++ b/windows/client-management/manage-windows-copilot.md @@ -3,7 +3,7 @@ title: Manage Copilot in Windows description: Learn how to manage Copilot in Windows for commercial environments using MDM and group policy. Learn about the chat providers available to Copilot in Windows. ms.topic: article ms.technology: itpro-windows-copilot -ms.date: 11/02/2023 +ms.date: 11/06/2023 appliesto: - ✅ Windows 11, version 22H2 or later --- 
@@ -31,7 +31,7 @@ Organizations that aren't ready to use Copilot in Windows can disable it until t |   | Setting | |---|---| -| **CSP** | ./User/Vendor/MSFT/WindowsAI/[TurnOffWindowsCopilot](mdm/policy-csp-windowsai.md#turnoffwindowscopilot) | +| **CSP** | ./User/Vendor/MSFT/Policy/Config/WindowsAI/[TurnOffWindowsCopilot](mdm/policy-csp-windowsai.md#turnoffwindowscopilot) | | **Group policy** | User Configuration > Administrative Templates > Windows Components > Windows Copilot > **Turn off Windows Copilot** | @@ -158,7 +158,7 @@ While the user experience for Copilot in Windows is enabled by default, you stil Organizations that aren't ready to use Copilot in Windows can disable it until they're ready by using the following policy: -- **CSP**: ./User/Vendor/MSFT/WindowsAI/[TurnOffWindowsCopilot](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot) +- **CSP**: ./User/Vendor/MSFT/Policy/Config/WindowsAI/[TurnOffWindowsCopilot](mdm/policy-csp-windowsai.md#turnoffwindowscopilot) - **Group Policy**: User Configuration\Administrative Templates\Windows Components\Windows Copilot\\**Turn off Windows Copilot** ## Other settings that might affect Copilot in Windows and its underlying chat provider From 395f417cc19dcaf7c77e18ba494dcd6ae3834cca Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 13 Nov 2023 16:45:17 -0500 Subject: [PATCH 55/80] includes --- includes/configure/gpo-settings-1.md | 2 +- includes/configure/gpo-settings-2.md | 2 +- includes/configure/registry.md | 9 +++++++++ 3 files changed, 11 insertions(+), 2 deletions(-) create mode 100644 includes/configure/registry.md diff --git a/includes/configure/gpo-settings-1.md b/includes/configure/gpo-settings-1.md index d30e2cc685..1b1055fb52 100644 --- a/includes/configure/gpo-settings-1.md +++ b/includes/configure/gpo-settings-1.md 
@@ -6,4 +6,4 @@ ms.topic: include ms.prod: windows-client --- -To configure devices using group policy, [create a group policy object (GPO)](/windows/security/operating-system-security/network-security/windows-firewall/create-a-group-policy-object) and use the following settings: \ No newline at end of file +To configure a device using group policy, use the [Local Group Policy Editor](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731745(v=ws.10)). To configure multiple devices joined to Active Directory, [create](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc754740(v=ws.11)) or [edit](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc730903(v=ws.10)) a group policy object (GPO) and use the following settings: diff --git a/includes/configure/gpo-settings-2.md b/includes/configure/gpo-settings-2.md index bf8ee52309..88fd46ec27 100644 --- a/includes/configure/gpo-settings-2.md +++ b/includes/configure/gpo-settings-2.md @@ -6,4 +6,4 @@ ms.topic: include ms.prod: windows-client --- -The policy settings can be configured locally by using the Local Group Policy Editor (`gpedit.msc`), linked to the domain or organizational units, and filtered to security groups. \ No newline at end of file +Group policies can be [linked](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732979(v=ws.10)) to domains or organizational units, [filtered using security groups](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc752992(v=ws.10)), or [filtered using WMI filters](/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717288(v=ws.11)). diff --git a/includes/configure/registry.md b/includes/configure/registry.md new file mode 100644 index 0000000000..9f01c1e254 --- /dev/null +++ b/includes/configure/registry.md 
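Review bot: Every link added in gpo-settings-2.md (linking, security-group filtering, WMI filtering), like those added in gpo-settings-1.md before it, targets /previous-versions/ content for Windows Server 2008 and 2012, with view monikers that vary between v=ws.10 and v=ws.11. Because these are shared include files, confirm that each link resolves and that there is no current Group Policy article to point to instead.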
@@ -0,0 +1,9 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/15/2023 +ms.topic: include +ms.prod: windows-client +--- + +To configure devices using the [Registry Editor](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc755256(v=ws.11)), use the following settings: \ No newline at end of file From 9233c19bf30e7555a1c9ab97ea0585caa53bce93 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Tue, 14 Nov 2023 09:12:40 -0800 Subject: [PATCH 56/80] remove old broken links --- browsers/edge/microsoft-edge.yml | 8 ------- windows/deployment/windows-10-poc.md | 21 +------------------ .../whats-new-windows-10-version-1909.md | 2 +- 3 files changed, 2 insertions(+), 29 deletions(-) diff --git a/browsers/edge/microsoft-edge.yml b/browsers/edge/microsoft-edge.yml index e95c203c60..addd4468b1 100644 --- a/browsers/edge/microsoft-edge.yml +++ b/browsers/edge/microsoft-edge.yml @@ -40,14 +40,6 @@ landingContent: - text: Evaluate the impact url: ./microsoft-edge-forrester.md - # Card (optional) - - title: Test your site on Microsoft Edge - linkLists: - - linkListType: overview - links: - - text: Test your site on Microsoft Edge for free on BrowserStack - url: https://developer.microsoft.com/microsoft-edge/tools/remote/ - # Card (optional) - title: Improve compatibility with Enterprise Mode linkLists: diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md index 40769fc671..11b304e822 100644 --- a/windows/deployment/windows-10-poc.md +++ b/windows/deployment/windows-10-poc.md 
@@ -225,26 +225,7 @@ When you have completed installation of Hyper-V on the host computer, begin conf > [!IMPORTANT] > Don't attempt to use the VM resulting from the following procedure as a reference image. Also, to avoid conflicts with existing clients, don't start the VM outside the PoC network. -If you don't have a PC available to convert to VM, do the following steps to download an evaluation VM: - -1. Open the [Download virtual machines](https://developer.microsoft.com/microsoft-edge/tools/vms/) page. - - > [!NOTE] - > The above link may not be available in all locales. - -2. Under **Virtual machine**, choose **IE11 on Win7**. - -3. Under **Select platform**, choose **HyperV (Windows)**. - -4. Select **Download .zip**. The download is 3.31 GB. - -5. Extract the zip file. Three directories are created. - -6. Open the **Virtual Hard Disks** directory and then copy **IE11 - Win7.vhd** to the **C:\VHD** directory. - -7. Rename **IE11 - Win7.vhd** to **w7.vhd** (don't rename the file to w7.vhdx). - -8. In step 5 of the [Configure Hyper-V](#configure-hyper-v) section, replace the VHD file name **w7.vhdx** with **w7.vhd**. + If you have a PC available to convert to VM (computer 2): diff --git a/windows/whats-new/whats-new-windows-10-version-1909.md b/windows/whats-new/whats-new-windows-10-version-1909.md index d40de13c9d..5ab89168fd 100644 --- a/windows/whats-new/whats-new-windows-10-version-1909.md +++ b/windows/whats-new/whats-new-windows-10-version-1909.md 
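Review bot: Removing the eight-step "download an evaluation VM" procedure from windows-10-poc.md leaves "If you have a PC available to convert to VM (computer 2):" as the only path, so a reader without a spare PC now has no instructions at this step. Either add a replacement way to obtain a test VHD or reword the surviving sentence so it no longer reads as one of two options. The removed step 8 pointed back to step 5 of "Configure Hyper-V" and the file name w7.vhd, so check that section for wording that assumed this procedure.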
@@ -55,7 +55,7 @@ Windows 10, version 1909 also includes two new features called **Key-rolling** a ### Transport Layer Security (TLS) -An experimental implementation of TLS 1.3 is included in Windows 10, version 1909. TLS 1.3 is disabled by default system wide. If you enable TLS 1.3 on a device for testing, then it can also be enabled in Internet Explorer 11.0 and Microsoft Edge by using Internet Options. For beta versions of Microsoft Edge on Chromium, TLS 1.3 isn't built on the Windows TLS stack, and is instead configured independently, using the **Edge://flags** dialog. Also see [Microsoft Edge platform status](https://developer.microsoft.com/microsoft-edge/status/tls13/) +An experimental implementation of TLS 1.3 is included in Windows 10, version 1909. TLS 1.3 is disabled by default system wide. If you enable TLS 1.3 on a device for testing, then it can also be enabled in Internet Explorer 11.0 and Microsoft Edge by using Internet Options. For beta versions of Microsoft Edge on Chromium, TLS 1.3 isn't built on the Windows TLS stack, and is instead configured independently, using the **Edge://flags** dialog. >[!NOTE] >The experiental implementation of TLS 1.3 isn't supported. TLS 1.3 is only supported on Windows 11 and Server 2022. For more information, see [Protocols in TLS/SSL (Schannel SSP)](/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-). From 0cbbc1a73108e256bd5a7a0a587f238e375de191 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Tue, 14 Nov 2023 09:44:27 -0800 Subject: [PATCH 57/80] fix MicrosoftDocs/windows-itpro-docs#11815 --- windows/whats-new/temporary-enterprise-feature-control.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/temporary-enterprise-feature-control.md b/windows/whats-new/temporary-enterprise-feature-control.md index 122c8a1f8f..ba0ca795c1 100644 --- a/windows/whats-new/temporary-enterprise-feature-control.md +++ b/windows/whats-new/temporary-enterprise-feature-control.md 
@@ -73,5 +73,5 @@ The following features introduced through the monthly cumulative updates allow p | The **Recommended** section of the **Start Menu** displays personalized website recommendations |[September 2023 - KB5030310](https://support.microsoft.com/kb/5030310)| No |**CSP**: ./Device/Vendor/MSFT/Policy/Config/Start/[HideRecoPersonalizedSites](/windows/client-management/mdm/policy-csp-start)

    **Group Policy**: Computer Configuration\Administrative Templates\Start Menu and Taskbar\\**Remove Personalized Website Recommendations from the Recommended section in the Start Menu**| | **Recommended** section added to File Explorer Home for users signed into Windows with an Azure AD account. | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | Yes | **CSP**:./Device/Vendor/MSFT/Policy/Config/FileExplorer/[DisableGraphRecentItems](/windows/client-management/mdm/policy-csp-fileexplorer#disablegraphrecentitems)

    **Group Policy**: Computer Configuration\Administrative Templates\Windows Components\File Explorer\\**Turn off files from Office.com in Quick Access View**

    **Note**: This control disables additional items beyond the **Recommended** items. Review the policy before implementing this control. | | Transfer files to another PC using WiFi direct|[September 2023 - KB5030310](https://support.microsoft.com/kb/5030310)|Yes|**CSP**: ./Device/Vendor/MSFT/Policy/Config/Wifi/[AllowWiFiDirect](/windows/client-management/mdm/policy-csp-wifi#allowwifidirect)| -| Copilot in Windows | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | Yes |**CSP**: ./User/Vendor/MSFT/WindowsAI/[TurnOffWindowsCopilot](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot)

    **Group Policy**: User Configuration\Administrative Templates\Windows Components\Windows Copilot\\**Turn off Windows Copilot**| +| Copilot in Windows | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | Yes |**CSP**: ./User/Vendor/MSFT/Policy/Config/WindowsAI/[TurnOffWindowsCopilot](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot)

    **Group Policy**: User Configuration\Administrative Templates\Windows Components\Windows Copilot\\**Turn off Windows Copilot**| |Dev Drive | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | Yes |**CSPs**:
    - ./Device/Vendor/MSFT/Policy/Config/FileSystem/[EnableDevDrive](/windows/client-management/mdm/policy-csp-filesystem#enableeeverive)
    - ./Device/Vendor/MSFT/Policy/Config/FileSystem/[DevDriveAttachPolicy](/windows/client-management/mdm/policy-csp-filesystem#devdriveattachpolicy)

    **Group Policies**:
    - Computer Configuration\Administrative Templates\System\FileSystem\\**Enable dev drive**
    - Computer Configuration\Administrative Templates\System\FileSystem\\**Dev drive filter attach policy**| From 6abb05a5a5df108a3bfe11fdc44daca33dfadee8 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Tue, 14 Nov 2023 14:21:46 -0500 Subject: [PATCH 58/80] Remove bad links to PDF --- .../deployment/deploy-enterprise-licenses.md | 4 +- windows/deployment/mbr-to-gpt.md | 163 ++++++++++++------ .../deployment/vda-subscription-activation.md | 4 +- .../windows-10-subscription-activation.md | 4 +- 4 files changed, 116 insertions(+), 59 deletions(-) diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md index 8ad4658ea1..f94f31723e 100644 --- a/windows/deployment/deploy-enterprise-licenses.md +++ b/windows/deployment/deploy-enterprise-licenses.md @@ -14,7 +14,7 @@ ms.collection: appliesto: - ✅ Windows 10 - ✅ Windows 11 -ms.date: 11/23/2022 +ms.date: 11/14/2023 --- # Deploy Windows Enterprise licenses @@ -306,6 +306,6 @@ If a device isn't able to connect to Windows Update, it can lose activation stat ## Virtual Desktop Access (VDA) -Subscriptions to Windows Enterprise are also available for virtualized clients. Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Azure or in another [qualified multitenant hoster](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf) (PDF download). +Subscriptions to Windows Enterprise are also available for virtualized clients. Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Azure or in another qualified multitenant hoster. Virtual machines (VMs) must be configured to enable Windows Enterprise subscriptions for VDA. Active Directory-joined and Microsoft Entra joined clients are supported. For more information, see [Enable VDA for Enterprise subscription activation](vda-subscription-activation.md). 
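Review bot: In the Virtual Desktop Access (VDA) paragraph of deploy-enterprise-licenses.md, dropping the QMTH partner-list link leaves "another qualified multitenant hoster" with no way for a reader to find out which hosters qualify. If the PDF is gone for good, point to a current page that defines or lists qualified hosters, or say where that information now lives. The same sentence is edited in vda-subscription-activation.md and windows-10-subscription-activation.md later in this patch, so apply the replacement in all three places. The casing also differs between files: "qualified multitenant hoster" here, "Qualified Multitenant Hoster (QMTH)" in the VDA article.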
diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md index 2ab8313425..9b709effc7 100644 --- a/windows/deployment/mbr-to-gpt.md +++ b/windows/deployment/mbr-to-gpt.md @@ -4,7 +4,7 @@ description: Use MBR2GPT.EXE to convert a disk from the Master Boot Record (MBR) ms.prod: windows-client author: frankroj ms.author: frankroj -ms.date: 11/23/2022 +ms.date: 10/17/2023 manager: aaroncz ms.localizationpriority: high ms.topic: how-to @@ -12,19 +12,18 @@ ms.collection: - highpri - tier2 ms.technology: itpro-deploy +appliesto: + - ✅ Windows 11 + - ✅ Windows 10 --- # MBR2GPT.EXE -*Applies to:* - -- Windows 10 - **MBR2GPT.EXE** converts a disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool runs from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS) by using the **`/allowFullOS`** option. -MBR2GPT.EXE is located in the **`Windows\System32`** directory on a computer running Windows 10 version 1703 or later. +**MBR2GPT.EXE** is located in the **`Windows\System32`** directory on a computer running Windows. -The tool is available in both the full OS environment and Windows PE. To use this tool in a deployment task sequence with Configuration Manager or Microsoft Deployment Toolkit (MDT), you must first update the Windows PE image (winpe.wim, boot.wim) with the [Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) 1703, or a later version. +The tool is available in both the full OS environment and Windows PE. See the following video for a detailed description and demonstration of MBR2GPT. 
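Review bot: In the intro hunk of mbr-to-gpt.md, "located in the Windows\System32 directory on a computer running Windows" drops the "Windows 10 version 1703 or later" floor, and the removed sentence about updating the Windows PE image with ADK 1703 or later was the only statement of the Windows PE prerequisite. With appliesto now listing Windows 11 and Windows 10, either keep a minimum version in the text or state that all supported versions include the tool. The unchanged first paragraph still says the tool can be run from "the full Windows 10 operating system (OS)", which no longer matches the new appliesto list. Also, ms.date is set to 10/17/2023 in this file while the other files in this commit use 11/14/2023.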
@@ -34,12 +33,12 @@ You can use MBR2GPT to: - Convert any attached MBR-formatted system disk to the GPT partition format. You can't use the tool to convert non-system disks from MBR to GPT. - Convert an MBR disk with BitLocker-encrypted volumes as long as protection has been suspended. To resume BitLocker after conversion, you'll need to delete the existing protectors and recreate them. -- Convert operating system disks that have earlier versions of Windows 10 installed, such as versions 1507, 1511, and 1607. However, you must run the tool while booted into Windows 10 version 1703 or later, and perform an offline conversion. -- Convert an operating system disk from MBR to GPT using Configuration Manager or MDT if your task sequence uses Windows PE version 1703 or later. +- Convert an operating system disk from MBR to GPT using Microsoft Configuration Manager or Microsoft Deployment Toolkit (MDT). -Offline conversion of system disks with earlier versions of Windows installed, such as Windows 7, 8, or 8.1 aren't officially supported. The recommended method to convert these disks is to upgrade the operating system to Windows 10 first, then perform the MBR to GPT conversion. +Offline conversion of system disks with earlier versions of Windows installed, such as Windows 7, 8, or 8.1 aren't officially supported. The recommended method to convert these disks is to upgrade the operating system to a currently supported version of Windows, then perform the MBR to GPT conversion. > [!IMPORTANT] +> > After the disk has been converted to GPT partition style, the firmware must be reconfigured to boot in UEFI mode. > > Make sure that your device supports UEFI before attempting to convert the disk. 
@@ -57,9 +56,9 @@ Before any change to the disk is made, MBR2GPT validates the layout and geometry - The disk doesn't have any extended/logical partition - The BCD store on the system partition contains a default OS entry pointing to an OS partition - The volume IDs can be retrieved for each volume that has a drive letter assigned -- All partitions on the disk are of MBR types recognized by Windows or has a mapping specified using the /map command-line option +- All partitions on the disk are of MBR types recognized by Windows or has a mapping specified using the `/map` command-line option -If any of these checks fails, the conversion won't proceed, and an error will be returned. +If any of these checks fails, the conversion doesn't proceed, and an error is returned. ## Syntax 
@@ -72,9 +71,9 @@ If any of these checks fails, the conversion won't proceed, and an error will be |**/validate**| Instructs `MBR2GPT.exe` to perform only the disk validation steps and report whether the disk is eligible for conversion. | |**/convert**| Instructs `MBR2GPT.exe` to perform the disk validation and to proceed with the conversion if all validation tests pass. | |**/disk:*\***| Specifies the disk number of the disk to be converted to GPT. If not specified, the system disk is used. The mechanism used is the same as used by the diskpart.exe tool **SELECT DISK SYSTEM** command.| -|**/logs:*\***| Specifies the directory where `MBR2GPT.exe` logs should be written. If not specified, **%windir%** is used. If specified, the directory must already exist, it will not be automatically created or overwritten.| +|**/logs:*\***| Specifies the directory where `MBR2GPT.exe` logs should be written. If not specified, **%windir%** is used. If specified, the directory must already exist, it isn't automatically created or overwritten.| |**/map:*\*=*\***| Specifies other partition type mappings between MBR and GPT. The MBR partition number is specified in decimal notation, not hexadecimal. The GPT GUID can contain brackets, for example: **/map:42={af9b60a0-1431-4f62-bc68-3311714a69ad}**. Multiple /map options can be specified if multiple mappings are required. | -|**/allowFullOS**| By default, `MBR2GPT.exe` is blocked unless it's run from Windows PE. This option overrides this block and enables disk conversion while running in the full Windows environment.
    **Note**: Since the existing MBR system partition is in use while running the full Windows environment, it can't be reused. In this case, a new ESP is created by shrinking the OS partition.| +|**/allowFullOS**| By default, `MBR2GPT.exe` is blocked unless it's run from Windows PE. This option overrides this block and enables disk conversion while running in the full Windows environment.
    **Note**: Since the existing MBR system partition is in use while running the full Windows environment, it can't be reused. In this case, a new EFI system partition is created by shrinking the OS partition.| ## Examples @@ -83,7 +82,7 @@ If any of these checks fails, the conversion won't proceed, and an error will be In the following example, disk 0 is validated for conversion. Errors and warnings are logged to the default location of **`%windir%`**. ```cmd -X:\>mbr2gpt.exe /validate /disk:0 +X:\> mbr2gpt.exe /validate /disk:0 MBR2GPT: Attempting to validate disk 0 MBR2GPT: Retrieving layout of disk MBR2GPT: Validating layout, disk sector size is: 512 
@@ -94,19 +93,24 @@ MBR2GPT: Validation completed successfully In the following example: -1. Using DiskPart, the current disk partition layout is displayed prior to conversion - three partitions are present on the MBR disk (disk 0): a system reserved partition, a Windows partition, and a recovery partition. A DVD-ROM is also present as volume 0. +1. The current disk partition layout is displayed prior to conversion using DiskPart - three partitions are present on the MBR disk (disk 0): -2. The OS volume is selected, partitions are listed, and partition details are displayed for the OS partition. The [MBR partition type](/windows/win32/fileio/disk-partition-types) is **07** corresponding to the installable file system (IFS) type. + - A system reserved partition. + - A Windows partition. + - A recovery partition. + - A DVD-ROM is also present as volume 0. -3. The MBR2GPT tool is used to convert disk 0. +1. The OS volume is selected, partitions are listed, and partition details are displayed for the OS partition. The [MBR partition type](/windows/win32/fileio/disk-partition-types) is **07** corresponding to the installable file system (IFS) type. -4. The DiskPart tool displays that disk 0 is now using the GPT format. +1. The MBR2GPT tool is used to convert disk 0. -5. The new disk layout is displayed - four partitions are present on the GPT disk: three are identical to the previous partitions and one is the new EFI system partition (volume 3). +1. The DiskPart tool displays that disk 0 is now using the GPT format. -6. The OS volume is selected again, and detail displays that it has been converted to the [GPT partition type](/windows/win32/api/winioctl/ns-winioctl-partition_information_gpt) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type. +1. The new disk layout is displayed - four partitions are present on the GPT disk: three are identical to the previous partitions and one is the new EFI system partition (volume 3). 
-As noted in the output from the MBR2GPT tool, you must make changes to the computer firmware so that the new EFI system partition will boot properly. +1. The OS volume is selected again, and detail displays that it has been converted to the [GPT partition type](/windows/win32/api/winioctl/ns-winioctl-partition_information_gpt) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type. + +As noted in the output from the MBR2GPT tool, you must make changes to the computer firmware so that the new EFI system partition boots properly.
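Review bot: In the reworked step 1, "three partitions are present on the MBR disk (disk 0):" is now followed by four bullets, and the fourth ("A DVD-ROM is also present as volume 0.") is not a partition on disk 0. Move the DVD-ROM remark out of the bullet list, for example as a closing sentence of step 1, so the list matches the stated count.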
    
@@ -240,42 +244,44 @@ Offset in Bytes: 524288000 The following steps illustrate high-level phases of the MBR-to-GPT conversion process: 1. Disk validation is performed. -2. The disk is repartitioned to create an EFI system partition (ESP) if one doesn't already exist. -3. UEFI boot files are installed to the ESP. +2. The disk is repartitioned to create an EFI system partition if one doesn't already exist. +3. UEFI boot files are installed to the EFI system partition. 4. GPT metadata and layout information are applied. 5. The boot configuration data (BCD) store is updated. 6. Drive letter assignments are restored. ### Creating an EFI system partition -For Windows to remain bootable after the conversion, an EFI system partition (ESP) must be in place. MBR2GPT creates the ESP using the following rules: +For Windows to remain bootable after the conversion, an EFI system partition must be in place. MBR2GPT creates the EFI system partition using the following rules: 1. The existing MBR system partition is reused if it meets these requirements: - 1. It isn't also the OS or Windows Recovery Environment partition. - 1. It is at least 100 MB (or 260 MB for 4K sector size disks) in size. - 1. It's less than or equal to 1 GB in size. This size is a safety precaution to ensure it isn't a data partition. - 1. The conversion isn't being performed from the full OS. In this case, the existing MBR system partition is in use and can't be repurposed. -2. If the existing MBR system partition can't be reused, a new ESP is created by shrinking the OS partition. This new partition has a size of 100 MB (or 260 MB for 4K sector size disks) and is formatted FAT32. + - It isn't also the OS or Windows Recovery Environment partition. + - It is at least 100 MB (or 260 MB for 4K sector size disks) in size. + - It's less than or equal to 1 GB in size. This size is a safety precaution to ensure it isn't a data partition. + - The conversion isn't being performed from the full OS. 
In this case, the existing MBR system partition is in use and can't be repurposed. -If the existing MBR system partition isn't reused for the ESP, it's no longer used by the boot process after the conversion. Other partitions aren't modified. +2. If the existing MBR system partition can't be reused, a new EFI system partition is created by shrinking the OS partition. This new partition has a size of 100 MB (or 260 MB for 4K sector size disks) and is formatted FAT32. ->[!IMPORTANT] ->If the existing MBR system partition is not reused for the ESP, it might be assigned a drive letter. If you do not wish to use this small partition, you must manually hide the drive letter. +If the existing MBR system partition isn't reused for the EFI system partition, it's no longer used by the boot process after the conversion. Other partitions aren't modified. + +> [!IMPORTANT] +> +> If the existing MBR system partition is not reused for the EFI system partition, it might be assigned a drive letter. If you do not wish to use this small partition, you must manually hide the drive letter. ### Partition type mapping and partition attributes Since GPT partitions use a different set of type IDs than MBR partitions, each partition on the converted disk must be assigned a new type ID. The partition type mapping follows these rules: -1. The ESP is always set to partition type PARTITION_SYSTEM_GUID (c12a7328-f81f-11d2-ba4b-00a0c93ec93b). -2. If an MBR partition is of a type that matches one of the entries specified in the /map switch, the specified GPT partition type ID is used. -3. If the MBR partition is of type 0x27, the partition is converted to a GPT partition of type PARTITION_MSFT_RECOVERY_GUID (de94bba4-06d1-4d40-a16a-bfd50179d6ac). -4. All other MBR partitions recognized by Windows are converted to GPT partitions of type PARTITION_BASIC_DATA_GUID (ebd0a0a2-b9e5-4433-87c0-68b6b72699c7). +1. 
The EFI system partition is always set to partition type **PARTITION_SYSTEM_GUID** (**c12a7328-f81f-11d2-ba4b-00a0c93ec93b**). +2. If an MBR partition is of a type that matches one of the entries specified in the `/map` switch, the specified GPT partition type ID is used. +3. If the MBR partition is of type **0x27**, the partition is converted to a GPT partition of type **PARTITION_MSFT_RECOVERY_GUID** (**de94bba4-06d1-4d40-a16a-bfd50179d6ac**). +4. All other MBR partitions recognized by Windows are converted to GPT partitions of type **PARTITION_BASIC_DATA_GUID** (**ebd0a0a2-b9e5-4433-87c0-68b6b72699c7**). In addition to applying the correct partition types, partitions of type PARTITION_MSFT_RECOVERY_GUID also have the following GPT attributes set: -- GPT_ATTRIBUTE_PLATFORM_REQUIRED (0x0000000000000001) -- GPT_BASIC_DATA_ATTRIBUTE_NO_DRIVE_LETTER (0x8000000000000000) +- **GPT_ATTRIBUTE_PLATFORM_REQUIRED** (**0x0000000000000001**) +- **GPT_BASIC_DATA_ATTRIBUTE_NO_DRIVE_LETTER** (**0x8000000000000000**) For more information about partition types, see: 
@@ -284,20 +290,21 @@ For more information about partition types, see: ### Persisting drive letter assignments -The conversion tool will attempt to remap all drive letter assignment information contained in the registry that corresponds to the volumes of the converted disk. If a drive letter assignment can't be restored, an error will be displayed at the console and in the log, so that you can manually perform the correct assignment of the drive letter. +The conversion tool attempts to remap all drive letter assignment information contained in the registry that corresponds to the volumes of the converted disk. If a drive letter assignment can't be restored, an error is displayed at the console and in the log, so that you can manually perform the correct assignment of the drive letter. > [!IMPORTANT] +> > This code runs after the layout conversion has taken place, so the operation cannot be undone at this stage. -The conversion tool will obtain volume unique ID data before and after the layout conversion, organizing this information into a lookup table. It will then iterate through all the entries in **HKLM\SYSTEM\MountedDevices**, and for each entry do the following: +The conversion tool will obtain volume unique ID data before and after the layout conversion, organizing this information into a lookup table. It then iterates through all the entries in **HKLM\SYSTEM\MountedDevices**, and for each entry it does the following: 1. Check if the unique ID corresponds to any of the unique IDs for any of the volumes that are part of the converted disk. 2. If found, set the value to be the new unique ID, obtained after the layout conversion. -3. If the new unique ID can't be set and the value name starts with \DosDevices, issue a console and log warning about the need for manual intervention in properly restoring the drive letter assignment. +3. 
If the new unique ID can't be set and the value name starts with **\DosDevices**, issue a console and log warning about the need for manual intervention in properly restoring the drive letter assignment. ## Troubleshooting -The tool will display status information in its output. Both validation and conversion are clear if any errors are encountered. For example, if one or more partitions don't translate properly, this is displayed and the conversion not performed. To view more detail about any errors that are encountered, see the associated [log files](#logs). +The tool displays status information in its output. Both validation and conversion are clear if any errors are encountered. For example, if one or more partitions don't translate properly, this information is displayed and the conversion not performed. To view more detail about any errors that are encountered, see the associated [log files](#logs). ### Logs 
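Review bot: The tense cleanup in this hunk is incomplete: the added line "The conversion tool will obtain volume unique ID data" is still future tense, while the next sentence was changed to "It then iterates". In the Troubleshooting paragraph, "this information is displayed and the conversion not performed" is missing its verb; suggest "and the conversion isn't performed".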
@@ -308,16 +315,21 @@ Four log files are created by the MBR2GPT tool: - setupact.log - setuperr.log -These files contain errors and warnings encountered during disk validation and conversion. Information in these files can be helpful in diagnosing problems with the tool. The setupact.log and setuperr.log files will have the most detailed information about disk layouts, processes, and other information pertaining to disk validation and conversion. +These files contain errors and warnings encountered during disk validation and conversion. Information in these files can be helpful in diagnosing problems with the tool. The `setupact.log` and `setuperr.log` files have the most detailed information about disk layouts, processes, and other information pertaining to disk validation and conversion. > [!NOTE] -> The setupact*.log files are different than the Windows Setup files that are found in the %Windir%\Panther directory. +> +> The **setupact*.log** files are different than the Windows Setup files that are found in the `%Windir%\Panther` directory. The default location for all these log files in Windows PE is **%windir%**. ### Interactive help -To view a list of options available when using the tool, enter **`mbr2gpt.exe /?`** +To view a list of options available when using the tool, enter the following command in an elevated command prompt: + +```cmd +mbr2gpt.exe /? +``` The following text is displayed: 
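Review bot: In the added NOTE, "**setupact*.log**" puts a bare asterisk inside bold markers, which Markdown can read as an emphasis delimiter and render incorrectly. Use code formatting for the wildcard name, as this hunk already does for setupact.log and setuperr.log in the paragraph above, or escape the asterisk.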
@@ -378,7 +390,21 @@ MBR2GPT has the following associated return codes: ### Determining the partition type -You can type the following command at a Windows PowerShell prompt to display the disk number and partition type. Example output is also shown: +The partition type can be determined in one of three ways: + +- Using Windows PowerShell +- Using the Disk Management tool +- Using the DiskPart tool + +#### Windows PowerShell + +You can enter the following command at a Windows PowerShell prompt to display the disk number and partition type: + +```powershell +Get-Disk | ft -Auto +`````` + +Example output: ```powershell PS C:\> Get-Disk | ft -Auto 
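Review bot: The new PowerShell block under "#### Windows PowerShell" (the one containing "Get-Disk | ft -Auto") is closed with a line of six backticks instead of three. CommonMark parsers accept a closing fence that is longer than the opening one, but it does not match any other fence in this file and is easy to misread as a second, empty block. Change the closing fence to three backticks.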
@@ -389,11 +415,43 @@ Number Friendly Name Serial Number HealthStatus OperationalStatus To 1 ST1000DM003-1ER162 Z4Y3GD8F Healthy Online 931.51 GB GPT ``` -You can also view the partition type of a disk by opening the Disk Management tool, right-clicking the disk number, clicking **Properties**, and then clicking the **Volumes** tab. See the following example: +#### Disk Management tool -:::image type="content" alt-text="Volumes." source="images/mbr2gpt-volume.png"::: +You can view the partition type of a disk by using the Disk Management tool: -If Windows PowerShell and Disk Management aren't available, such as when you're using Windows PE, you can determine the partition type at a command prompt with the DiskPart tool. To determine the partition style from a command line, type **diskpart** and then type **list disk**. See the following example: +1. Right-click on the Start Menu and select **Disk Management**. Alternatively, right-click on the Start Menu and select **Run**. In the **Run** dialog box that appears, enter `diskmgmt.msc` and then select **OK**. + +1. In the **Disk Management** window that appears: + + 1. On the bottom pane, select the disk number of interest. + + 1. Select the **Action** menu and then select **All Tasks > Properties**. Alternatively, right-click on the disk number of interest and select **Properties**. + + 1. In the **Properties** dialog box that appears for the disk, select the **Volumes** tab. + + 1. Under the **Volumes** tab, the partition type is displayed next to **Partition style:**. + +#### DiskPart tool + +The partition type can be determined with the DiskPart tool. The DiskPart tool is useful in scenarios where the Disk Management tool and PowerShell aren't available, such as in WinPE when the PowerShell optional component in WinPE isn't loaded. To use the DiskPart tool to determine the partition type: + +1. Open an elevated command prompt. + +1. 
In the elevated command prompt that opens enter the following command: + + ```cmd + DiskPart.exe + ``` + +1. The **DISKPART>** prompt is displayed in the command prompt windows. At the **DISKPART>** prompt, enter the following command: + + ```cmd + list disk + ``` + +1. The partition type is displayed in the **Gpt** column. If the partition is GPT, an asterisk (**\***) is displayed in the column. If the partition is MBR, the column will be blank. + +The following shows an example output of the DiskPart tool showing the partition type for two disks: ```cmd X:\>DiskPart.exe @@ -472,6 +530,5 @@ To fix this issue, mount the Windows PE image (WIM), copy the missing file from ## Related articles -[Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) -
    [Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications) -
    [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) +- [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) +- [Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications) diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md index df89fc602d..aefcd10aa4 100644 --- a/windows/deployment/vda-subscription-activation.md +++ b/windows/deployment/vda-subscription-activation.md @@ -9,7 +9,7 @@ ms.prod: windows-client ms.technology: itpro-fundamentals ms.localizationpriority: medium ms.topic: how-to -ms.date: 11/23/2022 +ms.date: 11/14/2023 --- # Configure VDA for Windows subscription activation @@ -31,7 +31,7 @@ Deployment instructions are provided for the following scenarios: - VMs must be running a supported version of Windows Pro edition. - VMs must be joined to Active Directory or Microsoft Entra ID. -- VMs must be hosted by a Qualified Multitenant Hoster (QMTH). For more information, download the PDF that describes the [Qualified Multitenant Hoster Program](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf). +- VMs must be hosted by a Qualified Multitenant Hoster (QMTH). ## Activation diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 6b8718bf68..a5900a5a13 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -11,7 +11,7 @@ ms.collection: - highpri - tier2 ms.topic: conceptual -ms.date: 11/23/2022 +ms.date: 11/14/2023 appliesto: - ✅ Windows 10 - ✅ Windows 11 
@@ -239,7 +239,7 @@ For more information, see [Deploy Windows Enterprise licenses](deploy-enterprise ## Virtual Desktop Access (VDA) -Subscriptions to Windows Enterprise are also available for virtualized clients. Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Microsoft Azure or in another [qualified multitenant hoster (QMTH)](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf). +Subscriptions to Windows Enterprise are also available for virtualized clients. Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Microsoft Azure or in another qualified multitenant hoster (QMTH). Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Microsoft Entra joined clients are supported. See [Enable VDA for Subscription Activation](vda-subscription-activation.md). From 031c9b23dbe1011429c4fc8f5a3479f68a618033 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Tue, 14 Nov 2023 15:44:04 -0500 Subject: [PATCH 59/80] Add optional cloud app name It appears that the cloud app that needs to be excluded can have one of two names. Adding in the name of the second cloud app for clarify. --- .../deployment/windows-10-subscription-activation.md | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 6b8718bf68..ffa1ab5454 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -11,7 +11,7 @@ ms.collection: - highpri - tier2 ms.topic: conceptual -ms.date: 11/23/2022 +ms.date: 11/14/2023 appliesto: - ✅ Windows 10 - ✅ Windows 11 
@@ -39,7 +39,15 @@ This article covers the following information: For more information on how to deploy Enterprise licenses, see [Deploy Windows Enterprise licenses](deploy-enterprise-licenses.md). > [!NOTE] -> Organizations that use the Subscription Activation feature to enable users to upgrade from one version of Windows to another and use Conditional Access policies to control access need to exclude the [Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications), from their Conditional Access policies using **Select Excluded Cloud Apps**. For more information about configuring exclusions in Conditional Access policies, see [Application exclusions](/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa#application-exclusions). +> +> Organizations that use the Subscription Activation feature to enable users to upgrade from one version of Windows to another and use Conditional Access policies to control access need to exclude one of the following cloud apps rom their Conditional Access policies using **Select Excluded Cloud Apps**. +> +> - [Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications). +> - [Windows Store for Business, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications). +> +> Although the app ID is the same in both instances, the name of the cloud app will depend on the tenant. 
+> +> For more information about configuring exclusions in Conditional Access policies, see [Application exclusions](/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa#application-exclusions). ## Subscription activation for Enterprise From a5788d4d3c67f852bcea08705092b426fc72c415 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Tue, 14 Nov 2023 15:50:16 -0500 Subject: [PATCH 60/80] Fix typo Fix typo --- windows/deployment/windows-10-subscription-activation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index ffa1ab5454..8c5131b40e 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md 
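Review bot: In the note added by PATCH 59/80 (`@@ -39,7 +39,15`), "exclude one of the following cloud apps" reads as a choice between two different apps, yet both bullets carry AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f and the closing sentence says only the display name varies by tenant. An exclusion removes that app from the policy's scope, so say outright that there is a single app to exclude, identified by its AppID, and that it appears under whichever of the two names the tenant shows. The same added sentence has the typo "cloud apps rom their", and it ends with a period although it introduces a list.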
@@ -40,7 +40,7 @@ For more information on how to deploy Enterprise licenses, see [Deploy Windows E > [!NOTE] > -> Organizations that use the Subscription Activation feature to enable users to upgrade from one version of Windows to another and use Conditional Access policies to control access need to exclude one of the following cloud apps rom their Conditional Access policies using **Select Excluded Cloud Apps**. +> Organizations that use the Subscription Activation feature to enable users to upgrade from one version of Windows to another and use Conditional Access policies to control access need to exclude one of the following cloud apps from their Conditional Access policies using **Select Excluded Cloud Apps**. > > - [Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications). > - [Windows Store for Business, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications). From 42ccbc771847eb9271afc0e816a6cabb27391c0b Mon Sep 17 00:00:00 2001 From: Jeff Borsecnik <123032460+American-Dipper@users.noreply.github.com> Date: Tue, 14 Nov 2023 13:14:30 -0800 Subject: [PATCH 61/80] fix indents/numbering --- windows/deployment/mbr-to-gpt.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md index 9b709effc7..1b24406aee 100644 --- a/windows/deployment/mbr-to-gpt.md +++ b/windows/deployment/mbr-to-gpt.md 
@@ -439,15 +439,15 @@ The partition type can be determined with the DiskPart tool. The DiskPart tool i 1. In the elevated command prompt that opens enter the following command: - ```cmd - DiskPart.exe - ``` + ```cmd + DiskPart.exe + ``` 1. The **DISKPART>** prompt is displayed in the command prompt windows. At the **DISKPART>** prompt, enter the following command: - ```cmd - list disk - ``` + ```cmd + list disk + ``` 1. The partition type is displayed in the **Gpt** column. If the partition is GPT, an asterisk (**\***) is displayed in the column. If the partition is MBR, the column will be blank. From 6e196830b1b82638575f0d0b9089ae0144a33879 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Tue, 14 Nov 2023 20:01:42 -0500 Subject: [PATCH 62/80] Add semicolon Add semicolon --- windows/deployment/windows-10-subscription-activation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 6c4ec1ff6a..b5fc8eb923 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md 
@@ -40,7 +40,7 @@ For more information on how to deploy Enterprise licenses, see [Deploy Windows E > [!NOTE] > -> Organizations that use the Subscription Activation feature to enable users to upgrade from one version of Windows to another and use Conditional Access policies to control access need to exclude one of the following cloud apps from their Conditional Access policies using **Select Excluded Cloud Apps**. +> Organizations that use the Subscription Activation feature to enable users to upgrade from one version of Windows to another and use Conditional Access policies to control access need to exclude one of the following cloud apps from their Conditional Access policies using **Select Excluded Cloud Apps**: > > - [Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications). > - [Windows Store for Business, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications). From fa2b73a6f35daee6b487c2e54494374149e8922b Mon Sep 17 00:00:00 2001 From: Herbert Mauerer <41573578+HerbertMauerer@users.noreply.github.com> Date: Wed, 15 Nov 2023 14:52:37 +0100 Subject: [PATCH 63/80] Update event-4738.md Actual meaning of Old UAC Value and New UAC Value as defined by SAM. --- .../threat-protection/auditing/event-4738.md | 35 ++----------------- 1 file changed, 3 insertions(+), 32 deletions(-) diff --git a/windows/security/threat-protection/auditing/event-4738.md b/windows/security/threat-protection/auditing/event-4738.md index 61cd4e80e6..b35ea56a2e 100644 --- a/windows/security/threat-protection/auditing/event-4738.md +++ b/windows/security/threat-protection/auditing/event-4738.md 
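Review bot: The subject of PATCH 62/80 says "Add semicolon", but the only change in its `@@ -40,7 +40,7` hunk replaces the period after **Select Excluded Cloud Apps** with a colon. Reword the subject to match (for example "Replace period with colon before list") so the history describes the change that was made.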
@@ -192,39 +192,10 @@ Typical **Primary Group** values for user accounts: > [!NOTE] > **Service Principal Name (SPN)** is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host. -- **Old UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user account. This parameter contains the previous value of **userAccountControl** attribute of user object. +- **Old UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the previous value of the SAM implementation of account flags (definition differs from userAccountControl in AD). -- **New UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user account. If the value of **userAccountControl** attribute of user object was changed, you will see the new value here. - -To decode this value, you can go through the property value definitions in the [User’s or Computer’s account UAC flags.](/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties) from largest to smallest. Compare each property value to the flags value in the event. If the flags value in the event is greater than or equal to the property value, then the property is "set" and applies to that event. 
Subtract the property value from the flags value in the event and note that the flag applies and then go on to the next flag. - -Here's an example: Flags value from event: 0x15 - -Decoding: - -• PASSWD\_NOTREQD 0x0020 - -• LOCKOUT 0x0010 - -• HOMEDIR\_REQUIRED 0x0008 - -• (undeclared) 0x0004 - -• ACCOUNTDISABLE 0x0002 - -• SCRIPT 0x0001 - -0x0020 > 0x15, so PASSWD\_NOTREQD does not apply to this event - -0x10 < 0x15, so LOCKOUT applies to this event. 0x15 - 0x10 = 0x5 - -0x4 < 0x5, so the undeclared value is set. We'll pretend it doesn't mean anything. 0x5 - 0x4 = 0x1 - -0x2 > 0x1, so ACCOUNTDISABLE does not apply to this event - -0x1 = 0x1, so SCRIPT applies to this event. 0x1 - 0x1 = 0x0, we're done. - -So this UAC flags value decodes to: LOCKOUT and SCRIPT +- **New UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the value of the SAM implementation of account flags (definition differs from userAccountControl in AD). If the value was changed, you will see the new value here. +For a list of account flags you may see here, please refer to [MS-SAMR]: USER_ACCOUNT Codes | Microsoft Learn - **User Account Control** \[Type = UnicodeString\]**:** shows the list of changes in **userAccountControl** attribute. You will see a line of text for each change. See possible values in here: [User’s or Computer’s account UAC flags](/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties). In the “User Account Control field text” column, you can see the text that will be displayed in the **User Account Control** field in 4738 event. From 8a7f8af7275deded025ab20d7d5a64c9e6e0979f Mon Sep 17 00:00:00 2001 
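Review bot: The added line "For a list of account flags you may see here, please refer to [MS-SAMR]: USER_ACCOUNT Codes | Microsoft Learn" in the `@@ -192,39 +192,10` hunk of event-4738.md is a pasted page title with no URL, so readers get no working reference, and because it directly follows the **New UAC Value** bullet it will render as a continuation of that bullet. Make it a real Markdown link in its own paragraph. The hunk also deletes the worked 0x15 decode without replacement; one sentence on how to read the value (test each USER_ACCOUNT bit against it) would keep the field usable for triage. The two rewritten bullets also drop the backslash escapes in `\[Type = UnicodeString\]` while the unchanged **User Account Control** bullet below keeps them; keep the escaping consistent.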
From: Herbert Mauerer <41573578+HerbertMauerer@users.noreply.github.com> Date: Wed, 15 Nov 2023 14:52:57 +0100 Subject: [PATCH 64/80] Update event-4742.md Actual meaning of Old UAC Value and New UAC Value as defined by SAM. --- .../threat-protection/auditing/event-4742.md | 39 ++----------------- 1 file changed, 3 insertions(+), 36 deletions(-) diff --git a/windows/security/threat-protection/auditing/event-4742.md b/windows/security/threat-protection/auditing/event-4742.md index 6d58542822..cffaebcf0d 100644 --- a/windows/security/threat-protection/auditing/event-4742.md +++ b/windows/security/threat-protection/auditing/event-4742.md 
@@ -197,43 +197,10 @@ Typical **Primary Group** values for computer accounts: > [!NOTE] > **Service Principal Name (SPN)** is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host. -- **Old UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the previous value of **userAccountControl** attribute of computer object. +- **Old UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the previous value of the SAM implementation of account flags (definition differs from userAccountControl in AD). -- **New UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. If the value of **userAccountControl** attribute of computer object was changed, you will see the new value here. - -To decode this value, you can go through the property value definitions in the “Table 7. User’s or Computer’s account UAC flags.” from largest to smallest. Compare each property value to the flags value in the event. If the flags value in the event is greater than or equal to the property value, then the property is "set" and applies to that event. Subtract the property value from the flags value in the event and note that the flag applies and then go on to the next flag. 
- -Here's an example: Flags value from event: 0x15 - -Decoding: - -• PASSWD\_NOTREQD 0x0020 - -• LOCKOUT 0x0010 - -• HOMEDIR\_REQUIRED 0x0008 - -• (undeclared) 0x0004 - -• ACCOUNTDISABLE 0x0002 - -• SCRIPT 0x0001 - -0x0020 > 0x15, so PASSWD\_NOTREQD does not apply to this event - -0x10 < 0x15, so LOCKOUT applies to this event. 0x15 - 0x10 = 0x5 - -0x4 < 0x5, so the undeclared value is set. We'll pretend it doesn't mean anything. 0x5 - 0x4 = 0x1 - -0x2 > 0x1, so ACCOUNTDISABLE does not apply to this event - -0x1 = 0x1, so SCRIPT applies to this event. 0x1 - 0x1 = 0x0, we're done. - -So this UAC flags value decodes to: LOCKOUT and SCRIPT - -- **User Account Control** \[Type = UnicodeString\]**:** shows the list of changes in **userAccountControl** attribute. You will see a line of text for each change. See possible values in here: “Table 7. User’s or Computer’s account UAC flags.”. In the “User Account Control field text” column, you can see text that will be displayed in the **User Account Control** field in 4742 event. - - +- **New UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the value of the SAM implementation of account flags (definition differs from userAccountControl in AD). If the value was changed, you will see the new value here. +For a list of account flags you may see here, please refer to [MS-SAMR]: USER_ACCOUNT Codes | Microsoft Learn - **User Parameters** \[Type = UnicodeString\]: if you change any setting using Active Directory Users and Computers management console in Dial-in tab of computer’s account properties, then you will see `` in this field. From 10f15ed997d30352cb1a3558f7ead341abad55b7 Mon Sep 17 00:00:00 2001 
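Review bot: The **User Account Control** field description should not be dropped in the `@@ -197,43 +197,10` hunk of event-4742.md: the line "- **User Account Control** \[Type = UnicodeString\]**:** shows the list of changes in **userAccountControl** attribute" is removed, which the commit message ("Actual meaning of Old UAC Value and New UAC Value") does not mention, and the matching change to event-4738.md keeps that bullet. Restore it, pointing at the same UAC flags link event-4738.md uses in place of "Table 7", or explain in the commit message why 4742 no longer documents that field.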
From: Herbert Mauerer <41573578+HerbertMauerer@users.noreply.github.com> Date: Wed, 15 Nov 2023 14:53:07 +0100 Subject: [PATCH 65/80] Update event-4720.md Actual meaning of Old UAC Value and New UAC Value as defined by SAM. --- .../threat-protection/auditing/event-4720.md | 79 +------------------ 1 file changed, 3 insertions(+), 76 deletions(-) diff --git a/windows/security/threat-protection/auditing/event-4720.md b/windows/security/threat-protection/auditing/event-4720.md index 726f71bbbd..56548894f7 100644 --- a/windows/security/threat-protection/auditing/event-4720.md +++ b/windows/security/threat-protection/auditing/event-4720.md 
@@ -166,83 +166,10 @@ Typically, **Primary Group** field for new user accounts has the following value > **Note**  **Service Principal Name (SPN)** is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host. -- **Old UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user account. **Old UAC value** always **“0x0”** for new user accounts. This parameter contains the previous value of **userAccountControl** attribute of user object. +- **Old UAC Value** [Type = UnicodeString]: is always “0x0” for new accounts. -- **New UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user account. This parameter contains the value of **userAccountControl** attribute of new user object. - -To decode this value, you can go through the property value definitions in the “Table 7. User’s or Computer’s account UAC flags.” from largest to smallest. Compare each property value to the flags value in the event. If the flags value in the event is greater than or equal to the property value, then the property is "set" and applies to that event. Subtract the property value from the flags value in the event and note that the flag applies and then go on to the next flag. 
- -Here's an example: Flags value from event: 0x15 - -Decoding: - -• PASSWD\_NOTREQD 0x0020 - -• LOCKOUT 0x0010 - -• HOMEDIR\_REQUIRED 0x0008 - -• (undeclared) 0x0004 - -• ACCOUNTDISABLE 0x0002 - -• SCRIPT 0x0001 - -0x0020 > 0x15, so PASSWD\_NOTREQD does not apply to this event - -0x10 < 0x15, so LOCKOUT applies to this event. 0x15 - 0x10 = 0x5 - -0x4 < 0x5, so the undeclared value is set. We'll pretend it doesn't mean anything. 0x5 - 0x4 = 0x1 - -0x2 > 0x1, so ACCOUNTDISABLE does not apply to this event - -0x1 = 0x1, so SCRIPT applies to this event. 0x1 - 0x1 = 0x0, we're done. - -So this UAC flags value decodes to: LOCKOUT and SCRIPT - -- **User Account Control** \[Type = UnicodeString\]**:** shows the list of changes in **userAccountControl** attribute. You will see a line of text for each change. For new user accounts, when the object for this account was created, the **userAccountControl** value was considered to be **“0x0”**, and then it was changed from **“0x0”** to the real value for the account's **userAccountControl** attribute. See possible values in the table below. In the “User Account Control field text” column, you can see the text that will be displayed in the **User Account Control** field in 4720 event. 
- -| Flag Name | userAccountControl in hexadecimal | userAccountControl in decimal | Description | User Account Control field text | -|------------------------------------|-----------------------------------|-------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------| -| SCRIPT | 0x0001 | 1 | The logon script will be run. | Changes of this flag do not show in 4720 events. | -| ACCOUNTDISABLE | 0x0002 | 2 | The user account is disabled. | Account Disabled
    Account Enabled | -| Undeclared | 0x0004 | 4 | This flag is undeclared. | Changes of this flag do not show in 4720 events. | -| HOMEDIR\_REQUIRED | 0x0008 | 8 | The home folder is required. | 'Home Directory Required' - Enabled
    'Home Directory Required' - Disabled | -| LOCKOUT | 0x0010 | 16 | | Changes of this flag do not show in 4720 events. | -| PASSWD\_NOTREQD | 0x0020 | 32 | No password is required. | 'Password Not Required' - Enabled
    'Password Not Required' - Disabled | -| PASSWD\_CANT\_CHANGE | 0x0040 | 64 | The user cannot change the password. This is a permission on the user's object. | Changes of this flag do not show in 4720 events. | -| ENCRYPTED\_TEXT\_PWD\_ALLOWED | 0x0080 | 128 | The user can send an encrypted password.
    Can be set using “Store password using reversible encryption” checkbox. | 'Encrypted Text Password Allowed' - Disabled
    'Encrypted Text Password Allowed' - Enabled | -| TEMP\_DUPLICATE\_ACCOUNT | 0x0100 | 256 | This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. This is sometimes referred to as a local user account. | Cannot be set for computer account. | -| NORMAL\_ACCOUNT | 0x0200 | 512 | This is a default account type that represents a typical user. | 'Normal Account' - Disabled
    'Normal Account' - Enabled | -| INTERDOMAIN\_TRUST\_ACCOUNT | 0x0800 | 2048 | This is a permit to trust an account for a system domain that trusts other domains. | Cannot be set for computer account. | -| WORKSTATION\_TRUST\_ACCOUNT | 0x1000 | 4096 | This is a computer account for a computer that is running Microsoft Windows NT 4.0 Workstation, Microsoft Windows NT 4.0 Server, Microsoft Windows 2000 Professional, or Windows 2000 Server and is a member of this domain. | 'Workstation Trust Account' - Disabled
    'Workstation Trust Account' - Enabled | -| SERVER\_TRUST\_ACCOUNT | 0x2000 | 8192 | This is a computer account for a domain controller that is a member of this domain. | 'Server Trust Account' - Enabled
    'Server Trust Account' - Disabled | -| DONT\_EXPIRE\_PASSWORD | 0x10000 | 65536 | Represents the password, which should never expire on the account.
    Can be set using “Password never expires” checkbox. | 'Don't Expire Password' - Disabled
    'Don't Expire Password' - Enabled | -| MNS\_LOGON\_ACCOUNT | 0x20000 | 131072 | This is an MNS logon account. | 'MNS Logon Account' - Disabled
    'MNS Logon Account' - Enabled | -| SMARTCARD\_REQUIRED | 0x40000 | 262144 | When this flag is set, it forces the user to log on by using a smart card. | 'Smartcard Required' - Disabled
    'Smartcard Required' - Enabled | -| TRUSTED\_FOR\_DELEGATION | 0x80000 | 524288 | When this flag is set, the service account (the user or computer account) under which a service runs is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service. To enable a service for Kerberos delegation, you must set this flag on the userAccountControl property of the service account.
    If you enable Kerberos constraint or unconstraint delegation or disable these types of delegation in Delegation tab you will get this flag changed. | 'Trusted For Delegation' - Enabled
    'Trusted For Delegation' - Disabled | -| NOT\_DELEGATED | 0x100000 | 1048576 | When this flag is set, the security context of the user is not delegated to a service even if the service account is set as trusted for Kerberos delegation.
    Can be set using “Account is sensitive and cannot be delegated” checkbox. | 'Not Delegated' - Disabled
    'Not Delegated' - Enabled | -| USE\_DES\_KEY\_ONLY | 0x200000 | 2097152 | Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
    Can be set using “Use Kerberos DES encryption types for this account” checkbox. | 'Use DES Key Only' - Disabled
    'Use DES Key Only' - Enabled | -| DONT\_REQ\_PREAUTH | 0x400000 | 4194304 | This account does not require Kerberos pre-authentication for logging on.
    Can be set using “Do not require Kerberos preauthentication” checkbox. | 'Don't Require Preauth' - Disabled
    'Don't Require Preauth' - Enabled | -| PASSWORD\_EXPIRED | 0x800000 | 8388608 | The user's password has expired. | Changes of this flag do not show in 4720 events. | -| TRUSTED\_TO\_AUTH\_FOR\_DELEGATION | 0x1000000 | 16777216 | The account is enabled for delegation. This is a security-sensitive setting. Accounts that have this option enabled should be tightly controlled. This setting lets a service that runs under the account assume a client's identity and authenticate as that user to other remote servers on the network.
    If you enable Kerberos protocol transition delegation or disable this type of delegation in Delegation tab you will get this flag changed. | 'Trusted To Authenticate For Delegation' - Disabled
    'Trusted To Authenticate For Delegation' - Enabled | -| PARTIAL\_SECRETS\_ACCOUNT | 0x04000000 | 67108864 | The account is a read-only domain controller (RODC). This is a security-sensitive setting. Removing this setting from an RODC compromises security on that server. | No information. | - -For new, manually created, domain or local user accounts typical flags are: - -- Account Disabled - -- 'Password Not Required' - Enabled - -- 'Normal Account' – Enabled - - After new user creation event you will typically see couple of “[4738](event-4738.md): A user account was changed.” events with new flags: - -- 'Password Not Required' – Disabled - -- Account Enabled - - +- **New UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the value of the SAM implementation of account flags (definition differs from userAccountControl in AD). +For a list of account flags you may see here, please refer to [MS-SAMR]: USER_ACCOUNT Codes | Microsoft Learn - **User Parameters** \[Type = UnicodeString\]: if you change any setting using Active Directory Users and Computers management console in Dial-in tab of user’s account properties, then you will see **<value changed, but not displayed>** in this field in “[4738](event-4738.md): A user account was changed.” This parameter might not be captured in the event, and in that case appears as “-”. For new local accounts this field typically has value “**<value not set>**”. From bcb06b366e0974864272f5e86b26190abba03ad6 Mon Sep 17 00:00:00 2001 From: Herbert Mauerer <41573578+HerbertMauerer@users.noreply.github.com> Date: Wed, 15 Nov 2023 14:53:15 +0100 Subject: [PATCH 66/80] Update event-4741.md Actual meaning of Old UAC Value and New UAC Value as defined by SAM. --- .../threat-protection/auditing/event-4741.md | 65 +------------------ 1 file changed, 3 insertions(+), 62 deletions(-) 
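Review bot: Deleting the whole flag table in the `@@ -166,83 +166,10` hunk of event-4720.md also removes the "User Account Control field text" column and the baseline for new accounts (Account Disabled, 'Password Not Required' - Enabled, 'Normal Account' - Enabled, followed by 4738 events), and none of the three added lines replaces either. Those strings and that baseline are what an analyst compares a 4720 event against, including for the delegation and pre-authentication flags the table marks as security-sensitive, so keep the **User Account Control** bullet with its table or link to the UAC flags article that event-4738.md references. The new **Old UAC Value** text, "is always “0x0” for new accounts.", also no longer says what the field contains.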
diff --git a/windows/security/threat-protection/auditing/event-4741.md b/windows/security/threat-protection/auditing/event-4741.md index a245d7e5ce..e188466a86 100644 --- a/windows/security/threat-protection/auditing/event-4741.md +++ b/windows/security/threat-protection/auditing/event-4741.md 
@@ -170,69 +170,10 @@ Typically, **Primary Group** field for new computer accounts has the following v > [!NOTE] > **Service Principal Name (SPN)** is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host. -- **Old UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. **Old UAC value** always `0x0` for new computer accounts. This parameter contains the previous value of **userAccountControl** attribute of computer object. +- **Old UAC Value** [Type = UnicodeString]: is always “0x0” for new accounts. -- **New UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the value of **userAccountControl** attribute of new computer object. - -To decode this value, you can go through the property value definitions in the “Table 7. User’s or Computer’s account UAC flags.” from largest to smallest. Compare each property value to the flags value in the event. If the flags value in the event is greater than or equal to the property value, then the property is "set" and applies to that event. Subtract the property value from the flags value in the event and note that the flag applies and then go on to the next flag. 
- -Here's an example: Flags value from event: 0x15 - -Decoding: - -• PASSWD\_NOTREQD 0x0020 - -• LOCKOUT 0x0010 - -• HOMEDIR\_REQUIRED 0x0008 - -• (undeclared) 0x0004 - -• ACCOUNTDISABLE 0x0002 - -• SCRIPT 0x0001 - -0x0020 > 0x15, so PASSWD\_NOTREQD does not apply to this event - -0x10 < 0x15, so LOCKOUT applies to this event. 0x15 - 0x10 = 0x5 - -0x4 < 0x5, so the undeclared value is set. We'll pretend it doesn't mean anything. 0x5 - 0x4 = 0x1 - -0x2 > 0x1, so ACCOUNTDISABLE does not apply to this event - -0x1 = 0x1, so SCRIPT applies to this event. 0x1 - 0x1 = 0x0, we're done. - -So this UAC flags value decodes to: LOCKOUT and SCRIPT - -- **User Account Control** \[Type = UnicodeString\]**:** shows the list of changes in **userAccountControl** attribute. You will see a line of text for each change. For new computer accounts, when the object for this account was created, the **userAccountControl** value was considered to be `0x0`, and then it was changed from `0x0` to the real value for the account's **userAccountControl** attribute. See possible values in the table below. In the “User Account Control field text” column, you can see the text that will be displayed in the **User Account Control** field in 4741 event. - -| Flag Name | userAccountControl in hexadecimal | userAccountControl in decimal | Description | User Account Control field text | -|---|---|---|---|---| -| SCRIPT | 0x0001 | 1 | The logon script will be run. | Changes of this flag do not show in 4741 events. | -| ACCOUNTDISABLE | 0x0002 | 2 | The user account is disabled. | Account Disabled
    Account Enabled | -| Undeclared | 0x0004 | 4 | This flag is undeclared. | Changes of this flag do not show in 4741 events. | -| HOMEDIR\_REQUIRED | 0x0008 | 8 | The home folder is required. | 'Home Directory Required' - Enabled
    'Home Directory Required' - Disabled | -| LOCKOUT | 0x0010 | 16 | | Changes of this flag do not show in 4741 events. | -| PASSWD\_NOTREQD | 0x0020 | 32 | No password is required. | 'Password Not Required' - Enabled
    'Password Not Required' - Disabled | -| PASSWD\_CANT\_CHANGE | 0x0040 | 64 | The user cannot change the password. This is a permission on the user's object. | Changes of this flag do not show in 4741 events. | -| ENCRYPTED\_TEXT\_PWD\_ALLOWED | 0x0080 | 128 | The user can send an encrypted password.
    Can be set using “Store password using reversible encryption” checkbox. | 'Encrypted Text Password Allowed' - Disabled
    'Encrypted Text Password Allowed' - Enabled | -| TEMP\_DUPLICATE\_ACCOUNT | 0x0100 | 256 | This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. This is sometimes referred to as a local user account. | Cannot be set for computer account. | -| NORMAL\_ACCOUNT | 0x0200 | 512 | This is a default account type that represents a typical user. | 'Normal Account' - Disabled
    'Normal Account' - Enabled | -| INTERDOMAIN\_TRUST\_ACCOUNT | 0x0800 | 2048 | This is a permit to trust an account for a system domain that trusts other domains. | Cannot be set for computer account. | -| WORKSTATION\_TRUST\_ACCOUNT | 0x1000 | 4096 | This is a computer account for a computer that is running Microsoft Windows NT 4.0 Workstation, Microsoft Windows NT 4.0 Server, Microsoft Windows 2000 Professional, or Windows 2000 Server and is a member of this domain. | 'Workstation Trust Account' - Disabled
    'Workstation Trust Account' - Enabled | -| SERVER\_TRUST\_ACCOUNT | 0x2000 | 8192 | This is a computer account for a domain controller that is a member of this domain. | 'Server Trust Account' - Enabled
    'Server Trust Account' - Disabled | -| DONT\_EXPIRE\_PASSWORD | 0x10000 | 65536 | Represents the password, which should never expire on the account.
    Can be set using “Password never expires” checkbox. | 'Don't Expire Password' - Disabled
    'Don't Expire Password' - Enabled | -| MNS\_LOGON\_ACCOUNT | 0x20000 | 131072 | This is an MNS logon account. | 'MNS Logon Account' - Disabled
    'MNS Logon Account' - Enabled | -| SMARTCARD\_REQUIRED | 0x40000 | 262144 | When this flag is set, it forces the user to log on by using a smart card. | 'Smartcard Required' - Disabled
    'Smartcard Required' - Enabled | -| TRUSTED\_FOR\_DELEGATION | 0x80000 | 524288 | When this flag is set, the service account (the user or computer account) under which a service runs is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service. To enable a service for Kerberos delegation, you must set this flag on the userAccountControl property of the service account.
    If you enable Kerberos constraint or unconstraint delegation or disable these types of delegation in Delegation tab you will get this flag changed. | 'Trusted For Delegation' - Enabled
    'Trusted For Delegation' - Disabled | -| NOT\_DELEGATED | 0x100000 | 1048576 | When this flag is set, the security context of the user is not delegated to a service even if the service account is set as trusted for Kerberos delegation.
    Can be set using “Account is sensitive and cannot be delegated” checkbox. | 'Not Delegated' - Disabled
    'Not Delegated' - Enabled | -| USE\_DES\_KEY\_ONLY | 0x200000 | 2097152 | Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
    Can be set using “Use Kerberos DES encryption types for this account” checkbox. | 'Use DES Key Only' - Disabled
    'Use DES Key Only' - Enabled | -| DONT\_REQ\_PREAUTH | 0x400000 | 4194304 | This account does not require Kerberos pre-authentication for logging on.
    Can be set using “Do not require Kerberos preauthentication” checkbox. | 'Don't Require Preauth' - Disabled
    'Don't Require Preauth' - Enabled | -| PASSWORD\_EXPIRED | 0x800000 | 8388608 | The user's password has expired. | Changes of this flag do not show in 4741 events. | -| TRUSTED\_TO\_AUTH\_FOR\_DELEGATION | 0x1000000 | 16777216 | The account is enabled for delegation. This is a security-sensitive setting. Accounts that have this option enabled should be tightly controlled. This setting lets a service that runs under the account assume a client's identity and authenticate as that user to other remote servers on the network.
    If you enable Kerberos protocol transition delegation or disable this type of delegation in Delegation tab you will get this flag changed. | 'Trusted To Authenticate For Delegation' - Disabled
    'Trusted To Authenticate For Delegation' - Enabled | -| PARTIAL\_SECRETS\_ACCOUNT | 0x04000000 | 67108864 | The account is a read-only domain controller (RODC). This is a security-sensitive setting. Removing this setting from an RODC compromises security on that server. | No information. | - -> Table 7. User’s or Computer’s account UAC flags. +- **New UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the value of the SAM implementation of account flags (definition differs from userAccountControl in AD). +For a list of account flags you may see here, please refer to [MS-SAMR]: USER_ACCOUNT Codes | Microsoft Learn - **User Parameters** \[Type = UnicodeString\]: if you change any setting using Active Directory Users and Computers management console in Dial-in tab of computer’s account properties, then you will see `` in this field in “[4742](event-4742.md)(S): A computer account was changed.” This parameter might not be captured in the event, and in that case appears as `-`. From c293044f362171d85a50fe9694c30fb25d91ab52 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 15 Nov 2023 07:22:54 -0800 Subject: [PATCH 67/80] fix syntax error --- windows/whats-new/deprecated-features.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/whats-new/deprecated-features.md b/windows/whats-new/deprecated-features.md index cad07d84d8..1f4ad7580a 100644 --- a/windows/whats-new/deprecated-features.md +++ b/windows/whats-new/deprecated-features.md 
@@ -37,7 +37,6 @@ The features in this article are no longer being actively developed, and might b |Feature | Details and mitigation | Deprecation announced | | ----------- | --------------------- | ---- | | Steps Recorder (psr.exe) | Steps Recorder is no longer being updated and will be removed in a future release of Windows. For screen recording, we recommend the Snipping Tool, Xbox Game Bar, or Microsoft Clipchamp. | November 2023 | -| --- | --- | --- | | Tips | The Tips app is deprecated and will be removed in a future release of Windows. Content in the app will continue to be updated with information about new Windows features until the app is removed. | November 2023 | | Computer Browser | The Computer Browser driver and service are deprecated. The browser (browser protocol and service) is a dated and insecure device location protocol. This protocol, service, and driver were first disabled by default in Windows 10 with the removal of the SMB1 service. For more information on Computer Browser, see [MS-BRWS Common Internet File System](/openspecs/windows_protocols/ms-brws/3cfbad92-09b3-4abc-808f-c6f6347d5677). | November 2023 | | Webclient (WebDAV) Service | The Webclient (WebDAV) service is deprecated. The Webclient service isn't started by default in Windows. For more information on WebDAV, see [WebDAV - Win32 apps](/windows/win32/webdav/webdav-portal). | November 2023 | From 0b673fbd0166438ef95dd9f7b9d16c99a85b6af0 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Wed, 15 Nov 2023 10:36:54 -0500 Subject: [PATCH 68/80] Update event-4742.md --- windows/security/threat-protection/auditing/event-4742.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/threat-protection/auditing/event-4742.md b/windows/security/threat-protection/auditing/event-4742.md index cffaebcf0d..4a82933448 100644 --- a/windows/security/threat-protection/auditing/event-4742.md 
+++ b/windows/security/threat-protection/auditing/event-4742.md @@ -199,8 +199,7 @@ Typical **Primary Group** values for computer accounts: - **Old UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the previous value of the SAM implementation of account flags (definition differs from userAccountControl in AD). -- **New UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the value of the SAM implementation of account flags (definition differs from userAccountControl in AD). If the value was changed, you will see the new value here. -For a list of account flags you may see here, please refer to [MS-SAMR]: USER_ACCOUNT Codes | Microsoft Learn +- **New UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the value of the SAM implementation of account flags (definition differs from userAccountControl in AD). If the value was changed, you will see the new value here. For a list of account flags you may see here, refer to [[MS-SAMR]: USER_ACCOUNT Codes](/openspecs/windows_protocols/ms-samr/b10cfda1-f24f-441b-8f43-80cb93e786ec). - **User Parameters** \[Type = UnicodeString\]: if you change any setting using Active Directory Users and Computers management console in Dial-in tab of computer’s account properties, then you will see `` in this field. From 354b374b65bb27681316eb29af6a1574767f6adf Mon Sep 17 00:00:00 2001 
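Review bot: in event-4742.md the new link text on the **New UAC Value** line nests unescaped brackets, `[[MS-SAMR]: USER_ACCOUNT Codes](...)`, while the neighbouring **User Parameters** bullet escapes them as `\[Type = UnicodeString\]`. Escape the inner pair (`[\[MS-SAMR\]: USER_ACCOUNT Codes](...)`) so the text cannot be picked up as a reference-style link, and use one bracket style throughout the list. The **Old UAC Value** bullet describes the same SAM account flags but carries no reference, so a reader comparing old and new values has to find the link one bullet further down. Consider pointing both bullets at the same list.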
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Wed, 15 Nov 2023 10:48:03 -0500 Subject: [PATCH 69/80] Update event-4720.md --- windows/security/threat-protection/auditing/event-4720.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/threat-protection/auditing/event-4720.md b/windows/security/threat-protection/auditing/event-4720.md index 56548894f7..5ca11d5d60 100644 --- a/windows/security/threat-protection/auditing/event-4720.md +++ b/windows/security/threat-protection/auditing/event-4720.md 
@@ -168,8 +168,7 @@ Typically, **Primary Group** field for new user accounts has the following value - **Old UAC Value** [Type = UnicodeString]: is always “0x0” for new accounts. -- **New UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the value of the SAM implementation of account flags (definition differs from userAccountControl in AD). -For a list of account flags you may see here, please refer to [MS-SAMR]: USER_ACCOUNT Codes | Microsoft Learn +- **New UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the value of the SAM implementation of account flags (definition differs from userAccountControl in AD). For a list of account flags you may see here, refer to [[MS-SAMR]: USER_ACCOUNT Codes](/openspecs/windows_protocols/ms-samr/b10cfda1-f24f-441b-8f43-80cb93e786ec). - **User Parameters** \[Type = UnicodeString\]: if you change any setting using Active Directory Users and Computers management console in Dial-in tab of user’s account properties, then you will see **<value changed, but not displayed>** in this field in “[4738](event-4738.md): A user account was changed.” This parameter might not be captured in the event, and in that case appears as “-”. For new local accounts this field typically has value “**<value not set>**”. From 3c37dc9f80223d624434e123ef3fdb6f39cc4ae0 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Wed, 15 Nov 2023 10:56:39 -0500 Subject: [PATCH 70/80] Update event-4741.md --- windows/security/threat-protection/auditing/event-4741.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
diff --git a/windows/security/threat-protection/auditing/event-4741.md b/windows/security/threat-protection/auditing/event-4741.md index e188466a86..e26b0c96b3 100644 --- a/windows/security/threat-protection/auditing/event-4741.md +++ b/windows/security/threat-protection/auditing/event-4741.md @@ -172,8 +172,7 @@ Typically, **Primary Group** field for new computer accounts has the following v - **Old UAC Value** [Type = UnicodeString]: is always “0x0” for new accounts. -- **New UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the value of the SAM implementation of account flags (definition differs from userAccountControl in AD). -For a list of account flags you may see here, please refer to [MS-SAMR]: USER_ACCOUNT Codes | Microsoft Learn +- **New UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the value of the SAM implementation of account flags (definition differs from userAccountControl in AD). For a list of account flags you may see here, refer to [[MS-SAMR]: USER_ACCOUNT Codes](/openspecs/windows_protocols/ms-samr/b10cfda1-f24f-441b-8f43-80cb93e786ec). - **User Parameters** \[Type = UnicodeString\]: if you change any setting using Active Directory Users and Computers management console in Dial-in tab of computer’s account properties, then you will see `` in this field in “[4742](event-4742.md)(S): A computer account was changed.” This parameter might not be captured in the event, and in that case appears as `-`. From 6f95ab612d7eb8663cea036701389f5416ef590b Mon Sep 17 00:00:00 2001 
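Review bot: after this series, event-4741.md has no description of the **User Account Control** field left. The earlier hunk for this file deleted that bullet together with the flag table and the worked 0x15 decoding example, and this hunk only turns the MS-SAMR reference into a link, so **New UAC Value** is now followed directly by **User Parameters**. event-4738.md keeps its **User Account Control** bullet and links it to the userAccountControl flags article. Do the same here if the 4741 event still emits that field. Since the worked example is gone, the **New UAC Value** text should also state that the field is a hexadecimal bitmask, so that an analyst reading the event knows the value has to be split into individual flags before it is compared with the linked list.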
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Wed, 15 Nov 2023 10:58:07 -0500 Subject: [PATCH 71/80] Update event-4738.md --- windows/security/threat-protection/auditing/event-4738.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/threat-protection/auditing/event-4738.md b/windows/security/threat-protection/auditing/event-4738.md index b35ea56a2e..be3bf1a1e5 100644 --- a/windows/security/threat-protection/auditing/event-4738.md +++ b/windows/security/threat-protection/auditing/event-4738.md 
@@ -194,8 +194,7 @@ Typical **Primary Group** values for user accounts: - **Old UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the previous value of the SAM implementation of account flags (definition differs from userAccountControl in AD). -- **New UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the value of the SAM implementation of account flags (definition differs from userAccountControl in AD). If the value was changed, you will see the new value here. -For a list of account flags you may see here, please refer to [MS-SAMR]: USER_ACCOUNT Codes | Microsoft Learn +- **New UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the value of the SAM implementation of account flags (definition differs from userAccountControl in AD). If the value was changed, you will see the new value here. For a list of account flags you may see here, refer to [[MS-SAMR]: USER_ACCOUNT Codes](/openspecs/windows_protocols/ms-samr/b10cfda1-f24f-441b-8f43-80cb93e786ec). - **User Account Control** \[Type = UnicodeString\]**:** shows the list of changes in **userAccountControl** attribute. You will see a line of text for each change. See possible values in here: [User’s or Computer’s account UAC flags](/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties). In the “User Account Control field text” column, you can see the text that will be displayed in the **User Account Control** field in 4738 event. From 8f651c730b5fe2fa3b45a802b913abb5f4d6f558 Mon Sep 17 00:00:00 2001 
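Review bot: in event-4738.md the unchanged **User Account Control** bullet right after the edited line still says 'In the "User Account Control field text" column, you can see the text that will be displayed', but the table it refers to is now an external link rather than a table on this page. Confirm that the linked userAccountControl article has a column with that name. If it does not, reword the sentence or restore the event-text mapping here, because that mapping is what lets a reader match the lines in the event to individual flags. The line also now holds two references with different flag definitions (SAM USER_ACCOUNT codes for **New UAC Value**, AD userAccountControl for **User Account Control**), so a short clause on which list applies to which field would prevent values being decoded against the wrong table.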
From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 15 Nov 2023 15:12:23 -0800 Subject: [PATCH 72/80] meta update --- windows/client-management/manage-windows-copilot.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md index e8c129e081..9851b09748 100644 --- a/windows/client-management/manage-windows-copilot.md +++ b/windows/client-management/manage-windows-copilot.md @@ -4,6 +4,8 @@ description: Learn how to manage Copilot in Windows for commercial environments ms.topic: article ms.technology: itpro-windows-copilot ms.date: 11/06/2023 +ms.author: mstewart +author: mestew appliesto: - ✅ Windows 11, version 22H2 or later --- From 87ed1cbfb0c7be095db32783b1c80f44a58e32c2 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Thu, 16 Nov 2023 11:40:20 -0500 Subject: [PATCH 73/80] Update update-csp.md --- windows/client-management/mdm/update-csp.md | 118 +++++++++++--------- 1 file changed, 67 insertions(+), 51 deletions(-) diff --git a/windows/client-management/mdm/update-csp.md b/windows/client-management/mdm/update-csp.md index 9a3988642d..e825289b3c 100644 --- a/windows/client-management/mdm/update-csp.md +++ b/windows/client-management/mdm/update-csp.md @@ -8,7 +8,7 @@ ms.topic: reference ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft -ms.date: 02/23/2018 +ms.date: 11/16/2023 --- # Update CSP @@ -40,7 +40,7 @@ The following example shows the Update configuration service provider in tree fo ----FailedUpdates --------Failed Update Guid ------------HResult -------------Status +------------State ------------RevisionNumber ----InstalledUpdates --------Installed Update Guid @@ -63,136 +63,152 @@ The following example shows the Update configuration service provider in tree fo ``` **./Vendor/MSFT/Update** -

    The root node. +The root node. -

    Supported operation is Get. +Supported operation is Get. **ApprovedUpdates** -

    Node for update approvals and EULA acceptance on behalf of the end-user. +Node for update approvals and EULA acceptance on behalf of the end-user. > [!NOTE] > When the RequireUpdateApproval policy is set, the MDM uses the ApprovedUpdates list to pass the approved GUIDs. These GUIDs should be a subset of the InstallableUpdates list. -

    The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to do this is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It is only necessary to approve the EULA once per EULA ID, not one per update. +The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to do this is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It is only necessary to approve the EULA once per EULA ID, not one per update. -

    The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (that is, updates to the virus and spyware definitions on devices) and Security Updates (that is, product-specific updates for security-related vulnerability). The update approval list doesn't support the uninstallation of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs due to changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID. +The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (that is, updates to the virus and spyware definitions on devices) and Security Updates (that is, product-specific updates for security-related vulnerability). The update approval list doesn't support the uninstallation of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs due to changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID. > [!NOTE] > For the Windows 10 build, the client may need to reboot after additional updates are added. -

    Supported operations are Get and Add. +Supported operations are Get and Add. **ApprovedUpdates/_Approved Update Guid_** -

    Specifies the update GUID. +Specifies the update GUID. -

    To auto-approve a class of updates, you can specify the Update Classifications GUIDs. We strongly recommend to always specify the DefinitionsUpdates classification (E0789628-CE08-4437-BE74-2495B842F43B), which are used for anti-malware signatures. These GUIDs are released periodically (several times a day). Some businesses may also want to auto-approve security updates to get them deployed quickly. +To auto-approve a class of updates, you can specify the Update Classifications GUIDs. We strongly recommend to always specify the DefinitionsUpdates classification (E0789628-CE08-4437-BE74-2495B842F43B), which are used for anti-malware signatures. These GUIDs are released periodically (several times a day). Some businesses may also want to auto-approve security updates to get them deployed quickly. -

    Supported operations are Get and Add. +Supported operations are Get and Add. -

    Sample syncml: +Sample syncml: ``` ./Vendor/MSFT/Update/ApprovedUpdates/%7ba317dafe-baf4-453f-b232-a7075efae36e%7d ``` **ApprovedUpdates/*Approved Update Guid*/ApprovedTime** -

    Specifies the time the update gets approved. +Specifies the time the update gets approved. -

    Supported operations are Get and Add. +Supported operations are Get and Add. **FailedUpdates** -

    Specifies the approved updates that failed to install on a device. +Specifies the approved updates that failed to install on a device. -

    Supported operation is Get. +Supported operation is Get. **FailedUpdates/_Failed Update Guid_** -

    Update identifier field of the UpdateIdentity GUID that represents an update that failed to download or install. +Update identifier field of the UpdateIdentity GUID that represents an update that failed to download or install. -

    Supported operation is Get. +Supported operation is Get. **FailedUpdates/*Failed Update Guid*/HResult** -

    The update failure error code. +The update failure error code. -

    Supported operation is Get. +Supported operation is Get. -**FailedUpdates/*Failed Update Guid*/Status** -

    Specifies the failed update status (for example, download, install). +**FailedUpdates/*Failed Update Guid*/State** +Specifies the failed update state. -

    Supported operation is Get. +| Update Status | Integer Value | +| -------------------------- | ------------- | +| UpdateStatusNewUpdate | 1 | +| UpdateStatusReadyToDownload| 2 | +| UpdateStatusDownloading | 4 | +| UpdateStatusDownloadBlocked| 8 | +| UpdateStatusDownloadFailed | 16 | +| UpdateStatusReadyToInstall | 32 | +| UpdateStatusInstalling | 64 | +| UpdateStatusInstallBlocked | 128 | +| UpdateStatusInstallFailed | 256 | +| UpdateStatusRebootRequired | 512 | +| UpdateStatusUpdateCompleted| 1024 | +| UpdateStatusCommitFailed | 2048 | +| UpdateStatusPostReboot | 4096 | + +Supported operation is Get. **FailedUpdates/*Failed Update Guid*/RevisionNumber** -

    Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update. +Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update. -

    Supported operation is Get. +Supported operation is Get. **InstalledUpdates** -

    The updates that are installed on the device. +The updates that are installed on the device. -

    Supported operation is Get. +Supported operation is Get. **InstalledUpdates/_Installed Update Guid_** -

    UpdateIDs that represent the updates installed on a device. +UpdateIDs that represent the updates installed on a device. -

    Supported operation is Get. +Supported operation is Get. **InstalledUpdates/*Installed Update Guid*/RevisionNumber** -

    Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update. +Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update. -

    Supported operation is Get. +Supported operation is Get. **InstallableUpdates** -

    The updates that are applicable and not yet installed on the device. These updates include updates that aren't yet approved. +The updates that are applicable and not yet installed on the device. These updates include updates that aren't yet approved. -

    Supported operation is Get. +Supported operation is Get. **InstallableUpdates/_Installable Update Guid_** -

    Update identifiers that represent the updates applicable and not installed on a device. +Update identifiers that represent the updates applicable and not installed on a device. -

    Supported operation is Get. +Supported operation is Get. **InstallableUpdates/*Installable Update Guid*/Type** -

    The UpdateClassification value of the update. Valid values are: +The UpdateClassification value of the update. Valid values are: - 0 - None - 1 - Security - 2 - Critical -

    Supported operation is Get. +Supported operation is Get. **InstallableUpdates/*Installable Update Guid*/RevisionNumber** -

    The revision number for the update that must be passed in server to server sync to get the metadata for the update. +The revision number for the update that must be passed in server to server sync to get the metadata for the update. -

    Supported operation is Get. +Supported operation is Get. **PendingRebootUpdates** -

    The updates that require a reboot to complete the update session. +The updates that require a reboot to complete the update session. -

    Supported operation is Get. +Supported operation is Get. **PendingRebootUpdates/_Pending Reboot Update Guid_** -

    Update identifiers for the pending reboot state. +Update identifiers for the pending reboot state. -

    Supported operation is Get. +Supported operation is Get. **PendingRebootUpdates/*Pending Reboot Update Guid*/InstalledTime** -

    The time the update is installed. +The time the update is installed. -

    Supported operation is Get. +Supported operation is Get. **PendingRebootUpdates/*Pending Reboot Update Guid*/RevisionNumber** -

    Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update. +Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update. -

    Supported operation is Get. +Supported operation is Get. **LastSuccessfulScanTime** -

    The last successful scan time. +The last successful scan time. -

    Supported operation is Get. +Supported operation is Get. **DeferUpgrade** -

    Upgrades deferred until the next period. +Upgrades deferred until the next period. -

    Supported operation is Get. +Supported operation is Get. **Rollback** Added in Windows 10, version 1803. Node for the rollback operations. From e0b56e18533b49455b72e3e1c84d03a33f0c4419 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Thu, 16 Nov 2023 09:17:24 -0800 Subject: [PATCH 74/80] Date refresh --- .../windows-autopatch-post-reg-readiness-checks.md | 2 +- ...ch-groups-windows-quality-update-trending-report.md | 2 +- .../operate/windows-autopatch-maintain-environment.md | 2 +- .../operate/windows-autopatch-support-request.md | 2 +- .../overview/windows-autopatch-privacy.md | 2 +- .../windows-autopatch-enrollment-support-request.md | 2 +- .../prepare/windows-autopatch-fix-issues.md | 2 +- .../prepare/windows-autopatch-prerequisites.md | 2 +- ...ws-autopatch-windows-update-unsupported-policies.md | 2 +- .../whats-new/windows-autopatch-whats-new-2023.md | 10 +++++++++- 10 files changed, 18 insertions(+), 10 deletions(-) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md index eb2f5d26d5..e41d8e60f4 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md @@ -1,7 +1,7 @@ --- title: Post-device registration readiness checks description: This article details how post-device registration readiness checks are performed in Windows Autopatch -ms.date: 09/16/2022 +ms.date: 09/16/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: conceptual diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-trending-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-trending-report.md index e68ee4d6bd..71b96ec441 100644 
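Review bot: in update-csp.md the node is renamed from Status to State in both the tree and the heading, but the new table labels its first column "Update Status" and every value keeps the UpdateStatus prefix, so the page now uses two names for the same thing. Name the column after the node, or add a sentence saying that State reports one of the UpdateStatus values. The integers are all powers of two (1 through 4096), and the description does not say whether State holds exactly one of them or a combination. State which it is, since an MDM service parsing FailedUpdates has to know whether to compare for equality or to test bits. The old hint "(for example, download, install)" was dropped, and the table includes values such as UpdateStatusUpdateCompleted that do not look like failure states, so it would help to note which values can actually appear under FailedUpdates. The subject "Update update-csp.md" does not record that a documented node name changed. Say so in the commit message and, if Status was never a valid node, in the article.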
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-trending-report.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-trending-report.md @@ -1,7 +1,7 @@ --- title: Quality update trending report description: Provides a visual representation of the update status trend for all devices over the last 90 days with Autopatch groups. -ms.date: 05/01/2023 +ms.date: 09/01/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: how-to diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md index 3b72dc6d90..fe9d6b3321 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md @@ -1,7 +1,7 @@ --- title: Maintain the Windows Autopatch environment description: This article details how to maintain the Windows Autopatch environment -ms.date: 05/15/2023 +ms.date: 09/15/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: how-to diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md index 690e61a507..20c341551a 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md @@ -1,7 +1,7 @@ --- title: Submit a support request description: Details how to contact the Windows Autopatch Service Engineering Team and submit support requests -ms.date: 01/06/2023 +ms.date: 09/06/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: how-to 
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md index 043db6fb77..0e481d7a66 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md @@ -1,7 +1,7 @@ --- title: Privacy description: This article provides details about the data platform and privacy compliance for Autopatch -ms.date: 03/13/2023 +ms.date: 09/13/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: reference diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md index 6588ea5a13..bc26753af7 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md @@ -1,7 +1,7 @@ --- title: Submit a tenant enrollment support request description: This article details how to submit a tenant enrollment support request -ms.date: 01/13/2023 +ms.date: 09/13/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: how-to diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md index 8acdf328e5..f7a2045294 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md @@ -1,7 +1,7 @@ --- title: Fix issues found by the Readiness assessment tool description: This article details how to fix issues found by the Readiness assessment tool. -ms.date: 01/12/2023 +ms.date: 09/12/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: how-to 
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md index b0df16842e..7cb1b4a4d5 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md @@ -1,7 +1,7 @@ --- title: Prerequisites description: This article details the prerequisites needed for Windows Autopatch -ms.date: 04/24/2023 +ms.date: 09/24/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: conceptual diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md b/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md index 9ece385c03..e72d9e8042 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md @@ -1,7 +1,7 @@ --- title: Windows update policies description: This article explains Windows update policies in Windows Autopatch -ms.date: 12/02/2022 +ms.date: 09/02/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: conceptual diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md index 24650e3a33..1e7b26a9c9 100644 --- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md +++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md 
@@ -1,7 +1,7 @@ --- title: What's new 2023 description: This article lists the 2023 feature releases and any corresponding Message center post numbers. -ms.date: 10/27/2023 +ms.date: 11/16/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: whats-new @@ -21,6 +21,14 @@ This article lists new and updated feature releases, and service releases, with Minor corrections such as typos, style, or formatting issues aren't listed. +## November 2023 + +## November service release + +| Message center post number | Description | +| ----- | ----- | +| [MC689492](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Planned Maintenance: Service maintenance to improve Windows Autopatch performance | + ## October 2023 ### October feature releases or updates From 0952ffe054e202e96f17fefd4b56390e2baefc8b Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Thu, 16 Nov 2023 12:24:03 -0500 Subject: [PATCH 75/80] Update enhanced-phishing-protection.md --- .../enhanced-phishing-protection.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md index 313b641bca..33e3420817 100644 --- a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md +++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md 
@@ -19,7 +19,7 @@ If a user signs into Windows using a password, Enhanced Phishing Protection work - If users type their work or school password into a website or app that SmartScreen finds suspicious, Enhanced Phishing Protection can automatically collect information from that website or app to help identify security threats. For example, the content displayed, sounds played, and application memory. > [!NOTE] -> When a user signs-in to a device using a Windows Hello for Business PIN or biometric, Enhanced Phishing Protection does not alert the user or send events to Microsoft Defender for Endpoint. +> When a user signs-in to a device using a Windows Hello for Business PIN or biometric, Enhanced Phishing Protection does not alert the user or send events to [Microsoft Defender for Endpoint (MDE)](/microsoft-365/security/defender-endpoint/). ## Benefits of Enhanced Phishing Protection in Microsoft Defender SmartScreen 
@@ -91,13 +91,13 @@ By default, Enhanced Phishing Protection is deployed in audit mode, preventing n To better help you protect your organization, we recommend turning on and using these specific Microsoft Defender SmartScreen settings. -| Setting | Recommendation | -|---------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Automatic Data Collection | **Enabled**: Turns on collection of additional content for security analysis from a suspicious website or app to improve Microsoft's threat intelligence | -| Service Enabled | **Enabled**: Turns on Enhanced Phishing Protection in audit mode, which captures work or school password entry events and sends diagnostic data but doesn't show any notifications to your users. | -| Notify Malicious | **Enabled**: Turns on Enhanced Phishing Protection notifications when users type their work or school password into one of the previously described malicious scenarios and encourages them to change their password. | -| Notify Password Reuse | **Enabled**: Turns on Enhanced Phishing Protection notifications when users reuse their work or school password and encourages them to change their password. | -| Notify Unsafe App | **Enabled**: Turns on Enhanced Phishing Protection notifications when users type their work or school passwords in Notepad and Microsoft 365 Office Apps. 
| +| Setting | Default Value | Recommendation | +|---------------------------|------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Automatic Data Collection | **Enabled** for domain joined devices or devices enrolled with MDM.
    **Disabled** for all other devices. | **Enabled**: Turns on collection of additional content for security analysis from a suspicious website or app to improve Microsoft's threat intelligence | +| Service Enabled | **Enabled** | **Enabled**: Turns on Enhanced Phishing Protection in audit mode, which captures work or school password entry events and sends diagnostic data but doesn't show any notifications to your users. | +| Notify Malicious | **Disabled** for devices onboarded to MDE.
    **Enabled** for all other devices. | **Enabled**: Turns on Enhanced Phishing Protection notifications when users type their work or school password into one of the previously described malicious scenarios and encourages them to change their password. | +| Notify Password Reuse | **Disabled** | **Enabled**: Turns on Enhanced Phishing Protection notifications when users reuse their work or school password and encourages them to change their password. | +| Notify Unsafe App | **Disabled** | **Enabled**: Turns on Enhanced Phishing Protection notifications when users type their work or school passwords in Notepad and Microsoft 365 Office Apps. | #### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune) From cbcd5c0f7eb16df83f17e3a969b0d958a91bce38 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Thu, 16 Nov 2023 14:26:38 -0800 Subject: [PATCH 76/80] branch chache not supported on 11 8530422 --- windows/deployment/update/waas-branchcache.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/windows/deployment/update/waas-branchcache.md b/windows/deployment/update/waas-branchcache.md index 840ea3d5a7..829dc4d1f5 100644 --- a/windows/deployment/update/waas-branchcache.md +++ b/windows/deployment/update/waas-branchcache.md @@ -9,9 +9,8 @@ ms.author: mstewart manager: aaroncz ms.localizationpriority: medium appliesto: -- ✅ Windows 11 -- ✅ Windows 10 -ms.date: 12/31/2017 +✅ Windows 10 +ms.date: 11/16/2023 --- # Configure BranchCache for Windows client updates 
@@ -33,7 +32,10 @@ For detailed information about how Distributed Cache mode and Hosted Cache mode Whether you use BranchCache with Configuration Manager or WSUS, each client that uses BranchCache must be configured to do so. You typically make your configurations through Group Policy. For step-by-step instructions on how to use Group Policy to configure BranchCache for Windows clients, see [Client Configuration](/previous-versions/windows/it-pro/windows-7/dd637820(v=ws.10)) in the [BranchCache Early Adopter's Guide](/previous-versions/windows/it-pro/windows-7/dd637762(v=ws.10)). -In Windows 10, version 1607, the Windows Update Agent uses Delivery Optimization by default, even when the updates are retrieved from WSUS. When using BranchCache with Windows client, set the Delivery Optimization mode to Bypass to allow clients to use the Background Intelligent Transfer Service (BITS) protocol with BranchCache instead. For instructions on how to use BranchCache in Distributed Cache mode with WSUS, see the section WSUS and Configuration Manager with BranchCache in Distributed Cache mode. +In Windows 10, version 1607, the Windows Update Agent uses Delivery Optimization by default, even when the updates are retrieved from WSUS. When using BranchCache with Windows client, set the Delivery Optimization **Download mode** to '100' (Bypass) to allow clients to use the Background Intelligent Transfer Service (BITS) protocol with BranchCache instead. For instructions on how to use BranchCache in Distributed Cache mode with WSUS, see the section WSUS and Configuration Manager with BranchCache in Distributed Cache mode. + +> [!Note] +> Setting [Download mode](../do/waas-delivery-optimization-reference.md#download-mode) to '100' (Bypass) is only available in Windows 10, version 1607 and later, not in Windows 11. BranchCache isn't supported for Windows 11. ## Configure servers for BranchCache From c0775ea59a68657f8f3e1f7c895285019fcef49d Mon Sep 17 00:00:00 2001 
From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Thu, 16 Nov 2023 14:32:20 -0800 Subject: [PATCH 77/80] branch chache not supported on 11 8530422 --- windows/deployment/update/waas-branchcache.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/waas-branchcache.md b/windows/deployment/update/waas-branchcache.md index 829dc4d1f5..05c5f63d80 100644 --- a/windows/deployment/update/waas-branchcache.md +++ b/windows/deployment/update/waas-branchcache.md @@ -9,7 +9,7 @@ ms.author: mstewart manager: aaroncz ms.localizationpriority: medium appliesto: -✅ Windows 10 +- ✅ Windows 10 ms.date: 11/16/2023 --- From 0d087d5cd7155c228cb6cb88d30207855d2879a7 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Thu, 16 Nov 2023 17:40:52 -0500 Subject: [PATCH 78/80] MBR2GPT Refresh --- windows/deployment/mbr-to-gpt.md | 78 ++++---------------------------- 1 file changed, 8 insertions(+), 70 deletions(-) diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md index 1b24406aee..a0eb436b76 100644 --- a/windows/deployment/mbr-to-gpt.md +++ b/windows/deployment/mbr-to-gpt.md @@ -4,7 +4,7 @@ description: Use MBR2GPT.EXE to convert a disk from the Master Boot Record (MBR) ms.prod: windows-client author: frankroj ms.author: frankroj -ms.date: 10/17/2023 +ms.date: 11/16/2023 manager: aaroncz ms.localizationpriority: high ms.topic: how-to 
@@ -19,7 +19,7 @@ appliesto: # MBR2GPT.EXE -**MBR2GPT.EXE** converts a disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool runs from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS) by using the **`/allowFullOS`** option. +**MBR2GPT.EXE** converts a disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool runs from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows operating system (OS) by using the **`/allowFullOS`** option. **MBR2GPT.EXE** is located in the **`Windows\System32`** directory on a computer running Windows. @@ -32,7 +32,7 @@ See the following video for a detailed description and demonstration of MBR2GPT. You can use MBR2GPT to: - Convert any attached MBR-formatted system disk to the GPT partition format. You can't use the tool to convert non-system disks from MBR to GPT. -- Convert an MBR disk with BitLocker-encrypted volumes as long as protection has been suspended. To resume BitLocker after conversion, you'll need to delete the existing protectors and recreate them. +- Convert an MBR disk with BitLocker-encrypted volumes as long as protection is suspended. To resume BitLocker after conversion, you'll need to delete the existing protectors and recreate them. - Convert an operating system disk from MBR to GPT using Microsoft Configuration Manager or Microsoft Deployment Toolkit (MDT). Offline conversion of system disks with earlier versions of Windows installed, such as Windows 7, 8, or 8.1 aren't officially supported. The recommended method to convert these disks is to upgrade the operating system to a currently supported version of Windows, then perform the MBR to GPT conversion. 
@@ -73,7 +73,7 @@ If any of these checks fails, the conversion doesn't proceed, and an error is re |**/disk:*\***| Specifies the disk number of the disk to be converted to GPT. If not specified, the system disk is used. The mechanism used is the same as used by the diskpart.exe tool **SELECT DISK SYSTEM** command.| |**/logs:*\***| Specifies the directory where `MBR2GPT.exe` logs should be written. If not specified, **%windir%** is used. If specified, the directory must already exist, it isn't automatically created or overwritten.| |**/map:*\*=*\***| Specifies other partition type mappings between MBR and GPT. The MBR partition number is specified in decimal notation, not hexadecimal. The GPT GUID can contain brackets, for example: **/map:42={af9b60a0-1431-4f62-bc68-3311714a69ad}**. Multiple /map options can be specified if multiple mappings are required. | -|**/allowFullOS**| By default, `MBR2GPT.exe` is blocked unless it's run from Windows PE. This option overrides this block and enables disk conversion while running in the full Windows environment.
    **Note**: Since the existing MBR system partition is in use while running the full Windows environment, it can't be reused. In this case, a new EFI system partition is created by shrinking the OS partition.| +|**/allowFullOS**| By default, `MBR2GPT.exe` can only run from Windows PE and is blocked from running in full Windows. This option overrides this block and enables disk conversion while running in the full Windows environment.
    **Note**: Since the existing MBR system partition is in use while running the full Windows environment, it can't be reused. In this case, a new EFI system partition is created by shrinking the OS partition.| ## Examples @@ -108,7 +108,7 @@ In the following example: 1. The new disk layout is displayed - four partitions are present on the GPT disk: three are identical to the previous partitions and one is the new EFI system partition (volume 3). -1. The OS volume is selected again, and detail displays that it has been converted to the [GPT partition type](/windows/win32/api/winioctl/ns-winioctl-partition_information_gpt) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type. +1. The OS volume is selected again. The detail displays that the OS volume is converted to the [GPT partition type](/windows/win32/api/winioctl/ns-winioctl-partition_information_gpt) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type. As noted in the output from the MBR2GPT tool, you must make changes to the computer firmware so that the new EFI system partition boots properly. 
@@ -298,7 +298,7 @@ The conversion tool attempts to remap all drive letter assignment information co The conversion tool will obtain volume unique ID data before and after the layout conversion, organizing this information into a lookup table. It then iterates through all the entries in **HKLM\SYSTEM\MountedDevices**, and for each entry it does the following: -1. Check if the unique ID corresponds to any of the unique IDs for any of the volumes that are part of the converted disk. +1. Checks if the unique ID corresponds to any of the unique IDs for any of the volumes that are part of the converted disk. 2. If found, set the value to be the new unique ID, obtained after the layout conversion. 3. If the new unique ID can't be set and the value name starts with **\DosDevices**, issue a console and log warning about the need for manual intervention in properly restoring the drive letter assignment. @@ -433,7 +433,7 @@ You can view the partition type of a disk by using the Disk Management tool: #### DiskPart tool -The partition type can be determined with the DiskPart tool. The DiskPart tool is useful in scenarios where the Disk Management tool and PowerShell aren't available, such as in WinPE when the PowerShell optional component in WinPE isn't loaded. To use the DiskPart tool to determine the partition type: +The partition type can be determined with the DiskPart tool. The DiskPart tool is useful in scenarios where the Disk Management tool and PowerShell aren't available, such as in WinPE. PowerShell isn't available in WinPE when the PowerShell optional component isn't loaded. To use the DiskPart tool to determine the partition type: 1. Open an elevated command prompt. 
@@ -449,7 +449,7 @@ The partition type can be determined with the DiskPart tool. The DiskPart tool i list disk ``` -1. The partition type is displayed in the **Gpt** column. If the partition is GPT, an asterisk (**\***) is displayed in the column. If the partition is MBR, the column will be blank. +1. The partition type is displayed in the **Gpt** column. If the partition is GPT, an asterisk (**\***) is displayed in the column. If the partition is MBR, the column is blank. The following shows an example output of the DiskPart tool showing the partition type for two disks: 
@@ -470,65 +470,3 @@ DISKPART> list disk ``` In this example, Disk 0 is formatted with the MBR partition style, and Disk 1 is formatted using GPT. - -## Known issue - -### MBR2GPT.exe can't run in Windows PE - -When you start a Windows 10, version 1903-based computer in the Windows Preinstallation Environment (Windows PE), you encounter the following issues: - -**Issue 1** When you run the `MBR2GPT.exe` command, the process exits without converting the drive. - -**Issue 2** When you manually run the `MBR2GPT.exe` command in a Command Prompt window, there's no output from the tool. - -**Issue 3** When `MBR2GPT.exe` runs inside an imaging process such as a Microsoft Configuration Manager task sequence, an MDT task sequence, or by using a script, you receive the following exit code: 0xC0000135/3221225781. - -#### Cause - -This issue occurs because in Windows 10, version 1903 and later versions, `MBR2GPT.exe` requires access to the ReAgent.dll file. However, this dll file and its associated libraries are currently not included in the Windows PE boot image for Windows 10, version 1903 and later. - -#### Workaround - -To fix this issue, mount the Windows PE image (WIM), copy the missing file from the [Windows 10, version 1903 Assessment and Development Kit (ADK)](https://go.microsoft.com/fwlink/?linkid=2086042) source, and then commit the changes to the WIM. Use follow these steps: - -1. Mount the Windows PE WIM to a path (for example, C:\WinPE_Mount). For more information about how to mount WIM files, see [Mount an image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#mount-an-image). - -2. Copy the ReAgent files and the ReAgent localization files from the Windows 10, version 1903 ADK source folder to the mounted WIM. 
- - For example, if the ADK is installed to the default location of C:\Program Files (x86)\Windows Kits\10 and the Windows PE image is mounted to C:\WinPE_Mount, run the following commands from an elevated Command Prompt window: - - > [!NOTE] - > You can access the ReAgent files if you have installed the User State Migration Tool (USMT) as a feature while installing Windows Assessment and Deployment Kit. - - **Command 1:** - - ```cmd - copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Setup\amd64\Sources\ReAgent*.*" "C:\WinPE_Mount\Windows\System32" - ``` - - This command copies three files: - - - ReAgent.admx - - ReAgent.dll - - ReAgent.xml - - **Command 2:** - - ```cmd - copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Setup\amd64\Sources\En-Us\ReAgent*.*" "C:\WinPE_Mount\Windows\System32\En-Us" - ``` - - This command copies two files: - - - ReAgent.adml - - ReAgent.dll.mui - - > [!NOTE] - > If you aren't using an English version of Windows, replace "En-Us" in the path with the appropriate string that represents the system language. - -3. After you copy all the files, commit the changes and unmount the Windows PE WIM. `MBR2GPT.exe` now functions as expected in Windows PE. For information about how to unmount WIM files while committing changes, see [Unmounting an image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#unmounting-an-image). - -## Related articles - -- [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) -- [Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications) From 10c39e69efe796efe1305af1b1cc6e7f93e0484b Mon Sep 17 00:00:00 2001 
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Fri, 17 Nov 2023 10:22:07 -0500 Subject: [PATCH 79/80] update to /remoteguard tip --- .../security/identity-protection/remote-credential-guard.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md index 7fee850283..2b0d64ce57 100644 --- a/windows/security/identity-protection/remote-credential-guard.md +++ b/windows/security/identity-protection/remote-credential-guard.md @@ -2,7 +2,7 @@ title: Remote Credential Guard description: Learn how Remote Credential Guard helps to secure Remote Desktop credentials by never sending them to the target device. ms.topic: how-to -ms.date: 09/06/2023 +ms.date: 11/17/2023 appliesto: - ✅ Windows 11 - ✅ Windows 10 @@ -130,7 +130,7 @@ reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin To enable Remote Credential Guard on the clients, you can configure a policy that prevents the delegation of credentials to the remote hosts. > [!TIP] -> If you don't want to configure your clients to enforce Remote Credential Guard, you can use the following command to use Remote Credential Guard for a specific RDP session: +> If you don't want to configure your clients to enforce Remote Credential Guard, and if you are an administrator of the remote host, you can use the following command to use Remote Credential Guard for a specific RDP session: > ```cmd > mstsc.exe /remoteGuard > ``` From 3874ba33e450eda2bb1c445f8b0deeff315eb232 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Fri, 17 Nov 2023 12:22:01 -0500 Subject: [PATCH 80/80] Update enhanced-phishing-protection.md --- .../enhanced-phishing-protection.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) 
diff --git a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md index 33e3420817..c944556f3a 100644 --- a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md +++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md @@ -91,13 +91,13 @@ By default, Enhanced Phishing Protection is deployed in audit mode, preventing n To better help you protect your organization, we recommend turning on and using these specific Microsoft Defender SmartScreen settings. -| Setting | Default Value | Recommendation | -|---------------------------|------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Automatic Data Collection | **Enabled** for domain joined devices or devices enrolled with MDM.
    **Disabled** for all other devices. | **Enabled**: Turns on collection of additional content for security analysis from a suspicious website or app to improve Microsoft's threat intelligence | -| Service Enabled | **Enabled** | **Enabled**: Turns on Enhanced Phishing Protection in audit mode, which captures work or school password entry events and sends diagnostic data but doesn't show any notifications to your users. | -| Notify Malicious | **Disabled** for devices onboarded to MDE.
    **Enabled** for all other devices. | **Enabled**: Turns on Enhanced Phishing Protection notifications when users type their work or school password into one of the previously described malicious scenarios and encourages them to change their password. | -| Notify Password Reuse | **Disabled** | **Enabled**: Turns on Enhanced Phishing Protection notifications when users reuse their work or school password and encourages them to change their password. | -| Notify Unsafe App | **Disabled** | **Enabled**: Turns on Enhanced Phishing Protection notifications when users type their work or school passwords in Notepad and Microsoft 365 Office Apps. | +| Setting | Default Value | Recommendation | +|---------------------------|------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Automatic Data Collection | **Disabled** for domain joined devices or devices enrolled with MDM.
    **Enabled** for all other devices. | **Enabled**: Turns on collection of additional content when users enter their work or school password into a suspicious website or app. This information is used only for security purposes and helps SmartScreen determine whether the website or app is malicious. | +| Service Enabled | **Enabled** | **Enabled**: Turns on Enhanced Phishing Protection in audit mode, which captures work or school password entry events and sends diagnostic data but doesn't show any notifications to your users. | +| Notify Malicious | **Disabled** for devices onboarded to MDE.
    **Enabled** for all other devices. | **Enabled**: Turns on Enhanced Phishing Protection notifications when users type their work or school password into one of the previously described malicious scenarios and encourages them to change their password. | +| Notify Password Reuse | **Disabled** | **Enabled**: Turns on Enhanced Phishing Protection notifications when users reuse their work or school password and encourages them to change their password. | +| Notify Unsafe App | **Disabled** | **Enabled**: Turns on Enhanced Phishing Protection notifications when users type their work or school passwords in Notepad and Microsoft 365 Office Apps. | #### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
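Review bot: In the Autopatch front-matter hunks (the `@@ -1,7 +1,7 @@` hunk of each file from windows-autopatch-groups-windows-quality-update-trending-report.md through windows-autopatch-windows-update-unsupported-policies.md), every new `ms.date` keeps the old day of the month and only moves the month to 09: `05/01/2023` becomes `09/01/2023`, `01/06/2023` becomes `09/06/2023`, `12/02/2022` becomes `09/02/2023`, and so on. No body line changes in any of these hunks, and the dates differ from file to file, so they do not look like the date of an actual review. Please either set `ms.date` to the day each article was really reviewed or leave it untouched, and say in the commit message which it is.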
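Review bot: In the `@@ -21,6 +21,14 @@` hunk of windows-autopatch-whats-new-2023.md, the added `## November service release` sits at the same heading level as `## November 2023`, while the existing October section nests its subsection as `### October feature releases or updates` under `## October 2023`. Change the added subsection to `### November service release` so the month stays the parent heading and the table of contents nests the same way for both months.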
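Review bot: In the `@@ -19,7 +19,7 @@` hunk of enhanced-phishing-protection.md (PATCH 75/80), the rewritten note line still reads "When a user signs-in to a device"; since the line is being touched anyway, use the verb form "signs in". The same line introduces the abbreviation "MDE" only inside link text, and the table added in the next hunk relies on it ("devices onboarded to MDE"), so consider spelling out Microsoft Defender for Endpoint in the table or defining the abbreviation in body text rather than in a note.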
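Review bot: In the `@@ -9,9 +9,8 @@` hunk of waas-branchcache.md (PATCH 76/80), the added line `+✅ Windows 10` drops the `- ` list marker that both removed `appliesto:` entries had, so `appliesto:` is no longer followed by a YAML list item. PATCH 77/80 restores `- ✅ Windows 10`; squash that fix into this commit so no revision in the series carries broken front matter.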
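Review bot: In the `@@ -33,7 +32,10 @@` hunk of waas-branchcache.md (PATCH 76/80), the instruction to set **Download mode** to '100' (Bypass) is given for "Windows client" in general, and the Windows 10 only restriction appears afterwards in a separate note. Put the limit in the instruction sentence itself so a reader who stops at the step does not apply it to Windows 11. The added alert is also written `> [!Note]`, while the other articles in this series use `> [!NOTE]`; match that casing.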
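Review bot: In the `@@ -298,7 +298,7 @@` hunk of mbr-to-gpt.md (PATCH 78/80), step 1 changes from "Check if the unique ID..." to "Checks if the unique ID...", but steps 2 and 3 in the unchanged context still use the bare form ("set the value", "issue a console and log warning"). The lead-in is "for each entry it does the following", so either convert all three steps to third person ("Sets", "Issues") or leave step 1 as it was; mixing the two within one list reads as an error.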
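Review bot: In the `@@ -470,65 +470,3 @@` hunk of mbr-to-gpt.md (PATCH 78/80), the whole "Known issue" section is deleted, including the cause (missing ReAgent.dll in the Windows PE boot image for Windows 10, version 1903 and later), the exit code `0xC0000135/3221225781`, and the copy workaround, and the commit message says only "MBR2GPT Refresh". The removed text described the problem as affecting "version 1903 and later", so please confirm it no longer reproduces on the Windows PE images the article still covers and record that in the commit message; if it can still occur, keep at least the exit code and cause so the symptom remains searchable. The same hunk also drops "Related articles" without replacement, which deserves a line of explanation as well.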
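Review bot: In the `@@ -130,7 +130,7 @@` hunk of remote-credential-guard.md (PATCH 79/80), the added clause "and if you are an administrator of the remote host" turns the tip into a prerequisite, but it is buried mid-sentence between "If you don't want to configure your clients" and "you can use the following command to use". State the requirement as its own sentence, for example "You must be an administrator of the remote host.", and use "you're" to match the contractions used elsewhere in the article; the repeated "use ... to use" can be tightened at the same time.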
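Review bot: In the `@@ -91,13 +91,13 @@` hunk of enhanced-phishing-protection.md (PATCH 80/80), the Default Value for Automatic Data Collection is inverted relative to PATCH 75/80 from the previous day: "**Enabled** for domain joined devices or devices enrolled with MDM" becomes "**Disabled** for domain joined devices or devices enrolled with MDM", with the "all other devices" value flipped to match. The commit message is only "Update enhanced-phishing-protection.md", so a reader cannot tell which of the two states is the verified one. Please note the source of the correction in the commit message, and hyphenate "domain-joined" while the cell is being rewritten.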