From a24763ffc2e3f2c3885ddc968983243d0077752f Mon Sep 17 00:00:00 2001 From: LizRoss Date: Mon, 20 Mar 2017 13:01:05 -0700 Subject: [PATCH 001/120] Updated applies to about Azure RMS --- windows/keep-secure/create-wip-policy-using-intune.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index f0c94d6dba..fc6d4fbfea 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -14,7 +14,7 @@ localizationpriority: high **Applies to:** - Windows 10, version 1607 -- Windows 10 Mobile +- Windows 10 Mobile (except Microsoft Azure Rights Management (Azure RMS), which is only available on the desktop) Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. From 54b10176b832d8dbcb5f8381935f1c22e22fb8e3 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Mon, 20 Mar 2017 13:21:26 -0700 Subject: [PATCH 002/120] Added content --- windows/keep-secure/create-wip-policy-using-intune.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index fc6d4fbfea..6560a80e36 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -11,6 +11,7 @@ localizationpriority: high --- # Create a Windows Information Protection (WIP) policy using Microsoft Intune + **Applies to:** - Windows 10, version 1607 
@@ -18,12 +19,12 @@ localizationpriority: high Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. -## Important note about the June service update for Insider Preview + ## Add a WIP policy After you’ve set up Intune for your organization, you must create a WIP-specific policy. From baafc02843c361a2071f9f3e1c00382735c2dafc Mon Sep 17 00:00:00 2001 From: LizRoss Date: Mon, 20 Mar 2017 14:25:04 -0700 Subject: [PATCH 003/120] Adding content --- windows/keep-secure/create-wip-policy-using-intune.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index 6560a80e36..2ae0e7e014 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -378,7 +378,7 @@ There are no default locations included with WIP, you must add each of your netw Enterprise Cloud Resources With proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
contoso.visualstudio.com,contoso.internalproxy2.com

Without proxy: contoso.sharepoint.com|contoso.visualstudio.com - Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the /*AppCompat*/ string to this setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/ + Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

We recommend that you use the /*AppCompat*/ string to help Windows determine whether an app should be allowed to connect to a network resource, without automatically blocking the connection. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/ Enterprise Network Domain Names (Required) From b4437638e9ea92ad1b1e1e465717a4fe8b031af2 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 21 Mar 2017 08:36:19 -0700 Subject: [PATCH 004/120] check in --- windows/keep-secure/create-wip-policy-using-intune.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index 2ae0e7e014..cc0b417bfc 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -378,7 +378,7 @@ There are no default locations included with WIP, you must add each of your netw Enterprise Cloud Resources With proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
contoso.visualstudio.com,contoso.internalproxy2.com

Without proxy: contoso.sharepoint.com|contoso.visualstudio.com - Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

We recommend that you use the /*AppCompat*/ string to help Windows determine whether an app should be allowed to connect to a network resource, without automatically blocking the connection. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/ + Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

Important
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/. When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://azure.microsoft.com/en-us/documentation/articles/active-directory-conditional-access-policy-connected-applications/), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access. Enterprise Network Domain Names (Required) From 572a75904fe5db3838f9fc8d682a3f57ba1e8393 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 21 Mar 2017 09:14:22 -0700 Subject: [PATCH 005/120] Adding content --- windows/keep-secure/create-wip-policy-using-intune.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index cc0b417bfc..f7db61c525 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -378,7 +378,7 @@ There are no default locations included with WIP, you must add each of your netw Enterprise Cloud Resources With proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
contoso.visualstudio.com,contoso.internalproxy2.com

Without proxy: contoso.sharepoint.com|contoso.visualstudio.com - Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

Important
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/. When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://azure.microsoft.com/en-us/documentation/articles/active-directory-conditional-access-policy-connected-applications/), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access. + Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

Important
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.

When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access. Enterprise Network Domain Names (Required) From 9f1fd09d560a606000580011f4090bae77b93714 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 21 Mar 2017 10:43:32 -0700 Subject: [PATCH 006/120] Fixing broken code --- windows/keep-secure/create-wip-policy-using-intune.md | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index f7db61c525..5a748154ff 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -19,13 +19,6 @@ localizationpriority: high Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. - - ## Add a WIP policy After you’ve set up Intune for your organization, you must create a WIP-specific policy. @@ -378,7 +371,7 @@ There are no default locations included with WIP, you must add each of your netw Enterprise Cloud Resources With proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
contoso.visualstudio.com,contoso.internalproxy2.com

Without proxy: contoso.sharepoint.com|contoso.visualstudio.com - Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

Important
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.

When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access. + Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

Important
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.

When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access. Enterprise Network Domain Names (Required) From 51a28ae8968c78887ae3af359af6970312b0b712 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 21 Mar 2017 10:50:54 -0700 Subject: [PATCH 007/120] Fixing broken code --- windows/keep-secure/create-wip-policy-using-intune.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index 5a748154ff..d32508207a 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -371,7 +371,7 @@ There are no default locations included with WIP, you must add each of your netw Enterprise Cloud Resources With proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
contoso.visualstudio.com,contoso.internalproxy2.com

Without proxy: contoso.sharepoint.com|contoso.visualstudio.com - Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

Important
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.

When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access. + Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

Important
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.

When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access. Enterprise Network Domain Names (Required) From dc06f2f49c8ac551826e5bbbdcbf616dbfea1d82 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 21 Mar 2017 12:01:54 -0700 Subject: [PATCH 008/120] Adding content --- windows/keep-secure/create-wip-policy-using-intune.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index d32508207a..22b83114e4 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -425,6 +425,9 @@ There are no default locations included with WIP, you must add each of your netw For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md). +### Choose to set up Azure Rights Management with WIP + + ### Choose your optional WIP-related settings After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional WIP settings. From 3c749ca9491e215d42e2f87c2b0b8714b592de70 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 21 Mar 2017 12:17:26 -0700 Subject: [PATCH 009/120] Adding content --- windows/keep-secure/create-wip-policy-using-intune.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index 22b83114e4..90a69c59bf 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -15,7 +15,7 @@ localizationpriority: high **Applies to:** - Windows 10, version 1607 -- Windows 10 Mobile (except Microsoft Azure Rights Management (Azure RMS), which is only available on the desktop) +- Windows 10 Mobile (except Microsoft Azure Rights Management, which is only available on the desktop) Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. From 1d58cd4012ec4fe42eed86648dc334877373051f Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 21 Mar 2017 12:48:52 -0700 Subject: [PATCH 010/120] Adding content --- windows/keep-secure/create-wip-policy-using-intune.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index 90a69c59bf..62bba049af 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md 
@@ -426,7 +426,13 @@ There are no default locations included with WIP, you must add each of your netw For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md). ### Choose to set up Azure Rights Management with WIP +WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files via removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/en-us/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up. +To configure WIP to use Azure Rights Management, you must set the **AllowAzureRMSForEDP** MDM setting to **1** in Microsoft Intune. This setting tells WIP to start encrypting files copied to removeable drives that use Azure Rights Management, so they can be shared amongst your employees on computers running at least Windows 10, version 1703. + +Optionally, if you don’t want everyone in your organization to be able to share your enterprise data, you can set the **RMSTemplateIDForEDP** MDM setting as the **TemplateID** of the Azure Rights Management template used to encrypt the data. You must make sure to mark the template with the **EditRightsData** option. + +For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. 
For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-custom-templates) topic. ### Choose your optional WIP-related settings After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional WIP settings. @@ -475,4 +481,6 @@ After you've decided where your protected apps can access enterprise data on you - [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) - [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md) - [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md) -- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md) \ No newline at end of file +- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md) +- [Azure RMS Documentation Update for May 2016](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/azure-rms-documentation-update-for-may-2016/) +- [What is Azure Rights Management?]( https://docs.microsoft.com/en-us/information-protection/understand-explore/what-is-azure-rms) \ No newline at end of file From 037e6125ad0da2c8fc150859065a48379fdbf156 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 21 Mar 2017 12:59:04 -0700 Subject: [PATCH 011/120] Adding content --- windows/keep-secure/create-wip-policy-using-intune.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index 62bba049af..3b1d08495b 100644 
--- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -432,7 +432,8 @@ To configure WIP to use Azure Rights Management, you must set the **AllowAzureRM Optionally, if you don’t want everyone in your organization to be able to share your enterprise data, you can set the **RMSTemplateIDForEDP** MDM setting as the **TemplateID** of the Azure Rights Management template used to encrypt the data. You must make sure to mark the template with the **EditRightsData** option. -For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-custom-templates) topic. +>[!NOTE] +>For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-custom-templates) topic. ### Choose your optional WIP-related settings After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional WIP settings. From af97f15f3ea771af18102caa256da1cde16af630 Mon Sep 17 00:00:00 2001 
From: LizRoss Date: Tue, 21 Mar 2017 13:16:12 -0700 Subject: [PATCH 012/120] Adding content --- windows/keep-secure/create-wip-policy-using-intune.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index 3b1d08495b..ead8eddf33 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md 
@@ -428,7 +428,7 @@ There are no default locations included with WIP, you must add each of your netw ### Choose to set up Azure Rights Management with WIP WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files via removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/en-us/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up. -To configure WIP to use Azure Rights Management, you must set the **AllowAzureRMSForEDP** MDM setting to **1** in Microsoft Intune. This setting tells WIP to start encrypting files copied to removeable drives that use Azure Rights Management, so they can be shared amongst your employees on computers running at least Windows 10, version 1703. +To configure WIP to use Azure Rights Management, you must set the **AllowAzureRMSForEDP** MDM setting to **1** in Microsoft Intune. This setting tells WIP to start encrypting files copied to removable drives that use Azure Rights Management, so they can be shared amongst your employees on computers running at least Windows 10, version 1703. Optionally, if you don’t want everyone in your organization to be able to share your enterprise data, you can set the **RMSTemplateIDForEDP** MDM setting as the **TemplateID** of the Azure Rights Management template used to encrypt the data. You must make sure to mark the template with the **EditRightsData** option. From 8a133bd824f2a7a317959eb39c99c4bff675a245 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 21 Mar 2017 14:09:57 -0700 Subject: [PATCH 013/120] Adding content --- .../create-wip-policy-using-intune.md | 384 +++++++++--------- 1 file changed, 188 insertions(+), 196 deletions(-) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index ead8eddf33..b1ce416071 100644 
--- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -14,8 +14,8 @@ localizationpriority: high **Applies to:** -- Windows 10, version 1607 -- Windows 10 Mobile (except Microsoft Azure Rights Management, which is only available on the desktop) +- Windows 10, version 1607 +- Windows 10 Mobile (except Microsoft Azure Rights Management, which is only available on the desktop) Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. 
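Review bot: the two removed and two added "Applies to" bullets in this hunk read the same, so the change is whitespace-only and the "Adding content" subject does not describe it. Since the list is being touched anyway, note that it names only Windows 10, version 1607, while the Azure Rights Management section added in PATCH 010/120 says files can be shared on computers running at least Windows 10, version 1703. Suggest stating the 1703 requirement next to the Azure Rights Management exception in this list.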
@@ -23,15 +23,15 @@ Microsoft Intune helps you create and deploy your Windows Information Protection After you’ve set up Intune for your organization, you must create a WIP-specific policy. **To add a WIP policy** -1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy** from the **Tasks** area. +1.Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy** from the **Tasks** area. -2. Go to **Windows**, click the **Windows Information Protection (Windows 10 Desktop and Mobile and later) policy**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**. +2.Go to **Windows**, click the **Windows Information Protection (Windows 10 Desktop and Mobile and later) policy**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**. - ![Microsoft Intune: Create your new policy from the New Policy screen](images/intune-createnewpolicy.png) +![Microsoft Intune: Create your new policy from the New Policy screen](images/intune-createnewpolicy.png) -3. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes. +3.Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes. - ![Microsoft Intune: Fill out the required Name and optional Description fields](images/intune-generalinfo.png) +![Microsoft Intune: Fill out the required Name and optional Description fields](images/intune-generalinfo.png) ### Add app rules to your policy During the policy-creation process in Intune, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps. 
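Review bot: the added step lines `1.Open`, `2.Go` and `3.Type` drop the space after the list marker, and Markdown needs `1. ` with a space to start an ordered-list item, so the three steps under "To add a WIP policy" will render as plain paragraphs. The two screenshot lines also lose their indentation, which detaches them from steps 2 and 3. Suggest keeping the `1. Open` form and the indented image lines as they were.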
@@ -50,19 +50,19 @@ For this example, we’re going to add Microsoft OneNote, a store app, to the ** **To add a store app** 1. From the **App Rules** area, click **Add**. - The **Add App Rule** box appears. +The **Add App Rule** box appears. - ![Microsoft Intune, Add a store app to your policy](images/intune-add-uwp-apps.png) +![Microsoft Intune, Add a store app to your policy](images/intune-add-uwp-apps.png) 2. Add a friendly name for your app into the **Title** box. In this example, it’s *Microsoft OneNote*. 3. Click **Allow** from the **Windows Information Protection mode** drop-down list. - Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic. +Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic. 4. Pick **Store App** from the **Rule template** drop-down list. - The box changes to show the store app rule options. +The box changes to show the store app rule options. 5. Type the name of the app and the name of its publisher, and then click **OK**. For this UWP app example, the **Publisher** is `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the **Product name** is `Microsoft.Office.OneNote`. 
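Review bot: In the store-app procedure, the continuation lines under steps 1, 3 and 4 ("The **Add App Rule** box appears.", the screenshot, "Allow turns on WIP..." and "The box changes to show the store app rule options.") lose their indentation, which detaches them from their steps and ends the ordered list at each one. The steps that follow then begin new lists and, depending on the renderer, may be renumbered. Keeping the continuation text indented under its step, as the removed lines had it, preserves a single list.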
@@ -71,40 +71,35 @@ If you don't know the publisher or product name, you can find them for both desk **To find the Publisher and Product Name values for Store apps without installing them** 1. Go to the [Windows Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Microsoft OneNote*. - >[!NOTE] - >If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic. +>**Note**
If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic. 2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`. 3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrfhvjl/applockerdata, where `9wzdncrfhvjl` is replaced with your ID value. - The API runs and opens a text editor with the app details. +The API runs and opens a text editor with the app details. - ```json - { - "packageIdentityName": "Microsoft.Office.OneNote", - "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" - } - ``` +```json +{ +"packageIdentityName": "Microsoft.Office.OneNote", +"publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" +} +``` 4. Copy the `publisherCertificateName` value into the **Publisher Name** box and copy the `packageIdentityName` value into the **Product Name** box of Intune. - >[!IMPORTANT] - >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`. 
- - For example: - - ```json - { - "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", - } - ``` +>**Important**
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.

For example: + +```json +{ +"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", +} +``` **To find the Publisher and Product Name values for apps installed on Windows 10 mobile phones** 1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature. - >[!NOTE] - >Your PC and phone must be on the same wireless network. +>**Note**
Your PC and phone must be on the same wireless network. 2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**. @@ -120,16 +115,13 @@ If you don't know the publisher or product name, you can find them for both desk 8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune. - >[!IMPORTANT] - >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`. - - For example: - - ``` json - { - "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", - } - ``` +>**Important**
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.

For example: + +``` json +{ + "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", + } +``` #### Add a desktop app rule to your policy For this example, we’re going to add Internet Explorer, a desktop app, to the **App Rules** list. @@ -137,70 +129,70 @@ For this example, we’re going to add Internet Explorer, a desktop app, to the **To add a desktop app** 1. From the **App Rules** area, click **Add**. - The **Add App Rule** box appears. - - ![Microsoft Intune, Add a desktop app to your policy](images/intune-add-classic-apps.png) +The **Add App Rule** box appears. + +![Microsoft Intune, Add a desktop app to your policy](images/intune-add-classic-apps.png) 2. Add a friendly name for your app into the **Title** box. In this example, it’s *Internet Explorer*. 3. Click **Allow** from the **Windows Information Protection mode** drop-down list. - Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic. +Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic. 4. Pick **Desktop App** from the **Rule template** drop-down list. - The box changes to show the store app rule options. +The box changes to show the store app rule options. 5. Pick the options you want to include for the app rule (see table), and then click **OK**. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
OptionManages
All fields left as “*”All files signed by any publisher. (Not recommended)
Publisher selectedAll files signed by the named publisher.

This might be useful if your company is the publisher and signer of internal line-of-business apps.

Publisher and Product Name selectedAll files for the specified product, signed by the named publisher.
Publisher, Product Name, and Binary name selectedAny version of the named file or package for the specified product, signed by the named publisher.
Publisher, Product Name, Binary name, and File Version, and above, selectedSpecified version or newer releases of the named file or package for the specified product, signed by the named publisher.

This option is recommended for enlightened apps that weren't previously enlightened.

Publisher, Product Name, Binary name, and File Version, And below selectedSpecified version or older releases of the named file or package for the specified product, signed by the named publisher.
Publisher, Product Name, Binary name, and File Version, Exactly selectedSpecified version of the named file or package for the specified product, signed by the named publisher.
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
OptionManages
All fields left as “*”All files signed by any publisher. (Not recommended)
Publisher selectedAll files signed by the named publisher.

This might be useful if your company is the publisher and signer of internal line-of-business apps.

Publisher and Product Name selectedAll files for the specified product, signed by the named publisher.
Publisher, Product Name, and Binary name selectedAny version of the named file or package for the specified product, signed by the named publisher.
Publisher, Product Name, Binary name, and File Version, and above, selectedSpecified version or newer releases of the named file or package for the specified product, signed by the named publisher.

This option is recommended for enlightened apps that weren't previously enlightened.

Publisher, Product Name, Binary name, and File Version, And below selectedSpecified version or older releases of the named file or package for the specified product, signed by the named publisher.
Publisher, Product Name, Binary name, and File Version, Exactly selectedSpecified version of the named file or package for the specified product, signed by the named publisher.
If you’re unsure about what to include for the publisher, you can run this PowerShell command: ```ps1 - Get-AppLockerFileInformation -Path "" +Get-AppLockerFileInformation -Path "" ``` Where `""` goes to the location of the app on the device. For example, `Get-AppLockerFileInformation -Path "C:\Program Files\Internet Explorer\iexplore.exe"`. In this example, you'd get the following info: ``` json - Path Publisher - ---- --------- - %PROGRAMFILES%\INTERNET EXPLORER\IEXPLORE.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\INTERNET EXPLOR... +Path Publisher +---- --------- +%PROGRAMFILES%\INTERNET EXPLORER\IEXPLORE.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\INTERNET EXPLOR... ``` Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter in the **Publisher Name** box. 
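Review bot: Under step 4, "Pick **Desktop App**", the re-added line still reads "The box changes to show the store app rule options", which looks copied from the store-app procedure; since the line is being touched anyway, it should refer to the desktop app rule options. The same hunk also keeps the `Get-AppLockerFileInformation` output in a fence tagged json, although it is console table output rather than JSON; an untagged fence would avoid misleading highlighting.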
@@ -209,113 +201,113 @@ For this example, we’re going to add an AppLocker XML file to the **App Rules* **To create an app rule and xml file using the AppLocker tool** 1. Open the Local Security Policy snap-in (SecPol.msc). - + 2. In the left pane, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**. - ![Local security snap-in, showing the Packaged app Rules](images/intune-local-security-snapin.png) +![Local security snap-in, showing the Packaged app Rules](images/intune-local-security-snapin.png) 3. Right-click in the right-hand pane, and then click **Create New Rule**. - The **Create Packaged app Rules** wizard appears. +The **Create Packaged app Rules** wizard appears. 4. On the **Before You Begin** page, click **Next**. - ![Create Packaged app Rules wizard, showing the Before You Begin page](images/intune-applocker-before-begin.png) +![Create Packaged app Rules wizard, showing the Before You Begin page](images/intune-applocker-before-begin.png) 5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**. - ![Create Packaged app Rules wizard, showing the Before You Begin page](images/intune-applocker-permissions.png) +![Create Packaged app Rules wizard, showing the Before You Begin page](images/intune-applocker-permissions.png) 6. On the **Publisher** page, click **Select** from the **Use an installed packaged app as a reference** area. - ![Create Packaged app Rules wizard, showing the Publisher](images/intune-applocker-publisher.png) +![Create Packaged app Rules wizard, showing the Publisher](images/intune-applocker-publisher.png) 7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we’re using Microsoft Photos. 
- ![Create Packaged app Rules wizard, showing the Select applications page](images/intune-applocker-select-apps.png) +![Create Packaged app Rules wizard, showing the Select applications page](images/intune-applocker-select-apps.png) 8. On the updated **Publisher** page, click **Create**. - ![Create Packaged app Rules wizard, showing the Microsoft Photos on the Publisher page](images/intune-applocker-publisher-with-app.png) +![Create Packaged app Rules wizard, showing the Microsoft Photos on the Publisher page](images/intune-applocker-publisher-with-app.png) 9. Review the Local Security Policy snap-in to make sure your rule is correct. - ![Local security snap-in, showing the new rule](images/intune-local-security-snapin-updated.png) +![Local security snap-in, showing the new rule](images/intune-local-security-snapin-updated.png) 10. In the left pane, right-click on **AppLocker**, and then click **Export policy**. - The **Export policy** box opens, letting you export and save your new policy as XML. +The **Export policy** box opens, letting you export and save your new policy as XML. - ![Local security snap-in, showing the Export Policy option](images/intune-local-security-export.png) +![Local security snap-in, showing the Export Policy option](images/intune-local-security-export.png) 11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**. - The policy is saved and you’ll see a message that says 1 rule was exported from the policy. +The policy is saved and you’ll see a message that says 1 rule was exported from the policy. - **Example XML file**
- This is the XML file that AppLocker creates for Microsoft Photos. +**Example XML file**
+This is the XML file that AppLocker creates for Microsoft Photos. - ```xml - - - - - - - - - - - - - - +```xml + + + + + + + + + + + + + + - ``` +``` 12. After you’ve created your XML file, you need to import it by using Microsoft Intune. **To import your Applocker policy file app rule using Microsoft Intune** 1. From the **App Rules** area, click **Add**. - - The **Add App Rule** box appears. - - ![Microsoft Intune, Importing your AppLocker policy file using Intune](images/intune-add-applocker-xml-file.png) + +The **Add App Rule** box appears. + +![Microsoft Intune, Importing your AppLocker policy file using Intune](images/intune-add-applocker-xml-file.png) 2. Add a friendly name for your app into the **Title** box. In this example, it’s *Allowed app list*. 3. Click **Allow** from the **Windows Information Protection mode** drop-down list. - Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic. +Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic. 4. Pick **AppLocker policy file** from the **Rule template** drop-down list. - The box changes to let you import your AppLocker XML policy file. +The box changes to let you import your AppLocker XML policy file. 5. Click **Import**, browse to your AppLocker XML file, click **Open**, and then click **OK** to close the **Add App Rule** box. - The file is imported and the apps are added to your **App Rules** list. +The file is imported and the apps are added to your **App Rules** list. 
#### Exempt apps from WIP restrictions If you're running into compatibility issues where your app is incompatible with WIP, but still needs to be used with enterprise data, you can exempt the app from the WIP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak. **To exempt a store app, a desktop app, or an AppLocker policy file app rule** 1. From the **App Rules** area, click **Add**. - - The **Add App Rule** box appears. + +The **Add App Rule** box appears. 2. Add a friendly name for your app into the **Title** box. In this example, it’s *Exempt apps list*. 3. Click **Exempt** from the **Windows Information Protection mode** drop-down list. - Be aware that when you exempt apps, they’re allowed to bypass the WIP restrictions and access your corporate data. To allow apps, see the [Add app rules to your policy](#add-app-rules-to-your-policy) section of this topic. +Be aware that when you exempt apps, they’re allowed to bypass the WIP restrictions and access your corporate data. To allow apps, see the [Add app rules to your policy](#add-app-rules-to-your-policy) section of this topic. 4. Fill out the rest of the app rule info, based on the type of rule you’re adding: - - **Store app.** Follow the **Publisher** and **Product name** instructions in the [Add a store app rule to your policy](#add-a-store-app-rule-to-your-policy) section of this topic. +- **Store app.** Follow the **Publisher** and **Product name** instructions in the [Add a store app rule to your policy](#add-a-store-app-rule-to-your-policy) section of this topic. - - **Desktop app.** Follow the **Publisher**, **Product name**, **Binary name**, and **Version** instructions in the [Add a desktop app rule to your policy](#add-a-desktop-app-rule-to-your-policy) section of this topic. 
+- **Desktop app.** Follow the **Publisher**, **Product name**, **Binary name**, and **Version** instructions in the [Add a desktop app rule to your policy](#add-a-desktop-app-rule-to-your-policy) section of this topic. - - **AppLocker policy file.** Follow the **Import** instructions in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section of this topic, using a list of exempted apps. +- **AppLocker policy file.** Follow the **Import** instructions in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section of this topic, using a list of exempted apps. 5. Click **OK**. @@ -341,7 +333,7 @@ You can specify multiple domains owned by your enterprise by separating them wit **To add your corporate identity** - Type the name of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`. - ![Microsoft Intune, Set your primary Internet domains](images/intune-corporate-identity.png) +![Microsoft Intune, Set your primary Internet domains](images/intune-corporate-identity.png) ### Choose where apps can access enterprise data After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. @@ -356,74 +348,74 @@ There are no default locations included with WIP, you must add each of your netw 1. Add additional network locations your apps can access by clicking **Add**. - The **Add or edit corporate network definition** box appears. +The **Add or edit corporate network definition** box appears. 2. Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table. - ![Microsoft Intune, Add your corporate network definitions](images/intune-networklocation.png) +![Microsoft Intune, Add your corporate network definitions](images/intune-networklocation.png)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Network location typeFormatDescription
Enterprise Cloud ResourcesWith proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
contoso.visualstudio.com,contoso.internalproxy2.com

Without proxy: contoso.sharepoint.com|contoso.visualstudio.com

Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

Important
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.

When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.

Enterprise Network Domain Names (Required)corp.contoso.com,region.contoso.comSpecify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.

This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks.

If you have multiple resources, you must separate them using the "," delimiter.

Enterprise Proxy Serversproxy.contoso.com:80;proxy2.contoso.com:443Specify your externally-facing proxy server addresses, along with the port through which traffic accesses the Internet.

This list must not include any servers listed in the Enterprise Internal Proxy Servers list, because they’re used for WIP-protected traffic.

This setting is also required if there’s a chance you could end up behind a proxy server on another network. In this situation, if you don't have a proxy server pre-defined, you might find that enterprise resources are unavailable to your client device, such as when you’re visiting another company and not on the guest network. To make sure this doesn’t happen, the client device also needs to be able to reach the pre-defined proxy server through the VPN network.

If you have multiple resources, you must separate them using the ";" delimiter.

Enterprise Internal Proxy Serverscontoso.internalproxy1.com;contoso.internalproxy2.comSpecify the proxy servers your devices will go through to reach your cloud resources.

Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.

This list shouldn’t include any servers listed in the Enterprise Proxy Servers list, which are used for non-WIP-protected traffic.

If you have multiple resources, you must separate them using the ";" delimiter.

Enterprise IPv4 Range (Required, if not using IPv6)**Starting IPv4 Address:** 3.4.0.1
**Ending IPv4 Address:** 3.4.255.254
**Custom URI:** 3.4.0.1-3.4.255.254,
10.0.0.1-10.255.255.254
Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

If you have multiple ranges, you must separate them using the "," delimiter.

Enterprise IPv6 Range (Required, if not using IPv4)**Starting IPv6 Address:** 2a01:110::
**Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
**Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

If you have multiple ranges, you must separate them using the "," delimiter.

Neutral Resourcessts.contoso.com,sts.contoso2.comSpecify your authentication redirection endpoints for your company.

These locations are considered enterprise or personal, based on the context of the connection before the redirection.

If you have multiple resources, you must separate them using the "," delimiter.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Network location typeFormatDescription
Enterprise Cloud ResourcesWith proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
contoso.visualstudio.com,contoso.internalproxy2.com

Without proxy: contoso.sharepoint.com|contoso.visualstudio.com

Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

Important
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.

When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.

Enterprise Network Domain Names (Required)corp.contoso.com,region.contoso.comSpecify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.

This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks.

If you have multiple resources, you must separate them using the "," delimiter.

Enterprise Proxy Serversproxy.contoso.com:80;proxy2.contoso.com:443Specify your externally-facing proxy server addresses, along with the port through which traffic accesses the Internet.

This list must not include any servers listed in the Enterprise Internal Proxy Servers list, because they’re used for WIP-protected traffic.

This setting is also required if there’s a chance you could end up behind a proxy server on another network. In this situation, if you don't have a proxy server pre-defined, you might find that enterprise resources are unavailable to your client device, such as when you’re visiting another company and not on the guest network. To make sure this doesn’t happen, the client device also needs to be able to reach the pre-defined proxy server through the VPN network.

If you have multiple resources, you must separate them using the ";" delimiter.

Enterprise Internal Proxy Serverscontoso.internalproxy1.com;contoso.internalproxy2.comSpecify the proxy servers your devices will go through to reach your cloud resources.

Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.

This list shouldn’t include any servers listed in the Enterprise Proxy Servers list, which are used for non-WIP-protected traffic.

If you have multiple resources, you must separate them using the ";" delimiter.

Enterprise IPv4 Range (Required, if not using IPv6)**Starting IPv4 Address:** 3.4.0.1
**Ending IPv4 Address:** 3.4.255.254
**Custom URI:** 3.4.0.1-3.4.255.254,
10.0.0.1-10.255.255.254
Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

If you have multiple ranges, you must separate them using the "," delimiter.

Enterprise IPv6 Range (Required, if not using IPv4)**Starting IPv6 Address:** 2a01:110::
**Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
**Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

If you have multiple ranges, you must separate them using the "," delimiter.

Neutral Resourcessts.contoso.com,sts.contoso2.comSpecify your authentication redirection endpoints for your company.

These locations are considered enterprise or personal, based on the context of the connection before the redirection.

If you have multiple resources, you must separate them using the "," delimiter.

3. Add as many locations as you need, and then click **OK**. - The **Add corporate network definition** box closes. +The **Add corporate network definition** box closes. 4. Decide if you want to Windows to look for additional network settings: - ![Microsoft Intune, Choose if you want Windows to search for additinal proxy servers or IP ranges in your enterprise](images/intune-network-detection-boxes.png) +![Microsoft Intune, Choose if you want Windows to search for additinal proxy servers or IP ranges in your enterprise](images/intune-network-detection-boxes.png) - - **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network. +- **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network. - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network. 5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy. 
- ![Microsoft Intune, Add your Data Recovery Agent (DRA) certificate](images/intune-data-recovery.png) + ![Microsoft Intune, Add your Data Recovery Agent (DRA) certificate](images/intune-data-recovery.png) - After you create and deploy your WIP policy to your employees, Windows will begin to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data. +After you create and deploy your WIP policy to your employees, Windows will begin to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data. - For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md). +For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md). 
### Choose to set up Azure Rights Management with WIP WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files via removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/en-us/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up. 
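Review bot: In steps 3 to 5 the added lines drop the indentation that tied "The **Add corporate network definition** box closes.", the two screenshots and the DRA explanation paragraphs to their numbered steps, so they no longer render as part of the step and can break the list numbering; keep continuation content indented under its step. Under step 4, the Enterprise Proxy Servers option is changed while the Enterprise IP Ranges option beside it appears only as unchanged context, so check that the two end up at the same list level. While these lines are being touched, fix "additinal" in the image alt text and "if you want to Windows to look" in step 4, both of which are carried over unchanged.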
@@ -443,35 +435,35 @@ After you've decided where your protected apps can access enterprise data on you **To set your optional settings** 1. Choose to set any or all of the optional settings: - - **Show the Personal option in the File ownership menus of File Explorer and the Save As dialog box.** Determines whether users can see the Personal option for files within File Explorer and the **Save As** dialog box. The options are: - - - **Yes, or not configured (recommended).** Employees can choose whether a file is **Work** or **Personal** in File Explorer and the **Save As** dialog box. +- **Show the Personal option in the File ownership menus of File Explorer and the Save As dialog box.** Determines whether users can see the Personal option for files within File Explorer and the **Save As** dialog box. The options are: + +- **Yes, or not configured (recommended).** Employees can choose whether a file is **Work** or **Personal** in File Explorer and the **Save As** dialog box. - - **No.** Hides the **Personal** option from employees. Be aware that if you pick this option, apps that use the **Save As** dialog box might encrypt new files as corporate data unless a different file path is given during the original file creation. After this happens, decryption of work files becomes more difficult. +- **No.** Hides the **Personal** option from employees. Be aware that if you pick this option, apps that use the **Save As** dialog box might encrypt new files as corporate data unless a different file path is given during the original file creation. After this happens, decryption of work files becomes more difficult. - - **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile**. Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. 
The options are: +- **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile**. Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are: - - **Yes (recommended).** Turns on the feature and provides the additional protection. +- **Yes (recommended).** Turns on the feature and provides the additional protection. - - **No, or not configured.** Doesn't enable this feature. +- **No, or not configured.**Doesn't enable this feature. - - **Revoke encryption keys on unenroll.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are: +- **Revoke encryption keys on unenroll.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are: - - **Yes, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment. - - - **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you’re migrating between Mobile Device Management (MDM) solutions. +- **Yes, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment. - - **Allow Windows Search to search encrypted corporate data and Store apps.** Determines whether Windows Search can search and index encrypted corporate data and Store apps. The options are: +- **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you’re migrating between Mobile Device Management (MDM) solutions. 
- - **Yes.** Allows Windows Search to search and index encrypted corporate data and Store apps. +- **Allow Windows Search to search encrypted corporate data and Store apps.** Determines whether Windows Search can search and index encrypted corporate data and Store apps. The options are: - - **No, or not configured (recommended).** Stops Windows Search from searching and indexing encrypted corporate data and Store apps. + - **Yes.** Allows Windows Search to search and index encrypted corporate data and Store apps. - - **Show the Windows Information Protection icon overlay.** Determines whether the Windows Information Protection icon overlay appears on corporate files in the Save As and File Explorer views. The options are: + - **No, or not configured (recommended).** Stops Windows Search from searching and indexing encrypted corporate data and Store apps. - - **Yes.** Allows the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but allowed apps, the icon overlay also appears on the app tile and with *Managed* text on the app name in the **Start** menu. +- **Show the Windows Information Protection icon overlay.** Determines whether the Windows Information Protection icon overlay appears on corporate files in the Save As and File Explorer views. The options are: - - **No, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but allowed apps. Not configured is the default option. + - **Yes.** Allows the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but allowed apps, the icon overlay also appears on the app tile and with *Managed* text on the app name in the **Start** menu. 
+ +- **No, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but allowed apps. Not configured is the default option. 2. Click **Save Policy**. From 024cd88e44c7c649bd1e6a934872f75a5a634b68 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 21 Mar 2017 14:24:31 -0700 Subject: [PATCH 014/120] Fixing formatting and adding content --- ...ange-history-for-keep-windows-10-secure.md | 1 + .../create-wip-policy-using-intune.md | 374 +++++++++--------- 2 files changed, 187 insertions(+), 188 deletions(-) diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index 858577af50..1ac38ed7d2 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md @@ -16,6 +16,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md ## March 2017 |New or changed topic |Description | |---------------------|------------| +|[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Added new content about Azure Rights Management. | |[Protect derived domain credentials with Credential Guard](credential-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.| |[Requirements and deployment planning guidelines for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.| diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index b1ce416071..9af07a2e91 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md 
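Review bot: In the `@@ -443,35 +435,35 @@` hunk above (the optional settings list), the added line "- **No, or not configured.**Doesn't enable this feature." lost the space after the closing bold marker, so the label runs into the sentence. The same hunk moves most Yes/No choices to the same bullet level as the settings they belong to, while the choices under "Allow Windows Search to search encrypted corporate data and Store apps" and the Yes choice under "Show the Windows Information Protection icon overlay" appear to be added with indentation; nest every choice under its setting consistently so readers can tell the options from the settings.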
@@ -14,8 +14,8 @@ localizationpriority: high **Applies to:** -- Windows 10, version 1607 -- Windows 10 Mobile (except Microsoft Azure Rights Management, which is only available on the desktop) +- Windows 10, version 1607 +- Windows 10 Mobile (except Microsoft Azure Rights Management, which is only available on the desktop) Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. 
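Review bot: The "Windows 10 Mobile (except Microsoft Azure Rights Management, which is only available on the desktop)" bullet, which this hunk re-adds with only a whitespace difference, mixes a feature limitation into a list of platforms; consider keeping the **Applies to** list to platform names and stating the desktop-only limitation in the Azure Rights Management section instead.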
@@ -23,15 +23,15 @@ Microsoft Intune helps you create and deploy your Windows Information Protection After you’ve set up Intune for your organization, you must create a WIP-specific policy. **To add a WIP policy** -1.Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy** from the **Tasks** area. +1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy** from the **Tasks** area. -2.Go to **Windows**, click the **Windows Information Protection (Windows 10 Desktop and Mobile and later) policy**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**. +2. Go to **Windows**, click the **Windows Information Protection (Windows 10 Desktop and Mobile and later) policy**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**. -![Microsoft Intune: Create your new policy from the New Policy screen](images/intune-createnewpolicy.png) + ![Microsoft Intune: Create your new policy from the New Policy screen](images/intune-createnewpolicy.png) -3.Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes. +3. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes. -![Microsoft Intune: Fill out the required Name and optional Description fields](images/intune-generalinfo.png) + ![Microsoft Intune: Fill out the required Name and optional Description fields](images/intune-generalinfo.png) ### Add app rules to your policy During the policy-creation process in Intune, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps. 
@@ -50,19 +50,19 @@ For this example, we’re going to add Microsoft OneNote, a store app, to the ** **To add a store app** 1. From the **App Rules** area, click **Add**. -The **Add App Rule** box appears. + The **Add App Rule** box appears. -![Microsoft Intune, Add a store app to your policy](images/intune-add-uwp-apps.png) + ![Microsoft Intune, Add a store app to your policy](images/intune-add-uwp-apps.png) 2. Add a friendly name for your app into the **Title** box. In this example, it’s *Microsoft OneNote*. 3. Click **Allow** from the **Windows Information Protection mode** drop-down list. -Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic. + Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic. 4. Pick **Store App** from the **Rule template** drop-down list. -The box changes to show the store app rule options. + The box changes to show the store app rule options. 5. Type the name of the app and the name of its publisher, and then click **OK**. For this UWP app example, the **Publisher** is `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the **Product name** is `Microsoft.Office.OneNote`. @@ -71,35 +71,34 @@ If you don't know the publisher or product name, you can find them for both desk **To find the Publisher and Product Name values for Store apps without installing them** 1. Go to the [Windows Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Microsoft OneNote*. ->**Note**
If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic. + >**Note**
If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic. 2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`. 3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrfhvjl/applockerdata, where `9wzdncrfhvjl` is replaced with your ID value. -The API runs and opens a text editor with the app details. + The API runs and opens a text editor with the app details. -```json -{ -"packageIdentityName": "Microsoft.Office.OneNote", -"publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" -} -``` + ```json + { + "packageIdentityName": "Microsoft.Office.OneNote", + "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" + } + ``` 4. Copy the `publisherCertificateName` value into the **Publisher Name** box and copy the `packageIdentityName` value into the **Product Name** box of Intune. ->**Important**
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.

For example: - -```json -{ -"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", -} -``` + >**Important**
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.

For example:
+ ```json + { + "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", + } + ``` **To find the Publisher and Product Name values for apps installed on Windows 10 mobile phones** 1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature. ->**Note**
Your PC and phone must be on the same wireless network. + >**Note**
Your PC and phone must be on the same wireless network. 2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**. @@ -115,13 +114,12 @@ The API runs and opens a text editor with the app details. 8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune. ->**Important**
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.

For example: - -``` json -{ - "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", - } -``` + >**Important**
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.

For example:
+ ``` json + { + "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", + } + ``` #### Add a desktop app rule to your policy For this example, we’re going to add Internet Explorer, a desktop app, to the **App Rules** list. @@ -129,70 +127,70 @@ For this example, we’re going to add Internet Explorer, a desktop app, to the **To add a desktop app** 1. From the **App Rules** area, click **Add**. -The **Add App Rule** box appears. - -![Microsoft Intune, Add a desktop app to your policy](images/intune-add-classic-apps.png) + The **Add App Rule** box appears. + + ![Microsoft Intune, Add a desktop app to your policy](images/intune-add-classic-apps.png) 2. Add a friendly name for your app into the **Title** box. In this example, it’s *Internet Explorer*. 3. Click **Allow** from the **Windows Information Protection mode** drop-down list. -Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic. + Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic. 4. Pick **Desktop App** from the **Rule template** drop-down list. -The box changes to show the store app rule options. + The box changes to show the store app rule options. 5. Pick the options you want to include for the app rule (see table), and then click **OK**. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
OptionManages
All fields left as “*”All files signed by any publisher. (Not recommended)
Publisher selectedAll files signed by the named publisher.

This might be useful if your company is the publisher and signer of internal line-of-business apps.

Publisher and Product Name selectedAll files for the specified product, signed by the named publisher.
Publisher, Product Name, and Binary name selectedAny version of the named file or package for the specified product, signed by the named publisher.
Publisher, Product Name, Binary name, and File Version, and above, selectedSpecified version or newer releases of the named file or package for the specified product, signed by the named publisher.

This option is recommended for enlightened apps that weren't previously enlightened.

Publisher, Product Name, Binary name, and File Version, And below selectedSpecified version or older releases of the named file or package for the specified product, signed by the named publisher.
Publisher, Product Name, Binary name, and File Version, Exactly selectedSpecified version of the named file or package for the specified product, signed by the named publisher.
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
OptionManages
All fields left as “*”All files signed by any publisher. (Not recommended)
Publisher selectedAll files signed by the named publisher.

This might be useful if your company is the publisher and signer of internal line-of-business apps.

Publisher and Product Name selectedAll files for the specified product, signed by the named publisher.
Publisher, Product Name, and Binary name selectedAny version of the named file or package for the specified product, signed by the named publisher.
Publisher, Product Name, Binary name, and File Version, and above, selectedSpecified version or newer releases of the named file or package for the specified product, signed by the named publisher.

This option is recommended for enlightened apps that weren't previously enlightened.

Publisher, Product Name, Binary name, and File Version, And below selectedSpecified version or older releases of the named file or package for the specified product, signed by the named publisher.
Publisher, Product Name, Binary name, and File Version, Exactly selectedSpecified version of the named file or package for the specified product, signed by the named publisher.
If you’re unsure about what to include for the publisher, you can run this PowerShell command: ```ps1 -Get-AppLockerFileInformation -Path "" + Get-AppLockerFileInformation -Path "" ``` Where `""` goes to the location of the app on the device. For example, `Get-AppLockerFileInformation -Path "C:\Program Files\Internet Explorer\iexplore.exe"`. In this example, you'd get the following info: ``` json -Path Publisher ----- --------- -%PROGRAMFILES%\INTERNET EXPLORER\IEXPLORE.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\INTERNET EXPLOR... + Path Publisher + ---- --------- + %PROGRAMFILES%\INTERNET EXPLORER\IEXPLORE.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\INTERNET EXPLOR... ``` Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter in the **Publisher Name** box. 
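Review bot: Under step 4 of "To add a desktop app", the re-indented line "The box changes to show the store app rule options." still says store app although the step picks **Desktop App** from the **Rule template** list; it looks copied from the store app procedure and should read "desktop app rule options". Further down in the same hunk, the sample output of `Get-AppLockerFileInformation` sits in a fence tagged `json` even though it is console table output, so drop the tag or use a plain-text fence to avoid misleading syntax highlighting.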
@@ -201,113 +199,113 @@ For this example, we’re going to add an AppLocker XML file to the **App Rules* **To create an app rule and xml file using the AppLocker tool** 1. Open the Local Security Policy snap-in (SecPol.msc). - + 2. In the left pane, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**. -![Local security snap-in, showing the Packaged app Rules](images/intune-local-security-snapin.png) + ![Local security snap-in, showing the Packaged app Rules](images/intune-local-security-snapin.png) 3. Right-click in the right-hand pane, and then click **Create New Rule**. -The **Create Packaged app Rules** wizard appears. + The **Create Packaged app Rules** wizard appears. 4. On the **Before You Begin** page, click **Next**. -![Create Packaged app Rules wizard, showing the Before You Begin page](images/intune-applocker-before-begin.png) + ![Create Packaged app Rules wizard, showing the Before You Begin page](images/intune-applocker-before-begin.png) 5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**. -![Create Packaged app Rules wizard, showing the Before You Begin page](images/intune-applocker-permissions.png) + ![Create Packaged app Rules wizard, showing the Before You Begin page](images/intune-applocker-permissions.png) 6. On the **Publisher** page, click **Select** from the **Use an installed packaged app as a reference** area. -![Create Packaged app Rules wizard, showing the Publisher](images/intune-applocker-publisher.png) + ![Create Packaged app Rules wizard, showing the Publisher](images/intune-applocker-publisher.png) 7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we’re using Microsoft Photos. 
-![Create Packaged app Rules wizard, showing the Select applications page](images/intune-applocker-select-apps.png) + ![Create Packaged app Rules wizard, showing the Select applications page](images/intune-applocker-select-apps.png) 8. On the updated **Publisher** page, click **Create**. -![Create Packaged app Rules wizard, showing the Microsoft Photos on the Publisher page](images/intune-applocker-publisher-with-app.png) + ![Create Packaged app Rules wizard, showing the Microsoft Photos on the Publisher page](images/intune-applocker-publisher-with-app.png) 9. Review the Local Security Policy snap-in to make sure your rule is correct. -![Local security snap-in, showing the new rule](images/intune-local-security-snapin-updated.png) + ![Local security snap-in, showing the new rule](images/intune-local-security-snapin-updated.png) 10. In the left pane, right-click on **AppLocker**, and then click **Export policy**. -The **Export policy** box opens, letting you export and save your new policy as XML. + The **Export policy** box opens, letting you export and save your new policy as XML. -![Local security snap-in, showing the Export Policy option](images/intune-local-security-export.png) + ![Local security snap-in, showing the Export Policy option](images/intune-local-security-export.png) 11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**. -The policy is saved and you’ll see a message that says 1 rule was exported from the policy. + The policy is saved and you’ll see a message that says 1 rule was exported from the policy. -**Example XML file**
-This is the XML file that AppLocker creates for Microsoft Photos. + **Example XML file**
+ This is the XML file that AppLocker creates for Microsoft Photos. -```xml - - - - - - - - - - - - - - + ```xml + + + + + + + + + + + + + + -``` + ``` 12. After you’ve created your XML file, you need to import it by using Microsoft Intune. **To import your Applocker policy file app rule using Microsoft Intune** 1. From the **App Rules** area, click **Add**. - -The **Add App Rule** box appears. - -![Microsoft Intune, Importing your AppLocker policy file using Intune](images/intune-add-applocker-xml-file.png) + + The **Add App Rule** box appears. + + ![Microsoft Intune, Importing your AppLocker policy file using Intune](images/intune-add-applocker-xml-file.png) 2. Add a friendly name for your app into the **Title** box. In this example, it’s *Allowed app list*. 3. Click **Allow** from the **Windows Information Protection mode** drop-down list. -Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic. + Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic. 4. Pick **AppLocker policy file** from the **Rule template** drop-down list. -The box changes to let you import your AppLocker XML policy file. + The box changes to let you import your AppLocker XML policy file. 5. Click **Import**, browse to your AppLocker XML file, click **Open**, and then click **OK** to close the **Add App Rule** box. -The file is imported and the apps are added to your **App Rules** list. + The file is imported and the apps are added to your **App Rules** list. 
#### Exempt apps from WIP restrictions If you're running into compatibility issues where your app is incompatible with WIP, but still needs to be used with enterprise data, you can exempt the app from the WIP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak. **To exempt a store app, a desktop app, or an AppLocker policy file app rule** 1. From the **App Rules** area, click **Add**. - -The **Add App Rule** box appears. + + The **Add App Rule** box appears. 2. Add a friendly name for your app into the **Title** box. In this example, it’s *Exempt apps list*. 3. Click **Exempt** from the **Windows Information Protection mode** drop-down list. -Be aware that when you exempt apps, they’re allowed to bypass the WIP restrictions and access your corporate data. To allow apps, see the [Add app rules to your policy](#add-app-rules-to-your-policy) section of this topic. + Be aware that when you exempt apps, they’re allowed to bypass the WIP restrictions and access your corporate data. To allow apps, see the [Add app rules to your policy](#add-app-rules-to-your-policy) section of this topic. 4. Fill out the rest of the app rule info, based on the type of rule you’re adding: -- **Store app.** Follow the **Publisher** and **Product name** instructions in the [Add a store app rule to your policy](#add-a-store-app-rule-to-your-policy) section of this topic. + - **Store app.** Follow the **Publisher** and **Product name** instructions in the [Add a store app rule to your policy](#add-a-store-app-rule-to-your-policy) section of this topic. -- **Desktop app.** Follow the **Publisher**, **Product name**, **Binary name**, and **Version** instructions in the [Add a desktop app rule to your policy](#add-a-desktop-app-rule-to-your-policy) section of this topic. 
+ - **Desktop app.** Follow the **Publisher**, **Product name**, **Binary name**, and **Version** instructions in the [Add a desktop app rule to your policy](#add-a-desktop-app-rule-to-your-policy) section of this topic. -- **AppLocker policy file.** Follow the **Import** instructions in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section of this topic, using a list of exempted apps. + - **AppLocker policy file.** Follow the **Import** instructions in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section of this topic, using a list of exempted apps. 5. Click **OK**. @@ -333,7 +331,7 @@ You can specify multiple domains owned by your enterprise by separating them wit **To add your corporate identity** - Type the name of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`. -![Microsoft Intune, Set your primary Internet domains](images/intune-corporate-identity.png) + ![Microsoft Intune, Set your primary Internet domains](images/intune-corporate-identity.png) ### Choose where apps can access enterprise data After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. @@ -348,74 +346,74 @@ There are no default locations included with WIP, you must add each of your netw 1. Add additional network locations your apps can access by clicking **Add**. -The **Add or edit corporate network definition** box appears. + The **Add or edit corporate network definition** box appears. 2. Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table. -![Microsoft Intune, Add your corporate network definitions](images/intune-networklocation.png) + ![Microsoft Intune, Add your corporate network definitions](images/intune-networklocation.png)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Network location typeFormatDescription
Enterprise Cloud ResourcesWith proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
contoso.visualstudio.com,contoso.internalproxy2.com

Without proxy: contoso.sharepoint.com|contoso.visualstudio.com

Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

Important
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.

When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.

Enterprise Network Domain Names (Required)corp.contoso.com,region.contoso.comSpecify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.

This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks.

If you have multiple resources, you must separate them using the "," delimiter.

Enterprise Proxy Serversproxy.contoso.com:80;proxy2.contoso.com:443Specify your externally-facing proxy server addresses, along with the port through which traffic accesses the Internet.

This list must not include any servers listed in the Enterprise Internal Proxy Servers list, because they’re used for WIP-protected traffic.

This setting is also required if there’s a chance you could end up behind a proxy server on another network. In this situation, if you don't have a proxy server pre-defined, you might find that enterprise resources are unavailable to your client device, such as when you’re visiting another company and not on the guest network. To make sure this doesn’t happen, the client device also needs to be able to reach the pre-defined proxy server through the VPN network.

If you have multiple resources, you must separate them using the ";" delimiter.

Enterprise Internal Proxy Serverscontoso.internalproxy1.com;contoso.internalproxy2.comSpecify the proxy servers your devices will go through to reach your cloud resources.

Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.

This list shouldn’t include any servers listed in the Enterprise Proxy Servers list, which are used for non-WIP-protected traffic.

If you have multiple resources, you must separate them using the ";" delimiter.

Enterprise IPv4 Range (Required, if not using IPv6)**Starting IPv4 Address:** 3.4.0.1
**Ending IPv4 Address:** 3.4.255.254
**Custom URI:** 3.4.0.1-3.4.255.254,
10.0.0.1-10.255.255.254
Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

If you have multiple ranges, you must separate them using the "," delimiter.

Enterprise IPv6 Range (Required, if not using IPv4)**Starting IPv6 Address:** 2a01:110::
**Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
**Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

If you have multiple ranges, you must separate them using the "," delimiter.

Neutral Resourcessts.contoso.com,sts.contoso2.comSpecify your authentication redirection endpoints for your company.

These locations are considered enterprise or personal, based on the context of the connection before the redirection.

If you have multiple resources, you must separate them using the "," delimiter.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Network location typeFormatDescription
Enterprise Cloud ResourcesWith proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
contoso.visualstudio.com,contoso.internalproxy2.com

Without proxy: contoso.sharepoint.com|contoso.visualstudio.com

Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

Important
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.

When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.

Enterprise Network Domain Names (Required)corp.contoso.com,region.contoso.comSpecify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.

This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks.

If you have multiple resources, you must separate them using the "," delimiter.

Enterprise Proxy Serversproxy.contoso.com:80;proxy2.contoso.com:443Specify your externally-facing proxy server addresses, along with the port through which traffic accesses the Internet.

This list must not include any servers listed in the Enterprise Internal Proxy Servers list, because they’re used for WIP-protected traffic.

This setting is also required if there’s a chance you could end up behind a proxy server on another network. In this situation, if you don't have a proxy server pre-defined, you might find that enterprise resources are unavailable to your client device, such as when you’re visiting another company and not on the guest network. To make sure this doesn’t happen, the client device also needs to be able to reach the pre-defined proxy server through the VPN network.

If you have multiple resources, you must separate them using the ";" delimiter.

Enterprise Internal Proxy Serverscontoso.internalproxy1.com;contoso.internalproxy2.comSpecify the proxy servers your devices will go through to reach your cloud resources.

Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.

This list shouldn’t include any servers listed in the Enterprise Proxy Servers list, which are used for non-WIP-protected traffic.

If you have multiple resources, you must separate them using the ";" delimiter.

Enterprise IPv4 Range (Required, if not using IPv6)**Starting IPv4 Address:** 3.4.0.1
**Ending IPv4 Address:** 3.4.255.254
**Custom URI:** 3.4.0.1-3.4.255.254,
10.0.0.1-10.255.255.254
Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

If you have multiple ranges, you must separate them using the "," delimiter.

Enterprise IPv6 Range (Required, if not using IPv4)**Starting IPv6 Address:** 2a01:110::
**Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
**Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

If you have multiple ranges, you must separate them using the "," delimiter.

Neutral Resourcessts.contoso.com,sts.contoso2.comSpecify your authentication redirection endpoints for your company.

These locations are considered enterprise or personal, based on the context of the connection before the redirection.

If you have multiple resources, you must separate them using the "," delimiter.

3. Add as many locations as you need, and then click **OK**. -The **Add corporate network definition** box closes. + The **Add corporate network definition** box closes. 4. Decide if you want to Windows to look for additional network settings: -![Microsoft Intune, Choose if you want Windows to search for additinal proxy servers or IP ranges in your enterprise](images/intune-network-detection-boxes.png) + ![Microsoft Intune, Choose if you want Windows to search for additinal proxy servers or IP ranges in your enterprise](images/intune-network-detection-boxes.png) -- **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network. + - **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network. - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network. 5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy. 
- ![Microsoft Intune, Add your Data Recovery Agent (DRA) certificate](images/intune-data-recovery.png) + ![Microsoft Intune, Add your Data Recovery Agent (DRA) certificate](images/intune-data-recovery.png) -After you create and deploy your WIP policy to your employees, Windows will begin to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data. + After you create and deploy your WIP policy to your employees, Windows will begin to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data. -For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md). + For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md). 
### Choose to set up Azure Rights Management with WIP WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files via removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/en-us/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up. 
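Review bot: In the network-definition table of this hunk (@@ -348,74 +346,74 @@), two examples contradict the rules written beside them, and the re-indent carries both over unchanged. The Enterprise IPv6 Range row gives a Starting IPv6 Address of 2a01:110::, but its Custom URI begins with the bare end address `2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,` rather than a start-end range like the IPv4 row uses; it should read `2a01:110::-2a01:110:7fff:ffff:ffff:ffff:ffff:ffff`. The Enterprise Cloud Resources row says the "," delimiter must be kept just before "|" when no proxy is used, yet the "Without proxy" example `contoso.sharepoint.com|contoso.visualstudio.com` leaves it out. These strings decide what WIP treats as corporate, so the examples should be corrected while the table is being touched, together with "additinal" in the image alt text and "if you want to Windows to look" in step 4. Step 3 also calls the dialog **Add corporate network definition** where step 1 calls it **Add or edit corporate network definition**.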
@@ -435,35 +433,35 @@ After you've decided where your protected apps can access enterprise data on you **To set your optional settings** 1. Choose to set any or all of the optional settings: -- **Show the Personal option in the File ownership menus of File Explorer and the Save As dialog box.** Determines whether users can see the Personal option for files within File Explorer and the **Save As** dialog box. The options are: - -- **Yes, or not configured (recommended).** Employees can choose whether a file is **Work** or **Personal** in File Explorer and the **Save As** dialog box. + - **Show the Personal option in the File ownership menus of File Explorer and the Save As dialog box.** Determines whether users can see the Personal option for files within File Explorer and the **Save As** dialog box. The options are: + + - **Yes, or not configured (recommended).** Employees can choose whether a file is **Work** or **Personal** in File Explorer and the **Save As** dialog box. -- **No.** Hides the **Personal** option from employees. Be aware that if you pick this option, apps that use the **Save As** dialog box might encrypt new files as corporate data unless a different file path is given during the original file creation. After this happens, decryption of work files becomes more difficult. + - **No.** Hides the **Personal** option from employees. Be aware that if you pick this option, apps that use the **Save As** dialog box might encrypt new files as corporate data unless a different file path is given during the original file creation. After this happens, decryption of work files becomes more difficult. -- **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile**. Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. 
The options are: + - **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile**. Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are: -- **Yes (recommended).** Turns on the feature and provides the additional protection. + - **Yes (recommended).** Turns on the feature and provides the additional protection. -- **No, or not configured.**Doesn't enable this feature. + - **No, or not configured.** Doesn't enable this feature. -- **Revoke encryption keys on unenroll.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are: + - **Revoke encryption keys on unenroll.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are: -- **Yes, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment. + - **Yes, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment. + + - **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you’re migrating between Mobile Device Management (MDM) solutions. -- **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you’re migrating between Mobile Device Management (MDM) solutions. + - **Allow Windows Search to search encrypted corporate data and Store apps.** Determines whether Windows Search can search and index encrypted corporate data and Store apps. 
The options are: -- **Allow Windows Search to search encrypted corporate data and Store apps.** Determines whether Windows Search can search and index encrypted corporate data and Store apps. The options are: + - **Yes.** Allows Windows Search to search and index encrypted corporate data and Store apps. - - **Yes.** Allows Windows Search to search and index encrypted corporate data and Store apps. + - **No, or not configured (recommended).** Stops Windows Search from searching and indexing encrypted corporate data and Store apps. - - **No, or not configured (recommended).** Stops Windows Search from searching and indexing encrypted corporate data and Store apps. + - **Show the Windows Information Protection icon overlay.** Determines whether the Windows Information Protection icon overlay appears on corporate files in the Save As and File Explorer views. The options are: -- **Show the Windows Information Protection icon overlay.** Determines whether the Windows Information Protection icon overlay appears on corporate files in the Save As and File Explorer views. The options are: + - **Yes.** Allows the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but allowed apps, the icon overlay also appears on the app tile and with *Managed* text on the app name in the **Start** menu. - - **Yes.** Allows the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but allowed apps, the icon overlay also appears on the app tile and with *Managed* text on the app name in the **Start** menu. - -- **No, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but allowed apps. Not configured is the default option. 
+ - **No, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but allowed apps. Not configured is the default option. 2. Click **Save Policy**. From b28c22277bb40c535fed8320b0fb9c4ad1447cb2 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 22 Mar 2017 07:30:38 -0700 Subject: [PATCH 015/120] Updating content from tech review --- windows/keep-secure/create-wip-policy-using-intune.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index 9af07a2e91..b3ec476d6b 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md 
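Review bot: In the optional-settings hunk that ends just above (@@ -435,35 +433,35 @@), the **No** option under **Revoke encryption keys on unenroll** still reads "Stop local encryption keys from being revoked from a device during unenrollment." followed by the fragment "For example, if you’re migrating between Mobile Device Management (MDM) solutions." The sibling options use "Revokes", "Stops" and "Allows", so this should be "Stops ...", with the example folded into the same sentence. The parent entry only states the consequence of revoking ("a user no longer has access to encrypted corporate data"); the **No** option should say what the user can still reach after unenrollment when the keys are left in place, since that is the trade-off an admin is choosing here.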
@@ -418,9 +418,9 @@ There are no default locations included with WIP, you must add each of your netw ### Choose to set up Azure Rights Management with WIP WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files via removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/en-us/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up. -To configure WIP to use Azure Rights Management, you must set the **AllowAzureRMSForEDP** MDM setting to **1** in Microsoft Intune. This setting tells WIP to start encrypting files copied to removable drives that use Azure Rights Management, so they can be shared amongst your employees on computers running at least Windows 10, version 1703. +To configure WIP to use Azure Rights Management, you must set the **AllowAzureRMSForEDP** MDM setting to **1** in Microsoft Intune. This setting tells WIP to encrypt files copied to removable drives with Azure Rights Management, so they can be shared amongst your employees on computers running at least Windows 10, version 1703. -Optionally, if you don’t want everyone in your organization to be able to share your enterprise data, you can set the **RMSTemplateIDForEDP** MDM setting as the **TemplateID** of the Azure Rights Management template used to encrypt the data. You must make sure to mark the template with the **EditRightsData** option. +Optionally, if you don’t want everyone in your organization to be able to share your enterprise data, you can set the **RMSTemplateIDForEDP** MDM setting to the **TemplateID** of the Azure Rights Management template used to encrypt the data. You must make sure to mark the template with the **EditRightsData** option. 
>[!NOTE] >For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-custom-templates) topic. From 86532a8e914f88c5d274ebe87227e62ebee01922 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 22 Mar 2017 07:35:30 -0700 Subject: [PATCH 016/120] Added content --- windows/keep-secure/change-history-for-keep-windows-10-secure.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index 1ac38ed7d2..a3fedca01f 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md @@ -17,6 +17,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md |New or changed topic |Description | |---------------------|------------| |[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Added new content about Azure Rights Management. | +|[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) |Added additional limitations for Windows 10, version 1703. | |[Protect derived domain credentials with Credential Guard](credential-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.| |[Requirements and deployment planning guidelines for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.| 
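Review bot: In the Azure Rights Management hunk of PATCH 015 (@@ -418,9 +418,9 @@), the reworded **RMSTemplateIDForEDP** paragraph still leaves the default unstated: "if you don’t want everyone in your organization to be able to share your enterprise data" implies that everyone can when the setting is absent, but the text never says so. Please state what protection applies when only **AllowAzureRMSForEDP** is set to **1**, and say why the template must be marked with **EditRightsData** or what fails without it. The first added sentence also ties sharing to "at least Windows 10, version 1703", so it should be checked against the topic's **Applies to** list. In the unchanged note below, "see [Configuring custom templates for the Azure Rights Management service](...) topic" is missing "the".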
From c9d828821706dc75d0c3e25546b9d86a71cf8df8 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 22 Mar 2017 07:38:08 -0700 Subject: [PATCH 017/120] Fixing formatting --- windows/keep-secure/create-wip-policy-using-intune.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index b3ec476d6b..44605fccd9 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -71,6 +71,9 @@ If you don't know the publisher or product name, you can find them for both desk **To find the Publisher and Product Name values for Store apps without installing them** 1. Go to the [Windows Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Microsoft OneNote*. + > [!NOTE] + > If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic. + >**Note**
If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic. 2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`. From 86a65acca2bfdcf80ba1eda8cad6c4b8aeb75800 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 22 Mar 2017 08:00:13 -0700 Subject: [PATCH 018/120] Adding content --- ...reate-and-verify-an-efs-dra-certificate.md | 28 +++++++++++++++++++ .../create-wip-policy-using-intune.md | 9 ++---- 2 files changed, 30 insertions(+), 7 deletions(-) diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md index 4bd92ff06f..b05c43ed2b 100644 --- a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md +++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md @@ -94,6 +94,34 @@ It's possible that you might revoke data from an unenrolled device only to later The Windows Credential service automatically recovers the employee’s previously revoked keys from the `Recovery\Input` location. +**To quickly recover WIP-protected desktop data after unenrollment in a cloud-based environment**
+If you use a cloud environment in your organization, you may still want to restore an employee's data after revocation. While much of the process is the same as when you're not in a cloud environment, there are a couple of differences. + +>[!IMPORTANT] +>To maintain control over your enterprise data, and to be able to revoke again in the future, you must only perform this process after the employee has re-enrolled the device. + +1. Have your employee sign in to the unenrolled device, open the Run command (Windows logo key + R), and type: + + `Robocopy “%localappdata%\Microsoft\EDP\Recovery” <“new_location”> * /EFSRAW` + + -or- + + `Robocopy “{X:\}System Volume Information\EDP\Recovery\ ” <“new_location”> * /EFSRAW` + + Where the keys are stored either within the employee's profile or, if the employee performed a clean installation over the operating system, in the System Volume folder. Also, where *<”new_location”>* is in a different directory. This can be on the employee’s device or on a Windows 8 or Windows Server 2012 or newer server file share that can be accessed while you're logged in as a data recovery agent. + +2. Sign in to a different device with administrator credentials that have access to your organization's DRA certificate, and perform the file decryption and recovery by typing: + + `cipher.exe /D <“new_location”>` + +3. Have your employee sign in to the unenrolled device, open the Run command, and type: + + `Robocopy <”new_location”> “%localappdata%\Microsoft\EDP\Recovery\Input”` + +4. Ask the employee to lock and unlock the device. + + The Windows Credential service automatically recovers the employee’s previously revoked keys from the `Recovery\Input` location. + >[!NOTE] >Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). 
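Review bot: The new cloud-recovery procedure in this hunk (@@ -94,6 +94,34 @@) contradicts its own IMPORTANT note: the note says to perform the process only after the employee has re-enrolled the device, while steps 1 and 3 both say "Have your employee sign in to the unenrolled device". Please make the steps and the note agree, because the order decides whether you can revoke again later. The commands are also written with typographic quotes, as in `Robocopy “%localappdata%\Microsoft\EDP\Recovery” <“new_location”> * /EFSRAW`, and the placeholder appears both as `<“new_location”>` and `<”new_location”>`; copied into the Run box these will not be read as quoted paths, so use straight quotes and one placeholder spelling. The intro promises "a couple of differences" from the non-cloud procedure without naming them, and "Also, where *<”new_location”>* is in a different directory" is a fragment.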
diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index 44605fccd9..0067c51efa 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -38,11 +38,9 @@ During the policy-creation process in Intune, you can choose the apps you want t The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file. ->[!IMPORTANT] ->WIP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.

Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App Rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation. + >**Important**
WIP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.

Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App Rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation. ->[!NOTE] ->If you want to use **File hash** or **Path** rules, instead of **Publisher** rules, you must follow the steps in the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic. +>**Note**
If you want to use **File hash** or **Path** rules, instead of **Publisher** rules, you must follow the steps in the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic. #### Add a store app rule to your policy For this example, we’re going to add Microsoft OneNote, a store app, to the **App Rules** list. @@ -71,9 +69,6 @@ If you don't know the publisher or product name, you can find them for both desk **To find the Publisher and Product Name values for Store apps without installing them** 1. Go to the [Windows Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Microsoft OneNote*. - > [!NOTE] - > If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic. - >**Note**
If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic. 2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`. From 4a4c6efe5b9961fe1a6a6078d7468427a1ad9579 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 22 Mar 2017 08:25:37 -0700 Subject: [PATCH 019/120] Adding content --- .../keep-secure/create-and-verify-an-efs-dra-certificate.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md index b05c43ed2b..5bfc60d3cc 100644 --- a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md +++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md @@ -41,8 +41,7 @@ The recovery process included in this topic only works for desktop devices. WIP 4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as Microsoft Intune or System Center Configuration Manager. - >[!NOTE] - >To add your EFS DRA certificate to your policy by using Microsoft Intune, see the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) topic. To add your EFS DRA certificate to your policy by using System Center Configuration Manager, see the [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) topic. + **Note**
To add your EFS DRA certificate to your policy by using Microsoft Intune, see the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) topic. To add your EFS DRA certificate to your policy by using System Center Configuration Manager, see the [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) topic. **To verify your data recovery certificate is correctly set up on a WIP client computer** @@ -122,8 +121,7 @@ If you use a cloud environment in your organization, you may still want to resto The Windows Credential service automatically recovers the employee’s previously revoked keys from the `Recovery\Input` location. ->[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). +

**Note**
Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). ## Related topics - [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/magazine/2007.02.securitywatch.aspx) From 3727fd8bef3d24a2e7bd0bf981b2544fdcc4ecd5 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 22 Mar 2017 08:41:06 -0700 Subject: [PATCH 020/120] Fixing formatting --- ...add-apps-to-protected-list-using-custom-uri.md | 14 +++++--------- .../keep-secure/create-wip-policy-using-sccm.md | 15 ++++----------- 2 files changed, 9 insertions(+), 20 deletions(-) diff --git a/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md b/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md index 9176b41ff8..b0396cdfd0 100644 --- a/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md +++ b/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md @@ -39,15 +39,14 @@ You can add apps to your Windows Information Protection (WIP) protected app list 5. In the **Rules Preferences** screen, keep the default settings, and then click **Next** to start generating the rules. - >[!NOTE] + >We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.

If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule. 6. In the **Review Rules** screen, look over your rules to make sure they’re right, and then click **Create** to add them to your collection of rules. 7. In the left pane, right-click **AppLocker**, click **Export Policies**, go to where you want to save the XML file and type a file name, click **Save**, and then clear your AppLocker rules. - >[!IMPORTANT] - >Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy. + >**Important**
Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy. 8. Open the Intune administration console, and go to the **Policy** node, click **Add Policy** from the **Tasks** area, go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy, click **Create and Deploy a Custom Policy**, and then click **Create Policy**. @@ -87,18 +86,15 @@ After saving the policy, you’ll need to deploy it to your employee’s devices 5. In the **Rules Preferences** screen, keep the default settings, and then click **Next** to start generating the rules. - >[!IMPORTANT] - >You can also use **Path** rules instead of the **File hash** if you have concerns about unsigned files potentially changing the hash value if they're updated in the future. + >**Important**
You can also use **Path** rules instead of the **File hash** if you have concerns about unsigned files potentially changing the hash value if they're updated in the future. - >[!NOTE] - >We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.

If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.

Finally, there's **Path** rules. **Path** rules are easier to set up and maintain, but can let apps bypass Windows Information Protection (WIP) by simply renaming and moving an unallowed file to match one of the apps on the **Protected App** list. For example, if your **Path** rule says to allow `%PROGRAMFILES%/NOTEPAD.EXE`, it becomes possible to rename DisallowedApp.exe to Notepad.exe, move it into the specified path above, and have it suddenly be allowed. + >**Note**
We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.

If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.

Finally, there's **Path** rules. **Path** rules are easier to set up and maintain, but can let apps bypass Windows Information Protection (WIP) by simply renaming and moving an unallowed file to match one of the apps on the **Protected App** list. For example, if your **Path** rule says to allow `%PROGRAMFILES%/NOTEPAD.EXE`, it becomes possible to rename DisallowedApp.exe to Notepad.exe, move it into the specified path above, and have it suddenly be allowed. 6. In the **Review Rules** screen, look over your rules to make sure they’re right, and then click **Create** to add them to your collection of rules. 7. In the left pane, right-click **AppLocker**, click **Export Policies**, go to where you want to save the XML file and type a file name, click **Save**, and then clear your AppLocker rules. - >[!IMPORTANT] - >Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy. + >**Important**
Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy. 8. Open the Intune administration console, and go to the **Policy** node, click **Add Policy** from the **Tasks** area, go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy, click **Create and Deploy a Custom Policy**, and then click **Create Policy**. diff --git a/windows/keep-secure/create-wip-policy-using-sccm.md b/windows/keep-secure/create-wip-policy-using-sccm.md index 49801ae337..5a51f50d60 100644 --- a/windows/keep-secure/create-wip-policy-using-sccm.md +++ b/windows/keep-secure/create-wip-policy-using-sccm.md @@ -94,8 +94,7 @@ If you don't know the publisher or product name, you can find them for both desk 1. Go to the [Windows Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, Microsoft OneNote. - >[!NOTE] - >If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the steps in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section. + >**Note**
If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the steps in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section. 2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`. @@ -112,10 +111,7 @@ If you don't know the publisher or product name, you can find them for both desk 4. Copy the `publisherCertificateName` value and paste them into the **Publisher Name** box, copy the `packageIdentityName` value into the **Product Name** box of Intune. - >[!IMPORTANT] - >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`. - >For example:

- + >**Important**
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.

For example:

```json { "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", @@ -125,8 +121,7 @@ If you don't know the publisher or product name, you can find them for both desk **To find the Publisher and Product Name values for apps installed on Windows 10 mobile phones** 1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature. - >[!NOTE] - >Your PC and phone must be on the same wireless network. + >**Note**
Your PC and phone must be on the same wireless network. 2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**. @@ -142,10 +137,8 @@ If you don't know the publisher or product name, you can find them for both desk 8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune. - >[!IMPORTANT] - >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`. + >**Important**
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`. >For example:

- ```json { "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", From 5ceb091f25f0a22b11bfbcd023eb9f80a1fb374f Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 22 Mar 2017 08:42:45 -0700 Subject: [PATCH 021/120] Fixing formatting --- windows/keep-secure/protect-enterprise-data-using-wip.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/protect-enterprise-data-using-wip.md b/windows/keep-secure/protect-enterprise-data-using-wip.md index a37553eb2c..7f5e04babd 100644 --- a/windows/keep-secure/protect-enterprise-data-using-wip.md +++ b/windows/keep-secure/protect-enterprise-data-using-wip.md @@ -93,8 +93,8 @@ WIP gives you a new way to manage data policy enforcement for apps and documents - **Helping prevent accidental data disclosure to removable media.** WIP helps prevent enterprise data from leaking when it's copied or transferred to removable media. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesn’t. - **Remove access to enterprise data from enterprise-protected devices.** WIP gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can use Microsoft Intune to unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable. - >[!NOTE] - >For management of Surface devices it is recommended that you use the Current Branch of System Center Configuration Manager.
System Center Configuration Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device. + + >**Note**
For management of Surface devices it is recommended that you use the Current Branch of System Center Configuration Manager.
System Center Configuration Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device. ## How WIP works WIP helps address your everyday challenges in the enterprise. Including: From 99106b6a79c9f9a212726400a5e95d94c908bbd8 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 22 Mar 2017 08:47:04 -0700 Subject: [PATCH 022/120] Fixing formatting --- .../keep-secure/create-and-verify-an-efs-dra-certificate.md | 3 +-- windows/keep-secure/wip-app-enterprise-context.md | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md index 5bfc60d3cc..58a3228aef 100644 --- a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md +++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md @@ -36,8 +36,7 @@ The recovery process included in this topic only works for desktop devices. WIP The EFSDRA.cer and EFSDRA.pfx files are created in the location you specified in Step 1. - >[!IMPORTANT] - >Because the private keys in your DRA .pfx files can be used to decrypt any WIP file, you must protect them accordingly. We highly recommend storing these files offline, keeping copies on a smart card with strong protection for normal use and master copies in a secured physical location. + >**Important**
Because the private keys in your DRA .pfx files can be used to decrypt any WIP file, you must protect them accordingly. We highly recommend storing these files offline, keeping copies on a smart card with strong protection for normal use and master copies in a secured physical location. 4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as Microsoft Intune or System Center Configuration Manager. diff --git a/windows/keep-secure/wip-app-enterprise-context.md b/windows/keep-secure/wip-app-enterprise-context.md index b4ebd4ced4..c6fa730a12 100644 --- a/windows/keep-secure/wip-app-enterprise-context.md +++ b/windows/keep-secure/wip-app-enterprise-context.md @@ -45,8 +45,7 @@ The **Enterprise Context** column shows you what each app can do with your enter - **Exempt.** Shows the text, *Exempt*. WIP policies don't apply to these apps (such as, system components). - >[!IMPORTANT] - >Enlightened apps can change between Work and Personal, depending on the data being touched. For example, Microsoft Word 2016 shows as **Personal** when an employee opens a personal letter, but changes to **Work** when that same employee opens the company financials. + >**Important**
Enlightened apps can change between Work and Personal, depending on the data being touched. For example, Microsoft Word 2016 shows as **Personal** when an employee opens a personal letter, but changes to **Work** when that same employee opens the company financials. From 3399404dd892b2008e434e56644ebc383b2dcd4b Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 22 Mar 2017 09:13:55 -0700 Subject: [PATCH 023/120] Adding content --- windows/keep-secure/change-history-for-keep-windows-10-secure.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index a3fedca01f..1cdc7573bd 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md @@ -18,6 +18,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md |---------------------|------------| |[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Added new content about Azure Rights Management. | |[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) |Added additional limitations for Windows 10, version 1703. | +|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate)|Added content about recovering data from a cloud environment.| |[Protect derived domain credentials with Credential Guard](credential-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.| |[Requirements and deployment planning guidelines for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.| From 661616568cb3250e73e1358c7c9e95ea221d1a05 Mon Sep 17 00:00:00 2001 
From: LizRoss Date: Wed, 22 Mar 2017 09:24:24 -0700 Subject: [PATCH 024/120] Fixing link --- .../keep-secure/change-history-for-keep-windows-10-secure.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index 1cdc7573bd..1cf0bcdc14 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md @@ -18,7 +18,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md |---------------------|------------| |[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Added new content about Azure Rights Management. | |[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) |Added additional limitations for Windows 10, version 1703. | -|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate)|Added content about recovering data from a cloud environment.| +|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md)|Added content about recovering data from a cloud environment.| |[Protect derived domain credentials with Credential Guard](credential-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.| |[Requirements and deployment planning guidelines for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.| From 3662fd52c24d4f140632924e4d27b1fc6fb10d45 Mon Sep 17 00:00:00 2001 
From: LizRoss Date: Wed, 22 Mar 2017 09:31:49 -0700 Subject: [PATCH 025/120] Adding content --- windows/keep-secure/create-wip-policy-using-intune.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index 0067c51efa..4a5f3873fb 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -40,7 +40,7 @@ The steps to add your app rules are based on the type of rule template being app >**Important**
WIP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.

Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App Rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation. ->**Note**
If you want to use **File hash** or **Path** rules, instead of **Publisher** rules, you must follow the steps in the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic. + >**Note**
If you want to use **File hash** or **Path** rules, instead of **Publisher** rules, you must follow the steps in the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic. #### Add a store app rule to your policy For this example, we’re going to add Microsoft OneNote, a store app, to the **App Rules** list. @@ -113,7 +113,7 @@ If you don't know the publisher or product name, you can find them for both desk 8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune. >**Important**
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.

For example:
- ``` json + ```json { "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", } From 63c502615dccdfb498758980f417b6d5289da9ba Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 22 Mar 2017 13:07:15 -0700 Subject: [PATCH 026/120] Updated content --- windows/keep-secure/limitations-with-wip.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/limitations-with-wip.md b/windows/keep-secure/limitations-with-wip.md index 39aaeb8dc5..70b4062521 100644 --- a/windows/keep-secure/limitations-with-wip.md +++ b/windows/keep-secure/limitations-with-wip.md @@ -26,7 +26,7 @@ This table provides info about the most common problems you might encounter whil Your enterprise data on USB drives might be tied to the device it was protected on, based on your Azure RMS configuration. - If you’re using Azure RMS: Authenticated users can open enterprise data on USB drives, on computers running the latest build from the Windows Insider Program.

If you’re not using Azure RMS: Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won't open or the file opens, but doesn't contain readable text. + If you’re using Azure RMS: Authenticated users can open enterprise data on USB drives, on computers running Windows 10, version 1703.

If you’re not using Azure RMS: Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won't open or the file opens, but doesn't contain readable text. Share files with fellow employees through enterprise file servers or enterprise cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will be audited.

We strongly recommend educating employees about how to limit or eliminate the need for this decryption. From c6d1289421374540d9be2bd6cc53b3c5c3a2b679 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 22 Mar 2017 14:34:39 -0700 Subject: [PATCH 027/120] Updated content --- windows/keep-secure/create-wip-policy-using-intune.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index 4a5f3873fb..f36171596d 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -14,7 +14,7 @@ localizationpriority: high **Applies to:** -- Windows 10, version 1607 +- Windows 10, version 1703 - Windows 10 Mobile (except Microsoft Azure Rights Management, which is only available on the desktop) Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. From fece0918b736f9be56f19dc01dfa044d7852ad0c Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Wed, 22 Mar 2017 15:08:09 -0700 Subject: [PATCH 028/120] review feedback --- windows/plan/windows-10-enterprise-faq-itpro.md | 17 +++-------------- 1 file changed, 3 insertions(+), 14 deletions(-) diff --git a/windows/plan/windows-10-enterprise-faq-itpro.md b/windows/plan/windows-10-enterprise-faq-itpro.md index 192d0910c6..60a48fef2f 100644 --- a/windows/plan/windows-10-enterprise-faq-itpro.md +++ b/windows/plan/windows-10-enterprise-faq-itpro.md 
@@ -49,7 +49,7 @@ Many existing Win32 and Win64 applications already run reliably on Windows 10 wi ### Is there an easy way to assess if my organization’s devices are ready to upgrade to Windows 10? -[Windows Upgrade Readiness](https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics) (formerly known as Upgrade Analytics) provides powerful insights and recommendations about the computers, applications, and drivers in your organization, at no extra cost and without additional infrastructure requirements. This new service guides you through your upgrade and feature update projects using a workflow based on Microsoft recommended practices. Up-to-date inventory data allows you to balance cost and risk in your upgrade projects. +[Windows Analytics Upgrade Readiness](https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics) (formerly known as Upgrade Analytics) provides powerful insights and recommendations about the computers, applications, and drivers in your organization, at no extra cost and without additional infrastructure requirements. This new service guides you through your upgrade and feature update projects using a workflow based on Microsoft recommended practices. Up-to-date inventory data allows you to balance cost and risk in your upgrade projects. You can find additional product information at [Windows Analytics](https://www.microsoft.com/en-us/WindowsForBusiness/Windows-Analytics). ## Administration and deployment 
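Review bot: The sentence appended to the Upgrade Readiness answer links to a locale-pinned URL, `https://www.microsoft.com/en-us/WindowsForBusiness/Windows-Analytics`, so every reader is sent to the en-us page. Consider a locale-neutral form of the link if the site supports one. The paragraph also now names the service "Windows Analytics Upgrade Readiness" in the link text while the link target and the "formerly known as Upgrade Analytics" aside are unchanged; check that the new name matches the title of the linked topic.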
@@ -64,15 +64,9 @@ Updated versions of Microsoft deployment tools, including MDT, Configuration Man Computers running Windows 7 or Windows 8.1 can be upgraded directly to Windows 10 through the in-place upgrade process without a need to reimage the device using MDT and/or Configuration Manager. For more information, see [Upgrade to Windows 10 with System Center Configuration Manager](https://technet.microsoft.com/itpro/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager) or [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](https://technet.microsoft.com/itpro/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit). -### Are there any deployment tools available to support Windows 10? - -Updated versions of Microsoft deployment tools, including Configuration Manager, MDT, and the Windows Assessment and Deployment Kit (Windows ADK) have been released adding support for Windows 10. For most organizations currently using MDT or Configuration Manager to deploy Windows, deployment of Windows 10 will change very little. - -For more information on deployment methods for Windows 10, see [Windows 10 deployment tools](https://technet.microsoft.com/library/mt297512.aspx) and [Windows 10 deployment scenarios](https://technet.microsoft.com/library/mt282208.aspx). - ### Can I upgrade from Windows 7 Enterprise or Windows 8.1 Enterprise to Windows 10 Enterprise for free? -If you have Windows 7 Enterprise or Windows 8.1 Enterprise and current Software Assurance, you are entitled to the upgrade to Windows 10 Enterprise through the rights of Software Assurance. You can find your product keys and installation media at the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). +If you have Windows 7 Enterprise or Windows 8.1 Enterprise and current Windows 10 Enterprise E3 or E5 subscription, you are entitled to the upgrade to Windows 10 Enterprise through the rights of Software Assurance. 
You can find your product keys and installation media at the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). For devices that are licensed under a volume license agreement for Windows that does not include Software Assurance, new licenses will be required to upgrade these devices to Windows 10. 
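Review bot: The reworded answer under "Can I upgrade from Windows 7 Enterprise or Windows 8.1 Enterprise to Windows 10 Enterprise for free?" now makes a "current Windows 10 Enterprise E3 or E5 subscription" the condition, yet still says the entitlement comes "through the rights of Software Assurance", and the following paragraph still refers to agreements that do "not include Software Assurance". State which licensing vehicle grants the upgrade and use it consistently in both sentences; "and current" also needs an article ("and a current ..."). Separately, the removed "Are there any deployment tools available to support Windows 10?" entry carried the links to "Windows 10 deployment tools" and "Windows 10 deployment scenarios"; confirm the remaining deployment-tools answer above still provides them.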
@@ -104,12 +98,7 @@ For more information on pros and cons for these tools, see [Servicing Tools](htt ### Where can I find information about new features and changes in Windows 10 Enterprise? -For an overview of the new enterprise features in Windows 10 Enterprise, see [What's new in Windows 10](https://technet.microsoft.com/itpro/windows/whats-new/index) and [What's new in Windows 10, version 1703](https://tnstage.redmond.corp.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1703?branch=rs2) in the TechNet library. You can find information You'll find info on features like these: -- Modern deployment - Zero-touch deployment, bulk AD enrollment with provisioning, UEFI conversion tooland -- Windows Analytics - Upgrade Readiness, and Update Compliance -- Windows as a service enhancements - Differential feature update support, express update support for System Center Configuration Manager and third-party management software -- Mobile application management (MAM) and enhanced MDM -- Advanced security with Windows Defender - App Guard, Credential Guard, App Control, ATP) and Windows Hello +For an overview of the new enterprise features in Windows 10 Enterprise, see [What's new in Windows 10](https://technet.microsoft.com/itpro/windows/whats-new/index) and [What's new in Windows 10, version 1703](https://tnstage.redmond.corp.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1703?branch=rs2) in the TechNet library. Another place to track the latest information about new features of interest to IT professionals is the [Windows for IT Pros blog](https://blogs.technet.microsoft.com/windowsitpro/). Here you’ll find announcements of new features, information on updates to the Windows servicing model, and details about the latest resources to help you more easily deploy and manage Windows 10. From bd90fb73437b361fa2b1de2be3da2a38837b7615 Mon Sep 17 00:00:00 2001 
From: Brian Lich Date: Wed, 22 Mar 2017 17:01:25 -0700 Subject: [PATCH 029/120] bug# 11035796 --- ...ting-system-components-to-microsoft-services.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index e0cfbed2c9..15e5b8118c 100644 --- a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -382,16 +382,14 @@ Use either Group Policy or MDM policies to manage settings for Microsoft Edge. F Find the Microsoft Edge Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge**. -> [!NOTE] -> The Microsoft Edge Group Policy names were changed in Windows 10, version 1607. The table below reflects those changes. | Policy | Description | |------------------------------------------------------|-----------------------------------------------------------------------------------------------------| -| Configure autofill | Choose whether employees can use autofill on websites.
Default: Enabled | +| Configure Autofill | Choose whether employees can use autofill on websites.
Default: Enabled | | Configure Do Not Track | Choose whether employees can send Do Not Track headers.
Default: Disabled | -| Configure password manager | Choose whether employees can save passwords locally on their devices.
Default: Enabled | +| Configure Password Manager | Choose whether employees can save passwords locally on their devices.
Default: Enabled | | Configure search suggestions in Address bar | Choose whether the address bar shows search suggestions.
Default: Enabled | -| Configure SmartScreen Filter | Choose whether SmartScreen is turned on or off.
Default: Enabled | +| Configure Windows Defender SmartScreen Filter (Windows 10, version 1703)
Configure SmartScreen Filter (Windows Server 2016) | Choose whether Windows Defender SmartScreen is turned on or off.
Default: Enabled | | Allow web content on New Tab page | Choose whether a new tab page appears.
Default: Enabled | | Configure Home pages | Choose the corporate Home page for domain-joined devices.
Set this to **about:blank** | @@ -627,9 +625,11 @@ To turn off **Turn on SmartScreen Filter to check web content (URLs) that Window -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge** > **Configure SmartScreen Filter**. +- In Windows Server 2016, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge** > **Configure SmartScreen Filter**. + In Windows 10, version 1703,apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge** > **Configure Windows Defender SmartScreen Filter**. - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **File Explorer** > **Configure Windows SmartScreen**. + In Windows Server 2016, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **File Explorer** > **Configure Windows SmartScreen**. + In Windows 10, version 1703 , apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **File Explorer** > **Configure Windows Defender SmartScreen**. -or- From 746c86805743639090ba7b16ea5eb61a26f12fce Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 22 Mar 2017 17:26:04 -0700 Subject: [PATCH 030/120] adding SmartScreen filter GPO --- ...g-system-components-to-microsoft-services.md | 17 ++++++----------- 1 file changed, 6 insertions(+), 11 deletions(-) diff --git a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 15e5b8118c..666e671997 100644 --- a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
+++ b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -29,21 +29,15 @@ To help make it easier to deploy settings to restrict connections from Windows 1 We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com. -## What's new in Windows 10, version 1607 and Windows Server 2016 +## What's new in Windows 10, version 1703 -Here's a list of changes that were made to this article for Windows 10, version 1607 and Windows Server 2016: +Here's a list of changes that were made to this article for Windows 10, version 1703: -- Added instructions on how to turn off speech recognition and speech synthesis model updates in [14.5 Speech, inking, & typing](#bkmk-priv-speech). -- Added instructions on how to turn off flip ahead with an Internet Explorer Group Policy. -- Added a section on how to turn off automatic root updates to stop updating the certificate trust list in [1. Certificate trust lists](#certificate-trust-lists). -- Added a new setting in [25. Windows Update](#bkmk-wu). -- Changed the NCSI URL in [11. Network Connection Status Indicator](#bkmk-ncsi). -- Added a section on how to turn off features that depend on Microsoft Account cloud authentication service [10. Microsoft Account](#bkmk-microsoft-account). +- - Added the following Group Policies: - - Turn off unsolicited network traffic on the Offline Maps settings page - - Turn off all Windows spotlight features + - Prevent managing SmartScreen Filter ## Settings @@ -52,7 +46,7 @@ The following sections list the components that make network connections to Micr If you're running Windows 10, they will be included in the next update for the Long Term Servicing Branch. -### Settings for Windows 10 Enterprise, version 1607 +### Settings for Windows 10 Enterprise, version 1703 See the following table for a summary of the management settings for Windows 10 Enterprise, version 1607. 
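Review bot: The heading in the @@ -52,7 +46,7 hunk becomes "Settings for Windows 10 Enterprise, version 1703", but the sentence directly under it is left as "See the following table for a summary of the management settings for Windows 10 Enterprise, version 1607." Change that sentence in the same commit so the section does not name two versions for one table.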
@@ -329,6 +323,7 @@ Use Group Policy to manage settings for Internet Explorer. You can find the Int | Turn off the auto-complete feature for web addresses | Choose whether auto-complete suggests possible matches when employees are typing web address in the address bar.
Default: Disabled
You can also turn this off in the UI by clearing the Internet Options > **Advanced** > **Use inline AutoComplete in the Internet Explorer Address Bar and Open Dialog** check box.| | Disable Periodic Check for Internet Explorer software updates| Choose whether Internet Explorer periodically checks for a new version.
Default: Enabled | | Turn off browser geolocation | Choose whether websites can request location data from Internet Explorer.
Default: Disabled| +| Prevent managing SmartScreen filter | Choose whether employees can manage the SmartScreen Filter in Internet Explorer.
Default: Disabled | There are two more Group Policy objects that are used by Internet Explorer: From 09503b610afbe4b86fb9a84596317d3438bfde66 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 22 Mar 2017 17:35:20 -0700 Subject: [PATCH 031/120] bug# 11031857 --- ...dows-operating-system-components-to-microsoft-services.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 666e671997..cc53236858 100644 --- a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -38,6 +38,7 @@ Here's a list of changes that were made to this article for Windows 10, version - Added the following Group Policies: - Prevent managing SmartScreen Filter + - Turn off Compatibility View ## Settings @@ -329,7 +330,9 @@ There are two more Group Policy objects that are used by Internet Explorer: | Path | Policy | Description | | - | - | - | -| **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Internet Control Panel** > **Advanced Page** | Turn off the flip ahead with page prediction feature | Choose whether an employee can swipe across a screen or click forward to go to the next pre-loaded page of a website.
Default: Enabled | +| **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Compatibility View** > **Turn off Compatibility View** | Choose whether employees can configure Compatibility View. | Choose whether an employee can swipe across a screen or click forward to go to the next pre-loaded page of a website.
Default: Disabled | +| **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Internet Control Panel** > **Advanced Page** | Turn off the flip ahead with page prediction feature | Choose whether +an employee can swipe across a screen or click forward to go to the next pre-loaded page of a website.
Default: Enabled | | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **RSS Feeds** | Turn off background synchronization for feeds and Web Slices | Choose whether to have background synchronization for feeds and Web Slices.
Default: Enabled | ### 7.1 ActiveX control blocking From a75ebac9ea6cc4d3655a040f943598111e2fc1b4 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 22 Mar 2017 17:40:09 -0700 Subject: [PATCH 032/120] bug# 10765050 --- ...rating-system-components-to-microsoft-services.md | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index cc53236858..bc9040bd73 100644 --- a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -33,7 +33,7 @@ We are always striving to improve our documentation and welcome your feedback. Y Here's a list of changes that were made to this article for Windows 10, version 1703: -- +- Added an MDM policy for Font streaming. - Added the following Group Policies: 
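Review bot: In the table hunk of the "bug# 11031857" patch (@@ -329,7 +330,9), the new Compatibility View row is shifted by one column and carries a copied description: the policy name "Turn off Compatibility View" is appended to the Path cell, the Policy cell holds "Choose whether employees can configure Compatibility View.", and the Description cell repeats the flip ahead text ("Choose whether an employee can swipe across a screen ..."). Put the path ending at "Compatibility View" in the first cell, the policy name in the second, and the Compatibility View description with its default in the third. The re-added flip ahead row is also split across two lines after "Choose whether", which cuts the Markdown table row in half; keep the row on one line.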
@@ -263,7 +263,15 @@ To prevent Windows from retrieving device metadata from the Internet, apply the Fonts that are included in Windows but that are not stored on the local device can be downloaded on demand. -If you're running Windows 10, version 1607 or Windows Server 2016, disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **Fonts** > **Enable Font Providers**. +If you're running Windows 10, version 1607, Windows Server 2016, or later: + +- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **Fonts** > **Enable Font Providers**. + +- In Windows 10, version 1703, you can apply the System/AllowFontProviders MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where: + + - **false**. Font streaming is disabled. + + - **true**. Font streaming is enabled. If you're running Windows 10, version 1507 or Windows 10, version 1511, create a REG\_DWORD registry setting called **DisableFontProviders** in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\FontCache\\Parameters**, with a value of 1. From 4c524b4eea46aaad3101c11389cf96d82735289d Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 22 Mar 2017 17:45:18 -0700 Subject: [PATCH 033/120] bug# 10757353 --- ...dows-operating-system-components-to-microsoft-services.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index bc9040bd73..03954a19f8 100644 --- a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
@@ -34,6 +34,7 @@ We are always striving to improve our documentation and welcome your feedback. Y Here's a list of changes that were made to this article for Windows 10, version 1703: - Added an MDM policy for Font streaming. +- Added an MDM policy for Network Connection Status Indicator. - Added the following Group Policies: @@ -433,10 +434,12 @@ Network Connection Status Indicator (NCSI) detects Internet connectivity and cor In versions of Windows 10 prior to Windows 10, version 1607 and Windows Server 2016, the URL was http://www.msftncsi.com. -You can turn off NCSI through Group Policy: +You can turn off NCSI by doing one of the following: - Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Windows Network Connectivity Status Indicator active tests** +- In Windows 10, version 1703 and later, apply the Connectivity/DisallowNetworkConnectivityActiveTests MDM policy. + > [!NOTE] > After you apply this policy, you must restart the device for the policy setting to take effect. From f8d8bf23304e2e7be09740fdf132a711d964dd63 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 22 Mar 2017 17:49:43 -0700 Subject: [PATCH 034/120] bug# 10756556 --- ...ws-operating-system-components-to-microsoft-services.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 03954a19f8..16ed4bfac9 100644 --- a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
@@ -35,6 +35,7 @@ Here's a list of changes that were made to this article for Windows 10, version - Added an MDM policy for Font streaming. - Added an MDM policy for Network Connection Status Indicator. +- Added an MDM policy for the Micosoft Account Sign-In Assistant. - Added the following Group Policies: @@ -50,7 +51,7 @@ If you're running Windows 10, they will be included in the next update for the L ### Settings for Windows 10 Enterprise, version 1703 -See the following table for a summary of the management settings for Windows 10 Enterprise, version 1607. +See the following table for a summary of the management settings for Windows 10 Enterprise, version 1703. | Setting | UI | Group Policy | MDM policy | Registry | Command line | | - | :-: | :-: | :-: | :-: | :-: | @@ -380,6 +381,10 @@ To prevent communication to the Microsoft Account cloud authentication service. - Change the **Start** REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\wlidsvc** to 4. +To disable the Microsoft Account Sign-In Assistant: + +- Apply the Accounts/AllowMicrosoftAccountSignInAssistant MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is turned off and 1 is turned on. + ### 11. Microsoft Edge From 9db3448347b79594b7089f3b8eeee63a5bc59050 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 22 Mar 2017 17:51:41 -0700 Subject: [PATCH 035/120] bug# 10756556 --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 16ed4bfac9..5635ee830d 100644 --- a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
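Review bot: "Micosoft" in the added What's new bullet ("Added an MDM policy for the Micosoft Account Sign-In Assistant.") should be "Microsoft". The new instruction in the @@ -380,6 +381,10 hunk spells the name correctly, so only the changelog line needs the fix.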
+++ b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -64,7 +64,7 @@ See the following table for a summary of the management settings for Windows 10 | [7. Internet Explorer](#bkmk-ie) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | | [8. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | | | | | [9. Mail synchronization](#bkmk-mailsync) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | -| [10. Microsoft Account](#bkmk-microsoft-account) | | | | ![Check mark](images/checkmark.png) | | +| [10. Microsoft Account](#bkmk-microsoft-account) | | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [11. Microsoft Edge](#bkmk-edge) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | [12. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | | | | | [13. Offline maps](#bkmk-offlinemaps) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | From a2bb7cebbfb0e53395ea56473fab44917fd1a10a Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 22 Mar 2017 18:32:23 -0700 Subject: [PATCH 036/120] bug# 10214974 --- ...system-components-to-microsoft-services.md | 34 ++++++++++++++++--- 1 file changed, 30 insertions(+), 4 deletions(-) diff --git a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 5635ee830d..4638350b80 100644 --- a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
@@ -41,6 +41,12 @@ Here's a list of changes that were made to this article for Windows 10, version - Prevent managing SmartScreen Filter - Turn off Compatibility View + - Turn off Automatic Download and Install of updates + - Do not connect to any Windows Update locations + - Turn off access to all Windows Update features + - Specify Intranet Microsoft update service location + - Enable Windows NTP client + - Turn off Automatic download of the ActiveX VersionList ## Settings @@ -57,7 +63,7 @@ See the following table for a summary of the management settings for Windows 10 | - | :-: | :-: | :-: | :-: | :-: | | [1. Certificate trust lists](#certificate-trust-lists) | | ![Check mark](images/checkmark.png) | | | | | [2. Cortana and Search](#bkmk-cortana) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | -| [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | | | ![Check mark](images/checkmark.png) | | +| [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | | | | | [5. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | [6. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | 
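Review bot: Several policy names added to the What's new list in the @@ -41,6 +41,12 hunk do not match the names this same patch uses in the instructions: the list says "Do not connect to any Windows Update locations" where the Windows Update hunk says "Do not connect to any Windows Update Internet locations", and "Specify Intranet Microsoft update service location" and "Enable Windows NTP client" differ in capitalization from "Specify intranet Microsoft update service location" and "Enable Windows NTP Client". Copy the names exactly as they appear in the Group Policy editor in both places so a reader searching for one finds the other.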
@@ -107,7 +113,7 @@ See the following table for a summary of the management settings for Windows Ser | - | :-: | :-: | :-: | :-: | | [1. Certificate trust lists](#certificate-trust-lists) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [2. Cortana and Search](#bkmk-cortana) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | -| [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | | | | [5. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [6. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | @@ -132,7 +138,7 @@ See the following table for a summary of the management settings for Windows Ser | Setting | Group Policy | Registry | Command line | | - | :-: | :-: | :-: | :-: | :-: | | [1. Certificate trust lists](#certificate-trust-lists) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [3. Date & Time](#bkmk-datetime) | | ![Check mark](images/checkmark.png) | | +| [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [5. Font streaming](#font-streaming) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [12. Network Connection Status Indicator](#bkmk-ncsi) | ![Check mark](images/checkmark.png) | | | | [17. Software Protection Platform](#bkmk-spp) | ![Check mark](images/checkmark.png) | | | 
@@ -255,6 +261,10 @@ You can prevent Windows from setting the time automatically. -or- +- Disable the Group Policy: **System\\Windows Time Service\\Time Providers!!Enable Windows NTP Client** + + -or- + - Create a REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters\\Type** with a value of **NoSync**. ### 4. Device metadata retrieval @@ -347,7 +357,15 @@ an employee can swipe across a screen or click forward to go to the next pre-loa ### 7.1 ActiveX control blocking -ActiveX control blocking periodically downloads a new list of out-of-date ActiveX controls that should be blocked. You can turn this off by changing the REG\_DWORD registry setting **HKEY\_CURRENT\_USER\\Software\\Microsoft\\Internet Explorer\\VersionManager\\DownloadVersionList** to 0 (zero). +ActiveX control blocking periodically downloads a new list of out-of-date ActiveX controls that should be blocked. + +You can turn this off by: + +- Apply the Group Policy: **User Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Security Features** > **Add-on Management** > **Turn off Automatic download of the ActiveX VersionList** + + - or - + +- Changing the REG\_DWORD registry setting **HKEY\_CURRENT\_USER\\Software\\Microsoft\\Internet Explorer\\VersionManager\\DownloadVersionList** to 0 (zero). For more info, see [Out-of-date ActiveX control blocking](http://technet.microsoft.com/library/dn761713.aspx). 
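Review bot: The Group Policy added in the Date & Time hunk (@@ -255,6 +261,10) is written as "System\\Windows Time Service\\Time Providers!!Enable Windows NTP Client", with backslashes and "!!" and no Computer Configuration or User Configuration root, while every other policy in this article uses the "**Computer Configuration** > **Administrative Templates** > ..." form. Rewrite it in that form, with each node in bold and the policy name as the last element, so the reader can follow it in the editor.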
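Review bot: The new list under "You can turn this off by:" in the 7.1 ActiveX control blocking hunk (@@ -347,7 +357,15) is not parallel and uses a different separator from the rest of the article: the first item starts "Apply the Group Policy: ..." and the second "Changing the REG_DWORD registry setting ...", and the separator is written "- or -" where the Date & Time hunk just before it uses "-or-". Change the lead-in to "You can turn this off by doing one of the following:" with both items in the imperative, and write the separator as "-or-". Both options are per-user (the policy is under User Configuration and the registry value under HKEY_CURRENT_USER), which is worth stating in the text.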
@@ -1281,6 +1299,8 @@ You can turn off the ability to launch apps from the Windows Store that were pre - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Disable all apps from Windows Store**. +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Turn off Automatic Download and Install of updates**. + ### 25. Windows Update Delivery Optimization Windows Update Delivery Optimization lets you get Windows updates and Windows Store apps from sources in addition to Microsoft, which not only helps when you have a limited or unreliable Internet connection, but can also help you reduce the amount of bandwidth needed to keep all of your organization's PCs up-to-date. If you have Delivery Optimization turned on, PCs on your network may send and receive updates and apps to other PCs on your local network, if you choose, or to PCs on the Internet. 
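Review bot: The added bullet for "Turn off Automatic Download and Install of updates" is appended to the list introduced by "You can turn off the ability to launch apps from the Windows Store that were pre..." with no "-or-" or "-and-" separator, so it reads as a second way to block app launches although the policy name is about updates. Give it its own lead-in sentence saying which connection it turns off, or add the separator the other lists in this article use to show whether both policies are required.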
@@ -1352,6 +1372,12 @@ You can turn off Windows Update by setting the following registry entries: - Add a REG\_DWORD value called **UseWUServer** to **HKEY\_LOCAL\_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU** and set the value to 1. +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Do not connect to any Windows Update Internet locations**. + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Intenet Communication Management** > **Internet Communication Settings** > **Turn off access to all Windows Update features**. + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Specify intranet Microsoft update service location** and set the **Set the alternate download server** to **,**. + You can turn off automatic updates by doing one of the following. This is not recommended. From 3f0929ac5c2ccd3e92c988f036005b0b6def9bd3 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 23 Mar 2017 13:07:57 -0700 Subject: [PATCH 037/120] instructions for removing the sticky notes app --- ...-operating-system-components-to-microsoft-services.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 4638350b80..2c1ec4f7f4 100644 --- a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
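Review bot: In the Windows Update hunk (@@ -1352,6 +1372,12), the three added Group Policy bullets sit under "You can turn off Windows Update by setting the following registry entries:", the path in the second bullet is misspelled "Intenet Communication Management", and the third bullet ends "set the **Set the alternate download server** to **,**." which leaves the reader with only a comma as the value. Reword the lead-in so it covers Group Policy as well as registry entries, correct the spelling to "Internet", state the literal value to enter for the alternate download server, and say whether these policies are alternatives to the registry entries or must be applied together.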
@@ -36,6 +36,7 @@ Here's a list of changes that were made to this article for Windows 10, version - Added an MDM policy for Font streaming. - Added an MDM policy for Network Connection Status Indicator. - Added an MDM policy for the Micosoft Account Sign-In Assistant. +- Added instructions for removing the Sticky Notes app. - Added the following Group Policies: @@ -594,6 +595,14 @@ To remove the Get Skype app: Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.SkypeApp | Remove-AppxPackage** +To remove the Sticky notes app: + +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.MicrosoftStickyNotes"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.MicrosoftStickyNotes | Remove-AppxPackage** + ### 16. Settings > Privacy Use Settings > Privacy to configure some settings that may be important to your organization. Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC. From cba4504cc7825c8e1d52f6fcf52a2c1bcd950537 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 23 Mar 2017 13:12:51 -0700 Subject: [PATCH 038/120] bug# 10866362 --- ...s-operating-system-components-to-microsoft-services.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 2c1ec4f7f4..a97f65a67b 100644 
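Review bot: In the Sticky Notes hunk (@@ -594,6 +595,14), the provisioned-package filter uses -Like with no wildcard: Where-Object {$\_.PackageName -Like "Microsoft.MicrosoftStickyNotes"}. Without a wildcard, -Like is an exact match, and the PackageName of a provisioned package carries version, architecture and publisher suffixes after the name, so this pipeline selects nothing and the app stays provisioned for new user accounts. Use "Microsoft.MicrosoftStickyNotes*" or filter on DisplayName instead. The heading line "To remove the Sticky notes app:" should also match the "Sticky Notes" capitalization used in the What's new bullet of the same patch.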
--- a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -1199,7 +1199,7 @@ When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings scr You can disconnect from the Microsoft Antimalware Protection Service. -- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **MAPS** > **Join Microsoft MAPS** +- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **MAPS** > **Join Microsoft MAPS** -or- @@ -1215,7 +1215,7 @@ You can disconnect from the Microsoft Antimalware Protection Service. You can stop sending file samples back to Microsoft. -- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **MAPS** > **Send file samples when further analysis is required** to **Always Prompt** or **Never Send**. +- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **MAPS** > **Send file samples when further analysis is required** to **Always Prompt** or **Never Send**. -or- 
@@ -1235,11 +1235,11 @@ You can stop sending file samples back to Microsoft. You can stop downloading definition updates: -- Enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **Signature Updates** > **Define the order of sources for downloading definition updates** and set it to **FileShares**. +- Enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **Signature Updates** > **Define the order of sources for downloading definition updates** and set it to **FileShares**. -and- -- Disable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **Signature Updates** > **Define file shares for downloading definition updates** and set it to nothing. +- Disable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **Signature Updates** > **Define file shares for downloading definition updates** and set it to nothing. For Windows 10 only, you can stop Enhanced Notifications: From 05ee300ff5a0fcc4e29086f8dc3cf60e87f43bf8 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 23 Mar 2017 13:15:53 -0700 Subject: [PATCH 039/120] bug# 10215399 --- ...s-operating-system-components-to-microsoft-services.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index a97f65a67b..45d81242ad 100644 --- a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
@@ -841,7 +841,7 @@ To turn off **Let apps access my notifications**: -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access my notifications** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access notifications** - Set the **Select a setting** box to **Force Deny**. @@ -1118,7 +1118,7 @@ Enterprise customers can manage their Windows activation status with volume lice For Windows 10: -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client AVS Validation** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Validation** -or- @@ -1126,7 +1126,7 @@ For Windows 10: For Windows Server 2016 with Desktop Experience or Windows Server 2016 Server Core: -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client AVS Validation** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Validation** The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS. 
@@ -1296,7 +1296,7 @@ If you're not running Windows 10, version 1607 or later, you can use the other o - - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not show Windows Tips**. + - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not show Windows tips**. - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off Microsoft consumer experiences**. From b5160a9312019882eea05df0dc62686dd3f49869 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 23 Mar 2017 13:19:59 -0700 Subject: [PATCH 040/120] bug# 10980994 --- ...ndows-operating-system-components-to-microsoft-services.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 45d81242ad..8b1a5ec6d4 100644 --- a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -48,6 +48,7 @@ Here's a list of changes that were made to this article for Windows 10, version - Specify Intranet Microsoft update service location - Enable Windows NTP client - Turn off Automatic download of the ActiveX VersionList + - Allow Automatic Update of Speech Data ## Settings 
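Review bot: The change-list entry added here, "Allow Automatic Update of Speech Data", does not match the policy name used in the section text that this same patch adds in its next hunk, **Allow automatically update of Speech Data**. Readers search for these names verbatim, so pick the exact string shown in the Group Policy editor and use it in both places. The new version 1703 paragraph in that hunk also repeats the existing version 1607 lead sentence word for word; merging or rewording the two would make it clear which instruction applies to which release.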
@@ -868,6 +869,9 @@ To turn off the functionality: - Create a REG\_DWORD registry setting called **HarvestContacts** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\InputPersonalization\\TrainedDataStore**, with a value of 0 (zero). +If you're running at least Windows 10, version 1703, you can turn off updates to the speech recognition and speech synthesis models: + +- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Speech** > **Allow automatically update of Speech Data** If you're running at least Windows 10, version 1607, you can turn off updates to the speech recognition and speech synthesis models: From 0db2f63916184463183aa93f8cdaf83b6425e823 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 23 Mar 2017 13:28:29 -0700 Subject: [PATCH 041/120] bug# 10980531 --- ...system-components-to-microsoft-services.md | 33 ++++++++++++++++++- 1 file changed, 32 insertions(+), 1 deletion(-) diff --git a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 8b1a5ec6d4..bcb8b27a83 100644 --- a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
@@ -646,6 +646,37 @@ Use Settings > Privacy to configure some settings that may be important to yo **General** includes options that don't fall into other areas. +#### Windows 10, version 1703 options + +To turn off **Let apps use advertising ID to make ads more interesting to you based on your app usage (turning this off will reset your ID)**: + +> [!NOTE] +> When you turn this feature off in the UI, it turns off the advertising ID, not just resets it. + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles** > **Turn off the advertising ID**. + + -or- + +- Create a REG\_DWORD registry setting called **Enabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AdvertisingInfo**, with a value of 0 (zero). + +To turn off **Let websites provide locally relevant content by access my language list**: + +- Turn off the feature in the UI. + +To turn off **Let Windows track app launches to improve Start and search results**: + +- Turn off the feature in the UI. + + -or- + +- Create a REG_DWORD registry setting called **Start_TrackProgs** with value of 0 (zero) in **HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced** + +#### Windows Server 2016 and Windows 10, version 1607 and earlier options + To turn off **Let apps use my advertising ID for experiences across apps (turning this off will reset your ID)**: > [!NOTE] 
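Review bot: The added **Start_TrackProgs** bullet writes its registry path without the escaping used by the other registry bullet in this hunk (`REG\_DWORD`, `HKEY\_LOCAL\_MACHINE\\SOFTWARE\\...`) and has no trailing period; suggest matching the escaped form so underscores and backslashes render the same way throughout. "Let websites provide locally relevant content by access my language list" reads like a typo for "by accessing" and should be checked against the UI string. The new NOTE says turning the setting off in the UI turns the advertising ID off rather than resetting it, while the label quoted directly above says "turning this off will reset your ID"; one sentence stating that the label is quoted verbatim would remove the apparent contradiction.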
@@ -668,7 +699,7 @@ To turn off **Turn on SmartScreen Filter to check web content (URLs) that Window -or- - In Windows Server 2016, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge** > **Configure SmartScreen Filter**. - In Windows 10, version 1703,apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge** > **Configure Windows Defender SmartScreen Filter**. + In Windows 10, version 1703, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge** > **Configure Windows Defender SmartScreen Filter**. In Windows Server 2016, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **File Explorer** > **Configure Windows SmartScreen**. In Windows 10, version 1703 , apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **File Explorer** > **Configure Windows Defender SmartScreen**. From d2f5bb171b78b9c7f3b35f18808e8c8a6815f1dd Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 23 Mar 2017 15:58:42 -0700 Subject: [PATCH 042/120] bug# 10215117 --- ...system-components-to-microsoft-services.md | 288 +++++++++++++++--- 1 file changed, 251 insertions(+), 37 deletions(-) diff --git a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index bcb8b27a83..495075dd53 100644 --- a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
@@ -37,6 +37,7 @@ Here's a list of changes that were made to this article for Windows 10, version - Added an MDM policy for Network Connection Status Indicator. - Added an MDM policy for the Micosoft Account Sign-In Assistant. - Added instructions for removing the Sticky Notes app. +- Added registry paths for some Group Policies - Added the following Group Policies: 
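Review bot: The added bullet "Added registry paths for some Group Policies" has no trailing period, unlike its sibling bullets, and "some" gives readers no way to tell which sections changed; suggest naming or linking the affected sections. The context line just above still reads "Micosoft Account Sign-In Assistant", which could be corrected in the same pass.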
@@ -64,47 +65,47 @@ See the following table for a summary of the management settings for Windows 10 | Setting | UI | Group Policy | MDM policy | Registry | Command line | | - | :-: | :-: | :-: | :-: | :-: | | [1. Certificate trust lists](#certificate-trust-lists) | | ![Check mark](images/checkmark.png) | | | | -| [2. Cortana and Search](#bkmk-cortana) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | +| [2. Cortana and Search](#bkmk-cortana) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -| [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | | | | +| [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | [5. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -| [6. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | -| [7. Internet Explorer](#bkmk-ie) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | -| [8. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | | | | -| [9. Mail synchronization](#bkmk-mailsync) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | +| [6. 
Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [7. Internet Explorer](#bkmk-ie) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [8. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [9. Mail synchronization](#bkmk-mailsync) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [10. Microsoft Account](#bkmk-microsoft-account) | | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [11. Microsoft Edge](#bkmk-edge) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | -| [12. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | | | | -| [13. Offline maps](#bkmk-offlinemaps) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | +| [11. Microsoft Edge](#bkmk-edge) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [12. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [13. Offline maps](#bkmk-offlinemaps) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | [14. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | [15. 
Preinstalled apps](#bkmk-preinstalledapps) | ![Check mark](images/checkmark.png) | | | | ![Check mark](images/checkmark.png) | | [16. Settings > Privacy](#bkmk-settingssection) | | | | | | |     [16.1 General](#bkmk-general) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [16.2 Location](#bkmk-priv-location) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | -|     [16.3 Camera](#bkmk-priv-camera) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | -|     [16.4 Microphone](#bkmk-priv-microphone) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | -|     [16.5 Notifications](#bkmk-priv-notifications) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | +|     [16.2 Location](#bkmk-priv-location) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [16.3 Camera](#bkmk-priv-camera) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [16.4 Microphone](#bkmk-priv-microphone) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +|     [16.5 Notifications](#bkmk-priv-notifications) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | |     [16.6 Speech, inking, & typing](#bkmk-priv-speech) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [16.7 Account info](#bkmk-priv-accounts) | ![Check 
mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | -|     [16.8 Contacts](#bkmk-priv-contacts) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | -|     [16.9 Calendar](#bkmk-priv-calendar) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | -|     [16.10 Call history](#bkmk-priv-callhistory) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | -|     [16.11 Email](#bkmk-priv-email) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | -|     [16.12 Messaging](#bkmk-priv-messaging) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | -|     [16.13 Radios](#bkmk-priv-radios) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | +|     [16.7 Account info](#bkmk-priv-accounts) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +|     [16.8 Contacts](#bkmk-priv-contacts) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +|     [16.9 Calendar](#bkmk-priv-calendar) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +|     [16.10 Call history](#bkmk-priv-callhistory) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +|     [16.11 Email](#bkmk-priv-email) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +|     [16.12 Messaging](#bkmk-priv-messaging) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +|     [16.13 Radios](#bkmk-priv-radios) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | 
|     [16.14 Other devices](#bkmk-priv-other-devices) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | |     [16.15 Feedback & diagnostics](#bkmk-priv-feedback) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | |     [16.16 Background apps](#bkmk-priv-background) | ![Check mark](images/checkmark.png) | | | | | -|     [16.17 Motion](#bkmk-priv-motion) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | -| [17. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | -| [18. Sync your settings](#bkmk-syncsettings) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | -| [19. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | | | ![Check mark](images/checkmark.png) | +|     [16.17 Motion](#bkmk-priv-motion) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [17. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [18. Sync your settings](#bkmk-syncsettings) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [19. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [20. Wi-Fi Sense](#bkmk-wifisense) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | [21. 
Windows Defender](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [22. Windows Media Player](#bkmk-wmp) | ![Check mark](images/checkmark.png) | | | | ![Check mark](images/checkmark.png) | -| [23. Windows spotlight](#bkmk-spotlight) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | -| [24. Windows Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | | | | -| [25. Windows Update Delivery Optimization](#bkmk-updates) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | +| [23. Windows spotlight](#bkmk-spotlight) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [24. Windows Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [25. Windows Update Delivery Optimization](#bkmk-updates) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [26. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | ### Settings for Windows Server 2016 with Desktop Experience 
@@ -114,23 +115,23 @@ See the following table for a summary of the management settings for Windows Ser | Setting | UI | Group Policy | Registry | Command line | | - | :-: | :-: | :-: | :-: | | [1. Certificate trust lists](#certificate-trust-lists) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [2. Cortana and Search](#bkmk-cortana) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | +| [2. Cortana and Search](#bkmk-cortana) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | | | +| [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [5. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [6. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | -| [7. Internet Explorer](#bkmk-ie) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | -| [8. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | | | +| [6. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [7. Internet Explorer](#bkmk-ie) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [8. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [10. Microsoft Account](#bkmk-microsoft-account) | | | ![Check mark](images/checkmark.png) | | -| [12. 
Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | | | +| [12. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [14. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | | | | [16. Settings > Privacy](#bkmk-settingssection) | | | | | |     [16.1 General](#bkmk-general) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [17. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | | | -| [19. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | +| [17. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [19. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [21. Windows Defender](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [22. Windows Media Player](#bkmk-wmp) | | | | ![Check mark](images/checkmark.png) | -| [24. Windows Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | | | +| [24. Windows Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [26. Windows Update](#bkmk-wu) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ### Settings for Windows Server 2016 Server Core @@ -214,6 +215,16 @@ Find the Cortana Group Policy objects under **Computer Configuration** > **Ad | Don't search the web or display web results in Search| Choose whether to search the web from Cortana.

Enable this policy to stop web queries and results from showing in Search. | | Set what information is shared in Search | Control what information is shared with Bing in Search.

If you enable this policy and set it to **Anonymous info**, usage information will be shared but not search history, Microsoft Account information, or specific location. | +You can also apply the Group Policies using the following registry keys: + +| Policy | Registry Path | +|------------------------------------------------------|---------------------------------------------------------------------------------------| +| Allow Cortana | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search!AllowCortana
REG_DWORD: 0| +| Allow search and Cortana to use location | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search!AllowSearchToUseLocation
REG_DWORD: 0 | +| Do not allow web search | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search!ConnectedSearchPrivacy
REG_DWORD: 3 | +| Don't search the web or display web results in Search| HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search!ConnectedSearchUseWeb
REG_DWORD: 0 | +| Set what information is shared in Search | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search!DisableWebSearch
REG_DWORD: 1 | + In Windows 10, version 1507 and Windows 10, version 1511, when you enable the **Don't search the web or display web results in Search** Group Policy, you can control the behavior of whether Cortana searches the web to display web results. However, this policy only covers whether or not web search is performed. There could still be a small amount of network traffic to Bing.com to evaluate if certain Cortana components are up-to-date or not. In order to turn off that network activity completely, you can create a Windows Firewall rule to prevent outbound traffic. >[!IMPORTANT] @@ -265,6 +276,10 @@ You can prevent Windows from setting the time automatically. - Disable the Group Policy: **System\\Windows Time Service\\Time Providers!!Enable Windows NTP Client** + - or - + +- Create a new REG\_DWORD registry setting **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient!Enabled** to 0 (zero). + -or- - Create a REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters\\Type** with a value of **NoSync**. @@ -273,6 +288,8 @@ You can prevent Windows from setting the time automatically. To prevent Windows from retrieving device metadata from the Internet, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Device Installation** > **Prevent device metadata retrieval from the Internet**. +You can also create a new REG\_DWORD registry setting **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\Device Metadata!PreventDeviceMetadataFromNetwork** to 1 (one). + ### 5. Font streaming Fonts that are included in Windows but that are not stored on the local device can be downloaded on demand. 
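Review bot: The added device metadata path, `HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\Device Metadata!PreventDeviceMetadataFromNetwork`, has no `SOFTWARE\\` segment, whereas the Cortana table added earlier in this patch roots every policy value at `HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\...`. The NTP client path in the preceding hunk (`HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\W32time\\...`) has the same shape. Please confirm the correct key and make the paths consistent: a value written under a key that nothing reads has no effect, so the device would keep making the connection the reader meant to turn off. The NTP hunk also writes the separator as "- or -" where the rest of the article uses "-or-".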
@@ -315,6 +332,10 @@ To turn off Insider Preview builds for Windows 10: - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Toggle user control over Insider builds**. + - or - + +- Create a new REG\_DWORD registry setting **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\PreviewBuilds!AllowBuildPreview** to 0 (zero) + -or- - Apply the System/AllowBuildPreview MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where: @@ -348,6 +369,17 @@ Use Group Policy to manage settings for Internet Explorer. You can find the Int | Turn off browser geolocation | Choose whether websites can request location data from Internet Explorer.
Default: Disabled| | Prevent managing SmartScreen filter | Choose whether employees can manage the SmartScreen Filter in Internet Explorer.
Default: Disabled | +Alternatively, you could use the registry to set the Group Policies. + +| Policy | Registry path | +|------------------------------------------------------|-----------------------------------------------------------------------------------------------------| +| Turn on Suggested Sites| HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Suggested Sites!Enabled
REG_DWORD: 0| +| Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\AllowServicePoweredQSA
REG_DWORD: 0| +| Turn off the auto-complete feature for web addresses | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Explorer\\AutoComplete!AutoSuggest
REG_SZ: **No** | +| Disable Periodic Check for Internet Explorer software updates| HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Infodelivery\\Restrictions!NoUpdateCheck
REG_DWORD: 1 | +| Turn off browser geolocation | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Geolocation!PolicyDisableGeolocation
REG_DWORD: 1 | +| Prevent managing SmartScreen filter | Choose whether employees can manage the SmartScreen Filter in Internet Explorer.
Default: Disabled | + There are two more Group Policy objects that are used by Internet Explorer: | Path | Policy | Description | @@ -357,6 +389,15 @@ There are two more Group Policy objects that are used by Internet Explorer: an employee can swipe across a screen or click forward to go to the next pre-loaded page of a website.
Default: Enabled | | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **RSS Feeds** | Turn off background synchronization for feeds and Web Slices | Choose whether to have background synchronization for feeds and Web Slices.
Default: Enabled | +You can also use registry entries to set these Group Policies. + +| Policy | Registry path | +|------------------------------------------------------|-----------------------------------------------------------------------------------------------------| +| Choose whether employees can configure Compatibility View. | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Feeds!BackgroundSyncStatus
REG_DWORD: 0| +| Turn off the flip ahead with page prediction feature | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\FlipAhead!Enabled
REG_DWORD: 0| + +AllowServicePoweredQSA + ### 7.1 ActiveX control blocking ActiveX control blocking periodically downloads a new list of out-of-date ActiveX controls that should be blocked. @@ -377,6 +418,10 @@ To turn off Live Tiles: - Apply the Group Policy: **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Notifications** > **Turn Off notifications network usage** + -or- + +- Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications!NoCloudApplicationNotification**, with a value of 1 (one). + ### 9. Mail synchronization To turn off mail synchronization for Microsoft Accounts that are configured on a device: @@ -395,6 +440,10 @@ To turn off the Windows Mail app: - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Mail** > **Turn off Windows Mail application** + -or- + +- Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows Mail!ManualLaunchAllowed**, with a value of 0 (zero). + ### 10. Microsoft Account To prevent communication to the Microsoft Account cloud authentication service. Many apps and system components that depend on Microsoft Account authentication may lose functionality. Some of them could be in unexpected ways. @@ -438,6 +487,19 @@ The Windows 10, version 1511 Microsoft Edge Group Policy names are: | Open a new tab with an empty tab | Choose whether a new tab page appears.
Default: Enabled | | Configure corporate Home pages | Choose the corporate Home page for domain-joined devices.
Set this to **about:blank** | +Alternatively, you can configure the Microsoft Group Policies using the following registry entries: + +| Policy | Registry path | +| - | - | +| Configure Autofill | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main!FormSuggest Passwords
REG_SZ: **about:blank** | +| Configure Do Not Track | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main!DoNotTrack
REG_DWORD: 1 | +| Configure Password Manager | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main!FormSuggest Passwords
REG_SZ: **no** | +| Configure search suggestions in Address bar | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main!Use FormSuggest
REG_SZ: **no**| +| Configure Windows Defender SmartScreen Filter (Windows 10, version 1703) | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\PhishingFilter!EnabledV9
REG_DWORD: 0 | +| Allow web content on New Tab page | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\SearchScopes!AllowWebContentOnNewTabPage
REG_DWORD: 0 | +| Configure corporate Home pages | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\ServiceUI!ProvisionedHomePages
REG_DWORD: 0| + + ### 11.2 Microsoft Edge MDM policies The following Microsoft Edge MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). 
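Review bot: Several rows of the registry table added in the @@ -438,6 +487,19 @@ hunk do not match the policy they are listed against. **Configure Autofill** and **Configure Password Manager** both point at `Main!FormSuggest Passwords`, and the Autofill row carries `REG_SZ: about:blank`, which is the value the Group Policy table gives for **Configure corporate Home pages**; the Home pages row in turn shows `REG_DWORD: 0` for `ProvisionedHomePages`. Please recheck each value name, type and data against the policy definitions so that no two policies share a value and the Home pages row carries **about:blank**. The lead-in also says "Microsoft Group Policies" where "Microsoft Edge Group Policies" seems intended.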
@@ -468,22 +530,38 @@ You can turn off NCSI by doing one of the following: > [!NOTE] > After you apply this policy, you must restart the device for the policy setting to take effect. + -or- + +- Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\NetworkConnectivityStatusIndicator!NoActiveProbe**, with a value of 0 (zero). + ### 13. Offline maps You can turn off the ability to download and update offline maps. - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off Automatic Download and Update of Map Data** + -or- + +- Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\Maps!AutoDownloadAndUpdateMapData**, with a value of 0 (zero). + -and- - In Windows 10, version 1607 and later, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off unsolicited network traffic on the Offline Maps settings page** + -or- + +- Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\Maps!AllowUntriggeredNetworkTrafficOnSettingsPage**, with a value of 0 (zero). + ### 14. OneDrive To turn off OneDrive in your organization: - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **OneDrive** > **Prevent the usage of OneDrive for file storage** + -or- + +- Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\OneDrive!DisableFileSyncNGSC**, with a value of 1 (one). + ### 15. Preinstalled apps Some preinstalled apps get content before they are opened to ensure a great experience. You can remove these using the steps in this section. 
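Review bot: The registry paths added in this hunk (NCSI, both Maps entries, OneDrive) start at `HKEY_LOCAL_MACHINE\Policies\Microsoft\...`, without the `SOFTWARE\` component that the Edge table earlier in the same patch uses (`HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\...`). Machine policy values are read from under `HKLM\SOFTWARE\Policies`, so an admin who creates the value at the path as written gets no effect and no error; please add `SOFTWARE\` here and in the other entries of this patch that use the short form. Also check the NCSI data: `NoActiveProbe` set to 0 (zero) reads as leaving the active probe on, while the step is listed under turning NCSI off and the comparable OneDrive entry, `DisableFileSyncNGSC`, uses 1.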
@@ -663,10 +741,18 @@ To turn off **Let apps use advertising ID to make ads more interesting to you ba - Create a REG\_DWORD registry setting called **Enabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AdvertisingInfo**, with a value of 0 (zero). -To turn off **Let websites provide locally relevant content by access my language list**: + -or- + +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AdvertisingInfo!DisabledByGroupPolicy**, with a value of 1 (one). + +To turn off **Let websites provide locally relevant content by accessing my language list**: - Turn off the feature in the UI. + -or- + +- Create a new REG\_DWORD registry setting called **HttpAcceptLanguageOptOut** in **HKEY\_CURRENT\_USER\\Control Panel\\International\\User Profile**, with a value of 1. + To turn off **Let Windows track app launches to improve Start and search results**: - Turn off the feature in the UI. @@ -692,6 +778,10 @@ To turn off **Let apps use my advertising ID for experiences across apps (turnin - Create a REG\_DWORD registry setting called **Enabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AdvertisingInfo**, with a value of 0 (zero). + -or- + +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AdvertisingInfo!DisabledByGroupPolicy**, with a value of 1 (one). + To turn off **Turn on SmartScreen Filter to check web content (URLs) that Windows Store apps use**: - Turn off the feature in the UI. 
@@ -720,6 +810,10 @@ To turn off **Turn on SmartScreen Filter to check web content (URLs) that Window - Create a REG\_DWORD registry setting called **EnableWebContentEvaluation** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppHost**, with a value of 0 (zero). + -or- + +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\System!EnableSmartScreen**, with a value of 0 (zero). + To turn off **Send Microsoft info about how I write to help us improve typing and writing in the future**: > [!NOTE] @@ -753,6 +847,10 @@ To turn off **Let apps on my other devices open apps and continue experiences on - Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Group Policy** > **Continue experiences on this device**. + -or- + +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\System!EnableCdp**, with a value of 0 (zero). + To turn off **Let apps on my other devices use Bluetooth to open apps and continue experiences on this device**: - Turn off the feature in the UI. @@ -769,6 +867,10 @@ To turn off **Location for this device**: - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Location and Sensors** > **Turn off location**. + -or- + +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessLocation**, with a value of 2 (two). + -or- - Apply the System/AllowLocation MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: @@ -798,6 +900,10 @@ To turn off **Location**: - Set the **Select a setting** box to **Force Deny**. + -or- + +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\LocationAndSensors!DisableLocation**, with a value of 1 (one). + -or- To turn off **Location history**: 
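Review bot: The registry alternatives added in the two Location hunks look swapped. In @@ -769,6 +867,10 @@ the Group Policy is **Location and Sensors** > **Turn off location**, but the entry added beneath it is `AppPrivacy!LetAppsAccessLocation` with a value of 2; in @@ -798,6 +900,10 @@ the preceding step is the **Force Deny** setting, but the entry added is `LocationAndSensors!DisableLocation` with a value of 1. Each entry should sit under the policy whose key it names. The addition in the @@ -798,6 hunk also lands directly above an existing -or- that is followed only by the **Location history** heading, so that trailing -or- should be removed.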
@@ -822,6 +928,10 @@ To turn off **Let apps use my camera**: - Set the **Select a setting** box to **Force Deny**. + -or- + +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessCamera**, with a value of 2 (two). + -or- - Apply the Camera/AllowCamera MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: @@ -859,6 +969,10 @@ To turn off **Let apps use my microphone**: - Set the **Select a setting** box to **Force Deny**. + -or- + +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessMicrophone**, with a value of 2 (two) + To turn off **Choose apps that can use your microphone**: - Turn off the feature in the UI for each app. @@ -877,6 +991,10 @@ To turn off **Let apps access my notifications**: - Set the **Select a setting** box to **Force Deny**. + -or- + +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessNotifications**, with a value of 2 (two) + ### 16.6 Speech, inking, & typing In the **Speech, Inking, & Typing** area, you can let Windows and Cortana better understand your employee's voice and written input by sampling their voice and writing, and by comparing verbal and written input to contact names and calendar entrees. 
@@ -892,6 +1010,10 @@ To turn off the functionality: - Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Regional and Language Options** > **Handwriting personalization** > **Turn off automatic learning** + -or- + +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\InputPersonalization!RestrictImplicitInkCollection**, with a value of 1 (one). + -or- - Create a REG\_DWORD registry setting called **AcceptedPrivacyPolicy** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Personalization\\Settings**, with a value of 0 (zero). @@ -928,6 +1050,10 @@ To turn off **Let apps access my name, picture, and other account info**: - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access account information** - Set the **Select a setting** box to **Force Deny**. + + -or- + +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessContacts**, with a value of 2 (two). To turn off **Choose the apps that can access your account info**: @@ -961,6 +1087,10 @@ To turn off **Let apps access my calendar**: - Set the **Select a setting** box to **Force Deny**. + -or- + +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessCalendar**, with a value of 2 (two). + To turn off **Choose apps that can access calendar**: - Turn off the feature in the UI for each app. @@ -979,6 +1109,10 @@ To turn off **Let apps access my call history**: - Set the **Select a setting** box to **Force Deny**. + -or- + +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessCallHistory**, with a value of 2 (two). + ### 16.11 Email In the **Email** area, you can choose which apps have can access and send email. 
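Review bot: In the @@ -928,6 +1050,10 @@ hunk, the registry step added under **Let Windows apps access account information** names `AppPrivacy!LetAppsAccessContacts`, which is the contacts value rather than the account-information one, so following it would leave account info untouched. The App Privacy entries on this line also use three different roots: `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\AppPrivacy` (account info, calendar), `HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\AppPrivacy` (call history) and, for ink collection, `HKEY_LOCAL_MACHINE\Policies\Microsoft\InputPersonalization`. Please settle on one policy root for all of them and correct the value name in the account info step.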
@@ -993,6 +1127,10 @@ To turn off **Let apps access and send email**: - Set the **Select a setting** box to **Force Deny**. + -or- + +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessEmail**, with a value of 2 (two). + ### 16.12 Messaging In the **Messaging** area, you can choose which apps can read or send messages. @@ -1007,6 +1145,10 @@ To turn off **Let apps read or send messages (text or MMS)**: - Set the **Select a setting** box to **Force Deny**. + -or- + +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessMessaging**, with a value of 2 (two). + To turn off **Choose apps that can read or send messages**: - Turn off the feature in the UI for each app. @@ -1024,6 +1166,11 @@ To turn off **Let apps control radios**: - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps control radios** - Set the **Select a setting** box to **Force Deny**. + + -or- + +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessRadios**, with a value of 2 (two). + To turn off **Choose apps that can control radios**: @@ -1041,6 +1188,10 @@ To turn off **Let apps automatically share and sync info with wireless devices t - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps sync with devices** + -or- + +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsSyncWithDevices**, with a value of 2 (two). + To turn off **Let your apps use your trusted devices (hardware you've already connected, or comes with your PC, tablet, or phone)**: - Turn off the feature in the UI. 
@@ -1070,6 +1221,10 @@ To change how frequently **Windows should ask for my feedback**: -or- +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\DataCollection!DoNotShowFeedbackNotifications**, with a value of 1 (one). + + -or- + - Create the registry keys (REG\_DWORD type): - HKEY\_CURRENT\_USER\\Software\\Microsoft\\Siuf\\Rules\\PeriodInNanoSeconds @@ -1103,6 +1258,10 @@ To change the level of diagnostic and usage data sent when you **Send your devic -or- +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\DataCollection!AllowTelemetry**, with a value of 0 (zero). + + -or- + - Apply the System/AllowTelemetry MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: - **0**. Maps to the **Security** level. @@ -1147,6 +1306,10 @@ To turn off **Let Windows and your apps use your motion data and collect motion - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access motion** + -or- + +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessMotion**, with a value of 2 (two). + ### 17. Software Protection Platform Enterprise customers can manage their Windows activation status with volume licensing using an on-premise Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by doing one of the following: 
@@ -1157,12 +1320,20 @@ For Windows 10: -or- +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessContacts**, with a value of 2 (two). + + -or- + - Apply the Licensing/DisallowKMSClientOnlineAVSValidation MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is disabled (default) and 1 is enabled. For Windows Server 2016 with Desktop Experience or Windows Server 2016 Server Core: - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Validation** + -or- + +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform!NoGenTicket**, with a value of 1 (one). + The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS. ### 18. Sync your settings @@ -1177,6 +1348,10 @@ You can control if your settings are synchronized: -or- +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\SettingSync!DisableSettingSync**, with a value of 2 (two) and **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\SettingSync!DisableSettingSyncUserOverride**, with a value of 1 (one). + + -or- + - Apply the Experience/AllowSyncMySettings MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is not allowed and 1 is allowed. -or- 
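Review bot: In the Windows 10 list of the @@ -1157,12 +1320,20 @@ hunk, the added registry step is `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\AppPrivacy!LetAppsAccessContacts` with a value of 2, which is an App Privacy contacts entry and is unrelated to opting out of sending KMS client activation data. It appears to have been pasted from the Account info step; the Windows Server 2016 list in the same hunk uses `Software Protection Platform!NoGenTicket` with a value of 1, and the Windows 10 step should be checked against that.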
@@ -1202,6 +1377,10 @@ You can disable Teredo by using Group Policy or by using the netsh.exe command. -or- +- Create a new REG\_SZ registry setting called in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\TCPIP\\v6Transition!Teredo_State**, with a value of **Disabled**. + + -or- + - From an elevated command prompt, run **netsh interface teredo set state disabled** ### 20. Wi-Fi Sense @@ -1238,6 +1417,10 @@ You can disconnect from the Microsoft Antimalware Protection Service. -or- +- Delete the registry setting **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\Updates!DefinitionUpdateFileSharesSources**. + + -or- + - For Windows 10 only, apply the Defender/AllowClouldProtection MDM policy from the [Defender CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). -or- @@ -1248,6 +1431,8 @@ You can disconnect from the Microsoft Antimalware Protection Service. From an elevated Windows PowerShell prompt, run **set-mppreference -Mapsreporting 0** + + You can stop sending file samples back to Microsoft. - Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **MAPS** > **Send file samples when further analysis is required** to **Always Prompt** or **Never Send**. @@ -1276,6 +1461,10 @@ You can stop downloading definition updates: - Disable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **Signature Updates** > **Define file shares for downloading definition updates** and set it to nothing. + -or- + +- Create a new REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\Updates!FallbackOrder**, with a value of **FileShares**. + For Windows 10 only, you can stop Enhanced Notifications: - Turn off the feature in the UI. 
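Review bot: The step "Delete the registry setting ...`Windows Defender\Updates!DefinitionUpdateFileSharesSources`" is added in the @@ -1238,6 +1417,10 @@ hunk, in the list for disconnecting from the Microsoft Antimalware Protection Service, but by name it corresponds to the policy **Define file shares for downloading definition updates** in the @@ -1276,6 +1461,10 @@ hunk. There, the -or- alternative offered for that policy is `FallbackOrder` = **FileShares** instead, which is a different setting from clearing the file share list. Please move the delete step to the definition-updates list and place the `FallbackOrder` entry beside the policy it mirrors. In the Teredo hunk, "Create a new REG\_SZ registry setting called in" has a stray "called".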
@@ -1304,6 +1493,10 @@ If you're running Windows 10, version 1607 or later, you only need to enable the - **User Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off all Windows spotlight features** + -or- + + - Create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent!DisableWindowsSpotlightFeatures**, with a value of 1 (one). + If you're not running Windows 10, version 1607 or later, you can use the other options in this section. - Configure the following in **Settings**: 
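Review bot: The registry alternative added in this hunk is under `HKEY_LOCAL_MACHINE`, but the policy it is offered for, **Turn off all Windows spotlight features**, is listed under **User Configuration**. User Configuration policies are stored in the user hive (`HKEY_CURRENT_USER\SOFTWARE\Policies\...`), so the hive here should be changed to match, or the text should state that a machine-wide value is honoured for this setting if that has been verified.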
@@ -1329,12 +1522,23 @@ If you're not running Windows 10, version 1607 or later, you can use the other o > [!NOTE] > This will only take effect if the policy is applied before the first logon. If you cannot apply the **Force a specific default lock screen image** policy before the first logon to the device, you can apply this policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Do not display the lock screen**. + -or- + + - Create a new REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization!LockScreenImage**, with a value of **C:\\windows\\web\\screen\\lockscreen.jpg** and create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization!LockScreenOverlaysDisabled**, with a value of 1 (one). - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not show Windows tips**. + -or- + + - Create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent!DisableSoftLanding**, with a value of 1 (one). + - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off Microsoft consumer experiences**. + -or- + + - Create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent!DisableWindowsConsumerFeatures**, with a value of 1 (one). + For more info, see [Windows Spotlight on the lock screen](../configure/windows-spotlight.md). ### 24. Windows Store 
@@ -1343,8 +1547,16 @@ You can turn off the ability to launch apps from the Windows Store that were pre - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Disable all apps from Windows Store**. + -or- + + - Create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsStore!DisableStoreApps**, with a value of 1 (one). + - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Turn off Automatic Download and Install of updates**. + -or- + + - Create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsStore!AutoDownload**, with a value of 2 (two). + ### 25. Windows Update Delivery Optimization Windows Update Delivery Optimization lets you get Windows updates and Windows Store apps from sources in addition to Microsoft, which not only helps when you have a limited or unreliable Internet connection, but can also help you reduce the amount of bandwidth needed to keep all of your organization's PCs up-to-date. If you have Delivery Optimization turned on, PCs on your network may send and receive updates and apps to other PCs on your local network, if you choose, or to PCs on the Internet. @@ -1373,6 +1585,8 @@ You can find the Delivery Optimization Group Policy objects under **Computer Con | Max Cache Size | Lets you specify the maximum cache size as a percentage of disk size.
The default value is 20, which represents 20% of the disk.| | Max Upload Bandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.
The default value is 0, which means unlimited possible bandwidth.| +You can also set the **Download Mode** policy by creating a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeliveryOptimization!DODownloadMode**, with a value of 100 (one hundred). + ### 25.3 Delivery Optimization MDM policies The following Delivery Optimization MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). From 5f8522d31e9cdb5545305bc376dcbb0525780318 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 23 Mar 2017 16:09:04 -0700 Subject: [PATCH 043/120] bug# 9978051 --- ...indows-operating-system-components-to-microsoft-services.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 495075dd53..20b3405473 100644 --- a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -50,6 +50,7 @@ Here's a list of changes that were made to this article for Windows 10, version - Enable Windows NTP client - Turn off Automatic download of the ActiveX VersionList - Allow Automatic Update of Speech Data + - Accounts: Block Microsoft Accounts ## Settings 
@@ -448,7 +449,7 @@ To turn off the Windows Mail app: To prevent communication to the Microsoft Account cloud authentication service. Many apps and system components that depend on Microsoft Account authentication may lose functionality. Some of them could be in unexpected ways. -- Change the **Start** REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\wlidsvc** to 4. +- Apply the Group Policy: **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options** > **Accounts: Block Microsoft Accounts** and set it to **Users can't add Microsoft accounts**. To disable the Microsoft Account Sign-In Assistant: From d6c43a9a80f8d865966bf4d3eb4ea9c7e209c6d6 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 23 Mar 2017 16:20:14 -0700 Subject: [PATCH 044/120] bug# 10070280 --- ...ndows-operating-system-components-to-microsoft-services.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 20b3405473..5237867f1d 100644 --- a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
@@ -171,6 +171,10 @@ A certificate trust list is a predefined list of items, such as a list of certif To turn off the automatic download of an updated certificate trust list, you can turn off automatic root updates, which also includes the disallowed certificate list and the pin rules list. +> [!CAUTION] +> By not automatically downloading the root certificates, the device might have not be able to connect to some websites. + + For Windows 10, Windows Server 2016 with Desktop Experience, and Windows Server 2016 Server Core: - Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Automatic Root Certificates Update** From f4689acc4810ff963c5f47f9899f471221dec36f Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 23 Mar 2017 16:23:14 -0700 Subject: [PATCH 045/120] bug# 10980772 --- ...ows-operating-system-components-to-microsoft-services.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 5237867f1d..30855a3b17 100644 --- a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
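Review bot: The CAUTION text added in the @@ -171,6 +171,10 @@ hunk reads "the device might have not be able to connect to some websites", which is ungrammatical; "the device might not be able to connect to some websites" is presumably what was meant. The hunk also adds two blank lines after the note where one is enough.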
@@ -1296,8 +1296,12 @@ In the **Background Apps** area, you can choose which apps can run in the backgr To turn off **Let apps run in the background**: - Turn off the feature in the UI for each app. + + -or- - - Set the **Select a setting** box to **Force Deny**. +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps run in background** + + - Set the **Select a setting** box to **Force Deny**. ### 16.17 Motion From be5a51b0bda3886fd3bdb1a45507446b45a12955 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 23 Mar 2017 16:28:43 -0700 Subject: [PATCH 046/120] bug# 10980748 --- ...ng-system-components-to-microsoft-services.md | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 30855a3b17..a6b4fc36ec 100644 --- a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -51,6 +51,7 @@ Here's a list of changes that were made to this article for Windows 10, version - Turn off Automatic download of the ActiveX VersionList - Allow Automatic Update of Speech Data - Accounts: Block Microsoft Accounts + - Do not use diagnostic data for tailored experiences ## Settings 
@@ -1250,12 +1251,7 @@ To change how frequently **Windows should ask for my feedback**: To change the level of diagnostic and usage data sent when you **Send your device data to Microsoft**: -- To change from **Enhanced**, use the drop-down list in the UI. The other levels are **Basic** and **Full**. - - > [!NOTE] - > You can't use the UI to change the telemetry level to **Security**. - - +- Click either the **Basic** or **Full** options. -or- @@ -1289,6 +1285,14 @@ To change the level of diagnostic and usage data sent when you **Send your devic - **3**. Maps to the **Full** level. +To turn off tailored experiences with relevant tips and recommendations by using your diagnostics data: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **User Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not use diagnostic data for tailored experiences** + ### 16.16 Background apps In the **Background Apps** area, you can choose which apps can run in the background. From 219065908da383f64a3c8cd2fc7f32ef22d3d9c5 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 23 Mar 2017 16:39:28 -0700 Subject: [PATCH 047/120] bug# 10980800 --- ...system-components-to-microsoft-services.md | 262 +++++++++--------- 1 file changed, 138 insertions(+), 124 deletions(-) diff --git a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index a6b4fc36ec..21b9f91a90 100644 --- a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
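Review bot: The replacement step in the @@ -1250,12 +1251,7 @@ hunk, "Click either the **Basic** or **Full** options", does not say where in the UI those options are, and "either ... options" should read "option". The hunk also deletes the NOTE that the UI cannot set the **Security** level, although the registry and MDM alternatives in this section still list level 0 as **Security**; a one-line statement that **Security** is only reachable through policy would keep readers from assuming the UI covers every level.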
@@ -38,6 +38,7 @@ Here's a list of changes that were made to this article for Windows 10, version - Added an MDM policy for the Micosoft Account Sign-In Assistant. - Added instructions for removing the Sticky Notes app. - Added registry paths for some Group Policies +- Added the Find My Device section - Added the following Group Policies: 
@@ -70,45 +71,46 @@ See the following table for a summary of the management settings for Windows 10 | [2. Cortana and Search](#bkmk-cortana) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -| [5. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -| [6. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [7. Internet Explorer](#bkmk-ie) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -| [8. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -| [9. Mail synchronization](#bkmk-mailsync) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [10. Microsoft Account](#bkmk-microsoft-account) | | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [11. Microsoft Edge](#bkmk-edge) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [12. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -| [13. 
Offline maps](#bkmk-offlinemaps) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -| [14. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -| [15. Preinstalled apps](#bkmk-preinstalledapps) | ![Check mark](images/checkmark.png) | | | | ![Check mark](images/checkmark.png) | -| [16. Settings > Privacy](#bkmk-settingssection) | | | | | | -|     [16.1 General](#bkmk-general) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [16.2 Location](#bkmk-priv-location) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [16.3 Camera](#bkmk-priv-camera) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [16.4 Microphone](#bkmk-priv-microphone) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -|     [16.5 Notifications](#bkmk-priv-notifications) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -|     [16.6 Speech, inking, & typing](#bkmk-priv-speech) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [16.7 Account info](#bkmk-priv-accounts) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -|     [16.8 Contacts](#bkmk-priv-contacts) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -|     [16.9 Calendar](#bkmk-priv-calendar) | ![Check 
mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -|     [16.10 Call history](#bkmk-priv-callhistory) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -|     [16.11 Email](#bkmk-priv-email) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -|     [16.12 Messaging](#bkmk-priv-messaging) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -|     [16.13 Radios](#bkmk-priv-radios) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -|     [16.14 Other devices](#bkmk-priv-other-devices) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -|     [16.15 Feedback & diagnostics](#bkmk-priv-feedback) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [16.16 Background apps](#bkmk-priv-background) | ![Check mark](images/checkmark.png) | | | | | -|     [16.17 Motion](#bkmk-priv-motion) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -| [17. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [18. Sync your settings](#bkmk-syncsettings) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [19. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [20. 
Wi-Fi Sense](#bkmk-wifisense) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -| [21. Windows Defender](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [22. Windows Media Player](#bkmk-wmp) | ![Check mark](images/checkmark.png) | | | | ![Check mark](images/checkmark.png) | -| [23. Windows spotlight](#bkmk-spotlight) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -| [24. Windows Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -| [25. Windows Update Delivery Optimization](#bkmk-updates) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [26. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | +| [5. Find My Device](#find-my-device) | | ![Check mark](images/checkmark.png) | | | | +| [6. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [7. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [8. Internet Explorer](#bkmk-ie) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [9. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [10. 
Mail synchronization](#bkmk-mailsync) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [11. Microsoft Account](#bkmk-microsoft-account) | | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [12. Microsoft Edge](#bkmk-edge) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [13. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [14. Offline maps](#bkmk-offlinemaps) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [15. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [16. Preinstalled apps](#bkmk-preinstalledapps) | ![Check mark](images/checkmark.png) | | | | ![Check mark](images/checkmark.png) | +| [17. 
Settings > Privacy](#bkmk-settingssection) | | | | | | +|     [17.1 General](#bkmk-general) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.2 Location](#bkmk-priv-location) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.3 Camera](#bkmk-priv-camera) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.4 Microphone](#bkmk-priv-microphone) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +|     [17.5 Notifications](#bkmk-priv-notifications) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +|     [17.6 Speech, inking, & typing](#bkmk-priv-speech) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.7 Account info](#bkmk-priv-accounts) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +|     [17.8 Contacts](#bkmk-priv-contacts) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +|     [17.9 Calendar](#bkmk-priv-calendar) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +|     [17.10 Call history](#bkmk-priv-callhistory) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +|     [17.11 Email](#bkmk-priv-email) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check 
mark](images/checkmark.png) | | +|     [17.12 Messaging](#bkmk-priv-messaging) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +|     [17.13 Radios](#bkmk-priv-radios) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +|     [17.14 Other devices](#bkmk-priv-other-devices) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +|     [17.15 Feedback & diagnostics](#bkmk-priv-feedback) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.16 Background apps](#bkmk-priv-background) | ![Check mark](images/checkmark.png) | | | | | +|     [17.17 Motion](#bkmk-priv-motion) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [18. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [19. Sync your settings](#bkmk-syncsettings) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [20. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [21. Wi-Fi Sense](#bkmk-wifisense) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [22. Windows Defender](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [23. Windows Media Player](#bkmk-wmp) | ![Check mark](images/checkmark.png) | | | | ![Check mark](images/checkmark.png) | +| [24. 
Windows spotlight](#bkmk-spotlight) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [25. Windows Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [26. Windows Update Delivery Optimization](#bkmk-updates) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [27. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | ### Settings for Windows Server 2016 with Desktop Experience 
@@ -120,21 +122,21 @@ See the following table for a summary of the management settings for Windows Ser | [2. Cortana and Search](#bkmk-cortana) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [5. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [6. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [7. Internet Explorer](#bkmk-ie) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [8. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [10. Microsoft Account](#bkmk-microsoft-account) | | | ![Check mark](images/checkmark.png) | | -| [12. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [14. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | | | -| [16. Settings > Privacy](#bkmk-settingssection) | | | | | +| [6. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [7. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [8. Internet Explorer](#bkmk-ie) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [9. 
Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [11. Microsoft Account](#bkmk-microsoft-account) | | | ![Check mark](images/checkmark.png) | | +| [13. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [15. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | | | +| [17. Settings > Privacy](#bkmk-settingssection) | | | | | |     [16.1 General](#bkmk-general) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [17. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [19. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [21. Windows Defender](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [22. Windows Media Player](#bkmk-wmp) | | | | ![Check mark](images/checkmark.png) | -| [24. Windows Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [26. Windows Update](#bkmk-wu) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [18. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [20. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [22. Windows Defender](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [23. Windows Media Player](#bkmk-wmp) | | | | ![Check mark](images/checkmark.png) | +| [25. Windows Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [27. 
Windows Update](#bkmk-wu) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ### Settings for Windows Server 2016 Server Core @@ -144,12 +146,12 @@ See the following table for a summary of the management settings for Windows Ser | - | :-: | :-: | :-: | :-: | :-: | | [1. Certificate trust lists](#certificate-trust-lists) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [5. Font streaming](#font-streaming) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [12. Network Connection Status Indicator](#bkmk-ncsi) | ![Check mark](images/checkmark.png) | | | -| [17. Software Protection Platform](#bkmk-spp) | ![Check mark](images/checkmark.png) | | | -| [19. Teredo](#bkmk-teredo) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | -| [21. Windows Defender](#bkmk-defender) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [26. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [6. Font streaming](#font-streaming) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [13. Network Connection Status Indicator](#bkmk-ncsi) | ![Check mark](images/checkmark.png) | | | +| [18. Software Protection Platform](#bkmk-spp) | ![Check mark](images/checkmark.png) | | | +| [20. Teredo](#bkmk-teredo) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | +| [22. Windows Defender](#bkmk-defender) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [27. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ### Settings for Windows Server 2016 Nano Server 
@@ -159,8 +161,8 @@ See the following table for a summary of the management settings for Windows Ser | - | :-: | :-: | :-: | :-: | :-: | | [1. Certificate trust lists](#certificate-trust-lists) | ![Check mark](images/checkmark.png) | | | [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | | -| [19. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | -| [26. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | | +| [20. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | +| [27. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | | ## Settings @@ -296,7 +298,19 @@ To prevent Windows from retrieving device metadata from the Internet, apply the You can also create a new REG\_DWORD registry setting **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\Device Metadata!PreventDeviceMetadataFromNetwork** to 1 (one). -### 5. Font streaming +### 5. Find My Device + +To turn off Find My Device: + +- Turn off the feature in the UI + + -or + +- Disable the Group Policy: **Computer Configuration** > **Administrative Template** > **Windows Components** > **Find My Device** > **Turn On/Off Find My Device** + +You can also create a new REG\_DWORD registry setting **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\Device Metadata!PreventDeviceMetadataFromNetwork** to 1 (one). + +### 6. Font streaming Fonts that are included in Windows but that are not stored on the local device can be downloaded on demand. @@ -316,7 +330,7 @@ If you're running Windows 10, version 1507 or Windows 10, version 1511, create a > After you apply this policy, you must restart the device for it to take effect. -### 6. Insider Preview builds +### 7. Insider Preview builds The Windows Insider Preview program lets you help shape the future of Windows, be part of the community, and get early access to releases of Windows 10. 
@@ -362,7 +376,7 @@ To turn off Insider Preview builds for Windows 10: - **2**. (default) Not configured. Users can make their devices available for download and installing preview software. -### 7. Internet Explorer +### 8. Internet Explorer Use Group Policy to manage settings for Internet Explorer. You can find the Internet Explorer Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer**. @@ -404,7 +418,7 @@ You can also use registry entries to set these Group Policies. AllowServicePoweredQSA -### 7.1 ActiveX control blocking +### 8.1 ActiveX control blocking ActiveX control blocking periodically downloads a new list of out-of-date ActiveX controls that should be blocked. @@ -418,7 +432,7 @@ You can turn this off by: For more info, see [Out-of-date ActiveX control blocking](http://technet.microsoft.com/library/dn761713.aspx). -### 8. Live Tiles +### 9. Live Tiles To turn off Live Tiles: @@ -428,7 +442,7 @@ To turn off Live Tiles: - Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications!NoCloudApplicationNotification**, with a value of 1 (one). -### 9. Mail synchronization +### 10. Mail synchronization To turn off mail synchronization for Microsoft Accounts that are configured on a device: @@ -450,7 +464,7 @@ To turn off the Windows Mail app: - Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows Mail!ManualLaunchAllowed**, with a value of 0 (zero). -### 10. Microsoft Account +### 11. Microsoft Account To prevent communication to the Microsoft Account cloud authentication service. Many apps and system components that depend on Microsoft Account authentication may lose functionality. Some of them could be in unexpected ways. 
@@ -461,11 +475,11 @@ To disable the Microsoft Account Sign-In Assistant: - Apply the Accounts/AllowMicrosoftAccountSignInAssistant MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is turned off and 1 is turned on. -### 11. Microsoft Edge +### 12. Microsoft Edge Use either Group Policy or MDM policies to manage settings for Microsoft Edge. For more info, see [Microsoft Edge and privacy: FAQ](https://go.microsoft.com/fwlink/p/?LinkId=730682). -### 11.1 Microsoft Edge Group Policies +### 12.1 Microsoft Edge Group Policies Find the Microsoft Edge Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge**. @@ -506,7 +520,7 @@ Alternatively, you can configure the Microsoft Group Policies using the followin | Configure corporate Home pages | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\ServiceUI!ProvisionedHomePages
REG_DWORD: 0| -### 11.2 Microsoft Edge MDM policies +### 12.2 Microsoft Edge MDM policies The following Microsoft Edge MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). @@ -521,7 +535,7 @@ The following Microsoft Edge MDM policies are available in the [Policy CSP](http For a complete list of the Microsoft Edge policies, see [Available policies for Microsoft Edge](http://technet.microsoft.com/library/mt270204.aspx). -### 12. Network Connection Status Indicator +### 13. Network Connection Status Indicator Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftconnecttest.com/connecttest.txt to determine if the device can communicate with the Internet. For more info about NCSI, see [The Network Connection Status Icon](http://blogs.technet.com/b/networking/archive/2012/12/20/the-network-connection-status-icon.aspx). @@ -540,7 +554,7 @@ You can turn off NCSI by doing one of the following: - Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\NetworkConnectivityStatusIndicator!NoActiveProbe**, with a value of 0 (zero). -### 13. Offline maps +### 14. Offline maps You can turn off the ability to download and update offline maps. @@ -558,7 +572,7 @@ You can turn off the ability to download and update offline maps. - Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\Maps!AllowUntriggeredNetworkTrafficOnSettingsPage**, with a value of 0 (zero). -### 14. OneDrive +### 15. OneDrive To turn off OneDrive in your organization: 
@@ -568,7 +582,7 @@ To turn off OneDrive in your organization: - Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\OneDrive!DisableFileSyncNGSC**, with a value of 1 (one). -### 15. Preinstalled apps +### 16. Preinstalled apps Some preinstalled apps get content before they are opened to ensure a great experience. You can remove these using the steps in this section. 
@@ -688,45 +702,45 @@ To remove the Sticky notes app: Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.MicrosoftStickyNotes | Remove-AppxPackage** -### 16. Settings > Privacy +### 17. Settings > Privacy Use Settings > Privacy to configure some settings that may be important to your organization. Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC. -- [16.1 General](#bkmk-general) +- [17.1 General](#bkmk-general) -- [16.2 Location](#bkmk-priv-location) +- [17.2 Location](#bkmk-priv-location) -- [16.3 Camera](#bkmk-priv-camera) +- [17.3 Camera](#bkmk-priv-camera) -- [16.4 Microphone](#bkmk-priv-microphone) +- [17.4 Microphone](#bkmk-priv-microphone) -- [16.5 Notifications](#bkmk-priv-notifications) +- [17.5 Notifications](#bkmk-priv-notifications) -- [16.6 Speech, inking, & typing](#bkmk-priv-speech) +- [17.6 Speech, inking, & typing](#bkmk-priv-speech) -- [16.7 Account info](#bkmk-priv-accounts) +- [17.7 Account info](#bkmk-priv-accounts) -- [16.8 Contacts](#bkmk-priv-contacts) +- [17.8 Contacts](#bkmk-priv-contacts) -- [16.9 Calendar](#bkmk-priv-calendar) +- [17.9 Calendar](#bkmk-priv-calendar) -- [16.10 Call history](#bkmk-priv-callhistory) +- [17.10 Call history](#bkmk-priv-callhistory) -- [16.11 Email](#bkmk-priv-email) +- [17.11 Email](#bkmk-priv-email) -- [16.12 Messaging](#bkmk-priv-messaging) +- [17.12 Messaging](#bkmk-priv-messaging) -- [16.13 Radios](#bkmk-priv-radios) +- [17.13 Radios](#bkmk-priv-radios) -- [16.14 Other devices](#bkmk-priv-other-devices) +- [17.14 Other devices](#bkmk-priv-other-devices) -- [16.15 Feedback & diagnostics](#bkmk-priv-feedback) +- [17.15 Feedback & diagnostics](#bkmk-priv-feedback) -- [16.16 Background apps](#bkmk-priv-background) +- [17.16 Background apps](#bkmk-priv-background) -- [16.17 Motion](#bkmk-priv-motion) +- [17.17 Motion](#bkmk-priv-motion) -### 
16.1 General +### 17.1 General **General** includes options that don't fall into other areas. @@ -861,7 +875,7 @@ To turn off **Let apps on my other devices use Bluetooth to open apps and contin - Turn off the feature in the UI. -### 16.2 Location +### 17.2 Location In the **Location** area, you choose whether devices have access to location-specific sensors and which apps have access to the device's location. @@ -920,7 +934,7 @@ To turn off **Choose apps that can use your location**: - Turn off each app using the UI. -### 16.3 Camera +### 17.3 Camera In the **Camera** area, you can choose which apps can access a device's camera. @@ -961,7 +975,7 @@ To turn off **Choose apps that can use your camera**: - Turn off the feature in the UI for each app. -### 16.4 Microphone +### 17.4 Microphone In the **Microphone** area, you can choose which apps can access a device's microphone. @@ -983,7 +997,7 @@ To turn off **Choose apps that can use your microphone**: - Turn off the feature in the UI for each app. -### 16.5 Notifications +### 17.5 Notifications In the **Notifications** area, you can choose which apps have access to notifications. @@ -1001,7 +1015,7 @@ To turn off **Let apps access my notifications**: - Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessNotifications**, with a value of 2 (two) -### 16.6 Speech, inking, & typing +### 17.6 Speech, inking, & typing In the **Speech, Inking, & Typing** area, you can let Windows and Cortana better understand your employee's voice and written input by sampling their voice and writing, and by comparing verbal and written input to contact names and calendar entrees. 
@@ -1043,7 +1057,7 @@ Apply the Speech/AllowSpeechModelUpdate MDM policy from the [Policy CSP](https:/ - Create a REG\_DWORD registry setting called **ModelDownloadAllowed** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Preferences**, with a value of 0 (zero). -### 16.7 Account info +### 17.7 Account info In the **Account Info** area, you can choose which apps can access your name, picture, and other account info. @@ -1065,7 +1079,7 @@ To turn off **Choose the apps that can access your account info**: - Turn off the feature in the UI for each app. -### 16.8 Contacts +### 17.8 Contacts In the **Contacts** area, you can choose which apps can access an employee's contacts list. @@ -1079,7 +1093,7 @@ To turn off **Choose apps that can access contacts**: - Set the **Select a setting** box to **Force Deny**. -### 16.9 Calendar +### 17.9 Calendar In the **Calendar** area, you can choose which apps have access to an employee's calendar. @@ -1101,7 +1115,7 @@ To turn off **Choose apps that can access calendar**: - Turn off the feature in the UI for each app. -### 16.10 Call history +### 17.10 Call history In the **Call history** area, you can choose which apps have access to an employee's call history. @@ -1119,7 +1133,7 @@ To turn off **Let apps access my call history**: - Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessCallHistory**, with a value of 2 (two). -### 16.11 Email +### 17.11 Email In the **Email** area, you can choose which apps have can access and send email. @@ -1137,7 +1151,7 @@ To turn off **Let apps access and send email**: - Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessEmail**, with a value of 2 (two). -### 16.12 Messaging +### 17.12 Messaging In the **Messaging** area, you can choose which apps can read or send messages. 
@@ -1159,7 +1173,7 @@ To turn off **Choose apps that can read or send messages**: - Turn off the feature in the UI for each app. -### 16.13 Radios +### 17.13 Radios In the **Radios** area, you can choose which apps can turn a device's radio on or off. @@ -1182,7 +1196,7 @@ To turn off **Choose apps that can control radios**: - Turn off the feature in the UI for each app. -### 16.14 Other devices +### 17.14 Other devices In the **Other Devices** area, you can choose whether devices that aren't paired to PCs, such as an Xbox One, can share and sync info. @@ -1208,7 +1222,7 @@ To turn off **Let your apps use your trusted devices (hardware you've already co - Set the **Select a setting** box to **Force Deny**. -### 16.15 Feedback & diagnostics +### 17.15 Feedback & diagnostics In the **Feedback & Diagnostics** area, you can choose how often you're asked for feedback and how much diagnostic and usage information is sent to Microsoft. @@ -1293,7 +1307,7 @@ To turn off tailored experiences with relevant tips and recommendations by using - Apply the Group Policy: **User Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not use diagnostic data for tailored experiences** -### 16.16 Background apps +### 17.16 Background apps In the **Background Apps** area, you can choose which apps can run in the background. @@ -1307,7 +1321,7 @@ To turn off **Let apps run in the background**: - Set the **Select a setting** box to **Force Deny**. -### 16.17 Motion +### 17.17 Motion In the **Motion** area, you can choose which apps have access to your motion data. 
@@ -1323,7 +1337,7 @@ To turn off **Let Windows and your apps use your motion data and collect motion - Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessMotion**, with a value of 2 (two). -### 17. Software Protection Platform +### 18. Software Protection Platform Enterprise customers can manage their Windows activation status with volume licensing using an on-premise Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by doing one of the following: @@ -1349,7 +1363,7 @@ For Windows Server 2016 with Desktop Experience or Windows Server 2016 Server Co The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS. -### 18. Sync your settings +### 19. Sync your settings You can control if your settings are synchronized: @@ -1379,7 +1393,7 @@ To turn off Messaging cloud sync: - Create a REG\_DWORD registry setting called **CloudServiceSyncEnabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Messaging**, with a value of 0 (zero). -### 19. Teredo +### 20. Teredo You can disable Teredo by using Group Policy or by using the netsh.exe command. For more info on Teredo, see [Internet Protocol Version 6, Teredo, and Related Technologies](http://technet.microsoft.com/library/cc722030.aspx). @@ -1396,7 +1410,7 @@ You can disable Teredo by using Group Policy or by using the netsh.exe command. - From an elevated command prompt, run **netsh interface teredo set state disabled** -### 20. Wi-Fi Sense +### 21. Wi-Fi Sense Wi-Fi Sense automatically connects devices to known hotspots and to the wireless networks the person’s contacts have shared with them. 
@@ -1422,7 +1436,7 @@ To turn off **Connect to suggested open hotspots** and **Connect to networks sha When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but they’re non-functional and they can’t be controlled by the employee. -### 21. Windows Defender +### 22. Windows Defender You can disconnect from the Microsoft Antimalware Protection Service. @@ -1484,7 +1498,7 @@ For Windows 10 only, you can stop Enhanced Notifications: You can also use the registry to turn off Malicious Software Reporting Tool telemetry by setting the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\MRT\\DontReportInfectionInformation** to 1. -### 22. Windows Media Player +### 23. Windows Media Player To remove Windows Media Player on Windows 10: @@ -1498,7 +1512,7 @@ To remove Windows Media Player on Windows Server 2016: - Run the following DISM command from an elevated command prompt: **dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer** -### 23. Windows spotlight +### 24. Windows spotlight Windows spotlight provides features such as different background images and text on the lock screen, suggested apps, Microsoft account notifications, and Windows tips. You can control it by using the user interface or through Group Policy. @@ -1554,7 +1568,7 @@ If you're not running Windows 10, version 1607 or later, you can use the other o For more info, see [Windows Spotlight on the lock screen](../configure/windows-spotlight.md). -### 24. Windows Store +### 25. Windows Store You can turn off the ability to launch apps from the Windows Store that were preinstalled or downloaded. This will also turn off automatic app updates, and the Windows Store will be disabled. On Windows Server 2016, this will block Windows Store calls from Universal Windows Apps. 
@@ -1570,7 +1584,7 @@ You can turn off the ability to launch apps from the Windows Store that were pre - Create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsStore!AutoDownload**, with a value of 2 (two). -### 25. Windows Update Delivery Optimization +### 26. Windows Update Delivery Optimization Windows Update Delivery Optimization lets you get Windows updates and Windows Store apps from sources in addition to Microsoft, which not only helps when you have a limited or unreliable Internet connection, but can also help you reduce the amount of bandwidth needed to keep all of your organization's PCs up-to-date. If you have Delivery Optimization turned on, PCs on your network may send and receive updates and apps to other PCs on your local network, if you choose, or to PCs on the Internet. @@ -1580,13 +1594,13 @@ Use the UI, Group Policy, MDM policies, or Windows Provisioning to set up Delive In Windows 10, version 1607, you can stop network traffic related to Windows Update Delivery Optimization by setting **Download Mode** to **Simple** (99) or **Bypass** (100), as described below. -### 25.1 Settings > Update & security +### 26.1 Settings > Update & security You can set up Delivery Optimization from the **Settings** UI. - Go to **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Choose how updates are delivered**. -### 25.2 Delivery Optimization Group Policies +### 26.2 Delivery Optimization Group Policies You can find the Delivery Optimization Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Delivery Optimization**. 
@@ -1600,7 +1614,7 @@ You can find the Delivery Optimization Group Policy objects under **Computer Con You can also set the **Download Mode** policy by creating a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeliveryOptimization!DODownloadMode**, with a value of 100 (one hundred). -### 25.3 Delivery Optimization MDM policies +### 26.3 Delivery Optimization MDM policies The following Delivery Optimization MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). @@ -1613,7 +1627,7 @@ The following Delivery Optimization MDM policies are available in the [Policy CS | DeliveryOptimization/DOMaxUploadBandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.
The default value is 0, which means unlimited possible bandwidth.| -### 25.4 Delivery Optimization Windows Provisioning +### 26.4 Delivery Optimization Windows Provisioning If you don't have an MDM server in your enterprise, you can use Windows Provisioning to configure the Delivery Optimization policies @@ -1629,7 +1643,7 @@ Use Windows ICD, included with the [Windows Assessment and Deployment Kit (Windo For more info about Delivery Optimization in general, see [Windows Update Delivery Optimization: FAQ](https://go.microsoft.com/fwlink/p/?LinkId=730684). -### 26. Windows Update +### 27. Windows Update You can turn off Windows Update by setting the following registry entries: From e6c0a2417b63297e498d2e5f08ff8ab80ce695a7 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 23 Mar 2017 16:42:52 -0700 Subject: [PATCH 048/120] bug# 10980704 --- ...g-system-components-to-microsoft-services.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 21b9f91a90..c1203cbadd 100644 --- a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -39,6 +39,7 @@ Here's a list of changes that were made to this article for Windows 10, version - Added instructions for removing the Sticky Notes app. - Added registry paths for some Group Policies - Added the Find My Device section +- Added the Tasks section - Added the following Group Policies: 
@@ -101,6 +102,7 @@ See the following table for a summary of the management settings for Windows 10 |     [17.15 Feedback & diagnostics](#bkmk-priv-feedback) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | |     [17.16 Background apps](#bkmk-priv-background) | ![Check mark](images/checkmark.png) | | | | | |     [17.17 Motion](#bkmk-priv-motion) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +|     [17.18 Tasks](#bkmk-priv-tasks) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | [18. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [19. Sync your settings](#bkmk-syncsettings) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [20. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | @@ -740,6 +742,8 @@ Use Settings > Privacy to configure some settings that may be important to yo - [17.17 Motion](#bkmk-priv-motion) +- [17.18 Tasks](#bkmk-priv-tasks) + ### 17.1 General **General** includes options that don't fall into other areas. 
@@ -1337,6 +1341,19 @@ To turn off **Let Windows and your apps use your motion data and collect motion - Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessMotion**, with a value of 2 (two). +### 17.18 Tasks + +In the **Tasks** area, you can choose which apps have access to your tasks. + +To turn this off: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access Tasks** + + ### 18. Software Protection Platform Enterprise customers can manage their Windows activation status with volume licensing using an on-premise Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by doing one of the following: From fe8b0304d1c2577b272a6a456a5abdb067a676bb Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 23 Mar 2017 16:46:30 -0700 Subject: [PATCH 049/120] bug# 10980781 --- ...g-system-components-to-microsoft-services.md | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index c1203cbadd..ac398c6a26 100644 --- a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -40,6 +40,7 @@ Here's a list of changes that were made to this article for Windows 10, version - Added registry paths for some Group Policies - Added the Find My Device section - Added the Tasks section +- Added the App Diagnostics section - Added the following Group Policies: 
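Review bot: In the added 17.18 Tasks section (last hunk of PATCH 048/120), the Group Policy bullet names **Let Windows apps access Tasks** but does not say which state or option to select, so a reader cannot tell what to apply to turn access off. The 17.17 Motion item in the context line just above it gives a registry setting with an explicit value (AppPrivacy!LetAppsAccessMotion, value 2); consider giving the same level of detail here. The new table row and list entry also link to #bkmk-priv-tasks, while the added heading appears as plain "### 17.18 Tasks"; please confirm that anchor id is defined so the links resolve.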
@@ -103,6 +104,7 @@ See the following table for a summary of the management settings for Windows 10 |     [17.16 Background apps](#bkmk-priv-background) | ![Check mark](images/checkmark.png) | | | | | |     [17.17 Motion](#bkmk-priv-motion) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | |     [17.18 Tasks](#bkmk-priv-tasks) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +|     [17.19 App Diagnostics](#bkmk-priv-diag) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | [18. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [19. Sync your settings](#bkmk-syncsettings) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [20. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | 
@@ -132,7 +134,7 @@ See the following table for a summary of the management settings for Windows Ser | [13. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [15. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | | | | [17. Settings > Privacy](#bkmk-settingssection) | | | | | -|     [16.1 General](#bkmk-general) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.1 General](#bkmk-general) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [18. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [20. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [22. Windows Defender](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | @@ -744,6 +746,8 @@ Use Settings > Privacy to configure some settings that may be important to yo - [17.18 Tasks](#bkmk-priv-tasks) +- [17.19 App Diagnostics](#bkmk-priv-diag) + ### 17.1 General **General** includes options that don't fall into other areas. @@ -1353,6 +1357,17 @@ To turn this off: - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access Tasks** +### 17.19 App Diagnostics + +In the **App diagnostics** area, you can choose which apps have access to your diagnostic information. + +To turn this off: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access dignostic information about other apps** ### 18. Software Protection Platform 
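Review bot: Typo in the policy name in the added 17.19 App Diagnostics section (last hunk of PATCH 049/120): "dignostic" should be "diagnostic" in **Let Windows apps access dignostic information about other apps**. Admins look this string up in the Group Policy editor, so it should match the policy's display name exactly. Like the 17.18 Tasks bullet in the context lines above it, this bullet does not state which option to choose to deny access, and the table row and list entry link to #bkmk-priv-diag while the heading added here shows no matching anchor.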
From b16b2e0eec0e32dcbc89fff550f1d24842c1d205 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 27 Mar 2017 12:06:49 -0700 Subject: [PATCH 050/120] Update user access steps --- ...ows-defender-advanced-threat-protection.md | 35 ++++++++++++++---- .../images/atp-azure-ui-user-access.png | Bin 0 -> 692766 bytes 2 files changed, 28 insertions(+), 7 deletions(-) create mode 100644 windows/keep-secure/images/atp-azure-ui-user-access.png diff --git a/windows/keep-secure/assign-portal-access-windows-defender-advanced-threat-protection.md b/windows/keep-secure/assign-portal-access-windows-defender-advanced-threat-protection.md index 95c54414fa..593b66f678 100644 --- a/windows/keep-secure/assign-portal-access-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/assign-portal-access-windows-defender-advanced-threat-protection.md @@ -22,10 +22,23 @@ localizationpriority: high - Office 365 - Windows Defender Advanced Threat Protection (Windows Defender ATP) -Windows Defender ATP users and access permissions are managed in Azure Active Directory (AAD). You can assign users with one of the following levels of permissions: +Windows Defender ATP users and access permissions are managed in Azure Active Directory (AAD). Use the following methods to assign security roles. + +## Assign user access using Azure PowerShell +You can assign users with one of the following levels of permissions: - Full access (Read and Write) - Read only access +### Before you begin +- Install Azure PowerShell. For more information see, [How to install and configure Azure PowerShell](https://azure.microsoft.com/documentation/articles/powershell-install-configure/).
+ + > [!NOTE] + > You need to run the PowerShell cmdlets in an elevated command-line. + +- Connect to your Azure Active Directory. For more information see, [Connect-MsolService](https://msdn.microsoft.com/library/dn194123.aspx). + + + **Full access**
Users with full access can log in, view all system information and resolve alerts, submit files for deep analysis, and download the onboarding package. Assigning full access rights requires adding the users to the “Security Administrator” or “Global Administrator” AAD built-in roles. @@ -36,13 +49,7 @@ They will not be able to change alert states, submit files for deep analysis or Assigning read only access rights requires adding the users to the “Security Reader” AAD built-in role. Use the following steps to assign security roles: -- Preparations: - - Install Azure PowerShell. For more information see, [How to install and configure Azure PowerShell](https://azure.microsoft.com/documentation/articles/powershell-install-configure/).
- > [!NOTE] - > You need to run the PowerShell cmdlets in an elevated command-line. - -- Connect to your Azure Active Directory. For more information see, [Connect-MsolService](https://msdn.microsoft.com/library/dn194123.aspx). - For **read and write** access, assign users to the security administrator role by using the following command: ```text Add-MsolRoleMember -RoleName "Security Administrator" -RoleMemberEmailAddress "secadmin@Contoso.onmicrosoft.com" @@ -53,3 +60,17 @@ Add-MsolRoleMember -RoleName "Security Reader" -RoleMemberEmailAddress “reader ``` For more information see, [Manage Azure AD group and role membership](https://technet.microsoft.com/library/321d532e-407d-4e29-a00a-8afbe23008dd#BKMK_ManageGroups). + +## Assign user access using the Azure portal + +1. Go to the [Azure portal](www.portal.azure.com). + +2. Select **Azure Active Directory**. + +3. Select the user you want to assign user access to. + +4. Select **Manage** > **Directory role**. + +5. Under **Directory role**, select **Limited administrator**, then **Security Reader** or **Security Administrator**. + +![Image of Microsoft Azure portal](images/atp-azure-ui-user-access.png) 
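Review bot: The new "### Before you begin" heading in the first hunk of PATCH 050/120 lands between the permission-level list and the **Full access** and read only descriptions, so those role descriptions now read as part of the prerequisites. Consider moving "Before you begin" directly under "## Assign user access using Azure PowerShell", ahead of "You can assign users with one of the following levels of permissions:". The intro sentence added in the same hunk ("Use the following methods to assign security roles.") also near-duplicates the retained "Use the following steps to assign security roles:" line further down.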
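Review bot: The link target in step 1 of the added portal section (last text hunk), "[Azure portal](www.portal.azure.com)", has no scheme, so Markdown will treat it as a path relative to this page and the link will break; use a full https:// URL. Step 5 offers **Security Reader** or **Security Administrator** without saying which one grants read only access and which grants read and write access; repeating the mapping from the PowerShell section would help admins pick the least-privileged role for each user. The portal steps also never mention Global Administrator, which the Full access paragraph lists as an alternative.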
diff --git a/windows/keep-secure/images/atp-azure-ui-user-access.png b/windows/keep-secure/images/atp-azure-ui-user-access.png new file mode 100644 index 0000000000000000000000000000000000000000..dd7fe7dc4d6a4327f027cb6681e6404f903a277e GIT binary patch literal 692766
zP0e7881k7CCwYB*>bX~roV$2^xz?GVnUm7}(1$+s7c;qNXs)VUFZvEFgV2 zKFa-t!Qp(lL{@c|7WMQL>NU8&A)Rnij2rF%5{3Xvtfz{xV750a_FVGpnm|WtA_Wfa zAd|_i>-Prp#--ZQ{KS=uo$FVzu!2Sx2H-9{2L^}}EG|Q&NRw1^2mwdH72q&rI2plM zF$~dcEYHu(PF=T4Gf1N@_a>Yf)r}A*$mh$$1H&6fOZ}BvH=4aUm7YF{iJO>PhOwR} z6RlwgN@KB!&fId$eI%s}-a9?J$;uV8#)SMf?wtDpfCa17k1M|U{V9aPj zs|BTva2p!)VZj|Nx~057&>zpv!ktHyYO=oLbu}SXNUaN&1=rd}Q3Ru56m$ydg6x{b zoz)uqr0HA7mlzqLI9aAWMX4pg^HIu$eHD0K z5+|*N<<{&X+7S~XBb_dhiH%-tCCe>O7NzimLb07Mquohj#WitQ=?W_Zgd}hnKrmQ9 zTV@1l3(g@O zVIeFGLEMsJSZgg~5d8K_8Dlh4UOAw&+nisVAHS?`UPNsf+->+}p~ASS$QtBJg$?V< zV;fB9E!S4-m#(DKGiGK^bUQ9!3`-jgByFToJ>xBu^Q^BbE7@?Q+Gxxp>LU5M-SPil z#hnZbfI>F>!k_;)5B+EVbovghc#l}Q^Qb@j%u|2zTOa;uSesuR5cqPVQLPO6`O@6- z@;AQuEdc+?r=QxorT?*q?;@ie$9?gY*E;iaPNm<;W|dO7?dJPazXj+=Qr?)wZKuZG zb{n==dmfyKOm7xp;6x0Taqhs&a4tEM9AJ`LDCU?<&M%aTVHQ`fEWdK-wbx$$9uXDG zr-nw3uHUj_VtQ_FcENX@J-c^4{@9~A56?b(^lM-H{PCklC#I*2rBkO)DWyL8$zLBF z96WgN;CH|K-Pze$&vlq3OJIcY@vEQv+~-c8yD&R72QGKr_u!_@W96!xoNS&var$q+ z@%8%68(x3k>GK!1?%W+|Ha9m1&cK-!J-w9y6L!rno8mM%eC+7?b0=merb zJFg!~mgXMWHd1=eWAECyX~VkF;j`0qqf*zAo^%QUl7@Nx(CdHo*PlOmakAd&T)2Av z`i(1`*%O`;C-b4Cyt!?%9sD<<=2j!yFQ1=ymI8^$rGo3 z>o=Z!>JuL*XR4l?(~6~ubsYhcJvT6r0V5CtbRiS$-@W6$dk;v4XP-Ot`Okm;&EuyR z7Hd%Q%8mKcXD)v5iFg0{NAAsKynLAPgycf>>YExv02Z68FTD8O7ryt}@mG!^-v=J_ z4-CBPU5`Eb=>0Lqy_cvdA^Vq4WiAmE*i{)!qFHcWTKalxPKRP-z^w5LvK6z|m zZu&AQ0V4!lt27x)M7<3FCo*e$Ex;OUduBsgYpt|37DUM9f)@|H`Sou+{hb$H>MYg3 zMBmULDHXTg|L#Y2-F?^o{=Pnki7gv9Y~8rA72(Xe^Upl@+zZdX0PtM4c;wWX&Aawq zo|qDjV}&$a0vt?&7)Wq}BW0Q~Iz>Vt@hYuh5=F`tawRTwSJ96~&rmg$h3Ds*WEb#6RvAyR3O%{Y!j3?0zfvuD5i z^lM-H`g83l1{VVx*N<%28AL?&>X zo%CnnV(`P92~kh#WC1b&m?cgO(#;kdap&;S6LG3)wNHHP1NZ#SZ#-Vi20BeHT^(=D zO!0DmkS}*)18YSlXX4J=JDHyvhtFL7%fEi+&;H<3fA$BT+P!)7C!`MDCSq>OTW*&K z{KB9A@twZEw~3e^@&o?+Dx3s>bPC^P0@~_kI}Tl^SHjHkJt<|Xlob*ghtb+q|B>uz z0y7Ny*414jWvsP=F(SZ{E1i&sT@hKOJFP~uwpw-iT}KK=oI?l}MIFj;Mw+Z2+gyyxC~@87!l#q*c1RtmX??z!vN9ykbtH;!HS`d7dF=9@=uOwG2JmX4jf 
zeD>1Kv5^gjPoA5&F$pl?dGG(g6Xi^1Vs`P!i8I%)&Y-XkLAE?R^6al9$W*(Xp`$ins5bF08A^-@!Zh)yL0|i+QU$I1I#~z!V$l1c4xnaxu4YKn#Sjj#d_DI+GJvT1A?`5dz$U1d-Op*u-`;A%Qh;TnGo8 zg9D5Vdb)Wk1!4WhjoC|=)%*lVffJ&x>M95c61I!rc zc#gC>Ng{M1nCmE>wp%)xUlxA0T<#wk@T=wg@L+rXCSnOq5K_7x_x(ihHYsogN?;>E zg-i&bWuYy>DkPdgJB)J@P#ipiY}sGeFNSi;v8(e7OE+&|Vj8s?;sm6mWghpzokR$& zv|L>6SUy##77C6x80H82oxy?D>>N_Xq)6i!sf2W4$ko;})@4wfwUZdefC1J(B`{oY z&u|IBrO_0($q6JG&k>2sm|$cXELk$J#2DjXmT?mDtz%2ff+=DaOj(mcc*upKT=A=Y z){)&>y|%D|l?LL}=Z+&R*JL!*Vxzm%4D&hRg<-j`Qz+Bq6baY0Z%9o_G-!83eSGO&)>mC-sWOB zq33fg2%=}20dRsPkT&RvXYH+^F6WRC8PS=qw`a%o&1;xnK&k+X`bv^^6U$L5dPDui zjq9EMzJ=AL+O_d`W=1Y8k&2`z1IIN$Y7AnH6lg??wT4s3huOSS>1Wvzv6UYvRQwKp z1U>7PJJl=sOz^M&*&qB+n;sE!TMKhr0`sG+4S=Vfc<`zBKG18N&jk4&j7k1I!f+l` z2AA6n$;k=wvx`fg|NQ4wyYYwr_%mZ0Dj$5}Ue9&4*57^gsA{&{Vj1>lhyXJ{+))hs zhq@p2$Vuvj`k4hc1VzLI2aJFfFkDC%!sk|MZ3zG;NMn$6(~dTl1DR~GSgIDw)lRF` zXf&eq+Qj@~YA6iy8`rPfwq3U;E16Ski@3r5nXpPn~-D>8E$>-2K4A zcWv9cb=~Ob^3tMJz4R2cTjt2&H!fbf+-i3Ge3AQsbUdxBlqi+*g+d{d$<%{DN_p+t zwd<49LB5hCin|`TAjZh{1amTXwaHCijDPR(dCS<-3t%P$`~efn&KFjK6|ue45GxOVmW)Sg|tO2uNeR16$Z z2)%6^M~14R-movc_}rmGugxshoiNYK`6N;2&R%(C@bEqR_w3s;>PX*_K{iuL*NB)~ z9>YX{VN4HHi(?xGt3}MrwO@MW<->0tt2GlpR}oHOX|?;t8>g#<(!1`vYtyjwn9$wG z5mG5dmIXmzfg3k&y!qzw<44}~`-crYtyrm8-n3~`F~HUFxo>{+TZa#yTwJRAe$mTk z1?4VXnrL^sLB{*9{@}wqx9;1r>FkN4Q%nhA9Z85{MP$G<2UyRY#ad>G6BuIx%n$>5 z)dYIwqcJft_l3`W;q{}(0p=D;y$YXmwN5?fyc&DgLMb>npoAkM^dd`k{S4DsllZI#B+LKmA7lKKMbj*YMw)LLRXM(@@Z-2Xx4ZrmK8$ZPC{E|Il?gaOJ#<@u&s03uXi!BHV$4%lm zQ3_;{$%KVMnj~vi5J0aW8Lg4BU>4}nF}Li}7)i;Aj8=dmE2Ll?mUFU66dRp#Kr#Si zjUuB!mIDlyK{IF$63j4Y2Iu0%i${+ho0ymqe%81lgfloeynpY3oR1d|9r{22kAHRQ z#4$I>=d+omg~gSXmG%9_2OfB!R1GVY3Nxyd_4jSxGFrj-_|mt&_T{gC<;(3Tt_+QM z`D(2lpTB(b)afh4JmmY~NH5>#J2Fby zt%a@yBgP1v7$eSMfh!kpo;-dwX?BCYA=mROrSks$d&kDcIvu?B+Tj;peEIsd89&Hp z`*H}q`K6gx&zvt7GMmOWY+2vG@4(*5q1Wrzm!#CL?A6aumRoS-DwRD44-|{J>B+fg zzw@o{zW5xa#^Jov?cBV6?L;wi-~IPj``*22)26|}!MVk&UDM%Sws&3M!8`Z|hhLa3 z1^~bqab^f9L;{&2A}p`QGfSpFc?*Y=sYVlvHPqWk4H%f!Mk_&@3z0XLx1xmcCfc3VMyt~<@_t?j 
z!@d$S8MInRH4LoQNs@rb^}TF=Uwf&D85eQ4t)qbXuIKrV--)e+aSaoU8E}vbFW}X( z(_gejH(_bqZlc~q6v0?V@W?ProO6c@my0ANU27mtqQN0->?;q2ZZ5fFaEcrW7zrbpbveP2E~msO9Z)y~001BWNklEE`woE@VWGaw7yJo1sWc5w~S>5t8jQy zueGPA_3Rv0R$0^rCpZC!Zs#ZcK>xo(7t?zH0w)-|wovY=V;I&*nYH`n)`6UJAy_9~ zZ7)q=_B!gzfbgYYifoja6h`_8T(?|c#axGBuF=5k0=ltIQ!pd~2{Y&|OPGg*qh&gE zRgamQ&$+pN$E&261I0g;rurXx9#b#38MmAo|Bf~Q7eVO0{C1nCo_G+zU;gzohfiPY zE&Q783QKJbVC>)P6P@Afavzj5d5KlR=RZZ~eWlV&^lVM=1{ z-PxUI@=E}LTj|5LH5mwz$rj?M@%(e&p)~r~$DTZR&wcNHWWVcW96$g3E3c(d3??Dp zW{yD5h~c(b!>!qY_q1eeEkVg}7`}F`EVKo886z-e!K~mQW(6!vsuKfiHJ2>a(Mn_G z)VcGc>(`BJsDAvDpB@<=x_0I2wd>={EA><*fbe~HWVnBHct8+1?3S^OANt_?U00SW z)i~8FtBp;Yw|cIdbWtvstJNwDb-Uf39a)k_H*eltUS1YnwwNs>nr3EZUp;(y%hs`d z+j1ZK#3u{6@ZyDYOG`^v zo6%d>Y3;&n-LhfB=m2M!n7DEM#zZGkPLO3z#_@8kW;DOJGC4WBG`BRA8$zmWqJp4E z00j5EAOWUlW)~NiL99~gYj$+ZY(8Ji=Zh(D<;s;quf4vw)H2o$vl+>Kn~GY!rcH9~ z>W%sNxKhsbmj_)D2qrmk4p>c=bgvMVU_ehB0x+_YbI!RC0zz;hn3P;Nf?@pHjl+iz zuP)X`w`^~95+dScr>3UnXBSpiI{lT*&h0z;t9_Twojvx(k-?8Vx?}ssPyG5*r9ydi zxi)eA=GpU?=V#|w5O8CNI5D$Es98oN$WTPqk#b=3=3U#jR4Ww~N2y9&*L8$UR5~*~ zdu9Aut=`tDlEM?xGXx?=)(RmU&JvXr3b|d|x9#1%lL6N*U%GbnN@r!o%Vg$eXWFg$ zgjBOsILuWG8NZYZeSt3Naxs7Z-FNvJ*ZM&#Vm8f`OZ~ZGj(|))TPWn>?p&+W zj?=^fwOZ};*)x-qlZDD)9OM$q=9lXy&Rp2HYv-nQh5!8bet%?W@XaHKXJ@Bp7ZzLf zx*KMz)kwNZX{<>AvyC8@k(= z|M*8AedM8!eDM8)gM-z_4M+*nx=MZu+Slk^T_;GY7Fzzx2Cz5Z@|`k(yeQ!hO5 z#XtX(LNFEVC#Cvy;A<+2v_}NpZYqeT=V7-!=*qU;&R4QefZGiZe zEn9{M`}+phDacyKNY}{~^U8p8l#362b!sFa6=cX^XavV=O?d^JB||+%BmB0<79k#>B{w)ro!mD z;T_v{oH}tTsV@z0-u%$Pz5Uhl&6}%d&z^0xn!<4aXluw26K*fs%^1KeW5gIShU?dB z=gwYUm|u}$wvf#G3l}a-PtB6yQUpnC+esHrxY|vwO-@hD&23rV z@B5yFg^68ZTuBTHq#zhL3v&6fZQGdu<97YJktg2sXf9Lqq_euRKxB69*_F@drNqe4 z=2u?0q8w=;f1dJ!ckm8=X^=n95%$il=~_ymmD~^#AOTk}7R{Dfs-;VHIX1*{ z#b9K(J>8GxhK}`GhD)Y^Qh#<}&@1FRNv$?Nl`PE3Zd+Rm1}24)EMG(p_6$XfMs7Q4?|GDsAJGg;{M$aUusjt5^p_ zM4Sst49Y?qSaKK_AQ!YUH&>sZL#G8!AY3-(TdSl z4CDw{odVW(rORbth($^|wq*<@(Mq?KQIX?vWHUj&5UsAD-9emoYt823N?0AtxFIsd zsMu%v2Ox!wR42AjDGUU0p_G%7<8Z|VI723M`^qQ7#2B;IQZK>h$Ivl?K$ekVmUDPnStvWDs>qik 
z9oO0kS_!NJ*N?3st|2`rjZU-M>9&$s!lPW?A0AFe*U{z6spXEb4!Fm8!i4Rm|0i9f z%A}qaj`loT$ay3ErLpx0MAT`;)05qao2adDojN^N3)1M>OMkzc_cG4u&i=nf$J`FT z^+=gpj}0KD6yO5T_7;gl;0#fxj+Hqq&7s}MSP>egQmeHf$>2$3eaZ*Qk;)p7M4^mo zA2L3m(W}XwSQrO9K(T^C3Bds46=GR|G+=|NoCnS0r^-|M2hPR(!tnbae{9`g8&gYw*=-Jm#udRK5F!BCJ8~h^~`sCFZZ#JJp7Rl-uK?e?;F21{pzc)9)0uJ z$qSdJXBL(gXZh|O!$Sk59ICnUAN}J$u#`k`CshP4h4j22lgT=+i&{+vu4jy4jJd9> zQnVZOMzbbekC@Pwm~`S)pE!PMu&@!e_nA zCd&gCg)mzTvr~1$03iec-A+=gHR33hUN-8cM)N|xv~K;zp^*^@bmFMpZgc6lP6*=d zcE=NLn8{_c()WFxD$nz+wE%qICn6X)k`o!r4Fd-=oO)!lT{Ar)T5~TDoO(PBV6_dr zkh?JvDWxRiTyocSo6V+DiU_$dQ^@D8jNf?nnP*IzzVC@go_Oqmd-fe%n4Ld$;`HDC z?bDaWueY^HjAq0bBZBA|NHb!LGnJ&de0J;D=J!7F#Lk`D1z@!HJn0B5EH&OZaBljE~)X|~{U=;D=$ ziJ66ZZFz90Kkz))!R8Iw-~FB6dg{ZEl`6#!=Zy{tTVhP+3jpAG-ujIjE?iym1D7!- z03k#i$4aScvDi%{7@Do**vYefrTqIId-%Zi!Qp}5`}jvca{Bbi?;U#O)z=PRyD`~` zqkO3x7Bb0C@M3?9@dq3L@!nV0`?7jcDg$tE#+kJsO8{9;OmN|a9x>HzMsX{uFTK%i ztRLz-uy^N{O@ntIylZM<^}^K~jWd@`qk)2i=fT8pX9@kY1ns}{{2T1~-{@tzKDcjN z8)vRg{}Kx`{hcs6g-%$I z85|zkwR`t(e)PR@3+;9!J-4qyxB&@&p# z3k$7!ZLr$s7ppU?od_B{kX|MnE^yadtw)e9=h9lZ47qGRlgYs0+H>MaWix^AqFGZ@ zH*VN8af!kp*GNgl%=H54WlJSDHE}zRilJAk_&}^<_z)fg#c`*xnsy>bxSacr?*=~F zF)m-9K7VC(|Bmv#_ul*F;ln4E76(h&2M_LdB~G6?bL!NYBvwwwk5$U71UbakzIn?4 zPQ-~g0qAt1W}|Jb^*kp@qbP0#;mE*XnSjNWx%v5NA}SOLewZ~~<4UfGj1l#EcX_F1 z0YR2q1D(1c4^~18A_pAC3L#3RQs|?!e&kc1`t=XK@BKY4Myo^!mg+QHC_853*y zA-!mjbfgys*_?I}t0->OQC~r)?Q0VlidCW#D8Y^63f~3kB-Tl{tCe+%eTf0Ag|@J8 zh)H7HqE%a^B!TP7K!7DWZZl$q!oW)E84)7LQ7#|5Uboq9HzPD7B;-p5*0cVz4BRBT z-Ktek6^t=56vyp$b0u!)0?)d_&1WJhVJxDARvOX5QZU>KtCjxs+bhy*l?tl9++AL2 z%`9W7jZR`1<0(N|2^bF$9HHcS-v%OK+P2%xS`CdRPa@YS7_DQKkTF6?4#9~@<^?kG zLu*KC#w`gUh41-65c?j3jXSAIQ*c<5S_bZLxDp$XMg_l)buoJHP;&E3gQf!ZtG%h^|V`D%&kA!kNG%vLI}Z$t!32RlGq5c z0hx9hBaRS7LX*`DObQvYz+-_&g;3x1WFEyW`_G7)RiG-5Aos_k9LYEaiK9R>slpqT2=I z(8_Wy856!A1VIo*>FVlgyWKA2OUuo;+wA7c?-2-+3jo?dtJ%D8?!4gk z)bSIYPRpce7>1m4W%SI>XTgNsJm6?S+c<|uJ z@L=c%X{wb{{ry!x^nxJcdu-Rv?d#SLUz=J`I%(FIZxIRT`NdcU#(KRNKg^r==om7+ 
z>?O|mn%BdvH5%&)mN{pfOZ3vd49Ju+aHLG*#B*FCasK>yYxVi#FaPGJp4_`**Oo0~ zTgS%kx%AGlk&`i;8H>=gE z<2csZX1m=bXtEZhQ=P<0I017*-DzFDc4Kv6_Qth~pL+5G>xTQbZ5^mqAK$rW_x=M1 zzx?%YoH~C#iMvjwl-Reu(PBSt#Omd9tvSCEI5CdS>S|ah@*tC{D9jhC)j~F#bzKL* zlG)M{*vx9tV6!t}ZQilrAt&r8X>8B6w-LD+15NDLRo;8t$u9 z!@vU&cbeU1qtP*`G;o8yQgNUR-4r&B8mr4`#B-G)BV51P?lgii5fgp%x0v+ zG_;mvk)qpbcUr9|ij2$tVI2 z>MblUuf}m|txeN3iW6kqUuN%p2k+qLg`c0G>#g>mM6_0bKyo+?f*cjA)s_0hbbEcJ zx_e{LKisbNt85;PF0?@@i-G>~=(-@Et=Cqjua9G44r%OzKtx`B8i@iUuC+~#=L+QszZ>S#)9-vq%jjs0# zm8hF)gOLwbp8_$x0!Flv4G)dx_cJ>X-{xN&!YjQ=^4i6WV4S*C*vT zj&Zz(rbxFz4g|DhM2s8sg@tUGlQK1kjLW1WTmz?Ta*6A+jA7wY5-&5$EdtJ@6kSJj zqW362?C+ZbdQ3)JLI`%wIB@t5n_+yX%*Pr<>9(izIvx7q~AN%YVzj5^F zaV|u!$AZ7j(C(T(?Dn6%1Oetaj_P)_b-`JxZKK&%gucO{V!7l7t|ZDAvdu-K;-r+x zx09N1MKPZXf&jqu^z4;u*NL$(mv7h2_3M)}H^xuA`NqyI>-O*4{rKaL?btE;3HM_J zK0W>KJDrv>DpgosT6y)*OINO*&lj@B@@}kLFT;czCq`-8P2%$xuL|z8+g;A3AGk}a zD~{{ON;4q~`MewCTHQ!#J2O2ub>qh5_~n<^58btY--8c5uy^Ok`VAjR6mCw=%+Aic zp2vl>B)}vXCu2;~T|Y8-aPOYG_iiz5JpJ6W7tfuazA<(F{MiV}K!2h9+n?IMcWTA04)uFb_#u9b8+x0Ooa+QbZjb77^!jMadJAdpH`a+YwbJM_oby2@VPKa+O9X2Eh#@hz1DSH&bUcZ zrJ_y{_Hjp=Gz~o8^E}V<1b4tWmr^(`xKIX}F!Wp*bvoeE3v<0SdNv4pRgjcYtBraP zg#G=4b93`kQ`57PH_jeExo7M4eY^L(=hxo#{>S!gShw+C{o8+2Z@qG3VbKZmrBbom zQA!yhM5oj7GCo|lR;#`A(o0rpG7845jsH?Ojw>A}2m%6>QUHvxLI@cIWRhmPRVtV7 zzU$z&t(yT5Vb{))eLF`0=$?}-kN|$~hV|s0Jv*+?%wL*nLh>|Ci$%xt(1{Y^dY%?t zV>su=7^RrDz50O67-ONVwZfIgq@EMRX{t4XAh5(3LmbCoEDXbiW-aGuGMTW`YLp9w ztnYEalY((Fh6<%ZEuxDTE;W`WuV1@-_ntim_Z_(VuDkZ`9xhcrr45^!S(uubXf>Ld z3~pXsI{NAh6W7jW@|j35E{ka==yszZE4-YTn4LIv@k$)Wfu9M2jKeTLzbLrlWpb_` z#GTY}Guc8uX|K-A&A#yb;>4AU8%Fwf>==9BCH?e^649BK3O(ra?T ztkz&gx`LQvbV^nm!{B+{W|KjaG39FcH-6(&zxC-)_Ep1^r^lat{)LxcetCLsl?O#v zI*EM?mESKEhtFKu^VEOWEAaOhfBM@W_@jURGrUMoEc2^_H4|lP7pA8dCZ~}QG(l?^ z0{}umN+v|Fe%=p(0q914p(GtnL;}d=GmMeesq4zF=3$sCgxO@JmUP;MN_pex$mY#k zCBxj@!nt!7R#$8Jp}sg(i88`-Q>~0K0JPQsgzG4yTkQ@Q&lU5Y9|oE$ZI>38GdW0s zZ+`Qo%V$mou9FxRE0CKtgwS>4xXXk*d-nAF;=-<-TbrHsD9aJC!I9BRSFbY0ipAnW 
ztA#)ms(n1_w7VU6f~k0Ae%i!s2Zgv87b>J;n-9mGSE@eCNB(TBDe+=p-epwqbRGT6?7Q#a9sK<8Ho2HysPb(cv1aN|U<|@=otUVj>NQ?#+g9vngM9z+>d+`P zBcujyAj_q&nDrbUH`}VVj8+|S$0n)ZJ;O`B=0el+jUwBlT5fAld(17P9swlRDi9lJ zW2h%*7J?HaZJ<+VL$Hh!6VTAA7rf;h+=4UB83UIJlA!sTj+HT?s_KdXfy+_m2sLGm-|jP4Qw`pVm|3cU7`%Q zBe-T3hQPVt(z=qQhk<^%Zb%GOk@bnx>ePf@oJXteB(V^r0k|$W01uqQt|{c#3Stdy@G=T4PsMquGh1vjqJAVzz2_qUnVdVCzq4 zlg|dD{pBA$@S)%RXaD18e!WMveDPoWaijfTzNKm6uOxn~dqL9aKuXtfgb-`_9R$vJ z3MM_SJ1VIyWwQQ5k39N`Pk!{^efwH54!w5dOJDis;UmY|t=P#F9O)a*BbEL~oZVX4 zQ4StQ9dOP$H(V%fX66$@bKY~l?QXU2RosiDNRgDtmMCgpT57eVcDH-6ow&P$Ajk|543M#d zcxHYD&W{QkS8 zX6Ic)v-|IR>#es|R#ui*i-A8nSt`H!)7Rd5^Pq)s{aldAgWOaLV@X@~JdfGt+dDir zSS^*)bbTh5B_-oTlMIAZVU&bnY(YvnI;>y3cyap1^@|^#zkK=fKm6vm?%lg__wL<$ z_UtJa%R<2Dl&vKtl~l$Uo$B^%erRB@J%j60v+un5)}goGMrt$J>{6{XJlx;YGtgG( zXeO3fL~-i1J8_ysQDiuy9M1@9q=_de)7};dZbVVBT#geM7R@lKH{v#JO4XXLFfcIC z-rklPe^t2Dwp`&P>lO z%rEZSURb|w?%C7Z z9jsPx>Eear(z4??)*{iCNTpiW!rIpL!w>D-x%IAXckj9V=8+Rgyx^+97}KaD&Voo< zi)IuXFP085Ng+wV(b{TjAO%SYSW?oYWWdD2Sev9qYYQOX*5>(c97m3$k|e4Ymon|S zbt6N)-CY2*)4uaWIC)7si`JtYO)~D%dZp4QOadNDklgs#$sh< z)$1OKYqc~DL0S=28};!UH&&Kru8&<=U0t=}H}2Z8@zF;gAHR8Pd8M>mZOVM%v+X%d zEbOPGF)XDbg0(P4GaCp?1W7=e+G>eCx#Ooy}PZmFA;vV zUT@0=#bVL*Go)maB&(JB{PObFtpoe^?>~O}^w{K7rBW&MwH0#tN}N_!mQ~UeLWm$E zp~S|M3bY)u@7aDA}UX)--GKRL0mYg_+4yZ0asw~cO= z5@Xk{FD`WX2;fREBp$-&PmYaAgtm zbEsBeQ-(2uj8F_otdxbaR=}?DAZve&UK6ul5qsXprw**nbQCktjJmctzd<*Fc2h26NRlP zCxQ_mAxQ|stc}$qq$?v(2tci|Oavh;TWy3S5JMP8FbO2hCeKVqE0y{A(&A8W?@(K& zJL`6~d+i0c;8ItVdU<`btrS>pYRRAZ}SSg5v7HsaMU*jYB zG`A$ukOocyR|})9wMZE$iAY$M0;)xCu_J^d5XW(Oc{!fBX>Of^u0UBRf@L%{5&;pw z68s!;9uz@GXx7lE!=`JW*Z(kRjTHSSP^mXRJwN~ZfAquO|Dzwa7@4+Q<`c=F_&I9d z|Cab`w{#&}nb2&Zwb5FGTicnnATo(l$lmw4d;al1`u5`wZr6<0-#-4@YX{#vbfgiP zwvJxm1!2Nk8v^~Uh6Gw>F%|$Z0kCPR93L#0MHHJG6SpR&<~H|@Zo6yeqmMr}qj|ZK zRx7Kfp0owoty?$ldSvGlk3Zbo;f-CoIdyxsQcu9H?-w?1+MH2pYU0ZB+!RXl^TKY} zu%U5}LO2k?VzBaB%PNXDs2jLEmPkBp2+Hq%qri*vW;E35N2u2m|Pd-r{A z-`AB@{t+7-_cTey0&wt54 
zo%nD(UY>{NS*`E8@4m+$e{6VoSV1YJn2ivkHT%PCnHjxRT;CBw8Ut&E;{}fI z*Q(*{?A+M+^(P)1-Lz@bx~p^)9ZXXo)_#}=1XSBi_UnS1u{f99EI2K#$VQUSA4N;-}qr7g5!18m>A z<)H`nR~pT$H*OVIR)p_w+`RdTM<3d^|9)Y|L7InBzE!wM@(cL_`3QXl>%M^$uFB4G1xV z1q%Twnb}b)k&3Jx>K_;#9nJgrk1xOdmw)l+SFc{p7248-Q)68}XoSt)-rkMt29w4M zUwQ6{dp@^sbldx9$L5kK%;oaTum-M^aa>ob*vM8~I!Q&+bprwOuzlr2M& zgpi5mM8g2X>jv)Kx9`Hu>8YjFX556L-MjDJbI;Df!N3A>94n<9&+Y8&%=NB^u*I3N zXm)CKX?b;emJFVH;^|GByRt!cbadPJ#EqGmxmpA3H*earZ{L+mXPZ|qmWw5bkOUR- z9fO0zLBR=ayxNSbb&}+OMQUNRP|}y=8qL0>n5~n~ZrL#4lfFHEr8qrRT#N`-2(jz# zJ$LWiI5@PfQ0Nrox(=B&1LB_()(W&r9N;5;9s|&EBFI>)VKk%_4k;3>W273&Zd$+Y zg=e4st#5pFeXqDNvHIg5|L~1>KUl3cA|u>PUb${!jIkl4T$>vEJH*Ulu~Kgqa=}Pn z*RjQx`OD~k_L%#qIq{!e`F9Lqg@CjSzyLx@*=m`#y2PypDwAj_R&a-f`B}YXh1J$o zUM796|{G@=Z8iHciz4AiLX5K$dh{{aOBvT!^ciH6XW_>hJM1)5H|of=tenJ}k+Er4^3!Gs^KoCTjtu5ZUSJTW8OmzIW#f z`wu+OQ3&?zzPD74Pn+ z2)M4_Zs1v~l*~x!A+^P&S-TZzs?Wx z(@VwTYQ$+G-5^aiYz2hlc*ghOyBgZ23}XceAq3l&zD587Y^@diF+TnyGTsVs%Quf1 zf&c-M!jb^NSZE`3N^GSRa0E++&_J57_SiTiTkL}o&<-Wq#zMk#kn!LJ0c0A*akZQz z5rlz5%7H7ausUuw5NR|*TUuC{@z7mx2m0HG)@Qqh@_s(IVIzAm(Q?B!Y`F}rktU9| zN(&ak7}Ayjh7tyjl7=9dNJ?d-f>waDrfCt@QRKLSB^hgDqoETdF_2kvbYPN}s1=6V zN=0P?3&GSf$rG(K6hXpD(Tb8`0u)F=C?ZKPADON2UuQG)(M4-nu%B85*F$IC>+f_s zG8`qUT3$SV7S$5M3WSE+iqj&n07=9eZU!Bl7#_Aewzl`}&pZR+r~$H*aFjGlUj+9snHed@**|yrHpLp48q>OFph=?s|2qOf9NJzj~Bnf1UIHuHk3UHJ)v8k4@ zyok6Aq)-xI#0Ew{IDkTsMdU$Pq;+r%0(=Ke7v_HmtNE7m%ctF2KEi?BTSxl4rWcCS ze}k9d@Bh&c|KAtiJ^CmAdZfSWpM2$s-~Xc@{?b;o|5+%{1E96G)_x@Ek}%9kTCR3< zwtsHleP8|ZSDt)idtz|#_0xa;=ieK@Fb%F zOC*)+x;jpbMj|kAYx?q)u}Alh4zFAP+u#0H`?j6$A3HZaHlI|Y?dvxjc;x@RH@ZUl}eakczyq~&wsH|uT70lcJ~iF`K7Ns{Kx}C!=3dgDc75=`vJ=$ zPK{=pTEy0}R4S8UM@C76u#xNO&*gHdMQYg3=7sB*%heArjcwnu<(UUIeEG{?_WZ1t zKfOG?TId-Z8S4A;^G`nh@b17tJ&BT7OX)~b%%XK3a?4UpwtR5qQn7sD>iE5rdv}fY zeEG{?%IEW42jBbf!u3q1`|(Gg`n4}UziUe_2vBd>*l0*1M=`T8##)d7Nr$aS6Afwn zoTFS@t=6wxxpw8+=l1UCd+xbsySjUOy4tT?z6f^ux;8%Y;A2le^XT@iZF8liQ>RW% z-kM5MQ?6ES-oCZCv^+36^w<-Rmx`rhM^8=6EUw#e|8M<+-@b3xhFk_*T}!gF)`Hmr 
zsWsZ7uP6BWSH9dkIQ-oo{bcOst&O9jk3Rb7=Rg0{ri~q|6+V6b{Kc!+QpO`sJoWHn zpI=y5ID6vA!tE&=C7rq4-FtR-c6G%mmX{afI1+-{A~lJSij6RAg(Pb&w}$(KpgU=J zQV1e4cT(|8tH~e)34-sLW>ZTylg(zFTwh;bKA%q*rBdnE^h{}~XqDe+#@dJ+oJPde zv8kn%mAkeK9eD8muAa{Aciq)<^4i?Qyw*BRVJ(=2weUPoW_@OkQ=MwpSh6fY1R+@f zEQ|%%GLdjxaz$#nSgFh|U~4a)d*O>Kv3~dXnWhz+w{3m?*{ApHxyx82kxkN=nSI~i zv2)j+hn~!4Gh-hfnH(92Yqh{pcWoZ+@9$@W<>lh)>gw&8+4l|~zGvS(&pmzDSAXL- zySv&?o;v!@;rE5gD%&|UurwXsvwa!0rRP zM}K)_o-Ii`wLTuphFg(WYs0V>%xu|0{8bjFm1zx-5DWt;mFv0^Xm4-dv}u!-Ud_)U zQyAzP+OzHMhj;I}Yscoox{Lx|d-L4Oue^T!#+2jbT;po1jFrtW(H=2ml-M}YuJnvh zjVNw3nL#NdHpV64=5vYGa|??f96P>cV`@6swy2&hDN^AGm+( z)~ySxy7oB?t1LuM|N&p z|C3iK84e0G_Q_LojCDf{|is=-Ls9q{jJWvzO&~qE*7gy-u9h)pMU!4FFv-N z1P&cOapc6AY9(?y+Cx^MrqEDiSvh{D&|a@Mj~zR9;ByoQ$!f|6);DO#RKsf;vMii|*F2_yljj1tWBp@B-_&Jh}v5hE-npGf0Kvr6t#=;m+$hhSKSgE3>u@WSUD=Uk&#s(er z4|KI>vm?WqWD7;hh#IIRh)h0#lMp*DD;J&zM}a6p>b61|tZ=QgCK7L_K9 z5M4b^dzRP%0sAddiX@ zEnuub>c9$U4Of4ZX>F}--3&mfR{PCb%VO<*)wZ1ETt~W2BABhVQb5wDO*g1T#|SW_ zhO|@ zPy&*%77OyhX)?BmG?; zUHSQI-(M=MeNindrJUBJlC{uHmlFi|+^%iE_0?Z{;K6%q2@V~){QVbSJ$2!lF-%^e znR2sOwjiZkPdPFFEi}MuIio*oX9`Q?kWkF2ASIPpTq++uerD6iz_a)5+O}z3e$%?q zoqOVy)V0)|%dXov(9wq~aOAD`4;?x*JGW@8a=i8+=-7Af-n%y9p1U^9-X1SxmFJ7@ zzTU3hp82K5$&<%#-kOF|rE=wi!$*DT+_!h=o4@__z4zb0yi{t28Zy{%_m18kOx?n} z?;SQ)fE-IsYDAJkI&QA59ij*!EHp!SerEHQt@qvA{rE$Bu6%f}D@@=}e}C`D`hn#l zu3Wmju(VW*>Ryod+yJbMfo1~|CbaQt4_F{E(q;TIu2Qs-JtTs1n+3vP=I}WN1 z)X$q@9uegpxyuclTU2jIJ&e_$>;kvZ5+yZsFo}uF1V=yhe?ueE67ZSNNKGB$M*xz z3q-ToXoObyfY8QVxpL+8*WbwdPw(8+|J)M?)~_3!x;ZI~>h9dIbNfhJ9?NC(=9_OG zJ9(m3Z+JmRqM8_< zLIFb5!=|6j+;{)|yLS2u_wSmYx-QZsZu|D3S`AZEQ{&?|8jWyba_YSg4iAm= z-?P2riD$krvT@TB&pvD6Nz>8OJute>uSK|Wnkd>hn+k=5KzzyPGatTKM6QUwr+ocW0N&L9U>Qg&~s|76}Qk zB#;DKD}Et;_-{P@!0&wXxo7{`|Ml@k!f;>bAO7w)@v&p;^`jpiyD)xW_vrWj;D7zZ zVgP^myWjjbfAQKUR(@LMIo#Jd+}m~h;(r5zMy{n7V9mtcS}RBi!4Lo}!&+tmDd-~> z1|NG6xPj%wYLkSC1orH?x9~p)O>L64&bpzD%5NMT-Z2PCxIA0DJTdvFfBKhK&t2ta zn$KmMVd8n7pUIOG`~5S908nkU`oZaQ 
zPBzy&@U0E~^6@7gT)$ysu~ca$CR=FVym3gRIDG7=j$>$1sZ?&=x|Qx8-gn>qu9yFE zM2n&N?oVDh`0C5AzxDo5XQsQObK{1-FZ}uwTlU>OIWyUa8vO&kcWv9zlcCwUDisPrx zEHAAJIOGYo1Xc`Y14so(rCc`9HikBaTiiPeo!vpcU9*ZBF=dr<+R|D&H(z=0(5b$j z!Dk=axp&WK-^jYB=N4AVl{m5M*KgagIS3es-ahx^7hk%5^ESMkakJHwjGI*+wDJ;2 zKbH#y#&1l%d+2aqZ|8=Q?qB=r7a!RF$hE6i0Nd5w*3;WLw7zeCq5Q$gvn`puW)1Tz zMa-}8_Z7d`yD}EU?2z!#lEw&Q$w+0vFwK}&YT;7F?I|GFj^Xvl>#pH`zs-+prRLIH zva*aMZkhHb7AysX0xM}rSmRijHP_fy#+q1DXILSaq!8LzSPNqz1c(3=hK*{u(zCvg zTL2J%P-BC_LNI-%COR$!hUFSx>i;I-@m>~lXFIzZg*Jp$L}8+}BOtXEMmo}AMv^it;7Rx{1&)?nj~lCD6=?{`aGX|bHbBC_ zF{BK+nv{{slC{cmDlLHpTO!-?#I-_`v{FHVrL;<02@SwnwzxxPeDVwPSM@R$%#iH5 z=qRA44ectSkgCgKWj-h^hxHPh2(AMMus~uEr|<}dVJ)f+ES7kwB!&i5-pRJLm%6)b zXFH0kp)m#)Ei0USw?DkDd)esEA96^vYLRpd^sU?A> zBnc3#5#+EDXr`uC*HK8h!0*T;oo#U@??#D?rI%VsRzk5NC`HO+!y?tNCKb>C(ikZN z!7ub*{+9>GE{wl%?7}yme&Bn5@Xvqa_wWfi=HLIT|LMT)(MrAfZ~pwXk6-`B(+~W$ zX1yQz@BaL??=KZv#(PrAmS0R9$7viRuC}%5J$ttQ=GVXc?9=-a;MIfYzWeo2`FerZBSZobeRiR{em@~z3~o$E(-@5t@kcCRm? z8MQ`wdwTkh|HF3(;Lu9bIP_Q3{f{d@X(R zjdw3y9!m|RGZM*4Rvh9_Ww+tcAY z?|*Rc;OkeeT(Q<@f}=xNKmPFDTZSHebZ_gP;^>9)#Q620 z4)=+N?BMpB{da4i0lfOgwb>h&fBmTk2ePBeeowRzxd-~PYkA;?A zlGLwHOr5!KdDG~+ox68z-?`(R_fF*Vc_Bdr&kLA2O|_$wFbRVU41pnCKTw`XVy!8K z>i`jy!$Kt5f)U5b_3_DrqQ0@mx7$ZY2EE?F9Wk&{$H~*zr^YWo@xZ;^9UC(FjO%;4 z*_@oZdGpro?c29*+u&^-*_DxSfUtp?naVrw9{ItKUrDv?=^tpu(b1EqU5`pnJ^Jwe z(cO2CYK(>n9KcbSp3$$q`ICbO4@UJ+cpXB>R9g*zWDsPf>uIfnd^RjCPft%x-nf3? 
zp25w7&bGl_tudrXV{Clsy+cP1zV*)Z+_G{5$j>-ak58pY-|6x=j*}*7%dR&Go7}7- z@cIV&zV%yQ`}OCa8|kKNH_I=*^wKM@zBW6*60~>jNg{{KFGeR`qzyMOp+t;f|y_%HtO&wl#v{`bFj@$^FR-~7dEAFce2-}}E?GSBIQ z|Lzkjf8+Q5ZHtTf-XHw)Z#@0L-}E%57mAKpDSfhM3WeBjuzi?96jwYmAlOkZEK7EaF2)3KA;Z1&;%_wL)hdB^qv!hpTgnt1i) zQ`6J4uolvppI;CcJ36|x zXYZulPCdd^MBNC&b9LH6#hSO9d zT`jGQjg8&6cTamZGkJUd!o@3%X5_k_V2|%)Y#0lGkXj7`qlIKRP7q|3aubGy2r`9i zuDuynQmy^HtEFglMfL}7!E5Wtq(hy0F#tzgOE^h{as;!1WT{{Q&qpTfwRiUB z+w+eZ0SHTuA=il1kTRqUStBe76}h@-mS*kZj2|~c&%heQj8upSu0g6J zkn|~OCK9OF#j-8c+06x+T&}0H+TDSAHEK4A0M~)5yn%tP;q~1EBXGRp%3^79#@=2) zv65rs2&>7&V9Sn#qS!TH+j2OzNYgZmB40a>;{^G9?0HtMg)3QM89+-0p%X4TKgMM@BiK(d~)Tn3*)aJ{jl};=dXSL)A&0sd0Q+DL1?XY9K#qWmCgA3_ip;y z3!i`L@ds^+_dYoH;)^dHJ9#RthoZfk9iNFD={ZullHw?`siDut#W2JjQH+m*CuU~0(ARcK9T_mI4AGd;Ze-TC=!P zoZq+mo`Ih3q#n&Kl+Iq5yghYmOJ8ASVNSZv^zB&$IVGKyV(IO74~=!W=gyx`jTVl_ z+OkQY)1(<)xpL*Dm)gQGoSR>Oa1w)Dws7hErFiL#w~E zU5o4GX1O#mIlfw~dtNrS9t%&v0k@hD#1IT_>*=X1FPuDgu31|tE>7*)zO5}^fTdb3 zy?kl>_1E8AH#qQHzy1a3qS~l?nV?w?MZG>TG4akj?-X+W#fujkjfQfZY&IKd0fyr^ zamu%D-8y)%GBJMn?5{){WC=KbV@ioEUPwZb6Q6f=07;{N$N9 zTBjpahx>Bl5#Y|Sj^AQ{^*C_J$&-y zBTql8@|~KfRI4v8&cA=?-76O_MfG~2vlqe}8^7_BmtI|1d4Ob+&$+H;m!TVtlgEy} z^X^+yb8{+_^*x8RU}N=~O^MaAMaIAi5QJ!1o3)HZnXOoJI%C|KtN?_Rf$N1PAxewI z;#+T>vnD)t2Oz0UA%Oq5yr0PC5b?4;7AAtDOjP6f%FB*VySZO z!^M}{)bSH-TXyY@$qSk07Uti5^YwaZQP);(Ppq4`alO%KWIDQLX6L^5gCES#AK28} z*5-0RB&?~IE9cK&ICSXP<*^&N?mpiO8m02JvGIDna_iR3o0AU>_IF5S!+NT?(`a10 zdiI?|Z%oWg6gs-1)UA|j$BrFeSsI+beXU+=dTtO$shiJ)t}3o9z5UMXHY#u3Fq~0j zbmEX)UM`-$aOKGHQxj9Onp8H|PHqs#pWS=@qkH&|wSJh{rYVFafa4G(ckSBsg+~s2 z^-EtI?kQZodiyVb@Zvj%jxH`2A&A_7l_!X$NR3WfpEAK3%fGl1`q+i*(+kCqOEO#d z{+q{tzu`_3moxFOgSS-06qkfQAq>N_AcT$6^V>jM<^SyJTaplsrI5BRv zz))l3lRteOSGt2M*RF+8l+Cx**nv)44Lp-3=PzDxL>SkK8`rP1q@V&LgE)+qXC_Y^ zKl$GAv-MD`j$TLyVR+-_t?&HchvQ?HZ|vVU*xQvxQL7W#Xhg5R^5)d+3S6IppjfFN zKY6Ctm!}8&*R9{OR7tPTH_lzY0zc37Lv&U5l9eQ$7*5Xgp;N; 
zkQ$aCkO~J(5Yj?PhQpT03er#v*$VP8sMS$i36~e!^KK#6*3&nVAf<)^l$MIU)Br(VcXkrU!AsDol7zC}Qg|N&pm~lp#(yMHr{h1nI*`Y%{5qR@{Zf>|nQ-@6EP%sGcreTZT!%6te^;l#+sH z$g#>rHiM2rVW6X}JE^kbngf2^LI3Fp&Z*vk<~E3l;_-BV-kXYzFz9pUq~7IEtF} zQd%u4N4Ua~E~SFv#6XL@6XbJ2wYo~=I?72kr(u-VYqr@$=(=qgKi^Sp??Pq;v9Z#D z=R##gSGVf!^b3Vp$I)sjnP0(51yL%L00|b-FdHJ0B$Ob_)^R}+)^Hjkth%vJIWO;b zg>D<%Hg?knwFbzAfdUb-0eafJj&`FQis}MN!qrw7Qku!YLJ&ZPtR_RkG8qtqEF?oi zK`0Apq1cj%ZKG+b6Ir`RYtKFZ#YZLZ;_FAh^ZlP3J$XKE>O%jphDuTs#|eyynL)yFRi-^3{Vj8p=+1f3 zvT=uUB?H=|tSzMSGg%=KHcD4+%#2OXnpfU-f~?OTl32tsQ<6A#d3D(%&(G$YRY+@H z*EMnT(2=7bo;_yMX5b1ziB!zM*u;dFZL_3YElTw`2=ZNhL#sby@33DVN+JiVPce{GicjT)cR3dTJu;OHM)s zO{}%nQ4%NGSn22bhK(z&pf~}N6asKmt3lxAJCe%s!euG|mO)B3wnOZEQn_rlo&g7iG`0h)8@tyx@t&UQiZ|et&XeQW*eSx_b#rDW(x&HoncI#>+0B9U8+t@%wIlvAs@JwrF8Rk?W~q79?Tz4U4PNj+Twb# znYbM}MHwZPbOgZ&d24?8!qn{9@u{V1GvC$CQr()k5#)2Jbp4J#@-h~(+Kk_Q|Im>W z$EC8Fz^RwZB25dvw=g#!H>x9Bx6LiDC?_jy3T@Up^2~QUj~PO+kVI>T7l1q7qQtFM z0}Eyi7J@{SgqF1+b?(B&Gv`k0G|YIOAunjlq}n!O&C&~Ud61LZST`D(Lc8w-r#>7z zb^elcGqLfM@1MJP>E`w8u8ElAhUQFnSECV4-Msy;4*j27HVoXJn`ne#wqqEIVL?jS z7;p&8V5?kst_zzMtBvpd@5$iN?+~P{P-b{K%)`eR9|Lnb6vn0uJCib~UL}uO2tzVGJ?mnl_wJuqi84>P!h|H|2bLpAWm?3&F$EU5PPE}T9WMpK7`{$p# zbCz?~vzZ+i^&fom+pmB3@1m4zLs!=#RUfcbn9S>$n4YDck9z;Z2Zz7=#BdDdQ8}3f zm^xHuI)!zr`rYsR-8*l**>}tmB?ikT%X=Z|CT+FkrjkRC-rGN6T{?)(S?&0o-$N%@g{oViT|M{JhX*t~3_Ha?T92aCWA|lFw z&?JOAoA~XMleBq#;s>WffloQ$pZ`z)8u-^wIpC9(=Eg8sk)qfog-uG6dar{xPm2P; zXk&d=oV@q;`v;Hie`9{^d_8b3D38Ij7)`W&wmKV6$47N0qnmf8b0&i#3bVBXH=9hq z`6qw&;oTqdgt@2wzz#Q9{FA-oKlr0>egAuZ=U68v$9bM- z#_sMPh+5Mdx&AO44Cm$a-Fpvz>l^=}nx3qUt`*Tlx3zmPM)ch8&!^)m$RGXLe}4T3 zZy%jJaJjflNOZHm`S{+U(+$Nya~q6}f#u4e7p$N&)n z@9WugltW_3Tn-gxo)viet#=O&$Fs^0bECwf!p0ai9s-GQmMuX!b8bA5`|o}5@BUr! 
zd)XiQGVVP&arwH?;ef6`R9N6oxl6x$Ct<4kB$zIdGrl>Jj!XK zZ+*$fagOK_BN@)bQ1B7ziTt33Fv^qZ?!*3#t>Iv;-`jfO)vr#DH4Gjjf2fn0uS%2^ zY5{Uw+rhQ%?Di|$KXrSsGpMG=^Zmyd7dQ@(EkrRo*m?EN;MT2&^I3KO15=J?hljH$ z=vj>V=ne2vZ*Vi)F|{iKkHgVeP%`p};*Sx--Zzd$=!udk^m(;g~RYn1|u0KQ4oCiM-m*BWxKEbpY*) zI4>H}cfq2L0DFL;v$`1DvT%NFrU=(Iapxsu0bz<+jTn(Ra3*z)N+2pR8ip~Jh!re? zASv03#VaokZoG2St!;Qd8P6XdA8K&|j+Ws9TjBJR3NaK@R%6Hn$C_DC42K^+x_|BV z=AgFL^fr1gzE&23`Yz@(jBaLkzHt5LzB;`1;@p=H-+kxF8*k##BSeAidHA{#G0Kjk zKw?qbKzWXe5foI%qX+TH&b2$&5r;asJ-ZWT$;aS@F1uxP?8N4W(kk9S&5i(y8s}vM zj2T=znjE75<^s$h1)9hib;BOpS3D5K^3X<5DE5^wDQA;;n@+n+4?MaZdp&?pD&qdN z3V1U07;GJRt&18YAOrHi5i=_rSi{UdvGn@u@9!S7I#q)Ru;E@F*+>XB&tiGzGc+nZ{1I4efBVtns-Dx{cn)Q71+oGT&{BDC60$6_qZ?Hf{mGMcin+}hpuvrp zZ|pvPaNu`CQ5_r?7!Fso7l8l(AOJ~3K~#{h&Cx^FkIJ zsN#v!L_1P*x}*s5#ZkZ;0b7i zd}B5T*n%PToJ^)sp#b@SS*#*Rh+SFtDaig?50wZgj*berjiN%$`S`({X-(b6!~Igh zJXkwAIF#aWACl%dFefrJTHl*j{o(rIbe0X*RdwzKW@~>Mf&9s&1QDbH)x@l3jfl#U zz^1IqvMK-}RbW5^%K%$TYBfq7d|id3P^ARL`M_aXLrExu;Yxs7gaC6%U&2zwo%EWj z3HZ9|_gxI-^yuW}J9qxafBBog{_DS%5Ae<|{@4HW-~XH6{=@Oy^+%hNc@UN1dfyt8 z(ozr!sgs!MI(%wK%;!de>9R8dfT{?!)vnX0=LNI3#A&VSnKdl)crYuBFhvUyQH>hG z0Ky5PMNWg8U@bh`ydS|uGGQQQ*i(vk9~_W)R+iCP1T;=Sa=h;e;(}(^UN{&Rk(iC~ z)0u%Iwv(bnc70sSaT!!Ij4R*(s{O$bfPh@jfDHsxs}h6qTH?Lk8AJfa)I&XJ#4b~{ zN+y;ykf|Accp@r;-A5A`2GuYI&eT3~Zv)Kbw0!*V5Xh=o1OkW-QIf8sH-uV%CUL5) z&i3a=b5i}@hj#~S8+}+Gq@VXf@bz>ubfz93gfM;W7yjXI{Ko%q>*na2|LOG~yzzsg zsIv8IC0i(isVXA~j#%Nr1n~f7lR3ML%=NuPuUZqaW@`e5M4*5&_fh&OG}78y9m9uv z6T|=&$P79KS&*}~7mcCJX5<2s08-ad*N?}ZRT*oDM#_rVPO2JqSPM-KXHcHb{N4}W zgR03hp&k)|n2oj85Sj2S$?UG=N}db3JTFEWfI^Z}fK&{i%4`t~g8``_5gPg$Mil4s zu?YnfFnz!pRm52xYjQax=&>C?-pp^_=x=NW>*{KbgA*Fh;O9W4T#JaPA}X>R0Qs8d z6GNbCrgaHF2M2ZrWS|+0i9S$OQCYJuLMWg$458nnQu2B24-Us~zhg7H)f--0+pu5y z%3yTu;e$uj{vk}BGO>ZFfBnXbFTb?DHgsim^!|M)K?I>jS?IjLd?Lk^Vnj?74`Pi_ zs8LZ>UqKYH!iSFz@?oZS`<2^+_02E*%+Kwu-#8g;Vs8)Q35pp+kPY0cuWi11`}S+M zN9+BA!^e-_edo#h?_xYgv{ZSG?1uf`@Y=>pcO=8{jqU2aw`DMjbq(i`^{};NZg1b* zSz9OZhbR8tF7{3^t>FV=iKy7$J9^jka@u+A_KjONId_jn8+fn_-bWcQ_h81xD0}(V 
z&KF)@+u0(g)5C+K5AM(3dx-rh)w)JGXIWiVuHUZ)1LRzllX7|-n1y}RS~-YHgm_jU zf*lZ0PV3pROvjmQZwv=p*LRMlFMujMx{EKoI?8&}CkNO&fD)Wz1$+cpRf$q@aRwsT zVA#WO(9iO$795WK{*lh6P=Tc&oC%B&frU{slr#gp_t91%2SBKbI33Hh7;SF#w{AL* zd;3So_W*KYqc+nd*VFT7yC{H1BXH=T_~-oV*jfMe$a0S1;3 z0=%HAGA|3K@1p##jrkLX6QP6quZhKYWyp*0&=1qyDXb@ao}Of6}uu z?BS?DErUj}`lLG9_jL_JA4`M0WcB(h`7z7cGzzQtInVPt zl`sym-|OAEef#TQ`-NZmmD^9|__J^Q`S1MB@BYpA-weWeZ;)!oput=OP$fu8`=Z=n zDbFH{U$v3{O0B<>hyZ3~JKUx=UDR^+sMsDRDOVQ&L?W`o!8v&ZfU{wM&6s4ZoeY3T zl7qYLimC!e)kbPiBw`k#6mHn0xFQ2XDQq*PaZUBkns$~hbI~tlB?r|mgauHrLLqEG zs_pGd#dk<4olcOYv{M9P1p$fh31C_4Bp~mfj+19VfjW2qL|Hq?NF5E$*y?Ia2%-M^ z&wuTg{_)p)M!*01Uw-E=zBL;kt@X35&Gj#T`OCld-~akA{a63E6#VDE`Oe?H^TDi! z8dfr7ELs~ms6xTKe7kKo9Ck1`=e__w^(PG(r7qbB=8QmrVU%R~6*7{{Saue(43K(0 zpVcQdDrL_-LS$YTbxHy7*Nlg>3_}&%6YL9wFdz3Y!;nwuF3*p`y(+ndJw6N z(bu*5kmYvk`u3eWKl`h{`l~XAtno1ky)9W1xv)VDH92~5@dN5%KEY0d>4(V z#%|XpYN~BRAy?Swm3&s^8Df-{X_;w@YBGO7+cM9pU>Z2PW*xKkVMs|E4<`T!)LKG_ z7$1el56e4W*w$!C=jHtH(W7{D0v}S0P$IPl5fDMC2MmoF8Z%(W%2MlszNms2Gm$=- z^}IKUZU~-4g+#Emj%6O>yukejhq>9cx%tBF;nuZRHolm@bnW2qa5}xCA#zo(Id^;e z=8df_%*$eTmpPSTQUFFV0Id<{)*gXohC#$_u|y$(kLwhI*n*-So(O#~CLWrs2fB0X z=H@Uz-d>xZyc}m!ltoUQx&CP5*5-{H!_C3*`0&9yZ|%MD1|B^|Q5qQ4pehXQ<=M{W z+RpXO=?mA#J6q9LlPb((5SRDY);G7eHwL46JUP01cmD@Jz{7`_O$Q>q5Nqb?!^aZj z2~)#zNW%G?2)%7DTy_Vh>V>gDqoy}}#qc?DS@4tWa;e-9R-oe9%sOBmZ z3B)EwF@~%qAodJ4vz$Re^dv+GakEjyPX9uvAx((fYcxh(V3!hkrLC*8)TP!+6=wzfBK?`#hSwkjv(@d?IbR3#M6>W{>0 zMbe$gz}G(1gv>x0#T3Vf<>7&>udS_bn!(_KWzmRUc4K>M=Y{Q~t-(Aqm3Me)8~vYl z{!Xv1P)rAmJTrj!7{s#XTvW9`I;q~ehnYu+@Uv>~;k)mTZV$5UmtNYsx#jxy`1*Qr zaA>M}qnF=Y-^kXtP7EJB_>hebU%b9GaX=<9FWv^4)u{|NC$J?(hHpAI5Q+ZQd|8 ztAh#{OGVEbMp%aMVtll@vA(&!_LZ-G`78hMjsk!FH+O&kKm5TPZ@udkMw4yM z+*Oei5&3A0;`DjX`;Y*WWq@I2Au%vQlHRLo5I{8u6s%;7&GHOnoN*Z$YmCdt1&{=R zG0-+!mYzOk8rW0w;geG8TZFFp1MR$emg8HStout<)t;lmoxPk+(tKE+4Cz&t?8)wQ zAWA495h++T={uxJodclUAwi^uNL*$kq$@J0X&S4Z%V$a3eRpEBG*{1^pC8YSaB3{N z%HwFMF$6SM0WaQ&4{`tC=v#kX{^_56>-T=|_l}Pz$ebPYi4#tsb?_@7&=myp+{j{0 
z53$?e1p}i11HLMs`=^n;pGZ>8S8jkF`dGA6=sQvJDGj<68mHqTKkU!8EZ%KQ>=GM(q54XgfUxG7p^AW2cHcVgS;( zQ_)iLyLL}3jR52uu*}d(-)$>4yQ)(W_ls-P6W+HmQ;b>rdQm-W z{!W1(jwQGEz+}2J5`8@25-JB{L9N#hln=6L;{I29C zi$PNDn9Rn?D28y)N43l=0aX1_Cqj!9H20=&xsEIEA8q&xRT1{@VN)YvlDOI{rKJjo z%;R=~q)O#46pW3*U$ViG5Nv6C?BF+sr2_{Ne@5}`BD2N(*>?%V;&;SGqMc>?pBuX2 zR@nq(Pu>XLd3NL=T=@P<*s|+$zcv0lj4^hj@)*LpHfqyg`ALTXh`KsxQ;*2m`wcZ! zTiqL(Ul^jC1|hVuhZym4x8YNk_M-5H z=4@v7djq)dZRXo=uBWJ*S+-cG7Z2sH@;ZNC0gtfEnMd;beCg(Wj!s-0j8Q(V^=!r> z!>Y7To^BTWs~*1wR z&NGh2#`AdkhIACYT`1`N$MOI;(g3Bvh(V~vgk)phv<$UeTJoC0+{PePth;SI!nI;1 zLj=t=_sr(2i2+lp=E4I>T8`#eS@r{v0lyIR$+2sD_3Xz)KBGJCcscnzrZ{$9&#T>l zsW?WO|L86{@bg*I3W?TtyLIr216~q4fNNSYOFT4%t!L={PD-^Lc z;zkv7QeJHksS+a_`LdOrgs6?y<%@~PPq|YJ6jmnVu;%|n}DFdq7W0ZBL0ZZ zpo)Uar~O+Ul2sT#W6ev;iWMpTR6Havn_sDlaW1 zP(e5OQZT_x!`z^pxbaqjNF@XeGp4KY7Ic0eyPmAb%8C0pNnCR5B`nXI+uUBn#BJf! zf+Pg5)Mo0ju&d8K%>fSH^=SP=56sg5t`oSu72b&l?5d^1^GM3Ki-_Z9r|Fjp6ThTi zSfPSGxFmAC{;Ke!poGlJP3=L<*YTcwz|Nh$-|?&L@U^*s4o(p0yWq~PD}xN1Ic$C7B6l*C znGf`*PjtSq+Gw6h6~8asc=bX0VWn)fPwM7I@u4X2N9XS9*^%MG>P!h(O6pG+`yEqio5AgfujASgTq zwIBn!eGx7GnZDGV*a^r8jAHL{v;4b2_}#6D2{|qhXgZorwm3N!1A+SN*E_Z$0^C&D zkV#62!-N*O1P?~PJenSwQ^;qVq|u&qqQr#%tdlt7(S!C5LK;j^{Vb?jL~dI{Lx*_k z3qhwvLb<}f3+3B`4z3cr9Z8N>l4;W8=Tp!@I#SIBJFH3wb4gnD z>@O`4ty6|;Wx-3#dV?ru)n|+h|5;nMi4k-L8xSEkj;(smaacI}m=<7+7+dPME4IVhiTiIkx4F76*y9oNdP;Qwyz?ffaoCaG8`lJ*k= zDMmvzM7;bpPilzVY*U4yArWn6Rd3?c%4uhYvj)N-4iGK3QTIfKvv&A?(!Wc%RyBr@ z+X9p)uS&(xp9Ym>aVJSVMY#)VFcyhvuPg zBp}`(OjB_-QhssuikGd9)SY{iqKnp}aCB$f z?ulpxX!J#=wfhvpxKN7+x995WN+322tYbS;3o-3D5{`9UL@+5J4C80EEvh_j%C_Kd zVw&=jTHew%^RUI78pK#OEOu&cde2?3F>FcHPMw1Zl2uiRwp^NHWAQ+L{8t+fW(=wh z1tY$h#16e^rpN#E7TZ*rr7)@1URSXs$%Wj~&ThYV;A^b^j`RKr03G;#Es6vn4?2AoGBb?i8xf~04k}O4dVD?PkWt>%V8pPESu^(5N?d zi?cf6#$JnvD&9v`ZsXMp=ly`aDEAOqRkJ&;?ps3Ih~O^<6c&icYqWGY!y9H{H9)m9 z!riqwbH^Ls%dTk)k7QK$A(Gtw=rp2(bx5DVyn{DmY_i7o;U@4QP^w4s7e;?tb91w7 ze$DjK^~>^tzKLuXc!_ob^e<~GqA0(8x$yuFhaVm~wDidJGDmep@xLCfm{?a=jBjKJ 
zjoAD)X*Jh);7v)Znht4a$CZkD%e>4|f~WL`nDiwRQ>-Yh;CaD~6a2-9j(uh|;WkeD zxZ}fUPrrR&-%vHxcKlc1+}$et`2z6gcES?0ammCd$m?bELA2;pHJHVu3%JjM^k#!1 zQ6L~$SsoA>4AjQS(soyoI>Ju53Jyw<*d`0xS6$NXhR`zj7@V1L}S zBr0}R?YQX8KEOW%3gd-6_8}065iHDDUPn1$v{g^wiyEFZZm^M;mzSAYffl>y#hmGt zUp8@00*Mp6lUJ`fx`E+yLIOGY#`AH{R-Q=mIuY}I4H=fd8nngX#icV^JBY?-h4LMy zfeFSP^MeNAzmo&?f+e78R=@PsqRmq5he5v?n8-X%FWz@hn(=Be6E)h+PtDJhe$0h# z<3)S1g(b7SdZ<4Clb?}K5pK5lMjh|c@-)}xMAhvk->hufXEVs~yEmr^qd z1$|5PB^g==SBf10L*G+0uj$`bo)j<1IV^Ok1^#sz%{xn$FEA7De~?WCp@0eurj=c# zV`abOTB)J*2a!R|tiZfz6}V_UyeH!`#OS3CEuB60IE*D-4)*p3zklc19SARh{ND31 zBBOlO-@A5d+gD87t=zYhjrTMfvasMMBzNR=93gBPnwte(8or%IzwaQLYJ)-PBi>~x zHRz}-(rjXK!Au6u8;|C$dY`@(0Yu+tay%RJ1*Im~gLt3@y8Yv=7{+&?2F)xWfF@&X zp)q;LY_Js_)Xh~;kRg0IS+GPZ|BlAHnd*V}ycmch3hK7bxQiwrwO^!KxEg*41nEj%slU$3i z{9~Pa+ynTDUwU|HE$4@ho)L3tAMwEVF#> zCpAPZDQ@xWMRnS(355O4n_Y_OyS`d>9ckK-GCQj?=8= z*2apnO5s&!faf%eyo>z19xHx$98BGeuAL&o@X}LjMgFeh5SOBf8tYAt=wBN1_C&4} z;6kdZ9331E0UA_Z!f(gGo5enp$y#>6cbpXY6jEam6B7sAEUr=tx&696-_zIEcP4+h zM|R@(Ow^VG19=*El(eUhFUq#Do1=|8WzWI%?0C>WepXYFlmL?@kOP$(-ZDh}sR z;fqI4j@+YRTTD=+%7IY@(cmBgf(dFK5T-a9$JR9aqr|qf=~`p}O{f!jxW&>>O3-1} zcCF6AW84#aD73SxgZ}!Jj?y0KELOv!LNKn}cDD9Vhd&mOsw?8NteqaULmO7a%?VVuI$2?D7v zPNt>e|Ht8NRccodOYzBJ;<7jIFp_MTBSjRNc4eCMZG3wZ1Gzz%_ToypT;$Jwe53(A zl8ymR9~a01jBE8BqJ>)w!iC@k8KHyFl8hksIi!tt+Uq!DbtoX%rC;c_2kYBm!ur^O z)F962mm1Hb%QbWrY!y@wX__?nO|I`0ueP;z-+Xk~9BL1)OfM<+EV^}FGqZ_6dq zR%sIAt{JvTUC)TV6asR*zOL(s@bK`sp8Om_uJ}6o`L)&6{b)RR&d)eoWk~gL9jJ+k ze9F{-i5MdnaQaeFF(`;2V+OXb(vV8b=WGsO!$1WEt+iv#wT&UdvHVLL)3 z{iXLUHpXBl84aC#7amhvfw;coqC$!YKtUfcC#;OLIrz~)Ax5yg*@Z}Ax=0-7tx1xF!(aQ6!al5rrRTd@N+@L{JNm>I2n4VHU6Udx#t4)w``C*3z?v5g zY&013qN7ug&%*h$Qn#onF68tpH;almb)nu$+a})nAjKg=C^+&YfqqMofm)ZqAiv^MPpOp*rO zk}WoHMvM*(M4ddX^Bmm><{UdRR^|i^)+>#?eR`E!bgS+3sAAqZlM8n@*c3(}`HpqK z-thLj#@C~@FV1@q%51(<24}Nl%rp(M`dJl-ZBN1Uyqy7;t&dB;BX13#V~PX2@h+## zQ?@WX$)F?Db3l5v1c7K>|_iauW;06ABV~*geFL7)=@2@jyB#n;@*8 znUV}@XEAxDKg|ep_XHV4ogG(MXgB1!p!`erYlJm<%EnB&#d!Rk)K5jJFg 
z^Lo6ou~DZ{vqTMU_$_q*+=uRR9X~K_yjcfrCm0GLO~34XKsGtvt|RN}>OkzVh1KMo zi8#SVmG#u2?GATqb>pH+G~xD(#t?#oEZ)dD*pa?AkED0@x8hjvy!A z=Sr}o6R0@J_C?=IH1>$Xlz@KMZMM_Shr1)-(1i#i=%y z%5EC#F8G}_1}M|H#GG5nCVzLY7ZhKlU%@3P@y+U{qQN4V#|#8!d93rEfEZ+zb>@yL zJ{CtaMN~pc4f?1OF-S2|`9cjSOXo*@(Rp*1`qFXL1VkUiY5J+djJJ%83k$OWQ+y47 zgn|06t1~uF*1<&$(kZ7w#f%tA8V>`2P7e&Kg9bqp!i?ymvF}Fh`Jh5VkAe9l7)(2r z34JH4$dYVkk>k(+xGeYGmxn^n$vlRg+b%3< zb$J(kUkOoZ!mxPcw4!MMv zuHWKY&iA?KA9Ic>6NNZA`kC4PkEZVqr}}^YKSn4cdW%DZLiQ*-JCT#Z zA=&HLdquX)3P<(~;Uvk*R`$vsWs3?OnPqRk+vj`z{MA*L9Opb=_w#;?`*COL=-Y=1 zQAD=?g3J5rROKg)FMo7bp(u{(DmF!w) zSzNqgFl}G|3&%h=$Na!xOXIt$mfhlbvx~KcRs)$b4eNNfTA0fiU4GE%YB)yJWLWh> zDwUNC8~B$7IXW>^Z#~d}rMifC__}Tnc8WG0uEkEIUc&3V;h?`ugZZFSIMCmZ#K0oI zg2yKQ3uT=Tx_DbYnEj{>3$?r`UOAba#FFqoa#U zDQ?_6sz8j0QwZ>^s24x9X6pcSEGn&3s&sqYd5JV7_2jH z2_%Z#FDk(>7_?l-ebt}5T$kaBdqmrgUATs6lC)tCW&0zTWXWF@M)=(F1C$vd0SftY z8YyhKM+o)ORV&TmaLV*1yP)67B%|L1@3#u=0qR!-3yyR|YX9rth{QUgP%$~hp3}O9|f#2MRu3~Fzi-LmUX=bP74g3#M z(|&dDIo0giqyG}o`u6CsckAKkC92i>$EF+)<}<(N45rwstWD|%W94&xuwzMj#K}#h zulJ<8a$XGGo6br%u58H^(3j=-xAw~sVPaThw7U0Lu|xRUHS4B9V(#lkm8o%JqHIMNTl6)lO)?)px6+gn zN6*vtqzqS&OdANY|S56{aNuGE^|)JbU7u(4Hj@~!>R^>Cu< zHP;5}O2?}>^Q0TT=&Ey;YJ+|c%CGzpR3z)rjgum{|KG0%OGhCp_KRz4N6=cXdmAIe zVU~z0xM}m|h~0=y-rk!DhfG<2Mw;lKzB?-gV};JJo_9T9_Y?HEY$?liBX)_5sW5ch z>FNpdHk0-x$3I8~@$RV>*6|a6san3)y5mn4OimW&Z{U4LWrki3%E@o7mY#&vSsK=6!E_H|&_)cV1o-%p#-3ROE0Z8D&>}R5+a>d>T{^;gEc0w6&mrAqE}E*!8*=iqU30vVC(M5F_i$x!!J>#{V%>4GAMNuYUY`knrX` z%fnHAwOpMG8n)lQ7J`JYgTZdFBbz{o>_QM-3T-gqAS#?ugz-x3b(h@cHb#mdd-xvxrFReJ)E@-0 zP%BVB%}my=6k&}1ny(J?WPWybFNJluXkmFm#V9#BIb3Q`Og8ty#13%XVYZ^vhIbLB_PMb>7O z-XPk}r}#0+{29mUneBVyE^H<4Jl05gZn~IpjfjNM6t@Zt$I$}y-PlrQHl?^K)yIly zo((RQ`>=YY&JRqpjuRg(eS8=ZITAsa1s?R26h>7bamvcdFgGv$@U`^Uq3_!pJ%Zp@ zC-1pnDJ>%-BP~7s^(zrVlb!j#OMj*IJI(j^LUJx$Zg!mHQ{{1Gy6)C{Dyb^l>&bErs@~< zOPahVcZYfG7NMiRtrs`L-7KeZ)auBoElh(8R=Rb?wgo(1#`5SVQEpJ9_R639cH`!l@=uFN!h)p?&`TF<-Y{X}+%pCGt8DKenz0*tkEbQt(A97s#$e 
zF0PjuQRfhvdC|fd*YOlIOr1~#I)usOP55~pZTg$o!^G(7f_o-@NX?_$xj#)EguYPRArd1+6g(iSJ1-@|dDDGc5={pR|;?xMrD}_hfmU_g~ZJ^CSpV z`pjaL#@finq#c@74XDVIJ8x`q`~@4r%QlXV;G}Kz-(Gh>PH&Y%%KJZmUjlia5GJp+ z@ss&@^$yqG&wzdN0e9y=-%7qdX$;_UiIk9&T*@U&STX+@QxIu3qA*C- zG*nq6ot!Bz?yLT2#jk9K9wn+Vo=o975|Svh=MBP49>jx6^9aJhbJS!()YnEuc&MpN z-zi*iY=YO^q-fE>8bop(v4EC}BC#l7+BD6s&Ch#u$=C7URS|B&8)WSOEWKfdU3t$@wI>4c_+y|o$43w#oe3q zEoo5xbE0^xmCKd$#OOWwr${EZ4ZGSu(G{MknE1aU&pwmHeIf)(XL$4Tlv4o5W4dl! zzVDlP!|B#1V*{e1N<_+bmpffQJnHb5*HHou>>__Ae&0-~`YozJzv%a&EMjnhv~iGm z^xyye_a8v}Dn~rIo-SM1Cb?~R2f{pesK##}&g{`e;&a=>6k+1lyx1>#)FkX_x2ux7EGkG)yQO@*WQzT@j_0|BUtTkt@UX=d z@*0)dvU^0VpYg~GZhG7c-d8!a1|?dB^3?a=k|$JHx{g&Aj!0Q{N^gJDO0pDX?9O6G7 zcvKFYe!UhaTiXJi!Z5{Wp()DcG{nywYmGaEm0cTbYG9ijjeW4tJDtMkDFb+;PRk6o z2&?bAOr*%KuG4@0iz?IqeF-1<$QKe>#7>8k&utazUND?AMRq8X^~WCBfI4b-(D$Ni zg6pNezW(IP)%yB+{bl{44rIAxWWkkI@dWlnP#ZV!%{(P<5-=af%bpJgk+8I|yjxgM=ez>I+Ub zOkd=Dd15rXs}6KxGbsz}FL$T{ONAxBH@z>cw+JPmrLcEaldgKt)95$tLsAIjT=)SO zXn-&xTa>T&v9gMaeP!C5M5EalOK9IhSd z9%Qx$8@j+o|MQ(o)CFv)0?;GEV;3e7P0vUbjIycH`yg3h-GALTckD)gri|~OVU9@f zO21Zam4oISzTi2lcAO$X6t#OIQc_-0mSwVupCzkKFdP&-D0RaJ?o<44F8