From 9da9a0ce142d1e8b1f5ffa5c8e7034859e903e6e Mon Sep 17 00:00:00 2001 
From: Brian Lich Date: Fri, 11 Mar 2016 15:39:26 -0800 Subject: [PATCH] refreshing build (3/11/16) --- windows/deploy/TOC.md | 2 +- ...-windows-pe-using-configuration-manager.md | 6 +- ...gn-applications-using-roles-in-mdt-2013.md | 8 +- ...d-environment-for-windows-81-deployment.md | 12 +- .../change-history-for-deploy-windows-10.md | 2 +- windows/deploy/common-issues-usmt-win8.md | 28 +- ...migration-scenarios-usmt-win7-usmt-win8.md | 36 +- ...configure-mdt-2013-for-userexit-scripts.md | 6 +- .../configure-mdt-deployment-share-rules.md | 6 +- .../configxml-file-usmt-win7-usmt-win8.md | 68 +- ...icts-and-precedence-usmt-win7-usmt-win8.md | 48 +- ...0-boot-image-with-configuration-manager.md | 6 +- ...ence-with-configuration-manager-and-mdt.md | 8 +- .../create-a-windows-81-reference-image.md | 16 +- ...custom-xml-examples-usmt-win7-usmt-win8.md | 16 +- ...mize-usmt-xml-files-usmt-win7-usmt-win8.md | 24 +- ...eploy-a-windows-81-image-using-mdt-2013.md | 28 +- ...1-with-the-microsoft-deployment-toolkit.md | 2 +- ...-go-in-your-organization-small-scenario.md | 14 +- ...igration-store-size-usmt-win7-usmt-win8.md | 28 +- .../deploy/exclude-files-and-settings-usmt.md | 42 +- ...-from-a-compressed-usmt-migration-store.md | 20 +- ...1-deployment-with-configuration-manager.md | 14 +- ...tly-asked-questions-usmt-win7-usmt-win8.md | 34 +- ...general-conventions-usmt-win7-usmt-win8.md | 8 +- ...th-the-user-state-migration-tool--usmt-.md | 12 +- .../hard-link-migration-store-usmt-win8.md | 44 +- .../how-usmt-works-usmt-win7-usmt-win8.md | 8 +- .../identify-users-usmt-win7-usmt-win8.md | 26 +- .../deploy/include-files-and-settings-usmt.md | 24 +- ...ate-configuration-manager-with-mdt-2013.md | 6 +- .../introduction-to-vamtvamt-30-win8.md | 16 +- .../loadstate-syntax-usmt-win7-usmt-win8.md | 30 +- .../deploy/log-files-usmt-win7-usmt-win8.md | 20 +- .../deploy/mdt-2013-lite-touch-components.md | 26 +- .../deploy/migrate-application-settings.md | 32 +- 
windows/deploy/migrate-user-accounts-usmt.md | 12 +- .../deploy/migration-store-types-overview.md | 12 +- ...1-deployment-with-configuration-manager.md | 2 +- windows/deploy/offline-migration-reference.md | 34 +- .../prepare-for-deployment-with-mdt-2013.md | 16 +- ...f-windows-81-with-configuration-manager.md | 16 +- ...vironment-variables-usmt-win7-usmt-win8.md | 8 +- ...sh-a-windows-7-computer-with-windows-81.md | 8 +- ...-windows-81-using-configuration-manager.md | 8 +- ...s-7-computer-with-a-windows-81-computer.md | 6 +- ...-windows-81-using-configuration-manager.md | 14 +- .../deploy/reroute-files-and-settings-usmt.md | 12 +- windows/deploy/return-codes-usmt-win8.md | 12 +- .../scanstate-syntax-usmt-win7-usmt-win8.md | 36 +- ...enario-1-online-activation-vamt-30-win8.md | 38 +- ...cenario-2-proxy-activation-vamt-30-win8.md | 8 +- .../deploy/set-up-mdt-2013-for-bitlocker.md | 8 +- windows/deploy/sideload-apps-in-windows-10.md | 4 +- .../understanding-migration-xml-files.md | 56 +- ...ws-10-images-with-provisioning-packages.md | 8 +- ...with-system-center-configuraton-manager.md | 16 +- ...0-with-the-microsoft-deployment-toolkit.md | 14 +- ...use-orchestrator-runbooks-with-mdt-2013.md | 12 +- ...stage-windows-81-deployment-information.md | 10 +- .../deploy/use-web-services-in-mdt-2013.md | 12 +- ...usmt-best-practices-usmt-win7-usmt-win8.md | 2 +- .../usmt-requirements-usmt-win7-usmt-win8.md | 18 +- windows/deploy/usmtutils-syntax-usmt-win8.md | 16 +- ...ndition-of-a-compressed-migration-store.md | 20 +- ...t-does-usmt-migrate-usmt-win7-usmt-win8.md | 18 +- .../deploy/windows-10-deployment-scenarios.md | 8 +- .../windows-deployment-scenarios-and-tools.md | 20 +- ...ml-elements-library-usmt-win7-usmt-win8.md | 298 ++++----- windows/keep-secure/TOC.md | 2 +- ...-credential-manager-as-a-trusted-caller.md | 6 +- .../access-this-computer-from-the-network.md | 6 +- .../keep-secure/account-lockout-duration.md | 4 +- .../keep-secure/account-lockout-threshold.md | 12 +- 
.../accounts-administrator-account-status.md | 6 +- .../accounts-block-microsoft-accounts.md | 6 +- .../accounts-guest-account-status.md | 4 +- .../accounts-rename-administrator-account.md | 6 +- .../accounts-rename-guest-account.md | 6 +- .../act-as-part-of-the-operating-system.md | 6 +- .../keep-secure/add-workstations-to-domain.md | 6 +- .../adjust-memory-quotas-for-a-process.md | 6 +- windows/keep-secure/administer-applocker.md | 2 +- .../administer-security-policy-settings.md | 82 +-- ...advanced-security-audit-policy-settings.md | 2 +- .../advanced-security-auditing-faq.md | 72 +-- windows/keep-secure/allow-log-on-locally.md | 6 +- ...-log-on-through-remote-desktop-services.md | 6 +- ...dit-the-access-of-global-system-objects.md | 6 +- ...the-use-of-backup-and-restore-privilege.md | 6 +- ...policy-subcategory-settings-to-override.md | 6 +- ...iately-if-unable-to-log-security-audits.md | 6 +- .../back-up-files-and-directories.md | 6 +- ...up-thetpm-recovery-information-to-ad-ds.md | 38 +- .../keep-secure/bitlocker-basic-deployment.md | 18 +- ...locker-frequently-asked-questions--faq-.md | 162 ++--- .../bitlocker-group-policy-settings.md | 172 ++--- ...er-how-to-deploy-on-windows-server-2012.md | 6 +- .../bitlocker-how-to-enable-network-unlock.md | 62 +- .../bitlocker-overview-roletech-overview.md | 6 +- .../bitlocker-recovery-guide-plan.md | 82 +-- ...ve-encryption-tools-to-manage-bitlocker.md | 12 +- .../block-untrusted-fonts-in-an-enterprise.md | 6 +- .../keep-secure/bypass-traverse-checking.md | 6 +- ...ange-history-for-keep-windows-10-secure.md | 2 +- windows/keep-secure/change-the-system-time.md | 6 +- windows/keep-secure/change-the-time-zone.md | 6 +- .../change-the-tpm-owner-password.md | 10 +- ...gure-an-applocker-policy-for-audit-only.md | 2 +- ...e-an-applocker-policy-for-enforce-rules.md | 2 +- ...figure-exceptions-for-an-applocker-rule.md | 2 +- windows/keep-secure/configure-s-mime.md | 12 +- ...nfigure-windows-defender-for-windows-10.md | 16 +- 
windows/keep-secure/create-a-pagefile.md | 6 +- .../create-a-rule-for-packaged-apps.md | 2 +- ...-a-rule-that-uses-a-file-hash-condition.md | 2 +- ...reate-a-rule-that-uses-a-path-condition.md | 2 +- ...-a-rule-that-uses-a-publisher-condition.md | 2 +- windows/keep-secure/create-a-token-object.md | 6 +- .../create-applocker-default-rules.md | 2 +- windows/keep-secure/create-global-objects.md | 6 +- .../create-permanent-shared-objects.md | 6 +- windows/keep-secure/create-symbolic-links.md | 6 +- ...g-a-device-guard-policy-for-signed-apps.md | 2 +- windows/keep-secure/credential-guard.md | 16 +- ...iptor-definition-language--sddl--syntax.md | 6 +- ...iptor-definition-language--sddl--syntax.md | 6 +- windows/keep-secure/debug-programs.md | 6 +- .../keep-secure/delete-an-applocker-rule.md | 2 +- ...ccess-to-this-computer-from-the-network.md | 6 +- .../keep-secure/deny-log-on-as-a-batch-job.md | 6 +- .../keep-secure/deny-log-on-as-a-service.md | 6 +- windows/keep-secure/deny-log-on-locally.md | 6 +- ...-log-on-through-remote-desktop-services.md | 6 +- ...vice-guard-certification-and-compliance.md | 6 +- .../device-guard-deployment-guide.md | 228 +++---- ...s-allow-undock-without-having-to-log-on.md | 6 +- ...wed-to-format-and-eject-removable-media.md | 6 +- ...t-users-from-installing-printer-drivers.md | 6 +- ...m-access-to-locally-logged-on-user-only.md | 6 +- ...y-access-to-locally-logged-on-user-only.md | 6 +- ...llow-server-operators-to-schedule-tasks.md | 6 +- ...roller-ldap-server-signing-requirements.md | 6 +- ...refuse-machine-account-password-changes.md | 6 +- ...ypt-or-sign-secure-channel-data--always.md | 6 +- ...rypt-secure-channel-data--when-possible.md | 6 +- ...sign-secure-channel-data--when-possible.md | 6 +- ...isable-machine-account-password-changes.md | 6 +- ...er-maximum-machine-account-password-age.md | 6 +- ...ong--windows-2000-or-later--session-key.md | 6 +- .../keep-secure/edit-an-applocker-policy.md | 8 +- 
windows/keep-secure/edit-applocker-rules.md | 2 +- ...r-accounts-to-be-trusted-for-delegation.md | 6 +- .../enable-the-dll-rule-collection.md | 2 +- .../keep-secure/enforce-password-history.md | 6 +- .../enforce-user-logon-restrictions.md | 6 +- .../force-shutdown-from-a-remote-system.md | 6 +- .../keep-secure/generate-security-audits.md | 6 +- ...ed-with-windows-defender-for-windows-10.md | 6 +- ...o-run-on-device-guard-protected-devices.md | 12 +- ...w-to-configure-security-policy-settings.md | 14 +- ...personate-a-client-after-authentication.md | 6 +- ...microsoft-passport-in-your-organization.md | 14 +- .../increase-a-process-working-set.md | 6 +- .../increase-scheduling-priority.md | 6 +- windows/keep-secure/index.md | 2 +- ...lize-and-configure-ownership-of-the-tpm.md | 34 +- ...gital-certificates-on-windows-10-mobile.md | 8 +- ...-information-when-the-session-is-locked.md | 6 +- ...ive-logon-do-not-display-last-user-name.md | 6 +- ...ctive-logon-do-not-require-ctrl-alt-del.md | 6 +- ...logon-machine-account-lockout-threshold.md | 8 +- ...eractive-logon-machine-inactivity-limit.md | 6 +- ...age-text-for-users-attempting-to-log-on.md | 6 +- ...ge-title-for-users-attempting-to-log-on.md | 6 +- ...case-domain-controller-is-not-available.md | 6 +- ...er-to-change-password-before-expiration.md | 6 +- ...er-authentication-to-unlock-workstation.md | 6 +- .../interactive-logon-require-smart-card.md | 6 +- ...ctive-logon-smart-card-removal-behavior.md | 6 +- .../load-and-unload-device-drivers.md | 6 +- windows/keep-secure/lock-pages-in-memory.md | 6 +- windows/keep-secure/log-on-as-a-batch-job.md | 6 +- windows/keep-secure/log-on-as-a-service.md | 6 +- .../maintain-applocker-policies.md | 8 +- .../manage-auditing-and-security-log.md | 6 +- ...y-verification-using-microsoft-passport.md | 12 +- .../manage-packaged-apps-with-applocker.md | 2 +- windows/keep-secure/manage-tpm-commands.md | 10 +- windows/keep-secure/manage-tpm-lockout.md | 14 +- 
.../maximum-lifetime-for-service-ticket.md | 6 +- ...aximum-lifetime-for-user-ticket-renewal.md | 4 +- .../maximum-lifetime-for-user-ticket.md | 6 +- windows/keep-secure/maximum-password-age.md | 6 +- ...ance-for-computer-clock-synchronization.md | 6 +- ...t-digitally-sign-communications--always.md | 6 +- ...y-sign-communications--if-server-agrees.md | 6 +- ...ted-password-to-third-party-smb-servers.md | 6 +- ...time-required-before-suspending-session.md | 6 +- ...pt-s4u2self-to-obtain-claim-information.md | 6 +- ...r-digitally-sign-communications--always.md | 6 +- ...y-sign-communications--if-client-agrees.md | 6 +- ...connect-clients-when-logon-hours-expire.md | 6 +- ...server-spn-target-name-validation-level.md | 6 +- ...oft-passport-errors-during-pin-creation.md | 18 +- .../keep-secure/microsoft-passport-guide.md | 22 +- windows/keep-secure/minimum-password-age.md | 6 +- .../keep-secure/minimum-password-length.md | 6 +- windows/keep-secure/modify-an-object-label.md | 6 +- .../modify-firmware-environment-values.md | 6 +- ...onitor-application-usage-with-applocker.md | 10 +- ...ess-allow-anonymous-sidname-translation.md | 6 +- ...-enumeration-of-sam-accounts-and-shares.md | 6 +- ...w-anonymous-enumeration-of-sam-accounts.md | 6 +- ...-credentials-for-network-authentication.md | 4 +- ...ne-permissions-apply-to-anonymous-users.md | 6 +- ...-pipes-that-can-be-accessed-anonymously.md | 6 +- ...-accessible-registry-paths-and-subpaths.md | 6 +- ...cess-remotely-accessible-registry-paths.md | 6 +- ...nymous-access-to-named-pipes-and-shares.md | 6 +- ...shares-that-can-be-accessed-anonymously.md | 6 +- ...g-and-security-model-for-local-accounts.md | 6 +- ...ystem-to-use-computer-identity-for-ntlm.md | 6 +- ...allow-localsystem-null-session-fallback.md | 4 +- ...-this-computer-to-use-online-identities.md | 4 +- ...e-encryption-types-allowed-for-kerberos.md | 4 +- ...ager-hash-value-on-next-password-change.md | 6 +- ...ty-force-logoff-when-logon-hours-expire.md | 6 +- 
...curity-lan-manager-authentication-level.md | 6 +- ...curity-ldap-client-signing-requirements.md | 6 +- ...sp-based--including-secure-rpc--clients.md | 6 +- ...sp-based--including-secure-rpc--servers.md | 6 +- ...rver-exceptions-for-ntlm-authentication.md | 6 +- ...lm-add-server-exceptions-in-this-domain.md | 6 +- ...strict-ntlm-audit-incoming-ntlm-traffic.md | 6 +- ...udit-ntlm-authentication-in-this-domain.md | 6 +- ...ity-restrict-ntlm-incoming-ntlm-traffic.md | 8 +- ...ntlm-ntlm-authentication-in-this-domain.md | 6 +- ...outgoing-ntlm-traffic-to-remote-servers.md | 8 +- ...sword-must-meet-complexity-requirements.md | 4 +- .../perform-volume-maintenance-tasks.md | 6 +- ...loying-advanced-security-audit-policies.md | 24 +- ...repare-people-to-use-microsoft-passport.md | 12 +- ...ion-for-bitlocker-planning-and-policies.md | 36 +- windows/keep-secure/profile-single-process.md | 6 +- .../keep-secure/profile-system-performance.md | 6 +- ...-the-health-of-windows-10-based-devices.md | 32 +- ...nd-storage-area-networks-with-bitlocker.md | 2 +- ...le-allow-automatic-administrative-logon.md | 6 +- ...py-and-access-to-all-drives-and-folders.md | 6 +- .../remove-computer-from-docking-station.md | 6 +- .../replace-a-process-level-token.md | 6 +- ...ements-for-deploying-applocker-policies.md | 16 +- .../reset-account-lockout-counter-after.md | 4 +- .../restore-files-and-directories.md | 6 +- ...the-automatically-generate-rules-wizard.md | 2 +- ...-tpm-information-from-windows-8-clients.md | 2 +- .../security-auditing-overview-glbl.md | 2 +- .../keep-secure/security-policy-settings.md | 14 +- windows/keep-secure/shut-down-the-system.md | 6 +- ...o-be-shut-down-without-having-to-log-on.md | 6 +- .../shutdown-clear-virtual-memory-pagefile.md | 6 +- ...e-passwords-using-reversible-encryption.md | 4 +- .../switch-pcr-banks-on-tpm-2-0-devices.md | 2 +- .../synchronize-directory-service-data.md | 6 +- ...on-for-user-keys-stored-on-the-computer.md | 6 +- 
...thms-for-encryption-hashing-and-signing.md | 6 +- ...nsensitivity-for-non-windows-subsystems.md | 6 +- ...ernal-system-objects--eg-symbolic-links.md | 6 +- .../system-settings-optional-subsystems.md | 6 +- ...ables-for-software-restriction-policies.md | 6 +- ...ake-ownership-of-files-or-other-objects.md | 6 +- .../keep-secure/tpm-fundamentals-windows-8.md | 52 +- ...leshoot-windows-defender-for-windows-10.md | 2 +- .../trusted-platform-module--tpm-2-0--.md | 16 +- ...m-module-services-group-policy-settings.md | 60 +- ...ted-platform-module-technology-overview.md | 12 +- ...stand-applocker-policy-design-decisions.md | 4 +- ...rding-to-assist-in-instrusion-detection.md | 32 +- ...-for-the-built-in-administrator-account.md | 6 +- ...vation-without-using-the-secure-desktop.md | 6 +- ...r-administrators-in-admin-approval-mode.md | 6 +- ...the-elevation-prompt-for-standard-users.md | 6 +- ...-installations-and-prompt-for-elevation.md | 6 +- ...ecutables-that-are-signed-and-validated.md | 6 +- ...-that-are-installed-in-secure-locations.md | 6 +- .../user-account-control-overview.md | 6 +- ...l-administrators-in-admin-approval-mode.md | 6 +- ...re-desktop-when-prompting-for-elevation.md | 6 +- ...ry-write-failures-to-per-user-locations.md | 6 +- windows/keep-secure/vpn-profile-options.md | 10 +- .../why-a-pin-is-better-than-a-password.md | 14 +- .../windows-10-mobile-security-guide.md | 54 +- .../keep-secure/windows-10-security-guide.md | 30 +- ...dows-hello-biometrics-in-the-enterprise.md | 12 +- .../working-with-applocker-rules.md | 16 +- windows/manage/TOC.md | 5 +- ...d-unsigned-app-to-code-integrity-policy.md | 16 +- ...gemement-for-windows-store-for-business.md | 10 +- .../apps-in-the-windows-store-for-business.md | 6 +- ...istory-for-manage-and-update-windows-10.md | 4 +- ...changes-to-start-policies-in-windows-10.md | 8 +- .../manage/configure-devices-without-mdm.md | 10 +- ...onfigure-telemetry-in-your-organization.md | 314 +++++++++ 
.../customize-and-export-start-layout.md | 22 +- ...-10-start-screens-by-using-group-policy.md | 22 +- ...by-using-mobile-device-management--mdm-.md | 4 +- ...-by-using-provisioning-packages-and-icd.md | 10 +- .../distribute-apps-with-a-management-tool.md | 2 +- windows/manage/distribute-offline-apps.md | 2 +- ...configuration-service-providers--csps--.md | 14 +- windows/manage/images/aadj3.jpg | Bin 44481 -> 44553 bytes windows/manage/images/aadjbrowser.jpg | Bin 0 -> 67277 bytes windows/manage/images/aadjonedrive.jpg | Bin 0 -> 84125 bytes windows/manage/images/aadjppt.jpg | Bin 0 -> 43157 bytes windows/manage/images/aadjword.jpg | Bin 0 -> 62295 bytes windows/manage/images/settings-table.png | Bin 0 -> 14426 bytes .../introduction-to-windows-10-servicing.md | 28 +- ...ows-10-mobile-to-azure-active-directory.md | 52 +- .../lock-down-windows-10-to-specific-apps.md | 8 +- windows/manage/lock-down-windows-10.md | 15 +- windows/manage/lockdown-xml.md | 18 +- .../manage/manage-access-to-private-store.md | 2 +- windows/manage/manage-corporate-devices.md | 10 +- .../manage-cortana-in-your-enterprise.md | 19 +- ...-privacy-for-windows-10-in-your-company.md | 594 ++++-------------- .../manage-wi-fi-sense-in-your-company.md | 10 +- ...quisites-for-windows-store-for-business.md | 2 +- .../product-ids-in-windows-10-mobile.md | 6 +- .../reset-a-windows-10-mobile-device.md | 6 +- ...osk-for-windows-10-for-desktop-editions.md | 24 +- ...kiosk-for-windows-10-for-mobile-edition.md | 6 +- .../sign-up-for-windows-store-for-business.md | 10 +- ...-employees-from-using-the-windows-store.md | 10 +- windows/manage/windows-10-mobile-and-mdm.md | 86 +-- .../working-with-line-of-business-apps.md | 8 +- windows/plan/TOC.md | 2 +- windows/plan/application-dialog-box.md | 4 +- ...tory-for-plan-for-windows-10-deployment.md | 2 +- windows/plan/chromebook-migration-guide.md | 118 ++-- windows/plan/computer-dialog-box.md | 4 +- ...lity-fix-in-compatibility-administrator.md | 8 +- 
...ity-mode-in-compatibility-administrator.md | 8 +- ...-message-in-compatibility-administrator.md | 10 +- ...e-environment-for-compatibility-testing.md | 10 +- windows/plan/customizing-your-report-views.md | 2 +- ...oyment-considerations-for-windows-to-go.md | 32 +- windows/plan/device-dialog-box.md | 4 +- ...ying-computers-for-inventory-collection.md | 32 +- .../integration-with-management-solutions-.md | 14 +- .../operatingsystem---application-report.md | 2 +- .../plan/operatingsystem---computer-report.md | 2 +- .../plan/operatingsystem---device-report.md | 2 +- ...are-your-organization-for-windows-to-go.md | 18 +- ...ery-tool-in-compatibility-administrator.md | 12 +- ...ection-considerations-for-windows-to-go.md | 10 +- .../settings-dialog-box---preferences-tab.md | 6 +- .../settings-dialog-box---settings-tab.md | 12 +- windows/plan/setup-and-deployment.md | 20 +- .../troubleshooting-act-database-issues.md | 10 +- ...shooting-the-act-log-processing-service.md | 12 +- windows/plan/websiteurl-dialog-box.md | 2 +- windows/plan/windows-10-compatibility.md | 4 +- .../windows-10-deployment-considerations.md | 8 +- .../windows-10-infrastructure-requirements.md | 8 +- windows/plan/windows-10-servicing-model.md | 14 +- ...windows-to-go-feature-overview-scenario.md | 16 +- ...indows-to-go-frequently-asked-questions.md | 166 ++--- windows/plan/windows-update-for-business.md | 12 +- windows/whats-new/TOC.md | 2 +- windows/whats-new/bitlocker.md | 4 +- .../business-store-for-windows-10.md | 6 +- ...ge-history-for-what-s-new-in-windows-10.md | 2 +- windows/whats-new/credential-guard.md | 2 +- windows/whats-new/device-guard-overview.md | 8 +- .../enterprise-data-protection-overview.md | 8 +- windows/whats-new/index.md | 2 +- ...ures-from-windows-embedded-industry-8-1.md | 2 +- windows/whats-new/security-auditing.md | 38 +- windows/whats-new/security.md | 40 +- windows/whats-new/trusted-platform-module.md | 6 +- windows/whats-new/windows-spotlight.md | 8 +- 382 files changed, 
3100 insertions(+), 3085 deletions(-) create mode 100644 windows/manage/configure-telemetry-in-your-organization.md create mode 100644 windows/manage/images/aadjbrowser.jpg create mode 100644 windows/manage/images/aadjonedrive.jpg create mode 100644 windows/manage/images/aadjppt.jpg create mode 100644 windows/manage/images/aadjword.jpg create mode 100644 windows/manage/images/settings-table.png diff --git a/windows/deploy/TOC.md b/windows/deploy/TOC.md index 4ffbb4e95d..2c52ae43a3 100644 --- a/windows/deploy/TOC.md +++ b/windows/deploy/TOC.md @@ -1,4 +1,4 @@ -# [Deploy Windows 10](index.md) +# [Deploy Windows 10] ## [Change history for Deploy Windows 10](change-history-for-deploy-windows-10.md) ## [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) ## [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-81-with-the-microsoft-deployment-toolkit.md) diff --git a/windows/deploy/add-drivers-to-a-windows-81-deployment-with-windows-pe-using-configuration-manager.md b/windows/deploy/add-drivers-to-a-windows-81-deployment-with-windows-pe-using-configuration-manager.md index 90c2dabd0f..1fc82ad701 100644 --- a/windows/deploy/add-drivers-to-a-windows-81-deployment-with-windows-pe-using-configuration-manager.md +++ b/windows/deploy/add-drivers-to-a-windows-81-deployment-with-windows-pe-using-configuration-manager.md 
@@ -20,13 +20,13 @@ author: CFaw - [Add drivers for Windows PE](#sec01) - [Add drivers for Windows 10](#sec02) -- [Related topics](#related_topics) +- [Related topics](#related-topics) In this topic, you will learn how to configure the Windows Preinstallation Environment (Windows PE) to include the network drivers required to connect to the deployment share and the storage drivers required to see the local storage on machines. Even though the Windows PE boot image and the Windows 10 operating system contain many out-of-the-box drivers, it is likely you will have to add new or updated drivers to support all your hardware. In this section, you import drivers for both Windows PE and the full Windows 10 operating system. For the purposes of this topic, we will use CM01, a machine running Windows Server 2012 R2 Standard that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-81-with-the-microsoft-deployment-toolkit.md). -## Add drivers for Windows PE +## Add drivers for Windows PE This section will show you how to import some network and storage drivers for Windows PE. This section assumes you have downloaded some drivers to the E:\\Sources\\OSD\\DriverSources\\WinPE x64 folder on CM01. @@ -50,7 +50,7 @@ The Updating Boot Image part of the wizard will appear to hang when displaying D   -## Add drivers for Windows 10 +## Add drivers for Windows 10 This section illustrates how to add drivers for Windows 10 through an example in which you want to import Windows 10 drivers for the HP EliteBook 8560w model. For the purposes of this section, we assume that you have downloaded the Windows 10 drivers for the HP EliteBook 8560w model and copied them to the E:\\Sources\\OSD\\DriverSources\\Windows 10 x64\\HP EliteBook 8560w folder on CM01. 
diff --git a/windows/deploy/assign-applications-using-roles-in-mdt-2013.md b/windows/deploy/assign-applications-using-roles-in-mdt-2013.md index 67bf7b4350..1d6b025dbd 100644 --- a/windows/deploy/assign-applications-using-roles-in-mdt-2013.md +++ b/windows/deploy/assign-applications-using-roles-in-mdt-2013.md @@ -17,11 +17,11 @@ author: CFaw - [Create and assign a role entry in the database](#sec01) - [Associate the role with a computer in the database](#sec02) - [Verify database access in the MDT simulation environment](#sec03) -- [Related topics](#related_topics) +- [Related topics](#related-topics) This topic will show you how to add applications to a role in the MDT database and then assign that role to a computer. For the purposes of this topic, the application we are adding is Adobe Reader XI. In addition to using computer-specific entries in the database, you can use roles in MDT to group settings together. -## Create and assign a role entry in the database +## Create and assign a role entry in the database 1. On MDT01, using Deployment Workbench, in the MDT Production deployment share, expand **Advanced Configuration** and then expand **Database**. @@ -38,7 +38,7 @@ This topic will show you how to add applications to a role in the MDT database a Figure 12. The Standard PC role with the application added -## Associate the role with a computer in the database +## Associate the role with a computer in the database After creating the role, you can associate it with one or more computer entries. 
@@ -53,7 +53,7 @@ After creating the role, you can associate it with one or more computer entries. Figure 13. The Standard PC role added to PC00075 (having ID 1 in the database). -## Verify database access in the MDT simulation environment +## Verify database access in the MDT simulation environment When the database is populated, you can use the MDT simulation environment to simulate a deployment. The applications are not installed, but you can see which applications would be installed if you did a full deployment of the computer. diff --git a/windows/deploy/build-a-distributed-environment-for-windows-81-deployment.md b/windows/deploy/build-a-distributed-environment-for-windows-81-deployment.md index 7812c3a7ab..e7404c2cc9 100644 --- a/windows/deploy/build-a-distributed-environment-for-windows-81-deployment.md +++ b/windows/deploy/build-a-distributed-environment-for-windows-81-deployment.md @@ -23,7 +23,7 @@ author: CFaw - [Replicate the content](#sec03) - [Configure Windows Deployment Services (WDS) in a remote site](#sec04) - [Deploy the Windows 10 client to the remote site](#sec05) -- [Related topics](#related_topics) +- [Related topics](#related-topics) In this topic, you will learn how to replicate your Windows 10 deployment shares to facilitate the deployment of Windows 10 in remote or branch locations. If you work in a distributed environment, replicating the deployment shares is an important part of the deployment solution. With images reaching 5 GB in size or more, you can't deploy machines in a remote office over the wire. You need to replicate the content, so that the clients can do local deployments. 
@@ -33,7 +33,7 @@ We will use four machines for this topic: DC01, MDT01, MDT02, and PC0006. DC01 i Figure 1. The machines used in this topic. -## Replicate deployment shares +## Replicate deployment shares Replicating the content between MDT01 (New York) and MDT02 (Stockholm) can be done in a number of different ways. The most common content replication solutions with Microsoft Deployment Toolkit (MDT) 2013 use either the Linked Deployment Shares (LDS) feature or Distributed File System Replication (DFS-R). Some organizations have used a simple robocopy script for replication of the content. @@ -51,7 +51,7 @@ LDS is a built-in feature in MDT for replicating content. However, LDS works bes DFS-R is not only very fast and reliable, but it also offers central monitoring, bandwidth control, and a great delta replication engine. DFS-R will work equally well whether you have 2 sites or 90. When using DFS-R for MDT, we recommend running your deployment servers on Windows Server 2008 R2 or higher. From that version on, you can configure the replication target(s) as read-only, which is exactly what you want for MDT. This way, you can have your master deployment share centralized and replicate out changes as they happen. DFS-R will quickly pick up changes at the central deployment share in MDT01 and replicate the delta changes to MDT02. -## Set up Distributed File System Replication (DFS-R) for replication +## Set up Distributed File System Replication (DFS-R) for replication Setting up DFS-R for replication is a quick and straightforward process. You prepare the deployment servers and then create a replication group. To complete the setup, you configure some replication settings. 
@@ -151,7 +151,7 @@ When you have multiple deployment servers sharing the same content, you need to 6. Browse and select the **E:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim** boot image, and then complete Replace Boot Image Wizard using the default settings. -## Replicate the content +## Replicate the content Once the MDT01 and MDT02 servers are prepared, you are ready to configure the actual replication. @@ -247,7 +247,7 @@ It will take some time for the replication configuration to be picked up by the Figure 9. The DFS Replication Health Report. -## Configure Windows Deployment Services (WDS) in a remote site +## Configure Windows Deployment Services (WDS) in a remote site Like you did in the previous topic for MDT01, you need to add the MDT Production Lite Touch x64 Boot image to Windows Deployment Services on MDT02. For the following steps, we assume that WDS has already been installed on MDT02. @@ -256,7 +256,7 @@ Like you did in the previous topic for MDT01, you need to add the MDT Production 2. Browse to the E:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim file and add the image with the default settings. -## Deploy the Windows 10 client to the remote site +## Deploy the Windows 10 client to the remote site Now you should have a solution ready for deploying the Windows 10 client to the remote site, Stockholm, connecting to the MDT Production deployment share replica on MDT02. diff --git a/windows/deploy/change-history-for-deploy-windows-10.md b/windows/deploy/change-history-for-deploy-windows-10.md index ac163d899d..b17f45b11c 100644 --- a/windows/deploy/change-history-for-deploy-windows-10.md +++ b/windows/deploy/change-history-for-deploy-windows-10.md 
@@ -11,7 +11,7 @@ author: CFaw # Change history for Deploy Windows 10 -This topic lists new and updated topics in the [Deploy Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md). +This topic lists new and updated topics in the [Deploy Windows 10] documentation for [Windows 10 and Windows 10 Mobile](../index.md). ## December 2015 diff --git a/windows/deploy/common-issues-usmt-win8.md b/windows/deploy/common-issues-usmt-win8.md index 02f0b32831..a084274da5 100644 --- a/windows/deploy/common-issues-usmt-win8.md +++ b/windows/deploy/common-issues-usmt-win8.md @@ -16,17 +16,17 @@ The following sections discuss common issues that you might see when you run the ## In This Topic -[User Account Problems](#User) +[User Account Problems](#user) -[Command-line Problems](#Command) +[Command-line Problems](#command) -[XML File Problems](#XML) +[XML File Problems](#xml) -[Migration Problems](#Migration) +[Migration Problems](#migration) -[Offline Migration Problems](#BKMK_Offline) +[Offline Migration Problems](#bkmk-offline) -[Hard Link Migration Problems](#BKMK_Hardlink) +[Hard Link Migration Problems](#bkmk-hardlink) ## General Guidelines for Identifying Migration Problems @@ -59,7 +59,7 @@ When you encounter a problem or error message during migration, you can use the   -## User Account Problems +## User Account Problems The following sections describe common user account problems. Expand the section to see recommended solutions. @@ -133,7 +133,7 @@ loadstate /i:migapp.xml /i:migdocs.xml \\server\share\migration\mystore /progress:prog.log /l:load.log /mu:fareast\user1:farwest\user1 ``` -## Command-line Problems +## Command-line Problems The following sections describe common command-line problems. Expand the section to see recommended solutions. 
@@ -150,7 +150,7 @@ The following sections describe common command-line problems. Expand the section **Resolution:** To fix this issue in this scenario, specify the **/l:scan.log** or **/l:load.log** option. -## XML File Problems +## XML File Problems The following sections describe common XML file problems. Expand the section to see recommended solutions. @@ -167,13 +167,13 @@ The following sections describe common XML file problems. Expand the section to **Resolution:** You can load the XML schema (MigXML.xsd), included with USMT, into your XML authoring tool. For examples, see the [Visual Studio Development Center](http://go.microsoft.com/fwlink/p/?LinkId=74513). Then, load your .xml file in the authoring tool to see if there is a syntax error. In addition, see [USMT XML Reference](usmt-xml-reference-usmt-win7-usmt-win8.md) for more information about using the XML elements. -### I am using a MigXML helper function, but the migration isn’t working the way I expected it to.  How do I troubleshoot this issue? +### I am using a MigXML helper function, but the migration isn’t working the way I expected it to.  How do I troubleshoot this issue? **Cause:** Typically, this issue is caused by incorrect syntax used in a helper function. You receive a Success return code, but the files you wanted to migrate did not get collected or applied, or weren’t collected or applied in the way you expected. **Resolution:** You should search the ScanState or LoadState log for either the component name which contains the MigXML helper function, or the MigXML helper function title, so that you can locate the related warning in the log file. -## Migration Problems +## Migration Problems The following sections describe common migration problems. Expand the section to see recommended solutions. 
@@ -216,13 +216,13 @@ There are three typical causes for this issue. **Resolution:** Run the ScanState and LoadState tools from within an account with administrative credentials. -### I included MigApp.xml in the migration, but some PST files aren’t migrating. +### I included MigApp.xml in the migration, but some PST files aren’t migrating. **Cause:** The MigApp.xml file migrates only the PST files that are linked to Outlook profiles. **Resolution:** To migrate PST files that are not linked to Outlook profiles, you must create a separate migration rule to capture these files. -## Offline Migration Problems +## Offline Migration Problems The following sections describe common offline migration problems. Expand the section to see recommended solutions. @@ -263,7 +263,7 @@ You can also use patterns for SIDs that identify generic users or groups. For ex reg.exe unload hklm\$dest$software ``` -## Hard-Link Migration Problems +## Hard-Link Migration Problems The following sections describe common hard-link migration problems. Expand the section to see recommended solutions. diff --git a/windows/deploy/common-migration-scenarios-usmt-win7-usmt-win8.md b/windows/deploy/common-migration-scenarios-usmt-win7-usmt-win8.md index 2a1ffc1db1..117f0e492c 100644 --- a/windows/deploy/common-migration-scenarios-usmt-win7-usmt-win8.md +++ b/windows/deploy/common-migration-scenarios-usmt-win7-usmt-win8.md 
@@ -18,25 +18,25 @@ One common scenario when only the operating system, and not the hardware, is bei ## In This Topic -[PC Refresh](#BKMK_PCRefresh) +[PC Refresh](#bkmk-pcrefresh) -[Scenario One: PC-refresh offline using Windows PE and a hard-link migration store](#BKMK_OnePCRefresh) +[Scenario One: PC-refresh offline using Windows PE and a hard-link migration store](#bkmk-onepcrefresh) -[Scenario Two: PC-refresh using a compressed migration store](#BKMK_TwoPCRefresh) +[Scenario Two: PC-refresh using a compressed migration store](#bkmk-twopcrefresh) -[Scenario Three: PC-refresh using a hard-link migration store](#BKMK_ThreePCRefresh) +[Scenario Three: PC-refresh using a hard-link migration store](#bkmk-threepcrefresh) -[Scenario Four: PC-refresh using Windows.old folder and a hard-link migration store](#BKMK_FourPCRefresh) +[Scenario Four: PC-refresh using Windows.old folder and a hard-link migration store](#bkmk-fourpcrefresh) -[PC Replacement](#BKMK_PCReplace) +[PC Replacement](#bkmk-pcreplace) -[Scenario One: Offline migration using Windows PE and an external migration store](#BKMK_OnePCReplace) +[Scenario One: Offline migration using Windows PE and an external migration store](#bkmk-onepcreplace) -[Scenario Two: Manual network migration](#BKMK_TwoPCReplace) +[Scenario Two: Manual network migration](#bkmk-twopcreplace) -[Scenario Three: Managed network migration](#BKMK_ThreePCReplace) +[Scenario Three: Managed network migration](#bkmk-threepcreplace) -## PC-Refresh +## PC-Refresh The following diagram shows a PC-refresh migration, also known as a computer refresh migration. First, the administrator migrates the user state from a source computer to an intermediate store. After installing the operating system, the administrator migrates the user state back to the source computer. 
@@ -47,7 +47,7 @@ The following diagram shows a PC-refresh migration, also known as a computer ref   -### Scenario One: PC-refresh offline using Windows PE and a hard-link migration store +### Scenario One: PC-refresh offline using Windows PE and a hard-link migration store A company has just received funds to update the operating system on all of its computers in the accounting department to Windows 10. Each employee will keep the same computer, but the operating system on each computer will be updated. In this scenario, the update is being handled completely offline, without a network connection. An administrator uses Windows Preinstallation Environment (WinPE) and a hard-link migration store to save each user state to their respective computer. @@ -57,7 +57,7 @@ A company has just received funds to update the operating system on all of its c 3. The administrator runs the LoadState command-line tool on each computer. LoadState restores each user state back to each computer. -### Scenario Two: PC-refresh using a compressed migration store +### Scenario Two: PC-refresh using a compressed migration store A company has just received funds to update the operating system on all of its computers to Windows 10. Each employee will keep the same computer, but the operating system on each computer will be updated. In this scenario, an administrator uses a compressed migration store to save the user states to a server. 
@@ -67,7 +67,7 @@ A company has just received funds to update the operating system on all of its c 3. The administrator runs the LoadState command-line tool on each source computer, and LoadState restores each user state back to the computer. -### Scenario Three: PC-refresh using a hard-link migration store +### Scenario Three: PC-refresh using a hard-link migration store A company has just received funds to update the operating system on all of its computers to Windows 10. Each employee will keep the same computer, but the operating system on each computer will be updated. In this scenario, an administrator uses a hard-link migration store to save each user state to their respective computer. @@ -77,7 +77,7 @@ A company has just received funds to update the operating system on all of its c 3. The administrator runs the LoadState command-line tool on each computer. LoadState restores each user state back on each computer. -### Scenario Four: PC-refresh using Windows.old folder and a hard-link migration store +### Scenario Four: PC-refresh using Windows.old folder and a hard-link migration store A company has decided to update the operating system on all of its computers to Windows 10. Each employee will keep the same computer, but the operating system on each computer will be updated. In this scenario, an administrator uses Windows.old and a hard-link migration store to save each user state to their respective computer. 
@@ -87,7 +87,7 @@ A company has decided to update the operating system on all of its computers to 3. The administrator runs the ScanState and LoadState command-line tools successively on each computer while specifying the **/hardlink /nocompress** command-line options. -## PC-Replacement +## PC-Replacement The following diagram shows a PC-replacement migration. First, the administrator migrates the user state from the source computer to an intermediate store. After installing the operating system on the destination computer, the administrator migrates the user state from the store to the destination computer. @@ -98,7 +98,7 @@ The following diagram shows a PC-replacement migration. First, the administrator   -### Scenario One: Offline migration using WinPE and an external migration store +### Scenario One: Offline migration using WinPE and an external migration store A company is allocating 20 new computers to users in the accounting department. The users each have a source computer with their files and settings. In this scenario, migration is being handled completely offline, without a network connection. @@ -108,7 +108,7 @@ A company is allocating 20 new computers to users in the accounting department. 3. On each of the new computers, the administrator runs the LoadState tool, restoring each user state from the migration store to one of the new computers. -### Scenario Two: Manual network migration +### Scenario Two: Manual network migration A company receives 50 new laptops for their managers and needs to reallocate 50 older laptops to new employees. In this scenario, an administrator runs the ScanState tool from the cmd prompt on each computer to collect the user states and save them to a server in a compressed migration store. 
@@ -120,7 +120,7 @@ A company receives 50 new laptops for their managers and needs to reallocate 50 4. On the old computers, the administrator installs the company’s SOE, which includes Windows 10, Microsoft Office, and other company applications. The old computers are now ready for the new employees to use. -### Scenario Three: Managed network migration +### Scenario Three: Managed network migration A company is allocating 20 new computers to users in the accounting department. The users each have a source computer that contains their files and settings. An administrator uses a management technology such as a logon script or a batch file to run ScanState on each source computer to collect the user states and save them to a server in a compressed migration store. diff --git a/windows/deploy/configure-mdt-2013-for-userexit-scripts.md b/windows/deploy/configure-mdt-2013-for-userexit-scripts.md index 49c9c4e5f4..8b59589f53 100644 --- a/windows/deploy/configure-mdt-2013-for-userexit-scripts.md +++ b/windows/deploy/configure-mdt-2013-for-userexit-scripts.md @@ -14,9 +14,9 @@ author: CFaw **In this article** -- [Configure the rules to call a UserExit script](#configure_the_rules_to_call_a_userexit_script) -- [The Setname.vbs UserExit script](#the_setname.vbs_userexit_script) -- [Related topics](#related_topics) +- [Configure the rules to call a UserExit script](#configure-the-rules-to-call-a-userexit-script) +- [The Setname.vbs UserExit script](#the-setname-vbs-userexit-script) +- [Related topics](#related-topics) In this topic, you will learn how to configure the MDT rules engine to use a UserExit script to generate computer names based on a prefix and the computer MAC Address. MDT supports calling external VBScripts as part of the Gather process; these scripts are referred to as UserExit scripts. The script also removes the colons in the MAC Address. 
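Review bot: in the configure-mdt-2013-for-userexit-scripts.md hunk, `#the_setname.vbs_userexit_script` becomes `#the-setname-vbs-userexit-script`, which assumes the slug generator turns the `.` in `Setname.vbs` into a hyphen. Every other anchor in this patch only lowercases and swaps `_` for `-`; this is the only one whose heading text contains punctuation, so check the rendered id of the "The Setname.vbs UserExit script" heading (some generators drop the dot, giving `setnamevbs`).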
diff --git a/windows/deploy/configure-mdt-deployment-share-rules.md b/windows/deploy/configure-mdt-deployment-share-rules.md index 0c5e9539c1..c3c9d021a1 100644 --- a/windows/deploy/configure-mdt-deployment-share-rules.md +++ b/windows/deploy/configure-mdt-deployment-share-rules.md @@ -16,11 +16,11 @@ author: CFaw - [Assign settings](#sec01) - [Sample configurations](#sec02) -- [Related topics](#related_topics) +- [Related topics](#related-topics) In this topic, you will learn how to configure the MDT rules engine to reach out to other resources, including external scripts, databases, and web services, for additional information instead of storing settings directly in the rules engine. The rules engine in MDT is powerful: most of the settings used for operating system deployments are retrieved and assigned via the rules engine. In its simplest form, the rules engine is the CustomSettings.ini text file. -## Assign settings +## Assign settings When using MDT, you can assign setting in three distinct ways: @@ -33,7 +33,7 @@ When using MDT, you can assign setting in three distinct ways: In order illustrate these three options, let's look at some sample configurations. -## Sample configurations +## Sample configurations Before adding the more advanced components like scripts, databases, and web services, consider the commonly used configurations below; they demonstrate the power of the rules engine. diff --git a/windows/deploy/configxml-file-usmt-win7-usmt-win8.md b/windows/deploy/configxml-file-usmt-win7-usmt-win8.md index a50f69959b..4620637f55 100644 --- a/windows/deploy/configxml-file-usmt-win7-usmt-win8.md +++ b/windows/deploy/configxml-file-usmt-win7-usmt-win8.md 
@@ -32,48 +32,48 @@ To exclude a component from the Config.xml file, set the **migrate** value to ** In USMT there are new migration policies that can be configured in the Config.xml file. For example, you can configure additional **<ErrorControl>**, **<ProfileControl>**, and **<HardLinkStoreControl>** options. The following elements and parameters are for use in the Config.xml file only. -[<Policies>](#BKMK_Policies) +[<Policies>](#bkmk-policies) -[<ErrorControl>](#BKMK_ErrorControl) +[<ErrorControl>](#bkmk-errorcontrol) -[<fatal>](#BKMK_fatal) +[<fatal>](#bkmk-fatal) -[<fileError>](#BKMK_fileError) +[<fileError>](#bkmk-fileerror) -[<nonfatal>](#BKMK_nonFatal) +[<nonfatal>](#bkmk-nonfatal) -[<registryError>](#BKMK_registryError) +[<registryError>](#bkmk-registryerror) -[<HardLinkStoreControl>](#BKMK_HardLinkStoreControl) +[<HardLinkStoreControl>](#bkmk-hardlinkstorecontrol) -[<fileLocked>](#BKMK_fileLock) +[<fileLocked>](#bkmk-filelock) -[<createHardLink>](#BKMK_createHardLink) +[<createHardLink>](#bkmk-createhardlink) -[<errorHardLink>](#BKMK_errorHardLink) +[<errorHardLink>](#bkmk-errorhardlink) -[<ProfileControl>](#BKMK_ProfileControl) +[<ProfileControl>](#bkmk-profilecontrol) -[<localGroups>](#BKMK_localGroups) +[<localGroups>](#bkmk-localgroups) -[<mappings>](#BKMK_mappings) +[<mappings>](#bkmk-mappings) -[<changeGroup>](#BKMK_changeGrou) +[<changeGroup>](#bkmk-changegrou) -[<include>](#BKMK_include) +[<include>](#bkmk-include) -[<exclude>](#BKMK_exclude) +[<exclude>](#bkmk-exclude) -[Sample Config.xml File](#BKMK_SampleConfigXJMLfile) +[Sample Config.xml File](#bkmk-sampleconfigxjmlfile) -## <Policies> +## <Policies> The **<Policies>** element contains elements that describe the policies that USMT follows while creating a migration store. Valid children of the **<Policies>** element are **<ErrorControl>** and **<HardLinkStoreControl>**. The **<Policies>** element is a child of **<Configuration>**. 
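Review bot: the configxml-file-usmt-win7-usmt-win8.md anchor hunk carries two existing typos into the new ids: `#bkmk-changegrou` (for `<changeGroup>`) and `#bkmk-sampleconfigxjmlfile` (for the Sample Config.xml file). Since the ids are being rewritten anyway, correct them to `#bkmk-changegroup` and `#bkmk-sampleconfigxmlfile` here and in the matching anchor definitions. The list entry `[<nonfatal>]` also disagrees with the `## <nonFatal>` heading it points to; the element is written `nonFatal` everywhere else in the file.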
Syntax: ` ` -## <ErrorControl> +## <ErrorControl> The **<ErrorControl>** element is an optional element you can configure in the Config.xml file. The configurable **<ErrorControl>** rules support only the environment variables for the operating system that is running and the currently logged-on user. As a workaround, you can specify a path using the (\*) wildcard character. @@ -107,7 +107,7 @@ The configurable **<ErrorControl>** rules support only the environment var   -### <fatal> +### <fatal> The **<fatal>** element is not required. @@ -145,7 +145,7 @@ Syntax: ``*<pattern>*`` You use the **<fatal>** element to specify that errors matching a specific pattern should cause USMT to halt the migration. -## <fileError> +## <fileError> The **<fileError>** element is not required. @@ -160,7 +160,7 @@ Syntax: `` You use the **<fileError>** element to represent the behavior associated with file errors. -## <nonFatal> +## <nonFatal> The **<nonFatal>** element is not required. @@ -199,7 +199,7 @@ Syntax: ``*<pattern>*`` You use the **<nonFatal>** element to specify that errors matching a specific pattern should not cause USMT to halt the migration. -## <registryError> +## <registryError> The **<registryError>**element is not required. @@ -238,7 +238,7 @@ Syntax: `` You use the **<registryError>** element to specify that errors matching a specific pattern should not cause USMT to halt the migration. -## <HardLinkStoreControl> +## <HardLinkStoreControl> The **<HardLinkStoreControl>** element contains elements that describe how to handle files during the creation of a hard-link migration store. Its only valid child is **<fileLocked>**. 
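Review bot: in the configxml heading hunks on this line, `### <fatal>` stays at level 3 while its siblings under `<ErrorControl>` (`## <fileError>`, `## <nonFatal>`, `## <registryError>`) are level 2, although the "In This Topic" list shows all four at the same depth. Since these heading lines are being rewritten, settle on one level for the `<ErrorControl>` children (and the `<HardLinkStoreControl>` and `<ProfileControl>` children) so the rendered outline matches the list.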
@@ -274,49 +274,49 @@ The **<ErrorControl>** section can be configured to conditionally ignore f ``` -## <fileLocked> +## <fileLocked> The **<fileLocked>** element contains elements that describe how to handle files that are locked for editing. The rules defined by the **<fileLocked>** element are processed in the order in which they appear in the XML file. Syntax: `` -## <createHardLink> +## <createHardLink> The **<createHardLink>** element defines a standard MigXML pattern that describes file paths where hard links should be created, even if the file is locked for editing by another application. Syntax: ``*<pattern>*`` -## <errorHardLink> +## <errorHardLink> The **<errorHardLink>** element defines a standard MigXML pattern that describes file paths where hard links should not be created if the file is locked for editing by another application. USMT will attempt to copy files under these paths into the migration store. However, if that is not possible, **Error\_Locked** is thrown. This is a standard Windows application programming interface (API) error that can be captured by the **<ErrorControl>** section to either cause USMT to skip the file or abort the migration. Syntax: ``*<pattern>*`` -## <ProfileControl> +## <ProfileControl> This element is used to contain other elements that establish rules for migrating profiles, users, and policies around local group membership during the migration. **<ProfileMigration>** is a child of **<Configuration>**. Syntax: <`ProfileControl> ` -## <localGroups> +## <localGroups> This element is used to contain other elements that establish rules for how to migrate local groups. **<localGroups>** is a child of **<ProfileControl>**. Syntax: ` ` -## <mappings> +## <mappings> This element is used to contain other elements that establish mappings between groups. Syntax: ` ` -## <changeGroup> +## <changeGroup> This element describes the source and destination groups for a local group membership change during the migration. 
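Review bot: the `## <ProfileControl>` heading hunk leaves the adjacent context inconsistent: the paragraph says `**<ProfileMigration>** is a child of **<Configuration>**` although the section and the rest of the file refer to `<ProfileControl>`, and the syntax line reads `Syntax: <`ProfileControl> `` with the opening backtick inside the angle bracket. Worth fixing both while this heading is touched: name the element `<ProfileControl>` in the sentence and move the backtick before `<`.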
It is a child of **<localGroups>**. The following parameters are defined: @@ -359,21 +359,21 @@ The valid and required children of **<changeGroup>** are **<include> Syntax: ` ` -## <include> +## <include> This element specifies that its required child, *<pattern>*, should be included in the migration. Syntax: ```` -## <exclude> +## <exclude> This element specifies that its required child, *<pattern>*, should be excluded from the migration. Syntax: ``` ` -## Sample Config.xml File +## Sample Config.xml File Refer to the following sample Config.xml file for additional details about items you can choose to exclude from a migration. diff --git a/windows/deploy/conflicts-and-precedence-usmt-win7-usmt-win8.md b/windows/deploy/conflicts-and-precedence-usmt-win7-usmt-win8.md index 7021f52c45..812254b16e 100644 --- a/windows/deploy/conflicts-and-precedence-usmt-win7-usmt-win8.md +++ b/windows/deploy/conflicts-and-precedence-usmt-win7-usmt-win8.md 
@@ -13,7 +13,7 @@ author: CFaw When you include, exclude, and reroute files and settings, it is important to know how User State Migration Tool (USMT) 10.0 deals with conflicts and precedence. When working with USMT, the following are the most important conflicts and precedence guidelines to keep in mind. -- **If there are conflicting rules within a component, the most specific rule is applied.** However, the <unconditionalExclude> rule is an exception because it takes precedence over all others. Directory names take precedence over file extensions. For examples, see [What happens when there are conflicting include and exclude rules?](#BKMK1) and the first example in [Include and exclude precedence examples](#PrecExamples)****later in this topic. +- **If there are conflicting rules within a component, the most specific rule is applied.** However, the <unconditionalExclude> rule is an exception because it takes precedence over all others. Directory names take precedence over file extensions. For examples, see [What happens when there are conflicting include and exclude rules?](#bkmk1) and the first example in [Include and exclude precedence examples](#precexamples)****later in this topic. - **Only rules inside the same component can affect each other, depending on specificity.** Rules that are in different components do not affect each other, except for the <unconditionalExclude> rule. 
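Review bot: the conflicts-and-precedence-usmt-win7-usmt-win8.md hunk keeps `(#precexamples)****later in this topic`: the `****` is an empty bold span left over from the `#PrecExamples` version and there is no space before "later". Drop the asterisks and add the space so the sentence renders as `…precedence examples](#precexamples) later in this topic`.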
@@ -30,32 +30,32 @@ When you include, exclude, and reroute files and settings, it is important to kn **General** -- [What is the relationship between rules that are located within different components?](#BKMK2) +- [What is the relationship between rules that are located within different components?](#bkmk2) -- [How does precedence work with the Config.xml file?](#BKMK3) +- [How does precedence work with the Config.xml file?](#bkmk3) -- [How does USMT process each component in an .xml file with multiple components?](#BKMK4) +- [How does USMT process each component in an .xml file with multiple components?](#bkmk4) -- [How are rules processed?](#BKMK5) +- [How are rules processed?](#bkmk5) -- [How does USMT combine all of the .xml files that I specify on the command line?](#BKMK6) +- [How does USMT combine all of the .xml files that I specify on the command line?](#bkmk6) **The <include> and <exclude> rules** -- [What happens when there are conflicting include and exclude rules?](#BKMK1) +- [What happens when there are conflicting include and exclude rules?](#bkmk1) -- [<include> and <exclude> precedence examples](#PrecExamples) +- [<include> and <exclude> precedence examples](#precexamples) **File collisions** -- [What is the default behavior when there are file collisions?](#Collisions) +- [What is the default behavior when there are file collisions?](#collisions) -- [How does the <merge> rule work when there are file collisions?](#BKMK11) +- [How does the <merge> rule work when there are file collisions?](#bkmk11) ## General -### What is the relationship between rules that are located within different components? +### What is the relationship between rules that are located within different components? Only rules inside the same component can affect each other, depending on specificity, except for the <unconditionalExclude> rule. Rules that are in different components do not affect each other. 
If there is an <include> rule in one component and an identical <exclude> rule in another component, the data will be migrated because the two rules are independent of each other. @@ -93,7 +93,7 @@ The following .xml file migrates all files from C:\\Userdocs, including .mp3 fil ``` -### How does precedence work with the Config.xml file? +### How does precedence work with the Config.xml file? Specifying `migrate="no"` in the Config.xml file is the same as deleting the corresponding component from the migration .xml file. However, if you set `migrate="no"` for My Documents, but you have a rule similar to the one shown below in a migration .xml file (which includes all of the .doc files from My Documents), then only the .doc files will be migrated, and all other files will be excluded. @@ -105,11 +105,11 @@ Specifying `migrate="no"` in the Config.xml file is the same as deleting the cor ``` -### How does USMT process each component in an .xml file with multiple components? +### How does USMT process each component in an .xml file with multiple components? The ordering of components does not matter. Each component is processed independently of other components. For example, if you have an <include> rule in one component and a <locationModify> rule in another component for the same file, the file will be migrated in both places. That is, it will be included based on the <include> rule, and it will be migrated based on the <locationModify> rule. -### How are rules processed? +### How are rules processed? There are two broad categories of rules. 
@@ -117,14 +117,14 @@ There are two broad categories of rules. - **Rules that affect the behavior of only the LoadState tool**. For example, the <locationModify>, <contentModify>, and <destinationCleanup> rules do not affect ScanState. They are processed only with LoadState. First, the LoadState tool determines the content and location of each component based on the <locationModify>and <contentModify> rules. Then, LoadState processes all of the <destinationCleanup> rules and deletes data from the destination computer. Lastly, LoadState applies the components to the computer. -### How does USMT combine all of the .xml files that I specify on the command line? +### How does USMT combine all of the .xml files that I specify on the command line? USMT does not distinguish the .xml files based on their name or content. It processes each component within the files separately. USMT supports multiple .xml files only to make it easier to maintain and organize the components within them. Because USMT uses a urlid to distinguish each component from the others, be sure that each .xml file that you specify on the command line has a unique migration urlid. -## The <include> and <exclude> rules +## The <include> and <exclude> rules -### What happens when there are conflicting <include> and <exclude> rules? +### What happens when there are conflicting <include> and <exclude> rules? If there are conflicting rules within a component, the most specific rule is applied, except with the <unconditionalExclude> rule, which takes precedence over all other rules. If the rules are equally specific, then the data will be not be migrated. For example if you exclude a file, and include the same file, the file will not be migrated. If there are conflicting rules within different components, the rules do not affect each other because each component is processed independently. 
@@ -143,15 +143,15 @@ In the following example, mp3 files will not be excluded from the migration. Thi ``` -### <include> and <exclude> rules precedence examples +### <include> and <exclude> rules precedence examples These examples explain how USMT deals with <include> and <exclude> rules. When the rules are in different components, the resulting behavior will be the same regardless of whether the components are in the same or in different migration .xml files. -- [Including and excluding files](#FilesEx) +- [Including and excluding files](#filesex) -- [Including and excluding registry objects](#RegEx) +- [Including and excluding registry objects](#regex) -### Including and excluding files +### Including and excluding files @@ -278,7 +278,7 @@ These examples explain how USMT deals with <include> and <exclude> r   -### Including and excluding registry objects +### Including and excluding registry objects
@@ -359,11 +359,11 @@ These examples explain how USMT deals with <include> and <exclude> r ## File collisions -### What is the default behavior when there are file collisions? +### What is the default behavior when there are file collisions? If there is not a <merge> rule, the default behavior for the registry is for the source to overwrite the destination. The default behavior for files is for the source to be renamed incrementally: for example, OriginalFileName(1).OriginalExtension, OriginalFileName(2).OriginalExtension, and so on. -### How does the <merge> rule work when there are file collisions? +### How does the <merge> rule work when there are file collisions? When a collision is detected, USMT will select the most specific <merge> rule and apply it to resolve the conflict. For example, if you have a <merge> rule for C:\\\* \[\*\] set to **sourcePriority()** and another <merge> rule for C:\\subfolder\\\* \[\*\] set to **destinationPriority()** , then USMT uses the destinationPriority() rule because it is the most specific. diff --git a/windows/deploy/create-a-custom-windows-pe-50-boot-image-with-configuration-manager.md b/windows/deploy/create-a-custom-windows-pe-50-boot-image-with-configuration-manager.md index 1a39839510..84a9f0adcc 100644 --- a/windows/deploy/create-a-custom-windows-pe-50-boot-image-with-configuration-manager.md +++ b/windows/deploy/create-a-custom-windows-pe-50-boot-image-with-configuration-manager.md 
@@ -20,13 +20,13 @@ author: CFaw - [Add DaRT 10 files and prepare to brand the boot image](#sec01) - [Create a boot image for Configuration Manager using the MDT wizard](#sec02) -- [Related topics](#related_topics) +- [Related topics](#related-topics) In Microsoft System Center 2012 R2 Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features. This topic shows you how to create a custom Windows PE 5.0 boot image with the Microsoft Deployment Toolkit (MDT) 2013 Update 1 wizard. You can also add the Microsoft Diagnostics and Recovery Toolset (DaRT) 10 to the boot image as part of the boot image creation process. For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. Both are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-81-with-the-microsoft-deployment-toolkit.md). -## Add DaRT 10 files and prepare to brand the boot image +## Add DaRT 10 files and prepare to brand the boot image The steps below outline the process for adding DaRT 10 installation files to the MDT installation directory. You also copy a custom background image to be used later. We assume you have downloaded Microsoft Desktop Optimization Pack (MDOP) 2015 and copied the x64 version of MSDaRT10.msi to the C:\\Setup\\DaRT 10 folder. We also assume you have created a custom background image and saved it in C:\\Setup\\Branding on CM01. In this section, we use a custom background image named ContosoBackground.bmp. 
@@ -43,7 +43,7 @@ The steps below outline the process for adding DaRT 10 installation files to the 6. Copy the **Branding** folder to **E:\\Sources\\OSD**. -## Create a boot image for Configuration Manager using the MDT wizard +## Create a boot image for Configuration Manager using the MDT wizard By using the MDT wizard to create the boot image in Configuration Manager, you gain additional options for adding components and features to the boot image. In this section, you create a boot image for Configuration Manager using the MDT wizard. diff --git a/windows/deploy/create-a-task-sequence-with-configuration-manager-and-mdt.md b/windows/deploy/create-a-task-sequence-with-configuration-manager-and-mdt.md index 090c58388f..cf6e244c42 100644 --- a/windows/deploy/create-a-task-sequence-with-configuration-manager-and-mdt.md +++ b/windows/deploy/create-a-task-sequence-with-configuration-manager-and-mdt.md 
@@ -21,13 +21,13 @@ author: CFaw - [Create a task sequence using the MDT Integration Wizard](#sec01) - [Edit the task sequence](#sec02) - [Move the packages](#sec03) -- [Related topics](#related_topics) +- [Related topics](#related-topics) In this topic, you will learn how to create a Microsoft System Center 2012 R2 Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard. Creating task sequences in System Center 2012 R2 Configuration Manager requires many more steps than creating task sequences for MDT Lite Touch installation. Luckily, the MDT wizard helps you through the process and also guides you through creating the needed packages. For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard, both of which are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-81-with-the-microsoft-deployment-toolkit.md). -## Create a task sequence using the MDT Integration Wizard +## Create a task sequence using the MDT Integration Wizard This section will walk you through the process of creating a System Center 2012 R2 Configuration Manager task sequence for production use. @@ -84,7 +84,7 @@ This section will walk you through the process of creating a System Center 2012 16. On the **Confirmation** page, click **Finish**. -## Edit the task sequence +## Edit the task sequence After you create the task sequence, we recommend that you configure the task sequence for an optimal deployment experience. The configurations include enabling support for Unified Extensible Firmware Interface (UEFI), dynamic organizational unit (OU) allocation, computer replace scenarios, and more. 
@@ -162,7 +162,7 @@ The Request State Store and Release State Store actions need to be added for com   -## Move the packages +## Move the packages While creating the task sequence with the MDT wizard, a few operating system deployment packages were created. To move these packages to the OSD folder, take the following steps. diff --git a/windows/deploy/create-a-windows-81-reference-image.md b/windows/deploy/create-a-windows-81-reference-image.md index 7198485f37..176dfa81ae 100644 --- a/windows/deploy/create-a-windows-81-reference-image.md +++ b/windows/deploy/create-a-windows-81-reference-image.md @@ -18,14 +18,14 @@ author: CFaw **In this article** -- [The reference image](#the_reference_image) +- [The reference image](#the-reference-image) - [Set up the MDT build lab deployment share](#sec01) - [Add the setup files](#sec02) - [Add applications](#sec03) - [Create the reference image task sequence](#sec04) - [Configure the MDT deployment share rules](#sec05) - [Build the Windows 10 reference image](#sec06) -- [Related topics](#related_topics) +- [Related topics](#related-topics) Creating a reference image is important because that image serves as the foundation for the devices in your organization. In this topic, you will learn how to create a Windows 10 reference image using the Microsoft Deployment Toolkit (MDT) 2013 Update 1. You will create a deployment share, configure rules and settings, and import all the applications and operating system files required to build a Windows 10 reference image. After completing the steps outlined in this topic, you will have a Windows 10 reference image that can be used in your deployment solution. 
@@ -48,7 +48,7 @@ The reference image described in this documentation is designed primarily for de - It's easy to move between lab, test, and production. -## Set up the MDT build lab deployment share +## Set up the MDT build lab deployment share With Windows 10, there is no hard requirement to create reference images; however, to reduce the time needed for deployment, you may want to create a reference image that contains a few base applications as well as all of the latest updates. This section will show you how to create and configure the MDT Build Lab deployment share to create a Windows 10 reference image. Because reference images will be deployed only to virtual machines during the creation process and have specific settings (rules), you should always create a separate deployment share specifically for this process. @@ -91,7 +91,7 @@ In order to write the reference image back to the deployment share, you need to Figure 3. Permissions configured for the MDT\_BA user. -## Add the setup files +## Add the setup files This section will show you how to populate the MDT 2013 Update 1 deployment share with the Windows 10 operating system source files, commonly referred to as setup files, which will be used to create a reference image. Setup files are used during the reference image creation process and are the foundation for the reference image. @@ -129,7 +129,7 @@ In these steps we assume that you have copied the content of a Windows 10 Enter Figure 4. The imported Windows 10 operating system after renaming it. -## Add applications +## Add applications Before you create an MDT task sequence, you need to add all of the applications and other sample scripts to the MDT Build Lab share. 
@@ -367,7 +367,7 @@ In these steps we assume that you have downloaded Microsoft Visual C++ 2012 Upda -Verbose ``` -## Create the reference image task sequence +## Create the reference image task sequence In order to build and capture your Windows 10 reference image for deployment using MDT, you will create a task sequence. The task sequence will reference the operating system and applications that you previously imported into the MDT Build Lab deployment share to build a Windows 10 reference image. @@ -520,7 +520,7 @@ Follow these steps to configure Internet Explorer settings in Unattend.xml for t Figure 10. Windows System Image Manager with the Windows 10 Unattend.xml. -## Configure the MDT deployment share rules +## Configure the MDT deployment share rules Understanding rules is critical to successfully using MDT. Rules are configured using the Rules tab of the deployment share's properties. The Rules tab is essentially a shortcut to edit the CustomSettings.ini file that exists in the E:\\MDTBuildLab\\Control folder. This section discusses how to configure the MDT deployment share rules as part of your Windows 10 Enterprise deployment. @@ -776,7 +776,7 @@ SkipFinalSummary=YES - **SkipFinalSummary.** Skips the final Windows Deployment Wizard summary. Because you use FinishAction=Shutdown, you don't want the wizard to stop in the end so that you need to click OK before the machine shuts down. -## Build the Windows 10 reference image +## Build the Windows 10 reference image Once you have created your task sequence, you are ready to create the Windows 10 reference image. This will be performed by launching the task sequence from a virtual machine which will then automatically perform the reference image creation and capture process. diff --git a/windows/deploy/custom-xml-examples-usmt-win7-usmt-win8.md b/windows/deploy/custom-xml-examples-usmt-win7-usmt-win8.md index b5836c734f..98f2a55bcd 100644 --- a/windows/deploy/custom-xml-examples-usmt-win7-usmt-win8.md 
+++ b/windows/deploy/custom-xml-examples-usmt-win7-usmt-win8.md @@ -19,15 +19,15 @@ Because the tables in this topic are wide, you may need to adjust the width of i ## In This Topic: -- [Example 1: Migrating an Unsupported Application](#Example) +- [Example 1: Migrating an Unsupported Application](#example) -- [Example 2: Migrating the My Videos Folder](#Example2) +- [Example 2: Migrating the My Videos Folder](#example2) -- [Example 3: Migrating Files and Registry Keys](#Example3) +- [Example 3: Migrating Files and Registry Keys](#example3) -- [Example 4: Migrating Specific Folders from Various Locations](#Example4) +- [Example 4: Migrating Specific Folders from Various Locations](#example4) -## Example 1: Migrating an Unsupported Application +## Example 1: Migrating an Unsupported Application The following is a template for the sections that you need to migrate your application. The template is not functional on its own, but you can use it to write your own .xml file. @@ -96,7 +96,7 @@ The following is a template for the sections that you need to migrate your appli ``` -## Example 2: Migrating the My Videos Folder +## Example 2: Migrating the My Videos Folder The following is a custom .xml file named CustomFile.xml that migrates My Videos for all users, if the folder exists on the source computer. @@ -153,7 +153,7 @@ The following is a custom .xml file named CustomFile.xml that migrates My Videos ``` -## Example 3: Migrating Files and Registry Keys +## Example 3: Migrating Files and Registry Keys This table describes the behavior in the following example .xml file. @@ -222,7 +222,7 @@ This table describes the behavior in the following example .xml file. ``` -## Example 4: Migrating Specific Folders from Various Locations +## Example 4: Migrating Specific Folders from Various Locations The behavior for this custom .xml file is described within the <`displayName`> tags in the code. 
diff --git a/windows/deploy/customize-usmt-xml-files-usmt-win7-usmt-win8.md b/windows/deploy/customize-usmt-xml-files-usmt-win7-usmt-win8.md index 39f462328c..bae37705ba 100644 --- a/windows/deploy/customize-usmt-xml-files-usmt-win7-usmt-win8.md +++ b/windows/deploy/customize-usmt-xml-files-usmt-win7-usmt-win8.md @@ -14,19 +14,19 @@ author: CFaw ## In This Topic -[Overview](#BKMK_Overview) +[Overview](#bkmk-overview) -[Migration .xml Files](#BKMK_MigXML) +[Migration .xml Files](#bkmk-migxml) -[Custom .xml Files](#BKMK_CustomXMLFiles) +[Custom .xml Files](#bkmk-customxmlfiles) -[The Config.xml File](#BKMK_ConfigXML) +[The Config.xml File](#bkmk-configxml) -[Examples](#BKMK_Examples) +[Examples](#bkmk-examples) -[Additional Information](#BKMK_AddlInfo) +[Additional Information](#bkmk-addlinfo) -## Overview +## Overview If you want the **ScanState** and **LoadState** tools to use any of the migration .xml files, specify these files at the command line using the **/i** option. Because the **ScanState** and **LoadState** tools need the .xml files to control the migration, specify the same set of .xml files for both the **ScanState** and **LoadState** commands. However, you do not have to specify the Config.xml file with the **/config** option, unless you want to exclude some of the files and settings that you migrated to the store. For example, you might want to migrate the My Documents folder to the store but not to the destination computer. To do this, modify the Config.xml file and specify the updated file with the **LoadState** command. Then the **LoadState** command will migrate only the files and settings that you want to migrate. 
@@ -43,7 +43,7 @@ To modify the migration, do one or more of the following. For more information about excluding data, see the [Exclude Files and Settings](exclude-files-and-settings-usmt.md) topic. -## Migration .xml Files +## Migration .xml Files This section describes the migration .xml files that are included with USMT. Each file contains migration rules that control which components are migrated and where they are migrated to on the destination computer. @@ -64,12 +64,12 @@ You can use the asterisk (\*) wildcard character in each of these files. However   -## Custom .xml Files +## Custom .xml Files You can create custom .xml files to customize the migration for your unique needs. For example, you may want to create a custom file to migrate a line-of-business application or to modify the default migration behavior. If you want **ScanState** and **LoadState** to use this file, specify it with both commands. For more information, see the How to Create a Custom .xml File topic. -## The Config.xml File +## The Config.xml File The Config.xml file is an optional file that you create using the **/genconfig** option with the **ScanState** command. You should create and modify this file if you want to exclude certain components from the migration. In addition, you must create and modify this file if you want to exclude any of the operating system settings from being migrated. The Config.xml file format is different from that of the migration .xml files because it does not contain any migration rules. It contains only a list of the operating system components, applications, and the user documents that can be migrated. For an example, see the [Config.xml File](configxml-file-usmt-win7-usmt-win8.md) topic. For this reason, excluding components using this file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax. However, you cannot use wildcard characters in a Config.xml file. 
@@ -93,7 +93,7 @@ To exclude a component from the Config.xml file, set the **migrate** value to **   -### Examples +### Examples - The following command creates a Config.xml file in the current directory, but it does not create a store: @@ -107,7 +107,7 @@ To exclude a component from the Config.xml file, set the **migrate** value to ** `loadstate \\server\share\migration\mystore /i:migapp.xml /i:migdocs.xml /v:5 /decrypt /key:"mykey"` -## Additional Information +## Additional Information - For more information about how to change the files and settings that are migrated, see the [User State Migration Tool (USMT) How-to topics](user-state-migration-tool--usmt--how-to-topics.md). diff --git a/windows/deploy/deploy-a-windows-81-image-using-mdt-2013.md b/windows/deploy/deploy-a-windows-81-image-using-mdt-2013.md index d7db9ff7ba..5631127c4d 100644 --- a/windows/deploy/deploy-a-windows-81-image-using-mdt-2013.md +++ b/windows/deploy/deploy-a-windows-81-image-using-mdt-2013.md @@ -29,7 +29,7 @@ author: CFaw - [Multicast deployments](#sec09) - [Use offline media to deploy Windows 10](#sec10) - [Unified Extensible Firmware Interface (UEFI)-based deployments](#sec11) -- [Related topics](#related_topics) +- [Related topics](#related-topics) This topic will show you how to take your reference image for Windows 10, and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 1 specifically. You will prepare for this by creating a MDT deployment share that is used solely for image deployment. Separating the processes of creating reference images from the processes used to deploy them in production allows greater control of on both processes. You will then configure the deployment share, create a new task sequence, add applications, add drivers, add rules, and configure Active Directory permissions for deployment. 
@@ -39,7 +39,7 @@ For the purposes of this topic, we will use three machines: DC01, MDT01, and PC0 Figure 1. The machines used in this topic. -## Step 1: Configure Active Directory permissions +## Step 1: Configure Active Directory permissions These steps will show you how to configure an Active Directory account with the permissions required to deploy a Windows 10 machine to the domain using MDT. These steps assume you have downloaded the sample [Set-OUPermissions.ps1 script](http://go.microsoft.com/fwlink/p/?LinkId=619362) and copied it to C:\\Setup\\Scripts on DC01. The account is used for Windows Preinstallation Environment (Windows PE) to connect to MDT01. In order for MDT to join machines into the contoso.com domain you need to create an account and configure permissions in Active Directory. @@ -95,7 +95,7 @@ These steps will show you how to configure an Active Directory account with the 8. Validated write to service principal name -## Step 2: Set up the MDT production deployment share +## Step 2: Set up the MDT production deployment share When you are ready to deploy Windows 10 in a production environment, you will first create a new MDT deployment share. You should not use the same deployment share that you used to create the reference image for a production deployment. For guidance on creating a custom Windows 10 image, see [Create a Windows 10 reference image](create-a-windows-81-reference-image.md). 
@@ -118,7 +118,7 @@ The steps for creating the deployment share for production are the same as when 7. Using File Explorer, verify that you can access the **\\\\MDT01\\MDTProduction$** share. -## Step 3: Add a custom image +## Step 3: Add a custom image The next step is to add a reference image into the deployment share with the setup files required to successfully deploy Windows 10. When adding a custom image, you still need to copy setup files (an option in the wizard) because Windows 10 stores additional components in the Sources\\SxS folder which is outside the image and may be required when installing components. @@ -150,7 +150,7 @@ The reason for adding the setup files has changed since earlier versions of MDT. Figure 2. The imported operating system after renaming it. -## Step 4: Add an application +## Step 4: Add an application When you configure your MDT Build Lab deployment share, you will also add any applications to the new deployment share before creating your task sequence. This section walks you through the process of adding an application to the MDT Production deployment share using Adobe Reader as an example. @@ -179,7 +179,7 @@ In this example, we assume that you have downloaded the Adobe Reader XI installa Figure 3. The Adobe Reader application added to the Deployment Workbench. -## Step 5: Prepare the drivers repository +## Step 5: Prepare the drivers repository In order to deploy Windows 10 with MDT 2013 Update 1 successfully, you need drivers for the boot images and for the actual operating system. This section will show you how to add drivers for the boot image and operating system, using the following hardware models as examples: 
@@ -378,7 +378,7 @@ For the Microsoft Surface Pro model, you find the drivers on the Microsoft websi - Driver source directory: **E:\\Drivers\\Windows 10 x64\\Microsoft\\Surface Pro 3** -## Step 6: Create the deployment task sequence +## Step 6: Create the deployment task sequence This section will show you how to create the task sequence used to deploy your production Windows 10 reference image. You will then configure the tasks sequence to enable patching via a Windows Server Update Services (WSUS) server. @@ -444,7 +444,7 @@ This section will show you how to create the task sequence used to deploy your p Figure 6. The task sequence for production deployment. -## Step 7: Configure the MDT production deployment share +## Step 7: Configure the MDT production deployment share In this section, you will learn how to configure the MDT Build Lab deployment share with the rules required to create a simple and dynamic deployment process. This includes configuring commonly used rules and an explanation of how these rules work. @@ -636,7 +636,7 @@ If your organization has a Microsoft Software Assurance agreement, you also can ### Add DaRT 10 to the boot images -If you have licensing for MDOP and DaRT, you can add DaRT to the boot images using the steps in this section. If you do not have DaRT licensing, or don't want to use it, simply skip to the next section, [Update the Deployment Share](#BKMK_update_deployment). To enable the remote connection feature in MDT 2013 Update 1, you need to do the following: +If you have licensing for MDOP and DaRT, you can add DaRT to the boot images using the steps in this section. If you do not have DaRT licensing, or don't want to use it, simply skip to the next section, [Update the Deployment Share](#bkmk-update-deployment). To enable the remote connection feature in MDT 2013 Update 1, you need to do the following: - Install DaRT 10 (part of MDOP 2015 R1). 
@@ -670,7 +670,7 @@ In these steps, we assume that you downloaded MDOP 2015 R1 and copied DaRT 10 to 10. Click **OK**. -### Update the deployment share +### Update the deployment share Like the MDT Build Lab deployment share, the MDT Production deployment share needs to be updated after it has been configured. This is the process during which the Windows PE boot images are created. @@ -683,7 +683,7 @@ The update process will take 5 to 10 minutes.   -## Step 8: Deploy the Windows 10 client image +## Step 8: Deploy the Windows 10 client image These steps will walk you throug the process of using task sequences to deploy Windows 10 images through a fully automated process. First, you need to add the boot image to Windows Deployment Services (WDS) and then start the deployment. In contrast with deploying images from the MDT Build Lab deployment share, we recommend using the Pre-Installation Execution Environment (PXE) to start the full deployments in the datacenter, even though you technically can use an ISO/CD or USB to start the process. @@ -762,7 +762,7 @@ When monitoring is enabled, MDT also writes information to the event viewer on M Figure 12. The Event Viewer showing a successful deployment of PC0005. -## Multicast deployments +## Multicast deployments Multicast deployment allows for image deployment with reduced network load during simultaneous deployments. Multicast is a useful operating system deployment feature in MDT deployments, however it is important to ensure that your network supports it and is designed for it. 
@@ -787,7 +787,7 @@ Setting up MDT for multicast is straightforward. You enable multicast on the dep Figure 13. The newly created multicast namespace. -## Use offline media to deploy Windows 10 +## Use offline media to deploy Windows 10 In addition to network-based deployments, MDT supports the use of offline media-based deployments of Windows 10. You can very easily generate an offline version of your deployment share - either the full deployment share or a subset of it - by the use of selection profiles. The generated offline media can be burned to a DVD or copied to a USB stick for deployment. @@ -893,7 +893,7 @@ Follow these steps to create a bootable USB stick from the offline media content 6. In the Diskpart utility, type **active**, and then type **exit**. -## Unified Extensible Firmware Interface (UEFI)-based deployments +## Unified Extensible Firmware Interface (UEFI)-based deployments As referenced in [Windows 10 deployment tools](http://go.microsoft.com/fwlink/p/?LinkId=619546), Unified Extensible Firmware Interface (UEFI)-based deployments are becoming more common. In fact, when you create a generation 2 virtual machine in Hyper-V, you get a UEFI-based computer. During deployment, MDT automatically detects that you have an UEFI-based machine and creates the partitions UEFI requires. You do not need to update or change your task sequences in any way to accommodate UFEI. diff --git a/windows/deploy/deploy-windows-81-with-the-microsoft-deployment-toolkit.md b/windows/deploy/deploy-windows-81-with-the-microsoft-deployment-toolkit.md index d918c8d6e5..dc1a94c5a9 100644 --- a/windows/deploy/deploy-windows-81-with-the-microsoft-deployment-toolkit.md +++ b/windows/deploy/deploy-windows-81-with-the-microsoft-deployment-toolkit.md 
@@ -41,7 +41,7 @@ To download the latest version of MDT, visit the [MDT resource page](http://go.m - [Configure MDT settings](configure-mdt-2013-settings.md) -## Proof-of-concept environment +## Proof-of-concept environment For the purposes of this guide, and the topics discussed herein, we will use the following servers and client machines: DC01, MDT01, CM01, PC0001, and PC0002. diff --git a/windows/deploy/deploy-windows-to-go-in-your-organization-small-scenario.md b/windows/deploy/deploy-windows-to-go-in-your-organization-small-scenario.md index f542e8a4c9..6b9a088b5c 100644 --- a/windows/deploy/deploy-windows-to-go-in-your-organization-small-scenario.md +++ b/windows/deploy/deploy-windows-to-go-in-your-organization-small-scenario.md @@ -18,11 +18,11 @@ author: CFaw **In this article** -- [Deployment tips](#deployment_tips) -- [Basic deployment steps](#basic_deployment_steps) -- [Advanced deployment steps](#advanced_deployment_steps) -- [Considerations when using different USB keyboard layouts with Windows To Go](#considerations_when_using_different_usb_keyboard_layouts_with_windows_to_go) -- [Related topics](#related_topics) +- [Deployment tips](#deployment-tips) +- [Basic deployment steps](#basic-deployment-steps) +- [Advanced deployment steps](#advanced-deployment-steps) +- [Considerations when using different USB keyboard layouts with Windows To Go](#considerations-when-using-different-usb-keyboard-layouts-with-windows-to-go) +- [Related topics](#related-topics) This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](../plan/windows-to-go-feature-overview-scenario.md) and [Prepare your organization for Windows To Go](../plan/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment. 
@@ -563,7 +563,7 @@ BitLocker recovery keys are the keys that can be used to unlock a BitLocker prot **Warning**   If the **Choose how BitLocker-protected removable data drives can be recovered** Group Policy setting has been configured to back up recovery information to Active Directory Domain Services, the recovery information for the drive will be stored under the account of the host computer used to apply the recovery key. - If you want to have the recovery information stored under the account of the Windows To Go workspace you can turn BitLocker from within the Windows To Go workspace using the BitLocker Setup Wizard from the BitLocker Control Panel item as described in [To enable BitLocker after distribution](#enable_bitlocker). + If you want to have the recovery information stored under the account of the Windows To Go workspace you can turn BitLocker from within the Windows To Go workspace using the BitLocker Setup Wizard from the BitLocker Control Panel item as described in [To enable BitLocker after distribution](#enable-bitlocker).   @@ -579,7 +579,7 @@ The Windows To Go drives are now ready to be distributed to users and are protec - Instructions for how to retrieve the recovery password if necessary. This may be a help desk process, an automated password retrieval site, or a person to contact. - + **To enable BitLocker after distribution** 1. Insert your Windows To Go drive into your host computer (that is currently shut down) and then turn on the computer and boot into your Windows To Go workspace diff --git a/windows/deploy/estimate-migration-store-size-usmt-win7-usmt-win8.md b/windows/deploy/estimate-migration-store-size-usmt-win7-usmt-win8.md index a3c31299ca..ecc4a77d16 100644 --- a/windows/deploy/estimate-migration-store-size-usmt-win7-usmt-win8.md +++ b/windows/deploy/estimate-migration-store-size-usmt-win7-usmt-win8.md 
@@ -16,36 +16,36 @@ The disk space requirements for a migration are dependent on the size of the mig ## In This Topic -- [Hard Disk Space Requirements](#BKMK_SpaceReqs). Describes the disk space requirements for the migration store and other considerations on the source and destination computers. +- [Hard Disk Space Requirements](#bkmk-spacereqs). Describes the disk space requirements for the migration store and other considerations on the source and destination computers. -- [Calculate Disk Space Requirements Using the ScanState Tool](#BKMK_calcDiskSpace). Describes how to use the ScanState tool to determine how big the migration store will be on a particular computer. +- [Calculate Disk Space Requirements Using the ScanState Tool](#bkmk-calcdiskspace). Describes how to use the ScanState tool to determine how big the migration store will be on a particular computer. -- [Estimate Migration Store Size](#BKMK_EstMigStoreSize). Describes how to estimate the average size of migration stores for the computers in your organization, based on your infrastructure. +- [Estimate Migration Store Size](#bkmk-estmigstoresize). Describes how to estimate the average size of migration stores for the computers in your organization, based on your infrastructure. -## Hard Disk Space Requirements +## Hard Disk Space Requirements - **Store.** For non-hard-link migrations, you should ensure that there is enough available disk space at the location where you will save your store to contain the data being migrated. You can save your store to another partition, an external storage device such as a USB flash drive or a server. For more information, see [Choose a Migration Store Type](choose-a-migration-store-type-usmt-win7-usmt-win8.md). 
- **Source Computer.** The source computer needs enough available space for the following: - - [E250 megabytes (MB) minimum of hard disk space.](#BKMK_EstMigStoreSize) Space is needed to support the User State Migration Tool (USMT) 10.0 operations, for example, growth in the page file. Provided that every volume involved in the migration is formatted as NTFS, 250 MB should be enough space to ensure success for almost every hard-link migration, regardless of the size of the migration. The USMT tools will not create the migration store if 250 MB of disk space is not available. + - [E250 megabytes (MB) minimum of hard disk space.](#bkmk-estmigstoresize) Space is needed to support the User State Migration Tool (USMT) 10.0 operations, for example, growth in the page file. Provided that every volume involved in the migration is formatted as NTFS, 250 MB should be enough space to ensure success for almost every hard-link migration, regardless of the size of the migration. The USMT tools will not create the migration store if 250 MB of disk space is not available. - - [Temporary space for USMT to run.](#BKMK_EstMigStoreSize) Additional disk space for the USMT tools to operate is required. This does not include the minimum 250 MB needed to create the migration store. The amount of temporary space required can be calculated using the ScanState tool. + - [Temporary space for USMT to run.](#bkmk-estmigstoresize) Additional disk space for the USMT tools to operate is required. This does not include the minimum 250 MB needed to create the migration store. The amount of temporary space required can be calculated using the ScanState tool. - - [Hard-link migration store.](#BKMK_EstMigStoreSize) It is not necessary to estimate the size of a hard-link migration store. The only case where the hard-link store can be quite large is when non-NTFS file systems exist on the system and contain data being migrated. 
+ - [Hard-link migration store.](#bkmk-estmigstoresize) It is not necessary to estimate the size of a hard-link migration store. The only case where the hard-link store can be quite large is when non-NTFS file systems exist on the system and contain data being migrated. -- [Destination computer.](#BKMK_EstMigStoreSize) The destination computer needs enough available space for the following: +- [Destination computer.](#bkmk-estmigstoresize) The destination computer needs enough available space for the following: - - [Operating system.](#BKMK_EstMigStoreSize) + - [Operating system.](#bkmk-estmigstoresize) - - [Applications.](#BKMK_EstMigStoreSize) + - [Applications.](#bkmk-estmigstoresize) - - [Data being migrated.](#BKMK_EstMigStoreSize) It is important to consider that in addition to the files being migrated, registry information will also require hard disk space for storage. + - [Data being migrated.](#bkmk-estmigstoresize) It is important to consider that in addition to the files being migrated, registry information will also require hard disk space for storage. - - [Temporary space for USMT to run.](#BKMK_EstMigStoreSize) Additional disk space for the USMT tools to operate is required. The amount of temporary space required can be calculated using the ScanState tool. + - [Temporary space for USMT to run.](#bkmk-estmigstoresize) Additional disk space for the USMT tools to operate is required. The amount of temporary space required can be calculated using the ScanState tool. -## Calculate Disk Space Requirements using the ScanState Tool +## Calculate Disk Space Requirements using the ScanState Tool You can use the ScanState tool to calculate the disk space requirements for a particular compressed or uncompressed migration. It is not necessary to estimate the migration store size for a hard-link migration since this method does not create a separate migration store. 
The ScanState tool provides disk space requirements for the state of the computer at the time the tool is run. The state of the computer may change during day to day use so it is recommended that you use the calculations as an estimate when planning your migration. @@ -99,7 +99,7 @@ The space requirements report provides two elements, <**storeSize**> and & Additionally, USMT performs a compliance check for a required minimum of 250 MB of available disk space and will not create a store if the compliance check fails. -## Estimate Migration Store Size +## Estimate Migration Store Size Determine how much space you will need to store the migrated data. You should base your calculations on the volume of e-mail, personal documents, and system settings for each user. The best way to estimate these is to survey several computers to arrive at an average for the size of the store that you will need. diff --git a/windows/deploy/exclude-files-and-settings-usmt.md b/windows/deploy/exclude-files-and-settings-usmt.md index d9afd8b9dc..ac1e728397 100644 --- a/windows/deploy/exclude-files-and-settings-usmt.md +++ b/windows/deploy/exclude-files-and-settings-usmt.md 
@@ -15,20 +15,20 @@ When you specify the migration .xml files, MigApp.xml, Migdocs, and MigUser.xml, In this topic: -- [Create a custom .xml file](#Options). You can use the following elements to specify what to exclude: +- [Create a custom .xml file](#options). You can use the following elements to specify what to exclude: - - [include and exclude](#BKMK_IncludeExclude): You can use the <include> and <exclude> elements to exclude objects with conditions. For example, you can migrate all files located in the C:\\ drive, except any .mp3 files. It is important to remember that [Conflicts and Precedence](conflicts-and-precedence-usmt-win7-usmt-win8.md) apply to these elements. + - [include and exclude](#bkmk-includeexclude): You can use the <include> and <exclude> elements to exclude objects with conditions. For example, you can migrate all files located in the C:\\ drive, except any .mp3 files. It is important to remember that [Conflicts and Precedence](conflicts-and-precedence-usmt-win7-usmt-win8.md) apply to these elements. - - [unconditionalExclude](#ExOne): You can use the <unconditionalExclude> element to globally exclude data. This element takes precedence over all other include and exclude rules in the .xml files. Therefore, this element excludes objects regardless of any other <include> rules that are in the .xml files. For example, you can exclude all .mp3 files on the computer, or you can exclude all files from C:\\UserData. + - [unconditionalExclude](#exone): You can use the <unconditionalExclude> element to globally exclude data. This element takes precedence over all other include and exclude rules in the .xml files. Therefore, this element excludes objects regardless of any other <include> rules that are in the .xml files. For example, you can exclude all .mp3 files on the computer, or you can exclude all files from C:\\UserData. 
-- [Create a Config.xml file](#Co): You can create and modify a Config.xml file to exclude an entire component from the migration. For example, you can use this file to exclude the settings for one of the default applications. In addition, creating and modifying a Config.xml file is the only way to exclude the operating-system settings that are migrated to computers running Windows. Excluding components using this file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax. +- [Create a Config.xml file](#co): You can create and modify a Config.xml file to exclude an entire component from the migration. For example, you can use this file to exclude the settings for one of the default applications. In addition, creating and modifying a Config.xml file is the only way to exclude the operating-system settings that are migrated to computers running Windows. Excluding components using this file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax. -## Create a custom .xml file +## Create a custom .xml file We recommend that you create a custom .xml file instead of modifying the default migration .xml files. When you use a custom .xml file, you can keep your changes separate from the default .xml files, which makes it easier to track your modifications. -### <include> and <exclude> +### <include> and <exclude> The migration .xml files, MigApp.xml, MigDocs, and MigUser.xml, contain the <component> element, which typically represents a self-contained component or an application such as Microsoft® Office Outlook® and Word. To exclude the files and registry settings that are associated with these components, use the <include> and <exclude> elements. For example, you can use these elements to migrate all files and settings with pattern X except files and settings with pattern Y, where Y is more specific than X. 
For the syntax of these elements, see [USMT XML Reference](usmt-xml-reference-usmt-win7-usmt-win8.md). @@ -37,17 +37,17 @@ If you specify an <exclude> rule, always specify a corresponding <inclu   -- [Example 1: How to migrate all files from C:\\ except .mp3 files](#Ex1) +- [Example 1: How to migrate all files from C:\\ except .mp3 files](#ex1) -- [Example 2: How to migrate all files located in C:\\Data except files in C:\\Data\\tmp](#Ex2) +- [Example 2: How to migrate all files located in C:\\Data except files in C:\\Data\\tmp](#ex2) -- [Example 3: How to exclude the files in a folder but include all subfolders](#Ex3) +- [Example 3: How to exclude the files in a folder but include all subfolders](#ex3) -- [Example 4: How to exclude a file from a specific folder](#Ex4) +- [Example 4: How to exclude a file from a specific folder](#ex4) -- [Example 5: How to exclude a file from any location](#Ex5) +- [Example 5: How to exclude a file from any location](#ex5) -### Example 1: How to migrate all files from C:\\ except .mp3 files +### Example 1: How to migrate all files from C:\\ except .mp3 files The following .xml file migrates all files located on the C: drive, except any .mp3 files. @@ -74,7 +74,7 @@ The following .xml file migrates all files located on the C: drive, except any . ``` -### Example 2: How to migrate all files located in C:\\Data except files in C:\\Data\\tmp +### Example 2: How to migrate all files located in C:\\Data except files in C:\\Data\\tmp The following .xml file migrates all files and subfolders in C:\\Data, except the files and subfolders in C:\\Data\\tmp. 
@@ -100,7 +100,7 @@ The following .xml file migrates all files and subfolders in C:\\Data, except th ``` -### Example 3: How to exclude the files in a folder but include all subfolders +### Example 3: How to exclude the files in a folder but include all subfolders The following .xml file migrates any subfolders in C:\\EngineeringDrafts, but excludes all files that are in C:\\EngineeringDrafts. @@ -126,7 +126,7 @@ The following .xml file migrates any subfolders in C:\\EngineeringDrafts, but ex ``` -### Example 4: How to exclude a file from a specific folder +### Example 4: How to exclude a file from a specific folder The following .xml file migrates all files and subfolders in C:\\EngineeringDrafts, except for the Sample.doc file in C:\\EngineeringDrafts. @@ -152,7 +152,7 @@ The following .xml file migrates all files and subfolders in C:\\EngineeringDraf ``` -### Example 5: How to exclude a file from any location +### Example 5: How to exclude a file from any location To exclude a Sample.doc file from any location on the C: drive, use the <pattern> element. If multiple files exist with the same name on the C: drive, all of these files will be excluded. @@ -168,7 +168,7 @@ To exclude a Sample.doc file from any drive on the computer, use the <script& [USMT XML Reference](usmt-xml-reference-usmt-win7-usmt-win8.md) -### Example 1: How to exclude all .mp3 files +### Example 1: How to exclude all .mp3 files The following .xml file excludes all .mp3 files from the migration: @@ -189,7 +189,7 @@ The following .xml file excludes all .mp3 files from the migration: ``` -### Example 2: How to exclude all of the files on a specific drive +### Example 2: How to exclude all of the files on a specific drive The following .xml file excludes only the files located on the C: drive. 
@@ -210,7 +210,7 @@ The following .xml file excludes only the files located on the C: drive. ``` -### Example 3: How to exclude registry keys +### Example 3: How to exclude registry keys The following .xml file unconditionally excludes the HKey\_Current\_User registry key and all of its subkeys. @@ -237,7 +237,7 @@ The following .xml file unconditionally excludes the HKey\_Current\_User registr ``` -### Example 4: How to Exclude C:\\Windows and C:\\Program Files +### Example 4: How to Exclude C:\\Windows and C:\\Program Files The following .xml file unconditionally excludes the system folders of C:\\Windows and C:\\Program Files. Note that all \*.docx, \*.xls and \*.ppt files will not be migrated because the <unconditionalExclude> element takes precedence over the <include> element. @@ -267,7 +267,7 @@ The following .xml file unconditionally excludes the system folders of C:\\Windo ``` -## Create a Config.xml File +## Create a Config.xml File You can create and modify a Config.xml file if you want to exclude components from the migration. Excluding components using this file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax. Config.xml is an optional file that you can create using the **/genconfig** command-line option with the ScanState tool. For example, you can use the Config.xml file to exclude the settings for one of the default applications. In addition, creating and modifying this file is the only way to exclude the operating-system settings that are migrated to computers running Windows. diff --git a/windows/deploy/extract-files-from-a-compressed-usmt-migration-store.md b/windows/deploy/extract-files-from-a-compressed-usmt-migration-store.md index 46b26ceb99..70d6bc7564 100644 --- a/windows/deploy/extract-files-from-a-compressed-usmt-migration-store.md +++ b/windows/deploy/extract-files-from-a-compressed-usmt-migration-store.md 
@@ -26,17 +26,17 @@ In addition, you can specify the file patterns that you want to extract by using ## In this topic -- [To run the USMTutils tool with the /extract option](#BKMK_extractSyntax) +- [To run the USMTutils tool with the /extract option](#bkmk-extractsyntax) -- [To extract all files from a compressed migration store](#BKMK_extractAllFiles) +- [To extract all files from a compressed migration store](#bkmk-extractallfiles) -- [To extract specific file types from an encrypted compressed migration store](#BKMK_extractSpecificFiles) +- [To extract specific file types from an encrypted compressed migration store](#bkmk-extractspecificfiles) -- [To extract all but one, or more, file types from an encrypted compressed migration store](#BKMK_excludeFilePattern) +- [To extract all but one, or more, file types from an encrypted compressed migration store](#bkmk-excludefilepattern) -- [To extract file types using the include pattern and the exclude pattern](#BKMK_includeExcludeFiles) +- [To extract file types using the include pattern and the exclude pattern](#bkmk-includeexcludefiles) -### To run the USMTutils tool with the /extract option +### To run the USMTutils tool with the /extract option To extract files from the compressed migration store onto the destination computer, use the following USMTutils syntax: @@ -62,7 +62,7 @@ Where the placeholders have the following values: - *<filename>* is the location and name of the text file that contains the encryption key. -### To extract all files from a compressed migration store +### To extract all files from a compressed migration store To extract everything from a compressed migration store to a file on the C:\\ drive, type: 
@@ -70,7 +70,7 @@ To extract everything from a compressed migration store to a file on the C:\\ dr usmtutils /extract D:\MyMigrationStore\USMT\store.mig C:\ExtractedStore ``` -### To extract specific file types from an encrypted compressed migration store +### To extract specific file types from an encrypted compressed migration store To extract specific files, such as .txt and .pdf files, from an encrypted compressed migration store, type: @@ -80,7 +80,7 @@ usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:"*.txt,*.pdf" C:\Extrac In this example, the file is encrypted and the encryption key is located in a text file called encryptionKey. -### To extract all but one, or more, file types from an encrypted compressed migration store +### To extract all but one, or more, file types from an encrypted compressed migration store To extract all files except for one file type, such as .exe files, from an encrypted compressed migration store, type: @@ -88,7 +88,7 @@ To extract all files except for one file type, such as .exe files, from an encry usmtutils /extract D:\MyMigrationStore\USMT\store.mig /e:*.exe C:\ExtractedStore /decrypt:AES_128 /key:password /l:C:\usmtutilslog.txt ``` -### To extract file types using the include pattern and the exclude pattern +### To extract file types using the include pattern and the exclude pattern To extract files from a compressed migration store, and to exclude files of one type (such as .exe files) while including only specific files, use both the include pattern and the exclude pattern, as in this example: diff --git a/windows/deploy/finalize-the-operating-system-configuration-for-windows-81-deployment-with-configuration-manager.md b/windows/deploy/finalize-the-operating-system-configuration-for-windows-81-deployment-with-configuration-manager.md index 0857bdbfdb..457b990a4f 100644 --- a/windows/deploy/finalize-the-operating-system-configuration-for-windows-81-deployment-with-configuration-manager.md 
+++ b/windows/deploy/finalize-the-operating-system-configuration-for-windows-81-deployment-with-configuration-manager.md @@ -24,13 +24,13 @@ author: CFaw - [Distribute content to the CM01 distribution portal](#sec04) - [Create a deployment for the task sequence](#sec05) - [Configure Configuration Manager to prompt for the computer name during deployment (optional)](#sec06) -- [Related topics](#related_topics) +- [Related topics](#related-topics) This topic walks you through the steps to finalize the configuration of your Windows 10 operating deployment, which includes enablement of the optional Microsoft Deployment Toolkit (MDT) monitoring for Microsoft System Center 2012 R2 Configuration Manager, logs folder creation, rules configuration, content distribution, and deployment of the previously created task sequence. For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. Both are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-81-with-the-microsoft-deployment-toolkit.md). -## Enable MDT monitoring +## Enable MDT monitoring This section will walk you through the process of creating the E:\\MDTProduction deployment share using the MDT Deployment Workbench to enable monitoring for Configuration Manager. 
@@ -51,7 +51,7 @@ This section will walk you through the process of creating the E:\\MDTProduction Figure 26. Enabling MDT monitoring for Configuration Manager. -## Create and share the Logs folder +## Create and share the Logs folder To support additional server-side logging in Configuration Manager, you create and share the E:\\Logs folder on CM01 using Windows PowerShell. Then in the next step, you enable server-side logging by modifying the CustomSettings.ini file used by the Configuration Manager task sequence. @@ -66,7 +66,7 @@ To support additional server-side logging in Configuration Manager, you create a icacls E:\Logs /grant '"CM_NAA":(OI)(CI)(M)' ``` -## Configure the rules (Windows 10 x64 Settings package) +## Configure the rules (Windows 10 x64 Settings package) This section will show you how to configure the rules (the Windows 10 x64 Settings package) to support the Contoso environment. @@ -102,7 +102,7 @@ Although you have not yet added a distribution point, you still need to select U   -## Distribute content to the CM01 distribution portal +## Distribute content to the CM01 distribution portal In Configuration Manager, you can distribute all packages needed by a task sequence in a single task. In this section, you distribute packages that have not yet been distributed to the CM01 distribution point. @@ -113,7 +113,7 @@ In Configuration Manager, you can distribute all packages needed by a task seque 3. Using Configuration Manager Trace, verify the distribution to the CM01 distribution point by reviewing the distmgr.log file, or use the Distribution Status / Content Status option in the Monitoring workspace. Do not continue until you see all the new packages being distributed successfully. -## Create a deployment for the task sequence +## Create a deployment for the task sequence This sections provides steps to help you create a deployment for the task sequence. 
@@ -144,7 +144,7 @@ This sections provides steps to help you create a deployment for the task sequen Figure 29. The Windows 10 Enterprise x64 RTM task sequence deployed to the All Unknown Computers collections available for media and PXE. -## Configure Configuration Manager to prompt for the computer name during deployment (optional) +## Configure Configuration Manager to prompt for the computer name during deployment (optional) You can have Configuration Manager prompt you for a computer name or you can use rules to generate a computer name. For more details on how to do this, see [Configure MDT settings](configure-mdt-2013-settings.md). diff --git a/windows/deploy/frequently-asked-questions-usmt-win7-usmt-win8.md b/windows/deploy/frequently-asked-questions-usmt-win7-usmt-win8.md index 14cc5335fc..a7ce688d17 100644 --- a/windows/deploy/frequently-asked-questions-usmt-win7-usmt-win8.md +++ b/windows/deploy/frequently-asked-questions-usmt-win7-usmt-win8.md @@ -13,10 +13,10 @@ author: CFaw The following sections provide frequently asked questions and recommended solutions for migrations using User State Migration Tool (USMT) 10.0. -## General +## General -### How much space is needed on the destination computer? +### How much space is needed on the destination computer? The destination computer needs enough available space for the following: @@ -26,7 +26,7 @@ The destination computer needs enough available space for the following: - Uncompressed store -### Can I store the files and settings directly on the destination computer or do I need a server? +### Can I store the files and settings directly on the destination computer or do I need a server? You do not need to save the files to a server. If you are moving the user state to a new computer, you can create the store on a shared folder, on media that you can remove, such as a USB flash drive (UFD), or you can store it directly on the destination computer, as in the following steps: 
@@ -36,11 +36,11 @@ You do not need to save the files to a server. If you are moving the user state 3. Run the LoadState tool on the destination computer and specify C:\\store as the store location. -### Can I migrate data between operating systems with different languages? +### Can I migrate data between operating systems with different languages? No. USMT does not support migrating data between operating systems with different languages; the source computer's operating-system language must match the destination computer's operating-system language. -### Can I change the location of the temporary directory on the destination computer? +### Can I change the location of the temporary directory on the destination computer? Yes. The environment variable USMT\_WORKING\_DIR can be changed to an alternative temporary directory. There are some offline migration scenarios where this is necessary, for example, when the USMT binaries are located on read-only Windows Preinstallation Environment (WinPE) boot media. 
@@ -48,25 +48,25 @@ Yes. The environment variable USMT\_WORKING\_DIR can be changed to an alternativ Because USMT is included in Windows Assessment and Deployment Kit (Windows ADK), you need to install the Windows ADK package on at least one computer in your environment. However, the USMT binaries are designed to be deployed using xcopy. This means that they are installed on a computer simply by recursively copying the USMT directory from the computer containing the Windows ADK to each client computer. -### How do I uninstall USMT? +### How do I uninstall USMT? If you have installed the Windows ADK on the computer, uninstalling Windows ADK will uninstall USMT. For client computers that do not have the Windows ADK installed, you can simply delete the USMT directory to uninstall USMT. -## Files and Settings +## Files and Settings -### How can I exclude a folder or a certain type of file from the migration? +### How can I exclude a folder or a certain type of file from the migration? You can use the **<unconditionalExclude>** element to globally exclude data from the migration. For example, you can use this element to exclude all MP3 files on the computer or to exclude all files from C:\\UserData. This element excludes objects regardless of any other <include> rules that are in the .xml files. For an example, see <unconditionalExclude> in the [Exclude Files and Settings](exclude-files-and-settings-usmt.md) topic. For the syntax of this element, see [XML Elements Library](xml-elements-library-usmt-win7-usmt-win8.md). -### What happens to files that were located on a drive that does not exist on the destination computer? +### What happens to files that were located on a drive that does not exist on the destination computer? USMT migrates the files to the %SystemDrive% while maintaining the correct folder hierarchy. 
For example, if E:\\data\\File.pst is on the source computer, but the destination computer does not have an E:\\ drive, the file will be migrated to C:\\data\\File.pst, if C:\\ is the system drive. This holds true even when <locationModify> rules attempt to move data to a drive that does not exist on the destination computer. -## USMT .xml Files +## USMT .xml Files -### Where can I get examples of USMT .xml files? +### Where can I get examples of USMT .xml files? The following topics include examples of USMT .xml files: 
@@ -78,25 +78,25 @@ The following topics include examples of USMT .xml files: - [Custom XML Examples](custom-xml-examples-usmt-win7-usmt-win8.md) -### Can I use custom .xml files that were written for USMT 5.0? +### Can I use custom .xml files that were written for USMT 5.0? Yes. You can use custom .xml files that were written for USMT 5.0 with USMT for Windows 10. However, in order to use new USMT functionality, you must revisit your custom USMT files and refresh them to include the new command-line options and XML elements. -### How can I validate the .xml files? +### How can I validate the .xml files? You can use the USMT XML Schema (MigXML.xsd) to write and validate migration .xml files. -### Why must I list the .xml files with both the ScanState and LoadState commands? +### Why must I list the .xml files with both the ScanState and LoadState commands? The .xml files are not copied to the store as in previous versions of USMT. Because the ScanState and LoadState tools need the .xml files to control the migration, you must specify the same set of .xml files for the **ScanState** and **LoadState** commands. If you used a particular set of mig\*.xml files in the ScanState tool, either called through the "/auto" option, or individually through the "/i" option, then you should use same option to call the exact same mig\*.xml files in the LoadState tool. However, you do not have to specify the Config.xml file, unless you want to exclude some of the files and settings that you migrated to the store. For example, you might want to migrate the My Documents folder to the store, but not to the destination computer. To do this, modify the Config.xml file and specify the updated file with the **LoadState** command. **LoadState** will migrate only the files and settings that you want to migrate. If you exclude an .xml file from the **LoadState** command, then all of the data that is in the store that was migrated with the missing .xml files will be migrated. 
However, the migration rules that were specified for the **ScanState** command will not apply. For example, if you exclude a MigApp.xml file that has a rerouting rule such as `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")`, USMT will not reroute the files. Instead, it will migrate them to C:\\data. -### Which files can I modify and specify on the command line? +### Which files can I modify and specify on the command line? You can specify the MigUser.xml and MigApp.xml files on the command line. You can modify each of these files. The migration of operating system settings is controlled by the manifests, which you cannot modify. If you want to exclude certain operating-system settings or any other components, create and modify the Config.xml file. -### What happens if I do not specify the .xml files on the command line? +### What happens if I do not specify the .xml files on the command line? - **ScanState** @@ -109,7 +109,7 @@ You can specify the MigUser.xml and MigApp.xml files on the command line. You ca ## Conflicts and Precedence -### What happens when there are conflicting XML rules or conflicting objects on the destination computer? +### What happens when there are conflicting XML rules or conflicting objects on the destination computer? For more information, see [Conflicts and Precedence](conflicts-and-precedence-usmt-win7-usmt-win8.md). diff --git a/windows/deploy/general-conventions-usmt-win7-usmt-win8.md b/windows/deploy/general-conventions-usmt-win7-usmt-win8.md index ede5939950..147cdf05e2 100644 --- a/windows/deploy/general-conventions-usmt-win7-usmt-win8.md +++ b/windows/deploy/general-conventions-usmt-win7-usmt-win8.md 
@@ -16,11 +16,11 @@ This topic describes the XML helper functions. ## In This Topic -[General XML Guidelines](#BKMK_General) +[General XML Guidelines](#bkmk-general) -[Helper Functions](#BKMK_HelperFunctions) +[Helper Functions](#bkmk-helperfunctions) -## General XML Guidelines +## General XML Guidelines Before you modify the .xml files, become familiar with the following guidelines: @@ -51,7 +51,7 @@ Before you modify the .xml files, become familiar with the following guidelines: When you surround code in quotation marks, you can use either double ("") or single (') quotation marks. -## Helper Functions +## Helper Functions You can use the XML helper functions in the [XML Elements Library](xml-elements-library-usmt-win7-usmt-win8.md) to change migration behavior. Before you use these functions in an .xml file, note the following: diff --git a/windows/deploy/getting-started-with-the-user-state-migration-tool--usmt-.md b/windows/deploy/getting-started-with-the-user-state-migration-tool--usmt-.md index 76c9ebdca4..4655b7d762 100644 --- a/windows/deploy/getting-started-with-the-user-state-migration-tool--usmt-.md +++ b/windows/deploy/getting-started-with-the-user-state-migration-tool--usmt-.md 
@@ -16,13 +16,13 @@ This topic outlines the general process that you should follow to migrate files ## In this Topic -- [Step One: Plan Your Migration](#BKMK_PlanMig) +- [Step One: Plan Your Migration](#bkmk-planmig) -- [Step Two: Collect Files and Settings from the Source Computer](#BKMK_CollectFiles) +- [Step Two: Collect Files and Settings from the Source Computer](#bkmk-collectfiles) -- [Step Three: Prepare the Destination Computer and Restore Files and Settings](#BKMK_PrepareDestination) +- [Step Three: Prepare the Destination Computer and Restore Files and Settings](#bkmk-preparedestination) -## Step One: Plan Your Migration +## Step One: Plan Your Migration 1. [Plan Your Migration](plan-your-migration-usmt-win7-usmt-win8.md). Depending on whether your migration scenario is refreshing or replacing computers, you can choose an online migration or an offline migration using Windows Preinstallation Environment (WinPE) or the files in the Windows.old directory. For more information, see [Common Migration Scenarios](common-migration-scenarios-usmt-win7-usmt-win8.md). @@ -48,7 +48,7 @@ This topic outlines the general process that you should follow to migrate files 7. Review the migration state of the components listed in the Config.xml file, and specify `migrate=no` for any components that you do not want to migrate. -## Step Two: Collect Files and Settings from the Source Computer +## Step Two: Collect Files and Settings from the Source Computer 1. Back up the source computer. @@ -71,7 +71,7 @@ This topic outlines the general process that you should follow to migrate files 4. Run the **USMTUtils** command with the **/Verify** option to ensure that the store you created is not corrupted. -## Step Three: Prepare the Destination Computer and Restore Files and Settings +## Step Three: Prepare the Destination Computer and Restore Files and Settings 1. Install the operating system on the destination computer. 
diff --git a/windows/deploy/hard-link-migration-store-usmt-win8.md b/windows/deploy/hard-link-migration-store-usmt-win8.md index 46f33cfa8b..e1b2f13561 100644 --- a/windows/deploy/hard-link-migration-store-usmt-win8.md +++ b/windows/deploy/hard-link-migration-store-usmt-win8.md @@ -16,29 +16,29 @@ A *hard-link migration store* enables you to perform an in-place migration where ## In This Topic -[When to Use a Hard-Link Migration](#BKMK_When) +[When to Use a Hard-Link Migration](#bkmk-when) -[Understanding a Hard-Link Migration](#BKMK_UnderstandHardlinkMig) +[Understanding a Hard-Link Migration](#bkmk-understandhardlinkmig) -[Scenario](#BKMK_Scenario) +[Scenario](#bkmk-scenario) -[Hard-Link Migration Store Details](#BKMK_HardLinkStoreDetails) +[Hard-Link Migration Store Details](#bkmk-hardlinkstoredetails) -[Hard Disk Space](#BKMK_HardDiskSpace) +[Hard Disk Space](#bkmk-harddiskspace) -[Hard-Link Store Size Estimation](#BKMK_HardLinkStoreSizeEst) +[Hard-Link Store Size Estimation](#bkmk-hardlinkstoresizeest) -[Migration Store Path on Multiple Volumes](#BKMK_MigStoreMultVolumes) +[Migration Store Path on Multiple Volumes](#bkmk-migstoremultvolumes) -[Location Modifications](#BKMK_LocationModify) +[Location Modifications](#bkmk-locationmodify) -[Migrating Encrypting File System (EFS) Certificates and Files](#BKMK_EFS) +[Migrating Encrypting File System (EFS) Certificates and Files](#bkmk-efs) -[Migrating Locked Files With the Hard-Link Migration Store](#BKMK_MigLockedFiles) +[Migrating Locked Files With the Hard-Link Migration Store](#bkmk-miglockedfiles) -[XML Elements in the Config.xml File](#BKMK_XMLElementsinConfig) +[XML Elements in the Config.xml File](#bkmk-xmlelementsinconfig) -## When to Use a Hard-Link Migration +## When to Use a Hard-Link Migration You can use a hard-link migration store when your planned migration meets both of the following criteria: 
@@ -55,7 +55,7 @@ You cannot use a hard-link migration store if your planned migration includes an - You are formatting or repartitioning the disk outside of Windows Setup, or specifying a disk format or repartition during Windows Setup that will remove the migration store. -## Understanding a Hard-Link Migration +## Understanding a Hard-Link Migration The hard-link migration store is created using the command-line option, **/hardlink**, and is equivalent to other migration-store types. However, it differs in that hard links are utilized to keep files stored on the source computer during the migration. Keeping the files in place on the source computer eliminates the redundant work of duplicating files. It also enables the performance benefits and reduction in disk utilization that define this scenario. @@ -91,7 +91,7 @@ The read-only file attribute on migrated files is lost when the hard-link migrat   -## Hard-Link Migration Scenario +## Hard-Link Migration Scenario For example, a company has decided to deploy Windows 10 on all of their computers. Each employee will keep the same computer, but the operating system on each computer will be updated. 
@@ -107,20 +107,20 @@ For example, a company has decided to deploy Windows 10 on all of their compute 3. An administrator runs the LoadState command-line tool on each computer. The LoadState tool restores user state back on each computer. -## Hard-Link Migration Store Details +## Hard-Link Migration Store Details This section provides details about hard-link migration stores. -### Hard Disk Space +### Hard Disk Space The **/hardlink** command-line option proceeds with creating the migration store only if there is 250 megabytes (MB) of free space on the hard disk. Provided that every volume involved in the migration is formatted as NTFS, 250 MB should be enough space to ensure success for almost every hard-link migration, regardless on the size of the migration. -### Hard-Link Store Size Estimation +### Hard-Link Store Size Estimation It is not necessary to estimate the size of a hard-link migration store. Estimating the size of a migration store is only useful in scenarios where the migration store is very large, and on NTFS volumes the hard-link migration store will require much less incremental space than other store options. The only case where the local store can be quite large is when non-NTFS file systems exist on the system and contain data being migrated. Since NTFS has been the default file system format for Windows XP and newer operating systems, this situation is unusual. -### Migration Store Path on Multiple Volumes +### Migration Store Path on Multiple Volumes Separate hard-link migration stores are created on each NTFS volume that contain data being migrated. In this scenario, the primary migration-store location will be specified on the command line, and should be the operating-system volume. Migration stores with identical names and directory names will be created on every volume containing data being migrated. For example: 
@@ -134,11 +134,11 @@ D:\\USMTMIG\\ The drive you specify on the command line for the hard-link migration store is important, because it defines where the *master migration store* should be placed. The *master migration store* is the location where data migrating from non-NTFS volumes is stored. This volume must have enough space to contain all of the data that comes from non-NTFS volumes. As in other scenarios, if a migration store already exists at the specified path, the **/o** option must be used to overwrite the existing data in the store. -### Location Modifications +### Location Modifications Location modifications that redirect migrated content from one volume to a different volume have an adverse impact on the performance of a hard-link migration. This is because the migrating data that must cross system volumes cannot remain in the hard-link migration store, and must be copied across the system volumes. -### Migrating Encrypting File System (EFS) Certificates and Files +### Migrating Encrypting File System (EFS) Certificates and Files To migrate Encrypting File System (EFS) files to a new installation of an operating system on the same volume of the computer, specify the **/efs:hardlink** option in the Scanstate command-line syntax. @@ -146,7 +146,7 @@ If the EFS files are being restored to a different partition, you should use the For more information, see [Migrate EFS Files and Certificates](migrate-efs-files-and-certificates-umst.md) and the Encrypted File Options in [ScanState Syntax](scanstate-syntax-usmt-win7-usmt-win8.md). -### Migrating Locked Files with the Hard-Link Migration Store +### Migrating Locked Files with the Hard-Link Migration Store Files that are locked by an application or the operating system are handled differently when using a hard-link migration store. 
@@ -159,7 +159,7 @@ There are some scenarios in which modifying the **<HardLinkStoreControl>**   -## XML Elements in the Config.xml File +## XML Elements in the Config.xml File A new section in the Config.xml file allows optional configuration of some of the hard-link migration behavior introduced with the **/HardLink** option. diff --git a/windows/deploy/how-usmt-works-usmt-win7-usmt-win8.md b/windows/deploy/how-usmt-works-usmt-win7-usmt-win8.md index e8efda8bd4..a0e7e4e3d7 100644 --- a/windows/deploy/how-usmt-works-usmt-win7-usmt-win8.md +++ b/windows/deploy/how-usmt-works-usmt-win7-usmt-win8.md @@ -13,16 +13,16 @@ author: CFaw USMT includes two tools that migrate settings and data: ScanState and LoadState. ScanState collects information from the source computer, and LoadState applies that information to the destination computer. -- [ScanState Process](#BKMK_SSProcess) +- [ScanState Process](#bkmk-ssprocess) -- [LoadState Process](#BKMK_LSProcess) +- [LoadState Process](#bkmk-lsprocess) **Note**   For more information about how USMT processes the rules and the XML files, see [Conflicts and Precedence](conflicts-and-precedence-usmt-win7-usmt-win8.md).   -## The ScanState Process +## The ScanState Process When you run the ScanState tool on the source computer, it goes through the following process: @@ -78,7 +78,7 @@ When you run the ScanState tool on the source computer, it goes through the foll   -## The LoadState Process +## The LoadState Process The LoadState process is very similar to the ScanState process. The ScanState tool collects migration units such as file, registry key, or registry values from the source computer and saves them to the store. Similarly, the LoadState tool collects migration units from the store and applies them to the destination computer. diff --git a/windows/deploy/identify-users-usmt-win7-usmt-win8.md b/windows/deploy/identify-users-usmt-win7-usmt-win8.md index 71e4a9c73f..ee151348d5 100644 
--- a/windows/deploy/identify-users-usmt-win7-usmt-win8.md +++ b/windows/deploy/identify-users-usmt-win7-usmt-win8.md 
@@ -16,50 +16,50 @@ It is important to carefully consider how you plan to migrate users. By default, ## In This Topic -- [Migrating Local Accounts](#BKMK_8) +- [Migrating Local Accounts](#bkmk-8) -- [Migrating Domain Accounts](#BKMK_9) +- [Migrating Domain Accounts](#bkmk-9) -- [Command-Line Options](#BKMK_7) +- [Command-Line Options](#bkmk-7) -## Migrating Local Accounts +## Migrating Local Accounts Before migrating local accounts, note the following: -- [You must explicitly specify that local accounts that are not on the destination computer should be migrated.](#BKMK_8) If you are migrating local accounts and the local account does not exist on the destination computer, you must use the**/lac** option when using the LoadState command. If the **/lac** option is not specified, no local user accounts will be migrated. +- [You must explicitly specify that local accounts that are not on the destination computer should be migrated.](#bkmk-8) If you are migrating local accounts and the local account does not exist on the destination computer, you must use the**/lac** option when using the LoadState command. If the **/lac** option is not specified, no local user accounts will be migrated. -- [Consider whether to enable user accounts that are new to the destination computer.](#BKMK_8) The **/lae** option enables the account that was created with the **/lac** option. However, if you create a disabled local account by using only the **/lac** option, a local administrator must enable the account on the destination computer. +- [Consider whether to enable user accounts that are new to the destination computer.](#bkmk-8) The **/lae** option enables the account that was created with the **/lac** option. However, if you create a disabled local account by using only the **/lac** option, a local administrator must enable the account on the destination computer. 
-- [Be careful when specifying a password for local accounts.](#BKMK_8) If you create the local account with a blank password, anyone could log on to that account on the destination computer. If you create the local account with a password, the password is available to anyone with access to the USMT command-line tools. +- [Be careful when specifying a password for local accounts.](#bkmk-8) If you create the local account with a blank password, anyone could log on to that account on the destination computer. If you create the local account with a password, the password is available to anyone with access to the USMT command-line tools. **Note**   If there are multiple users on a computer, and you specify a password with the **/lac** option, all migrated users will have the same password.   -## Migrating Domain Accounts +## Migrating Domain Accounts The source and destination computers do not need to be connected to the domain for domain user profiles to be migrated. -## Command-Line Options +## Command-Line Options USMT provides several options to migrate multiple users on a single computer. The following command-line options specify which users to migrate. -- [Specifying users.](#BKMK_8) You can specify which users to migrate with the **/all**, **/ui**, **/uel**, and **/ue** options with both the ScanState and LoadState command-line tools. +- [Specifying users.](#bkmk-8) You can specify which users to migrate with the **/all**, **/ui**, **/uel**, and **/ue** options with both the ScanState and LoadState command-line tools. **Important**   The **/uel** option excludes users based on the **LastModified** date of the Ntuser.dat file. The **/uel** option is not valid in offline migrations.   -- [Moving users to another domain.](#BKMK_8) You can move user accounts to another domain using the **/md** option with the LoadState command-line tool. 
+- [Moving users to another domain.](#bkmk-8) You can move user accounts to another domain using the **/md** option with the LoadState command-line tool. -- [Creating local accounts.](#BKMK_8) You can create and enable local accounts using the **/lac** and **/lae** options with the LoadState command-line tool. +- [Creating local accounts.](#bkmk-8) You can create and enable local accounts using the **/lac** and **/lae** options with the LoadState command-line tool. -- [Renaming user accounts.](#BKMK_8) You can rename user accounts using the **/mu** option. +- [Renaming user accounts.](#bkmk-8) You can rename user accounts using the **/mu** option. **Note**   By default, if a user name is not specified in any of the command-line options, the user will be migrated. diff --git a/windows/deploy/include-files-and-settings-usmt.md b/windows/deploy/include-files-and-settings-usmt.md index 86238d92fc..04eabc2f5b 100644 --- a/windows/deploy/include-files-and-settings-usmt.md +++ b/windows/deploy/include-files-and-settings-usmt.md 
@@ -15,19 +15,19 @@ When you specify the migration .xml files, User State Migration Tool (USMT) 10. In this topic: -[Migrate a Single Registry Key](#BKMK_MigSingleRegKey) +[Migrate a Single Registry Key](#bkmk-migsingleregkey) -[Migrate a Specific Folder](#BKMK_MigSpecificFolder) +[Migrate a Specific Folder](#bkmk-migspecificfolder) -[Migrate a Folder from a Specific Drive](#BKMK_MigFoldSpecDrive) +[Migrate a Folder from a Specific Drive](#bkmk-migfoldspecdrive) -[Migrate a Folder from Any Location](#BKMK_MigFolderAnyLoc) +[Migrate a Folder from Any Location](#bkmk-migfolderanyloc) -[Migrate a File Type Into a Specific Folder](#BKMK_MigFileTypeToSpecificFolder) +[Migrate a File Type Into a Specific Folder](#bkmk-migfiletypetospecificfolder) -[Migrate a Specific File](#BKMK_MigSpecificFile) +[Migrate a Specific File](#bkmk-migspecificfile) -## Migrate a Single Registry Key +## Migrate a Single Registry Key The following .xml file migrates a single registry key. @@ -49,12 +49,12 @@ The following .xml file migrates a single registry key. ``` -## Migrate a Specific Folder +## Migrate a Specific Folder The following examples show how to migrate a folder from a specific drive, and from any location on the computer. -### Migrate a Folder from a Specific Drive +### Migrate a Folder from a Specific Drive - **Including subfolders.** The following .xml file migrates all files and subfolders from C:\\EngineeringDrafts to the destination computer. @@ -94,7 +94,7 @@ The following examples show how to migrate a folder from a specific drive, and f ``` -### Migrate a Folder from Any Location +### Migrate a Folder from Any Location The following .xml file migrates all files and subfolders of the EngineeringDrafts folder from any drive on the computer. If multiple folders exist with the same name, then all files with this name are migrated. 
@@ -136,7 +136,7 @@ The following .xml file migrates all files and subfolders of the EngineeringDraf ``` -## Migrate a File Type Into a Specific Folder +## Migrate a File Type Into a Specific Folder The following .xml file migrates .mp3 files located in the specified drives on the source computer into the C:\\Music folder on the destination computer. @@ -164,7 +164,7 @@ The following .xml file migrates .mp3 files located in the specified drives on t ``` -## Migrate a Specific File +## Migrate a Specific File The following examples show how to migrate a file from a specific folder, and how to migrate a file from any location. diff --git a/windows/deploy/integrate-configuration-manager-with-mdt-2013.md b/windows/deploy/integrate-configuration-manager-with-mdt-2013.md index 0304c92711..75558b9f99 100644 --- a/windows/deploy/integrate-configuration-manager-with-mdt-2013.md +++ b/windows/deploy/integrate-configuration-manager-with-mdt-2013.md 
@@ -20,13 +20,13 @@ author: CFaw - [Why integrate MDT 2013 Update 1 with Configuration Manager](#sec01) - [Why use MDT Lite Touch to create reference images](#sec02) -- [Related topics](#related_topics) +- [Related topics](#related-topics) This topic will help you understand the benefits of integrating the Microsoft Deployment Toolkit with Microsoft System Center 2012 R2 Configuration Manager SP1 when you deploy a new or updated version of the Windows operating system. MDT 2013 is a free, supported download from Microsoft that adds approximately 280 enhancements to Windows operating system deployment with System Center 2012 R2 Configuration Manager SP1. It is, therefore, recommended that you utilize MDT when deploying the Windows operating system with Configuration Manager SP1. In addition to integrating MDT with Configuration Manager, we also recommend using MDT Lite Touch to create the Windows 10 reference images used in Configuration Manager. For more information on how to create a reference image, see [Create a Windows 10 reference image](create-a-windows-81-reference-image.md). -## Why integrate MDT 2013 Update 1 with Configuration Manager +## Why integrate MDT 2013 Update 1 with Configuration Manager As noted above, MDT adds many enhancements to Configuration Manager. While these enhancements are called Zero Touch, that name does not reflect how deployment is conducted. The following sections provide a few samples of the 280 enhancements that MDT 2013 Update 1 adds to Configuration Manager. 
@@ -94,7 +94,7 @@ Figure 5. The optional UDI wizard open in the UDI Wizard Designer. MDT Zero Touch simply extends Configuration Manager with many useful built-in operating system deployment components. By providing well-established, supported solutions, MDT reduces the complexity of deployment in Configuration Manager. -## Why use MDT Lite Touch to create reference images +## Why use MDT Lite Touch to create reference images You can create reference images for Configuration Manager in Configuration Manager, but in general we recommend creating them in MDT Lite Touch for the following reasons: diff --git a/windows/deploy/introduction-to-vamtvamt-30-win8.md b/windows/deploy/introduction-to-vamtvamt-30-win8.md index 8f3de28db4..44fb49fbd3 100644 --- a/windows/deploy/introduction-to-vamtvamt-30-win8.md +++ b/windows/deploy/introduction-to-vamtvamt-30-win8.md @@ -21,15 +21,15 @@ VAMT can be installed on, and can manage, physical or virtual instances. VAMT ca ## In this Topic -- [Managing Multiple Activation Key (MAK) and Retail Activation](#BKMK_ManagingMAK) +- [Managing Multiple Activation Key (MAK) and Retail Activation](#bkmk-managingmak) -- [Managing Key Management Service (KMS) Activation](#BKMK_ManagingKMS) +- [Managing Key Management Service (KMS) Activation](#bkmk-managingkms) -- [Enterprise Environment](#BKMK_EnterpriseEnvironment) +- [Enterprise Environment](#bkmk-enterpriseenvironment) -- [VAMT User Interface](#BKMK_UserInterface) +- [VAMT User Interface](#bkmk-userinterface) -## Managing Multiple Activation Key (MAK) and Retail Activation +## Managing Multiple Activation Key (MAK) and Retail Activation You can use a MAK or a retail product key to activate Windows, Windows Server, or Office on an individual computer or a group of computers. VAMT enables two different activation scenarios: 
@@ -38,14 +38,14 @@ You can use a MAK or a retail product key to activate Windows, Windows Server, o - **Proxy activation.** This activation method enables you to perform volume activation for products installed on client computers that do not have Internet access. The VAMT host computer distributes a MAK, KMS Host key (CSVLK), or retail product key to one or more client products and collects the installation ID (IID) from each client product. The VAMT host sends the IIDs to Microsoft on behalf of the client products and obtains the corresponding Confirmation IDs (CIDs). The VAMT host then installs the CIDs on the client products to complete the activation. Using this method, only the VAMT host computer needs Internet access. You can also activate products installed on computers in a workgroup that is completely isolated from any larger network, by installing a second instance of VAMT on a computer within the workgroup. Then, use removable media to transfer activation data between this new instance of VAMT and the Internet-connected VAMT host. -## Managing Key Management Service (KMS) Activation +## Managing Key Management Service (KMS) Activation In addition to MAK or retail activation, you can use VAMT to perform volume activation using the Key Management Service (KMS). VAMT can install and activate GVLK (KMS client) keys on client products. GVLKs are the default product keys used by Volume License editions of Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 as well as Microsoft Office 2010. VAMT treats a KMS Host key (CSVLK) product key identically to a retail-type product key; therefore, the experience for product key entry and activation management are identical for both these product key types. -## Enterprise Environment +## Enterprise Environment VAMT is commonly implemented in enterprise environments. 
The following illustrates three common environments—Core Network, Secure Zone, and Isolated Lab. @@ -56,7 +56,7 @@ In the Core Network environment, all computers are within a common network manag The Isolated Lab environment is a workgroup that is physically separate from the Core Network, and its computers do not have Internet access. The network security policy states that no information that could identify a specific computer or user may be transferred out of the Isolated Lab. -## VAMT User Interface +## VAMT User Interface The following screenshot shows the VAMT graphical user interface. diff --git a/windows/deploy/loadstate-syntax-usmt-win7-usmt-win8.md b/windows/deploy/loadstate-syntax-usmt-win7-usmt-win8.md index ab7074ec50..1c3af506cf 100644 --- a/windows/deploy/loadstate-syntax-usmt-win7-usmt-win8.md +++ b/windows/deploy/loadstate-syntax-usmt-win7-usmt-win8.md @@ -16,21 +16,21 @@ This topic discusses the **LoadState** command syntax and options. ## In This Topic -[Before You Begin](#Before) +[Before You Begin](#before) -[Syntax](#BKMK_S) +[Syntax](#bkmk-s) -[Storage Options](#BKMK_St) +[Storage Options](#bkmk-st) -[Migration Rule Options](#BKMK_Mig) +[Migration Rule Options](#bkmk-mig) -[Monitoring Options](#BKMK_Mon) +[Monitoring Options](#bkmk-mon) -[User Options](#BKMK_User) +[User Options](#bkmk-user) -[Incompatible Command-Line Options](#BKMK_CLOI) +[Incompatible Command-Line Options](#bkmk-cloi) -## Before You Begin +## Before You Begin Before you run the **LoadState** command, note the following: 
@@ -45,9 +45,9 @@ Before you run the **LoadState** command, note the following: - **LoadState** does not require domain controller access to apply domain profiles. This functionality is available without any additional configuration. It is not necessary for the source computer to have had domain controller access when the user profile was gathered using **ScanState**. However, domain profiles are inaccessible until the destination computer is joined to the domain. -- The [Incompatible Command-Line Options](#BKMK_CLOI) table lists which options you can use together and which command-line options are incompatible. +- The [Incompatible Command-Line Options](#bkmk-cloi) table lists which options you can use together and which command-line options are incompatible. -## Syntax +## Syntax This section explains the syntax and usage of the command-line options available when you use the **LoadState** command. The options can be specified in any order. If the option contains a parameter, you can specify either a colon or space separator. @@ -60,7 +60,7 @@ For example, to decrypt the store and migrate the files and settings to a comput `loadstate \\server\share\migration\mystore /i:migapp.xml /i:migdocs.xml /v:13 /decrypt /key:"mykey"` -## Storage Options +## Storage Options USMT provides the following options that you can use to specify how and where the migrated data is stored. @@ -124,7 +124,7 @@ USMT provides the following options that you can use to specify how and where th   -## Migration Rule Options +## Migration Rule Options USMT provides the following options to specify what files you want to migrate. @@ -162,7 +162,7 @@ USMT provides the following options to specify what files you want to migrate.   -## Monitoring Options +## Monitoring Options USMT provides several command-line options that you can use to analyze problems that occur during migration. 
@@ -269,7 +269,7 @@ USMT provides several command-line options that you can use to analyze problems   -## User Options +## User Options By default, all users are migrated. The only way to specify which users to include and exclude is by using the following options. You cannot exclude users in the migration .xml files or by using the Config.xml file. For more information, see [Identify Users](identify-users-usmt-win7-usmt-win8.md). @@ -500,7 +500,7 @@ You can use the **/uel**, **/ue** and **/ui** options together to migrate only t   -## Incompatible Command-Line Options +## Incompatible Command-Line Options The following table indicates which command-line options are not compatible with the **LoadState** command. If the table entry for a particular combination is blank, the options are compatible and you can use them together. The X symbol means that the options are not compatible. For example, you cannot use the **/nocompress** option with the **/encrypt** option. diff --git a/windows/deploy/log-files-usmt-win7-usmt-win8.md b/windows/deploy/log-files-usmt-win7-usmt-win8.md index 06dec9afc1..654e113b1d 100644 --- a/windows/deploy/log-files-usmt-win7-usmt-win8.md +++ b/windows/deploy/log-files-usmt-win7-usmt-win8.md 
@@ -13,17 +13,17 @@ author: CFaw You can use User State Migration Tool (USMT) 10.0 logs to monitor your migration and to troubleshoot errors and failed migrations. This topic describes the available command-line options to enable USMT logs, and new XML elements that configure which types of errors are fatal and should halt the migration, which types are non-fatal and should be skipped so that the migration can continue. -[Log Command-Line Options](#BKMK_CommandLineOptions) +[Log Command-Line Options](#bkmk-commandlineoptions) -[ScanState and LoadState Logs](#BKMK_ScanLoadStateLogs) +[ScanState and LoadState Logs](#bkmk-scanloadstatelogs) -[Progress Log](#BKMK_ProgressLog) +[Progress Log](#bkmk-progresslog) -[List Files Log](#BKMK_ListFilesLog) +[List Files Log](#bkmk-listfileslog) -[Diagnostic Log](#BKMK_DiagnosticLog) +[Diagnostic Log](#bkmk-diagnosticlog) -## Log Command-Line Options +## Log Command-Line Options The following table describes each command-line option related to logs, and it provides the log name and a description of what type of information each log contains. @@ -77,12 +77,12 @@ You cannot store any of the log files in *StorePath*. If you do, the log will be   -## ScanState and LoadState Logs +## ScanState and LoadState Logs ScanState and LoadState logs are text files that are create when you run the ScanState and LoadState tools. You can use these logs to help monitor your migration. The content of the log depends on the command-line options that you use and the verbosity level that you specify. For more information about verbosity levels, see Monitoring Options in [ScanState Syntax](scanstate-syntax-usmt-win7-usmt-win8.md). -## Progress Log +## Progress Log You can create a progress log using the **/progress** option. External tools, such as Microsoft System Center Operations Manager 2007, can parse the progress log to update your monitoring systems. The first three fields in each line are fixed as follows: 
@@ -218,12 +218,12 @@ The remaining fields are key/value pairs as indicated in the following table.   -## List Files Log +## List Files Log The List files log (Listfiles.txt) provides a list of the files that were migrated. This list can be used to troubleshoot XML issues or can be retained as a record of the files that were gathered into the migration store. The List Files log is only available for ScanState.exe. -## Diagnostic Log +## Diagnostic Log You can obtain the diagnostic log by setting the environment variable MIG\_ENABLE\_DIAG to a path to an XML file. diff --git a/windows/deploy/mdt-2013-lite-touch-components.md b/windows/deploy/mdt-2013-lite-touch-components.md index 22cc1be3ff..f18503ab18 100644 --- a/windows/deploy/mdt-2013-lite-touch-components.md +++ b/windows/deploy/mdt-2013-lite-touch-components.md @@ -30,7 +30,7 @@ author: CFaw - [Selection profiles](#sec10) - [Logging](#sec11) - [Monitoring](#sec12) -- [Related topics](#related_topics) +- [Related topics](#related-topics) This topic provides an overview of the features in the Microsoft Deployment Toolkit (MDT) 2013 Update 1 that support Lite Touch Installation (LTI) for Windows 10. An LTI deployment strategy requires very little infrastructure or user interaction, and can be used to deploy an operating system from a network share or from a physical media, such as a USB flash drive or disc. 
@@ -40,12 +40,12 @@ When deploying the Windows operating system using MDT, most of the administratio Figure 4. If you click **View Script** on the right side, you will get the PowerShell code that was used to perform the task. -## Deployment shares +## Deployment shares A deployment share is essentially a folder on the server that is shared and contains all the setup files and scripts needed for the deployment solution. It also holds the configuration files (called rules) that are gathered when a machine is deployed. These configuration files can reach out to other sources, like a database, external script, or web server to get additional settings for the deployment. For Lite Touch deployments, it is common to have two deployment shares: one for creating the reference images and one for deployment. For Zero Touch, it is common to have only the deployment share for creating reference images because Microsoft System Center 2012 R2 Configuration Manager deploys the image in the production environment. -## Rules +## Rules The rules (CustomSettings.ini and Bootstrap.ini) make up the brain of MDT. The rules control the Windows Deployment Wizard on the client and, for example, can provide the following settings to the machine being deployed: 
@@ -64,32 +64,32 @@ You can manage hundreds of settings in the rules. For more information, see the Figure 5. Example of a MDT rule. In this example, the new computer name is being calculated based on PC- plus the first seven (Left) characters from the serial number -## Boot images +## Boot images Boot images are the Windows Preinstallation Environment (Windows PE) images that are used to start the deployment. They can be started from a CD or DVD, an ISO file, a USB device, or over the network using a Pre-Boot Execution Environment (PXE) server. The boot images connect to the deployment share on the server and start the deployment. -## Operating systems +## Operating systems Using the Deployment Workbench, you import the operating systems you want to deploy. You can import either the full source (like the full Windows 10 DVD/ISO) or a custom image that you have created. The full-source operating systems are primarily used to create reference images; however, they also can be used for normal deployments. -## Applications +## Applications Using the Deployment Workbench, you also add the applications you want to deploy. MDT supports virtually every executable Windows file type. The file can be a standard .exe file with command-line switches for an unattended install, a Microsoft Windows Installer (MSI) package, a batch file, or a VBScript. In fact, it can be just about anything that can be executed unattended. MDT also supports the new Universal Windows apps. -## Driver repository +## Driver repository You also use the Deployment Workbench to import the drivers your hardware needs into a driver repository that lives on the server, not in the image. -## Packages +## Packages With the Deployment Workbench, you can add any Microsoft packages that you want to use. The most commonly added packages are language packs, and the Deployment Workbench Packages node works well for those. You also can add security and other updates this way. 
However, we generally recommend that you use Windows Server Update Services (WSUS) for operating system updates. The rare exceptions are critical hotfixes that are not available via WSUS, packages for the boot image, or any other package that needs to be deployed before the WSUS update process starts. -## Task sequences +## Task sequences Task sequences are the heart and soul of the deployment solution. When creating a task sequence, you need to select a template. The templates are located in the Templates folder in the MDT installation directory, and they determine which default actions are present in the sequence. @@ -106,7 +106,7 @@ You can think of a task sequence as a list of actions that need to be executed i - **Windows Update.** Connects to a WSUS server and updates the machine. -## Task sequence templates +## Task sequence templates MDT comes with nine default task sequence templates. You can also create your own templates. As long as you store them in the Templates folder, they will be available when you create a new task sequence. @@ -136,7 +136,7 @@ MDT comes with nine default task sequence templates. You can also create your ow - **Standard Client Upgrade task sequence.** A simple task sequence template used to perform an in-place upgrade from Windows 7, Windows 8, or Windows 8.1 directly to Windows 10, automatically preserving existing data, settings, applications, and drivers. -## Selection profiles +## Selection profiles Selection profiles, which are available in the Advanced Configuration node, provide a way to filter content in the Deployment Workbench. Selection profiles are used for several purposes in the Deployment Workbench and in Lite Touch deployments. For example, they can be used to: 
@@ -151,7 +151,7 @@ Selection profiles, which are available in the Advanced Configuration node, prov - Filter which task sequences and applications are displayed in the Deployment Wizard. -## Logging +## Logging MDT uses many log files during operating system deployments. By default the logs are client side, but by configuring the deployment settings, you can have MDT store them on the server, as well. @@ -161,7 +161,7 @@ The easiest way to view log files is to use Configuration Manager Trace (CMTrace   -## Monitoring +## Monitoring On the deployment share, you also can enable monitoring. After you enable monitoring, you will see all running deployments in the Monitor node in the Deployment Workbench. diff --git a/windows/deploy/migrate-application-settings.md b/windows/deploy/migrate-application-settings.md index 3f350a40d8..8624b4ca16 100644 --- a/windows/deploy/migrate-application-settings.md +++ b/windows/deploy/migrate-application-settings.md 
@@ -17,27 +17,27 @@ This topic defines how to author a custom migration .xml file that migrates the This topic does not contain information about how to migrate applications that store settings in an application-specific store, only the applications that store the information in files or in the registry. It also does not contain information about how to migrate the data that users create using the application. For example, if the application creates .doc files using a specific template, this topic does not discuss how to migrate the .doc files and templates themselves. -## In this Topic +## In this Topic -- [Before You Begin](#BKMK_BeforeBegin) +- [Before You Begin](#bkmk-beforebegin) -- [Step 1: Verify that the application is installed on the source computer, and that it is the same version as the version to be installed on the destination computer](#BKMK_Step1). +- [Step 1: Verify that the application is installed on the source computer, and that it is the same version as the version to be installed on the destination computer](#bkmk-step1). -- [Step 2: Identify settings to collect and determine where each setting is stored on the computer](#BKMK_Step2). +- [Step 2: Identify settings to collect and determine where each setting is stored on the computer](#bkmk-step2). -- [Step 3: Identify how to apply the gathered settings](#BKMK_Step3). +- [Step 3: Identify how to apply the gathered settings](#bkmk-step3). -- [Step 4: Create the migration XML component for the application](#BKMK_Step4). +- [Step 4: Create the migration XML component for the application](#bkmk-step4). -- [Step 5: Test the application settings migration](#BKMK_Step5). +- [Step 5: Test the application settings migration](#bkmk-step5). -## Before You Begin +## Before You Begin You should identify a test computer that contains the operating system of your source computers, and the application whose settings you want to migrate. 
For example, if you are planning on migrating from Windows 7 to Windows 10, install Windows 7 on your test computer and then install the application. -## Step 1: Verify that the application is installed on the source computer, and that it is the same version as the version to be installed on the destination computer. +## Step 1: Verify that the application is installed on the source computer, and that it is the same version as the version to be installed on the destination computer. Before USMT migrates the settings, you need it to check whether the application is installed on the source computer, and that it is the correct version. If the application is not installed on the source computer, you probably do not want USMT to spend time searching for the application’s settings. More importantly, if USMT collects settings for an application that is not installed, it may migrate settings that will cause the destination computer to function incorrectly. You should also investigate whether there is more than one version of the application. This is because the new version may not store the settings in the same place, which may lead to unexpected results on the destination computer. 
@@ -54,12 +54,12 @@ Usually, you can find this key by searching under **HKEY\_LOCAL\_MACHINE\\SOFTWA You should also check the application binaries for the executable that installed the application. To do this, you will first need to determine where the application is installed and what the name of the executable is. Most applications store the installation location of the application binaries in the registry. You should search the registry for the name of the application, the name of the application executable, or for the name of the company that makes the application, until you find the registry value that contains the installation path. Once you have determined the path to the application executable, you can use the **DoesFileVersionMatch** helper function to check for the correct version of the application executable. For an example of how to do this, see the Windows Live™ Messenger section of the MigApp.xml file. -## Step 2: Identify settings to collect and determine where each setting is stored on the computer. +## Step 2: Identify settings to collect and determine where each setting is stored on the computer. Next, you should go through the user interface and make a list of all of the available settings. You can reduce the list if there are settings that you do not want to migrate. To determine where each setting is stored, you will need to change each setting and monitor the activity on the registry and the file system. You do not need to migrate the binary files and registry settings that are made when the application is installed. This is because you will need to reinstall the application onto the destination computer. You only need to migrate those settings that are customizable. -### +### **How To Determine Where Each Setting is Stored** 
@@ -83,7 +83,7 @@ Next, you should go through the user interface and make a list of all of the ava   -## Step 3: Identify how to apply the gathered settings. +## Step 3: Identify how to apply the gathered settings. If the version of the application on the source computer is the same as the one on the destination computer, then you do not have to modify the collected files and registry keys. By default, USMT migrates the files and registry keys from the source location to the corresponding location on the destination computer. For example, if a file was collected from the C:\\Documents and Settings\\User1\\My Documents folder and the profile directory on the destination computer is located at D:\\Users\\User1, then USMT will automatically migrate the file to D:\\Users\\User1\\My Documents. However, you may need to modify the location of some settings in the following three cases: 
@@ -94,9 +94,9 @@ In this case, the newer version of the application may be able to read the setti - **The newer version of the application has the ability to import settings from an older version.** This mapping usually happens the first time a user runs the newer version after the settings have been migrated. Some applications do this automatically after settings are migrated; however, other applications will only do this if the application was upgraded from the older version. When the application is upgraded, a set of files and/or registry keys is installed that indicates the older version of the application was previously installed. If you perform a clean installation of the newer version (which is the case in most migrations), the computer does not contain this set of files and registry keys so the mapping does not occur. In order to trick the newer version of the application into initiating this import process, your migration script may need to create these files and/or registry keys on the destination computer. - To identify which files and/or registry keys/values need to be created to cause the import, you should upgrade the older version of the application to the newer one and monitor the changes made to the file system and registry by using the same process described in [How To determine where each setting is stored](#BKMKDetermine). Once you know the set of files that the computer needs, you can use the <`addObjects`> element to add them to the destination computer. + To identify which files and/or registry keys/values need to be created to cause the import, you should upgrade the older version of the application to the newer one and monitor the changes made to the file system and registry by using the same process described in [How To determine where each setting is stored](#bkmkdetermine). Once you know the set of files that the computer needs, you can use the <`addObjects`> element to add them to the destination computer. 
-- [The newer version of the application cannot read settings from the source computer and it is also unable to import the settings into the new format.](#BKMKDetermine) In this case, you will need to create a mapping for each setting from the old locations to the new locations. To do this, determine where the newer version stores each setting using the process described in How to determine where each setting is stored. After you have created the mapping, apply the settings to the new location on the destination computer using the <`locationModify`> element, and the **RelativeMove** and **ExactMove** helper functions. +- [The newer version of the application cannot read settings from the source computer and it is also unable to import the settings into the new format.](#bkmkdetermine) In this case, you will need to create a mapping for each setting from the old locations to the new locations. To do this, determine where the newer version stores each setting using the process described in How to determine where each setting is stored. After you have created the mapping, apply the settings to the new location on the destination computer using the <`locationModify`> element, and the **RelativeMove** and **ExactMove** helper functions. ### Case 2: The destination computer already contains settings for the application. 
@@ -106,7 +106,7 @@ We recommend that you migrate the settings after you install the application, bu We recommend that you migrate the settings after you install the application, but before the user runs the application for the first time. We recommend this because this ensures that there are no settings on the destination computer when you migrate the settings. Also, when some applications are installed, they overwrite any existing settings that are on the computer. In this scenario, if you migrated the data before you installed the application, your customized settings would be overwritten. This is common for applications that store settings in locations that are outside of the user profile (typically these are settings that apply to all users). These universal settings are sometimes overwritten when an application is installed, and they are replaced by default values. To avoid this, you must install these applications before migrating the files and settings to the destination computer. By default with USMT, data from the source computer overwrites data that already exists in the same location on the destination computer. -## Step 4: Create the migration XML component for the application +## Step 4: Create the migration XML component for the application After you have completed steps 1 through 3, you will need to create a custom migration .xml file that migrates the application based on the information that you now have. You can use the MigApp.xml file as a model because it contains examples of many of the concepts discussed in this topic. You can also see [Custom XML Examples](custom-xml-examples-usmt-win7-usmt-win8.md) for another sample .xml file. 
@@ -139,7 +139,7 @@ Your script should do the following: For information about the .xml elements and helper functions, see [XML Elements Library](xml-elements-library-usmt-win7-usmt-win8.md). -## Step 5: Test the application settings migration +## Step 5: Test the application settings migration On a test computer, install the operating system that will be installed on the destination computers. For example, if you are planning on migrating from Windows 7 to Windows 10, install Windows 10 and the application. Next, run LoadState on the test computer and verify that all settings migrate. Make corrections if necessary and repeat the process until all the necessary settings are migrated correctly. diff --git a/windows/deploy/migrate-user-accounts-usmt.md b/windows/deploy/migrate-user-accounts-usmt.md index 2d1651ea11..478cab9257 100644 --- a/windows/deploy/migrate-user-accounts-usmt.md +++ b/windows/deploy/migrate-user-accounts-usmt.md @@ -16,13 +16,13 @@ By default, all users are migrated. The only way to specify which users to inclu ## In this Topic -- [To migrate all user accounts and user settings](#BKMK_MigrateAll) +- [To migrate all user accounts and user settings](#bkmk-migrateall) -- [To migrate two domain accounts (User1 and User2)](#BKMK_MigrateTwo) +- [To migrate two domain accounts (User1 and User2)](#bkmk-migratetwo) -- [To migrate two domain accounts (User1 and User2) and move User1 from the Contoso domain to the Fabrikam domain](#BKMK_MigrateMoveUserOne) +- [To migrate two domain accounts (User1 and User2) and move User1 from the Contoso domain to the Fabrikam domain](#bkmk-migratemoveuserone) -## To migrate all user accounts and user settings +## To migrate all user accounts and user settings 1. Log on to the source computer as an administrator, and specify the following in a **Command-Prompt** window: 
@@ -46,7 +46,7 @@ By default, all users are migrated. The only way to specify which users to inclu   -## To migrate two domain accounts (User1 and User2) +## To migrate two domain accounts (User1 and User2) 1. Log on to the source computer as an administrator, and specify: @@ -59,7 +59,7 @@ By default, all users are migrated. The only way to specify which users to inclu `loadstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml` -## To migrate two domain accounts (User1 and User2) and move User1 from the Contoso domain to the Fabrikam domain +## To migrate two domain accounts (User1 and User2) and move User1 from the Contoso domain to the Fabrikam domain 1. Log on to the source computer as an administrator, and type the following at the command-line prompt: diff --git a/windows/deploy/migration-store-types-overview.md b/windows/deploy/migration-store-types-overview.md index d2a022979d..ec76f7eaee 100644 --- a/windows/deploy/migration-store-types-overview.md +++ b/windows/deploy/migration-store-types-overview.md @@ -16,13 +16,13 @@ When planning your migration, you should determine which migration store type be ## In This Topic -[Migration Store Types](#BKMK_Types) +[Migration Store Types](#bkmk-types) -[Local Store vs. Remote Store](#BKMK_LocalVRemote) +[Local Store vs. Remote Store](#bkmk-localvremote) -[The /localonly Command-Line Option](#BKMK_LocalOnly) +[The /localonly Command-Line Option](#bkmk-localonly) -## Migration Store Types +## Migration Store Types This section describes the three migration store types available in USMT. 
@@ -45,7 +45,7 @@ The following flowchart illustrates the procedural differences between a local m ![migration store comparison](images/dep-win8-l-usmt-migrationcomparemigstores.gif) -## Local Store vs. Remote Store +## Local Store vs. Remote Store If you have enough space and you are migrating the user state back to the same computer, storing data on a local device is normally the best option to reduce server storage costs and network performance issues. You can store the data locally either on a different partition or on a removable device such as a USB flash drive (UFD). Also, depending on the imaging technology that you are using, you might be able to store the data on the partition that is being re-imaged, if the data will be protected from deletion during the process. To increase performance, store the data on high-speed drives that use a high-speed network connection. It is also good practice to ensure that the migration is the only task the server is performing. @@ -57,7 +57,7 @@ If possible, have users store their data within their %UserProfile%\\My Document   -### The /localonly Command-Line Option +### The /localonly Command-Line Option You should use this option to exclude the data from removable drives and network drives mapped on the source computer. For more information about what is excluded when you specify **/LocalOnly**, see [ScanState Syntax](scanstate-syntax-usmt-win7-usmt-win8.md). diff --git a/windows/deploy/monitor-the-windows-81-deployment-with-configuration-manager.md b/windows/deploy/monitor-the-windows-81-deployment-with-configuration-manager.md index 6cc9eae12c..fc9f1fa1ba 100644 --- a/windows/deploy/monitor-the-windows-81-deployment-with-configuration-manager.md +++ b/windows/deploy/monitor-the-windows-81-deployment-with-configuration-manager.md 
@@ -19,7 +19,7 @@ author: CFaw **In this article** - [](#) -- [Related topics](#related_topics) +- [Related topics](#related-topics) In this topic, you will learn how to monitor a Windows 10 deployment that was started previously using Microsoft System Center 2012 R2 Configuration Manager and the Microsoft Deployment Toolkit (MDT) Deployment Workbench. You will also use the Deployment Workbench to access the computer remotely via the Microsoft Diagnostics and Recovery Toolkit (DaRT) Remote Connection feature. diff --git a/windows/deploy/offline-migration-reference.md b/windows/deploy/offline-migration-reference.md index cbabd15764..5c0149bf07 100644 --- a/windows/deploy/offline-migration-reference.md +++ b/windows/deploy/offline-migration-reference.md @@ -28,19 +28,19 @@ When you use User State Migration Tool (USMT) 10.0 to gather and restore user s ## In This Topic -- [What Will Migrate Offline?](#BKMK_WhatWillMigrate) +- [What Will Migrate Offline?](#bkmk-whatwillmigrate) -- [What Offline Environments are Supported?](#BKMK_OfflineEnvironments) +- [What Offline Environments are Supported?](#bkmk-offlineenvironments) -- [User-Group Membership and Profile Control](#BKMK_UserGroupMembership) +- [User-Group Membership and Profile Control](#bkmk-usergroupmembership) -- [Command-Line Options](#BKMK_CommandLineOptions) +- [Command-Line Options](#bkmk-commandlineoptions) -- [Environment Variables](#BKMK_EnvironmentVariables) +- [Environment Variables](#bkmk-environmentvariables) -- [Offline.xml Elements](#BKMK_OfflineXML) +- [Offline.xml Elements](#bkmk-offlinexml) -## What Will Migrate Offline? +## What Will Migrate Offline? The following user data and settings migrate offline, similar to an online migration: 
@@ -59,7 +59,7 @@ The following user data and settings migrate offline, similar to an online migra For exceptions to what you can migrate offline, see [What Does USMT Migrate?](what-does-usmt-migrate-usmt-win7-usmt-win8.md) -## What Offline Environments are Supported? +## What Offline Environments are Supported? The following table defines the supported combination of online and offline operating systems in USMT. @@ -94,7 +94,7 @@ It is possible to run the ScanState tool while the drive remains encrypted by su   -## User-Group Membership and Profile Control +## User-Group Membership and Profile Control User-group membership is not preserved during offline migrations. You must configure a **<ProfileControl>** section in the Config.xml file to specify the groups that the migrated users should be made members of. The following example places all migrated users into the Users group: @@ -117,7 +117,7 @@ User-group membership is not preserved during offline migrations. You must confi For information about the format of a Config.xml file, see [Config.xml File](configxml-file-usmt-win7-usmt-win8.md). -## Command-Line Options +## Command-Line Options An offline migration can either be enabled by using a configuration file on the command line, or by using one of the following command line options: @@ -158,7 +158,7 @@ An offline migration can either be enabled by using a configuration file on the You can use only one of the **/offline**,**/offlineWinDir** , or **/OfflineWinOld** command-line options at a time; USMT does not support using more than one together. -## Environment Variables +## Environment Variables The following system environment variables are necessary in the scenarios outlined below. 
@@ -194,24 +194,24 @@ The following system environment variables are necessary in the scenarios outlin   -## Offline.xml Elements +## Offline.xml Elements Use an offline.xml file when running the ScanState tool on a computer that has multiple Windows directories. The offline.xml file specifies which directories to scan for windows files. An offline.xml file can be used with the /offline option as an alternative to specifying a single Windows directory path with the /offlineDir option. -### <offline> +### <offline> This element contains other elements that define how an offline migration is to be performed. Syntax: <offline> </offline> -### <winDir> +### <winDir> This element is a required child of **<offline>** and contains information about how the offline volume can be selected. The migration will be performed from the first element of **<winDir>** that contains a valid Windows system volume. Syntax: < winDir > </ winDir > -### <path> +### <path> This element is a required child of **<winDir>** and contains a file path pointing to a valid Windows directory. Relative paths are interpreted from the ScanState tool’s working directory. 
@@ -221,13 +221,13 @@ Syntax: <path> c:\\windows </path> Syntax, when used with the **<mappings>** element: <path> C:\\, D:\\ </path> -### <mappings> +### <mappings> This element is an optional child of **<offline>**. When specified, the **<mappings>** element will override the automatically detected WinPE drive mappings. Each child **<path>** element will provide a mapping from one system volume to another. Additionally, mappings between folders can be provided, since an entire volume can be mounted to a specific folder. Syntax: <mappings> </mappings> -### <failOnMultipleWinDir> +### <failOnMultipleWinDir> This element is an optional child of **<offline>**. The **<failOnMultipleWinDir>** element allows the user to specify that the migration should fail when USMT detects that there are multiple instances of Windows installed on the source machine. When the **<failOnMultipleWinDir>** element isn’t present, the default behavior is that the migration does not fail. diff --git a/windows/deploy/prepare-for-deployment-with-mdt-2013.md b/windows/deploy/prepare-for-deployment-with-mdt-2013.md index 0654421e74..99c5933f50 100644 --- a/windows/deploy/prepare-for-deployment-with-mdt-2013.md +++ b/windows/deploy/prepare-for-deployment-with-mdt-2013.md 
@@ -25,13 +25,13 @@ author: CFaw - [Create the MDT service account](#sec05) - [Create and share the logs folder](#sec06) - [Use CMTrace to read log files (optional)](#sec07) -- [Related topics](#related_topics) +- [Related topics](#related-topics) This topic will walk you through the steps necessary to create the server structure required to deploy the Windows 10 operating system using the Microsoft Deployment Toolkit (MDT) 2013 Update 1. It covers the installation of the necessary system prerequisites, the creation of shared folders and service accounts, and the configuration of security permissions in the files system and in Active Directory. For the purposes of this topic, we will use two machines: DC01 and MDT01. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 standard server. MDT01 is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-81-with-the-microsoft-deployment-toolkit.md#proof). -## System requirements +## System requirements MDT 2013 Update 1 requires the following components: @@ -58,7 +58,7 @@ MDT 2013 Update 1 requires the following components: - Microsoft .NET Framework -## Install Windows ADK for Windows 10 +## Install Windows ADK for Windows 10 These steps assume that you have the MDT01 member server installed and configured and that you have downloaded [Windows ADK for Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=526803) to the E:\\Downloads\\ADK folder. @@ -75,7 +75,7 @@ These steps assume that you have the MDT01 member server installed and configure 3. User State Migration Tool (UMST) -## Install MDT 2013 Update 1 +## Install MDT 2013 Update 1 These steps assume that you have downloaded [MDT 2013 Update 1](http://go.microsoft.com/fwlink/p/?LinkId=618117 ) to the E:\\Downloads\\MDT 2013 folder on MDT01. 
@@ -84,7 +84,7 @@ These steps assume that you have downloaded [MDT 2013 Update 1](http://go.micros 2. Install **MDT** (E:\\Downloads\\MDT 2013\\MicrosoftDeploymentToolkit2013\_x64.msi) with the default settings. -## Create the OU structure +## Create the OU structure If you do not have an organizational unit (OU) structure in your Active Directory, you should create one. In this section, you create an OU structure and a service account for MDT 2013 Update 1. @@ -121,7 +121,7 @@ If you do not have an organizational unit (OU) structure in your Active Director Figure 6. A sample of how the OU structure will look after all the OUs are created. -## Create the MDT service account +## Create the MDT service account When creating a reference image, you need an account for MDT. The MDT Build Account is used for Windows Preinstallation Environment (Windows PE) to connect to MDT01. @@ -142,7 +142,7 @@ When creating a reference image, you need an account for MDT. The MDT Build Acco 6. Password never expires: Selected -## Create and share the logs folder +## Create and share the logs folder By default MDT stores the log files locally on the client. In order to capture a reference image, you will need to enable server-side logging and, to do that, you will need to have a folder in which to store the logs. For more information, see [Create a Windows 10 reference image](create-a-windows-81-reference-image.md). 
@@ -161,7 +161,7 @@ By default MDT stores the log files locally on the client. In order to capture a Figure 7. The Sharing tab of the E:\\Logs folder after sharing it with PowerShell. -## Use CMTrace to read log files (optional) +## Use CMTrace to read log files (optional) The log files in MDT Lite Touch are formatted to be read by Configuration Manager Trace (CMTrace), which is available as part [of Microsoft System Center 2012 R2 Configuration Manager Toolkit](http://go.microsoft.com/fwlink/p/?LinkId=734717). You can use Notepad, but CMTrace formatting makes the logs easier to read. diff --git a/windows/deploy/prepare-for-zero-touch-installation-of-windows-81-with-configuration-manager.md b/windows/deploy/prepare-for-zero-touch-installation-of-windows-81-with-configuration-manager.md index b6f79c355d..3a26d0da3a 100644 --- a/windows/deploy/prepare-for-zero-touch-installation-of-windows-81-with-configuration-manager.md +++ b/windows/deploy/prepare-for-zero-touch-installation-of-windows-81-with-configuration-manager.md @@ -26,7 +26,7 @@ author: CFaw - [Configure the client settings](#sec06) - [Configure the Network Access account](#sec07) - [Enable PXE on the CM01 distribution point](#sec08) -- [Related topics](#related_topics) +- [Related topics](#related-topics) This topic will walk you through the process of integrating Microsoft System Center 2012 R2 Configuration Manager SP1 with Microsoft Deployment Toolkit (MDT) 2013 Update 1, as well as the other preparations needed to deploying Windows 10 via Zero Touch Installation. Additional preparations include the installation of hotfixes as well as activities that speed up the Pre-Boot Execution Environment (PXE). 
@@ -51,7 +51,7 @@ In this topic, you will use an existing Configuration Manager server structure t For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. DC01 and CM01 are both members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-81-with-the-microsoft-deployment-toolkit.md). -## Create the Configuration Manager service accounts +## Create the Configuration Manager service accounts To configure permissions for the various service accounts needed for operating system deployment in Configuration Manager, you use a role-based model. To create the Configuration Manager Join Domain account as well as the Configuration Manager Network Access account, follow these steps: @@ -84,7 +84,7 @@ To configure permissions for the various service accounts needed for operating s Figure 6. The Configuration Manager service accounts used for operating system deployment. -## Configure Active Directory permissions +## Configure Active Directory permissions In order for the Configuration Manager Join Domain Account (CM\_JD) to join machines into the contoso.com domain you need to configure permissions in Active Directory. These steps assume you have downloaded the sample [Set-OUPermissions.ps1 script](http://go.microsoft.com/fwlink/p/?LinkId=619362) and copied it to C:\\Setup\\Scripts on DC01. @@ -128,7 +128,7 @@ In order for the Configuration Manager Join Domain Account (CM\_JD) to join mach 12. Validated write to service principal name -## Review the Sources folder structure +## Review the Sources folder structure To support the packages you create in this section, the following folder structure should be created on the Configuration Manager primary site server (CM01): 
@@ -164,7 +164,7 @@ In most production environments, the packages are stored on a Distributed File S Figure 7. The E:\\Sources\\OSD folder structure. -## Integrate Configuration Manager with MDT +## Integrate Configuration Manager with MDT To extend the Configuration Manager console with MDT 2013 Update 1 wizards and templates, you install MDT 2013 Update 1 in the default location and run the integration setup. In these steps, we assume you have downloaded MDT 2013 Update 1 to the C:\\Setup\\MDT2013 folder on CM01. @@ -187,7 +187,7 @@ To extend the Configuration Manager console with MDT 2013 Update 1 wizards and t Figure 8. Set up the MDT 2013 Update 1 integration with Configuration Manager. -## Configure the client settings +## Configure the client settings Most organizations want to display their name during deployment. In this section, you configure the default Configuration Manager client settings with the Contoso organization name. @@ -206,7 +206,7 @@ Figure 9. Configure the organization name in client settings. Figure 10. The Contoso organization name displayed during deployment. -## Configure the Network Access account +## Configure the Network Access account Configuration Manager uses the Network Access account during the Windows 10 deployment process to access content on the distribution point(s). In this section, you configure the Network Access account. @@ -221,7 +221,7 @@ Configuration Manager uses the Network Access account during the Windows 10 depl Figure 11. Test the connection for the Network Access account. -## Enable PXE on the CM01 distribution point +## Enable PXE on the CM01 distribution point Configuration Manager has many options for starting a deployment, but starting via PXE is certainly the most flexible in a large environment. In this section, you enable PXE on the CM01 distribution point. 
diff --git a/windows/deploy/recognized-environment-variables-usmt-win7-usmt-win8.md b/windows/deploy/recognized-environment-variables-usmt-win7-usmt-win8.md index 669d061d51..2984748171 100644 --- a/windows/deploy/recognized-environment-variables-usmt-win7-usmt-win8.md +++ b/windows/deploy/recognized-environment-variables-usmt-win7-usmt-win8.md @@ -16,11 +16,11 @@ When using the XML files MigDocs.xml, MigApp.xml, and MigUser.xml, you can use e ## In This Topic -- [Variables that are processed for the operating system and in the context of each user](#BKMK_1) +- [Variables that are processed for the operating system and in the context of each user](#bkmk-1) -- [Variables that are recognized only in the user context](#BKMK_2) +- [Variables that are recognized only in the user context](#bkmk-2) -## Variables that are processed for the operating system and in the context of each user +## Variables that are processed for the operating system and in the context of each user You can use these variables within sections in the .xml files with `context=UserAndSystem`, `context=User`, and `context=System`. @@ -266,7 +266,7 @@ You can use these variables within sections in the .xml files with `context=User   -## Variables that are recognized only in the user context +## Variables that are recognized only in the user context You can use these variables in the .xml files within sections with `context=User` and `context=UserAndSystem`. diff --git a/windows/deploy/refresh-a-windows-7-computer-with-windows-81.md b/windows/deploy/refresh-a-windows-7-computer-with-windows-81.md index fed3f67c8a..3aae2f7064 100644 --- a/windows/deploy/refresh-a-windows-7-computer-with-windows-81.md +++ b/windows/deploy/refresh-a-windows-7-computer-with-windows-81.md 
@@ -21,7 +21,7 @@ author: CFaw - [The computer refresh process](#sec01) - [Create a custom User State Migration Tool (USMT) template](#sec02) - [Refresh a Windows 7 SP1 client](#sec03) -- [Related topics](#related_topics) +- [Related topics](#related-topics) This topic will show you how to use MDT 2013 Update 1 Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the computer refresh process. The refresh scenario, or computer refresh, is a reinstallation of an operating system on the same machine. You can refresh the machine to the same operating system as it is currently running, or to a later version. @@ -31,7 +31,7 @@ For the purposes of this topic, we will use three machines: DC01, MDT01, and PC0 Figure 1. The machines used in this topic. -## The computer refresh process +## The computer refresh process Even though a computer will appear, to the end user, to be upgraded, a computer refresh is not, technically, an in-place upgrade. A computer refresh also involves taking care of user data and settings from the old installation and making sure to restore those at the end of the installation. @@ -70,7 +70,7 @@ You also can combine the preceding switches with the /uel switch, which excludes In addition to the command-line switches that control which profiles to migrate, the XML templates control exactly what data is being migrated. You can control data within and outside the user profiles -## Create a custom User State Migration Tool (USMT) template +## Create a custom User State Migration Tool (USMT) template In this section, you learn to migrate additional data using a custom template. You configure the environment to use a custom USMT XML template that will: 
@@ -101,7 +101,7 @@ In order to use the custom MigContosoData.xml USMT template, you need to copy it 3. Save the CustomSettings.ini file. -## Refresh a Windows 7 SP1 client +## Refresh a Windows 7 SP1 client After adding the additional USMT template and configuring the CustomSettings.ini file to use it, you are now ready to refresh a Windows 7 SP1 client to Windows 10. In these steps, we assume you have a Windows 7 SP1 client named PC0001 in your environment that is ready for a refresh to Windows 10. diff --git a/windows/deploy/refresh-a-windows-7-sp1-client-with-windows-81-using-configuration-manager.md b/windows/deploy/refresh-a-windows-7-sp1-client-with-windows-81-using-configuration-manager.md index 3fcae5adee..98438e2940 100644 --- a/windows/deploy/refresh-a-windows-7-sp1-client-with-windows-81-using-configuration-manager.md +++ b/windows/deploy/refresh-a-windows-7-sp1-client-with-windows-81-using-configuration-manager.md @@ -21,7 +21,7 @@ author: CFaw - [Create a device collection and add the PC0003 computer](#sec01) - [Create a new deployment](#sec02) - [Initiate a computer refresh](#sec03) -- [Related topics](#related_topics) +- [Related topics](#related-topics) This topic will show you how to use a previously created task sequence to refresh a Windows 7 SP1 client with Windows 10 using Microsoft System Center 2012 R2 Configuration Manager and Microsoft Deployment Toolkit (MDT) 2013 Update 1. When refreshing a machine to a later version, it appears as an upgrade to the end user, but technically it is not an in-place upgrade. A computer refresh also involves taking care of user data and settings from the old installation and making sure to restore those at the end of the installation. For more information, see [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-81.md). 
@@ -41,7 +41,7 @@ For the purposes of this topic, we will use three machines: DC01, CM01, and PC00 In this topic, we assume that you have a Windows 7 SP1 client named PC0003 with the Configuration Manager client installed. -## Create a device collection and add the PC0003 computer +## Create a device collection and add the PC0003 computer 1. On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings: @@ -73,7 +73,7 @@ It may take a short while for the collection to refresh; you can view progress v   -## Create a new deployment +## Create a new deployment Using the Configuration Manager console, in the Software Library workspace, select **Task Sequences**, right-click **Windows 10 Enterprise x64 RTM**, and then select **Deploy**. Use the following settings: @@ -109,7 +109,7 @@ Using the Configuration Manager console, in the Software Library workspace, sele - <default> -## Initiate a computer refresh +## Initiate a computer refresh Now you can start the computer refresh on PC0003. diff --git a/windows/deploy/replace-a-windows-7-computer-with-a-windows-81-computer.md b/windows/deploy/replace-a-windows-7-computer-with-a-windows-81-computer.md index 356686b495..ab75a44ad2 100644 --- a/windows/deploy/replace-a-windows-7-computer-with-a-windows-81-computer.md +++ b/windows/deploy/replace-a-windows-7-computer-with-a-windows-81-computer.md @@ -20,7 +20,7 @@ author: CFaw - [Prepare for the computer replace](#sec01) - [Perform the computer replace](#sec02) -- [Related topics](#related_topics) +- [Related topics](#related-topics) A computer replace scenario for Windows 10 is quite similar to a computer refresh for Windows 10; however, because you are replacing a machine, you cannot store the backup on the old computer. Instead you need to store the backup to a location where the new computer can read it. 
@@ -30,7 +30,7 @@ For the purposes of this topic, we will use four machines: DC01, MDT01, PC0002, Figure 1. The machines used in this topic. -## Prepare for the computer replace +## Prepare for the computer replace When preparing for the computer replace, you need to create a folder in which to store the backup, and a backup only task sequence that you run on the old computer. @@ -74,7 +74,7 @@ When preparing for the computer replace, you need to create a folder in which to Figure 2. The Backup Only Task Sequence action list. -## Perform the computer replace +## Perform the computer replace During a computer replace, these are the high-level steps that occur: diff --git a/windows/deploy/replace-a-windows-7-sp1-client-with-windows-81-using-configuration-manager.md b/windows/deploy/replace-a-windows-7-sp1-client-with-windows-81-using-configuration-manager.md index 4dc93c3e2a..6c14b65cfa 100644 --- a/windows/deploy/replace-a-windows-7-sp1-client-with-windows-81-using-configuration-manager.md +++ b/windows/deploy/replace-a-windows-7-sp1-client-with-windows-81-using-configuration-manager.md @@ -24,7 +24,7 @@ author: CFaw - [Create a new deployment](#sec04) - [Verify the backup](#sec05) - [Deploy the new computer](#sec06) -- [Related topics](#related_topics) +- [Related topics](#related-topics) In this topic, you will learn how to replacing a Windows 7 SP1 computer using Microsoft System Center 2012 R2 Configuration Manager. This process is similar to refreshing a computer, but since you are replacing the machine, you have to run the backup job separately from the deployment of Windows 10. 
@@ -32,7 +32,7 @@ For the purposes of this topic, we will use three machines: DC01, CM01, and PC00 In this topic, you will create a backup-only task sequence that you run on PC0004, the machine you are replacing. For more information, see [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-81-computer.md). -## Create a replace task sequence +## Create a replace task sequence 1. On CM01, using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create MDT Task Sequence**. @@ -63,7 +63,7 @@ In this topic, you will create a backup-only task sequence that you run on PC000 Figure 34. The backup-only task sequence (named Replace Task Sequence). -## Associate the new machine with the old computer +## Associate the new machine with the old computer This section walks you through the process of associating a blank machine, PC0006, with an old machine, PC0004, for the purpose of replacing PC0004 with PC0006. PC0006 can be either a physical or virtual machine. @@ -100,7 +100,7 @@ This section walks you through the process of associating a blank machine, PC000 11. Review the Install Windows 10 Enterprise x64 collection. Do not continue until you see the PC0006 machine in the collection. You might have to update and refresh the collection again. -## Create a device collection and add the PC0004 computer +## Create a device collection and add the PC0004 computer 1. On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings. 
@@ -127,7 +127,7 @@ This section walks you through the process of associating a blank machine, PC000 2. Review the USMT Backup (Replace) collection. Do not continue until you see the PC0004 machine in the collection. -## Create a new deployment +## Create a new deployment Using the Configuration Manager console, in the Software Library workspace, select **Task Sequences**, right-click **Replace Task Sequence**, and then select **Deploy**. Use the following settings: @@ -158,7 +158,7 @@ Using the Configuration Manager console, in the Software Library workspace, sele - <default> -## Verify the backup +## Verify the backup This section assumes that you have a machine named PC0004 with the Configuration Manager 2012 client installed. @@ -187,7 +187,7 @@ It may take a few minutes for the user state store location to be populated.   -## Deploy the new computer +## Deploy the new computer 1. Start the PC0006 virtual machine, press **F12** to Pre-Boot Execution Environment (PXE) boot when prompted. Allow it to boot Windows Preinstallation Environment (Windows PE), and then complete the deployment wizard using the following settings: diff --git a/windows/deploy/reroute-files-and-settings-usmt.md b/windows/deploy/reroute-files-and-settings-usmt.md index 8a6dc28a97..cc0699e990 100644 --- a/windows/deploy/reroute-files-and-settings-usmt.md +++ b/windows/deploy/reroute-files-and-settings-usmt.md 
@@ -15,13 +15,13 @@ To reroute files and settings, create a custom .xml file and specify this file n In this topic: -- [Reroute a Folder](#BKMK_RerouteFolder) +- [Reroute a Folder](#bkmk-reroutefolder) -- [Reroute a Specific File Type](#BKMK_RerouteSpecFileType) +- [Reroute a Specific File Type](#bkmk-reroutespecfiletype) -- [Reroute a Specific File](#BKMK_RerouteSpecificFile) +- [Reroute a Specific File](#bkmk-reroutespecificfile) -## Reroute a Folder +## Reroute a Folder The following custom .xml file migrates the directories and files from C:\\EngineeringDrafts into the My Documents folder of every user. %CSIDL\_PERSONAL% is the virtual folder representing the My Documents desktop item, which is equivalent to CSIDL\_MYDOCUMENTS. @@ -50,7 +50,7 @@ The following custom .xml file migrates the directories and files from C:\\Engin ``` -## Reroute a Specific File Type +## Reroute a Specific File Type The following custom .xml file reroutes .mp3 files located in the fixed drives on the source computer into the C:\\Music folder on the destination computer. @@ -78,7 +78,7 @@ The following custom .xml file reroutes .mp3 files located in the fixed drives o ``` -## Reroute a Specific File +## Reroute a Specific File The following custom .xml file migrates the Sample.doc file from C:\\EngineeringDrafts into the My Documents folder of every user. %CSIDL\_PERSONAL% is the virtual folder representing the My Documents desktop item, which is equivalent to CSIDL\_MYDOCUMENTS. diff --git a/windows/deploy/return-codes-usmt-win8.md b/windows/deploy/return-codes-usmt-win8.md index 3e5a3bf445..967a8edf1d 100644 --- a/windows/deploy/return-codes-usmt-win8.md +++ b/windows/deploy/return-codes-usmt-win8.md 
@@ -18,13 +18,13 @@ Understanding the requirements for running USMT can help minimize errors in your ## In This Topic -[USMT Return Codes](#BKMK_ReturnCodes) +[USMT Return Codes](#bkmk-returncodes) -[USMT Error Messages](#BKMK_ErrorMessages) +[USMT Error Messages](#bkmk-errormessages) -[Troubleshooting Return Codes and Error Messages](#BKMK_TSCodesErrors) +[Troubleshooting Return Codes and Error Messages](#bkmk-tscodeserrors) -## USMT Return Codes +## USMT Return Codes If you encounter an error in your USMT migration, you can use return codes and the more specific information provided in the associated USMT error messages to troubleshoot the issue and to identify mitigation steps. 
@@ -43,14 +43,14 @@ Fatal Errors As a best practice, we recommend that you set verbosity level to 5, **/v***:5*, on the **ScanState**, **LoadState**, and **USMTUtils** command lines so that the most detailed reporting is available in the respective USMT logs. You can use a higher verbosity level if you want the log files output to go to a debugger. -## USMT Error Messages +## USMT Error Messages Error messages provide more detailed information about the migration problem than the associated return code. For example, the **ScanState**, **LoadState**, or **USMTUtils** tool might return a code of "11” (for “USMT\_INVALID\_PARAMETERS") and a related error message that reads "/key and /keyfile both specified". The error message is displayed at the command prompt and is identified in the **ScanState**, **LoadState**, or **USMTUtils** log files to help you determine why the return code was received. You can obtain more information about any listed Windows application programming interface (API) system error codes by typing **net helpmsg** on the command line and, then typing the error code number. For more information about System Error Codes, see [this Microsoft Web site](http://go.microsoft.com/fwlink/p/?LinkId=147060). -## Troubleshooting Return Codes and Error Messages +## Troubleshooting Return Codes and Error Messages The following table lists each return code by numeric value, along with the associated error messages and suggested troubleshooting actions. diff --git a/windows/deploy/scanstate-syntax-usmt-win7-usmt-win8.md b/windows/deploy/scanstate-syntax-usmt-win7-usmt-win8.md index fbb4372415..9b5dd7f428 100644 --- a/windows/deploy/scanstate-syntax-usmt-win7-usmt-win8.md +++ b/windows/deploy/scanstate-syntax-usmt-win7-usmt-win8.md 
@@ -16,23 +16,23 @@ The ScanState command is used with the User State Migration Tool (USMT) 10.0 to ## In This Topic -[Before You Begin](#BKMK_BeforeYouBegin) +[Before You Begin](#bkmk-beforeyoubegin) -[Syntax](#BKMK_Syntax) +[Syntax](#bkmk-syntax) -[Storage Options](#BKMK_StorageOptions) +[Storage Options](#bkmk-storageoptions) -[Migration Rule Options](#BKMK_MigrationRuleOptions) +[Migration Rule Options](#bkmk-migrationruleoptions) -[Monitoring Options](#BKMK_MonitoringOptions) +[Monitoring Options](#bkmk-monitoringoptions) -[User Options](#BKMK_UserOptions) +[User Options](#bkmk-useroptions) -[Encrypted File Options](#BKMK_efs) +[Encrypted File Options](#bkmk-efs) -[Incompatible Command-Line Options](#BKMK_ICLO) +[Incompatible Command-Line Options](#bkmk-iclo) -## Before You Begin +## Before You Begin Before you run the **ScanState** command, note the following: @@ -47,11 +47,11 @@ Before you run the **ScanState** command, note the following: - You can gather domain accounts without the source computer having domain controller access. This functionality is available without any additional configuration. -- The [Incompatible Command-Line Options](#BKMK_ICLO) table lists which options you can use together and which command-line options are incompatible. +- The [Incompatible Command-Line Options](#bkmk-iclo) table lists which options you can use together and which command-line options are incompatible. - The directory location where you save the migration store will be excluded from the scan. For example, if you save the migration store to the root of the D drive, the D drive and all of its subdirectories will be excluded from the scan. -## Syntax +## Syntax This section explains the syntax and usage of the **ScanState** command-line options. The options can be specified in any order. If the option contains a parameter, you can use either a colon or a space separator. 
@@ -70,7 +70,7 @@ To create an encrypted store using the Config.xml file and the default migration `scanstate \\server\share\migration\mystore /i:migapp.xml /i:migdocs.xml /o /config:config.xml /v:13 /encrypt /key:"mykey"` -## Storage Options +## Storage Options
@@ -136,7 +136,7 @@ To create an encrypted store using the Config.xml file and the default migration   -## Run the ScanState Command on an Offline Windows System +## Run the ScanState Command on an Offline Windows System You can run the **ScanState** command in Windows Preinstallation Environment (WinPE). In addition, USMT supports migrations from previous installations of Windows contained in Windows.old directories. The offline directory can be a Windows directory when you run the **ScanState** command in WinPE or a Windows.old directory when you run the **ScanState** command in Windows. @@ -191,7 +191,7 @@ There are several benefits to running the **ScanState** command on an offline Wi   -## Migration Rule Options +## Migration Rule Options USMT provides the following options to specify what files you want to migrate. @@ -295,7 +295,7 @@ USMT provides the following options to specify what files you want to migrate.   -## Monitoring Options +## Monitoring Options USMT provides several options that you can use to analyze problems that occur during migration. @@ -422,7 +422,7 @@ The ScanState log is created by default, but you can specify the name and locati   -## User Options +## User Options By default, all users are migrated. The only way to specify which users to include and exclude is by using the following options. You cannot exclude users in the migration .xml files or using the Config.xml file. For more information, see [Identify Users](identify-users-usmt-win7-usmt-win8.md) and [Migrate User Accounts](migrate-user-accounts-usmt.md). @@ -599,7 +599,7 @@ The /**uel** option takes precedence over the /**ue** option. If a user has logg   -## Encrypted File Options +## Encrypted File Options You can use the following options to migrate encrypted files. In all cases, by default, USMT fails if an encrypted file is found unless you specify an /**efs** option. To migrate encrypted files, you must change the default behavior. 
@@ -662,7 +662,7 @@ Take caution when migrating encrypted files. If you migrate an encrypted file wi   -## Incompatible Command-Line Options +## Incompatible Command-Line Options The following table indicates which command-line options are not compatible with the **ScanState** command. If the table entry for a particular combination is blank, the options are compatible and you can use them together. The X symbol means that the options are not compatible. For example, you cannot use the **/nocompress** option with the **/encrypt** option. diff --git a/windows/deploy/scenario-1-online-activation-vamt-30-win8.md b/windows/deploy/scenario-1-online-activation-vamt-30-win8.md index 6fcfe9b67a..6f71f429ed 100644 --- a/windows/deploy/scenario-1-online-activation-vamt-30-win8.md +++ b/windows/deploy/scenario-1-online-activation-vamt-30-win8.md 
@@ -30,32 +30,32 @@ The Secure Zone represents higher-security Core Network computers that have addi ## In This Topic -- [Install and start VAMT on a networked host computer](#BKMK_PartOne) +- [Install and start VAMT on a networked host computer](#bkmk-partone) -- [Configure the Windows Management Instrumentation firewall exception on target computers](#BKMK_PartTwo) +- [Configure the Windows Management Instrumentation firewall exception on target computers](#bkmk-parttwo) -- [Connect to VAMT database](#BKMK_PartThree) +- [Connect to VAMT database](#bkmk-partthree) -- [Discover products](#BKMK_PartFour) +- [Discover products](#bkmk-partfour) -- [Sort and filter the list of computers](#BKMK_PartFive) +- [Sort and filter the list of computers](#bkmk-partfive) -- [Collect status information from the computers in the list](#BKMK_PartSix) +- [Collect status information from the computers in the list](#bkmk-partsix) -- [Add product keys and determine the remaining activation count](#BKMK_PartSeven) +- [Add product keys and determine the remaining activation count](#bkmk-partseven) -- [Install the product keys](#BKMK_PartEight) +- [Install the product keys](#bkmk-parteight) -- [Activate the client products](#BKMK_PartNine) +- [Activate the client products](#bkmk-partnine) -## Part 1: Install and Start VAMT on a Networked Host Computer +## Part 1: Install and Start VAMT on a Networked Host Computer 1. Install VAMT on the host computer. 2. Click the VAMT icon in the **Start** menu to open VAMT. -## Part 2: Configure the Windows Management Instrumentation Firewall Exception on Target Computers +## Part 2: Configure the Windows Management Instrumentation Firewall Exception on Target Computers - Ensure that the Windows Management Instrumentation (WMI) firewall exception has been enabled for all target computers. For more information, see [Configure Client Computers](configure-client-computers-vamt-30-win8.md). 
@@ -65,7 +65,7 @@ To retrieve product license status, VAMT must have administrative permissions on   -## Part 3: Connect to a VAMT Database +## Part 3: Connect to a VAMT Database 1. If you are not already connected to a database, the **Database Connection Settings** dialog box appears when you open VAMT. Select the server and database where the keys that must be activated are located. @@ -74,7 +74,7 @@ To retrieve product license status, VAMT must have administrative permissions on 3. If you are already connected to a database, VAMT displays an inventory of the products and product keys in the center pane, and a license overview of the computers in the database. If you need to connect to a different database, click **Successfully connected to Server** to open **the Database Connection Settings** dialog box. For more information about how to create VAMT databases and adding VAMT data, see [Manage VAMT Data](manage-vamt-data-vamt-30-win8.md) -## Part 4: Discover +## Part 4: Discover 1. In the left-side pane, in the **Products** node Products, click the product that you want to activate. @@ -95,7 +95,7 @@ To retrieve product license status, VAMT must have administrative permissions on When the search is complete, the products that VAMT discovers appear in the product list view in the center pane. -## Part 5: Sort and Filter the List of Computers +## Part 5: Sort and Filter the List of Computers You can sort the list of products so that it is easier to find the computers that require product keys to be activated: 
@@ -114,7 +114,7 @@ You can sort the list of products so that it is easier to find the computers tha 5. Click **Filter**. VAMT displays the filtered list in the product list view in the center pane. -## Part 6: Collect Status Information from the Computers in the List +## Part 6: Collect Status Information from the Computers in the List To collect the status from select computers in the database, you can select computers in the product list view by using one of the following methods: @@ -134,7 +134,7 @@ If a computer has more than one supported product installed, VAMT adds an entry   -## Part 7: Add Product Keys and Determine the Remaining Activation Count +## Part 7: Add Product Keys and Determine the Remaining Activation Count 1. Click the **Product Keys** node in the left-side pane, and then click **Add Product Keys** in the right-side pane to open the **Add Product Keys** dialog box. @@ -152,12 +152,12 @@ If you are activating many products with a MAK, refresh the activation count of   -## Part 8: Install the Product Keys +## Part 8: Install the Product Keys 1. In the left-side pane, click the product that you want to install keys on to. -2. If necessary, sort and filter the list of products so that it is easier to find the computers that must have a product key installed. See [Part 5: Sort and filter the list of computers](#BKMK_PartFive). +2. If necessary, sort and filter the list of products so that it is easier to find the computers that must have a product key installed. See [Part 5: Sort and filter the list of computers](#bkmk-partfive). 3. In the **Products** list view pane, select the individual products which must have keys installed. You can use the **CTRL** key or the **SHIFT** key to select more than one product. 
@@ -174,7 +174,7 @@ Product key installation will fail if VAMT finds mismatched key types or edition   -## Part 9: Activate the Client Products +## Part 9: Activate the Client Products 1. Select the individual products that you want to activate in the list-view pane. diff --git a/windows/deploy/scenario-2-proxy-activation-vamt-30-win8.md b/windows/deploy/scenario-2-proxy-activation-vamt-30-win8.md index 999bef6ca7..84d42fe369 100644 --- a/windows/deploy/scenario-2-proxy-activation-vamt-30-win8.md +++ b/windows/deploy/scenario-2-proxy-activation-vamt-30-win8.md @@ -41,7 +41,7 @@ To retrieve the license status on the selected computers, VAMT must have adminis 3. If you are already connected to a database, in the center pane VAMT displays an inventory of the products and product keys, and a license overview of the computers in the database. If you need to connect to a different database, click **Successfully connected to the Server** to open the **Database Connection Settings** dialog box. For more information about how to create VAMT databases and adding VAMT data, see [Manage VAMT Data.](manage-vamt-data-vamt-30-win8.md) -## Part 4: Discover Products +## Part 4: Discover Products 1. In the left-side pane, in the **Products** node, click the product that you want to activate. @@ -64,7 +64,7 @@ The **Finding Computers** window appears and displays the search progress as the When the search is complete, the products that VAMT discovers appear in the list view in the center pane. -## Part 5: Sort and Filter the List of Computers +## Part 5: Sort and Filter the List of Computers You can sort the list of products so that it is easier to find the computers that require product keys to be activated: 
@@ -121,7 +121,7 @@ If a computer has more than one supported product installed, VAMT adds an entry 1. In the left-side pane, in the **Products** node click the product that you want to install keys onto. -2. If necessary, sort and filter the list of products so that it is easier to find the computers that must have a product key installed. See [Step 5: Sort the list of computers](#BKMK_Step5). +2. If necessary, sort and filter the list of products so that it is easier to find the computers that must have a product key installed. See [Step 5: Sort the list of computers](#bkmk-step5). 3. In the **Products** list view pane, select the individual products which must have keys installed. You can use the **CTRL** key or the **SHIFT** key to select more than one product. @@ -212,7 +212,7 @@ VAMT displays the **Applying Confirmation Id** dialog box while it installs the The same status appears under the **Status of Last Action** column in the product list view in the center pane. -## Part 13: (Optional) Reactivating Reimaged Computers in the Isolated Lab +## Part 13: (Optional) Reactivating Reimaged Computers in the Isolated Lab If you have captured new images of the computers in the isolated lab, but the underlying hardware of those computers has not changed, VAMT can reactivate those computers using the CIDs that are stored in the database. diff --git a/windows/deploy/set-up-mdt-2013-for-bitlocker.md b/windows/deploy/set-up-mdt-2013-for-bitlocker.md index 2855dc53b2..71c80ec52f 100644 --- a/windows/deploy/set-up-mdt-2013-for-bitlocker.md +++ b/windows/deploy/set-up-mdt-2013-for-bitlocker.md 
@@ -17,7 +17,7 @@ author: CFaw - [Configure Active Directory for BitLocker](#sec01) - [Add BIOS configuration tools from Dell, HP, and Lenovo](#sec02) - [Configure the Windows 10 task sequence to enable BitLocker](#sec03) -- [Related topics](#related_topics) +- [Related topics](#related-topics) This topic will show you how to configure your environment for BitLocker, the disk volume encryption built into Windows 10 Enterprise and Windows 10 Pro, using MDT. BitLocker in Windows 10 has two requirements in regard to an operating system deployment: @@ -42,7 +42,7 @@ Even though it is not a BitLocker requirement, we recommend configuring BitLocke For the purposes of this topic, we will use DC01, a domain controller that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-81-with-the-microsoft-deployment-toolkit.md#proof). -## Configure Active Directory for BitLocker +## Configure Active Directory for BitLocker To enable BitLocker to store the recovery key and TPM information in Active Directory, you need to create a Group Policy for it in Active Directory. For this section, we are running Windows Server 2012 R2, so you do not need to extend the Schema. You do, however, need to set the appropriate permissions in Active Directory. @@ -135,7 +135,7 @@ In addition to the Group Policy created previously, you need to configure permis Figure 4. Running the Add-TPMSelfWriteACE.vbs script on DC01. -## Add BIOS configuration tools from Dell, HP, and Lenovo +## Add BIOS configuration tools from Dell, HP, and Lenovo If you want to automate enabling the TPM chip as part of the deployment process, you need to download the vendor tools and add them to your task sequences, either directly or in a script wrapper. 
@@ -178,7 +178,7 @@ The Lenovo tools are a set of VBScripts available as part of the Lenovo BIOS Set cscript.exe SetConfig.vbs SecurityChip Active ``` -## Configure the Windows 10 task sequence to enable BitLocker +## Configure the Windows 10 task sequence to enable BitLocker When configuring a task sequence to run any BitLocker tool, either directly or using a custom script, it is helpful if you also add some logic to detect whether the BIOS is already configured on the machine. In this task sequence, we are using a sample script (ZTICheckforTPM.wsf) from the Deployment Guys web page to check the status on the TPM chip. You can download this script from the Deployment Guys Blog post, [Check to see if the TPM is enabled](http://go.microsoft.com/fwlink/p/?LinkId=619549). In the following task sequence, we have added five actions: diff --git a/windows/deploy/sideload-apps-in-windows-10.md b/windows/deploy/sideload-apps-in-windows-10.md index 156962e8d3..4b1d63c9dd 100644 --- a/windows/deploy/sideload-apps-in-windows-10.md +++ b/windows/deploy/sideload-apps-in-windows-10.md @@ -19,8 +19,8 @@ author: CFaw **In this article** - [Requirements](#requirements) -- [How do I sideload an app on desktop](#how_do_i_sideload_an_app_on_desktop) -- [How do I sideload an app on mobile](#how_do_i_sideload_an_app_on_mobile) +- [How do I sideload an app on desktop](#how-do-i-sideload-an-app-on-desktop) +- [How do I sideload an app on mobile](#how-do-i-sideload-an-app-on-mobile) Sideload line-of-business apps in Windows 10. diff --git a/windows/deploy/understanding-migration-xml-files.md b/windows/deploy/understanding-migration-xml-files.md index 96a3f88687..a3e06e6d3c 100644 --- a/windows/deploy/understanding-migration-xml-files.md +++ b/windows/deploy/understanding-migration-xml-files.md 
@@ -18,31 +18,31 @@ This topic provides an overview of the default and custom migration XML files an ## In This Topic -[Overview of the Config.xml file](#BKMK_Config) +[Overview of the Config.xml file](#bkmk-config) -[Overview of the MigApp.xml file](#BKMK_MigApp) +[Overview of the MigApp.xml file](#bkmk-migapp) -[Overview of the MigDocs.xml file](#BKMK_MigDocs) +[Overview of the MigDocs.xml file](#bkmk-migdocs) -[Overview of the MigUser.xml file](#BKMK_MigUser) +[Overview of the MigUser.xml file](#bkmk-miguser) -[Using multiple XML files](#BKMK_Multiple) +[Using multiple XML files](#bkmk-multiple) -[XML rules for migrating user files](#BKMK_UserFiles) +[XML rules for migrating user files](#bkmk-userfiles) -[The GenerateDocPatterns function](#BKMK_Generate) +[The GenerateDocPatterns function](#bkmk-generate) -[Understanding the system and user context](#BKMK_Context) +[Understanding the system and user context](#bkmk-context) -[Sample migration rules for customized versions of XML files](#BKMK_Samples) +[Sample migration rules for customized versions of XML files](#bkmk-samples) -[Exclude rules usage examples](#BKMK_Exclude) +[Exclude rules usage examples](#bkmk-exclude) -[Include rules usage examples](#BKMK_Include) +[Include rules usage examples](#bkmk-include) -[Next Steps](#BKMK_Next) +[Next Steps](#bkmk-next) -## Overview of the Config.xml file +## Overview of the Config.xml file The Config.xml file is the configuration file created by the `/genconfig` option of the ScanState tool; it can be used to modify which operating-system components are migrated by USMT. The Config.xml file can be used in conjunction with other XML files, such as in the following example: `scanstate /i:migapps.xml /i:migdocs.xml /genconfig:c:\myFolder\config.xml`. When used this way, the Config.xml file tightly controls aspects of the migration, including user profiles, data, and settings, without modifying or creating other XML files. 
For more information about the Config.xml file, see [Customize USMT XML Files](customize-usmt-xml-files-usmt-win7-usmt-win8.md) and [Config.xml File](configxml-file-usmt-win7-usmt-win8.md). @@ -52,17 +52,17 @@ When modifying the XML elements in the Config.xml file, you should edit an eleme   -## Overview of the MigApp.xml file +## Overview of the MigApp.xml file The MigApp.xml file installed with USMT includes instructions to migrate the settings for the applications listed in [What Does USMT Migrate?](what-does-usmt-migrate-usmt-win7-usmt-win8.md). You must include the MigApp.xml file when using the ScanState and LoadState tools, by using the `/i` option in order to migrate application settings. The MigDocs.xml and MigUser.xml files do not migrate application settings. You can create a custom XML file to include additional applications. For more information, see [Customize USMT XML Files](customize-usmt-xml-files-usmt-win7-usmt-win8.md). **Important**   -The MigApps.xml file will only detect and migrate .pst files that are linked to Microsoft Office Outlook. See the [Sample migration rules for customized versions of XML files](#BKMK_Samples) section of this document for more information about migrating .pst files that are not linked to Outlook. +The MigApps.xml file will only detect and migrate .pst files that are linked to Microsoft Office Outlook. See the [Sample migration rules for customized versions of XML files](#bkmk-samples) section of this document for more information about migrating .pst files that are not linked to Outlook.   -## Overview of the MigDocs.xml file +## Overview of the MigDocs.xml file The MigDocs.xml file uses the new **GenerateDocPatterns** helper function to create instructions for USMT to migrate files from the source computer, based on the location of the files. You can use the MigDocs.xml file with the ScanState and LoadState tools to perform a more targeted migration than using USMT without XML instructions. 
@@ -133,7 +133,7 @@ The default MigDocs.xml file will not migrate the following: You can also use the **/genmigxml** option with the ScanState tool to review and modify what files will be migrated. -## Overview of the MigUser.xml file +## Overview of the MigUser.xml file The MigUser.xml file includes instructions for USMT to migrate user files based on file name extensions. You can use the MigUser.xml file with the ScanState and LoadState tools to perform a more targeted migration than using USMT without XML instructions. The MigUser.xml file will gather all files from the standard user-profile folders, as well as any files on the computer with the specified file name extensions. 
@@ -175,11 +175,11 @@ The default MigUser.xml file does not migrate the following: You can make a copy of the MigUser.xml file and modify it to include or exclude standard user-profile folders and file name extensions. If you know all of the extensions for the files you want to migrate from the source computer, use the MigUser.xml file to move all of your relevant data, regardless of the location of the files. However, this may result in a migration that contains more files than intended. For example, if you choose to migrate all .jpg files, you may migrate image files such as thumbnails and logos from legacy applications that are installed on the source computer. **Note**   -Each file name extension you include in the rules within the MigUser.xml file increases the amount of time needed for the ScanState tool to gather the files for the migration. If you are migrating more than three hundred file types, you may experience a slow migration. For more information about other ways to organize the migration of your data, see the [Using multiple XML files](#BKMK_Multiple) section of this document. +Each file name extension you include in the rules within the MigUser.xml file increases the amount of time needed for the ScanState tool to gather the files for the migration. If you are migrating more than three hundred file types, you may experience a slow migration. For more information about other ways to organize the migration of your data, see the [Using multiple XML files](#bkmk-multiple) section of this document.   -## Using multiple XML files +## Using multiple XML files You can use multiple XML files with the ScanState and LoadState tools. Each of the default XML files included with or generated by USMT is configured for a specific component of the migration. You can also use custom XML files to supplement these default files with additional migration rules. 
@@ -224,7 +224,7 @@ For example, you can use all of the XML migration file types for a single migrat Scanstate /config:c:\myFolder\config.xml /i:migapps.xml /i:migdocs.xml /i:customrules.xml ``` -### XML rules for migrating user files +### XML rules for migrating user files **Important**   You should not use the MigUser.xml and MigDocs.xml files together in the same command. Using both XML files can result in duplication of some migrated files. This occurs when conflicting target-location instructions are given in each XML file. The target file will be stored once during the migration, but will be applied by each XML file to a different location on the destination computer. @@ -233,9 +233,9 @@ You should not use the MigUser.xml and MigDocs.xml files together in the same co If your data set is unknown or if many files are stored outside of the standard user-profile folders, the MigDocs.xml is a better choice than the MigUser.xml file, because the MigDocs.xml file will gather a broader scope of data. The MigDocs.xml file migrates folders of data based on location. The MigUser.xml file migrates only the files with the specified file name extensions. -If you want more control over the migration, you can create custom XML files. See the [Creating and editing a custom ,xml file](#BKMK_CreateXML) section of this document. +If you want more control over the migration, you can create custom XML files. See the [Creating and editing a custom ,xml file](#bkmk-createxml) section of this document. -## Creating and editing a custom XML file +## Creating and editing a custom XML file You can use the **/genmigxml** command-line option to determine which files will be included in your migration. The **/genmigxml** option creates a file in a location you specify, so that you can review the XML rules and make modifications as necessary. 
@@ -265,7 +265,7 @@ To generate the XML migration rules file for a source computer: scanstate.exe /genmigxml:"C:\Documents and Settings\USMT Tester\Desktop\genMig.xml" ``` -### The GenerateDocPatterns function +### The GenerateDocPatterns function The MigDocs.xml file calls the **GenerateDocPatterns** function, which takes three Boolean values. You can change the settings to modify the way the MigDocs.xml file generates the XML rules for migration. @@ -342,7 +342,7 @@ To create exclude data patterns: ``` -### Understanding the system and user context +### Understanding the system and user context The migration XML files contain two <component> elements with different **context** settings. The system context applies to files on the computer that are not stored in the User Profiles directory, while the user context applies to files that are particular to an individual user. @@ -399,14 +399,14 @@ Rules contained in a component that is assigned the user context will be run for   -### Sample migration rules for customized versions of XML files +### Sample migration rules for customized versions of XML files **Note**   For best practices and requirements for customized XML files in USMT, see [Customize USMT XML Files](customize-usmt-xml-files-usmt-win7-usmt-win8.md) and [General Conventions](general-conventions-usmt-win7-usmt-win8.md).   -### Exclude rules usage examples +### Exclude rules usage examples In the examples below, the source computer has a .txt file called "new text document" in a directory called "new folder". The default MigDocs.xml behavior migrates the new text document.txt file and all files contained in the "new folder" directory. The rules generated by the function are: 
@@ -477,7 +477,7 @@ If you want the <UnconditionalExclude> element to apply to both the system For more examples of exclude rules that you can use in custom migration XML files, see [Exclude Files and Settings](exclude-files-and-settings-usmt.md). -### Include rules usage examples +### Include rules usage examples The application data directory is the most common location that you would need to add an include rule for. The **GenerateDocPatterns** function excludes this location by default. If your company uses an application that saves important data to this location, you can create include rules to migrate the data. For example, the default location for .pst files is: `%CSIDL_LOCAL_APPDATA%\Microsoft\Outlook`. The Migapp.xml file contains migration rules to move only those .pst files that are linked to Microsoft Outlook. To include .pst files that are not linked, you can do the following: @@ -512,7 +512,7 @@ For more information about the order of precedence for XML migration rules, see   -## Next steps +## Next steps You can include additional rules for the migration in the MigDocs.xml file or other XML migration files. For example, you can use the <locationModify> element to move files from the folder where they were gathered to a different folder, when they are applied to the destination computer. diff --git a/windows/deploy/update-windows-10-images-with-provisioning-packages.md b/windows/deploy/update-windows-10-images-with-provisioning-packages.md index 18c4c383d7..4c3c450570 100644 --- a/windows/deploy/update-windows-10-images-with-provisioning-packages.md +++ b/windows/deploy/update-windows-10-images-with-provisioning-packages.md 
@@ -20,10 +20,10 @@ author: CFaw **In this article** - [Advantages](#advantages) -- [Create package](#create_package) -- [Add package to image](#add_package_to_image) -- [Learn more](#learn_more) -- [Related topics](#related_topics) +- [Create package](#create-package) +- [Add package to image](#add-package-to-image) +- [Learn more](#learn-more) +- [Related topics](#related-topics) Use a provisioning package to apply settings, profiles, and file assets to a Windows 10 image. diff --git a/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager.md b/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager.md index b7a577b8f8..0d7e867bba 100644 --- a/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager.md +++ b/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager.md 
@@ -17,14 +17,14 @@ author: CFaw **In this article** -- [Proof-of-concept environment](#proof-of-concept_environment) -- [Upgrade to Windows 10 with System Center 2012 R2 Configuration Manager](#upgrade_to_windows_10_with_system_center_2012_r2_configuration_manager) -- [Create the task sequence](#create_the_task_sequence) -- [Create a device collection](#create_a_device_collection) -- [Deploy the Windows 10 upgrade](#deploy_the_windows_10_upgrade) -- [Start the Windows 10 upgrade](#start_the_windows_10_upgrade) -- [Upgrade to Windows 10 with the next version of System Center Configuration Manager](#upgrade_to_windows_10_with_the_next_version_of_system_center_configuration_manager) -- [Related topics](#related_topics) +- [Proof-of-concept environment](#proof-of-concept-environment) +- [Upgrade to Windows 10 with System Center 2012 R2 Configuration Manager](#upgrade-to-windows-10-with-system-center-2012-r2-configuration-manager) +- [Create the task sequence](#create-the-task-sequence) +- [Create a device collection](#create-a-device-collection) +- [Deploy the Windows 10 upgrade](#deploy-the-windows-10-upgrade) +- [Start the Windows 10 upgrade](#start-the-windows-10-upgrade) +- [Upgrade to Windows 10 with the next version of System Center Configuration Manager](#upgrade-to-windows-10-with-the-next-version-of-system-center-configuration-manager) +- [Related topics](#related-topics) The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a System Center Configuration Manager task sequence to completely automate the process. diff --git a/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md index 8897dff324..b8c60bec0c 100644 --- a/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md 
+++ b/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md @@ -18,13 +18,13 @@ author: CFaw **In this article** -- [Proof-of-concept environment](#proof-of-concept_environment) -- [Set up the upgrade task sequence](#set_up_the_upgrade_task_sequence) -- [Create the MDT production deployment share](#create_the_mdt_production_deployment_share) -- [Add Windows 10 Enterprise x64 (full source)](#add_windows_10_enterprise_x64__full_source_) -- [Create a task sequence to upgrade to Windows 10 Enterprise](#create_a_task_sequence_to_upgrade_to_windows_10_enterprise) -- [Perform the Windows 10 upgrade](#perform_the_windows_10_upgrade) -- [Related topics](#related_topics) +- [Proof-of-concept environment](#proof-of-concept-environment) +- [Set up the upgrade task sequence](#set-up-the-upgrade-task-sequence) +- [Create the MDT production deployment share](#create-the-mdt-production-deployment-share) +- [Add Windows 10 Enterprise x64 (full source)](#add-windows-10-enterprise-x64--full-source-) +- [Create a task sequence to upgrade to Windows 10 Enterprise](#create-a-task-sequence-to-upgrade-to-windows-10-enterprise) +- [Perform the Windows 10 upgrade](#perform-the-windows-10-upgrade) +- [Related topics](#related-topics) The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a Microsoft Deployment Toolkit (MDT) 2013 Update 1 task sequence to completely automate the process. diff --git a/windows/deploy/use-orchestrator-runbooks-with-mdt-2013.md b/windows/deploy/use-orchestrator-runbooks-with-mdt-2013.md index a336728f47..142d8c1778 100644 --- a/windows/deploy/use-orchestrator-runbooks-with-mdt-2013.md +++ b/windows/deploy/use-orchestrator-runbooks-with-mdt-2013.md 
@@ -17,9 +17,9 @@ author: CFaw - [Orchestrator terminology](#sec01) - [Create a sample runbook](#sec02) - [Test the demo MDT runbook](#sec03) -- [Use the MDT demo runbook from MDT](#use_the_mdt_demo_runbook_from_mdt) -- [Run the orchestrator sample task sequence](#run_the_orchestrator_sample_task_sequence) -- [Related topics](#related_topics) +- [Use the MDT demo runbook from MDT](#use-the-mdt-demo-runbook-from-mdt) +- [Run the orchestrator sample task sequence](#run-the-orchestrator-sample-task-sequence) +- [Related topics](#related-topics) This topic will show you how to integrate Microsoft System Center 2012 R2 Orchestrator with MDT to replace the existing web services that are used in deployment solutions. @@ -30,7 +30,7 @@ If you are licensed to use Orchestrator, we highly recommend that you start usin   -## Orchestrator terminology +## Orchestrator terminology Before diving into the core details, here is a quick course in Orchestrator terminology: @@ -54,7 +54,7 @@ To find and download additional integration packs, see [Integration Packs for Sy   -## Create a sample runbook +## Create a sample runbook This section assumes you have Orchestrator 2012 R2 installed on a server named OR01. In this section, you create a sample runbook, which is used to log some of the MDT deployment information into a text file on OR01. @@ -134,7 +134,7 @@ This section assumes you have Orchestrator 2012 R2 installed on a server named O 19. On the **Append Line Properties** page, click **Finish**. -## Test the demo MDT runbook +## Test the demo MDT runbook After the runbook is created, you are ready to test it. diff --git a/windows/deploy/use-the-mdt-database-to-stage-windows-81-deployment-information.md b/windows/deploy/use-the-mdt-database-to-stage-windows-81-deployment-information.md index a4472e3804..c1091e33d2 100644 --- a/windows/deploy/use-the-mdt-database-to-stage-windows-81-deployment-information.md 
+++ b/windows/deploy/use-the-mdt-database-to-stage-windows-81-deployment-information.md @@ -18,11 +18,11 @@ author: CFaw - [Create the deployment database](#sec02) - [Configure database permissions](#sec03) - [Create an entry in the database](#sec04) -- [Related topics](#related_topics) +- [Related topics](#related-topics) This topic is designed to teach you how to use the MDT database to pre-stage information on your Windows 10 deployment in a Microsoft SQL Server 2012 SP1 Express database, rather than include the information in a text file (CustomSettings.ini). You can use this process, for example, to add the client machines you want to deploy, specify their computer names and IP addresses, indicate applications to be deployed, and determine many additional settings for the machines. -## Database prerequisites +## Database prerequisites MDT can use either SQL Server Express or full SQL Server, but since the deployment database isn't big, even in large enterprise environments, we recommend using the free SQL Server 2012 SP1 Express database in your environment. @@ -32,7 +32,7 @@ Be sure to enable Named Pipes when configuring the SQL Server 2012 SP1 Express d   -## Create the deployment database +## Create the deployment database The MDT database is by default created and managed from the Deployment Workbench. In these steps, we assume you have installed SQL Server 2012 SP1 Express on MDT01. @@ -62,7 +62,7 @@ Since SQL Server 2012 SP1 Express runs by default on a separate instance (SQLEXP Figure 8. The MDT database added to MDT01. -## Configure database permissions +## Configure database permissions After creating the database, you need to assign permissions to it. In MDT, the account you used to run the deployment is used to access the database. In this environment, the network access account is MDT\_BA. 
@@ -89,7 +89,7 @@ After creating the database, you need to assign permissions to it. In MDT, the a Figure 10. Creating the login and settings permissions to the MDT database. -## Create an entry in the database +## Create an entry in the database To start using the database, you add a computer entry and assign a description and computer name. Use the computer's MAC Address as the identifier. diff --git a/windows/deploy/use-web-services-in-mdt-2013.md b/windows/deploy/use-web-services-in-mdt-2013.md index 0532d7758c..35f644f9cd 100644 --- a/windows/deploy/use-web-services-in-mdt-2013.md +++ b/windows/deploy/use-web-services-in-mdt-2013.md @@ -19,13 +19,13 @@ author: CFaw - [Install the web service](#sec03) - [Test the web service in Internet Explorer](#sec04) - [Test the web service in the MDT simulation environment](#sec05) -- [Related topics](#related_topics) +- [Related topics](#related-topics) In this topic, you will learn how to create a simple web service that generates computer names and then configure MDT to use that service during your Windows 10 deployment. Web services provide a powerful way to assign settings during a deployment. Simply put, web services are web applications that run code on the server side, and MDT has built-in functions to call these web services. Using a web service in MDT is straightforward, but it does require that you have enabled the Web Server (IIS) role on the server. Developing web services involves a little bit of coding, but for most web services used with MDT, you can use the free Microsoft Visual Studio Express 2013 for Web. -## Create a sample web service +## Create a sample web service In these steps we assume you have installed Microsoft Visual Studio Express 2013 for Web on PC0001 (the Windows 10 client) and downloaded the [MDT Sample Web Service](http://go.microsoft.com/fwlink/p/?LinkId=619363) from the Microsoft Download Center and extracted it to C:\\Projects. 
@@ -50,7 +50,7 @@ In these steps we assume you have installed Microsoft Visual Studio Express 2013 Figure 15. The sample project in Microsoft Visual Studio Express 2013 for Web. -## Create an application pool for the web service +## Create an application pool for the web service This section assumes that you have enabled the Web Server (IIS) role on MDT01. @@ -75,7 +75,7 @@ This section assumes that you have enabled the Web Server (IIS) role on MDT01. Figure 16. The new MDTSample application. -## Install the web service +## Install the web service 1. On MDT01, using Internet Information Services (IIS) Manager, expand **Sites**, right-click **Default Web Site**, and select **Add Application**. Use the following settings for the application: @@ -100,7 +100,7 @@ Figure 16. The new MDTSample application. Figure 18. Configuring Authentication for the MDTSample web service. -## Test the web service in Internet Explorer +## Test the web service in Internet Explorer 1. On PC0001, using Internet Explorer, navigate to: **http://MDT01/MDTSample/mdtsample.asmx**. @@ -121,7 +121,7 @@ Figure 18. Configuring Authentication for the MDTSample web service. Figure 20. The result from the MDT Sample web service. -## Test the web service in the MDT simulation environment +## Test the web service in the MDT simulation environment After verifying the web service using Internet Explorer, you are ready to do the same test in the MDT simulation environment. diff --git a/windows/deploy/usmt-best-practices-usmt-win7-usmt-win8.md b/windows/deploy/usmt-best-practices-usmt-win7-usmt-win8.md index 5d4ab8570c..806fbde67e 100644 --- a/windows/deploy/usmt-best-practices-usmt-win7-usmt-win8.md +++ b/windows/deploy/usmt-best-practices-usmt-win7-usmt-win8.md 
@@ -82,7 +82,7 @@ As the authorized administrator, it is your responsibility to protect the privac Before you migrate local accounts, see the Migrating Local Accounts section in the [Identify Users](identify-users-usmt-win7-usmt-win8.md) topic. -## XML File Best Practices +## XML File Best Practices - **Specify the same set of mig\*.xml files in both the ScanState and the LoadState tools** diff --git a/windows/deploy/usmt-requirements-usmt-win7-usmt-win8.md b/windows/deploy/usmt-requirements-usmt-win7-usmt-win8.md index 1fa6e63ac1..db2c363e71 100644 --- a/windows/deploy/usmt-requirements-usmt-win7-usmt-win8.md +++ b/windows/deploy/usmt-requirements-usmt-win7-usmt-win8.md @@ -14,15 +14,15 @@ author: CFaw ## In This Topic -- [Supported Operating Systems](#BKMK_1) +- [Supported Operating Systems](#bkmk-1) -- [Software Requirements](#BKMK_2) +- [Software Requirements](#bkmk-2) -- [Hard Disk Requirements](#BKMK_3) +- [Hard Disk Requirements](#bkmk-3) -- [User Prerequisites](#BKMK_UserPrereqs) +- [User Prerequisites](#bkmk-userprereqs) -## Supported Operating Systems +## Supported Operating Systems The User State Migration Tool (USMT) 10.0 does not have any explicit RAM or CPU speed requirements for either the source or destination computers. If your computer complies with the system requirements of the operating system, it also complies with the requirements for USMT. You need an intermediate store location large enough to hold all of the migrated data and settings, and the same amount of hard disk space on the destination computer for the migrated files and settings. 
@@ -105,10 +105,10 @@ USMT does not support any of the Windows Server® operating systems, Windows 20   -## Software Requirements +## Software Requirements -- **Must use latest version of Window PE.** For example, to migrate to Windows 10, you'll need Windows PE 5.1. For more info, see [What's New in Windows PE](../p_adk_online/whats-new-in-windows-pe-s14.md). +- **Must use latest version of Window PE.** For example, to migrate to Windows 10, you'll need Windows PE 5.1. For more info, see [What's New in Windows PE](http://msdn.microsoft.com/library/windows/hardware/dn938350.aspx). - **Must run in Administrator Mode** When manually running the **ScanState** and **LoadState** tools on Windows 7, Windows 8 or Windows 10 you must run them in Administrator mode from an account with administrative credentials to ensure that all specified users are migrated. This is because User Access Control (UAC) is enabled by default. If you do not run USMT in Administrator mode, only the user profile that is logged on will be included in the migration. @@ -145,12 +145,12 @@ USMT does not support any of the Windows Server® operating systems, Windows 20 - **Install applications before running the LoadState command.** Install all applications on the destination computer before restoring the user state. This ensures that migrated settings are preserved. -## Hard-Disk Requirements +## Hard-Disk Requirements Ensure that there is enough available space in the migration-store location and on the source and destination computers. For more information, see [Estimate Migration Store Size](estimate-migration-store-size-usmt-win7-usmt-win8.md). -## User Prerequisites +## User Prerequisites This documentation assumes that IT professionals using USMT understand command-line tools. The documentation also assumes that IT professionals using USMT to author MigXML rules understand the following: 
diff --git a/windows/deploy/usmtutils-syntax-usmt-win8.md b/windows/deploy/usmtutils-syntax-usmt-win8.md index 13364b73a3..ce45cd93e6 100644 --- a/windows/deploy/usmtutils-syntax-usmt-win8.md +++ b/windows/deploy/usmtutils-syntax-usmt-win8.md @@ -24,13 +24,13 @@ This topic describes the syntax for the utilities available in User State Migrat ## In This Topic -[Usmtutils.exe](#BKMK_Usmtutils_exe) +[Usmtutils.exe](#bkmk-usmtutils-exe) -[Verify Options](#BKMK_VerifyOptions) +[Verify Options](#bkmk-verifyoptions) -[Extract Options](#BKMK_ExtractOptions) +[Extract Options](#bkmk-extractoptions) -## Usmtutils.exe +## Usmtutils.exe The following table lists command-line options for USMTutils.exe. The sections that follow provide further command-line options for the **/verify** and the **/extract** options. @@ -68,19 +68,19 @@ usmtutils \[/ec | /rd *<storeDir>* | /verify *<filepath>* \[options\ +

See [Verify Options](#bkmk-verifyoptions) for syntax and options to use with /verify.

+

See [Extract Options](#bkmk-extractoptions) for syntax and options to use with /extract.

/verify

Returns information on whether the compressed migration store is intact or whether it contains corrupted files or a corrupted catalog.

-

See [Verify Options](#BKMK_VerifyOptions) for syntax and options to use with /verify.

/extract

Recovers files from a compressed USMT migration store.

-

See [Extract Options](#BKMK_ExtractOptions) for syntax and options to use with /extract.

  -## Verify Options +## Verify Options Use the **/verify** option when you want to determine whether a compressed migration store is intact or whether it contains corrupted files or a corrupted catalog. For more information on how to use the **/verify** option, see [Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md). @@ -199,7 +199,7 @@ Some examples of **/verify** commands: - `usmtutils /verify:failureonly D:\MyMigrationStore\store.mig /decrypt:AES_192 /keyfile:D:\encryptionKey.txt` -## Extract Options +## Extract Options Use the **/extract** option to recover files from a compressed USMT migration store if it will not restore normally with loadstate. For more information on how to use the **/extract** option, see [Extract Files from a Compressed USMT Migration Store](extract-files-from-a-compressed-usmt-migration-store.md). diff --git a/windows/deploy/verify-the-condition-of-a-compressed-migration-store.md b/windows/deploy/verify-the-condition-of-a-compressed-migration-store.md index b965143fed..cda27f1780 100644 --- a/windows/deploy/verify-the-condition-of-a-compressed-migration-store.md +++ b/windows/deploy/verify-the-condition-of-a-compressed-migration-store.md 
@@ -34,17 +34,17 @@ When you use the **/verify** option, you can specify what type of information to The following sections demonstrate how to run the **UsmtUtils** command with the **/verify** option, and how to specify the information to display in the UsmtUtils log file. -- [The UsmtUtils syntax for the /verify option](#BKMK_verifySyntax) +- [The UsmtUtils syntax for the /verify option](#bkmk-verifysyntax) -- [To verify that the migration store is intact](#BKMK_verifyIntactStore) +- [To verify that the migration store is intact](#bkmk-verifyintactstore) -- [To verify the status of only the catalog file](#BKMK_verifyCatalog) +- [To verify the status of only the catalog file](#bkmk-verifycatalog) -- [To verify the status of all files](#BKMK_verifyAllFiles) +- [To verify the status of all files](#bkmk-verifyallfiles) -- [To verify the status of the files and return only the corrupted files](#BKMK_returnCorrupted) +- [To verify the status of the files and return only the corrupted files](#bkmk-returncorrupted) -### The UsmtUtils Syntax for the /verify Option +### The UsmtUtils Syntax for the /verify Option To verify the condition of a compressed migration store, use the following UsmtUtils syntax: @@ -66,7 +66,7 @@ Where the placeholders have the following values: - *<filename>* is the location and name of the text file that contains the encryption key. -### To Verify that the Migration Store is Intact +### To Verify that the Migration Store is Intact To verify whether the migration store is intact or whether it contains corrupted files or a corrupted catalog, type: @@ -76,7 +76,7 @@ usmtutils /verify D:\MyMigrationStore\store.mig Because no report type is specified, UsmtUtils displays the default summary report. -### To Verify the Status of Only the Catalog File +### To Verify the Status of Only the Catalog File To verify whether the catalog file is corrupted or intact, type: 
@@ -84,7 +84,7 @@ To verify whether the catalog file is corrupted or intact, type: usmtutils /verify:catalog D:\MyMigrationStore\store.mig ``` -### To Verify the Status of all Files +### To Verify the Status of all Files To verify whether there are any corrupted files in the compressed migration store, and to specify the name and location of the log file, type: @@ -92,7 +92,7 @@ To verify whether there are any corrupted files in the compressed migration stor In addition to verifying the status of all files, this example decrypts the files. Because no encryption algorithm is specified, UsmtUtils uses the default 3DES cryptographic algorithm. -### To Verify the Status of the Files and Return Only the Corrupted Files +### To Verify the Status of the Files and Return Only the Corrupted Files In this example, the log file will only list the files that became corrupted during the ScanState process. This list will include the catalog file if it is also corrupted. diff --git a/windows/deploy/what-does-usmt-migrate-usmt-win7-usmt-win8.md b/windows/deploy/what-does-usmt-migrate-usmt-win7-usmt-win8.md index dc9597257c..43e8e9af7a 100644 --- a/windows/deploy/what-does-usmt-migrate-usmt-win7-usmt-win8.md +++ b/windows/deploy/what-does-usmt-migrate-usmt-win7-usmt-win8.md @@ -14,17 +14,17 @@ author: CFaw ## In This Topic -- [Default Migration Scripts](#BKMK_DefaultMigScripts) +- [Default Migration Scripts](#bkmk-defaultmigscripts) -- [User Data](#BKMK_3) +- [User Data](#bkmk-3) -- [Operating-System Components](#BKMK_4) +- [Operating-System Components](#bkmk-4) -- [Supported Applications](#BKMK_2) +- [Supported Applications](#bkmk-2) - [What USMT Does Not Migrate](#no) -## Default Migration Scripts +## Default Migration Scripts The User State Migration Tool (USMT) 10.0 is designed so that an IT engineer can precisely define migrations using the USMT .xml scripting language. USMT provides the following sample scripts: 
@@ -43,7 +43,7 @@ The User State Migration Tool (USMT) 10.0 is designed so that an IT engineer ca - Access control lists (ACLs) for folders outside the user profile. -## User Data +## User Data This section describes the user data that USMT migrates by default, using the MigUser.xml file. It also defines how to migrate ACLs. @@ -84,7 +84,7 @@ To migrate ACLs, you must specify the directory to migrate in the MigUser.xml fi   -## Operating-System Components +## Operating-System Components USMT migrates operating-system components to a destination computer from computers running Windows 7 and Windows 8 @@ -151,7 +151,7 @@ Some settings, such as fonts, are not applied by the LoadState tool until after   -## Supported Applications +## Supported Applications Although it is not required for all applications, it is good practice to install all applications on the destination computer before restoring the user state. Installing applications before migrating settings helps to ensure that the migrated settings are not overwritten by the application installers. @@ -361,7 +361,7 @@ When you specify the MigApp.xml file, USMT migrates the settings for the followi   -## What USMT Does Not Migrate +## What USMT Does Not Migrate The following is a list of the settings that USMT does not migrate. If you are having a problem that is not listed here, see [Common Issues](common-issues-usmt-win8.md). diff --git a/windows/deploy/windows-10-deployment-scenarios.md b/windows/deploy/windows-10-deployment-scenarios.md index a1f3a15be9..66b774892e 100644 --- a/windows/deploy/windows-10-deployment-scenarios.md +++ b/windows/deploy/windows-10-deployment-scenarios.md 
@@ -18,10 +18,10 @@ author: CFaw **In this article** -- [In-place upgrade](#in_place_upgrade) -- [Dynamic provisioning](#dynamic_provisioning) -- [Traditional deployment](#traditional_deployment) -- [Related topics](#related_topics) +- [In-place upgrade](#in-place-upgrade) +- [Dynamic provisioning](#dynamic-provisioning) +- [Traditional deployment](#traditional-deployment) +- [Related topics](#related-topics) To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the key capabilities and limitations of each, is a key task. diff --git a/windows/deploy/windows-deployment-scenarios-and-tools.md b/windows/deploy/windows-deployment-scenarios-and-tools.md index d578681718..03cf627003 100644 --- a/windows/deploy/windows-deployment-scenarios-and-tools.md +++ b/windows/deploy/windows-deployment-scenarios-and-tools.md @@ -23,7 +23,7 @@ author: CFaw - [Internet Explorer Administration Kit 11](#sec12) - [Windows Server Update Services](#sec13) - [Unified Extensible Firmware Interface](#sec14) -- [Related topics](#related_topics) +- [Related topics](#related-topics) To successfully deploy the Windows 10 operating system and applications for your organization, it is essential that you know about the available tools to help with the process. In this topic, you will learn about the most commonly used tools for Windows 10 deployment. 
@@ -31,7 +31,7 @@ Microsoft provides many tools, services, and solutions. These tools include Wind In this topic, you also learn about different types of reference images that you can build, and why reference images are beneficial for most organizations -## Windows Assessment and Deployment Kit +## Windows Assessment and Deployment Kit Windows ADK contains core assessment and deployment tools and technologies, including Deployment Image Servicing and Management (DISM), Windows Imaging and Configuration Designer (Windows ICD), Windows System Image Manager (Windows SIM), User State Migration Tool (USMT), Volume Activation Management Tool (VAMT), Windows Preinstallation Environment (Windows PE), Windows Assessment Services, Windows Performance Toolkit (WPT), Application Compatibility Toolkit (ACT), and Microsoft SQL Server 2012 Express. For more details, see [Windows ADK for Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=526803 ) or [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md). @@ -159,7 +159,7 @@ Figure 7. A machine booted with the Windows ADK default Windows PE boot image. For more details on Windows PE, see [Windows PE (WinPE)](http://go.microsoft.com/fwlink/p/?LinkId=619233). -## Windows Recovery Environment +## Windows Recovery Environment Windows Recovery Environment (Windows RE) is a diagnostics and recovery toolset included in Windows Vista and later operating systems. The latest version of Windows RE is based on Windows PE. You can also extend Windows RE and add your own tools if needed. If a Windows installation fails to start and Windows RE is installed, you will see an automatic failover into Windows RE. 
@@ -170,7 +170,7 @@ Figure 8. A Windows 10 client booted into Windows RE, showing Advanced options. For more information on Windows RE, see [Windows Recovery Environment](http://go.microsoft.com/fwlink/p/?LinkId=619236). -## Windows Deployment Services +## Windows Deployment Services Windows Deployment Services (WDS) has been updated and improved in several ways starting with Windows 8. Remember that the two main functions you will use are the PXE boot support and multicast. Most of the changes are related to management and increased performance. In Windows Server 2012 R2, WDS also can be used for the Network Unlock feature in BitLocker. @@ -197,7 +197,7 @@ Also, there are a few new features related to TFTP performance: Figure 10. TFTP changes are now easy to perform. -## Microsoft Deployment Toolkit 2013 Update 1 +## Microsoft Deployment Toolkit 2013 Update 1 MDT 2013 Update 1 is a free deployment solution from Microsoft. It provides end-to-end guidance, best practices, and tools for planning, building, and deploying Windows operating systems. MDT builds on top of the core deployment tools in the Windows ADK by contributing guidance, reducing complexity, and adding critical features for an enterprise-ready deployment solution. 
@@ -215,7 +215,7 @@ Figure 11. The Deployment Workbench in MDT 2013, showing a task sequence. For more information on MDT 2013 Update 1, see the [Microsoft Deployment Toolkit](http://go.microsoft.com/fwlink/p/?LinkId=618117) resource center. -## Microsoft Security Compliance Manager 2013 +## Microsoft Security Compliance Manager 2013 [Microsoft SCM](http://go.microsoft.com/fwlink/p/?LinkId=619246) is a free utility used to create baseline security settings for the Windows client and server environment. The baselines can be exported and then deployed via Group Policy, local policies, MDT, or Configuration Manager. The current version of Security Compliance Manager includes baselines for Windows 8.1 and several earlier versions of Windows, Windows Server, and Internet Explorer. @@ -224,7 +224,7 @@ For more information on MDT 2013 Update 1, see the [Microsoft Deployment Toolkit Figure 12. The SCM console showing a baseline configuration for a fictional client's computer security compliance. -## Microsoft Desktop Optimization Pack +## Microsoft Desktop Optimization Pack MDOP is a suite of technologies available to Software Assurance customers through an additional subscription. @@ -243,7 +243,7 @@ The following components are included in the MDOP suite: For more information on the benefits of an MDOP subscription, see [Microsoft Desktop Optimization Pack](http://go.microsoft.com/fwlink/p/?LinkId=619247). -## Internet Explorer Administration Kit 11 +## Internet Explorer Administration Kit 11 There has been a version of IEAK for every version of Internet Explorer since 3.0. It gives you the capability to customize Internet Explorer as you would like. The end result of using IEAK is an Internet Explorer package that can be deployed unattended. The wizard creates one .exe file and one .msi file. 
@@ -254,7 +254,7 @@ Figure 13. The User Experience selection screen in IEAK 11. To download IEAK 11, see the [Internet Explorer Administration Kit (IEAK) Information and Downloads](http://go.microsoft.com/fwlink/p/?LinkId=619248) page. -## Windows Server Update Services +## Windows Server Update Services WSUS is a server role in Windows Server 2012 R2 that enables you to maintain a local repository of Microsoft updates and then distribute them to machines on your network. WSUS offers approval control and reporting of update status in your environment. @@ -265,7 +265,7 @@ Figure 14. The Windows Server Update Services console. For more information on WSUS, see the [Windows Server Update Services Overview](http://go.microsoft.com/fwlink/p/?LinkId=619249). -## Unified Extensible Firmware Interface +## Unified Extensible Firmware Interface For many years BIOS has been the industry standard for booting a PC. BIOS has served us well, but it is time to replace it with something better. **UEFI** is the replacement for BIOS, so it is important to understand the differences between BIOS and UEFI. In this section, you learn the major differences between the two and how they affect operating system deployment. diff --git a/windows/deploy/xml-elements-library-usmt-win7-usmt-win8.md b/windows/deploy/xml-elements-library-usmt-win7-usmt-win8.md index a69178383b..2c2624cb51 100644 --- a/windows/deploy/xml-elements-library-usmt-win7-usmt-win8.md +++ b/windows/deploy/xml-elements-library-usmt-win7-usmt-win8.md 
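Review bot: the heading pairs in the @@ -31 through @@ -265 hunks of windows-deployment-scenarios-and-tools.md (for example `-## Windows Server Update Services` / `+## Windows Server Update Services`) show no visible difference, so what is being removed is invisible markup, most likely trailing whitespace or an inline anchor tag, and the commit message `refreshing build (3/11/16)` does not say which. State in the message what is stripped from the headings; a reviewer cannot otherwise tell a harmless whitespace cleanup from an anchor removal that silently breaks in-page links.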
@@ -21,17 +21,17 @@ This topic describes the XML elements and helper functions that you can employ t In addition to XML elements and helper functions, this topic describes how to specify encoded locations and locations patterns, functions that are for internal USMT use only, and the version tags that you can use with helper functions. -- [Elements and helper functions](#Elements) +- [Elements and helper functions](#elements) -- [Appendix](#Appendix) +- [Appendix](#appendix) - [Specifying locations](#locations) - - [Internal USMT functions](#InternalUSMTFunctions) + - [Internal USMT functions](#internalusmtfunctions) - - [Valid version tags](#Allowed) + - [Valid version tags](#allowed) -## Elements and Helper Functions +## Elements and Helper Functions The following table describes the XML elements and helper functions you can use with USMT. @@ -51,40 +51,40 @@ The following table describes the XML elements and helper functions you can use -

[<addObjects>](#addObjects)

+

[<addObjects>](#addobjects)

[<attributes>](#attribute)

[<bytes>](#bytes)

-

[<commandLine>](#commandLine)

+

[<commandLine>](#commandline)

[<component>](#component)

[<condition>](#condition)

[<conditions>](#conditions)

[<content>](#content)

-

[<contentModify>](#contentModify)

+

[<contentModify>](#contentmodify)

[<description>](#description)

-

[<destinationCleanup>](#destinationCleanup)

+

[<destinationCleanup>](#destinationcleanup)

[<detect>](#detect)

[<detects>](#detects)

[<detection>](#detection)

-

[<displayName>](#displayName)

-

[<environment>](#BKMK_environment)

+

[<displayName>](#displayname)

+

[<environment>](#bkmk-environment)

[<exclude>](#exclude)

-

[<excludeAttributes>](#excludeAttributes)

+

[<excludeAttributes>](#excludeattributes)

[<extensions>](#extensions)

[<extension>](#extension)

-

[<externalProcess>](#externalProcess)

+

[<externalProcess>](#externalprocess)

[<icon>](#icon)

[<include>](#include)

-

[<includeAttribute>](#includeAttributes)

+

[<includeAttribute>](#includeattributes)

[<library>](#library)

[<location>](#location)

-

[<locationModify>](#locationModify)

-

[<_locDefinition>](#locDefinition)

+

[<locationModify>](#locationmodify)

+

[<_locDefinition>](#locdefinition)

[<manufacturer>](#manufacturer)

[<merge>](#merge)

[<migration>](#migration)

-

[<namedElements>](#namedElements)

+

[<namedElements>](#namedelements)

[<object>](#object)

-

[<objectSet>](#objectSet)

+

[<objectSet>](#objectset)

[<path>](#path)

[<paths>](#paths)

[<pattern>](#pattern)

@@ -94,25 +94,25 @@ The following table describes the XML elements and helper functions you can use

[<rules>](#rules)

[<script>](#script)

[<text>](#text)

-

[<unconditionalExclude>](#unconditionalExclude)

+

[<unconditionalExclude>](#unconditionalexclude)

[<variable>](#variable)

[<version>](#version)

-

[<windowsObjects>](#windowsObjects)

-

[<condition> functions](#ConditionFunctions)

-

[<content> functions](#ContentFunctions)

-

[<contentModify> functions](#ContentModifyFunctions)

-

[<include> and <exclude> filter functions](#PersistFilterFunctions)

-

[<locationModify> functions](#LocationModifyFunctions)

-

[<merge> functions](#MergeFunctions)

-

[<script> functions](#ScriptFunctions)

-

[Internal USMT functions](#InternalUSMTFunctions)

+

[<windowsObjects>](#windowsobjects)

+

[<condition> functions](#conditionfunctions)

+

[<content> functions](#contentfunctions)

+

[<contentModify> functions](#contentmodifyfunctions)

+

[<include> and <exclude> filter functions](#persistfilterfunctions)

+

[<locationModify> functions](#locationmodifyfunctions)

+

[<merge> functions](#mergefunctions)

+

[<script> functions](#scriptfunctions)

+

[Internal USMT functions](#internalusmtfunctions)

  -## <addObjects> +## <addObjects> The <addObjects> element emulates the existence of one or more objects on the source computer. The child <object> elements provide the details of the emulated objects. If the content is a <script> element, the result of the invocation will be an array of objects. @@ -148,7 +148,7 @@ The following example is from the MigApp.xml file: ``` -## <attributes> +## <attributes> The <attributes> element defines the attributes for a registry key or file. @@ -215,7 +215,7 @@ The following example is from the MigApp.xml file: ``` -## <bytes> +## <bytes> You must specify the <bytes> element only for files because, if <location> corresponds to a registry key or a directory, then <bytes> will be ignored. @@ -278,14 +278,14 @@ The following example is from the MigApp.xml file: ``` -## <commandLine> +## <commandLine> You might want to use the <commandLine> element if you want to start or stop a service or application before or after you run the ScanState and LoadState tools. - **Number of occurrences:** unlimited -- **Parent elements:**[<externalProcess>](#externalProcess) +- **Parent elements:**[<externalProcess>](#externalprocess) - **Child elements:** none**** @@ -317,7 +317,7 @@ Syntax:   -## <component> +## <component> The <component> element is required in a custom .xml file. This element defines the most basic construct of a migration .xml file. For example, in the MigApp.xml file, "Microsoft® Office 2003" is a component that contains another component, "Microsoft Office Access® 2003". You can use the child elements to define the component. 
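Review bot: the link `[<attributes>](#attribute)` in the element table (and again as unchanged context in the `<object>` hunk at @@ -3142) keeps the target `#attribute`, but the heading it should reach is `## <attributes>`; under the lowercase-slug scheme this patch applies everywhere else, the generated anchor is `#attributes`, so the link is broken both before and after the change. The same table also keeps the singular display text `[<includeAttribute>](#includeattributes)` for the `<includeAttributes>` element; correct the target to `#attributes` and the display text to `<includeAttributes>` while this table is being touched.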
@@ -328,9 +328,9 @@ A component can be nested inside another component; that is, the <component&g - **Parent elements:**[<migration>](#migration), [<role>](#role) -- **Required child elements:**[<role>](#role), [<displayName>](#displayName) +- **Required child elements:**[<role>](#role), [<displayName>](#displayname) -- **Optional child elements:**[<manufacturer>](#manufacturer), [<version>](#version), [<description>](#description), [<paths>](#paths), [<icon>](#icon), [<environment>](#BKMK_environment), [<extensions>](#extensions) +- **Optional child elements:**[<manufacturer>](#manufacturer), [<version>](#version), [<description>](#description), [<paths>](#paths), [<icon>](#icon), [<environment>](#bkmk-environment), [<extensions>](#extensions) Syntax: 
@@ -397,10 +397,10 @@ hidden="Yes|No"> For an example, see any of the default migration .xml files. -## <condition> +## <condition> -Although the <condition> element under the <detect>, <objectSet>, and <addObjects> elements is supported, we recommend that you do not use it. This element might be deprecated in future versions of USMT, requiring you to rewrite your scripts. We recommend that, if you need to use a condition within the <objectSet> and <addObjects> elements, you use the more powerful [<conditions>](f#conditions) element, which allows you to formulate complex Boolean statements. +Although the <condition> element under the <detect>, <objectSet>, and <addObjects> elements is supported, we recommend that you do not use it. This element might be deprecated in future versions of USMT, requiring you to rewrite your scripts. We recommend that, if you need to use a condition within the <objectSet> and <addObjects> elements, you use the more powerful [<conditions>](#conditions) element, which allows you to formulate complex Boolean statements. The <condition> element has a Boolean result. You can use this element to specify the conditions in which the parent element will be evaluated. If any of the present conditions return FALSE, the parent element will not be evaluated. 
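Review bot: the `[<conditions>](f#conditions)` to `[<conditions>](#conditions)` change in the @@ -397 hunk is a genuine broken-link repair rather than a slug-case rename, and it deserves a mention in the commit message, which currently only says `refreshing build (3/11/16)`; a reader scanning the history for link fixes will not find it under that description.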
@@ -410,7 +410,7 @@ The <condition> element has a Boolean result. You can use this element to - **Child elements:** none -- **Helper functions:** You can use the following [<condition> functions](#ConditionFunctions) with this element: DoesOSMatch, IsNative64Bit(), IsOSLaterThan, IsOSEarlierThan, DoesObjectExist, DoesFileVersionMatch, IsFileVersionAbove, IsFileVersionBelow, IsSystemContext, DoesStringContentEqual, DoesStringContentContain, IsSameObject, IsSameContent, and IsSameStringContent. +- **Helper functions:** You can use the following [<condition> functions](#conditionfunctions) with this element: DoesOSMatch, IsNative64Bit(), IsOSLaterThan, IsOSEarlierThan, DoesObjectExist, DoesFileVersionMatch, IsFileVersionAbove, IsFileVersionBelow, IsSystemContext, DoesStringContentEqual, DoesStringContentContain, IsSameObject, IsSameContent, and IsSameStringContent. Syntax: @@ -472,15 +472,15 @@ However, in the code sample below, the <condition> elements, A and B, are ``` -### <condition> functions +### <condition> functions The <condition> functions return a Boolean value. You can use these elements in <addObjects> conditions. -- [Operating system version functions](#OperatingSystemFunctions) +- [Operating system version functions](#operatingsystemfunctions) -- [Object content functions](#ObjectContentFunctions) +- [Object content functions](#objectcontentfunctions) -### Operating system version functions +### Operating system version functions - **DoesOSMatch** @@ -601,7 +601,7 @@ The <condition> functions return a Boolean value. You can use these elemen   -### Object content functions +### Object content functions - **DoesObjectExist** @@ -668,7 +668,7 @@ The <condition> functions return a Boolean value. You can use these elemen

VersionTag

Yes

-

The [version tag](#Allowed) value that will be checked.

+

The [version tag](#allowed) value that will be checked.

VersionValue

@@ -714,7 +714,7 @@ The <condition> functions return a Boolean value. You can use these elemen

VersionTag

Yes

-

The [version tag](#Allowed) value that will be checked.

+

The [version tag](#allowed) value that will be checked.

VersionValue

@@ -752,7 +752,7 @@ The <condition> functions return a Boolean value. You can use these elemen

VersionTag

Yes

-

The [version tag](#Allowed) value that will be checked.

+

The [version tag](#allowed) value that will be checked.

VersionValue

@@ -995,14 +995,14 @@ The <condition> functions return a Boolean value. You can use these elemen   -## <conditions> +## <conditions> The <conditions> element returns a Boolean result that is used to specify the conditions in which the parent element is evaluated. USMT evaluates the child elements, and then joins their results using the operators AND or OR according to the **operation** parameter. -- **Number of occurrences:** Unlimited inside another <conditions> element. Limited to one occurrence in [<detection>](#detection), [<rules>](#rules), [<addObjects>](#addObjects), and [<objectSet>](#objectSet) +- **Number of occurrences:** Unlimited inside another <conditions> element. Limited to one occurrence in [<detection>](#detection), [<rules>](#rules), [<addObjects>](#addobjects), and [<objectSet>](#objectset) -- **Parent elements:**[<conditions>](#conditions), [<detection>](#detection), [<environment>](#BKMK_environment), [<rules>](#rules), [<addObjects>](#addObjects), and [<objectSet>](#objectSet) +- **Parent elements:**[<conditions>](#conditions), [<detection>](#detection), [<environment>](#bkmk-environment), [<rules>](#rules), [<addObjects>](#addobjects), and [<objectSet>](#objectset) - **Child elements:**[<conditions>](#conditions), [<condition>](#condition) 
@@ -1049,18 +1049,18 @@ The following example is from the MigApp.xml file: ``` -## <content> +## <content> You can use the <content> element to specify a list of object patterns to obtain an object set from the source computer. Each <objectSet> within a <content> element is evaluated. For each resulting object pattern list, the objects that match it are enumerated and their content is filtered by the filter parameter. The resulting string array is the output for the <content> element. The filter script returns an array of locations. The parent <objectSet> element can contain multiple child <content> elements. - **Number of occurrences:** unlimited -- **Parent elements:**[<objectSet>](#objectSet) +- **Parent elements:**[<objectSet>](#objectset) -- **Child elements:**[<objectSet>](#objectSet) +- **Child elements:**[<objectSet>](#objectset) -- **Helper functions:** You can use the following [<content> functions](#ContentFunctions) with this element: ExtractSingleFile, ExtractMultipleFiles, and ExtractDirectory. +- **Helper functions:** You can use the following [<content> functions](#contentfunctions) with this element: ExtractSingleFile, ExtractMultipleFiles, and ExtractDirectory. Syntax: @@ -1093,7 +1093,7 @@ Syntax:   -### <content> functions +### <content> functions The following functions generate patterns out of the content of an object. These functions are called for every object that the parent <ObjectSet> element is enumerating. @@ -1233,7 +1233,7 @@ The following functions generate patterns out of the content of an object. These ``` -## <contentModify> +## <contentModify> The <contentModify> element modifies the content of an object before it is written to the destination computer. For each <contentModify> element there can be multiple <objectSet> elements. This element returns the new content of the object that is being processed. 
@@ -1242,9 +1242,9 @@ The <contentModify> element modifies the content of an object before it is - **Parent elements:**[<rules>](#rules) -- **Required child elements:**[<objectSet>](#objectSet) +- **Required child elements:**[<objectSet>](#objectset) -- **Helper functions**: You can use the following [<contentModify> functions](#ContentModifyFunctions) with this element: ConvertToDWORD, ConvertToString, ConvertToBinary, KeepExisting, OffsetValue, SetValueByTable, MergeMultiSzContent, and MergeDelimitedContent. +- **Helper functions**: You can use the following [<contentModify> functions](#contentmodifyfunctions) with this element: ConvertToDWORD, ConvertToString, ConvertToBinary, KeepExisting, OffsetValue, SetValueByTable, MergeMultiSzContent, and MergeDelimitedContent. Syntax: @@ -1277,7 +1277,7 @@ Syntax:   -### <contentModify> functions +### <contentModify> functions The following functions change the content of objects as they are migrated. These functions are called for every object that the parent <ObjectSet> element is enumerating. @@ -1558,7 +1558,7 @@ The following functions change the content of objects as they are migrated. Thes   -## <description> +## <description> The <description> element defines a description for the component but does not affect the migration. @@ -1603,7 +1603,7 @@ The following code sample shows how the <description> element defines the My custom component ``` -## <destinationCleanup> +## <destinationCleanup> The <destinationCleanup> element deletes objects, such as files and registry keys, from the destination computer before applying the objects from the source computer. This element is evaluated only when the LoadState tool is run on the destination computer. That is, this element is ignored by the ScanState tool. 
@@ -1619,7 +1619,7 @@ For each <destinationCleanup> element there can be multiple <objectSet& - **Parent elements:**[<rules>](#rules) -- **Child elements:**[<objectSet>](#objectSet) (Note that the destination computer will delete all child elements.) +- **Child elements:**[<objectSet>](#objectset) (Note that the destination computer will delete all child elements.) Syntax: @@ -1663,7 +1663,7 @@ For example: ``` -## <detect> +## <detect> Although the <detect> element is still supported, we do not recommend using it because it may be deprecated in future versions of USMT. In that case, you would have to rewrite your scripts. Instead, we recommend that you use the [<detection>](#detection)**element.** @@ -1674,11 +1674,11 @@ For each <detect> element there can be multiple child <condition> or - **Number of occurrences:** unlimited -- **Parent elements:** <detects>, [<namedElements>](#namedElements) +- **Parent elements:** <detects>, [<namedElements>](#namedelements) - **Required child elements:**[<condition>](#condition) -- **Optional child elements:**[<objectSet>](#objectSet) +- **Optional child elements:**[<objectSet>](#objectset) Syntax: @@ -1725,7 +1725,7 @@ Syntax: For examples, see the examples for [<detection>](#detection). -## <detects> +## <detects> Although the <detects> element is still supported, we recommend that you do not use it because it may be deprecated in future versions of USMT, which would require you to rewrite your scripts. Instead, we recommend that you use the [<detection>](#detection) element if the parent element is <role> or <namedElements>, and we recommend that you use the <conditions> element if the parent element is <rules>. Using <detection> allows you to more clearly formulate complex Boolean statements. 
@@ -1740,7 +1740,7 @@ Syntax: - **Number of occurrences:** Unlimited. -- **Parent elements:**[<role>](#role), [<rules>](#rules), [<namedElements>](#namedElements) +- **Parent elements:**[<role>](#role), [<rules>](#rules), [<namedElements>](#namedelements) - **Required child elements:** <detect> @@ -1795,7 +1795,7 @@ The following example is from the MigApp.xml file. ``` -## <detection> +## <detection> The <detection> element is a container for one <conditions> element. The result of the child <condition> elements, located underneath the <conditions> element, determines the result of this element. For example, if all of the child <conditions> elements within the <detection> element resolve to TRUE, then the <detection> element resolves to TRUE. If any of the child <conditions> elements resolve to FALSE, then the <detection> element resolves to FALSE. @@ -1806,7 +1806,7 @@ Use the <detection> element under the <namedElements> element if you - **Number of occurrences:** Unlimited. -- **Parent elements:**[<role>](#role), [<namedElements>](#namedElements) +- **Parent elements:**[<role>](#role), [<namedElements>](#namedelements) - **Child elements:**[<conditions>](#conditions) @@ -1876,7 +1876,7 @@ and ``` -## <displayName> +## <displayName> The <displayName> element is a required field within each <component> element. 
@@ -1926,14 +1926,14 @@ For example: Command Prompt settings ``` -## <environment> +## <environment> -The <environment> element is a container for <variable> elements in which you can define variables to use in your .xml file. All environment variables defined this way will be private. That is, they will be available only for their child components and the component in which they were defined. For two example scenarios, see [Examples](#EnvEx). +The <environment> element is a container for <variable> elements in which you can define variables to use in your .xml file. All environment variables defined this way will be private. That is, they will be available only for their child components and the component in which they were defined. For two example scenarios, see [Examples](#envex). - **Number of occurrences:** unlimited -- **Parent elements:**[<role>](#role), [<component>](#component), [<namedElements>](#namedElements) +- **Parent elements:**[<role>](#role), [<component>](#component), [<namedElements>](#namedelements) - **Required child elements:**[<variable>](#variable) @@ -1982,7 +1982,7 @@ Syntax:   -## +## ### Example scenario 1 @@ -1997,7 +1997,7 @@ In this scenario, you want to generate the location of objects at run time depen ``` -Then you can use an include rule as follows. You can use any of the [<script> functions](#ScriptFunctions) to perform similar tasks. +Then you can use an include rule as follows. You can use any of the [<script> functions](#scriptfunctions) to perform similar tasks. ``` syntax @@ -2063,7 +2063,7 @@ Then, you can specify the variable in an <include> rule as follows: ``` -## <exclude> +## <exclude> The <exclude> element determines what objects will not be migrated, unless there is a more specific <include> element that migrates an object. If there is an <include> and <exclude> element for the same object, the object will be included. For each <exclude> element there can be multiple child <objectSet> elements. 
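Review bot: the heading at @@ -1982 is empty both before and after the change (`-## ` / `+## `), while the `<environment>` description in the @@ -1926 hunk now links to `[Examples](#envex)`; an empty heading renders as a blank header, and with generated slugs there is no heading text from which `#envex` could be derived, so the link has nothing to land on. Give the heading its text, `## Examples`, so the slug exists, or drop the empty heading and point the link at the `### Example scenario 1` section instead.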
@@ -2072,9 +2072,9 @@ The <exclude> element determines what objects will not be migrated, unless - **Parent elements:**[<rules>](#rules) -- **Child elements:**[<objectSet>](#objectSet) +- **Child elements:**[<objectSet>](#objectset) -- **Helper functions:** You can use the following [<exclude> filter functions](#PersistFilterFunctions) with this element: CompareStringContent, IgnoreIrrelevantLinks, AnswerNo, NeverRestore, and SameRegContent. +- **Helper functions:** You can use the following [<exclude> filter functions](#persistfilterfunctions) with this element: CompareStringContent, IgnoreIrrelevantLinks, AnswerNo, NeverRestore, and SameRegContent. Syntax: @@ -2120,7 +2120,7 @@ For example, from the MigUser.xml file: ``` -## <excludeAttributes> +## <excludeAttributes> You can use the <excludeAttributes> element to determine which parameters associated with an object will not be migrated. If there are conflicts between the <includeAttributes> and <excludeAttributes> elements, the most specific pattern determines the patterns that will not be migrated. If an object does not have an <includeAttributes> or <excludeAttributes> element, then all of its parameters will be migrated. @@ -2129,7 +2129,7 @@ You can use the <excludeAttributes> element to determine which parameters - **Parent elements:**[<rules>](#rules) -- **Child elements:**[<objectSet>](#objectSet) +- **Child elements:**[<objectSet>](#objectset) Syntax: @@ -2216,7 +2216,7 @@ Example: ``` -## <extensions> +## <extensions> The <extensions> element is a container for one or more <extension> elements. @@ -2233,7 +2233,7 @@ Syntax: </extensions> -## <extension> +## <extension> You can use the <extension> element to specify documents of a specific extension. 
@@ -2290,9 +2290,9 @@ is the same as specifying the following code below the <rules> element: ``` -For another example of how to use the <extension> element, see the example for [<excludeAttributes>](#excludeAttributes). +For another example of how to use the <extension> element, see the example for [<excludeAttributes>](#excludeattributes). -## <externalProcess> +## <externalProcess> You can use the <externalProcess> element to run a command line during the migration process. For example, you may want to run a command after the LoadState process completes. @@ -2301,7 +2301,7 @@ You can use the <externalProcess> element to run a command line during the - **Parent elements:**[<rules>](#rules) -- **Required child elements:**[<commandLine>](#commandLine) +- **Required child elements:**[<commandLine>](#commandline) Syntax: @@ -2341,14 +2341,14 @@ Syntax:   -For an example of how to use the <externalProcess> element, see the example for [<excludeAttributes>](#excludeAttributes). +For an example of how to use the <externalProcess> element, see the example for [<excludeAttributes>](#excludeattributes). -## <icon> +## <icon> This is an internal USMT element. Do not use this element. -## <include> +## <include> The <include> element determines what to migrate, unless there is a more specific [<exclude>](#exclude) rule. You can specify a script to be more specific to extend the definition of what you want to collect. For each <include> element there can be multiple <objectSet> elements. 
@@ -2357,9 +2357,9 @@ The <include> element determines what to migrate, unless there is a more s - **Parent elements:**[<rules>](#rules) -- **Required child element:**[<objectSet>](#objectSet) +- **Required child element:**[<objectSet>](#objectset) -- **Helper functions:** You can use the following [<include> filter functions](#PersistFilterFunctions) with this element: CompareStringContent, IgnoreIrrelevantLinks, AnswerNo, and NeverRestore. +- **Helper functions:** You can use the following [<include> filter functions](#persistfilterfunctions) with this element: CompareStringContent, IgnoreIrrelevantLinks, AnswerNo, and NeverRestore. Syntax: @@ -2423,7 +2423,7 @@ The following example is from the MigUser.xml file: ``` -### <include> and <exclude> filter functions +### <include> and <exclude> filter functions The following functions return a Boolean value. You can use them to migrate certain objects based on when certain conditions are met. @@ -2502,7 +2502,7 @@ The following functions return a Boolean value. You can use them to migrate cert ``` -## <includeAttributes> +## <includeAttributes> You can use the <includeAttributes> element to determine whether certain parameters associated with an object will be migrated along with the object itself. If there are conflicts between the <includeAttributes> and <excludeAttributes> elements, the most specific pattern will determine which parameters will be migrated. If an object does not have an <includeAttributes> or <excludeAttributes> element, then all of its parameters will be migrated. @@ -2511,7 +2511,7 @@ You can use the <includeAttributes> element to determine whether certain p - **Parent elements:**[<rules>](#rules) -- **Child elements:**[<objectSet>](#objectSet) +- **Child elements:**[<objectSet>](#objectset) Syntax: 
@@ -2558,14 +2558,14 @@ Syntax:   -For an example of how to use the <includeAttributes> element, see the example for [<excludeAttributes>](#excludeAttributes). +For an example of how to use the <includeAttributes> element, see the example for [<excludeAttributes>](#excludeattributes). -## <library> +## <library> This is an internal USMT element. Do not use this element. -## <location> +## <location> The <location> element defines the location of the <object> element. @@ -2626,7 +2626,7 @@ The following example is from the MigApp.xml file: ``` -## <locationModify> +## <locationModify> You can use the <locationModify> element to change the location and name of an object before it is migrated to the destination computer. The <locationModify> element is processed only when the LoadState tool is run on the destination computer. In other words, this element is ignored by the ScanState tool. The <locationModify> element will create the appropriate folder on the destination computer if it does not already exist. @@ -2635,9 +2635,9 @@ You can use the <locationModify> element to change the location and name o - **Parent elements:**[<rules>](#rules) -- **Required child element:**[<objectSet>](#objectSet) +- **Required child element:**[<objectSet>](#objectset) -- **Helper functions:** You can use the following [<locationModify> functions](#LocationModifyFunctions) with this element: ExactMove, RelativeMove, and Move. +- **Helper functions:** You can use the following [<locationModify> functions](#locationmodifyfunctions) with this element: ExactMove, RelativeMove, and Move. Syntax: 
@@ -2680,7 +2680,7 @@ The following example is from the MigApp.xml file: ``` -### <locationModify> functions +### <locationModify> functions The following functions change the location of objects as they are migrated when using the <locationModify> element. These functions are called for every object that the parent <ObjectSet> element is enumerating. The <locationModify> element will create the appropriate folder on the destination computer if it does not already exist. @@ -2804,12 +2804,12 @@ The following functions change the location of objects as they are migrated when ``` -## <\_locDefinition> +## <\_locDefinition> This is an internal USMT element. Do not use this element. -## <manufacturer> +## <manufacturer> The <manufacturer> element defines the manufacturer for the component, but does not affect the migration. @@ -2848,7 +2848,7 @@ Syntax:   -## <merge> +## <merge> The <merge> element determines what will happen when a collision occurs. A collision is when an object that is migrated is already present on the destination computer. If you do not specify this element, the default behavior for the registry is for the source object to overwrite the destination object. The default behavior for files is for the source file to be renamed to "OriginalFileName(1).OriginalExtension". This element specifies only what should be done when a collision occurs. It does not include objects. Therefore, for your objects to migrate, you must specify <include> rules along with the <merge> element. When an object is processed and a collision is detected, USMT will select the most specific merge rule and apply it to resolve the conflict. For example, if you have a <merge> rule C:\\\* \[\*\] set to <sourcePriority> and a <merge> rule C:\\subfolder\\\* \[\*\] set to <destinationPriority>, then USMT would use the <destinationPriority> rule because it is the more specific. 
@@ -2859,9 +2859,9 @@ For an example of this element, see [Conflicts and Precedence](conflicts-and-pre - **Parent elements:**[<rules>](#rules) -- **Required child element:**[<objectSet>](#objectSet) +- **Required child element:**[<objectSet>](#objectset) -- **Helper functions:** You can use the following [<merge> functions](#MergeFunctions) with this element: SourcePriority, DestinationPriority, FindFilePlaceByPattern, LeafPattern, NewestVersion, HigherValue(), and LowerValue(). +- **Helper functions:** You can use the following [<merge> functions](#mergefunctions) with this element: SourcePriority, DestinationPriority, FindFilePlaceByPattern, LeafPattern, NewestVersion, HigherValue(), and LowerValue(). Syntax: @@ -2911,7 +2911,7 @@ The following example is from the MigUser.xml file: ``` -### <merge> functions +### <merge> functions These functions control how collisions are resolved. @@ -3020,7 +3020,7 @@ These functions control how collisions are resolved. ``` -## <migration> +## <migration> The <migration> element is the single root element of a migration .xml file and is required. Each .xml file must have a unique migration urlid. The urlid of each file that you specify on the command line must be unique. This is because USMT uses the urlid to define the components within the file. For example, you must specify the following at the beginning of each file: <CustomFileName> is the name of the file; for example, "CustomApp". @@ -3031,7 +3031,7 @@ The <migration> element is the single root element of a migration .xml fil - **Required child elements:**[<component>](#component) -- **Optional child elements:**[<library>](#library), [<namedElements>](#namedElements) +- **Optional child elements:**[<library>](#library), [<namedElements>](#namedelements) Syntax: 
@@ -3127,7 +3127,7 @@ This filter helper function can be used to filter the migration of files based o ``` -## <namedElements> +## <namedElements> You can use the **<namedElements>** element to define named elements. You can use these elements in any component throughout your .xml file. For an example of how to use this element, see the MigApp.xml file. @@ -3142,18 +3142,18 @@ Syntax: - **Parent elements:**[<migration>](#migration) -- **Child elements:**[<environment>](#BKMK_environment), [<rules>](#rules), [<conditions>](#conditions), [<detection>](#detection), <detects>, <detect> +- **Child elements:**[<environment>](#bkmk-environment), [<rules>](#rules), [<conditions>](#conditions), [<detection>](#detection), <detects>, <detect> For an example of this element, see the MigApp.xml file. -## <object> +## <object> The <object> element represents a file or registry key. - **Number of occurrences:** Unlimited -- **Parent elements:**[<addObjects>](#addObjects) +- **Parent elements:**[<addObjects>](#addobjects) - **Required child elements:**[<location>](#location), [<attributes>](#attribute) 
@@ -3182,14 +3182,14 @@ The following example is from the MigApp.xml file: ``` -## <objectSet> +## <objectSet> The <objectSet> element contains a list of object patterns ; for example, file paths, registry locations, and so on. Any child <conditions> elements will be evaluated first. If all child <conditions> elements return FALSE, the <objectSet> element will evaluate to an empty set. For each parent element, there can be only multiple <objectSet> elements. - **Number of occurrences:** Unlimited -- **Parent elements:**[<variable>](#variable), [<content>](#content), [<include>](#include), [<exclude>](#exclude), [<merge>](#merge), [<contentModify>](#contentModify), [<locationModify>](#locationModify), [<destinationCleanup>](#destinationCleanup), [<includeAttributes>](#includeAttributes), [<excludeAttributes>](#excludeAttributes), [<unconditionalExclude>](#unconditionalExclude), <detect> +- **Parent elements:**[<variable>](#variable), [<content>](#content), [<include>](#include), [<exclude>](#exclude), [<merge>](#merge), [<contentModify>](#contentmodify), [<locationModify>](#locationmodify), [<destinationCleanup>](#destinationcleanup), [<includeAttributes>](#includeattributes), [<excludeAttributes>](#excludeattributes), [<unconditionalExclude>](#unconditionalexclude), <detect> - **Required child elements:** either [<script>](#script) or [<pattern>](#pattern) 
@@ -3231,17 +3231,17 @@ The following example is from the MigUser.xml file: ``` -## <path> +## <path> This is an internal USMT element. Do not use this element. -## <paths> +## <paths> This is an internal USMT element. Do not use this element. -## <pattern> +## <pattern> You can use this element to specify multiple objects. You can specify multiple <pattern> elements for each <objectSet> element and they will be combined. If you are specifying files, you may want to use GenerateDrivePatterns with <script> instead. GenerateDrivePatterns is basically the same as a <pattern> rule, without the drive letter specification. For example, the following two lines of code are similar: @@ -3253,7 +3253,7 @@ You can use this element to specify multiple objects. You can specify multiple & - **Number of occurrences:** Unlimited -- **Parent elements:**[<objectSet>](#objectSet) +- **Parent elements:**[<objectSet>](#objectset) - **Child elements:** none but *Path* \[*object*\] must be valid. @@ -3338,7 +3338,7 @@ For example: - For more examples of how to use this element, see [Exclude Files and Settings](exclude-files-and-settings-usmt.md), [Reroute Files and Settings](reroute-files-and-settings-usmt.md), [Include Files and Settings](include-files-and-settings-usmt.md), and [Custom XML Examples](custom-xml-examples-usmt-win7-usmt-win8.md). -## <processing> +## <processing> You can use this element to run a script during a specific point within the migration process. Return values are not expected from the scripts that you specify, and if there are return values, they will be ignored. @@ -3387,12 +3387,12 @@ Syntax:   -## <plugin> +## <plugin> This is an internal USMT element. Do not use this element. -## <role> +## <role> The <role> element is required in a custom .xml file. By specifying the <role> element, you can create a concrete component. The component will be defined by the parameters specified at the <component> level, and with the role that you specify here. 
@@ -3403,7 +3403,7 @@ The <role> element is required in a custom .xml file. By specifying the &l - **Required child elements:**[<rules>](#rules) -- **Optional child elements:**[<environment>](#BKMK_environment), [<detection>](#detection), [<component>](#component), [<role>](#role), <detects>, <plugin>, +- **Optional child elements:**[<environment>](#bkmk-environment), [<detection>](#detection), [<component>](#component), [<role>](#role), <detects>, <plugin>, Syntax: 
@@ -3487,18 +3487,18 @@ The following example is from the MigUser.xml file. For more examples, see the M ``` -## <rules> +## <rules> The <rules> element is required in a custom .xml file. This element contains rules that will run during the migration if the parent <component> element is selected, unless the child <conditions> element, if present, evaluates to FALSE. For each <rules> element there can be multiple child <rules> elements. - **Number of occurrences:** unlimited -- **Parent elements:**[<role>](#role), [<rules>](#rules), [<namedElements>](#namedElements) +- **Parent elements:**[<role>](#role), [<rules>](#rules), [<namedElements>](#namedelements) - **Required child elements:**[<include>](#include) -- **Optional child elements:**[<rules>](#rules), [<exclude>](#exclude), [<unconditionalExclude>](#unconditionalExclude),[<merge>](#merge), [<contentModify>](#contentModify), [<locationModify>](#locationModify), [<destinationCleanup>](#destinationCleanup), [<addObjects>](#addObjects), [<externalProcess>](#externalProcess), [<processing>](#processing), [<includeAttributes>](#includeAttributes), [<excludeAttributes>](#excludeAttributes), [conditions](#conditions), <detects> +- **Optional child elements:**[<rules>](#rules), [<exclude>](#exclude), [<unconditionalExclude>](#unconditionalexclude),[<merge>](#merge), [<contentModify>](#contentmodify), [<locationModify>](#locationmodify), [<destinationCleanup>](#destinationcleanup), [<addObjects>](#addobjects), [<externalProcess>](#externalprocess), [<processing>](#processing), [<includeAttributes>](#includeattributes), [<excludeAttributes>](#excludeattributes), [conditions](#conditions), <detects> Syntax: 
@@ -3573,14 +3573,14 @@ The following example is from the MigUser.xml file: ``` -## <script> +## <script> The return value that is required by <script> depends on the parent element. -**Number of occurrences:** Once for [<variable>](#variable), unlimited for [<objectSet>](#objectSet) and [<processing>](#processing) +**Number of occurrences:** Once for [<variable>](#variable), unlimited for [<objectSet>](#objectset) and [<processing>](#processing) -**Parent elements:**[<objectSet>](#objectSet), [<variable>](#variable), [<processing>](#processing) +**Parent elements:**[<objectSet>](#objectset), [<variable>](#variable), [<processing>](#processing) **Child elements:** none 
@@ -3588,25 +3588,25 @@ The return value that is required by <script> depends on the parent elemen - General Syntax: <script>*ScriptWithArguments*</script> -- You can use [GetStringContent](#ScriptFunctions) when <script> is within <variable>. +- You can use [GetStringContent](#scriptfunctions) when <script> is within <variable>. Syntax: <script>MigXmlHelper.GetStringContent("*ObjectType*","*EncodedLocationPattern*", "*ExpandContent*")</script> Example:` ` -- You can use [GenerateUserPatterns](#ScriptFunctions) when <script> is within <objectSet>. +- You can use [GenerateUserPatterns](#scriptfunctions) when <script> is within <objectSet>. Syntax: <script>MigXmlHelper.GenerateUserPatterns("*ObjectType*","*EncodedLocationPattern*","*ProcessCurrentUser*")</script> Example: `` -- You can use [GenerateDrivePatterns](#ScriptFunctions) when <script> is within <objectSet>. +- You can use [GenerateDrivePatterns](#scriptfunctions) when <script> is within <objectSet>. Syntax: <script>MigXmlHelper.GenerateDrivePatterns("*PatternSegment*","*DriveType*")</script> Example: `` -- You can use the [Simple executing scripts](#ScriptFunctions) with <script> elements that are within <processing> elements: AskForLogoff, ConvertToShortFileName, KillExplorer, RemoveEmptyDirectories, RestartExplorer, RegisterFonts, StartService, StopService, SyncSCM. +- You can use the [Simple executing scripts](#scriptfunctions) with <script> elements that are within <processing> elements: AskForLogoff, ConvertToShortFileName, KillExplorer, RemoveEmptyDirectories, RestartExplorer, RegisterFonts, StartService, StopService, SyncSCM. Syntax: <script>MigXmlHelper.*ExecutingScript*</script> 
@@ -3660,15 +3660,15 @@ To migrate the Sample.doc file from any drive on the source computer, use <sc For more examples of how to use this element, see [Exclude Files and Settings](exclude-files-and-settings-usmt.md), [Reroute Files and Settings](reroute-files-and-settings-usmt.md), and [Custom XML Examples](custom-xml-examples-usmt-win7-usmt-win8.md). -### <script> functions +### <script> functions You can use the following functions with the <script> element -- [String and pattern generating functions](#StringGeneratingFunctions) +- [String and pattern generating functions](#stringgeneratingfunctions) -- [Simple executing scripts](#Simple) +- [Simple executing scripts](#simple) -### String and pattern generating functions +### String and pattern generating functions These functions return either a string or a pattern. 
@@ -3726,7 +3726,7 @@ These functions return either a string or a pattern. - **GenerateDrivePatterns** - The GenerateDrivePatterns function will iterate all of the available drives and select the ones that match the requested drive type. It will then concatenate the selected drives with the end part of *PatternSegment* to form a full encoded file pattern. For example, if *PatternSegment* is `Path [file.txt]` and DriveType is `Fixed`, then the function will generate `C:\Path [file.txt]`, and other patterns if there are fixed drives other than C:. You cannot specify environment variables with this function. You can use GenerateDrivePatterns with <script> elements that are within [<objectSet>](#objectSet) that are within <include>/<exclude>. + The GenerateDrivePatterns function will iterate all of the available drives and select the ones that match the requested drive type. It will then concatenate the selected drives with the end part of *PatternSegment* to form a full encoded file pattern. For example, if *PatternSegment* is `Path [file.txt]` and DriveType is `Fixed`, then the function will generate `C:\Path [file.txt]`, and other patterns if there are fixed drives other than C:. You cannot specify environment variables with this function. You can use GenerateDrivePatterns with <script> elements that are within [<objectSet>](#objectset) that are within <include>/<exclude>. Syntax: GenerateDrivePatterns("*PatternSegment*","*DriveType*") @@ -3905,7 +3905,7 @@ This helper function invokes the document finder to scan the system for all file   ``` -### Simple executing scripts +### Simple executing scripts The following scripts have no return value. You can use the following errors with <script> elements that are within <processing> elements 
@@ -3951,7 +3951,7 @@ The following scripts have no return value. You can use the following errors wit - **SyncSCM(ServiceShortName).** Reads the Start type value from the registry (HKLM\\System\\CurrentControlSet\\Services\\ServiceShortName \[Start\]) after it is changed by the migration engine, and then synchronizes Service Control Manager (SCM) with the new value. -## <text> +## <text> You can use the <text> element to set a value for any environment variables that are inside one of the migration .xml files. @@ -3995,7 +3995,7 @@ For example: ``` -## <unconditionalExclude> +## <unconditionalExclude> The <unconditionalExclude> element excludes the specified files and registry values from the migration, regardless of the other include rules in any of the migration .xml files or in the Config.xml file. The objects declared here will not be migrated because this element takes precedence over all other rules. For example, even if there are explicit <include> rules to include .mp3 files, if you specify to exclude them with this option, then they will not be migrated. @@ -4006,7 +4006,7 @@ Use this element if you want to exclude all .mp3 files from the source computer. - **Parent elements:**[<rules>](#rules) -- **Child elements:**[<objectSet>](#objectSet) +- **Child elements:**[<objectSet>](#objectset) Syntax: @@ -4031,7 +4031,7 @@ The following .xml file excludes all .mp3 files from migration. For additional e ``` -## <variable> +## <variable> The <variable> element is required in an <environment> element. For each <variable> element there must be one <objectSet>, <script>, or <text> element. The content of the <variable> element assigns a text value to the environment variable. This element has the following three options: 
@@ -4044,9 +4044,9 @@ The <variable> element is required in an <environment> element. For - **Number of occurrences:** Unlimited -- **Parent elements:**[<environment>](#BKMK_environment) +- **Parent elements:**[<environment>](#bkmk-environment) -- **Required child elements:** either [<text>](#text), or [<script>](#script), or [<objectSet>](#objectSet) +- **Required child elements:** either [<text>](#text), or [<script>](#script), or [<objectSet>](#objectset) Syntax: @@ -4096,7 +4096,7 @@ The following example is from the MigApp.xml file: ``` -## <version> +## <version> The <version> element defines the version for the component, but does not affect the migration. @@ -4141,7 +4141,7 @@ For example: 4.* ``` -## <windowsObjects> +## <windowsObjects> The <windowsObjects> element is for USMT internal use only. Do not use this element. @@ -4149,7 +4149,7 @@ The <windowsObjects> element is for USMT internal use only. Do not use thi ## Appendix -### Specifying locations +### Specifying locations - **Specifying encoded locations**. The encoded location used in all of the helper functions is an unambiguous string representation for the name of an object. It is composed of the node part, optionally followed by the leaf enclosed in square brackets. This makes a clear distinction between nodes and leaves. @@ -4161,7 +4161,7 @@ The <windowsObjects> element is for USMT internal use only. Do not use thi For example, the pattern `c:\Windows\*` will match the Windows directory and all subdirectories. But it will not match any of the files in those directories. To match the files as well, you must specify `c:\Windows\*[*]`. -### Internal USMT functions +### Internal USMT functions The following functions are for internal USMT use only. Do not use them in an .xml file. 
@@ -4191,7 +4191,7 @@ The following functions are for internal USMT use only. Do not use them in an .x - SetPstPathInMapiStruc -### Valid version tags +### Valid version tags You can use the following version tags with various helper functions: diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index cdc1f32fc1..511d7736e5 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -1,4 +1,4 @@ -# [Keep Windows 10 secure](index.md) +# [Keep Windows 10 secure] ## [Change history for Keep Windows 10 secure](change-history-for-keep-windows-10-secure.md) ## [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-an-enterprise.md) ## [Device Guard certification and compliance](device-guard-certification-and-compliance.md) diff --git a/windows/keep-secure/access-credential-manager-as-a-trusted-caller.md b/windows/keep-secure/access-credential-manager-as-a-trusted-caller.md index a9badbf0b3..a08cdbd7f2 100644 --- a/windows/keep-secure/access-credential-manager-as-a-trusted-caller.md +++ b/windows/keep-secure/access-credential-manager-as-a-trusted-caller.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management, and security considerations for the **Access Credential Manager as a trusted caller** security policy setting. diff --git a/windows/keep-secure/access-this-computer-from-the-network.md b/windows/keep-secure/access-this-computer-from-the-network.md index 76d64b555f..5949a109ca 100644 --- a/windows/keep-secure/access-this-computer-from-the-network.md +++ b/windows/keep-secure/access-this-computer-from-the-network.md 
@@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management, and security considerations for the **Access this computer from the network** security policy setting. diff --git a/windows/keep-secure/account-lockout-duration.md b/windows/keep-secure/account-lockout-duration.md index 270cbe5e40..173dbb051d 100644 --- a/windows/keep-secure/account-lockout-duration.md +++ b/windows/keep-secure/account-lockout-duration.md @@ -18,8 +18,8 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, and security considerations for the **Account lockout duration** security policy setting. diff --git a/windows/keep-secure/account-lockout-threshold.md b/windows/keep-secure/account-lockout-threshold.md index 7fbc7b7087..e045e25829 100644 --- a/windows/keep-secure/account-lockout-threshold.md +++ b/windows/keep-secure/account-lockout-threshold.md @@ -18,8 +18,8 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, and security considerations for the **Account lockout threshold** security policy setting. 
@@ -42,14 +42,14 @@ It is possible to configure the following values for the **Account lockout thres - Not defined -Because vulnerabilities can exist when this value is configured and when it is not, organizations should weigh their identified threats and the risks that they are trying to mitigate. For information these settings, see [Countermeasure](#BKMK_Countermeasure) in this topic +Because vulnerabilities can exist when this value is configured and when it is not, organizations should weigh their identified threats and the risks that they are trying to mitigate. For information these settings, see [Countermeasure](#bkmk-countermeasure) in this topic ### Best practices The threshold that you select is a balance between operational efficiency and security, and it depends on your organization's risk level. To allow for user error and to thwart brute force attacks, a setting above 4 and below 10 could be an acceptable starting point for your organization. **Important**   -Implementation of this policy setting is dependent on your operational environment; threat vectors, deployed operating systems, and deployed apps. For more information, see [Implementation considerations](#BKMK_ImpleConsiderations) in this topic. +Implementation of this policy setting is dependent on your operational environment; threat vectors, deployed operating systems, and deployed apps. For more information, see [Implementation considerations](#bkmk-impleconsiderations) in this topic.   @@ -110,7 +110,7 @@ This section describes features and tools that are available to help you manage None. Changes to this policy setting become effective without a computer restart when they are saved locally or distributed through Group Policy. -### Implementation considerations +### Implementation considerations Implementation of this policy setting is dependent on your operational environment. You should consider threat vectors, deployed operating systems, and deployed apps, for example: 
@@ -136,7 +136,7 @@ Offline password attacks are not countered by this policy setting.   -### Countermeasure +### Countermeasure Because vulnerabilities can exist when this value is configured and when it is not configured, two distinct countermeasures are defined. Organizations should weigh the choice between the two, based on their identified threats and the risks that they want to mitigate. The two countermeasure options are: diff --git a/windows/keep-secure/accounts-administrator-account-status.md b/windows/keep-secure/accounts-administrator-account-status.md index 3a6c635e98..af54566272 100644 --- a/windows/keep-secure/accounts-administrator-account-status.md +++ b/windows/keep-secure/accounts-administrator-account-status.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, and security considerations for the **Accounts: Administrator account status** security policy setting. diff --git a/windows/keep-secure/accounts-block-microsoft-accounts.md b/windows/keep-secure/accounts-block-microsoft-accounts.md index bf85474e4d..038268f183 100644 --- a/windows/keep-secure/accounts-block-microsoft-accounts.md +++ b/windows/keep-secure/accounts-block-microsoft-accounts.md 
@@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, management, and security considerations for the **Accounts: Block Microsoft accounts** security policy setting. diff --git a/windows/keep-secure/accounts-guest-account-status.md b/windows/keep-secure/accounts-guest-account-status.md index f9f6e0cbec..a3ff8c451a 100644 --- a/windows/keep-secure/accounts-guest-account-status.md +++ b/windows/keep-secure/accounts-guest-account-status.md @@ -18,8 +18,8 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, and security considerations for the **Accounts: Guest account status** security policy setting. diff --git a/windows/keep-secure/accounts-rename-administrator-account.md b/windows/keep-secure/accounts-rename-administrator-account.md index 56a28f1a14..11090216e9 100644 --- a/windows/keep-secure/accounts-rename-administrator-account.md +++ b/windows/keep-secure/accounts-rename-administrator-account.md 
@@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) This security policy reference topic for the IT professional describes the best practices, location, values, and security considerations for this policy setting. diff --git a/windows/keep-secure/accounts-rename-guest-account.md b/windows/keep-secure/accounts-rename-guest-account.md index 6d3d3224cd..5cf5dbabbc 100644 --- a/windows/keep-secure/accounts-rename-guest-account.md +++ b/windows/keep-secure/accounts-rename-guest-account.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, and security considerations for the **Accounts: Rename guest account** security policy setting. diff --git a/windows/keep-secure/act-as-part-of-the-operating-system.md b/windows/keep-secure/act-as-part-of-the-operating-system.md index fd9d165415..1d5c561158 100644 --- a/windows/keep-secure/act-as-part-of-the-operating-system.md +++ b/windows/keep-secure/act-as-part-of-the-operating-system.md 
@@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management, and security considerations for the **Act as part of the operating system** security policy setting. diff --git a/windows/keep-secure/add-workstations-to-domain.md b/windows/keep-secure/add-workstations-to-domain.md index 44bdff59e1..10b7e6e407 100644 --- a/windows/keep-secure/add-workstations-to-domain.md +++ b/windows/keep-secure/add-workstations-to-domain.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management and security considerations for the **Add workstations to domain** security policy setting. diff --git a/windows/keep-secure/adjust-memory-quotas-for-a-process.md b/windows/keep-secure/adjust-memory-quotas-for-a-process.md index 88277b2975..69e6d57cdd 100644 --- a/windows/keep-secure/adjust-memory-quotas-for-a-process.md +++ b/windows/keep-secure/adjust-memory-quotas-for-a-process.md 
@@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management, and security considerations for the **Adjust memory quotas for a process** security policy setting. diff --git a/windows/keep-secure/administer-applocker.md b/windows/keep-secure/administer-applocker.md index f44808d4fa..f2aa9aa68d 100644 --- a/windows/keep-secure/administer-applocker.md +++ b/windows/keep-secure/administer-applocker.md @@ -100,7 +100,7 @@ For more info about enhanced capabilities of AppLocker to control Windows apps,   -## Using the MMC snap-ins to administer AppLocker +## Using the MMC snap-ins to administer AppLocker You can administer AppLocker policies by using the Group Policy Management Console to create or edit a Group Policy Object (GPO), or to create or edit an AppLocker policy on a local computer by using the Local Group Policy Editor snap-in or the Local Security Policy snap-in (secpol.msc). diff --git a/windows/keep-secure/administer-security-policy-settings.md b/windows/keep-secure/administer-security-policy-settings.md index 5ac2f19ae7..8bbd2771c1 100644 --- a/windows/keep-secure/administer-security-policy-settings.md +++ b/windows/keep-secure/administer-security-policy-settings.md 
@@ -17,13 +17,13 @@ author: brianlic-msft **In this article** -- [What’s changed in how settings are administered?](#what_s_changed_in_how_settings_are_administered_) -- [Using the Local Security Policy snap-in](#BKMK_SecPol) -- [Using the secedit command-line tool](#BKMK_Secedit) -- [Using the Security Compliance Manager](#BKMK_SCM) -- [Using the Security Configuration Wizard](#BKMK_SCW) -- [Working with the Security Configuration Manager](#BKMK_SCMtool) -- [Working with Group Policy tools](#BKMK_GroupPolicy) +- [What’s changed in how settings are administered?](#what-s-changed-in-how-settings-are-administered-) +- [Using the Local Security Policy snap-in](#bkmk-secpol) +- [Using the secedit command-line tool](#bkmk-secedit) +- [Using the Security Compliance Manager](#bkmk-scm) +- [Using the Security Configuration Wizard](#bkmk-scw) +- [Working with the Security Configuration Manager](#bkmk-scmtool) +- [Working with Group Policy tools](#bkmk-grouppolicy) This article discusses different methods to administer security policy settings on a local device or throughout a small- or medium-sized organization. @@ -49,7 +49,7 @@ To manage security configurations for multiple computers, you can use one of the - Use the Security Templates snap-in to create a security template that contains the security policies you want to apply, and then import the security template into a Group Policy Object. A security template is a file that represents a security configuration, and it can be imported to a GPO, or applied to a local device, or it can be used to analyze security. -## What’s changed in how settings are administered? +## What’s changed in how settings are administered? Over time, new ways to manage security policy settings have been introduced, which include new operating system features and the addition of new settings. The following table lists different means by which security policy settings can be administered. 
@@ -67,31 +67,31 @@ Over time, new ways to manage security policy settings have been introduced, whi -

[Security Policy snap-in](#BKMK_SecPol)

+

[Security Policy snap-in](#bkmk-secpol)

Secpol.msc

MMC snap-in designed to manage only security policy settings.

-

[Security editor command line tool](#BKMK_Secedit)

+

[Security editor command line tool](#bkmk-secedit)

Secedit.exe

Configures and analyzes system security by comparing your current configuration to specified security templates.

-

[Security Compliance Manager](#BKMK_SCM)

+

[Security Compliance Manager](#bkmk-scm)

Tool download

A Solution Accelerator that helps you plan, deploy, operate, and manage your security baselines for Windows client and server operating systems, and Microsoft applications.

-

[Security Configuration Wizard](#BKMK_SCW)

+

[Security Configuration Wizard](#bkmk-scw)

Scw.exe

SCW is a role-based tool available on servers only: You can use it to create a policy that enables services, firewall rules, and settings that are required for a selected server to perform specific roles.

-

[Security Configuration Manager tool](#BKMK_SCMtool)

+

[Security Configuration Manager tool](#bkmk-scmtool)

This tool set allows you to create, apply, and edit the security for your local device, organizational unit, or domain.

-

[Group Policy](#BKMK_GroupPolicy)

+

[Group Policy](#bkmk-grouppolicy)

Gpmc.msc and Gpedit.msc

The Group Policy Management Console uses the Group Policy Object editor to expose the local Security options, which can then be incorporated into Group Policy Objects for distribution throughout the domain. The Local Group Policy Editor performs similar functions on the local device.

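Review bot: the six table rows in this hunk change their link targets from `#BKMK_SecPol`, `#BKMK_Secedit`, `#BKMK_SCM`, `#BKMK_SCW`, `#BKMK_SCMtool` and `#BKMK_GroupPolicy` to the lower-case hyphenated form, but the accompanying `-` and `+` row lines carry no visible content, so whatever table markup changed alongside the links is not reviewable here. Nothing in this hunk defines the new ids on the headings they point to, so please confirm each of the six targets resolves after the build; a stale `BKMK_` reference anywhere else in the file would now be a silent broken link.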
@@ -112,7 +112,7 @@ Over time, new ways to manage security policy settings have been introduced, whi   -## Using the Local Security Policy snap-in +## Using the Local Security Policy snap-in The Local Security Policy snap-in (Secpol.msc) restricts the view of local policy objects to the following policies and features: @@ -137,9 +137,9 @@ The Local Security Policy snap-in (Secpol.msc) restricts the view of local polic Policies set locally might be overwritten if the computer is joined to the domain. -The Local Security Policy snap-in is part of the Security Configuration Manager tool set. For info about other tools in this tool set, see [Working with the Security Configuration Manager](#BKMK_SCMtool) in this topic. +The Local Security Policy snap-in is part of the Security Configuration Manager tool set. For info about other tools in this tool set, see [Working with the Security Configuration Manager](#bkmk-scmtool) in this topic. -## Using the secedit command-line tool +## Using the secedit command-line tool The secedit command-line tool works with security templates and provides six primary functions: 
@@ -156,7 +156,7 @@ The secedit command-line tool works with security templates and provides six pri - The **Generate Rollback** parameter saves the server’s current security settings into a security template so it can be used to restore most of the server’s security settings to a known state. The exceptions are that, when applied, the rollback template will not change access control list entries on files or registry entries that were changed by the most recently applied template. -## Using the Security Compliance Manager +## Using the Security Compliance Manager The Security Compliance Manager is a downloadable tool that helps you plan, deploy, operate, and manage your security baselines for Windows client and server operating systems, and for Microsoft applications. It contains a complete database of recommended security settings, methods to customize your baselines, and the option to implement those settings in multiple formats—including XLS, GPOs, Desired Configuration Management (DCM) packs, or Security Content Automation Protocol (SCAP). The Security Compliance Manager is used to export the baselines to your environment to automate the security baseline deployment and compliance verification process. 
@@ -171,7 +171,7 @@ The Security Compliance Manager is a downloadable tool that helps you plan, depl 4. Open the Help and follow instructions how to customize, compare, or merge your security baselines before deploying those baselines. -## Using the Security Configuration Wizard +## Using the Security Configuration Wizard The Security Configuration Wizard (SCW) guides you through the process of creating, editing, applying, or rolling back a security policy. A security policy that you create with SCW is an .xml file that, when applied, configures services, network security, specific registry values, and audit policy. SCW is a role-based tool: You can use it to create a policy that enables services, firewall rules, and settings that are required for a selected server to perform specific roles. For example, a server might be a file server, a print server, or a domain controller. @@ -211,7 +211,7 @@ The Security Policy Wizard configures services and network security based on the For more information about SCW, including procedures, see [Security Configuration Wizard](http://technet.microsoft.com/library/cc754997.aspx). -## Working with the Security Configuration Manager +## Working with the Security Configuration Manager The Security Configuration Manager tool set allows you to create, apply, and edit the security for your local device, organizational unit, or domain. @@ -233,19 +233,19 @@ The following table lists the features of the Security Configuration Manager. -

[Security Configuration and Analysis](#BKMK_SecCfgAna)

+

[Security Configuration and Analysis](#bkmk-seccfgana)

Defines a security policy in a template. These templates can be applied to Group Policy or to your local computer.

-

[Security templates](#BKMK_SecTmpl)

+

[Security templates](#bkmk-sectmpl)

Defines a security policy in a template. These templates can be applied to Group Policy or to your local computer.

-

[Security Settings extension to Group Policy](#BKMK_SecExtensions)

+

[Security Settings extension to Group Policy](#bkmk-secextensions)

Edits individual security settings on a domain, site, or organizational unit.

-

[Local Security Policy](#BKMK_LocalSecPol)

+

[Local Security Policy](#bkmk-localsecpol)

Edits individual security settings on your local computer.

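Review bot: the rows for "Security Configuration and Analysis" and "Security templates" carry the identical description "Defines a security policy in a template. These templates can be applied to Group Policy or to your local computer." The first is a copy-paste error: the section text in the next hunk describes Security Configuration and Analysis as "an MMC snap-in for analyzing and configuring local system security", and that wording should replace the duplicated description while the row is being touched. As with the earlier table, the `-`/`+` row lines show no visible content, so only the four link renames (`#bkmk-seccfgana`, `#bkmk-sectmpl`, `#bkmk-secextensions`, `#bkmk-localsecpol`) can be reviewed from the diff.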
@@ -257,11 +257,11 @@ The following table lists the features of the Security Configuration Manager.   -### Security Configuration and Analysis +### Security Configuration and Analysis Security Configuration and Analysis is an MMC snap-in for analyzing and configuring local system security. -### Security analysis +### Security analysis The state of the operating system and apps on a device is dynamic. For example, you may need to temporarily change security levels so that you can immediately resolve an administration or network issue. However, this change can often go unreversed. This means that a computer may no longer meet the requirements for enterprise security. 
@@ -269,11 +269,11 @@ Regular analysis enables you to track and ensure an adequate level of security o Security Configuration and Analysis enables you to quickly review security analysis results. It presents recommendations alongside of current system settings and uses visual flags or remarks to highlight any areas where the current settings do not match the proposed level of security. Security Configuration and Analysis also offers the ability to resolve any discrepancies that analysis reveals. -### Security configuration +### Security configuration Security Configuration and Analysis can also be used to directly configure local system security. Through its use of personal databases, you can import security templates that have been created with Security Templates and apply these templates to the local computer. This immediately configures the system security with the levels specified in the template. -### Security templates +### Security templates With the Security Templates snap-in for Microsoft Management Console, you can create a security policy for your device or for your network. It is a single point of entry where the full range of system security can be taken into account. The Security Templates snap-in does not introduce new security parameters, it simply organizes all existing security attributes into one place to ease security administration. 
@@ -311,7 +311,7 @@ Security templates can be used to define: Each template is saved as a text-based .inf file. This enables you to copy, paste, import, or export some or all of the template attributes. With the exceptions of Internet Protocol security and public key policies, all security attributes can be contained in a security template. -### Security settings extension to Group Policy +### Security settings extension to Group Policy Organizational units, domains, and sites are linked to Group Policy Objects. The security settings tool allows you change the security configuration of the Group Policy Object, in turn, affecting multiple computers. With security settings, you can modify the security settings of many devices, depending on the Group Policy Object you modify, from just one device joined to a domain. @@ -331,7 +331,7 @@ You can change the security configuration on multiple computers in two ways: - Change a few select settings with security settings. -### Local Security Policy +### Local Security Policy A security policy is a combination of security settings that affect the security on a device. You can use your local security policy to edit account policies and local policies on your local device 
@@ -359,17 +359,17 @@ If you modify the security settings on your local device by using the local secu For procedures on how to use the Security Configuration Manager, see [Security Configuration Manager How To](http://technet.microsoft.com/library/cc784762(WS.10).aspx). This section contains information in this topic about: -- [Applying security settings](#BKMK_ApplySecSettings) +- [Applying security settings](#bkmk-applysecsettings) -- [Importing and exporting security templates](#BKMK_ImpExpSecTmpl) +- [Importing and exporting security templates](#bkmk-impexpsectmpl) -- [Analyzing security and viewing results](#BKMK_AnaSecViewResults) +- [Analyzing security and viewing results](#bkmk-anasecviewresults) -- [Resolving security discrepancies](#BKMK_ResolveSecDiffs) +- [Resolving security discrepancies](#bkmk-resolvesecdiffs) -- [Automating security configuration tasks](#BKMK_AutoSecCfgTasks) +- [Automating security configuration tasks](#bkmk-autoseccfgtasks) -### Applying security settings +### Applying security settings Once you have edited the security settings, the settings are refreshed on the computers in the organizational unit linked to your Group Policy Object: 
@@ -418,13 +418,13 @@ Registry and file settings will maintain the values applied through policy until You can also decide what users or groups will or will not have a Group Policy Object applied to them regardless of what computer they have logged onto by denying them either the Apply Group Policy or Read permission on that Group Policy Object. Both of these permissions are needed to apply Group Policy. -### Importing and exporting security templates +### Importing and exporting security templates Security Configuration and Analysis provides the ability to import and export security templates into or from a database. If you have made any changes to the analysis database, you can save those settings by exporting them into a template. The export feature provides the ability to save the analysis database settings as a new template file. This template file can then be used to analyze or configure a system, or it can be imported to a Group Policy Object. -### Analyzing security and viewing results +### Analyzing security and viewing results Security Configuration and Analysis performs security analysis by comparing the current state of system security against an *analysis database*. During creation, the analysis database uses at least one security template. If you choose to import more than one security template, the database will merge the various templates and create one composite template. It resolves conflicts in order of import; the last template that is imported takes precedence. @@ -472,7 +472,7 @@ If you choose to accept the current settings, the corresponding value in the bas To avoid continued flagging of settings that you have investigated and determined to be reasonable, you can modify the base configuration. The changes are made to a copy of the template. -### Resolving security discrepancies +### Resolving security discrepancies You can resolve discrepancies between analysis database and system settings by: 
@@ -486,13 +486,13 @@ Changes to the analysis database are made to the stored template in the database You should use **Configure Computer Now** only to modify security areas *not* affected by Group Policy settings, such as security on local files and folders, registry keys, and system services. Otherwise, when the Group Policy settings are applied, it will take precedence over local settings—such as account policies. In general, do not use **Configure Computer Now** when you are analyzing security for domain-based clients, since you will have to configure each client individually. In this case, you should return to Security Templates, modify the template, and reapply it to the appropriate Group Policy Object. -### Automating security configuration tasks +### Automating security configuration tasks By calling the secedit.exe tool at a command prompt from a batch file or automatic task scheduler, you can use it to automatically create and apply templates, and analyze system security. You can also run it dynamically from a command prompt. Secedit.exe is useful when you have multiple devices on which security must be analyzed or configured, and you need to perform these tasks during off-hours. -## Working with Group Policy tools +## Working with Group Policy tools Group Policy is an infrastructure that allows you to specify managed configurations for users and computers through Group Policy settings and Group Policy Preferences. For Group Policy settings that affect only a local device or user, you can use the Local Group Policy Editor. You can manage Group Policy settings and Group Policy Preferences in an Active Directory Domain Services (AD DS) environment through the Group Policy Management Console (GPMC). Group Policy management tools also are included in the Remote Server Administration Tools pack to provide a way for you to administer Group Policy settings from your desktop. 
diff --git a/windows/keep-secure/advanced-security-audit-policy-settings.md b/windows/keep-secure/advanced-security-audit-policy-settings.md index c7fc7a5645..ddf52cfa1a 100644 --- a/windows/keep-secure/advanced-security-audit-policy-settings.md +++ b/windows/keep-secure/advanced-security-audit-policy-settings.md @@ -115,7 +115,7 @@ Logon/Logoff security policy settings and audit events allow you to track attemp Object Access policy settings and audit events allow you to track attempts to access specific objects or types of objects on a network or computer. To audit attempts to access a file, directory, registry key, or any other object, you must enable the appropriate object Aaccess auditing subcategory for success and/or failure events. For example, the file system subcategory needs to be enabled to audit file operations, and the Registry subcategory needs to be enabled to audit registry accesses. -Proving that these audit policies are in effect to an external auditor is more difficult. There is no easy way to verify that the proper SACLs are set on all inherited objects. To address this issue, see [Global Object Access Auditing](#BKMK_GlobalObjectAccess). +Proving that these audit policies are in effect to an external auditor is more difficult. There is no easy way to verify that the proper SACLs are set on all inherited objects. To address this issue, see [Global Object Access Auditing](#bkmk-globalobjectaccess). This category includes the following subcategories: diff --git a/windows/keep-secure/advanced-security-auditing-faq.md b/windows/keep-secure/advanced-security-auditing-faq.md index 6f75734820..b63076029e 100644 --- a/windows/keep-secure/advanced-security-auditing-faq.md +++ b/windows/keep-secure/advanced-security-auditing-faq.md 
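Review bot: the context line in the advanced-security-audit-policy-settings.md hunk reads "you must enable the appropriate object Aaccess auditing subcategory"; "Aaccess" should be "Access" (the setting is the Object Access category), and since this paragraph is already in the touched region it is worth correcting in the same change. The renamed target `#bkmk-globalobjectaccess` points at a heading that is outside the hunk, so please confirm the Global Object Access Auditing heading generates that id.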
@@ -17,50 +17,50 @@ author: brianlic-msft This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies. -- [What is Windows security auditing and why might I want to use it?](#BKMK_1) +- [What is Windows security auditing and why might I want to use it?](#bkmk-1) -- [What is the difference between audit policies located in Local Policies\\Audit Policy and audit policies located in Advanced Audit Policy Configuration?](#BKMK_2) +- [What is the difference between audit policies located in Local Policies\\Audit Policy and audit policies located in Advanced Audit Policy Configuration?](#bkmk-2) -- [What is the interaction between basic audit policy settings and advanced audit policy settings?](#BKMK_3) +- [What is the interaction between basic audit policy settings and advanced audit policy settings?](#bkmk-3) -- [How are audit settings merged by Group Policy?](#BKMK_4) +- [How are audit settings merged by Group Policy?](#bkmk-4) -- [What is the difference between an object DACL and an object SACL?](#BKMK_14) +- [What is the difference between an object DACL and an object SACL?](#bkmk-14) -- [Why are audit policies applied on a per-computer basis rather than per user?](#BKMK_13) +- [Why are audit policies applied on a per-computer basis rather than per user?](#bkmk-13) -- [What are the differences in auditing functionality between versions of Windows?](#BKMK_12) +- [What are the differences in auditing functionality between versions of Windows?](#bkmk-12) -- [Can I use advanced audit policy from a domain controller running Windows Server 2003 or Windows 2000 Server?](#BKMK_15) +- [Can I use advanced audit policy from a domain controller running Windows Server 2003 or Windows 2000 Server?](#bkmk-15) -- [What is the difference between success and failure events? Is something wrong if I get a failure audit?](#BKMK_5) +- [What is the difference between success and failure events? 
Is something wrong if I get a failure audit?](#bkmk-5) -- [How can I set an audit policy that affects all objects on a computer?](#BKMK_6) +- [How can I set an audit policy that affects all objects on a computer?](#bkmk-6) -- [How do I figure out why someone was able to access a resource?](#BKMK_7) +- [How do I figure out why someone was able to access a resource?](#bkmk-7) -- [How do I know when changes are made to access control settings, by whom, and what the changes were?](#BKMK_8) +- [How do I know when changes are made to access control settings, by whom, and what the changes were?](#bkmk-8) -- [How can I roll back security audit policies from the advanced audit policy to the basic audit policy?](#BKMK_19) +- [How can I roll back security audit policies from the advanced audit policy to the basic audit policy?](#bkmk-19) -- [How can I monitor if changes are made to audit policy settings?](#BKMK_10) +- [How can I monitor if changes are made to audit policy settings?](#bkmk-10) -- [How can I minimize the number of events that are generated?](#BKMK_16) +- [How can I minimize the number of events that are generated?](#bkmk-16) -- [What are the best tools to model and manage audit policy?](#BKMK_17) +- [What are the best tools to model and manage audit policy?](#bkmk-17) -- [Where can I find information about all the possible events that I might receive?](#BKMK_11) +- [Where can I find information about all the possible events that I might receive?](#bkmk-11) -- [Where can I find more detailed information?](#BKMK_18) +- [Where can I find more detailed information?](#bkmk-18) -## What is Windows security auditing and why might I want to use it? +## What is Windows security auditing and why might I want to use it? Security auditing is a methodical examination and review of activities that may affect the security of a system. 
In the Windows operating systems, security auditing is more narrowly defined as the features and services that enable an administrator to log and review events for specified security-related activities. Hundreds of events occur as the Windows operating system and the applications that run on it perform their tasks. Monitoring these events can provide valuable information to help administrators troubleshoot and investigate security-related activities. -## What is the difference between audit policies located in Local Policies\\Audit Policy and audit policies located in Advanced Audit Policy Configuration? +## What is the difference between audit policies located in Local Policies\\Audit Policy and audit policies located in Advanced Audit Policy Configuration? The basic security audit policy settings in **Security Settings\\Local Policies\\Audit Policy** and the advanced security audit policy settings in **Security Settings\\Advanced Audit Policy Configuration\\System Audit Policies** appear to overlap, but they are recorded and applied differently. When you apply basic audit policy settings to the local computer by using the Local Security Policy snap-in (secpol.msc), you are editing the effective audit policy, so changes made to basic audit policy settings will appear exactly as configured in Auditpol.exe. 
@@ -73,7 +73,7 @@ In addition, if you enable success auditing for the basic **Audit account logon The nine basic settings under **Security Settings\\Local Policies\\Audit Policy** were introduced in Windows 2000. Therefore, they are available in all versions of Windows released since then. The advanced audit policy settings were introduced in Windows Vista and Windows Server 2008. The advanced settings can only be used on computers running Windows 7, Windows Server 2008, and later. -## What is the interaction between basic audit policy settings and advanced audit policy settings? +## What is the interaction between basic audit policy settings and advanced audit policy settings? Basic audit policy settings are not compatible with advanced audit policy settings that are applied by using Group Policy. When advanced audit policy settings are applied by using Group Policy, the current computer's audit policy settings are cleared before the resulting advanced audit policy settings are applied. After you apply advanced audit policy settings by using Group Policy, you can only reliably set system audit policy for the computer by using the advanced audit policy settings. @@ -87,7 +87,7 @@ If you use Advanced Audit Policy Configuration settings or use logon scripts to   -## How are audit settings merged by Group Policy? +## How are audit settings merged by Group Policy? By default, policy options that are set in GPOs and linked to higher levels of Active Directory sites, domains, and OUs are inherited by all OUs at lower levels. However, an inherited policy can be overridden by a GPO that is linked at a lower level. 
@@ -135,7 +135,7 @@ The rules that govern how Group Policy settings are applied propagate to the sub   -## What is the difference between an object DACL and an object SACL? +## What is the difference between an object DACL and an object SACL? All objects in Active Directory Domain Services (AD DS), and all securable objects on a local computer or on the network, have security descriptors to help control access to the objects. Security descriptors include information about who owns an object, who can access it and in what way, and what types of access are audited. Security descriptors contain the access control list (ACL) of an object, which includes all of the security permissions that apply to that object. An object's security descriptor can contain two types of ACLs: @@ -148,7 +148,7 @@ The access control model that is used in Windows is administered at the object l If auditing is configured for the object, its security descriptor also contains a SACL that controls how the security subsystem audits attempts to access the object. However, auditing is not completely configured unless a SACL has been configured for an object and a corresponding **Object Access** audit policy setting has been configured and applied. -## Why are audit policies applied on a per-computer basis rather than per user? +## Why are audit policies applied on a per-computer basis rather than per user? In security auditing in Windows, the computer, objects on the computer, and related resources are the primary recipients of actions by clients including applications, other computers, and users. In a security breach, malicious users can use alternate credentials to hide their identity, or malicious applications can impersonate legitimate users to perform undesired tasks. Therefore, the most consistent way to apply an audit policy is to focus on the computer and the objects and resources on that computer. 
@@ -157,17 +157,17 @@ In addition, because audit policy capabilities can vary between computers runnin However, in cases where you want audit settings to apply only to specified groups of users, you can accomplish this by configuring SACLs on the relevant objects to enable auditing for a security group that contains only the users you specify. For example, you can configure a SACL for a folder called Payroll Data on Accounting Server 1. This can audit attempts by members of the Payroll Processors OU to delete objects from this folder. The **Object Access\\Audit File System** audit policy setting applies to Accounting Server 1, but because it requires a corresponding resource SACL, only actions by members of the Payroll Processors OU on the Payroll Data folder generates audit events. -## What are the differences in auditing functionality between versions of Windows? +## What are the differences in auditing functionality between versions of Windows? Basic audit policy settings are available in all versions of Windows since Windows 2000, and they can be applied locally or by using Group Policy. Advanced audit policy settings were introduced in Windows Vista and Windows Server 2008, but the settings can only be applied by using logon scripts in those versions. Advanced audit policy settings, which were introduced in Windows 7 and Windows Server 2008 R2, can be configured and applied by using local and domain Group Policy settings. -## Can I use advanced audit policies from a domain controller running Windows Server 2003 or Windows 2000 Server? +## Can I use advanced audit policies from a domain controller running Windows Server 2003 or Windows 2000 Server? To use advanced audit policy settings, your domain controller must be installed on a computer running Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003 with Service Pack 2 (SP2). Windows 2000 Server is not supported. 
-## What is the difference between success and failure events? Is something wrong if I get a failure audit? +## What is the difference between success and failure events? Is something wrong if I get a failure audit? A success audit event is triggered when a defined action, such as accessing a file share, is completed successfully. 
@@ -176,19 +176,19 @@ A failure audit event is triggered when a defined action, such as a user logon, The appearance of failure audit events in the event log does not necessarily mean that something is wrong with your system. For example, if you configure Audit Logon events, a failure event may simply mean that a user mistyped his or her password. -## How can I set an audit policy that affects all objects on a computer? +## How can I set an audit policy that affects all objects on a computer? System administrators and auditors increasingly want to verify that an auditing policy is applied to all objects on a system. This has been difficult to accomplish because the system access control lists (SACLs) that govern auditing are applied on a per-object basis. Thus, to verify that an audit policy has been applied to all objects, you would have to check every object to be sure that no changes have been made—even temporarily to a single SACL. Introduced in Windows Server 2008 R2 and Windows 7, security auditing allows administrators to define global object access auditing policies for the entire file system or for the registry on a computer. The specified SACL is then automatically applied to every object of that type. This can be useful for verifying that all critical files, folders, and registry settings on a computer are protected, and for identifying when an issue with a system resource occurs. If a file or folder SACL and a global object access auditing policy (or a single registry setting SACL and a global object access auditing policy) are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the global object access auditing policy. This means that an audit event is generated if an activity matches either the file or folder SACL or the global object access auditing policy. -## How do I figure out why someone was able to access a resource? +## How do I figure out why someone was able to access a resource? 
Often it is not enough to know simply that an object such as a file or folder was accessed. You may also want to know why the user was able to access this resource. You can obtain this forensic data by configuring the **Audit Handle Manipulation** setting with the **Audit File System** or with the **Audit Registry** audit setting. -## How do I know when changes are made to access control settings, by whom, and what the changes were? +## How do I know when changes are made to access control settings, by whom, and what the changes were? To track access control changes on computers running Windows Server 2016 Technical Preview, Windows Server 2012 R2, Windows Server 2012 Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server 2008, you need to enable the following settings, which track changes to DACLs: @@ -201,7 +201,7 @@ To track access control changes on computers running Windows Server 2016 Techni In Windows XP and Windows Server 2003, you need to use the **Audit policy change** subcategory. -## How can I roll back security audit policies from the advanced audit policy to the basic audit policy? +## How can I roll back security audit policies from the advanced audit policy to the basic audit policy? Applying advanced audit policy settings replaces any comparable basic security audit policy settings. If you subsequently change the advanced audit policy setting to **Not configured**, you need to complete the following steps to restore the original basic security audit policy settings: 
@@ -214,7 +214,7 @@ Applying advanced audit policy settings replaces any comparable basic security a Unless you complete all of these steps, the basic audit policy settings will not be restored. -## How can I monitor if changes are made to audit policy settings? +## How can I monitor if changes are made to audit policy settings? Changes to security audit policies are critical security events. You can use the **Audit Audit Policy Change** setting to determine if the operating system generates audit events when the following types of activities take place: @@ -233,12 +233,12 @@ Changes to security audit policies are critical security events. You can use the - A Special Groups list is changed -## How can I minimize the number of events that are generated? +## How can I minimize the number of events that are generated? Finding the right balance between auditing enough network and computer activity and auditing too little network and computer activity can be challenging. You can achieve this balance by identifying the most important resources, critical activities, and users or groups of users. Then design a security audit policy that targets these resources, activities, and users. Useful guidelines and recommendations for developing an effective security auditing strategy can be found in [Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md). -## What are the best tools to model and manage audit policies? +## What are the best tools to model and manage audit policies? The integration of advanced audit policy settings with domain Group Policy, introduced in Windows 7 and Windows Server 2008 R2, is designed to simplify the management and implementation of security audit policies in an organization's network. As such, tools used to plan and deploy Group Policy Objects for a domain can also be used to plan and deploy security audit policies. 
@@ -247,7 +247,7 @@ On an individual computer, the Auditpol command-line tool can be used to complet In addition, there are a number of computer management products, such as the Audit Collection Services in the Microsoft System Center Operations Manager products, which can be used to collect and filter event data. -## Where can I find information about all the possible events that I might receive? +## Where can I find information about all the possible events that I might receive? Users who examine the security event log for the first time can be a bit overwhelmed by the number of audit events that are stored there (which can quickly number in the thousands) and by the structured information that is included for each audit event. Additional information about these events, and the settings used to generate them, can be obtained from the following resources: @@ -260,7 +260,7 @@ Users who examine the security event log for the first time can be a bit overwhe - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -## Where can I find more detailed information? +## Where can I find more detailed information? To learn more about security audit policies, see the following resources: diff --git a/windows/keep-secure/allow-log-on-locally.md b/windows/keep-secure/allow-log-on-locally.md index 1f0c5c9915..4c01928dd3 100644 --- a/windows/keep-secure/allow-log-on-locally.md +++ b/windows/keep-secure/allow-log-on-locally.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management, and security considerations for the **Allow log on locally** security policy setting. 
diff --git a/windows/keep-secure/allow-log-on-through-remote-desktop-services.md b/windows/keep-secure/allow-log-on-through-remote-desktop-services.md index 237cc528bb..fe7ef33124 100644 --- a/windows/keep-secure/allow-log-on-through-remote-desktop-services.md +++ b/windows/keep-secure/allow-log-on-through-remote-desktop-services.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management, and security considerations for the **Allow log on through Remote Desktop Services** security policy setting. diff --git a/windows/keep-secure/audit-audit-the-access-of-global-system-objects.md b/windows/keep-secure/audit-audit-the-access-of-global-system-objects.md index 6143ab96e7..a19b4b7e87 100644 --- a/windows/keep-secure/audit-audit-the-access-of-global-system-objects.md +++ b/windows/keep-secure/audit-audit-the-access-of-global-system-objects.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, and security considerations for the **Audit: Audit the access of global system objects** security policy setting. diff --git a/windows/keep-secure/audit-audit-the-use-of-backup-and-restore-privilege.md b/windows/keep-secure/audit-audit-the-use-of-backup-and-restore-privilege.md index 3c8cd8dea4..3a0db486c3 100644 
--- a/windows/keep-secure/audit-audit-the-use-of-backup-and-restore-privilege.md +++ b/windows/keep-secure/audit-audit-the-use-of-backup-and-restore-privilege.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, and security considerations for the **Audit: Audit the use of Backup and Restore privilege** security policy setting. diff --git a/windows/keep-secure/audit-force-audit-policy-subcategory-settings-to-override.md b/windows/keep-secure/audit-force-audit-policy-subcategory-settings-to-override.md index 3fc67036ed..488b81fc4d 100644 --- a/windows/keep-secure/audit-force-audit-policy-subcategory-settings-to-override.md +++ b/windows/keep-secure/audit-force-audit-policy-subcategory-settings-to-override.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, and security considerations for the **Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings** security policy setting. diff --git a/windows/keep-secure/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md b/windows/keep-secure/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md index 4791b78621..55fa18cbc7 100644 --- a/windows/keep-secure/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md 
+++ b/windows/keep-secure/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, management practices, and security considerations for the **Audit: Shut down system immediately if unable to log security audits** security policy setting. diff --git a/windows/keep-secure/back-up-files-and-directories.md b/windows/keep-secure/back-up-files-and-directories.md index 3a807b61ab..492f0516cb 100644 --- a/windows/keep-secure/back-up-files-and-directories.md +++ b/windows/keep-secure/back-up-files-and-directories.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management, and security considerations for the **Back up files and directories** security policy setting. diff --git a/windows/keep-secure/backup-thetpm-recovery-information-to-ad-ds.md b/windows/keep-secure/backup-thetpm-recovery-information-to-ad-ds.md index d7e7a1b653..83250faee4 100644 --- a/windows/keep-secure/backup-thetpm-recovery-information-to-ad-ds.md +++ b/windows/keep-secure/backup-thetpm-recovery-information-to-ad-ds.md 
@@ -35,17 +35,17 @@ This topic contains procedures, some of which are dependent on Visual Basic scri In this topic: -1. [Check status of prerequisites](#BKMK_PreReqs) +1. [Check status of prerequisites](#bkmk-prereqs) -2. [Set permissions to back up password information](#BKMK_SetPerms) +2. [Set permissions to back up password information](#bkmk-setperms) -3. [Configure Group Policy to back up TPM recovery information in AD DS](#BKMK_ConfigureGP) +3. [Configure Group Policy to back up TPM recovery information in AD DS](#bkmk-configuregp) -4. [Use AD DS to recover TPM information](#BKMK_UseIt) +4. [Use AD DS to recover TPM information](#bkmk-useit) -5. [Sample scripts](#BKMK_adds_tpm_scripts) +5. [Sample scripts](#bkmk-adds-tpm-scripts) -## Check status of prerequisites +## Check status of prerequisites Before you begin your backup, ensure that the following prerequisites are met: 
@@ -59,10 +59,10 @@ Before you begin your backup, ensure that the following prerequisites are met: 2. You have domain administrator rights in the target forest, or you are using an account that has been granted appropriate permissions to extend the schema for the target forest. Members of the Enterprise Admins or Schema Admins groups are examples of accounts that have the appropriate permissions. -## Set permissions to back up password information +## Set permissions to back up password information -This procedure uses the sample script [Add-TPMSelfWriteACE.vbs](#BKMK_Add-TPMSelfWriteACE) to add an access control entry (ACE) so that backing up TPM recovery information is possible. A client computer cannot back up TPM owner information until this ACE is added. +This procedure uses the sample script [Add-TPMSelfWriteACE.vbs](#bkmk-add-tpmselfwriteace) to add an access control entry (ACE) so that backing up TPM recovery information is possible. A client computer cannot back up TPM owner information until this ACE is added. This script is run on the domain controller that you will use to administer the TPM recovery information, and it operates under the following assumptions: 
@@ -117,10 +117,10 @@ Complete the following procedure to check that the correct permissions are set a With this script you can optionally remove ACEs from BitLocker and TPM schema objects on the top-level domain. -## Configure Group Policy to back up TPM recovery information in AD DS +## Configure Group Policy to back up TPM recovery information in AD DS -Use these procedures to configure the [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md#BKMK_tpmgp_addsbu) policy setting on a local computer. In a production environment, an efficient way to do this is to create or edit a Group Policy Object (GPO) that can target client computers in the domain. +Use these procedures to configure the [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md#bkmk-tpmgp-addsbu) policy setting on a local computer. In a production environment, an efficient way to do this is to create or edit a Group Policy Object (GPO) that can target client computers in the domain. **To enable local policy setting to back up TPM recovery information to AD DS** @@ -139,7 +139,7 @@ When this setting is enabled, the TPM owner password cannot be set or changed un   -## Use AD DS to recover TPM information +## Use AD DS to recover TPM information When you need to recover the TPM owner information from AD DS and use it to manage the TPM, you need to read the **ms-TPM-OwnerInformation** object from AD DS, and then manually create a TPM owner password backup file that can be supplied when TPM owner credentials are required. 
@@ -148,7 +148,7 @@ When you need to recover the TPM owner information from AD DS and use it to man 1. Sign in to a domain controller by using domain administrator credentials. -2. Copy the sample script file, [Get-TPMOwnerInfo.vbs](#ms-TPM-OwnerInformation), to a location on your computer. +2. Copy the sample script file, [Get-TPMOwnerInfo.vbs](#ms-tpm-ownerinformation), to a location on your computer. 3. Open a Command Prompt window, and change the default location to the location of the sample script files you saved in the previous step. 
@@ -184,18 +184,18 @@ When you need to recover the TPM owner information from AD DS and use it to man 6. Save this file with a .tpm extension on a removable storage device, such as a USB flash drive. When you access the TPM, and you are required to provide the TPM owner password, choose the option for reading the password from a file and provide the path to this file. -## Sample scripts +## Sample scripts You can use all or portions of the following sample scripts, which are used in the preceding procedures, to configure AD DS for backing up TPM recovery information. Customization is required depending on how your environment is configured. -- [Add-TPMSelfWriteACE.vbs: Use to add the access control entry (ACE) for the TPM to AD DS](#BKMK_Add-TPMSelfWriteACE) +- [Add-TPMSelfWriteACE.vbs: Use to add the access control entry (ACE) for the TPM to AD DS](#bkmk-add-tpmselfwriteace) -- [List-ACEs.vbs: Use to list or remove the ACEs that are configured on BitLocker and TPM schema objects](#BKMK_List-ACEs) +- [List-ACEs.vbs: Use to list or remove the ACEs that are configured on BitLocker and TPM schema objects](#bkmk-list-aces) -- [Get-TPMOwnerInfo.vbs: Use to retrieve the TPM recovery information from AD DS for a particular computer](#BKMK_Get-TPMOwnerInfo) +- [Get-TPMOwnerInfo.vbs: Use to retrieve the TPM recovery information from AD DS for a particular computer](#bkmk-get-tpmownerinfo) -### Add-TPMSelfWriteACE.vbs +### Add-TPMSelfWriteACE.vbs This script adds the access control entry (ACE) for the TPM to AD DS so that the computer can back up TPM recovery information in AD DS. @@ -326,7 +326,7 @@ objDomain.SetInfo WScript.Echo "SUCCESS!" ``` -### List-ACEs.vbs +### List-ACEs.vbs This script lists or removes the ACEs that are configured on BitLocker and TPM schema objects for the top-level domain. This enables you to verify that the expected ACEs have been added appropriately or to remove any ACEs that are related to BitLocker or the TPM, if necessary. 
@@ -571,7 +571,7 @@ else end if ``` -### Get-TPMOwnerInfo.vbs +### Get-TPMOwnerInfo.vbs This script retrieves TPM recovery information from AD DS for a particular computer so that you can verify that only domain administrators (or delegated roles) can read backed up TPM recovery information and verify that the information is being backed up correctly. diff --git a/windows/keep-secure/bitlocker-basic-deployment.md b/windows/keep-secure/bitlocker-basic-deployment.md index 8d60f57dc6..66830c7a84 100644 --- a/windows/keep-secure/bitlocker-basic-deployment.md +++ b/windows/keep-secure/bitlocker-basic-deployment.md @@ -19,15 +19,15 @@ This topic for the IT professional explains how BitLocker features can be used t The following sections provide information that will help you put together your basic deployment plan for implementing BitLocker in your organization: -- [Using BitLocker to encrypt volumes](#BKMK_dep1) +- [Using BitLocker to encrypt volumes](#bkmk-dep1) -- [Down-level compatibility](#BKMK_dep2) +- [Down-level compatibility](#bkmk-dep2) -- [Using manage-bde to encrypt volumes with BitLocker](#BKMK_dep3) +- [Using manage-bde to encrypt volumes with BitLocker](#bkmk-dep3) -- [Using PowerShell to encrypt volumes with BitLocker](#BKMK_dep4) +- [Using PowerShell to encrypt volumes with BitLocker](#bkmk-dep4) -## Using BitLocker to encrypt volumes +## Using BitLocker to encrypt volumes BitLocker provides full volume encryption (FVE) for operating system volumes, as well as fixed and removable data volumes. To support fully encrypted operating system volumes, BitLocker uses an unencrypted system volume for the files required to boot, decrypt, and load the operating system. This volume is automatically created during a new installation of both client and server operating systems. 
@@ -146,7 +146,7 @@ With an encryption method chosen, a final confirmation screen displays before be Encryption status displays in the notification area or within the BitLocker control panel. -### OneDrive option +### OneDrive option There is a new option for storing the BitLocker recovery key using the OneDrive. This option requires that computers are not members of a domain and that the user is using a Microsoft Account. Local accounts do not give the option to utilize OneDrive. Using the OneDrive option is the default, recommended recovery key storage method for computers that are not joined to a domain. @@ -156,7 +156,7 @@ Users can verify the recovery key was saved properly by checking their OneDrive Windows Explorer allows users to launch the BitLocker Drive Encryption wizard by right clicking on a volume and selecting **Turn On BitLocker**. This option is available on client computers by default. On servers, you must first install the BitLocker and Desktop-Experience features for this option to be available. After selecting **Turn on BitLocker**, the wizard works exactly as it does when launched using the BitLocker control panel. -## Down-level compatibility +## Down-level compatibility The following table shows the compatibility matrix for systems that have been BitLocker enabled then presented to a different version of Windows. @@ -274,7 +274,7 @@ manage-bde -protectors -add -pw C: manage-bde -on C: ``` -## Using manage-bde to encrypt volumes with BitLocker +## Using manage-bde to encrypt volumes with BitLocker ### Encrypting volumes using the BitLocker Windows PowerShell cmdlets @@ -515,7 +515,7 @@ Active Directory-based protectors are normally used to unlock Failover Cluster e   -## Using PowerShell to encrypt volumes with BitLocker +## Using PowerShell to encrypt volumes with BitLocker ### Checking BitLocker status 
diff --git a/windows/keep-secure/bitlocker-frequently-asked-questions--faq-.md b/windows/keep-secure/bitlocker-frequently-asked-questions--faq-.md index a389626957..ce094d3d47 100644 --- a/windows/keep-secure/bitlocker-frequently-asked-questions--faq-.md +++ b/windows/keep-secure/bitlocker-frequently-asked-questions--faq-.md @@ -19,28 +19,28 @@ This topic for the IT professional answers frequently asked questions concerning BitLocker is a data protection feature that encrypts the hard drives on your computer to provide enhanced protection against data theft or exposure on computers and removable drives that are lost or stolen, and more secure data deletion when BitLocker-protected computers are decommissioned as it is much more difficult to recover deleted data from an encrypted drive than from a non-encrypted drive. -- [Overview and requirements](#BKMK_Overview) +- [Overview and requirements](#bkmk-overview) -- [Upgrading](#BKMK_Upgrading) +- [Upgrading](#bkmk-upgrading) -- [Deployment and administration](#BKMK_Deploy) +- [Deployment and administration](#bkmk-deploy) -- [Key management](#BKMK_KeyManagement) +- [Key management](#bkmk-keymanagement) -- [BitLocker To Go](#BKMK_BTGsect) +- [BitLocker To Go](#bkmk-btgsect) -- [Active Directory Domain Services (AD DS)](#BKMK_ADDS) +- [Active Directory Domain Services (AD DS)](#bkmk-adds) -- [Security](#BKMK_Security) +- [Security](#bkmk-security) -- [BitLocker Network Unlock](#BKMK_BNUsect) +- [BitLocker Network Unlock](#bkmk-bnusect) -- [Other questions](#BKMK_Other) +- [Other questions](#bkmk-other) -## Overview and requirements +## Overview and requirements -### How does BitLocker work? +### How does BitLocker work? **How BitLocker works with operating system drives** 
@@ -50,36 +50,36 @@ You can use BitLocker to mitigate unauthorized data access on lost or stolen com You can use BitLocker to encrypt the entire contents of a data drive. You can use Group Policy to require that BitLocker be enabled on a drive before the computer can write data to the drive. BitLocker can be configured with a variety of unlock methods for data drives, and a data drive supports multiple unlock methods. -### Does BitLocker support multifactor authentication? +### Does BitLocker support multifactor authentication? Yes, BitLocker supports multifactor authentication for operating system drives. If you enable BitLocker on a computer that has a TPM version 1.2 or later, you can use additional forms of authentication with the TPM protection. -### What are the BitLocker hardware and software requirements? +### What are the BitLocker hardware and software requirements? **Note**   Dynamic disks are not supported by BitLocker. Dynamic data volumes will not be displayed in the Control Panel. Although the operating system volume will always be displayed in the Control Panel, regardless of whether it is a Dynamic disk, if it is a dynamic disk it is cannot be protected by BitLocker.   -### Why are two partitions required? Why does the system drive have to be so large? +### Why are two partitions required? Why does the system drive have to be so large? Two partitions are required to run BitLocker because pre-startup authentication and system integrity verification must occur on a separate partition from the encrypted operating system drive. This configuration helps protect the operating system and the information in the encrypted drive. -### Which Trusted Platform Modules (TPMs) does BitLocker support? +### Which Trusted Platform Modules (TPMs) does BitLocker support? BitLocker supports TPM version 1.2 or higher. -### How can I tell if a TPM is on my computer? +### How can I tell if a TPM is on my computer? 
Open the TPM MMC console (tpm.msc) and look under the **Status** heading. -### Can I use BitLocker on an operating system drive without a TPM? +### Can I use BitLocker on an operating system drive without a TPM? Yes, you can enable BitLocker on an operating system drive without a TPM version 1.2 or higher, if the BIOS or UEFI firmware has the ability to read from a USB flash drive in the boot environment. This is because BitLocker will not unlock the protected drive until BitLocker's own volume master key is first released by either the computer's TPM or by a USB flash drive containing the BitLocker startup key for that computer. However, computers without TPMs will not be able to use the system integrity verification that BitLocker can also provide. To help determine whether a computer can read from a USB device during the boot process, use the BitLocker system check as part of the BitLocker setup process. This system check performs tests to confirm that the computer can properly read from the USB devices at the appropriate time and that the computer meets other BitLocker requirements. -### How do I obtain BIOS support for the TPM on my computer? +### How do I obtain BIOS support for the TPM on my computer? Contact the computer manufacturer to request a Trusted Computing Group (TCG)-compliant BIOS or UEFI boot firmware that meets the following requirements: 
@@ -87,28 +87,28 @@ Contact the computer manufacturer to request a Trusted Computing Group (TCG)-com - It has a secure update mechanism to help prevent a malicious BIOS or boot firmware from being installed on the computer. -### What credentials are required to use BitLocker? +### What credentials are required to use BitLocker? To turn on, turn off, or change configurations of BitLocker on operating system and fixed data drives, membership in the local **Administrators** group is required. Standard users can turn on, turn off, or change configurations of BitLocker on removable data drives. -### What is the recommended boot order for computers that are going to be BitLocker-protected? +### What is the recommended boot order for computers that are going to be BitLocker-protected? You should configure the startup options of your computer to have the hard disk drive first in the boot order, before any other drives such ach as CD/DVD drives or USB drives. If the hard disk is not first and you typically boot from hard disk, then a boot order change may be detected or assumed when removable media is found during boot. The boot order typically affects the system measurement that is verified by BitLocker and a change in boot order will cause you to be prompted for your BitLocker recovery key. For the same reason, if you have a laptop with a docking station, ensure that the hard disk drive is first in the boot order both when docked and undocked.  -## Upgrading +## Upgrading -### Can I upgrade my Windows 7 or Windows 8 computer to Windows 10 with BitLocker enabled? +### Can I upgrade my Windows 7 or Windows 8 computer to Windows 10 with BitLocker enabled? Yes. Open the **BitLocker Drive Encryption** Control Panel, click **Manage BitLocker**, and then and click **Suspend**. Suspending protection does not decrypt the drive; it disables the authentication mechanisms used by BitLocker and uses a clear key on the drive to enable access. 
After the upgrade has completed, open Windows Explorer, right-click the drive, and then click **Resume Protection**. This reapplies the BitLocker authentication methods and deletes the clear key. -### What is the difference between suspending and decrypting BitLocker? +### What is the difference between suspending and decrypting BitLocker? **Decrypt** completely removes BitLocker protection and fully decrypts the drive. **Suspend** keeps the data encrypted but encrypts the BitLocker volume master key with a clear key. The clear key is a cryptographic key stored unencrypted and unprotected on the disk drive. By storing this key unencrypted, the **Suspend** option allows for changes or upgrades to the computer without the time and cost of decrypting and re-encrypting the entire drive. After the changes are made and BitLocker is again enabled, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade, the volume master key is changed, the protectors are updated to match and the clear key is erased. -### Do I have to decrypt my BitLocker-protected drive to download and install system updates and upgrades? +### Do I have to decrypt my BitLocker-protected drive to download and install system updates and upgrades? The following table lists what action you need to take before you perform an upgrade or update installation. 
@@ -155,42 +155,42 @@ If you have suspended BitLocker, you can resume BitLocker protection after you h   -## Deployment and administration +## Deployment and administration -### Can BitLocker deployment be automated in an enterprise environment? +### Can BitLocker deployment be automated in an enterprise environment? Yes, you can automate the deployment and configuration of BitLocker and the TPM using either WMI or Windows PowerShell scripts. How you choose to implement the scripts depends on your environment. You can also use Manage-bde.exe to locally or remotely configure BitLocker. For more info about writing scripts that use the BitLocker WMI providers, see [BitLocker Drive Encryption Provider](http://go.microsoft.com/fwlink/p/?LinkId=80600). For more info about using Windows PowerShell cmdlets with BitLocker Drive Encryption, see [BitLocker Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj649829.aspx). -### Can BitLocker encrypt more than just the operating system drive? +### Can BitLocker encrypt more than just the operating system drive? Yes. -### Is there a noticeable performance impact when BitLocker is enabled on a computer? +### Is there a noticeable performance impact when BitLocker is enabled on a computer? Generally it imposes a single-digit percentage performance overhead. -### How long will initial encryption take when BitLocker is turned on? +### How long will initial encryption take when BitLocker is turned on? Although BitLocker encryption occurs in the background while you continue to work, and the system remains usable, encryption times vary depending on the type of drive that is being encrypted, the size of the drive, and the speed of the drive. If you are encrypting very large drives, you may want to set encryption to occur during times when you will not be using the drive. You can also choose whether or not BitLocker should encrypt the entire drive or just the used space on the drive when you turn on BitLocker. 
On a new hard drive, encrypting just the used spaced can be considerably faster than encrypting the entire drive. When this encryption option is selected, BitLocker automatically encrypts data as it is saved, ensuring that no data is stored unencrypted. -### What happens if the computer is turned off during encryption or decryption? +### What happens if the computer is turned off during encryption or decryption? If the computer is turned off or goes into hibernation, the BitLocker encryption and decryption process will resume where it stopped the next time Windows starts. This is true even if the power is suddenly unavailable. -### Does BitLocker encrypt and decrypt the entire drive all at once when reading and writing data? +### Does BitLocker encrypt and decrypt the entire drive all at once when reading and writing data? No, BitLocker does not encrypt and decrypt the entire drive when reading and writing data. The encrypted sectors in the BitLocker-protected drive are decrypted only as they are requested from system read operations. Blocks that are written to the drive are encrypted before the system writes them to the physical disk. No unencrypted data is ever stored on a BitLocker-protected drive. -### How can I prevent users on a network from storing data on an unencrypted drive? +### How can I prevent users on a network from storing data on an unencrypted drive? You can can Group Policy settings to require that data drives be BitLocker-protected before a BitLocker-protected computer can write data to them. For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). When these policy settings are enabled, the BitLocker-protected operating system will mount any data drives that are not protected by BitLocker as read-only. -### What system changes would cause the integrity check on my operating system drive to fail? +### What system changes would cause the integrity check on my operating system drive to fail? 
The following types of system changes can cause an integrity check failure and prevent the TPM from releasing the BitLocker key to decrypt the protected operating system drive: 
@@ -204,34 +204,34 @@ The following types of system changes can cause an integrity check failure and p - Changing the BIOS, UEFI firmware, master boot record, boot sector, boot manager, option ROM, or other early boot components or boot configuration data. -### What causes BitLocker to start into recovery mode when attempting to start the operating system drive? +### What causes BitLocker to start into recovery mode when attempting to start the operating system drive? Because BitLocker is designed to protect your computer from numerous attacks, there are numerous reasons why BitLocker could start in recovery mode. In BitLocker, recovery consists of decrypting a copy of the volume master key using either a recovery key stored on a USB flash drive or a cryptographic key derived from a recovery password. The TPM is not involved in any recovery scenarios, so recovery is still possible if the TPM fails boot component validation, malfunctions, or is removed. -### Can I swap hard disks on the same computer if BitLocker is enabled on the operating system drive? +### Can I swap hard disks on the same computer if BitLocker is enabled on the operating system drive? Yes, you can swap multiple hard disks on the same computer if BitLocker is enabled, but only if the hard disks were BitLocker-protected on the same computer. The BitLocker keys are unique to the TPM and operating system drive, so if you want to prepare a backup operating system or data drive for use in case of disk failure, you need to make sure that they were matched with the correct TPM. You can also configure different hard drives for different operating systems and then enable BitLocker on each one with different authentication methods (such as one with TPM-only and one with TPM+PIN) without any conflicts. -### Can I access my BitLocker-protected drive if I insert the hard disk into a different computer? +### Can I access my BitLocker-protected drive if I insert the hard disk into a different computer? 
Yes, if the drive is a data drive, you can unlock it from the **BitLocker Drive Encryption** Control Panel item just as you would any other data drive by using a password or smart card. If the data drive was configured for automatic unlock only, you will have to unlock it by using the recovery key. The encrypted hard disk can be unlocked by a data recovery agent (if one was configured) or it can be unlocked by using the recovery key. -### Why is "Turn BitLocker on" not available when I right-click a drive? +### Why is "Turn BitLocker on" not available when I right-click a drive? Some drives cannot be encrypted with BitLocker. Reasons a drive cannot be encrypted include insufficient disk size, an incompatible file system, if the drive is a dynamic disk, or a drive is designated as the system partition. By default, the system drive (or system partition) is hidden from display. However, if it is not created as a hidden drive when the operating system was installed due to a custom installation process, that drive might be displayed but cannot be encrypted. -### What type of disk configurations are supported by BitLocker? +### What type of disk configurations are supported by BitLocker? Any number of internal, fixed data drives can be protected with BitLocker. On some versions ATA and SATA-based, direct-attached storage devices are also supported. -## Key management +## Key management -### What is the difference between a TPM owner password, recovery password, recovery key, password, PIN, enhanced PIN, and startup key? +### What is the difference between a TPM owner password, recovery password, recovery key, password, PIN, enhanced PIN, and startup key? There are multiple keys that can be generated and used by BitLocker. Some keys are required and some are optional protectors you can choose to use depending on the level of security you require. -### How can the recovery password and recovery key be stored? +### How can the recovery password and recovery key be stored? 
The recovery password and recovery key for an operating system drive or a fixed data drive can be saved to a folder, saved to one or more USB devices, saved to your Microsoft Account, or printed. @@ -239,7 +239,7 @@ For removable data drives, the recovery password and recovery key can be saved t A domain administrator can additionally configure Group Policy to automatically generate recovery passwords and store them in Active Directory Domain Services (AD DS) for any BitLocker-protected drive. -### Is it possible to add an additional method of authentication without decrypting the drive if I only have the TPM authentication method enabled? +### Is it possible to add an additional method of authentication without decrypting the drive if I only have the TPM authentication method enabled? You can use the Manage-bde.exe command-line tool to replace your TPM-only authentication mode with a multifactor authentication mode. For example, if BitLocker is enabled with TPM authentication only and you want to add PIN authentication, use the following commands from an elevated command prompt, replacing *<4-20 digit numeric PIN>* with the numeric PIN you want to use: @@ -247,7 +247,7 @@ You can use the Manage-bde.exe command-line tool to replace your TPM-only authen **manage-bde –protectors –add %systemdrive% -tpmandpin** *<4-20 digit numeric PIN>* -### If I lose my recovery information, will the BitLocker-protected data be unrecoverable? +### If I lose my recovery information, will the BitLocker-protected data be unrecoverable? BitLocker is designed to make the encrypted drive unrecoverable without the required authentication. When in recovery mode, the user needs the recovery password or recovery key to unlock the encrypted drive. 
@@ -256,43 +256,43 @@ Store the recovery information in AD DS, along with your Microsoft Account, or   -### Can the USB flash drive that is used as the startup key also be used to store the recovery key? +### Can the USB flash drive that is used as the startup key also be used to store the recovery key? While this is technically possible, it is not a best practice to use one USB flash drive to store both keys. If the USB flash drive that contains your startup key is lost or stolen, you also lose access to your recovery key. In addition, inserting this key would cause your computer to automatically boot from the recovery key even if TPM-measured files have changed, which circumvents the TPM's system integrity check. -### Can I save the startup key on multiple USB flash drives? +### Can I save the startup key on multiple USB flash drives? Yes, you can save a computer's startup key on multiple USB flash drives. Right-clicking a BitLocker-protected drive and selecting **Manage BitLocker** will provide you the options to duplicate the recovery keys as needed. -### Can I save multiple (different) startup keys on the same USB flash drive? +### Can I save multiple (different) startup keys on the same USB flash drive? Yes, you can save BitLocker startup keys for different computers on the same USB flash drive. -### Can I generate multiple (different) startup keys for the same computer? +### Can I generate multiple (different) startup keys for the same computer? You can generate different startup keys for the same computer through scripting. However, for computers that have a TPM, creating different startup keys prevents BitLocker from using the TPM's system integrity check. -### Can I generate multiple PIN combinations? +### Can I generate multiple PIN combinations? You cannot generate multiple PIN combinations. -### What encryption keys are used in BitLocker? How do they work together? +### What encryption keys are used in BitLocker? How do they work together? 
Raw data is encrypted with the full volume encryption key, which is then encrypted with the volume master key. The volume master key is in turn encrypted by one of several possible methods depending on your authentication (that is, key protectors or TPM) and recovery scenarios. -### Where are the encryption keys stored? +### Where are the encryption keys stored? The full volume encryption key is encrypted by the volume master key and stored in the encrypted drive. The volume master key is encrypted by the appropriate key protector and stored in the encrypted drive. If BitLocker has been suspended, the clear key that is used to encrypt the volume master key is also stored in the encrypted drive, along with the encrypted volume master key. This storage process ensures that the volume master key is never stored unencrypted and is protected unless you disable BitLocker. The keys are also saved to two additional locations on the drive for redundancy. The keys can be read and processed by the boot manager. -### Why do I have to use the function keys to enter the PIN or the 48-character recovery password? +### Why do I have to use the function keys to enter the PIN or the 48-character recovery password? The F1 through F10 keys are universally mapped scan codes available in the pre-boot environment on all computers and in all languages. The numeric keys 0 through 9 are not usable in the pre-boot environment on all keyboards. When using an enhanced PIN, users should run the optional system check during the BitLocker setup process to ensure that the PIN can be entered correctly in the pre-boot environment. -### How does BitLocker help prevent an attacker from discovering the PIN that unlocks my operating system drive? +### How does BitLocker help prevent an attacker from discovering the PIN that unlocks my operating system drive? It is possible that a personal identification number (PIN) can be discovered by an attacker performing a brute force attack. 
A brute force attack occurs when an attacker uses an automated tool to try different PIN combinations until the correct one is discovered. For BitLocker-protected computers, this type of attack, also known as a dictionary attack, requires that the attacker have physical access to the computer. @@ -300,11 +300,11 @@ The TPM has the built-in ability to detect and react to these types of attacks. After you have determined your TPM's manufacturer, contact the manufacturer to gather the TPM's vendor-specific information. Most manufacturers use the PIN authentication failure count to exponentially increase lockout time to the PIN interface. However, each manufacturer has different policies regarding when and how the failure counter is decreased or reset. -### How can I determine the manufacturer of my TPM? +### How can I determine the manufacturer of my TPM? You can determine your TPM manufacturer in the TPM MMC console (tpm.msc) under the **TPM Manufacturer Information** heading. -### How can I evaluate a TPM's dictionary attack mitigation mechanism? +### How can I evaluate a TPM's dictionary attack mitigation mechanism? The following questions can assist you when asking a TPM manufacturer about the design of a dictionary attack mitigation mechanism: 
@@ -314,18 +314,18 @@ The following questions can assist you when asking a TPM manufacturer about the - What actions can cause the failure count and lockout duration to be decreased or reset? -### Can PIN length and complexity be managed with Group Policy? +### Can PIN length and complexity be managed with Group Policy? Yes and No. You can configure the minimum personal identification number (PIN) length by using the **Configure minimum PIN length for startup** Group Policy setting and allow the use of alphanumeric PINs by enabling the **Allow enhanced PINs for startup** Group Policy setting. However, you cannot require PIN complexity by Group Policy. For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). -## BitLocker To Go +## BitLocker To Go BitLocker To Go is BitLocker Drive Encryption on removable data drives. This includes the encryption of USB flash drives, SD cards, external hard disk drives, and other drives formatted by using the NTFS, FAT16, FAT32, or exFAT file systems. -## Active Directory Domain Services (AD DS) +## Active Directory Domain Services (AD DS) ### What if BitLocker is enabled on a computer before the computer has joined the domain? 
@@ -341,17 +341,17 @@ Joining a computer to the domain should be the first step for new computers with   -### Is there an event log entry recorded on the client computer to indicate the success or failure of the Active Directory backup? +### Is there an event log entry recorded on the client computer to indicate the success or failure of the Active Directory backup? Yes, an event log entry that indicates the success or failure of an Active Directory backup is recorded on the client computer. However, even if an event log entry says "Success," the information could have been subsequently removed from AD DS, or BitLocker could have been reconfigured in such a way that the Active Directory information can no longer unlock the drive (such as by removing the recovery password key protector). In addition, it is also possible that the log entry could be spoofed. Ultimately, determining whether a legitimate backup exists in AD DS requires querying AD DS with domain administrator credentials by using the BitLocker password viewer tool. -### If I change the BitLocker recovery password on my computer and store the new password in AD DS, will AD DS overwrite the old password? +### If I change the BitLocker recovery password on my computer and store the new password in AD DS, will AD DS overwrite the old password? No. By design, BitLocker recovery password entries do not get deleted from AD DS; therefore, you might see multiple passwords for each drive. To identify the latest password, check the date on the object. -### What happens if the backup initially fails? Will BitLocker retry the backup? +### What happens if the backup initially fails? Will BitLocker retry the backup? If the backup initially fails, such as when a domain controller is unreachable at the time when the BitLocker setup wizard is run, BitLocker does not try again to back up the recovery information to AD DS. 
@@ -359,24 +359,24 @@ When an administrator selects the **Require BitLocker backup to AD DS** check b For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). -When an administrator clears these check boxes, the administrator is allowing a drive to be BitLocker-protected without having the recovery information successfully backed up to AD DS; however, BitLocker will not automatically retry the backup if it fails. Instead, administrators can create a script for the backup, as described earlier in [What if BitLocker is enabled on a computer before the computer has joined the domain?](#BKMK_ADRetro) to capture the information after connectivity is restored. +When an administrator clears these check boxes, the administrator is allowing a drive to be BitLocker-protected without having the recovery information successfully backed up to AD DS; however, BitLocker will not automatically retry the backup if it fails. Instead, administrators can create a script for the backup, as described earlier in [What if BitLocker is enabled on a computer before the computer has joined the domain?](#bkmk-adretro) to capture the information after connectivity is restored. -## Security +## Security -### What form of encryption does BitLocker use? Is it configurable? +### What form of encryption does BitLocker use? Is it configurable? BitLocker uses Advanced Encryption Standard (AES) as its encryption algorithm with configurable key lengths of 128 or 256 bits. The default encryption setting is AES-128, but the options are configurable by using Group Policy. -### What is the best practice for using BitLocker on an operating system drive? +### What is the best practice for using BitLocker on an operating system drive? 
The recommended practice for BitLocker configuration on an operating system drive is to implement BitLocker on a computer with a TPM version 1.2 or higher and a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware implementation, plus a PIN. By requiring a PIN that was set by the user in addition to the TPM validation, a malicious user that has physical access to the computer cannot simply start the computer. -### What are the implications of using the sleep or hibernate power management options? +### What are the implications of using the sleep or hibernate power management options? BitLocker on operating system drives in its basic configuration (with a TPM but without advanced authentication) provides additional security for the hibernate mode. However, BitLocker provides greater security when it is configured to use an advanced authentication mode (TPM+PIN, TPM+USB, or TPM+PIN+USB) with the hibernate mode. This method is more secure because returning from hibernation requires BitLocker authentication. As a best practice, we recommend that sleep mode be disabled and that you use TPM+PIN for the authentication method. -### What are the advantages of a TPM? +### What are the advantages of a TPM? Most operating systems use a shared memory space and rely on the operating system to manage physical memory. A TPM is a hardware component that uses its own internal firmware and logic circuits for processing instructions, thus shielding it from external software vulnerabilities. Attacking the TPM requires physical access to the computer. Additionally, the tools and skills necessary to attack hardware are often more expensive, and usually are not as available as the ones used to attack software. And because each TPM is unique to the computer that contains it, attacking multiple TPM computers would be difficult and time-consuming. 
@@ -385,7 +385,7 @@ Configuring BitLocker with an additional factor of authentication provides even   -## BitLocker Network Unlock +## BitLocker Network Unlock BitLocker Network Unlock enables easier management for BitLocker-enabled desktops and servers that use the TPM+PIN protection method in a domain environment. When a computer that is connected to a wired corporate network is rebooted, Network Unlock allows the PIN entry prompt to be bypassed. It automatically unlocks BitLocker-protected operating system volumes by using a trusted key that is provided by the Windows Deployment Services server as its secondary authentication method. 
@@ -398,30 +398,30 @@ Network Unlock uses two protectors, the TPM protector and the one provided by th For more info, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md). -## Other questions +## Other questions -### Can I run a kernel debugger with BitLocker? +### Can I run a kernel debugger with BitLocker? Yes. However, the debugger should be turned on before enabling BitLocker. Turning on the debugger ensures that the correct measurements are calculated when sealing to the TPM, allowing the computer to start properly. If you need to turn debugging on or off when using BitLocker, be sure to suspend BitLocker first to avoid putting your computer into recovery mode. -### How does BitLocker handle memory dumps? +### How does BitLocker handle memory dumps? BitLocker has a storage driver stack that ensures memory dumps are encrypted when BitLocker is enabled. -### Can BitLocker support smart cards for pre-boot authentication? +### Can BitLocker support smart cards for pre-boot authentication? BitLocker does not support smart cards for pre-boot authentication. There is no single industry standard for smart card support in the firmware, and most computers either do not implement firmware support for smart cards, or only support specific smart cards and readers. This lack of standardization makes supporting them very difficult. -### Can I use a non-Microsoft TPM driver? +### Can I use a non-Microsoft TPM driver? Microsoft does not support non-Microsoft TPM drivers and strongly recommends against using them with BitLocker. Attempting to use a non-Microsoft TPM driver with BitLocker may cause BitLocker to report that a TPM is not present on the computer and not allow the TPM to be used with BitLocker. -### Can other tools that manage or modify the master boot record work with BitLocker? +### Can other tools that manage or modify the master boot record work with BitLocker? 
We do not recommend modifying the master boot record on computers whose operating system drives are BitLocker-protected for a number of security, reliability, and product support reasons. Changes to the master boot record (MBR) could change the security environment and prevent the computer from starting normally, as well as complicate any efforts to recover from a corrupted MBR. Changes made to the MBR by anything other than Windows might force the computer into recovery mode or prevent it from booting entirely. -### Why is the system check failing when I am encrypting my operating system drive? +### Why is the system check failing when I am encrypting my operating system drive? The system check is designed to ensure your computer's BIOS or UEFI firmware is compatible with BitLocker and that the TPM is working correctly. The system check can fail for several reasons: 
@@ -439,23 +439,23 @@ The system check is designed to ensure your computer's BIOS or UEFI firmware is - The TPM has malfunctioned and fails to unseal the keys. -### What can I do if the recovery key on my USB flash drive cannot be read? +### What can I do if the recovery key on my USB flash drive cannot be read? Some computers cannot read USB flash drives in the pre-boot environment. First, check your BIOS or UEFI firmware and boot settings to ensure that the use of USB drives is enabled. If it is not enabled, enable the use of USB drives in the BIOS or UEFI firmware and boot settings and then try to read the recovery key from the USB flash drive again. If it still cannot be read, you will have to mount the hard drive as a data drive on another computer so that there is an operating system to attempt to read the recovery key from the USB flash drive. If the USB flash drive has been corrupted or damaged, you may need to supply a recovery password or use the recovery information that was backed up to AD DS. Also, if you are using the recovery key in the pre-boot environment, ensure that the drive is formatted by using the NTFS, FAT16, or FAT32 file system. -### Why am I unable to save my recovery key to my USB flash drive? +### Why am I unable to save my recovery key to my USB flash drive? The **Save to USB** option is not shown by default for removable drives. If the option is unavailable, it means that a system administrator has disallowed the use of recovery keys. -### Why am I unable to automatically unlock my drive? +### Why am I unable to automatically unlock my drive? Automatic unlocking for fixed data drives requires that the operating system drive also be protected by BitLocker. If you are using a computer that does not have a BitLocker-protected operating system drive, the drive cannot be automatically unlocked. For removable data drives, you can add automatic unlocking by right-clicking the drive in Windows Explorer and clicking **Manage BitLocker**. 
You will still be able to use the password or smart card credentials you supplied when you turned on BitLocker to unlock the removable drive on other computers. -### Can I use BitLocker in Safe Mode? +### Can I use BitLocker in Safe Mode? Limited BitLocker functionality is available in Safe Mode. BitLocker-protected drives can be unlocked and decrypted by using the **BitLocker Drive Encryption** Control Panel item. Right-clicking to access BitLocker options from Windows Explorer is not available in Safe Mode. -### How do I "lock" a data drive? +### How do I "lock" a data drive? Both fixed and removable data drives can be locked by using the Manage-bde command-line tool and the –lock command. @@ -470,11 +470,11 @@ The syntax of this command is: Outside of using this command, data drives will be locked on shutdown and restart of the operating system. A removable data drive will also be locked automatically when the drive is removed from the computer. -### Can I use BitLocker with the Volume Shadow Copy Service? +### Can I use BitLocker with the Volume Shadow Copy Service? Yes. However, shadow copies made prior to enabling BitLocker will be automatically deleted when BitLocker is enabled on software-encrypted drives. If you are using a hardware encrypted drive, the shadow copies are retained. -### Does BitLocker support virtual hard disks (VHDs)? +### Does BitLocker support virtual hard disks (VHDs)? BitLocker is not supported on bootable VHDs, but BitLocker is supported on data volume VHDs, such as those used by clusters, if you are running Windows 10, Windows 8.1, Windows 8, Windows Server 2012, or Windows Server 2012 R2. diff --git a/windows/keep-secure/bitlocker-group-policy-settings.md b/windows/keep-secure/bitlocker-group-policy-settings.md index b43b3985be..f7957e0739 100644 --- a/windows/keep-secure/bitlocker-group-policy-settings.md +++ b/windows/keep-secure/bitlocker-group-policy-settings.md 
@@ -30,102 +30,102 @@ Most of the BitLocker Group Policy settings are applied when BitLocker is initia If multiple changes are necessary to bring the drive into compliance, you must suspend BitLocker protection, make the necessary changes, and then resume protection. This situation could occur, for example, if a removable drive was initially configured to be unlocked with a password and then Group Policy settings are changed to disallow passwords and require smart cards. In this situation, you need to suspend BitLocker protection by using the [Manage-bde](http://technet.microsoft.com/library/ff829849.aspx) command-line tool, delete the password unlock method, and add the smart card method. After this is complete, BitLocker is compliant with the Group Policy setting and BitLocker protection on the drive can be resumed. -## BitLocker Group Policy settings +## BitLocker Group Policy settings The following sections provide a comprehensive list of BitLocker Group Policy settings that are organized by usage. BitLocker Group Policy settings include settings for specific drive types (operating system drives, fixed data drives, and removable data drives) and settings that are applied to all drives. The following policy settings can be used to determine how a BitLocker-protected drive can be unlocked. 
-- [Allow network unlock at startup](#BKMK_netunlock) +- [Allow network unlock at startup](#bkmk-netunlock) -- [Require additional authentication at startup](#BKMK_unlockpol1) +- [Require additional authentication at startup](#bkmk-unlockpol1) -- [Allow enhanced PINs for startup](#BKMK_unlockpol2) +- [Allow enhanced PINs for startup](#bkmk-unlockpol2) -- [Configure minimum PIN length for startup](#BKMK_unlockpol3) +- [Configure minimum PIN length for startup](#bkmk-unlockpol3) -- [Disallow standard users from changing the PIN or password](#BKMK_dpinchange) +- [Disallow standard users from changing the PIN or password](#bkmk-dpinchange) -- [Configure use of passwords for operating system drives](#BKMK_ospw) +- [Configure use of passwords for operating system drives](#bkmk-ospw) -- [Require additional authentication at startup (Windows Server 2008 and Windows Vista)](#BKMK_unlockpol4) +- [Require additional authentication at startup (Windows Server 2008 and Windows Vista)](#bkmk-unlockpol4) -- [Configure use of smart cards on fixed data drives](#BKMK_unlockpol5) +- [Configure use of smart cards on fixed data drives](#bkmk-unlockpol5) -- [Configure use of passwords on fixed data drives](#BKMK_unlockpol6) +- [Configure use of passwords on fixed data drives](#bkmk-unlockpol6) -- [Configure use of smart cards on removable data drives](#BKMK_unlockpol7) +- [Configure use of smart cards on removable data drives](#bkmk-unlockpol7) -- [Configure use of passwords on removable data drives](#BKMK_unlockpol8) +- [Configure use of passwords on removable data drives](#bkmk-unlockpol8) -- [Validate smart card certificate usage rule compliance](#BKMK_unlockpol9) +- [Validate smart card certificate usage rule compliance](#bkmk-unlockpol9) -- [Enable use of BitLocker authentication requiring preboot keyboard input on slates](#BKMK_slates) +- [Enable use of BitLocker authentication requiring preboot keyboard input on slates](#bkmk-slates) The following policy settings are used to 
control how users can access drives and how they can use BitLocker on their computers. -- [Deny write access to fixed drives not protected by BitLocker](#BKMK_driveaccess1) +- [Deny write access to fixed drives not protected by BitLocker](#bkmk-driveaccess1) -- [Deny write access to removable drives not protected by BitLocker](#BKMK_driveaccess2) +- [Deny write access to removable drives not protected by BitLocker](#bkmk-driveaccess2) -- [Control use of BitLocker on removable drives](#BKMK_driveaccess3) +- [Control use of BitLocker on removable drives](#bkmk-driveaccess3) The following policy settings determine the encryption methods and encryption types that are used with BitLocker. -- [Choose drive encryption method and cipher strength](#BKMK_encryptmeth) +- [Choose drive encryption method and cipher strength](#bkmk-encryptmeth) -- [Configure use of hardware-based encryption for fixed data drives](#BKMK_hdefxd) +- [Configure use of hardware-based encryption for fixed data drives](#bkmk-hdefxd) -- [Configure use of hardware-based encryption for operating system drives](#BKMK_hdeosd) +- [Configure use of hardware-based encryption for operating system drives](#bkmk-hdeosd) -- [Configure use of hardware-based encryption for removable data drives](#BKMK_hderdd) +- [Configure use of hardware-based encryption for removable data drives](#bkmk-hderdd) -- [Enforce drive encryption type on fixed data drives](#BKMK_detypefdd) +- [Enforce drive encryption type on fixed data drives](#bkmk-detypefdd) -- [Enforce drive encryption type on operating system drives](#BKMK_detypeosd) +- [Enforce drive encryption type on operating system drives](#bkmk-detypeosd) -- [Enforce drive encryption type on removable data drives](#BKMK_detyperdd) +- [Enforce drive encryption type on removable data drives](#bkmk-detyperdd) The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive if an authentication method fails or is unable to 
be used. -- [Choose how BitLocker-protected operating system drives can be recovered](#BKMK_rec1) +- [Choose how BitLocker-protected operating system drives can be recovered](#bkmk-rec1) -- [Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista)](#BKMK_rec2) +- [Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista)](#bkmk-rec2) -- [Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)](#BKMK_rec3) +- [Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)](#bkmk-rec3) -- [Choose default folder for recovery password](#BKMK_rec4) +- [Choose default folder for recovery password](#bkmk-rec4) -- [Choose how BitLocker-protected fixed drives can be recovered](#BKMK_rec6) +- [Choose how BitLocker-protected fixed drives can be recovered](#bkmk-rec6) -- [Choose how BitLocker-protected removable drives can be recovered](#BKMK_rec7) +- [Choose how BitLocker-protected removable drives can be recovered](#bkmk-rec7) -- [Configure the pre-boot recovery message and URL](#BKMK_configurepreboot) +- [Configure the pre-boot recovery message and URL](#bkmk-configurepreboot) The following policies are used to support customized deployment scenarios in your organization. 
-- [Allow Secure Boot for integrity validation](#BKMK_secboot) +- [Allow Secure Boot for integrity validation](#bkmk-secboot) -- [Provide the unique identifiers for your organization](#BKMK_depopt1) +- [Provide the unique identifiers for your organization](#bkmk-depopt1) -- [Prevent memory overwrite on restart](#BKMK_depopt2) +- [Prevent memory overwrite on restart](#bkmk-depopt2) -- [Configure TPM platform validation profile for BIOS-based firmware configurations](#BKMK_tpmbios) +- [Configure TPM platform validation profile for BIOS-based firmware configurations](#bkmk-tpmbios) -- [Configure TPM platform validation profile (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2)](#BKMK_depopt3) +- [Configure TPM platform validation profile (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2)](#bkmk-depopt3) -- [Configure TPM platform validation profile for native UEFI firmware configurations](#BKMK_tpmvaluefi) +- [Configure TPM platform validation profile for native UEFI firmware configurations](#bkmk-tpmvaluefi) -- [Reset platform validation data after BitLocker recovery](#BKMK_resetrec) +- [Reset platform validation data after BitLocker recovery](#bkmk-resetrec) -- [Use enhanced Boot Configuration Data validation profile](#BKMK_enbcd) +- [Use enhanced Boot Configuration Data validation profile](#bkmk-enbcd) -- [Allow access to BitLocker-protected fixed data drives from earlier versions of Windows](#BKMK_depopt4) +- [Allow access to BitLocker-protected fixed data drives from earlier versions of Windows](#bkmk-depopt4) -- [Allow access to BitLocker-protected removable data drives from earlier versions of Windows](#BKMK_depopt5) +- [Allow access to BitLocker-protected removable data drives from earlier versions of Windows](#bkmk-depopt5) -### Allow network unlock at startup +### Allow network unlock at startup This policy controls a portion of the behavior of the Network Unlock feature in BitLocker. 
This policy is required to enable BitLocker Network Unlock on a network because it allows clients running BitLocker to create the necessary network key protector during encryption. This policy is used in addition to the BitLocker Drive Encryption Network Unlock Certificate security policy (located in the **Public Key Policies** folder of Local Computer Policy) to allow systems that are connected to a trusted network to properly utilize the Network Unlock feature. @@ -179,7 +179,7 @@ For reliability and security, computers should also have a TPM startup PIN that For more information about Network Unlock, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md). -### Require additional authentication at startup +### Require additional authentication at startup This policy setting is used to control which unlock options are available for operating system drives. @@ -272,7 +272,7 @@ There are four options for TPM-enabled computers or devices: - Do not allow TPM startup key with PIN -### Allow enhanced PINs for startup +### Allow enhanced PINs for startup This policy setting permits the use of enhanced PINs when you use an unlock method that includes a PIN. @@ -324,7 +324,7 @@ Not all computers support enhanced PIN characters in the preboot environment. It   -### Configure minimum PIN length for startup +### Configure minimum PIN length for startup This policy setting is used to set a minimum PIN length when you use an unlock method that includes a PIN. 
@@ -371,7 +371,7 @@ This policy setting is used to set a minimum PIN length when you use an unlock m This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits. -### Disallow standard users from changing the PIN or password +### Disallow standard users from changing the PIN or password This policy setting allows you to configure whether standard users are allowed to change the PIN or password that is used to protect the operating system drive. @@ -418,7 +418,7 @@ This policy setting allows you to configure whether standard users are allowed t To change the PIN or password, the user must be able to provide the current PIN or password. This policy setting is applied when you turn on BitLocker. -### Configure use of passwords for operating system drives +### Configure use of passwords for operating system drives This policy controls how non-TPM based systems utilize the password protector. Used in conjunction with the **Password must meet complexity requirements** policy, this policy allows administrators to require password length and complexity for using the password protector. By default, passwords must be eight characters in length. Complexity configuration options determine how important domain connectivity is for the client. For the strongest password security, administrators should choose **Require password complexity** because it requires domain connectivity, and it requires that the BitLocker password meets the same password complexity requirements as domain sign-in passwords. 
@@ -489,7 +489,7 @@ When this policy setting is enabled, you can set the option **Configure password - Require password complexity -### Require additional authentication at startup (Windows Server 2008 and Windows Vista) +### Require additional authentication at startup (Windows Server 2008 and Windows Vista) This policy setting is used to control what unlock options are available for computers running Windows Server 2008 or Windows Vista. @@ -560,7 +560,7 @@ These options are mutually exclusive. If you require the startup key, you must n To hide the advanced page on a TPM-enabled computer or device, set these options to **Do not allow** for the startup key and for the startup PIN. -### Configure use of smart cards on fixed data drives +### Configure use of smart cards on fixed data drives This policy setting is used to require, allow, or deny the use of smart cards with fixed data drives. @@ -614,7 +614,7 @@ These settings are enforced when turning on BitLocker, not when unlocking a driv   -### Configure use of passwords on fixed data drives +### Configure use of passwords on fixed data drives This policy setting is used to require, allow, or deny the use of passwords with fixed data drives. @@ -687,7 +687,7 @@ Passwords cannot be used if FIPS compliance is enabled. The **System cryptograph   -### Configure use of smart cards on removable data drives +### Configure use of smart cards on removable data drives This policy setting is used to require, allow, or deny the use of smart cards with removable data drives. @@ -741,7 +741,7 @@ These settings are enforced when turning on BitLocker, not when unlocking a driv   -### Configure use of passwords on removable data drives +### Configure use of passwords on removable data drives This policy setting is used to require, allow, or deny the use of passwords with removable data drives. 
@@ -812,7 +812,7 @@ Passwords cannot be used if FIPS compliance is enabled. The **System cryptograph For information about this setting, see [System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing](http://technet.microsoft.com/library/jj852211.aspx). -### Validate smart card certificate usage rule compliance +### Validate smart card certificate usage rule compliance This policy setting is used to determine what certificate to use with BitLocker. @@ -868,7 +868,7 @@ BitLocker does not require that a certificate have an EKU attribute; however, if   -### Enable use of BitLocker authentication requiring preboot keyboard input on slates +### Enable use of BitLocker authentication requiring preboot keyboard input on slates This policy setting allows users to enable authentication options that require user input from the preboot environment even if the platform indicates a lack of preboot input capability. @@ -927,7 +927,7 @@ If you do not enable this policy setting, the following options in the **Require - Configure use of passwords for operating system drives -### Deny write access to fixed drives not protected by BitLocker +### Deny write access to fixed drives not protected by BitLocker This policy setting is used to require encryption of fixed drives prior to granting Write access. 
@@ -988,7 +988,7 @@ Conflict considerations include: 3. If this policy setting is enforced, a hard drive cannot be repartitioned because the drive is protected. If you are upgrading computers in your organization from a previous version of Windows, and those computers were configured with a single partition, you should create the required BitLocker system partition before you apply this policy setting to the computers. -### Deny write access to removable drives not protected by BitLocker +### Deny write access to removable drives not protected by BitLocker This policy setting is used to require that removable drives are encrypted prior to granting Write access, and to control whether BitLocker-protected removable drives that were configured in another organization can be opened with Write access. @@ -1048,7 +1048,7 @@ Conflict considerations include: 3. You must enable the **Provide the unique identifiers for your organization** policy setting if you want to deny Write access to drives that were configured in another organization. -### Control use of BitLocker on removable drives +### Control use of BitLocker on removable drives This policy setting is used to prevent users from turning BitLocker on or off on removable data drives. @@ -1107,7 +1107,7 @@ The options for choosing property settings that control how users can configure - **Allow users to suspend and decrypt BitLocker on removable data drives**   Enables the user to remove BitLocker from the drive or to suspend the encryption while performing maintenance. -### Choose drive encryption method and cipher strength +### Choose drive encryption method and cipher strength This policy setting is used to control the encryption method and cipher strength. 
@@ -1163,7 +1163,7 @@ This policy does not apply to encrypted drives. Encrypted drives utilize their o When this policy setting is disabled, BitLocker uses AES with the same bit strength (128-bit or 256-bit) as specified in the policy setting **Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7)**. If neither policy is set, BitLocker uses the default encryption method, AES-128, or the encryption method that is specified in the setup script. -### Configure use of hardware-based encryption for fixed data drives +### Configure use of hardware-based encryption for fixed data drives This policy controls how BitLocker reacts to systems that are equipped with encrypted drives when they are used as fixed data volumes. Using hardware-based encryption can improve the performance of drive operations that involve frequent reading or writing of data to the drive. @@ -1223,7 +1223,7 @@ The encryption algorithm that is used by hardware-based encryption is set when t - AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42 -### Configure use of hardware-based encryption for operating system drives +### Configure use of hardware-based encryption for operating system drives This policy controls how BitLocker reacts when encrypted drives are used as operating system drives. Using hardware-based encryption can improve the performance of drive operations that involve frequent reading or writing of data to the drive. 
@@ -1285,7 +1285,7 @@ The encryption algorithm that is used by hardware-based encryption is set when t - AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42 -### Configure use of hardware-based encryption for removable data drives +### Configure use of hardware-based encryption for removable data drives This policy controls how BitLocker reacts to encrypted drives when they are used as removable data drives. Using hardware-based encryption can improve the performance of drive operations that involve frequent reading or writing of data to the drive. @@ -1347,7 +1347,7 @@ The encryption algorithm that is used by hardware-based encryption is set when t - AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42 -### Enforce drive encryption type on fixed data drives +### Enforce drive encryption type on fixed data drives This policy controls whether fixed data drives utilize Used Space Only encryption or Full encryption. Setting this policy also causes the BitLocker Setup Wizard to skip the encryption options page so no encryption selection displays to the user. @@ -1401,7 +1401,7 @@ This policy is ignored when you are shrinking or expanding a volume and the BitL For more information about the tool to manage BitLocker, see [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx). -### Enforce drive encryption type on operating system drives +### Enforce drive encryption type on operating system drives This policy controls whether operating system drives utilize Full encryption or Used Space Only encryption. Setting this policy also causes the BitLocker Setup Wizard to skip the encryption options page, so no encryption selection displays to the user. 
@@ -1455,7 +1455,7 @@ This policy is ignored when shrinking or expanding a volume, and the BitLocker d For more information about the tool to manage BitLocker, see [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx). -### Enforce drive encryption type on removable data drives +### Enforce drive encryption type on removable data drives This policy controls whether fixed data drives utilize Full encryption or Used Space Only encryption. Setting this policy also causes the BitLocker Setup Wizard to skip the encryption options page, so no encryption selection displays to the user. @@ -1509,7 +1509,7 @@ This policy is ignored when shrinking or expanding a volume, and the BitLocker d For more information about the tool to manage BitLocker, see [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx). -### Choose how BitLocker-protected operating system drives can be recovered +### Choose how BitLocker-protected operating system drives can be recovered This policy setting is used to configure recovery methods for operating system drives. @@ -1574,7 +1574,7 @@ If the **Do not enable BitLocker until recovery information is stored in AD DS   -### Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista) +### Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista) This policy setting is used to configure recovery methods for BitLocker-protected drives on computers running Windows Server 2008 or Windows Vista. 
@@ -1637,7 +1637,7 @@ To prevent data loss, you must have a way to recover BitLocker encryption keys.   -### Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista) +### Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista) This policy setting is used to configure the storage of BitLocker recovery information in AD DS. This provides an administrative method of recovering data that is encrypted by BitLocker to prevent data loss due to lack of key information. @@ -1700,7 +1700,7 @@ For more information about this setting, see [TPM Group Policy settings](trusted If you are using domain controllers running Windows Server 2003 with Service Pack 1, you must first set up appropriate schema extensions and access control settings on the domain before a backup to AD DS can succeed. For more info, see [Backup the TPM recovery Information to AD DS](backup-thetpm-recovery-information-to-ad-ds.md). -### Choose default folder for recovery password +### Choose default folder for recovery password This policy setting is used to configure the default folder for recovery passwords. @@ -1752,7 +1752,7 @@ This policy setting does not prevent the user from saving the recovery password   -### Choose how BitLocker-protected fixed drives can be recovered +### Choose how BitLocker-protected fixed drives can be recovered This policy setting is used to configure recovery methods for fixed data drives. 
@@ -1808,7 +1808,7 @@ Select **Omit recovery options from the BitLocker setup wizard** to prevent user In **Save BitLocker recovery information to Active Directory Doman Services**, choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select **Backup recovery password and key package**, the BitLocker recovery password and the key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. To recover this data, you can use the **Repair-bde** command-line tool. If you select **Backup recovery password only**, only the recovery password is stored in AD DS. -For more information about the BitLocker repair tool, see [Repair-bde](534dca1a-05f7-4ea8-ac24-4fe5f14f988a). +For more information about the BitLocker repair tool, see [Repair-bde](http://technet.microsoft.com/library/ff829851.aspx). Select the **Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. @@ -1817,7 +1817,7 @@ If the **Do not enable BitLocker until recovery information is stored in AD DS   -### Choose how BitLocker-protected removable drives can be recovered +### Choose how BitLocker-protected removable drives can be recovered This policy setting is used to configure recovery methods for removable data drives. @@ -1880,7 +1880,7 @@ If the **Do not enable BitLocker until recovery information is stored in AD DS   -### Configure the pre-boot recovery message and URL +### Configure the pre-boot recovery message and URL This policy setting is used to configure the entire recovery message and to replace the existing URL that is displayed on the pre-boot recovery screen when the operating system drive is locked. 
@@ -1945,7 +1945,7 @@ Because you can alter the BCDEdit commands manually before you have set Group Po   -### Allow Secure Boot for integrity validation +### Allow Secure Boot for integrity validation This policy controls how BitLocker-enabled system volumes are handled in conjunction with the Secure Boot feature. Enabling this feature forces Secure Boot validation during the boot process and verifies Boot Configuration Data (BCD) settings according to the Secure Boot policy. @@ -1974,7 +1974,7 @@ This policy controls how BitLocker-enabled system volumes are handled in conjunc

Conflicts

If the Configure TPM platform validation profile for native UEFI firmware configurations Group Policy setting is enabled and PCR 7 is omitted, BitLocker is prevented from using Secure Boot for platform or BCD integrity validation.

-

For more information about PCR 7, see [Platform Configuration Register (PCR)](#BKMK_PCR) in this topic.

+

For more information about PCR 7, see [Platform Configuration Register (PCR)](#bkmk-pcr) in this topic.

When enabled or not configured

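Review bot: the retargeted link `[Platform Configuration Register (PCR)](#bkmk-pcr)` only resolves if an explicit anchor with id `bkmk-pcr` exists in this file; the only PCR heading visible in the patch is `## About the Platform Configuration Register (PCR)`, and the slug a markdown renderer generates from that heading is not `bkmk-pcr`. The same applies to every `#BKMK_…` to `#bkmk-…` rename in this patch (`secboot`, `depopt1`, `tpmbios` and the rest): none of the hunks touch an anchor definition, so please confirm the anchors were already renamed to the lowercase hyphenated form, or add them, otherwise this hunk replaces one dead link with another.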
@@ -2000,7 +2000,7 @@ Enabling this policy might result in BitLocker recovery when manufacturer-specif   -### Provide the unique identifiers for your organization +### Provide the unique identifiers for your organization This policy setting is used to establish an identifier that is applied to all drives that are encrypted in your organization. @@ -2059,7 +2059,7 @@ When a BitLocker-protected drive is mounted on another BitLocker-enabled compute Multiple values separated by commas can be entered in the identification and allowed identification fields. The identification field can be any value up to 260 characters. -### Prevent memory overwrite on restart +### Prevent memory overwrite on restart This policy setting is used to control whether the computer's memory will be overwritten the next time the computer is restarted. @@ -2106,7 +2106,7 @@ This policy setting is used to control whether the computer's memory will be ove This policy setting is applied when you turn on BitLocker. BitLocker secrets include key material that is used to encrypt data. This policy setting applies only when BitLocker protection is enabled. -### Configure TPM platform validation profile for BIOS-based firmware configurations +### Configure TPM platform validation profile for BIOS-based firmware configurations This policy setting determines what values the TPM measures when it validates early boot components before it unlocks an operating system drive on a computer with a BIOS configuration or with UEFI firmware that has the Compatibility Support Module (CSM) enabled. 
@@ -2207,7 +2207,7 @@ The following list identifies all of the PCRs available: - PCR 12-23: Reserved for future use -### Configure TPM platform validation profile (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2) +### Configure TPM platform validation profile (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2) This policy setting determines what values the TPM measures when it validates early boot components before unlocking a drive on a computer running Windows Vista, Windows Server 2008, or Windows 7. @@ -2308,7 +2308,7 @@ Changing from the default platform validation profile affects the security and m   -### Configure TPM platform validation profile for native UEFI firmware configurations +### Configure TPM platform validation profile for native UEFI firmware configurations This policy setting determines what values the TPM measures when it validates early boot components before unlocking an operating system drive on a computer with native UEFI firmware configurations. @@ -2338,7 +2338,7 @@ This policy setting determines what values the TPM measures when it validates ea

Conflicts

Setting this policy with PCR 7 omitted, overrides the Allow Secure Boot for integrity validation Group Policy setting, and it prevents BitLocker from using Secure Boot for platform or Boot Configuration Data (BCD) integrity validation.

If your environments use TPM and Secure Boot for platform integrity checks, this policy should not be configured.

-

For more information about PCR 7, see [Platform Configuration Register (PCR)](#BKMK_PCR) in this topic.

+

For more information about PCR 7, see [Platform Configuration Register (PCR)](#bkmk-pcr) in this topic.

When enabled

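Review bot: the unchanged context line `Setting this policy with PCR 7 omitted, overrides the Allow Secure Boot for integrity validation Group Policy setting, ...` has a stray comma between subject and verb; since the hunk already rewrites the link two lines below, drop the comma while here. It would also help the reader to state the positive rule the two sentences imply: if this validation profile is configured at all on a Secure Boot system, PCR 7 must stay in the list, otherwise Secure Boot validation is lost and `Allow Secure Boot for integrity validation` is overridden.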
@@ -2382,7 +2382,7 @@ The following list identifies all of the PCRs available: - PCR 7: Secure Boot State - For more information about this PCR, see [Platform Configuration Register (PCR)](#BKMK_PCR) in this topic. + For more information about this PCR, see [Platform Configuration Register (PCR)](#bkmk-pcr) in this topic. - PCR 8: Initialized to 0 with no Extends (reserved for future use) @@ -2405,7 +2405,7 @@ Changing from the default platform validation profile affects the security and m   -### Reset platform validation data after BitLocker recovery +### Reset platform validation data after BitLocker recovery This policy setting determines if you want platform validation data to refresh when Windows is started following a BitLocker recovery. A platform validation data profile consists of the values in a set of Platform Configuration Register (PCR) indices that range from 0 to 23. @@ -2456,7 +2456,7 @@ This policy setting determines if you want platform validation data to refresh w For more information about the recovery process, see the [BitLocker recovery guide](bitlocker-recovery-guide-plan.md). -### Use enhanced Boot Configuration Data validation profile +### Use enhanced Boot Configuration Data validation profile This policy setting determines specific Boot Configuration Data (BCD) settings to verify during platform validation. A platform validation uses the data in the platform validation profile, which consists of a set of Platform Configuration Register (PCR) indices that range from 0 to 23. @@ -2510,7 +2510,7 @@ The setting that controls boot debugging (0x16000010) is always validated, and i   -### Allow access to BitLocker-protected fixed data drives from earlier versions of Windows +### Allow access to BitLocker-protected fixed data drives from earlier versions of Windows This policy setting is used to control whether access to drives is allowed by using the BitLocker To Go Reader, and if the application is installed on the drive. 
@@ -2562,7 +2562,7 @@ This policy setting does not apply to drives that are formatted with the NTFS fi When this policy setting is enabled, select the **Do not install BitLocker To Go Reader on FAT formatted fixed drives** check box to help prevent users from running BitLocker To Go Reader from their fixed drives. If BitLocker To Go Reader (bitlockertogo.exe) is present on a drive that does not have an identification field specified, or if the drive has the same identification field as specified in the **Provide unique identifiers for your organization** policy setting, the user is prompted to update BitLocker, and BitLocker To Go Reader is deleted from the drive. In this situation, for the fixed drive to be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2, BitLocker To Go Reader must be installed on the computer. If this check box is not selected, BitLocker To Go Reader will be installed on the fixed drive to enable users to unlock the drive on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2. -### Allow access to BitLocker-protected removable data drives from earlier versions of Windows +### Allow access to BitLocker-protected removable data drives from earlier versions of Windows This policy setting controls access to removable data drives that are using the BitLocker To Go Reader and whether the BitLocker To Go Reader can be installed on the drive. @@ -2681,7 +2681,7 @@ You can use disable the following Group Policy settings, which are located in ** - Allow Standby States (S1-S3) When Sleeping (Battery) -## About the Platform Configuration Register (PCR) +## About the Platform Configuration Register (PCR) A platform validation profile consists of a set of PCR indices that range from 0 to 23. The scope of the values can be specific to the version of the operating system. 
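Review bot: in the hunk at `@@ -1808,7 +1808,7 @@`, the replacement link `[Repair-bde](http://technet.microsoft.com/library/ff829851.aspx)` uses `http://`, whereas the neighbouring `[Manage-bde](https://technet.microsoft.com/library/ff829849.aspx)` links in the same file already use `https://`; use `https://` here too so the reference is fetched over TLS and the file is consistent. The same hunk's unchanged context has `Active Directory Doman Services`, which should read `Domain`.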
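Review bot: under `### Enforce drive encryption type on removable data drives` (hunk `@@ -1455,7 +1455,7 @@`), the unchanged first sentence still says `This policy controls whether fixed data drives utilize Full encryption or Used Space Only encryption.`; it should say removable data drives, matching the heading and the parallel fixed-drive and operating-system-drive sections. Since this patch only trims trailing whitespace from the heading, it is the right moment to correct the copy-paste error.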
diff --git a/windows/keep-secure/bitlocker-how-to-deploy-on-windows-server-2012.md b/windows/keep-secure/bitlocker-how-to-deploy-on-windows-server-2012.md index 93c25efc21..cb131c18d0 100644 --- a/windows/keep-secure/bitlocker-how-to-deploy-on-windows-server-2012.md +++ b/windows/keep-secure/bitlocker-how-to-deploy-on-windows-server-2012.md @@ -19,7 +19,7 @@ This topic for the IT professional explains how to deploy BitLocker and Windows For all Windows Server editions, BitLocker must be installed using Server Manager. However, you can still provision BitLocker before the server operating system is installed as part of your deployment. -## Installing BitLocker +## Installing BitLocker BitLocker requires administrator privileges on the server to install. You can install BitLocker either by using Server Manager or Windows PowerShell cmdlets. @@ -28,7 +28,7 @@ BitLocker requires administrator privileges on the server to install. You can in - To install BitLocker using Windows PowerShell -### To install BitLocker using Server Manager +### To install BitLocker using Server Manager 1. Open Server Manager by selecting the Server Manager icon or running servermanager.exe. 
@@ -53,7 +53,7 @@ BitLocker requires administrator privileges on the server to install. You can in 9. If the **Restart the destination server automatically if required** check box is not selected, the **Results pane** of the **Add Roles and Features Wizard** will display the success or failure of the BitLocker feature installation. If required, a notification of additional action necessary to complete the feature installation, such as the restart of the computer, will be displayed in the results text. -### To install BitLocker using Windows PowerShell +### To install BitLocker using Windows PowerShell Windows PowerShell offers administrators another option for BitLocker feature installation. Windows PowerShell installs features using the `servermanager` or `dism` module; however, the `servermanager` and `dism` modules do not always share feature name parity. Because of this, it is advisable to confirm the feature or role name prior to installation. diff --git a/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md b/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md index a4e88ed7b3..474590f953 100644 --- a/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md +++ b/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md 
@@ -25,23 +25,23 @@ Network Unlock allows BitLocker-enabled systems with TPM+PIN and that meet the h This topic contains: -- [Network Unlock core requirements](#BKMK_NUnlockCoreReqs) +- [Network Unlock core requirements](#bkmk-nunlockcorereqs) -- [Network Unlock sequence](#BKMK_NetworkUnLockSeq) +- [Network Unlock sequence](#bkmk-networkunlockseq) -- [Configure Network Unlock](#BKMK_ConfiguringNetworkUnlock) +- [Configure Network Unlock](#bkmk-configuringnetworkunlock) -- [Create the certificate template for Network Unlock](#BKMK_CreateCertTmpl) +- [Create the certificate template for Network Unlock](#bkmk-createcerttmpl) -- [Turning off Network Unlock](#BKMK_TurnOffNetworkUnlock) +- [Turning off Network Unlock](#bkmk-turnoffnetworkunlock) -- [Update Network Unlock certificates](#BKMK_UpdateCerts) +- [Update Network Unlock certificates](#bkmk-updatecerts) -- [Troubleshoot Network Unlock](#BKMK_Troubleshoot) +- [Troubleshoot Network Unlock](#bkmk-troubleshoot) -- [Configure Network Unlock on unsupported systems](#BKMK_UnsupportedSystems) +- [Configure Network Unlock on unsupported systems](#bkmk-unsupportedsystems) -## Network Unlock core requirements +## Network Unlock core requirements Network Unlock must meet mandatory hardware and software requirements before the feature can automatically unlock domain joined systems. These requirements include: 
@@ -75,7 +75,7 @@ Network Unlock requires Windows Deployment Services (WDS) in the environment whe The network key is stored on the system drive along with an AES 256 session key, and encrypted with the 2048-bit RSA public key of the unlock server's certificate. The network key is decrypted with the help of a provider on a supported version of Windows Server running WDS, and returned encrypted with its corresponding session key. -## Network Unlock sequence +## Network Unlock sequence The unlock sequence starts on the client side, when the Windows boot manager detects the existence of Network Unlock protector. It leverages the DHCP driver in UEFI to obtain an IP address for IPv4 and then broadcasts a vendor-specific DHCP request that contains the network key and a session key for the reply, all encrypted by the server's Network Unlock certificate, as described above. The Network Unlock provider on the supported WDS server recognizes the vendor-specific request, decrypts it with the RSA private key, and returns the network key encrypted with the session key via its own vendor-specific DHCP reply. @@ -106,12 +106,12 @@ The server side configuration to enable Network Unlock also requires provisionin 9. Windows continues the boot sequence. -## Configure Network Unlock +## Configure Network Unlock The following steps allow an administrator to configure Network Unlock in a domain where the Domain Functional Level is at least Windows Server 2012. -### Step One: Install the WDS Server role +### Step One: Install the WDS Server role The BitLocker Network Unlock feature will install the WDS role if it is not already installed. If you want to install it separately before you install BitLocker Network Unlock you can use Server Manager or Windows PowerShell. To install the role using Server Manager, select the **Windows Deployment Services** role in Server Manager. 
@@ -123,7 +123,7 @@ Install-WindowsFeature WDS-Deployment You must configure the WDS server so that it can communicate with DHCP (and optionally Active Directory Doman Services) and the client computer. You can do using the WDS management tool, wdsmgmt.msc, which starts the Windows Deployment Services Configuration Wizard. -### Step Two: Confirm the WDS Service is running +### Step Two: Confirm the WDS Service is running To confirm the WDS service is running, use the Services Management Console or Windows PowerShell. To confirm the service is running in Services Management Console, open the console using **services.msc** and check the status of the Windows Deployment Services service. @@ -133,7 +133,7 @@ To confirm the service is running using Windows PowerShell, use the following co Get-Service WDSServer ``` -### Step Three: Install the Network Unlock feature +### Step Three: Install the Network Unlock feature To install the Network Unlock feature, use Server Manager or Windows PowerShell. To install the feature using Server Manager, select the **BitLocker Network Unlock** feature in the Server Manager console. @@ -143,7 +143,7 @@ To install the feature using Windows PowerShell, use the following command: Install-WindowsFeature BitLocker-NetworkUnlock ``` -### Step Four: Create the Network Unlock certificate +### Step Four: Create the Network Unlock certificate Network Unlock can use imported certificates from an existing PKI infrastructure, or you can use a self-signed certificate. 
@@ -218,7 +218,7 @@ To create a self-signed certificate, do the following: 6. Create a .pfx file by opening the **Certificates – Current User\\Personal\\Certificates** path in the navigation pane, right-clicking the previously imported certificate, selecting **All Tasks**, then **Export**. Follow through the wizard to create the .pfx file. -### Step Five: Deploy the private key and certificate to the WDS server +### Step Five: Deploy the private key and certificate to the WDS server With the certificate and key created, deploy them to the infrastructure to properly unlock systems. To deploy the certificates, do the following: @@ -268,7 +268,7 @@ Only one network unlock certificate can be available at a time. If a new certifi   -### Step Seven: Require TPM+PIN protectors at startup +### Step Seven: Require TPM+PIN protectors at startup An additional step is for enterprises to use TPM+PIN protectors for an extra level of security. To require TPM+PIN protectors in an environment, do the following: @@ -278,7 +278,7 @@ An additional step is for enterprises to use TPM+PIN protectors for an extra lev 3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers -### Create the certificate template for Network Unlock +### Create the certificate template for Network Unlock The following steps detail how to create a certificate template for use with BitLocker Network Unlock. A properly configured Active Directory Services Certification Authority can use this certificate to create and issue Network Unlock certificates. 
@@ -362,7 +362,7 @@ SUBNET3 To disallow the use of a certificate altogether, its subnet list may contain the line “DISABLED". -### Turning off Network Unlock +### Turning off Network Unlock To turn off the unlock server, the PXE provider can be unregistered from the WDS server or uninstalled altogether. However, to stop clients from creating Network Unlock protectors the **Allow Network Unlock at startup** Group Policy setting should be disabled. When this policy setting is updated to disabled on client computers any Network Unlock key protectors on the computer will be deleted. Alternatively, the BitLocker Network Unlock certificate policy can be deleted on the domain controller to accomplish the same task for an entire domain. @@ -371,11 +371,11 @@ Removing the FVENKP certificate store that contains the Network Unlock certifica   -### Update Network Unlock certificates +### Update Network Unlock certificates To update the certificates used by Network Unlock, administrators need to import or generate the new certificate for the server and then update the Network Unlock certificate Group Policy setting on the domain controller. -## Troubleshoot Network Unlock +## Troubleshoot Network Unlock Troubleshooting Network Unlock issues begins by verifying the environment. Many times, a small configuration issue will be the root cause of the failure. Items to verify include: @@ -425,7 +425,7 @@ Files to gather when troubleshooting BitLocker Network Unlock include: 4. Network Monitor capture on the server hosting the WDS role, filtered by client IP address -## Configure Network Unlock Group Policy settings on earlier versions +## Configure Network Unlock Group Policy settings on earlier versions Network Unlock and the accompanying Group Policy settings were introduced in Windows Server 2012 but can be deployed using operating systems running Windows Server 2008 R2 and Windows Server 2008. 
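Review bot: the unchanged context of the `### Step One: Install the WDS Server role` hunk (`@@ -123,7 +123,7 @@`) reads `... DHCP (and optionally Active Directory Doman Services) and the client computer. You can do using the WDS management tool, wdsmgmt.msc, ...`: `Doman` should be `Domain` and `You can do using` is missing `this`. Both are one-word fixes adjacent to the lines being changed.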
@@ -438,15 +438,15 @@ Network Unlock and the accompanying Group Policy settings were introduced in Win The following steps can be used to configure Network Unlock on these older systems. -1. [Step One: Install the WDS Server role](#BKMK_StepOne) +1. [Step One: Install the WDS Server role](#bkmk-stepone) -2. [Step Two: Confirm the WDS Service is running](#BKMK_StepTwo) +2. [Step Two: Confirm the WDS Service is running](#bkmk-steptwo) -3. [Step Three: Install the Network Unlock feature](#BKMK_StepThree) +3. [Step Three: Install the Network Unlock feature](#bkmk-stepthree) -4. [Step Four: Create the Network Unlock certificate](#BKMK_StepFour) +4. [Step Four: Create the Network Unlock certificate](#bkmk-stepfour) -5. [Step Five: Deploy the private key and certificate to the WDS server](#BKMK_StepFive) +5. [Step Five: Deploy the private key and certificate to the WDS server](#bkmk-stepfive) 6. **Step Six: Configure registry settings for Network Unlock** @@ -464,13 +464,13 @@ The following steps can be used to configure Network Unlock on these older syste reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKeyPIN /t REG_DWORD /d 2 /f ``` -7. [Create the Network Unlock certificate](#BKMK_StepFour) +7. [Create the Network Unlock certificate](#bkmk-stepfour) -8. [Deploy the private key and certificate to the WDS server](#BKMK_StepFive) +8. [Deploy the private key and certificate to the WDS server](#bkmk-stepfive) -9. [Create the certificate template for Network Unlock](#BKMK_CreateCertTmpl) +9. [Create the certificate template for Network Unlock](#bkmk-createcerttmpl) -10. [Require TPM+PIN protectors at startup](#BKMK_StepSeven) +10. [Require TPM+PIN protectors at startup](#bkmk-stepseven) ## See also diff --git a/windows/keep-secure/bitlocker-overview-roletech-overview.md b/windows/keep-secure/bitlocker-overview-roletech-overview.md index 8a317f3e7e..7f2991b171 100644 --- a/windows/keep-secure/bitlocker-overview-roletech-overview.md 
+++ b/windows/keep-secure/bitlocker-overview-roletech-overview.md @@ -17,7 +17,7 @@ author: brianlic-msft This topic provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features. -## +## BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. @@ -28,7 +28,7 @@ On computers that do not have a TPM version 1.2 or later, you can still use BitL In addition to the TPM, BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable device, such as a USB flash drive, that contains a startup key. These additional security measures provide multifactor authentication and assurance that the computer will not start or resume from hibernation until the correct PIN or startup key is presented. -## Practical applications +## Practical applications Data on a lost or stolen computer is vulnerable to unauthorized access, either by running a software-attack tool against it or by transferring the computer's hard disk to a different computer. BitLocker helps mitigate unauthorized data access by enhancing file and system protections. BitLocker also helps render data inaccessible when BitLocker-protected computers are decommissioned or recycled. 
@@ -41,7 +41,7 @@ There are two additional tools in the Remote Server Administration Tools, which - **BitLocker Drive Encryption Tools**. BitLocker Drive Encryption Tools include the command-line tools, manage-bde and repair-bde, and the BitLocker cmdlets for Windows PowerShell. Both manage-bde and the BitLocker cmdlets can be used to perform any task that can be accomplished through the BitLocker control panel, and they are appropriate to use for automated deployments and other scripting scenarios. Repair-bde is provided for disaster recovery scenarios in which a BitLocker protected drive cannot be unlocked normally or by using the recovery console. -## New and changed functionality +## New and changed functionality To find out what's new in BitLocker for Windows 10, see [What's new in BitLocker?](../whats-new/bitlocker.md) diff --git a/windows/keep-secure/bitlocker-recovery-guide-plan.md b/windows/keep-secure/bitlocker-recovery-guide-plan.md index 6d03bf066c..cbea802779 100644 --- a/windows/keep-secure/bitlocker-recovery-guide-plan.md +++ b/windows/keep-secure/bitlocker-recovery-guide-plan.md 
@@ -25,19 +25,19 @@ This article does not detail how to configure AD DS to store the BitLocker reco This article contains the following topics: -- [What Is BitLocker Recovery?](#BKMK_WhatIsRecovery) +- [What Is BitLocker Recovery?](#bkmk-whatisrecovery) -- [Testing Recovery](#BKMK_TestingRecovery) +- [Testing Recovery](#bkmk-testingrecovery) -- [Planning Your Recovery Process](#BKMK_PlanningRecovery) +- [Planning Your Recovery Process](#bkmk-planningrecovery) -- [Using Additional Recovery Information](#BKMK_UsingAddRecovery) +- [Using Additional Recovery Information](#bkmk-usingaddrecovery) -- [Resetting Recovery Passwords](#BKMK_AppendixB) +- [Resetting Recovery Passwords](#bkmk-appendixb) -- [Retrieving the BitLocker Key Package](#BKMK_AppendixC) +- [Retrieving the BitLocker Key Package](#bkmk-appendixc) -## What is BitLocker recovery? +## What is BitLocker recovery? BitLocker recovery is the process by which you can restore access to a BitLocker-protected drive in the event that you cannot unlock the drive normally. In a recovery scenario you have the following options to restore access to the drive: 
@@ -138,7 +138,7 @@ If software maintenance requires the computer be restarted and you are using two Recovery has been described within the context of unplanned or undesired behavior, but you can also cause recovery as an intended production scenario, in order to manage access control. For example, when you redeploy desktop or laptop computers to other departments or employees in your enterprise, you can force BitLocker into recovery before the computer is given to a new user. -## Testing recovery +## Testing recovery Before you create a thorough BitLocker recovery process, we recommend that you test how the recovery process works for both end users (people who call your helpdesk for the recovery password) and administrators (people who help the end user get the recovery password). The –forcerecovery command of manage-bde is an easy way for you to step through the recovery process before your users encounter a recovery situation. @@ -164,7 +164,7 @@ Before you create a thorough BitLocker recovery process, we recommend that you t   -## Planning your recovery process +## Planning your recovery process When planning the BitLocker recovery process, first consult your organization's current best practices for recovering sensitive information. For example: How does your enterprise handle lost Windows passwords? How does your organization perform smart card PIN resets? You can use these best practices and related resources (people and tools) to help formulate a BitLocker recovery model. 
@@ -177,19 +177,19 @@ When you determine your recovery process, you should: - Become familiar with how you can retrieve the recovery password. See: - - [Self-recovery](#BKMK_SelfRecovery) + - [Self-recovery](#bkmk-selfrecovery) - - [Recovery password retrieval](#BKMK_RecoveryRetrieval) + - [Recovery password retrieval](#bkmk-recoveryretrieval) - Determine a series of steps for post-recovery, including analyzing why the recovery occurred and resetting the recovery password. See: - - [Post-recovery analysis](#BKMK_PlanningPostRecovery) + - [Post-recovery analysis](#bkmk-planningpostrecovery) -### Self-recovery +### Self-recovery In some cases, users might have the recovery password in a printout or a USB flash drive and can perform self-recovery. We recommend that your organization create a policy for self-recovery. If self-recovery includes using a password or recovery key stored on a USB flash drive, the users should be warned not to store the USB flash drive in the same place as the PC, especially during travel, for example if both the PC and the recovery items are in the same bag it would be very easy for access to be gained to the PC by an unauthorized user. Another policy to consider is having users contact the Helpdesk before or after performing self-recovery so that the root cause can be identified. -### Recovery password retrieval +### Recovery password retrieval If the user does not have a recovery password in a printout or on a USB flash drive, the user will need to be able to retrieve the recovery password from an online source. If the PC is a member of a domain the recovery password can be backed up to AD DS. However, this does not happen by default, you must have configured the appropriate Group Policy settings before BitLocker was enabled on the PC. 
BitLocker Group Policy settings can be found in the Local Group Policy Editor or the Group Policy Management Console (GPMC) under **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption**. The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive if an authentication method fails or is unable to be used. 
@@ -210,25 +210,25 @@ The BitLocker Recovery Password Viewer for Active Directory Users and Computers You can use the following list as a template for creating your own recovery process for recovery password retrieval. This sample process uses the BitLocker Recovery Password Viewer for Active Directory Users and Computers tool. -- [Record the name of the user's computer](#BKMK_RecordComputerName) +- [Record the name of the user's computer](#bkmk-recordcomputername) -- [Verify the user's identity](#BKMK_VerifyIdentity) +- [Verify the user's identity](#bkmk-verifyidentity) -- [Locate the recovery password in AD DS](#BKMK_LocatePassword) +- [Locate the recovery password in AD DS](#bkmk-locatepassword) -- [Gather information to determine why recovery occurred](#BKMK_GatherInfo) +- [Gather information to determine why recovery occurred](#bkmk-gatherinfo) -- [Give the user the recovery password](#BKMK_GivePassword) +- [Give the user the recovery password](#bkmk-givepassword) -### Record the name of the user's computer +### Record the name of the user's computer You can use the name of the user's computer to locate the recovery password in AD DS. If the user does not know the name of the computer, ask the user to read the first word of the **Drive Label** in the **BitLocker Drive Encryption Password Entry** user interface. This is the computer name when BitLocker was enabled and is probably the current name of the computer. -### Verify the user's identity +### Verify the user's identity You should verify that the person that is asking for the recovery password is truly the authorized user of that computer. You may also wish to verify that the computer with the name the user provided belongs to the user. -### Locate the recovery password in AD DS +### Locate the recovery password in AD DS Locate the Computer object with the matching name in AD DS. 
Because Computer object names are listed in the AD DS global catalog, you should be able to locate the object even if you have a multi-domain forest. @@ -240,11 +240,11 @@ If at any time you are unsure what password to provide, or if you think you migh Since the password ID is a unique value that is associated with each recovery password stored in AD DS, running a query using this ID will find the correct password to unlock the encrypted volume. -### Gather information to determine why recovery occurred +### Gather information to determine why recovery occurred -Before you give the user the recovery password, you should gather any information that will help determine why the recovery was needed, in order to analyze the root cause during the post-recovery analysis. For more info about post-recovery analysis, see [Post-recovery analysis](#BKMK_PlanningPostRecovery). +Before you give the user the recovery password, you should gather any information that will help determine why the recovery was needed, in order to analyze the root cause during the post-recovery analysis. For more info about post-recovery analysis, see [Post-recovery analysis](#bkmk-planningpostrecovery). -### Give the user the recovery password +### Give the user the recovery password Because the recovery password is 48 digits long the user may need to record the password by writing it down or typing it on a different computer. If you are using MBAM, the recovery password will be regenerated after it is recovered from the MBAM database to avoid the security risks associated with an uncontrolled password. 
@@ -253,17 +253,17 @@ Because the 48-digit recovery password is long and contains a combination of dig   -### Post-recovery analysis +### Post-recovery analysis When a volume is unlocked using a recovery password, an event is written to the event log and the platform validation measurements are reset in the TPM to match the current configuration. Unlocking the volume means that the encryption key has been released and is ready for on-the-fly encryption when data is written to the volume, and on-the-fly decryption when data is read from the volume. After the volume is unlocked, BitLocker behaves the same way, regardless of how the access was granted. If you notice that a computer is having repeated recovery password unlocks, you might want to have an administrator can perform post-recovery analysis to determine the root cause of the recovery and refresh BitLocker platform validation so that the user no longer needs to enter a recovery password each time that the computer starts up. See: -- [Determine the root cause of the recovery](#BKMK_DetermineCause) +- [Determine the root cause of the recovery](#bkmk-determinecause) -- [Refresh BitLocker protection](#BKMK_RefreshProtection) +- [Refresh BitLocker protection](#bkmk-refreshprotection) -### Determine the root cause of the recovery +### Determine the root cause of the recovery If a user needed to recover the drive, it is important to determine the root cause that initiated the recovery as soon as possible. Properly analyzing the state of the computer and detecting tampering may reveal threats that have broader implications for enterprise security. 
@@ -285,7 +285,7 @@ Review and answer the following questions for your organization: To help you answer these questions, use the BitLocker command-line tool to view the current configuration and protection mode (for example, **manage-bde -status**). Scan the event log to find events that help indicate why recovery was initiated (for example, if boot file change occurred). Both of these capabilities can be performed remotely. -### Resolve the root cause +### Resolve the root cause After you have identified what caused recovery, you can reset BitLocker protection and avoid recovery on every startup. @@ -296,13 +296,13 @@ You can perform a BitLocker validation profile reset by suspending and resuming   -- [Unknown PIN](#BKMK_UnknownPIN) +- [Unknown PIN](#bkmk-unknownpin) -- [Lost startup key](#BKMK_LostStartup) +- [Lost startup key](#bkmk-loststartup) -- [Changes to boot files](#BKMK_ChangeBootKnown) +- [Changes to boot files](#bkmk-changebootknown) -### Unknown PIN +### Unknown PIN If a user has forgotten the PIN, you must reset the PIN while you are logged on to the computer in order to prevent BitLocker from initiating recovery each time the computer is restarted. @@ -322,7 +322,7 @@ If a user has forgotten the PIN, you must reset the PIN while you are logged on 3. You will use the new PIN the next time you unlock the drive. -### Lost startup key +### Lost startup key If you have lost the USB flash drive that contains the startup key, then you must unlock the drive by using the recovery key and then create a new startup key. 
@@ -334,7 +334,7 @@ If you have lost the USB flash drive that contains the startup key, then you mus 3. Click **Duplicate start up key**, insert the clean USB drive on which you are going to write the key and then click **Save**. -### Changes to boot files +### Changes to boot files This error might occur if you updated the firmware. As a best practice you should suspend BitLocker before making changes the firmware and then resume protection after the update has completed. This prevents the computer from going into recovery mode. However if changes were made when BitLocker protection was on you can simply log on to the computer using the recovery password and the platform validation profile will be updated so that recovery will not occur the next time. 
@@ -343,7 +343,7 @@ This error might occur if you updated the firmware. As a best practice you shoul Windows Recovery Environment (RE) can be used to recover access to a drive protected by BitLocker or by Device Encryption. If a PC is unable to boot after two failures, Startup Repair will automatically start. When Startup Repair is launched automatically due to boot failures, it will only execute operating system and driver file repairs, provided that the boot logs or any available crash dump point to a specific corrupted file. In Windows 8.1 and later, devices that include firmware to support specific TPM measurements for PCR\[7\] the TPM can validate that Windows RE is a trusted operating environment and will unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example the TPM has been disabled, the drives will stay locked until the BitLocker recovery key is provided. If Startup Repair is not able to be run automatically from the PC and instead Windows RE is manually started from a repair disk, the BitLocker recovery key must be provided to unlock the BitLocker–protected drives. -## Using additional recovery information +## Using additional recovery information Besides the 48-digit BitLocker recovery password, other types of recovery information are stored in Active Directory. This section describes how this additional information can be used. 
@@ -357,9 +357,9 @@ You must use the BitLocker Repair tool **repair-bde** to use the BitLocker key p   -The BitLocker key package is not saved by default. To save the package along with the recovery password in AD DS you must select the **Backup recovery password and key package** option in the Group Policy settings that control the recovery method. You can also export the key package from a working volume. For more details on how to export key packages, see [Retrieving the BitLocker Key Package](#BKMK_AppendixC). +The BitLocker key package is not saved by default. To save the package along with the recovery password in AD DS you must select the **Backup recovery password and key package** option in the Group Policy settings that control the recovery method. You can also export the key package from a working volume. For more details on how to export key packages, see [Retrieving the BitLocker Key Package](#bkmk-appendixc). -## Resetting recovery passwords +## Resetting recovery passwords You should invalidate a recovery password after it has been provided and used. It should also be done when you intentionally want to invalidate an existing recovery password for any reason. @@ -524,10 +524,10 @@ WScript.Echo "A new recovery password has been added. Old passwords have been re 'WScript.Echo "Type ""manage-bde -protectors -get " & strDriveLetter & " -type recoverypassword"" to view existing passwords." ``` -## Retrieving the BitLocker key package +## Retrieving the BitLocker key package -You can use two methods to retrieve the key package, as described in [Using Additional Recovery Information](#BKMK_UsingAddRecovery): +You can use two methods to retrieve the key package, as described in [Using Additional Recovery Information](#bkmk-usingaddrecovery): - **Export a previously-saved key package from AD DS.** You must have Read access to BitLocker recovery passwords that are stored in AD DS. 
diff --git a/windows/keep-secure/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/keep-secure/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md index de7f07551f..4878243ac6 100644 --- a/windows/keep-secure/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md +++ b/windows/keep-secure/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md @@ -23,13 +23,13 @@ Both manage-bde and the BitLocker cmdlets can be used to perform any task that c Repair-bde is a special circumstance tool that is provided for disaster recovery scenarios in which a BitLocker protected drive cannot be unlocked normally or using the recovery console. -1. [Manage-bde](#BKMK_managebde) +1. [Manage-bde](#bkmk-managebde) -2. [Repair-bde](#BKMK_repairbde) +2. [Repair-bde](#bkmk-repairbde) -3. [BitLocker cmdlets for Windows PowerShell](#BKMK_blcmdlets) +3. [BitLocker cmdlets for Windows PowerShell](#bkmk-blcmdlets) -## Manage-bde +## Manage-bde Manage-bde is a command-line tool that can be used for scripting BitLocker operations. Manage-bde offers additional options not displayed in the BitLocker control panel. For a complete list of the manage-bde options, see the [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx) command-line reference. @@ -91,7 +91,7 @@ manage-bde -protectors -add -pw C: manage-bde -on C: ``` -## Repair-bde +## Repair-bde You may experience a problem that damages an area of a hard disk on which BitLocker stores critical information. This kind of problem may be caused by a hard disk failure or if Windows exits unexpectedly. 
@@ -124,7 +124,7 @@ The following limitations exist for Repair-bde: For more information about using repair-bde see [Repair-bde](http://technet.microsoft.com/library/ff829851.aspx) -## BitLocker cmdlets for Windows PowerShell +## BitLocker cmdlets for Windows PowerShell Windows PowerShell cmdlets provide a new way for administrators to use when working with BitLocker. Using Windows PowerShell's scripting capabilities, administrators can integrate BitLocker options into existing scripts with ease. The list below displays the available BitLocker cmdlets. diff --git a/windows/keep-secure/block-untrusted-fonts-in-an-enterprise.md b/windows/keep-secure/block-untrusted-fonts-in-an-enterprise.md index aa81aafd05..4f147b8dcf 100644 --- a/windows/keep-secure/block-untrusted-fonts-in-an-enterprise.md +++ b/windows/keep-secure/block-untrusted-fonts-in-an-enterprise.md @@ -32,7 +32,7 @@ There are 3 ways to use this feature:   -- **Exclude apps to load untrusted fonts.** You can exclude specific apps, allowing them to load untrusted fonts, even while this feature is turned on. For instructions, see [Fix apps having problems because of blocked fonts](#Fix_apps_having_problems_because_of_blocked_fonts). +- **Exclude apps to load untrusted fonts.** You can exclude specific apps, allowing them to load untrusted fonts, even while this feature is turned on. For instructions, see [Fix apps having problems because of blocked fonts](#fix-apps-having-problems-because-of-blocked-fonts). ## Potential reductions in functionality @@ -69,7 +69,7 @@ To turn this feature on, off, or to use audit mode: 4. Restart your computer. -## View the event log +## View the event log After you turn this feature on, or start using Audit mode, you can look at your event logs for details. 
@@ -139,7 +139,7 @@ After you figure out the problematic fonts, you can try to fix your apps in 2 wa 1. On each computer with the app installed, open regedit.exe and go to **HKEY\_LOCAL\_MACHINE\\ Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*<Process\_Image\_Name>***. Like, if you want to exclude Microsoft Word processes, you’d use **HKEY\_LOCAL\_MACHINE\\ Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Winword.exe**. -2. Add any additional processes that need to be excluded here, and then turn the Blocking untrusted fonts feature on, using steps 2 and 3 in [Turn on and use the Blocking Untrusted Fonts feature.](#Turn_on_and_use_the_Blocking_untrusted_fonts_feature) +2. Add any additional processes that need to be excluded here, and then turn the Blocking untrusted fonts feature on, using steps 2 and 3 in [Turn on and use the Blocking Untrusted Fonts feature.](#turn-on-and-use-the-blocking-untrusted-fonts-feature)   diff --git a/windows/keep-secure/bypass-traverse-checking.md b/windows/keep-secure/bypass-traverse-checking.md index dc96789f59..09bb59496d 100644 --- a/windows/keep-secure/bypass-traverse-checking.md +++ b/windows/keep-secure/bypass-traverse-checking.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management, and security considerations for the **Bypass traverse checking** security policy setting. diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index 37a3d57ee4..89fd240ecf 100644 
--- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md @@ -11,7 +11,7 @@ author: brianlic-msft # Change history for Keep Windows 10 secure -This topic lists new and updated topics in the [Keep Windows 10 secure](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md). +This topic lists new and updated topics in the [Keep Windows 10 secure] documentation for [Windows 10 and Windows 10 Mobile](../index.md). ## February 2016 diff --git a/windows/keep-secure/change-the-system-time.md b/windows/keep-secure/change-the-system-time.md index 1c68469880..ec168f4178 100644 --- a/windows/keep-secure/change-the-system-time.md +++ b/windows/keep-secure/change-the-system-time.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management, and security considerations for the **Change the system time** security policy setting. diff --git a/windows/keep-secure/change-the-time-zone.md b/windows/keep-secure/change-the-time-zone.md index a995e1fe65..6c41e4d823 100644 --- a/windows/keep-secure/change-the-time-zone.md +++ b/windows/keep-secure/change-the-time-zone.md 
@@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management, and security considerations for the **Change the time zone** security policy setting. diff --git a/windows/keep-secure/change-the-tpm-owner-password.md b/windows/keep-secure/change-the-tpm-owner-password.md index c225be6392..7fbc740264 100644 --- a/windows/keep-secure/change-the-tpm-owner-password.md +++ b/windows/keep-secure/change-the-tpm-owner-password.md @@ -17,7 +17,7 @@ author: brianlic-msft This topic for the IT professional describes how to change the password or PIN for the owner of the Trusted Platform Module (TPM) that is installed on your system. -## About the TPM owner password +## About the TPM owner password The owner of the TPM is the user who possesses the owner password and is able to set it and change it. Only one owner password exists per TPM. The owner of the TPM can make full use of TPM capabilities. When an owner is set, no other user or software can claim ownership of the TPM. Only the TPM owner can enable, disable, or clear the TPM without having physical access to the computer, for example, by using the command-line tools remotely. Taking ownership of the TPM can be performed as part of the initialization process. Ownership can change when you share the password or clear your ownership of the TPM so someone else can initialize it. 
@@ -32,14 +32,14 @@ As with any password, you should change your TPM owner password if you suspect t Instead of changing your owner password, you can also use the following options to manage your TPM: -- **Clear the TPM**   If you want to invalidate all of the existing keys that have been created since you took ownership of the TPM, you can clear it. For more info, see [Initialize and Configure Ownership of the TPM](initialize-and-configure-ownership-of-the-tpm.md#BKMK_clear1). +- **Clear the TPM**   If you want to invalidate all of the existing keys that have been created since you took ownership of the TPM, you can clear it. For more info, see [Initialize and Configure Ownership of the TPM](initialize-and-configure-ownership-of-the-tpm.md#bkmk-clear1). **Important**   Clearing the TPM can result in the loss of data. To avoid data loss, make sure you have a backup or recovery method for any data protected or encrypted by the TPM.   -- **Turn off the TPM**   If you want to keep all existing keys and data intact, and you want to disable the services that are provided by the TPM, you can turn it off. For more info, see [Initialize and Configure Ownership of the TPM](initialize-and-configure-ownership-of-the-tpm.md#BKMK_onoff). +- **Turn off the TPM**   If you want to keep all existing keys and data intact, and you want to disable the services that are provided by the TPM, you can turn it off. For more info, see [Initialize and Configure Ownership of the TPM](initialize-and-configure-ownership-of-the-tpm.md#bkmk-onoff). ## Change the TPM owner password @@ -73,7 +73,7 @@ The following procedure provides the steps that are necessary to change the TPM 6. Click **Change password** to apply the new owner password to the TPM. -## Use the TPM cmdlets +## Use the TPM cmdlets If you are using Windows PowerShell to manage your computers, you can also manage the TPM by using Windows PowerShell. To install the TPM cmdlets, type the following command: 
@@ -85,7 +85,7 @@ For details about the individual cmdlets, see [TPM Cmdlets in Windows PowerShell ## Additional resources -For more info about TPM, see [Trusted Platform Module technology overview](trusted-platform-module-technology-overview.md#BKMK_AdditionalResources). +For more info about TPM, see [Trusted Platform Module technology overview](trusted-platform-module-technology-overview.md#bkmk-additionalresources).   diff --git a/windows/keep-secure/configure-an-applocker-policy-for-audit-only.md b/windows/keep-secure/configure-an-applocker-policy-for-audit-only.md index dce4cfdf7d..f554bbf9cb 100644 --- a/windows/keep-secure/configure-an-applocker-policy-for-audit-only.md +++ b/windows/keep-secure/configure-an-applocker-policy-for-audit-only.md @@ -26,7 +26,7 @@ There is no audit mode for the DLL rule collection. DLL rules affect specific ap   -You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#BKMK_Using_Snapins). +You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). **To audit rule collections** diff --git a/windows/keep-secure/configure-an-applocker-policy-for-enforce-rules.md b/windows/keep-secure/configure-an-applocker-policy-for-enforce-rules.md index 087068db1a..acea4f15df 100644 --- a/windows/keep-secure/configure-an-applocker-policy-for-enforce-rules.md +++ b/windows/keep-secure/configure-an-applocker-policy-for-enforce-rules.md 
@@ -24,7 +24,7 @@ When AppLocker policy enforcement is set to **Enforce rules**, rules are enforce For info about how AppLocker policies are applied within a GPO structure, see [Understand AppLocker rules and enforcement setting inheritance in Group Policy](understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md). -You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#BKMK_Using_Snapins). +You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). **To enable the Enforce rules enforcement setting** diff --git a/windows/keep-secure/configure-exceptions-for-an-applocker-rule.md b/windows/keep-secure/configure-exceptions-for-an-applocker-rule.md index 6cca40bfdf..126647dac7 100644 --- a/windows/keep-secure/configure-exceptions-for-an-applocker-rule.md +++ b/windows/keep-secure/configure-exceptions-for-an-applocker-rule.md 
@@ -19,7 +19,7 @@ This topic for IT professionals describes the steps to specify which apps can or Rule exceptions allow you to specify files or folders to exclude from the rule. For more information about exceptions, see [Understanding AppLocker rule exceptions](understanding-applocker-rule-exceptions.md). -You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#BKMK_Using_Snapins). +You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). **To configure exceptions for a rule** diff --git a/windows/keep-secure/configure-s-mime.md b/windows/keep-secure/configure-s-mime.md index 6d2168f8b4..96455bb992 100644 --- a/windows/keep-secure/configure-s-mime.md +++ b/windows/keep-secure/configure-s-mime.md 
@@ -19,13 +19,13 @@ author: brianlic-msft **In this article** -- [About message encryption](#about_message_encryption) -- [About digital signatures](#about_digital_signatures) +- [About message encryption](#about-message-encryption) +- [About digital signatures](#about-digital-signatures) - [Prerequisites](#prerequisites) -- [Choose S/MIME settings](#choose_s_mime_settings) -- [Encrypt or sign individual messages](#encrypt_or_sign_individual_messages) -- [Read signed or encrypted messages](#read_signed_or_encrypted_messages) -- [Install certificates from a received message](#install_certificates_from_a_received_message) +- [Choose S/MIME settings](#choose-s-mime-settings) +- [Encrypt or sign individual messages](#encrypt-or-sign-individual-messages) +- [Read signed or encrypted messages](#read-signed-or-encrypted-messages) +- [Install certificates from a received message](#install-certificates-from-a-received-message) S/MIME stands for Secure/Multipurpose Internet Mail Extensions, and provides an added layer of security for email sent to and from an Exchange ActiveSync (EAS) account. In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. diff --git a/windows/keep-secure/configure-windows-defender-for-windows-10.md b/windows/keep-secure/configure-windows-defender-for-windows-10.md index b72e41d429..63820c0f01 100644 --- a/windows/keep-secure/configure-windows-defender-for-windows-10.md +++ b/windows/keep-secure/configure-windows-defender-for-windows-10.md 
@@ -17,13 +17,13 @@ author: brianlic-msft **In this article** -- [Configure definition updates](#configure_definition_updates) -- [Definition update logic](#definition_update_logic) -- [Update Windows Defender definitions through Active Directory and WSUS](#update_windows_defender_definitions_through_active_directory_and_wsus) -- [Manage cloud-based protection](#manage_cloud-based_protection) -- [Opt-in to Microsoft Update](#opt-in_to_microsoft_update) -- [Schedule updates for Microsoft Update](#schedule_updates_for_microsoft_update) -- [Related topics](#related_topics) +- [Configure definition updates](#configure-definition-updates) +- [Definition update logic](#definition-update-logic) +- [Update Windows Defender definitions through Active Directory and WSUS](#update-windows-defender-definitions-through-active-directory-and-wsus) +- [Manage cloud-based protection](#manage-cloud-based-protection) +- [Opt-in to Microsoft Update](#opt-in-to-microsoft-update) +- [Schedule updates for Microsoft Update](#schedule-updates-for-microsoft-update) +- [Related topics](#related-topics) IT professionals can configure definition updates and cloud-based protection in Windows Defender in Windows 10 through Microsoft Active Directory and Windows Server Update Services (WSUS). @@ -214,7 +214,7 @@ You can manually opt-in each individual computer on your network to receive Micr Opting-in to Microsoft Update means that your system administrator can schedule updates to your mobile computer, so that it keeps up-to-date with the latest software versions and security definitions, even when you’re on the road. -For more information on scheduling updates, see [Configure definition updates](https://technet.microsoft.com/library/mt622088.aspx#configure_definition_updates). +For more information on scheduling updates, see [Configure definition updates](https://technet.microsoft.com/library/mt622088.aspx#configure-definition-updates). ## Related topics 
diff --git a/windows/keep-secure/create-a-pagefile.md b/windows/keep-secure/create-a-pagefile.md index 9caba940bf..241412372b 100644 --- a/windows/keep-secure/create-a-pagefile.md +++ b/windows/keep-secure/create-a-pagefile.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management, and security considerations for the **Create a pagefile** security policy setting. diff --git a/windows/keep-secure/create-a-rule-for-packaged-apps.md b/windows/keep-secure/create-a-rule-for-packaged-apps.md index 1ace14b7b6..f16c4fcee9 100644 --- a/windows/keep-secure/create-a-rule-for-packaged-apps.md +++ b/windows/keep-secure/create-a-rule-for-packaged-apps.md 
@@ -29,7 +29,7 @@ All the files within a package as well as the package installer share these attr For info about the publisher condition, see [Understanding the publisher rule condition in AppLocker](understanding-the-publisher-rule-condition-in-applocker.md). -You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#BKMK_Using_Snapins). +You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). **To create a packaged app rule** diff --git a/windows/keep-secure/create-a-rule-that-uses-a-file-hash-condition.md b/windows/keep-secure/create-a-rule-that-uses-a-file-hash-condition.md index bef619f30f..19f8350862 100644 --- a/windows/keep-secure/create-a-rule-that-uses-a-file-hash-condition.md +++ b/windows/keep-secure/create-a-rule-that-uses-a-file-hash-condition.md 
@@ -21,7 +21,7 @@ File hash rules use a system-computed cryptographic hash of the identified file. For info about the file hash condition, see [Understanding the File Hash Rule Condition in AppLocker](understanding-the-file-hash-rule-condition-in-applocker.md). -You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#BKMK_Using_Snapins). +You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). **To create a new rule with a file hash condition** diff --git a/windows/keep-secure/create-a-rule-that-uses-a-path-condition.md b/windows/keep-secure/create-a-rule-that-uses-a-path-condition.md index 86982d20e4..59f864fa6e 100644 --- a/windows/keep-secure/create-a-rule-that-uses-a-path-condition.md +++ b/windows/keep-secure/create-a-rule-that-uses-a-path-condition.md 
@@ -26,7 +26,7 @@ When creating a rule that uses a deny action, path conditions are less secure fo For info about the path condition, see [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md). -You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For information how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#BKMK_Using_Snapins). +You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For information how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). **To create a new rule with a path condition** diff --git a/windows/keep-secure/create-a-rule-that-uses-a-publisher-condition.md b/windows/keep-secure/create-a-rule-that-uses-a-publisher-condition.md index c8e9ab4e5e..cbbec57db2 100644 --- a/windows/keep-secure/create-a-rule-that-uses-a-publisher-condition.md +++ b/windows/keep-secure/create-a-rule-that-uses-a-publisher-condition.md 
@@ -23,7 +23,7 @@ Packaged app rules are by definition rules that use publisher conditions. For in For info about the publisher condition, see [Understanding the publisher rule condition in AppLocker](understanding-the-publisher-rule-condition-in-applocker.md). -You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#BKMK_Using_Snapins). +You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). **To create a new rule with a publisher condition** diff --git a/windows/keep-secure/create-a-token-object.md b/windows/keep-secure/create-a-token-object.md index 9709865962..3bdaddebaa 100644 --- a/windows/keep-secure/create-a-token-object.md +++ b/windows/keep-secure/create-a-token-object.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management, and security considerations for the **Create a token object** security policy setting. diff --git a/windows/keep-secure/create-applocker-default-rules.md b/windows/keep-secure/create-applocker-default-rules.md index 8eb6dc7c94..d701502116 100644 
--- a/windows/keep-secure/create-applocker-default-rules.md +++ b/windows/keep-secure/create-applocker-default-rules.md @@ -24,7 +24,7 @@ You can use the default rules as a template when creating your own rules to allo   -You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For information how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#BKMK_Using_Snapins). +You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For information how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). **To create default rules** diff --git a/windows/keep-secure/create-global-objects.md b/windows/keep-secure/create-global-objects.md index cdcc8e7221..448ca2c48e 100644 --- a/windows/keep-secure/create-global-objects.md +++ b/windows/keep-secure/create-global-objects.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management, and security considerations for the **Create global objects** security policy setting. diff --git a/windows/keep-secure/create-permanent-shared-objects.md b/windows/keep-secure/create-permanent-shared-objects.md index 0011487a83..467ff27d4f 100644 --- a/windows/keep-secure/create-permanent-shared-objects.md 
+++ b/windows/keep-secure/create-permanent-shared-objects.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management, and security considerations for the **Create permanent shared objects** security policy setting. diff --git a/windows/keep-secure/create-symbolic-links.md b/windows/keep-secure/create-symbolic-links.md index aacda94dbe..5724c2532c 100644 --- a/windows/keep-secure/create-symbolic-links.md +++ b/windows/keep-secure/create-symbolic-links.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management, and security considerations for the **Create symbolic links** security policy setting. diff --git a/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md b/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md index 9d6c2feac6..9028d0b0c4 100644 --- a/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md +++ b/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md 
@@ -17,7 +17,7 @@ author: brianlic-msft To implement Device Guard app protection, you will need to create a code integrity policy. Code integrity policies determine what apps are considered trustworthy and are allowed to run on a protected device. -## Create a Device Guard code integrity policy based on a reference device +## Create a Device Guard code integrity policy based on a reference device To create a code integrity policy, you'll first need to create a reference image that includes the signed applications you want to run on your protected devices. For information on how to sign applications, see [Getting apps to run on Device Guard-protected devices](getting-apps-to-run-on-device-guard-protected-devices.md). diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index fbe2f2083d..23fb6bef14 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -16,7 +16,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 Technical Preview -Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket by protecting NTLM password hashes and Kerberos Ticket Granting Tickets. +Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes and Kerberos Ticket Granting Tickets. Credential Guard offers the following features and solutions: @@ -69,7 +69,7 @@ The PC must meet the following hardware and software requirements to use Credent

UEFI firmware version 2.3.1 or higher and Secure Boot

-

To verify that the firmware is using UEFI version 2.3.1 or higher and Secure Boot, you can validate it against the [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](http://msdn.microsoft.com/library/windows/hardware/dn932807.aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby) Windows Hardware Compatibility Program requirement.

+

To verify that the firmware is using UEFI version 2.3.1 or higher and Secure Boot, you can validate it against the [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](http://msdn.microsoft.com/library/windows/hardware/dn932807.aspx#system-fundamentals-firmware-cs-uefisecureboot-connectedstandby) Windows Hardware Compatibility Program requirement.

Virtualization extensions

@@ -99,7 +99,7 @@ The PC must meet the following hardware and software requirements to use Credent

Secure firmware update process

-

To verify that the firmware complies with the secure firmware update process, you can validate it against the [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system_fundamentals_firmware_uefisecureboot) Windows Hardware Compatibility Program requirement.

+

To verify that the firmware complies with the secure firmware update process, you can validate it against the [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot) Windows Hardware Compatibility Program requirement.

The firmware is updated for [Secure MOR implementation](http://msdn.microsoft.com/library/windows/hardware/mt270973.aspx)

@@ -298,7 +298,7 @@ You can use System Information to ensure that Credential Guard is running on a P - If you are using Wi-Fi and VPN end points that are based on MS-CHAPv2, they are subject to similar attacks as NTLMv1. We recommend that organizations use certificated-based authentication for Wi-Fi and VPN connections. -- Starting with Windows 10, Version 1511, domain credentials that are stored with Credential Manager are protected with Credential Guard. Credential Manager allows you to store credentials, such as user names and passwords that you use to log on to websites or other computers on a network. The following considerations apply to the Credential Guard protections for Credential Manager: +- Starting with Windows 10, version 1511, domain credentials that are stored with Credential Manager are protected with Credential Guard. Credential Manager allows you to store credentials, such as user names and passwords that you use to log on to websites or other computers on a network. The following considerations apply to the Credential Guard protections for Credential Manager: - Credentials saved by Remote Desktop Services cannot be used to remotely connect to another machine without supplying the password. @@ -401,7 +401,7 @@ You must restart the device after enrolling the machine authentication certifica By using an authentication policy, you can ensure that users only sign into devices that are running Credential Guard. Before you deploy the authentication policy though, you must first run a couple of scripts that set up your environment. -- The [get-IssuancePolicy.ps1](#BKMK_GetScript) shows all of the issuance policies that are available on the certificate authority. +- The [get-IssuancePolicy.ps1](#bkmk-getscript) shows all of the issuance policies that are available on the certificate authority. From a Windows PowerShell command prompt, run the following command: 
@@ -409,7 +409,7 @@ By using an authentication policy, you can ensure that users only sign into devi .\get-IssuancePolicy.ps1 –LinkedToGroup:All ``` -- The [set-IssuancePolicyToGroupLink.ps1](#BKMK_SetScript) creates a Universal security group, creates an organizational unit, and links the issuance policy to that Universal security group. +- The [set-IssuancePolicyToGroupLink.ps1](#bkmk-setscript) creates a Universal security group, creates an organizational unit, and links the issuance policy to that Universal security group. From a Windows PowerShell command prompt, run the following command: @@ -464,7 +464,7 @@ When authentication policies in enforcement mode are deployed with Credential Gu Here is a list of scripts that are mentioned in this topic. -### Get the available issuance policies on the certificate authority +### Get the available issuance policies on the certificate authority Save this script file as get-IssuancePolicy.ps1. @@ -686,7 +686,7 @@ If you're having trouble running this script, try replacing the single quote aft   -### Link an issuance policy to a group +### Link an issuance policy to a group Save the script file as set-IssuancePolicyToGroupLink.ps1. diff --git a/windows/keep-secure/dcom-machine-access-restrictions-in-security-descriptor-definition-language--sddl--syntax.md b/windows/keep-secure/dcom-machine-access-restrictions-in-security-descriptor-definition-language--sddl--syntax.md index e331918ef2..e3635f1d18 100644 --- a/windows/keep-secure/dcom-machine-access-restrictions-in-security-descriptor-definition-language--sddl--syntax.md +++ b/windows/keep-secure/dcom-machine-access-restrictions-in-security-descriptor-definition-language--sddl--syntax.md 
@@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, and security considerations for the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** policy setting. diff --git a/windows/keep-secure/dcom-machine-launch-restrictions-in-security-descriptor-definition-language--sddl--syntax.md b/windows/keep-secure/dcom-machine-launch-restrictions-in-security-descriptor-definition-language--sddl--syntax.md index 90670ace9d..5ef38e48d1 100644 --- a/windows/keep-secure/dcom-machine-launch-restrictions-in-security-descriptor-definition-language--sddl--syntax.md +++ b/windows/keep-secure/dcom-machine-launch-restrictions-in-security-descriptor-definition-language--sddl--syntax.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, and security considerations for the **DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax** security policy setting. diff --git a/windows/keep-secure/debug-programs.md b/windows/keep-secure/debug-programs.md index ae53fe4a58..fde20d3384 100644 --- a/windows/keep-secure/debug-programs.md +++ b/windows/keep-secure/debug-programs.md 
@@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management, and security considerations for the **Debug programs** security policy setting. diff --git a/windows/keep-secure/delete-an-applocker-rule.md b/windows/keep-secure/delete-an-applocker-rule.md index 951386d9b7..bed27aa9de 100644 --- a/windows/keep-secure/delete-an-applocker-rule.md +++ b/windows/keep-secure/delete-an-applocker-rule.md @@ -21,7 +21,7 @@ As older apps are retired and new apps are deployed in your organization, it wil For info about testing an AppLocker policy to see what rules affect which files or applications, see [Test an AppLocker policy by Using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md). -You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#BKMK_Using_Snapins). +You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). **To delete a rule in an AppLocker policy** 
diff --git a/windows/keep-secure/deny-access-to-this-computer-from-the-network.md b/windows/keep-secure/deny-access-to-this-computer-from-the-network.md index dcf1c73311..7a894142bd 100644 --- a/windows/keep-secure/deny-access-to-this-computer-from-the-network.md +++ b/windows/keep-secure/deny-access-to-this-computer-from-the-network.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management, and security considerations for the **Deny access to this computer from the network** security policy setting. diff --git a/windows/keep-secure/deny-log-on-as-a-batch-job.md b/windows/keep-secure/deny-log-on-as-a-batch-job.md index 3c4878cc82..d9ac166d78 100644 --- a/windows/keep-secure/deny-log-on-as-a-batch-job.md +++ b/windows/keep-secure/deny-log-on-as-a-batch-job.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management, and security considerations for the **Deny log on as a batch job** security policy setting. diff --git a/windows/keep-secure/deny-log-on-as-a-service.md b/windows/keep-secure/deny-log-on-as-a-service.md index 63cefacbc8..44201c1023 100644 --- a/windows/keep-secure/deny-log-on-as-a-service.md +++ b/windows/keep-secure/deny-log-on-as-a-service.md 
@@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management, and security considerations for the **Deny log on as a service** security policy setting. diff --git a/windows/keep-secure/deny-log-on-locally.md b/windows/keep-secure/deny-log-on-locally.md index b02e7b1906..95f7276570 100644 --- a/windows/keep-secure/deny-log-on-locally.md +++ b/windows/keep-secure/deny-log-on-locally.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management, and security considerations for the **Deny log on locally** security policy setting. diff --git a/windows/keep-secure/deny-log-on-through-remote-desktop-services.md b/windows/keep-secure/deny-log-on-through-remote-desktop-services.md index 32a985ba04..359085b10c 100644 --- a/windows/keep-secure/deny-log-on-through-remote-desktop-services.md +++ b/windows/keep-secure/deny-log-on-through-remote-desktop-services.md 
@@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management, and security considerations for the **Deny log on through Remote Desktop Services** security policy setting. diff --git a/windows/keep-secure/device-guard-certification-and-compliance.md b/windows/keep-secure/device-guard-certification-and-compliance.md index 51825caacc..69678c49bb 100644 --- a/windows/keep-secure/device-guard-certification-and-compliance.md +++ b/windows/keep-secure/device-guard-certification-and-compliance.md @@ -86,8 +86,8 @@ The following table shows the hardware and software you need to install and conf

UEFI firmware version 2.3.1 or higher with UEFI Secure Boot and Platform Secure Boot

UEFI Secure Boot ensures that the device boots only authorized code. Additionally, Boot Integrity, also known as Platform Secure Boot must be supported. You can validate it against the following Windows Hardware Compatibility Program requirements:

    -
  • [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system_fundamentals_firmware_uefisecureboot)

  • -
  • [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](http://msdn.microsoft.com/library/windows/hardware/dn932807.aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)

  • +
  • [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)

  • +
  • [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](http://msdn.microsoft.com/library/windows/hardware/dn932807.aspx#system-fundamentals-firmware-cs-uefisecureboot-connectedstandby)

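Review bot: the two `+` lines in this hunk rewrite the fragment of an external link, not an in-repo heading: `dn932805.aspx#system_fundamentals_firmware_uefisecureboot` and `dn932807.aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby` on msdn.microsoft.com become the hyphenated forms. The lowercase-hyphen slug rule this patch applies to local Markdown headings does not govern anchors on the MSDN site, so the underscore fragment on the `-` lines may be the only one that exists there; verify the fragment against the target page before merging, otherwise the link still opens the page but no longer jumps to the requirement. If it cannot be verified, keep the `-` line's fragment unchanged.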
@@ -117,7 +117,7 @@ The following table shows the hardware and software you need to install and conf

Secure firmware update process

-

To verify that the firmware complies with the secure firmware update process, you can validate it against the [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system_fundamentals_firmware_uefisecureboot) Windows Hardware Compatibility Program requirement.

+

To verify that the firmware complies with the secure firmware update process, you can validate it against the [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot) Windows Hardware Compatibility Program requirement.

Signed processor microcode updates

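Review bot: same external-link concern for the `+` line here, which changes `dn932805.aspx#system_fundamentals_firmware_uefisecureboot` to `dn932805.aspx#system-fundamentals-firmware-uefisecureboot` in the "Secure firmware update process" row. This is a link to msdn.microsoft.com, and the repository's anchor convention has no bearing on which fragment that page defines; both hunks in this file link the same requirement, so decide once (after checking the MSDN page) and apply the same fragment to both, rather than letting the two rows drift apart if one is reverted.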
diff --git a/windows/keep-secure/device-guard-deployment-guide.md b/windows/keep-secure/device-guard-deployment-guide.md index 6246363a37..5881759b28 100644 --- a/windows/keep-secure/device-guard-deployment-guide.md +++ b/windows/keep-secure/device-guard-deployment-guide.md 
@@ -17,19 +17,19 @@ author: brianlic-msft **In this article** -- [Introduction to Device Guard](#introduction_to_device_guard) -- [Device Guard overview](#device_guard_overview) -- [Plan for Device Guard](#plan_for_device_guard) -- [Approach enterprise code integrity deployment](#approach_enterprise) -- [Device Guard deployment scenarios](#device_guard_deployment) -- [Code signing adoption](#code_signing_adoption) +- [Introduction to Device Guard](#introduction-to-device-guard) +- [Device Guard overview](#device-guard-overview) +- [Plan for Device Guard](#plan-for-device-guard) +- [Approach enterprise code integrity deployment](#approach-enterprise) +- [Device Guard deployment scenarios](#device-guard-deployment) +- [Code signing adoption](#code-signing-adoption) - [Hardware considerations](#hardware) -- [Device Guard deployment](#DG_deployment) -- [Configure hardware-based security features](#configure_hardware) -- [Catalog files](#Catalog_files) -- [Code integrity policies](#code_integrity_policies) -- [Create a Device Guard code signing certificate](#create_DG_code) -- [Related topics](#related_topics) +- [Device Guard deployment](#dg-deployment) +- [Configure hardware-based security features](#configure-hardware) +- [Catalog files](#catalog-files) +- [Code integrity policies](#code-integrity-policies) +- [Create a Device Guard code signing certificate](#create-dg-code) +- [Related topics](#related-topics) Microsoft Device Guard is a feature set that consists of both hardware and software system integrity hardening features that revolutionize the Windows operating system’s security. Windows 10 employs Device Guard as well as code integrity and advanced hardware features such as CPU virtualization extensions, Trusted Platform Module, and second-level address translation to offer comprehensive modern security to its users. This guide explores the individual features in Device Guard as well as how to plan for, configure, and deploy them. 
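Review bot: several of the rewritten TOC anchors are abbreviations that the lowercase-hyphen slug rule cannot produce from the heading text: `#approach-enterprise` for "Approach enterprise code integrity deployment", `#device-guard-deployment` for "Device Guard deployment scenarios", `#dg-deployment` for "Device Guard deployment", `#configure-hardware` for "Configure hardware-based security features", `#create-dg-code` for "Create a Device Guard code signing certificate" and `#hardware` for "Hardware considerations". Unless those headings declare explicit ids elsewhere in the file, these entries remain dead links after the cleanup; either use the full heading slug (for example `#approach-enterprise-code-integrity-deployment`) or add explicit ids to the headings. Normalising `#DG_deployment` and `#Catalog_files` to lowercase is a good fix in itself, since the body of the same file already links `#catalog_files` in lowercase.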
@@ -55,7 +55,7 @@ Advanced hardware features such as CPU virtualization extensions, IOMMUs, and SL Along with these new features, some components of Device Guard are existing tools or technologies that have been included in this strategic security offering to provide customers with the most secure Windows operating system possible. Device Guard is intended as a set of client security features to be used in conjunction with the other threat-resistance features available in the Windows operating system, some of which are mentioned in this guide. In addition to an overview of each feature, this guide walks you through the configuration and deployment of them. -### +### **Configurable code integrity** 
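Review bot: the only change visible in this hunk is the `-###` / `+###` pair, which reads as a trailing-whitespace edit, and it leaves the underlying defect in place: an empty ATX heading followed by a bold pseudo-heading `**Configurable code integrity**`. An empty `###` renders nothing and generates no anchor, so this subsection cannot be linked to and does not appear in any generated outline. Suggest folding the text into the heading line, `### Configurable code integrity`, and dropping the bold line.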
@@ -63,15 +63,15 @@ The Windows operating system consists of two operating modes: user mode and kern Code integrity is the component of the Windows operating system that verifies that the code Windows is running is trusted and safe. Like the operating system, Windows code integrity also contains two primary components: kernel mode code integrity (KMCI) and user mode code integrity (UMCI). KMCI has been used in recent versions of the Windows operating system to protect the kernel mode from running unsigned drivers. Although effective, drivers are not the only route that malware can take to penetrate the kernel mode space of the operating system. In Windows 10, however, Microsoft has raised the standard for kernel mode code out of the box as well as provided enterprises with a way to set their own UMCI and KMCI standards. Beginning with the Code Integrity service itself and continuing through the policies a Windows client uses to verify that an application should be allowed to run, Microsoft has made Windows 10 more secure than any previous Windows release. Historically, UMCI has been available only in Windows RT and on Windows Phone devices, which has made it difficult for these devices to be infected with viruses and malware. In Windows 10, these same successful UMCI standards are available. -Historically, most malware has been unsigned. By simply deploying code integrity policies, organizations will immediately protect themselves against unsigned malware, which is estimated to be responsible for more than 95 percent of current attacks. By using code integrity policies, an enterprise can select exactly which binaries are allowed to run in both user mode and kernel mode, from the signer to the hash level. When completely enforced, it makes user mode in Windows function like a mobile phone, by allowing only specific applications or specific signatures to be trusted and run. This feature alone fundamentally changes the security in an enterprise. 
This additional security is not limited to Windows apps and does not require that an application be rewritten to be compatible with your existing, unsigned applications. You can implement configurable code integrity without enabling Device Guard, but it is intended to run in conjunction with Device Guard when supported hardware is available. For more information about how to configure, deploy, and manage code integrity policies, see the [Code integrity policies](#code_integrity_policies) section. +Historically, most malware has been unsigned. By simply deploying code integrity policies, organizations will immediately protect themselves against unsigned malware, which is estimated to be responsible for more than 95 percent of current attacks. By using code integrity policies, an enterprise can select exactly which binaries are allowed to run in both user mode and kernel mode, from the signer to the hash level. When completely enforced, it makes user mode in Windows function like a mobile phone, by allowing only specific applications or specific signatures to be trusted and run. This feature alone fundamentally changes the security in an enterprise. This additional security is not limited to Windows apps and does not require that an application be rewritten to be compatible with your existing, unsigned applications. You can implement configurable code integrity without enabling Device Guard, but it is intended to run in conjunction with Device Guard when supported hardware is available. For more information about how to configure, deploy, and manage code integrity policies, see the [Code integrity policies](#code-integrity-policies) section. **Hardware security features and virtualization-based security** The Device Guard core functionality and protection start at the hardware level. 
Devices that have processors equipped with SLAT technologies and virtualization extensions, such as Intel Virtualization Technology (VT-x) and AMD-V, will be able to take advantage of virtualization-based security (VBS) features that enhance Windows security. Device Guard leverages VBS to isolate core Windows services that are critical to the security and integrity of the operating system. This isolation removes the vulnerability of these services from both the user and kernel modes and acts as an impenetrable barrier for most malware used today. One of these isolated services, called the Windows Code Integrity service, drives the Device Guard kernel mode configurable code integrity feature. This prevents code that has penetrated the kernel mode operations from compromising the code integrity service. -Another Windows 10 feature that employs VBS is Credential Guard. Credential Guard provides additional protection to Active Directory domain users by storing domain credentials within the virtualization container that hosts the Windows security services, such as code integrity. By isolating these domain credentials from the active user mode and kernel mode, they have a much lower risk of being stolen. For more information about how Credential Guard complements Device Guard, see the [Device Guard with Credential Guard](#DG_with_CG) section. For information about how to enable Credential Guard, see the [Enable Credential Guard](#enable_CG) section. +Another Windows 10 feature that employs VBS is Credential Guard. Credential Guard provides additional protection to Active Directory domain users by storing domain credentials within the virtualization container that hosts the Windows security services, such as code integrity. By isolating these domain credentials from the active user mode and kernel mode, they have a much lower risk of being stolen. 
For more information about how Credential Guard complements Device Guard, see the [Device Guard with Credential Guard](#dg-with-cg) section. For information about how to enable Credential Guard, see the [Enable Credential Guard](#enable-cg) section. -### +### **Device Guard with AppLocker** 
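Review bot: `#dg-with-cg` and `#enable-cg` on the `+` line point at sections that this file presents as an empty `###` followed by a bold line (the `-### +### **Device Guard with Credential Guard**` pattern is visible at the end of this hunk and again in the next one), so there is no heading for either anchor to resolve to, and the slug of the bold text, `#device-guard-with-credential-guard`, would not match the abbreviation anyway. Fixing the heading (`### Device Guard with Credential Guard`) and pointing the link at its real slug, or adding an explicit id, is needed for this rename to produce a working link; the same applies to `#code-integrity-policies` if the "Code integrity policies" heading lacks an id.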
@@ -83,61 +83,61 @@ Although AppLocker is not considered a new Device Guard feature, it complements AppLocker and Device Guard should run side-by-side in your organization, which offers the best of both security features at the same time and provides the most comprehensive security to as many devices as possible. In addition to these features, Microsoft recommends that you continue to maintain an enterprise antivirus solution for a well-rounded enterprise security portfolio. -### +### **Device Guard with Credential Guard** -Although Credential Guard is not a feature within Device Guard, many organizations will likely deploy Credential Guard alongside Device Guard for additional protection against credential theft. Similar to virtualization-based protection of kernel mode code integrity, Credential Guard leverages hypervisor technology to protect domain credentials. This mitigation is targeted at resisting the use of pass-the-hash and pass-the-ticket techniques. By employing multifactor authentication with Credential Guard, organizations can gain additional protection against such threats. For information about how to deploy Credential Guard to your Windows 10 Enterprise clients, see the [Enable Credential Guard](#enable_CG) section. In addition to the client-side enablement of Credential Guard, organizations can deploy mitigations at both the CA and domain controller level to help prevent credential theft. Microsoft will be releasing details about these additional mitigations in the future. +Although Credential Guard is not a feature within Device Guard, many organizations will likely deploy Credential Guard alongside Device Guard for additional protection against credential theft. Similar to virtualization-based protection of kernel mode code integrity, Credential Guard leverages hypervisor technology to protect domain credentials. This mitigation is targeted at resisting the use of pass-the-hash and pass-the-ticket techniques. 
By employing multifactor authentication with Credential Guard, organizations can gain additional protection against such threats. For information about how to deploy Credential Guard to your Windows 10 Enterprise clients, see the [Enable Credential Guard](#enable-cg) section. In addition to the client-side enablement of Credential Guard, organizations can deploy mitigations at both the CA and domain controller level to help prevent credential theft. Microsoft will be releasing details about these additional mitigations in the future. **Unified manageability** You can easily manage Device Guard features by using the familiar enterprise and client-management tools that IT pros use every day. Use the following management tools to enable and manage Device Guard: -- **Group Policy**. Windows 10 provides an administrative template to configure and deploy the configurable code integrity policies for your organization. This template also allows you to specify which hardware-based security features you would like to enable and deploy. You can manage these settings along with your existing Group Policy Objects (GPOs), which makes it simple to implement Device Guard features. In addition to these code integrity and hardware-based security features, you can use Group Policy to help you manage your catalog files. For more information about catalog files, see the [Catalog files](#catalog_files) section. +- **Group Policy**. Windows 10 provides an administrative template to configure and deploy the configurable code integrity policies for your organization. This template also allows you to specify which hardware-based security features you would like to enable and deploy. You can manage these settings along with your existing Group Policy Objects (GPOs), which makes it simple to implement Device Guard features. In addition to these code integrity and hardware-based security features, you can use Group Policy to help you manage your catalog files. 
For more information about catalog files, see the [Catalog files](#catalog-files) section. -- **Microsoft System Center Configuration Manager**. You can use System Center Configuration Manager to simplify deployment and management of catalog files, code integrity policies, and hardware-based security features, as well as provide version control. For more information about how to deploy catalog files by using System Center Configuration Manager, see the [Deploy catalog files with System Center Configuration Manager](#deploy_cat_SCCM) section. +- **Microsoft System Center Configuration Manager**. You can use System Center Configuration Manager to simplify deployment and management of catalog files, code integrity policies, and hardware-based security features, as well as provide version control. For more information about how to deploy catalog files by using System Center Configuration Manager, see the [Deploy catalog files with System Center Configuration Manager](#deploy-cat-sccm) section. - **Microsoft Intune**. In a future release of Microsoft Intune, organizations will be able to leverage Intune for deployment and management of code integrity policies and catalog files. -- **Windows PowerShell**. Windows PowerShell is primarily used to create and service code integrity policies. These policies represent the most powerful component of Device Guard. For a step-by-step walkthrough of how to create, audit, service, enforce, and deploy code integrity policies, see the [Code integrity policies](#code_integrity_policies) section. +- **Windows PowerShell**. Windows PowerShell is primarily used to create and service code integrity policies. These policies represent the most powerful component of Device Guard. For a step-by-step walkthrough of how to create, audit, service, enforce, and deploy code integrity policies, see the [Code integrity policies](#code-integrity-policies) section. 
-These options provide the same experience you are used to in order to manage your existing enterprise management solutions. For more information about how to manage and deploy Device Guard hardware and code integrity features in your organization, see the [Device Guard deployment](#DG_deployment) section. +These options provide the same experience you are used to in order to manage your existing enterprise management solutions. For more information about how to manage and deploy Device Guard hardware and code integrity features in your organization, see the [Device Guard deployment](#dg-deployment) section. ## Plan for Device Guard In this section, you will learn about the following topics: -- [Approach enterprise code integrity deployment](#approach_enterprise). Device Guard deployment in your organization requires a planned approach. In this section, you get high-level recommendations for how to approach enterprise code integrity deployment in your organization. +- [Approach enterprise code integrity deployment](#approach-enterprise). Device Guard deployment in your organization requires a planned approach. In this section, you get high-level recommendations for how to approach enterprise code integrity deployment in your organization. -- [Device Guard deployment scenarios](#device_guard_deployment). When you plan for Device Guard deployment, Microsoft recommends that you categorize each device in your organization into a deployment scenario. These scenarios will provide a roadmap for your Device Guard deployment. +- [Device Guard deployment scenarios](#device-guard-deployment). When you plan for Device Guard deployment, Microsoft recommends that you categorize each device in your organization into a deployment scenario. These scenarios will provide a roadmap for your Device Guard deployment. -- [Code signing adoption](#code_signing_adoption). Code signing is important to the security that Device Guard provides. 
This section outlines the options for code signing and the benefits and disadvantages of each method. +- [Code signing adoption](#code-signing-adoption). Code signing is important to the security that Device Guard provides. This section outlines the options for code signing and the benefits and disadvantages of each method. - [Hardware considerations](#hardware). Several Device Guard features require advanced hardware. This section outlines the requirements for each of those features and what to look for during your next hardware refresh. -## Approach enterprise code integrity deployment +## Approach enterprise code integrity deployment Enterprises that want to consider Device Guard should not expect deployment to their entire organization overnight. Device Guard implementation requires that you plan for both end-user and IT pro impact. In addition, the deployment of Device Guard features to your enterprise requires a planned, phased approach to ensure that end-user systems are fully capable and ready to enforce these new security restrictions. Perform the following high-level tasks to approach the deployment of Device Guard to your enterprise: -1. **Group devices into similar functions**. Categorize machines into the groups described in the [Device Guard deployment scenarios](#device_guard_deployment) section. This begins the roadmap for your Device Guard deployment and provides groups of easier and more difficult implementations. From there, assess the quantity of necessary Device Guard policies. The easiest solution is to lock down your entire enterprise, but it might not fit your individual departments’ needs. +1. **Group devices into similar functions**. Categorize machines into the groups described in the [Device Guard deployment scenarios](#device-guard-deployment) section. This begins the roadmap for your Device Guard deployment and provides groups of easier and more difficult implementations. 
From there, assess the quantity of necessary Device Guard policies. The easiest solution is to lock down your entire enterprise, but it might not fit your individual departments’ needs. - To discover an appropriate number of policies for your organization, try to separate the defined groups into departments or roles. Then ask some questions: What software does each department or role need to do their job? Should they be able to install and run other departments’ software? Do we need to create a base code integrity policy that aligns with our application catalog? Should users be able to install any application or only choose from an “allowed” list? Do we allow users to use their own peripheral devices? These questions will help you discover the number of necessary policies for your organization. Finally, try to focus on which people or departments would require an additional level of privileges. For example, should department x be able to install and run application xyz, even though no other department does? If the answer is yes and justifiable, you will need a secondary code integrity policy for that group. If not, you will likely be able to merge several policies to simplify management. For more information about configurable code integrity policies, see the [Code integrity policies](#code_integrity_policies) section. + To discover an appropriate number of policies for your organization, try to separate the defined groups into departments or roles. Then ask some questions: What software does each department or role need to do their job? Should they be able to install and run other departments’ software? Do we need to create a base code integrity policy that aligns with our application catalog? Should users be able to install any application or only choose from an “allowed” list? Do we allow users to use their own peripheral devices? These questions will help you discover the number of necessary policies for your organization. 
Finally, try to focus on which people or departments would require an additional level of privileges. For example, should department x be able to install and run application xyz, even though no other department does? If the answer is yes and justifiable, you will need a secondary code integrity policy for that group. If not, you will likely be able to merge several policies to simplify management. For more information about configurable code integrity policies, see the [Code integrity policies](#code-integrity-policies) section. -2. **Create code integrity policies from “golden” PCs**. After you create the groups of devices, you can create code integrity policies to align with those groups, similar to the way you would manage corporate images. When you have separated these groups and set up golden PCs that mimic the software and hardware those individual groups require, create code integrity policies from each of them. After you create these, you can merge these code integrity policies to create a master policy, or you can manage and deploy them individually. For step-by-step instructions about how to create code integrity policies, see the [Create code integrity policies from golden PCs](#create_code_golden) section. +2. **Create code integrity policies from “golden” PCs**. After you create the groups of devices, you can create code integrity policies to align with those groups, similar to the way you would manage corporate images. When you have separated these groups and set up golden PCs that mimic the software and hardware those individual groups require, create code integrity policies from each of them. After you create these, you can merge these code integrity policies to create a master policy, or you can manage and deploy them individually. For step-by-step instructions about how to create code integrity policies, see the [Create code integrity policies from golden PCs](#create-code-golden) section. -3. **Audit and merge code integrity policies**. 
Microsoft recommends that you test code integrity policies in audit mode before you enforce them. Audit mode allows administrators to run the code integrity policy on a system but not actually block anything. Rather than not allowing applications to run, events are logged with each exception to the policy. This way, you can easily highlight any issues that were not discovered during the initial scan. You can create additional code integrity policies by using the audit events and merge them into the existing policy. For more information about how to audit code integrity policies, see the [Audit code integrity policies](#audit_code_integrity) section. +3. **Audit and merge code integrity policies**. Microsoft recommends that you test code integrity policies in audit mode before you enforce them. Audit mode allows administrators to run the code integrity policy on a system but not actually block anything. Rather than not allowing applications to run, events are logged with each exception to the policy. This way, you can easily highlight any issues that were not discovered during the initial scan. You can create additional code integrity policies by using the audit events and merge them into the existing policy. For more information about how to audit code integrity policies, see the [Audit code integrity policies](#audit-code-integrity) section. -4. **Assess LOB applications that are currently unsigned, and create a catalog file for them**. Catalog files allow organizations to sign applications that do not currently possess digitally signed binaries or applications that a customer would want to add a secondary signature to. These applications can be in-house applications or from third parties, and the process does not require any repackaging of the application. When you create code integrity policies at a rule level above hash values, you will not discover unsigned applications. 
To include these applications in your code integrity policies, simply create, sign, and deploy a catalog file. For information about catalog files, see the [Catalog files](#catalog_files) section. +4. **Assess LOB applications that are currently unsigned, and create a catalog file for them**. Catalog files allow organizations to sign applications that do not currently possess digitally signed binaries or applications that a customer would want to add a secondary signature to. These applications can be in-house applications or from third parties, and the process does not require any repackaging of the application. When you create code integrity policies at a rule level above hash values, you will not discover unsigned applications. To include these applications in your code integrity policies, simply create, sign, and deploy a catalog file. For information about catalog files, see the [Catalog files](#catalog-files) section. -5. **Enable desired hardware security features**. Each type of device found in the [Device Guard deployment scenarios](#device_guard_deployment) section takes advantage of different software and hardware integrity configurations. You should assess hardware-based security features separately from code integrity policies because they provide complementary functionality. For information about how to configure Device Guard hardware-based security features, see the [Configure hardware-based security features](#configure_hardware) section. +5. **Enable desired hardware security features**. Each type of device found in the [Device Guard deployment scenarios](#device-guard-deployment) section takes advantage of different software and hardware integrity configurations. You should assess hardware-based security features separately from code integrity policies because they provide complementary functionality. 
For information about how to configure Device Guard hardware-based security features, see the [Configure hardware-based security features](#configure-hardware) section. -6. **Deploy code integrity policies and catalog files**. After you have created and signed the necessary catalog files and created and audited code integrity policies, you are ready to deploy them in phases. Microsoft strongly recommends that you deploy these components to a test group of users, even after your IT organization has tested and vetted them. This provides a final quality control validation before you deploy the catalog files and policies more broadly. For information about how to deploy catalog files with Group Policy, see the [Deploy catalog files with Group Policy](#deploy_cat_GP) section. For additional information about how to deploy code integrity policies, see the [Deploy code integrity policies with Group Policy](#deploy_manage_code_GP) section. +6. **Deploy code integrity policies and catalog files**. After you have created and signed the necessary catalog files and created and audited code integrity policies, you are ready to deploy them in phases. Microsoft strongly recommends that you deploy these components to a test group of users, even after your IT organization has tested and vetted them. This provides a final quality control validation before you deploy the catalog files and policies more broadly. For information about how to deploy catalog files with Group Policy, see the [Deploy catalog files with Group Policy](#deploy-cat-gp) section. For additional information about how to deploy code integrity policies, see the [Deploy code integrity policies with Group Policy](#deploy-manage-code-gp) section. -## Device Guard deployment scenarios +## Device Guard deployment scenarios -To help simplify the deployment of Device Guard to your organization, Microsoft recommends that you group devices into the deployment scenarios described in this section. 
Device Guard is not a feature that organizations will just simply “turn on”; rather, it typically requires a phased implementation approach. To see where these scenarios fit into an overall Device Guard deployment approach, see the [Approach to enterprise code integrity deployment](#approach_enterprise) section. +To help simplify the deployment of Device Guard to your organization, Microsoft recommends that you group devices into the deployment scenarios described in this section. Device Guard is not a feature that organizations will just simply “turn on”; rather, it typically requires a phased implementation approach. To see where these scenarios fit into an overall Device Guard deployment approach, see the [Approach to enterprise code integrity deployment](#approach-enterprise) section. **Fixed-workload devices** 
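Review bot: the `-## Approach enterprise code integrity deployment` / `+## Approach enterprise code integrity deployment` and `-## Device Guard deployment scenarios` / `+## Device Guard deployment scenarios` pairs show no visible content change, so these are whitespace-only edits on heading lines; if the intent is trailing-space cleanup, say so in the commit message, because it reads as churn. The links in this same hunk (`#approach-enterprise`, `#device-guard-deployment`, `#create-code-golden`, `#audit-code-integrity`, `#deploy-cat-gp`, `#deploy-manage-code-gp`, `#deploy-cat-sccm`) are abbreviations, and neither heading touched here declares an id, so `#approach-enterprise` and `#device-guard-deployment` will not resolve under the slug rule the patch is applying. Also, the link text "Approach to enterprise code integrity deployment" on the last `+` line does not match the heading "Approach enterprise code integrity deployment"; align the two.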
@@ -182,29 +182,29 @@ Device Guard is not a good way to manage devices in a Bring Your Own Device (BYO Code signing is crucial to the successful implementation of configurable code integrity policies. These policies can trust the signing certificates from both independent software vendors and customers. In Windows 10, all Windows Store applications are signed. Also, you can easily trust any other signed application by adding the signing certificate to the code integrity policy. -For unsigned applications, customers have multiple options for signing them so that code integrity policies can trust them. The first option is traditional embedded code signing. Organizations that have in-house development teams can incorporate binary code signing into their application development process, and then simply add the signing certificate to their code integrity policies. The second option for signing unsigned applications is to use catalog files. In Windows 10, customers have the ability to create catalog files as they monitor the installation and initial run of an application. For more information about signing existing unsigned LOB applications or third-party applications, see the [Existing line-of-business applications](#existing_LOB) section. +For unsigned applications, customers have multiple options for signing them so that code integrity policies can trust them. The first option is traditional embedded code signing. Organizations that have in-house development teams can incorporate binary code signing into their application development process, and then simply add the signing certificate to their code integrity policies. The second option for signing unsigned applications is to use catalog files. In Windows 10, customers have the ability to create catalog files as they monitor the installation and initial run of an application. 
For more information about signing existing unsigned LOB applications or third-party applications, see the [Existing line-of-business applications](#existing-lob) section. -### +### **Existing line-of-business applications** -Until now, existing LOB applications were difficult to trust if they were signed by a source other than the Windows Store or not signed at all. With Windows 10, signing your existing LOB and third-party unsigned applications is simplified. This new signing method does not require that applications be repackaged in any way. With catalog files, administrators can sign these unsigned applications simply by monitoring for an installation and initial startup. By using this monitoring information, an administrator can generate a catalog file. Catalog files are simply Secure Hash Algorithm 2 (SHA2) hash lists of discovered binaries. These binaries’ hash values are updated every time an application is updated and therefore require an updated catalog file. For simplified administration, consider incorporating embedded code signing into your application development process. For more information about how to generate catalog files, see the [Catalog files](#catalog_files) section. +Until now, existing LOB applications were difficult to trust if they were signed by a source other than the Windows Store or not signed at all. With Windows 10, signing your existing LOB and third-party unsigned applications is simplified. This new signing method does not require that applications be repackaged in any way. With catalog files, administrators can sign these unsigned applications simply by monitoring for an installation and initial startup. By using this monitoring information, an administrator can generate a catalog file. Catalog files are simply Secure Hash Algorithm 2 (SHA2) hash lists of discovered binaries. These binaries’ hash values are updated every time an application is updated and therefore require an updated catalog file. 
For simplified administration, consider incorporating embedded code signing into your application development process. For more information about how to generate catalog files, see the [Catalog files](#catalog-files) section. **Note**   Catalog files are lists of individual binaries’ hash values. If the scanned application is updated, you will need to create a new catalog file. That said, binary signing is still highly recommended for any future applications so that no catalog files are needed.   -When you create a catalog file, you must sign it by using enterprise public key infrastructure (PKI), or a purchased code signing certificate. When signed, code integrity policies can trust the signer or signing certificate of those files. For information about catalog file signing, see the [Catalog files](#catalog_files) section. +When you create a catalog file, you must sign it by using enterprise public key infrastructure (PKI), or a purchased code signing certificate. When signed, code integrity policies can trust the signer or signing certificate of those files. For information about catalog file signing, see the [Catalog files](#catalog-files) section. **Application development** Although in-house applications can be signed after packaging by using catalog files, Microsoft strongly recommends that embedded code signing be incorporated into your application development process. When signing applications, simply add the code signing certificate used to sign your applications to your code integrity policy. This ensures that your code integrity policy will trust any future application that is signed with that certificate. Embedding code signing into any in-house application development process is beneficial to your IT organization as you implement code integrity policies. 
-## Hardware considerations +## Hardware considerations -Careful consideration about which hardware vendor and specific models to purchase during your next hardware refresh is vitally important to the success of your organization’s Device Guard implementation efforts. In alignment with your current hardware life cycle, consider the process that is discussed in the [Approach enterprise code integrity deployment](#approach_enterprise) section when you determine the appropriate order of hardware replacement in your organization. Device Guard should be deployed in phases; therefore, you have time to methodically plan for its implementation. +Careful consideration about which hardware vendor and specific models to purchase during your next hardware refresh is vitally important to the success of your organization’s Device Guard implementation efforts. In alignment with your current hardware life cycle, consider the process that is discussed in the [Approach enterprise code integrity deployment](#approach-enterprise) section when you determine the appropriate order of hardware replacement in your organization. Device Guard should be deployed in phases; therefore, you have time to methodically plan for its implementation. Different hardware features are required to implement the various features of Device Guard. There will likely be some individual features that you will be able to enable with your current hardware and some that you will not. However, for organizations that want to implement Device Guard in its entirety, several advanced hardware features will be required. For additional details about the hardware features that are required for Device Guard components, see the following table. @@ -228,8 +228,8 @@ Different hardware features are required to implement the various features of De

UEFI firmware version 2.3.1 or higher with UEFI Secure Boot and Platform Secure Boot

UEFI Secure Boot ensures that the device boots only authorized code. Additionally, Boot Integrity, also known as Platform Secure Boot must be supported. You can validate it against the following Windows Hardware Compatibility Program requirements:

    -
  • [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system_fundamentals_firmware_uefisecureboot)

  • -
  • [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](http://msdn.microsoft.com/library/windows/hardware/dn932807.aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)

  • +
  • [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)

  • +
  • [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](http://msdn.microsoft.com/library/windows/hardware/dn932807.aspx#system-fundamentals-firmware-cs-uefisecureboot-connectedstandby)

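Review bot: the two `+` bullets in this hunk rewrite the fragment of an external URL (`dn932805.aspx#system_fundamentals_firmware_uefisecureboot` becomes `dn932805.aspx#system-fundamentals-firmware-uefisecureboot`, and likewise the ConnectedStandby link on `dn932807.aspx`) to match the hyphenated anchor style this commit adopts for the repo's own headings. Anchors on msdn.microsoft.com are not governed by this repo's convention, so verify that the hyphenated fragments actually resolve on those pages before merging; if they do not, keep the original underscore fragments, because a reader trying to check the WHCP Secure Boot requirement would otherwise be dropped at the top of a long requirements page with no indication of which requirement was meant. Since these lines are being touched anyway, the links could also move from `http://` to `https://`, so that the reference text for a firmware-security requirement is at least fetched over an authenticated channel.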
@@ -259,7 +259,7 @@ Different hardware features are required to implement the various features of De

Secure firmware update process

-

To verify that the firmware complies with the secure firmware update process, you can validate it against the [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system_fundamentals_firmware_uefisecureboot) Windows Hardware Compatibility Program requirement.

+

To verify that the firmware complies with the secure firmware update process, you can validate it against the [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot) Windows Hardware Compatibility Program requirement.

Signed processor microcode updates

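Review bot: the `+` line here carries the same rewritten external fragment (`dn932805.aspx#system-fundamentals-firmware-uefisecureboot`) as the previous hunk, and that fragment is the only difference between the `-` and `+` versions of the sentence. Settle the question once against the msdn.microsoft.com target and apply the answer to both hunks: either both keep the hyphenated fragment because it resolves there, or this hunk is dropped entirely rather than adapted.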
@@ -270,29 +270,29 @@ Different hardware features are required to implement the various features of De   -## Device Guard deployment +## Device Guard deployment In this section, you learn about the following topics: -- [Configure hardware-based security features](#configure_hardware). This section explains how to enable the hardware-based security features in Device Guard. Also, you verify that the features are enabled by using both Windows Management Infrastructure (WMI) and Msinfo32.exe. +- [Configure hardware-based security features](#configure-hardware). This section explains how to enable the hardware-based security features in Device Guard. Also, you verify that the features are enabled by using both Windows Management Infrastructure (WMI) and Msinfo32.exe. -- [Catalog files](#catalog_files). In this section, you create, sign, and deploy catalog files. You deploy the catalog files by using both Group Policy and System Center Configuration Manager. Also, you use System Center Configuration Manager to inventory the deployed catalog files for reporting purposes. +- [Catalog files](#catalog-files). In this section, you create, sign, and deploy catalog files. You deploy the catalog files by using both Group Policy and System Center Configuration Manager. Also, you use System Center Configuration Manager to inventory the deployed catalog files for reporting purposes. -- [Code integrity policies](#code_integrity_policies). This section provides information on how to create, audit, service, merge, deploy, and remove signed and unsigned configurable code integrity policies. +- [Code integrity policies](#code-integrity-policies). This section provides information on how to create, audit, service, merge, deploy, and remove signed and unsigned configurable code integrity policies. -## Configure hardware-based security features +## Configure hardware-based security features Hardware-based security features make up a large part of Device Guard security offerings. 
VBS reinforces the most important feature of Device Guard: configurable code integrity. There are three steps to configure hardware-based security features in Device Guard: 1. **Verify that hardware requirements are met and enabled**. Verify that your client machines possess the necessary hardware to run these features. A list of hardware requirements for the hardware-based security features is available in the [Hardware considerations](#hardware) section. -2. **Enable the necessary Windows features**. There are several ways to enable the Windows features required for hardware-based security. For details on which Windows features are needed, see the [Windows feature requirements for virtualization-based security](#vb_security) section. +2. **Enable the necessary Windows features**. There are several ways to enable the Windows features required for hardware-based security. For details on which Windows features are needed, see the [Windows feature requirements for virtualization-based security](#vb-security) section. -3. **Enable desired features**. When the necessary hardware and Windows features have been enabled, you are ready to enable the desired hardware-based security features. For UEFI Secure Boot, see the [Enable UEFI Secure Boot](#enable_secureboot) section. For information about how to enable VBS protection of the KMCI service, see the [Enable virtualization-based protection of kernel mode code integrity](#enable_virtualbased) section. Finally, for information about how to enable Credential Guard, see the [Enable Credential Guard](#enable_CG) section. +3. **Enable desired features**. When the necessary hardware and Windows features have been enabled, you are ready to enable the desired hardware-based security features. For UEFI Secure Boot, see the [Enable UEFI Secure Boot](#enable-secureboot) section. 
For information about how to enable VBS protection of the KMCI service, see the [Enable virtualization-based protection of kernel mode code integrity](#enable-virtualbased) section. Finally, for information about how to enable Credential Guard, see the [Enable Credential Guard](#enable-cg) section. -### +### **Windows feature requirements for virtualization-based security** @@ -307,9 +307,9 @@ You can configure these features manually by using Windows PowerShell or Deploym Figure 1. Enable operating system features for VBS -After you enable these features, you can configure any hardware-based security features you want. For information about how to enable virtualization-based protection of kernel-mode code integrity, see the [Enable virtualization-based protection of kernel-mode code integrity](#enable_virtualbased) section. For information about how to enable UEFI Secure Boot, see the [Enable Unified Extensible Firmware Interface Secure Boot](#enable_secureboot) section. Finally, for additional information about how to enable Credential Guard, see the [Enable Credential Guard](#enable_CG) section. +After you enable these features, you can configure any hardware-based security features you want. For information about how to enable virtualization-based protection of kernel-mode code integrity, see the [Enable virtualization-based protection of kernel-mode code integrity](#enable-virtualbased) section. For information about how to enable UEFI Secure Boot, see the [Enable Unified Extensible Firmware Interface Secure Boot](#enable-secureboot) section. Finally, for additional information about how to enable Credential Guard, see the [Enable Credential Guard](#enable-cg) section. -### +### **Enable Unified Extensible Firmware Interface Secure Boot** 
@@ -341,7 +341,7 @@ Microsoft recommends that you test-enable this feature on a group of test machin **Use Group Policy to deploy Secure Boot** - + 1. To create a new GPO, right-click the OU to which you want to link the GPO, and then click **Create a GPO in this domain, and Link it here**. ![figure 2](images/dg-fig2-createou.png) 
@@ -375,11 +375,11 @@ Microsoft recommends that you test-enable this feature on a group of test machin Processed Device Guard policies are logged in event viewer at Application and Services Logs\\Microsoft\\Windows\\DeviceGuard-GPEXT\\Operational. When the **Turn On Virtualization Based Security** policy is successfully processed, event ID 7000 is logged, which contains the selected settings within the policy. -### +### **Enable virtualization-based security of kernel-mode code integrity** -Before you begin this process, verify that the desired computer meets the hardware requirements for VBS found in the [Hardware considerations](#hardware) section, and enable the Windows features discussed in the [Virtualization-based security Windows feature requirements](#vb_security) section. When validated, you can enable virtualization-based protection of KMCI in one of two ways: manual configuration of the appropriate registry subkeys and Group Policy deployment. +Before you begin this process, verify that the desired computer meets the hardware requirements for VBS found in the [Hardware considerations](#hardware) section, and enable the Windows features discussed in the [Virtualization-based security Windows feature requirements](#vb-security) section. When validated, you can enable virtualization-based protection of KMCI in one of two ways: manual configuration of the appropriate registry subkeys and Group Policy deployment. **Note**   All drivers on the system must be compatible with virtualization-based protection of code integrity; otherwise, your system may fail. Microsoft recommends that you enable this feature on a group of test machines before you enable it on deployed machines. 
@@ -433,13 +433,13 @@ To use Group Policy to configure VBS of KMCI: Processed Device Guard policies are logged in event viewer under Application and Services Logs\\Microsoft\\Windows\\DeviceGuard-GPEXT\\Operational. When the **Turn On Virtualization Based Security** policy has been successfully processed, event ID 7000 is logged, which contains the selected settings within the policy. -### +### **Enable Credential Guard** Credential Guard provides an additional layer of credential protection specifically for domain users by storing the credentials within the virtualized container, away from both the kernel and user mode operating system. This makes it difficult for even a compromised system to obtain access to the credentials. In addition to the client-side enablement of Credential Guard, you can deploy additional mitigations at both the Certification Authority and domain controller level to prevent credential theft. Microsoft will be releasing details about these additional mitigations in the future. -Before you begin this process, verify that the desired system meets the hardware requirements for VBS found in the [Hardware considerations](#hardware) section, and that you have enabled the Windows features laid out in the [Virtualization-based security Windows feature requirements](#vb_security) section. When validated, you can enable Credential Guard manually, by configuring the appropriate registry subkeys, or through Group Policy deployment. +Before you begin this process, verify that the desired system meets the hardware requirements for VBS found in the [Hardware considerations](#hardware) section, and that you have enabled the Windows features laid out in the [Virtualization-based security Windows feature requirements](#vb-security) section. When validated, you can enable Credential Guard manually, by configuring the appropriate registry subkeys, or through Group Policy deployment. To configure VBS of Credential Guard manually: 
@@ -610,20 +610,20 @@ The Enterprise edition of Windows 10 or Windows Server 2016 is required to crea   -### +### **Create catalog files** The creation of catalog files is the first step to add an unsigned application to a code integrity policy. To create a catalog file, copy each of the following commands into an elevated Windows PowerShell session, and then complete the steps: **Note**   -When you establish a naming convention it makes it easier to detect deployed catalog files in the future. In this guide, you will use *\*-Contoso.cat* as the naming convention. For more information about why this practice is helpful to inventory or detect catalog files, see the [Inventory catalog files with System Center Configuration Manager](#inventory_cat_SCCM) section. +When you establish a naming convention it makes it easier to detect deployed catalog files in the future. In this guide, you will use *\*-Contoso.cat* as the naming convention. For more information about why this practice is helpful to inventory or detect catalog files, see the [Inventory catalog files with System Center Configuration Manager](#inventory-cat-sccm) section.   1. Be sure that a code integrity policy is currently running in audit mode. - Package Inspector does not always detect installation files that have been removed from the machine during the installation process. To ensure that these binaries are also trusted, the code integrity policy that you created and audited in the [Create code integrity policies from golden PCs](#create_code_golden) and [Audit code integrity policies](#audit_code_integrity) sections should be deployed, in audit mode, to the system on which you are running Package Inspector. + Package Inspector does not always detect installation files that have been removed from the machine during the installation process. 
To ensure that these binaries are also trusted, the code integrity policy that you created and audited in the [Create code integrity policies from golden PCs](#create-code-golden) and [Audit code integrity policies](#audit-code-integrity) sections should be deployed, in audit mode, to the system on which you are running Package Inspector. **Note**   This process should **not** be performed on a system running an enforced Device Guard policy, only with a policy running in audit mode. If a policy is currently being enforced, you will not be able to install and run the application. 
@@ -667,21 +667,21 @@ This scan catalogs the hash values for each discovered binary file. If the appli   -When finished, the files will be saved to your desktop. To trust this catalog file within a code integrity policy, the catalog must first be signed. Then, the signing certificate can be included in the code integrity policy, and the catalog file can be distributed to the individual client machines. Catalog files can be signed by using a certificate and SignTool.exe, a free tool available in the Windows SDK. For more information about signing catalog files with SignTool.exe, see the [Catalog signing with SignTool.exe](#catsign_signtool) section. +When finished, the files will be saved to your desktop. To trust this catalog file within a code integrity policy, the catalog must first be signed. Then, the signing certificate can be included in the code integrity policy, and the catalog file can be distributed to the individual client machines. Catalog files can be signed by using a certificate and SignTool.exe, a free tool available in the Windows SDK. For more information about signing catalog files with SignTool.exe, see the [Catalog signing with SignTool.exe](#catsign-signtool) section. -### +### **Catalog signing with SignTool.exe** -Device Guard makes it easy for organizations to sign and trust existing unsigned LOB applications. In this section, you sign a catalog file you generated in a previous section by using PackageInspector.exe. For information about how to create catalog files, see the [Create catalog files](#create_catalog_files) section. In this example, you need the following: +Device Guard makes it easy for organizations to sign and trust existing unsigned LOB applications. In this section, you sign a catalog file you generated in a previous section by using PackageInspector.exe. For information about how to create catalog files, see the [Create catalog files](#create-catalog-files) section. 
In this example, you need the following: - SignTool.exe, found in the Windows software development kit (SDK—Windows 7 or later) -- The catalog file that you generated in the [Create catalog files](#create_catalog_files) section, or another catalog file that you have created +- The catalog file that you generated in the [Create catalog files](#create-catalog-files) section, or another catalog file that you have created - Internal certification authority (CA) code signing certificate or purchased code signing certificate -If you do not have a code signing certificate, please see the [Create a Device Guard code signing certificate](#create_DG_code) section for a walkthrough of how to create one. In addition to using the certificate you create in the Create a Device Guard code signing certificate section, this example signs the catalog file that you created in the [Create catalog files](#create_catalog_files) section. If you are using an alternate certificate or catalog file, update the following steps with the appropriate variables and certificate. To sign the existing catalog file, copy each of the following commands into an elevated Windows PowerShell session: +If you do not have a code signing certificate, please see the [Create a Device Guard code signing certificate](#create-dg-code) section for a walkthrough of how to create one. In addition to using the certificate you create in the Create a Device Guard code signing certificate section, this example signs the catalog file that you created in the [Create catalog files](#create-catalog-files) section. If you are using an alternate certificate or catalog file, update the following steps with the appropriate variables and certificate. To sign the existing catalog file, copy each of the following commands into an elevated Windows PowerShell session: 1. Initialize the variables that will be used: 
@@ -710,11 +710,11 @@ If you do not have a code signing certificate, please see the [Create a Device G **Note**   - In this example, you use the catalog file you created in the [Create catalog files](#create_catalog_files) section. If you are signing another catalog file, be sure to update the *$ExamplePath* and *$CatFileName* variables with the correct information. + In this example, you use the catalog file you created in the [Create catalog files](#create-catalog-files) section. If you are signing another catalog file, be sure to update the *$ExamplePath* and *$CatFileName* variables with the correct information.   -2. Import the code signing certificate. Import the code signing certificate that will be used to sign the catalog file to the signing user’s personal store. In this example, you use the certificate that you created in the [Create a Device Guard code signing certificate](#create_DG_code) section. +2. Import the code signing certificate. Import the code signing certificate that will be used to sign the catalog file to the signing user’s personal store. In this example, you use the certificate that you created in the [Create a Device Guard code signing certificate](#create-dg-code) section. 3. Sign the catalog file with Signtool.exe: 
@@ -750,14 +750,14 @@ If you do not have a code signing certificate, please see the [Create a Device G For testing purposes, you can manually copy signed catalog files to their intended folder. For large-scale implementations, Microsoft recommends that you use Group Policy File Preferences to copy the appropriate catalog files to all desired machines or an enterprise systems management product such as System Center Configuration Manager. Doing this simplifies the management of catalog versions, as well. -### +### **Deploy catalog files with Group Policy** To simplify the management of catalog files, you can use Group Policy preferences to deploy catalog files to the appropriate PCs in your organization. The following process walks you through the deployment of a signed catalog file called LOBApp-Contoso.cat to a test OU called DG Enabled PCs with a GPO called **Contoso DG Catalog File GPO Test**. **Note**   -This walkthrough requires that you have previously created a signed catalog file and have a Windows 10 client PC on which to test a Group Policy deployment. For more information about how to create and sign a catalog file, see the [Catalog files](#catalog_files) section. +This walkthrough requires that you have previously created a signed catalog file and have a Windows 10 client PC on which to test a Group Policy deployment. For more information about how to create and sign a catalog file, see the [Catalog files](#catalog-files) section.   
@@ -768,7 +768,7 @@ To deploy a catalog file with Group Policy: 2. Create a new GPO: right-click the DG Enabled PCs OU, and then click **Create a GPO in this domain, and Link it here**, as shown in Figure 13. **Note**   - The DG Enabled PCs OU is just an example of where to link the test GPO that you created in this section. You can use any OU name. Also, security group filtering is an option when you consider policy partitioning options based on the strategy discussed in the [Approach enterprise code integrity deployment](#approach_enterprise) section. + The DG Enabled PCs OU is just an example of where to link the test GPO that you created in this section. You can use any OU name. Also, security group filtering is an option when you consider policy partitioning options based on the strategy discussed in the [Approach enterprise code integrity deployment](#approach-enterprise) section.   @@ -803,7 +803,7 @@ To deploy a catalog file with Group Policy: 9. In the **Destination File** box, type **C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\LOBApp-Contoso.cat**. **Note**   - LOBApp-Contoso.cat is not a required catalog name: This name was used in the [Create catalog files](#create_catalog_files) section, and so it was used here, as well. + LOBApp-Contoso.cat is not a required catalog name: This name was used in the [Create catalog files](#create-catalog-files) section, and so it was used here, as well.   @@ -813,7 +813,7 @@ To deploy a catalog file with Group Policy: 12. Close the Group Policy Management Editor, and then update the policy on the test Windows 10 machine by running GPUpdate.exe. When the policy has been updated, verify that the catalog file exists in C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} on the Windows 10 machine. -### +### **Deploy catalog files with System Center Configuration Manager** 
@@ -890,7 +890,7 @@ After you create the deployment package, deploy it to a collection so that the c 11. Close the wizard. -### +### **Inventory catalog files with System Center Configuration Manager** @@ -954,7 +954,7 @@ If nothing is displayed in this view, navigate to Software\\Last Software Scan i ## Code integrity policies -Code integrity policies maintain the standards by which a computer running Windows 10 determines whether an application is trustworthy and can be run. For an overview of code integrity, see the [Configurable code integrity](#config_code) section. +Code integrity policies maintain the standards by which a computer running Windows 10 determines whether an application is trustworthy and can be run. For an overview of code integrity, see the [Configurable code integrity](#config-code) section. A common system imaging practice in today’s IT organization is to establish a “golden” image as a reference for what an ideal system should look like, and then use that image to clone additional company assets. Code integrity policies follow a similar methodology, that begins with the establishment of a golden PC. Like when imaging, you can have multiple golden PCs based on model, department, application set, and so on. Although the thought process around the creation of code integrity policies is similar to imaging, these policies should be maintained independently. Assess the necessity of additional code integrity policies based on what should be allowed to be installed and run and for whom. @@ -970,7 +970,7 @@ The following section assumes that you will deploy code integrity policies as pa   -### +### **Code integrity policy rules** @@ -1031,7 +1031,7 @@ When you create code integrity policies with the **New-CIPolicy** cmdlet, you ca   -### +### **Create code integrity policies from golden PCs** 
@@ -1064,7 +1064,7 @@ To create a code integrity policy, copy each of the following commands into an e   **Note**   - You can add the *–Fallback* parameter to catch any applications not discovered using the primary file rule level specified by the *–Level* parameter. For more information about file rule level options, see the [Code integrity policy rules](#code_integrity_policy_rules) section. + You can add the *–Fallback* parameter to catch any applications not discovered using the primary file rule level specified by the *–Level* parameter. For more information about file rule level options, see the [Code integrity policy rules](#code-integrity-policy-rules) section.   
@@ -1080,33 +1080,33 @@ To create a code integrity policy, copy each of the following commands into an e After you complete these steps, the Device Guard binary file (DeviceGuardPolicy.bin) and original .xml file (IntialScan.xml) will be available on your desktop. You can use the binary version as a code integrity policy or sign it for additional security. **Note**   -Microsoft recommends that you keep the original .xml file of the policy for use when you need to merge the code integrity policy with another policy or update its rule options. Alternatively, you would have to create a new policy from a new scan for servicing. For more information about how to merge code integrity policies, see the [Merge code integrity policies](#merge_code_integrity) section. +Microsoft recommends that you keep the original .xml file of the policy for use when you need to merge the code integrity policy with another policy or update its rule options. Alternatively, you would have to create a new policy from a new scan for servicing. For more information about how to merge code integrity policies, see the [Merge code integrity policies](#merge-code-integrity) section.   -Microsoft recommends that every code integrity policy be run in audit mode before being enforced. Doing so allows administrators to discover any issues with the policy without receiving error message dialog boxes. For information about how to audit a code integrity policy, see the [Audit code integrity policies](#audit_code_integrity) section. +Microsoft recommends that every code integrity policy be run in audit mode before being enforced. Doing so allows administrators to discover any issues with the policy without receiving error message dialog boxes. For information about how to audit a code integrity policy, see the [Audit code integrity policies](#audit-code-integrity) section. 
-### +### **Audit code integrity policies** When code integrity policies are run in audit mode, it allows administrators to discover any applications that were missed during an initial policy scan and to identify any new applications that have been installed and run since the original policy was created. While a code integrity policy is running in audit mode, any binary that runs and would have been denied had the policy been enforced is logged in the Applications and Services Logs\\Microsoft\\CodeIntegrity\\Operational event log. When these logged binaries have been validated, they can easily be added to a new code integrity policy. When the new exception policy is created, you can merge it with your existing code integrity policies. **Note**   -Before you begin this process, you need to create a code integrity policy binary file. If you have not already done so, see the [Create a code integrity policy](#create_code_golden) section for a step-by-step walkthrough of the process to create a code integrity policy and convert it to binary format. +Before you begin this process, you need to create a code integrity policy binary file. If you have not already done so, see the [Create a code integrity policy](#create-code-golden) section for a step-by-step walkthrough of the process to create a code integrity policy and convert it to binary format.   To audit a code integrity policy with local policy: -1. Copy the DeviceGuardPolicy.bin file that you created in the [Create code integrity policies from golden PCs](#create_code_golden) section to C:\\Windows\\System32\\CodeIntegrity. +1. Copy the DeviceGuardPolicy.bin file that you created in the [Create code integrity policies from golden PCs](#create-code-golden) section to C:\\Windows\\System32\\CodeIntegrity. 2. On the system you want to run in audit mode, open the Local Group Policy Editor by running **GPEdit.msc**. 3. 
Navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard, and then select **Deploy Code Integrity Policy**. Enable this setting by using the file path C:\\Windows\\System32\\CodeIntegrity\\DeviceGuardPolicy.bin, as shown in Figure 22. **Note**   - *DeviceGuardPolicy.bin* is not a required policy name. This name was simply used in the [Create code integrity policies from golden PCs](#create_code_golden) section and so was used here. Also, this policy file does not need to be copied to every system. Alternatively, you can copy the code integrity policies to a file share to which all computer accounts have access. + *DeviceGuardPolicy.bin* is not a required policy name. This name was simply used in the [Create code integrity policies from golden PCs](#create-code-golden) section and so was used here. Also, this policy file does not need to be copied to every system. Alternatively, you can copy the code integrity policies to a file share to which all computer accounts have access.   
@@ -1134,18 +1134,18 @@ To audit a code integrity policy with local policy: 6. Validate any code integrity policy exceptions. - After you run a code integrity policy in audit mode, Microsoft recommends that each logged exception be researched and validated. In addition to discovering which application is causing the exception and ensuring that it should be added to the code integrity policy, be sure to check which file level should be used to trust each application. Although the Hash file rule level will catch all of these exceptions, it may not be the best way to trust all of the exceptions. For information about file rule levels and their purpose, see the [Code integrity policy rules](#code_integrity_policy_rules) section. + After you run a code integrity policy in audit mode, Microsoft recommends that each logged exception be researched and validated. In addition to discovering which application is causing the exception and ensuring that it should be added to the code integrity policy, be sure to check which file level should be used to trust each application. Although the Hash file rule level will catch all of these exceptions, it may not be the best way to trust all of the exceptions. For information about file rule levels and their purpose, see the [Code integrity policy rules](#code-integrity-policy-rules) section. 7. Create code integrity policy from audit events. - For information about how to create code integrity policies from audit events, see the [Create code integrity policies from golden PCs](#create_code_golden) section. + For information about how to create code integrity policies from audit events, see the [Create code integrity policies from golden PCs](#create-code-golden) section. **Note**   An alternative method to test a policy is to rename the test file to SIPolicy.p7b and drop it into C:\\Windows\\System32\\CodeIntegrity, rather than deploy it with the local machine policy.   -### +### **Create an audit code integrity policy** 
@@ -1159,7 +1159,7 @@ When you run code integrity policies in audit mode, validate any exceptions and 2. Analyze audit results. - Before you create a code integrity policy from audit events, Microsoft recommends that each exception be analyzed, as discussed in steps 5 and 6 of the [Audit code integrity policies](#audit_code_integrity) section. + Before you create a code integrity policy from audit events, Microsoft recommends that each exception be analyzed, as discussed in steps 5 and 6 of the [Audit code integrity policies](#audit-code-integrity) section. 3. Generate a new code integrity policy from logged audit events: 
@@ -1170,21 +1170,21 @@ When you create policies from audit events, you should carefully consider the fi   -After you complete these steps, the Device Guard audit policy .xml file (DeviceGuardAuditPolicy.xml) will be available on your desktop. You can now use this file to update the existing code integrity policy that you ran in audit mode by merging the two policies. For instructions on how to merge this audit policy with the existing code integrity policy, see the [Merge code integrity policies](#merge_code_integrity) section. +After you complete these steps, the Device Guard audit policy .xml file (DeviceGuardAuditPolicy.xml) will be available on your desktop. You can now use this file to update the existing code integrity policy that you ran in audit mode by merging the two policies. For instructions on how to merge this audit policy with the existing code integrity policy, see the [Merge code integrity policies](#merge-code-integrity) section. **Note**   -You may have noticed that you did not generate a binary version of this policy as you did in the [Create code integrity policies from golden PCs](#create_code_golden) section. This is because code integrity policies created from an audit log are not intended to run as stand-alone policies but rather to update existing code integrity policies. +You may have noticed that you did not generate a binary version of this policy as you did in the [Create code integrity policies from golden PCs](#create-code-golden) section. This is because code integrity policies created from an audit log are not intended to run as stand-alone policies but rather to update existing code integrity policies.   -### +### **Merge code integrity policies** When you develop code integrity policies, you will occasionally need to merge two policies. A common example is when a code integrity policy is initially created and audited. 
Another example is when you create a single master policy by using multiple code integrity policies previously created from golden PCs. Because each Windows 10 machine can have only one code integrity policy, it is important to properly maintain these policies. In this example, audit events have been saved into a secondary code integrity policy that you then merge with the initial code integrity policy. **Note**   -The following example uses the code integrity policy .xml files that you created in the [Create code integrity policies from golden PCs](#create_code_golden) and [Audit code integrity policies](#audit_code_integrity) sections. You can follow this process, however, with any two code integrity policies you would like to combine. +The following example uses the code integrity policy .xml files that you created in the [Create code integrity policies from golden PCs](#create-code-golden) and [Audit code integrity policies](#audit-code-integrity) sections. You can follow this process, however, with any two code integrity policies you would like to combine.   
@@ -1215,14 +1215,14 @@ To merge two code integrity policies, complete the following steps in an elevate ` ConvertFrom-CIPolicy $MergedCIPolicy $CIPolicyBin ` -Now that you have created a new code integrity policy called NewDeviceGuardPolicy.bin, you can deploy the policy to systems manually or by using Group Policy or Microsoft client management solutions. For information about how to deploy this new policy with Group Policy, see the [Deploy and manage code integrity policies with Group Policy](#deploy_manage_code_GP) section. +Now that you have created a new code integrity policy called NewDeviceGuardPolicy.bin, you can deploy the policy to systems manually or by using Group Policy or Microsoft client management solutions. For information about how to deploy this new policy with Group Policy, see the [Deploy and manage code integrity policies with Group Policy](#deploy-manage-code-gp) section. **Enforce code integrity policies** Every code integrity policy is created with audit mode enabled. After you have successfully deployed and tested a code integrity policy in audit mode and are ready to test the policy in enforced mode, complete the following steps in an elevated Windows PowerShell session: **Note**   -Every code integrity policy should be tested in audit mode first. For information about how to audit code integrity policies, see the [Audit code integrity policies](#audit_code_integrity) section. +Every code integrity policy should be tested in audit mode first. For information about how to audit code integrity policies, see the [Audit code integrity policies](#audit-code-integrity) section.   
@@ -1237,7 +1237,7 @@ Every code integrity policy should be tested in audit mode first. For informatio `$CIPolicyBin=$CIPolicyPath+"EnforcedDeviceGuardPolicy.bin"` **Note**   - The initial code integrity policy that this section referenced was created in the [Create code integrity polices from golden PCs](#create_code_golden) section. If you are using a different code integrity policy, update the **CIPolicyPath** and **InitialCIPolicy** variables. + The initial code integrity policy that this section referenced was created in the [Create code integrity polices from golden PCs](#create-code-golden) section. If you are using a different code integrity policy, update the **CIPolicyPath** and **InitialCIPolicy** variables.   
@@ -1263,13 +1263,13 @@ Every code integrity policy should be tested in audit mode first. For informatio   -Now that this policy has been enforced, you can deploy it to your test machines. Rename the policy to SIPolicy.p7b and copy it to C:\\Windows\\System32\\CodeIntegrity for testing, or deploy the policy through Group Policy by following the instructions in the [Deploy and manage code integrity policies with Group Policy](#deploy_manage_code_GP) section, or through client management software by following the instructions in the section “Deploying and managing code integrity policies by using Microsoft client management solutions.” +Now that this policy has been enforced, you can deploy it to your test machines. Rename the policy to SIPolicy.p7b and copy it to C:\\Windows\\System32\\CodeIntegrity for testing, or deploy the policy through Group Policy by following the instructions in the [Deploy and manage code integrity policies with Group Policy](#deploy-manage-code-gp) section, or through client management software by following the instructions in the section “Deploying and managing code integrity policies by using Microsoft client management solutions.” **Signing code integrity policies with SignTool.exe** -Signed code integrity policies give organizations the highest level of malware protection available in Windows 10. In addition to their enforced policy rules, signed policies cannot be modified or deleted by a user or administrator on the machine. These policies are designed to prevent administrative tampering and kernel mode exploit access. With this in mind, it is much more difficult to remove signed code integrity policies than unsigned ones. Before you sign and deploy a signed code integrity policy, Microsoft recommends that you audit the policy to discover any blocked applications that should be allowed to run. For more information about how to audit code integrity policies, see the [Audit code integrity policies](#audit_code_integrity) section. 
+Signed code integrity policies give organizations the highest level of malware protection available in Windows 10. In addition to their enforced policy rules, signed policies cannot be modified or deleted by a user or administrator on the machine. These policies are designed to prevent administrative tampering and kernel mode exploit access. With this in mind, it is much more difficult to remove signed code integrity policies than unsigned ones. Before you sign and deploy a signed code integrity policy, Microsoft recommends that you audit the policy to discover any blocked applications that should be allowed to run. For more information about how to audit code integrity policies, see the [Audit code integrity policies](#audit-code-integrity) section. -Signing code integrity policies by using an on-premises CA-generated certificate or a purchased code signing certificate is straightforward. If you do not currently have a code signing certificate exported in .pfx format (containing private keys, extensions, and root certificates), see [Create a Device Guard code signing certificate](#create_DG_code) to create one with your on-premises CA. Before signing code integrity policies for the first time, be sure to enable rule options 9 and 10 to leave troubleshooting options available to test administrators. When validated and ready for enterprise deployment, you can remove these options. For information about how to add rule options, see the [Code integrity policy rules](#code_integrity_policy_rules) section. +Signing code integrity policies by using an on-premises CA-generated certificate or a purchased code signing certificate is straightforward. If you do not currently have a code signing certificate exported in .pfx format (containing private keys, extensions, and root certificates), see [Create a Device Guard code signing certificate](#create-dg-code) to create one with your on-premises CA. 
Before signing code integrity policies for the first time, be sure to enable rule options 9 and 10 to leave troubleshooting options available to test administrators. When validated and ready for enterprise deployment, you can remove these options. For information about how to add rule options, see the [Code integrity policy rules](#code-integrity-policy-rules) section. **Note**   Signing code integrity policies is the last step in a code integrity deployment. It is much more difficult to remove a signed code integrity policy than an unsigned one. Before you deploy a signed code integrity policy to deployed client computers, be sure to test its effect on a subset of machines. 
@@ -1278,24 +1278,24 @@ To sign a code integrity policy with SignTool.exe, you need the following compon - SignTool.exe, found in the Windows SDK (Windows 7 or later) -- The binary format of the code integrity policy that you generated in the [Create code integrity policies from golden PCs](#create_code_golden) section or another code integrity policy that you have created +- The binary format of the code integrity policy that you generated in the [Create code integrity policies from golden PCs](#create-code-golden) section or another code integrity policy that you have created - An internal CA code signing certificate or a purchased code signing certificate   -If you do not have a code signing certificate, see the [Create a Device Guard code signing certificate](#create_DG_code) section for instructions on how to create one. If you use an alternate certificate or code integrity policy, be sure to update the following steps with the appropriate variables and certificate so that the commands will function properly. To sign the existing code integrity policy, copy each of the following commands into an elevated Windows PowerShell session: +If you do not have a code signing certificate, see the [Create a Device Guard code signing certificate](#create-dg-code) section for instructions on how to create one. If you use an alternate certificate or code integrity policy, be sure to update the following steps with the appropriate variables and certificate so that the commands will function properly. To sign the existing code integrity policy, copy each of the following commands into an elevated Windows PowerShell session: 1. Initialize the variables that will be used: `$CIPolicyPath=$env:userprofile+"\Desktop\" $InitialCIPolicy=$CIPolicyPath+"InitialScan.xml" $CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"` **Note**   - This example uses the code integrity policy that you created in the [Create code integrity policies from golden PCs](#create_code_golden) section. 
If you are signing another policy, be sure to update the **$CIPolicyPath** and **$CIPolicyBin** variables with the correct information. + This example uses the code integrity policy that you created in the [Create code integrity policies from golden PCs](#create-code-golden) section. If you are signing another policy, be sure to update the **$CIPolicyPath** and **$CIPolicyBin** variables with the correct information.   -2. Import the .pfx code signing certificate. Import the code signing certificate that you will use to sign the code integrity policy into the signing user’s personal store on the machine that will be doing the signing. In this example, you use the certificate that was created in the [Create a Device Guard code signing certificate](#create_DG_code) section. +2. Import the .pfx code signing certificate. Import the code signing certificate that you will use to sign the code integrity policy into the signing user’s personal store on the machine that will be doing the signing. In this example, you use the certificate that was created in the [Create a Device Guard code signing certificate](#create-dg-code) section. 3. Export the .cer code signing certificate. After the code signing certificate has been imported, export the .cer version to your desktop. This version will be added to the policy so that it can be updated later. 
@@ -1313,7 +1313,7 @@ If you do not have a code signing certificate, see the [Create a Device Guard co   **Note**   - Adding update signers is crucial to being able to modify or disable this policy in the future. For more information about how to disable signed code integrity policies, see the [Disable signed code integrity policies within Windows](#disable_signed_code) section. + Adding update signers is crucial to being able to modify or disable this policy in the future. For more information about how to disable signed code integrity policies, see the [Disable signed code integrity policies within Windows](#disable-signed-code) section.   @@ -1334,9 +1334,9 @@ If you do not have a code signing certificate, see the [Create a Device Guard co   -9. Validate the signed file. When complete, the commands should output a signed policy file called DeviceGuardPolicy.bin.p7 to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy code integrity policies, see the [Deploy and manage code integrity policies with Group Policy](#deploy_manage_code_GP) section. +9. Validate the signed file. When complete, the commands should output a signed policy file called DeviceGuardPolicy.bin.p7 to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy code integrity policies, see the [Deploy and manage code integrity policies with Group Policy](#deploy-manage-code-gp) section. -### +### **Disable unsigned code integrity policies** @@ -1348,7 +1348,7 @@ There may come a time when an administrator wants to disable a code integrity po If the code integrity policy was deployed by using Group Policy, the GPO that is currently enabling and deploying the policy must be set to disabled. Then, the code integrity policy will be disabled on the next computer restart. -### +### **Disable signed code integrity policies within Windows** 
@@ -1407,7 +1407,7 @@ If the signed code integrity policy has been deployed using by using Group Polic 6. Restart the client computer. -### +### **Disable signed code integrity policies within the BIOS** @@ -1417,14 +1417,14 @@ There may be a time when signed code integrity policies cause a boot failure. Be - <OS Volume>\\Windows\\System32\\CodeIntegrity\\ -### +### **Deploy and manage code integrity policies with Group Policy** Code integrity policies can easily be deployed and managed with Group Policy. A Device Guard administrative template will be available in Windows Server 2016 that allows you to simplify deployment of Device Guard hardware-based security features and code integrity policies. The following procedure walks you through how to deploy a code integrity policy called **DeviceGuardPolicy.bin** to a test OU called *DG Enabled PCs* by using a GPO called **Contoso GPO Test**. **Note**   -This walkthrough requires that you have previously created a code integrity policy and have a Windows 10 client PC on which to test a Group Policy deployment. For more information about how to create a code integrity policy, see the [Create code integrity polices from golden PCs](#create_code_golden) section. +This walkthrough requires that you have previously created a code integrity policy and have a Windows 10 client PC on which to test a Group Policy deployment. For more information about how to create a code integrity policy, see the [Create code integrity polices from golden PCs](#create-code-golden) section.   
@@ -1440,7 +1440,7 @@ To deploy and manage a code integrity policy with Group Policy: 2. Create a new GPO: right-click the DG Enabled PCs OU, and then click **Create a GPO in this domain, and Link it here**, as shown in Figure 24. **Note**   - The DG Enabled PCs OU is just an example of where to link the test GPO created in this section. Any OU name can be used. Also, security group filtering is an option when considering policy partitioning options based on the strategy discussed in the [Approach enterprise code integrity deployment](#approach_enterprise) section. + The DG Enabled PCs OU is just an example of where to link the test GPO created in this section. Any OU name can be used. Also, security group filtering is an option when considering policy partitioning options based on the strategy discussed in the [Approach enterprise code integrity deployment](#approach-enterprise) section.   
@@ -1463,7 +1463,7 @@ To deploy and manage a code integrity policy with Group Policy: In this policy setting, you specify either the local path in which the policy will exist on the client computer or a Universal Naming Convention (UNC) path that the client computers will look to retrieve the latest version of the policy. This example copied the DeviceGuardPolicy.bin file onto the test machine and will enable this setting and use the file path C:\\Windows\\System32\\CodeIntegrity\\DeviceGuardPolicy.bin, as shown in Figure 26. **Note**   - *DeviceGuardPolicy.bin* is not a required policy name: It was simply used in the [Create code integrity policies from golden PCs](#create_code_golden) section and so is used here, as well. Also, this policy file does not need to be copied to every computer. Alternatively, you can copy the code integrity policies to a file share to which the computer accounts have access. Any policy selected here is converted to SIPolicy.p7b when it is deployed to the individual client computers. + *DeviceGuardPolicy.bin* is not a required policy name: It was simply used in the [Create code integrity policies from golden PCs](#create-code-golden) section and so is used here, as well. Also, this policy file does not need to be copied to every computer. Alternatively, you can copy the code integrity policies to a file share to which the computer accounts have access. Any policy selected here is converted to SIPolicy.p7b when it is deployed to the individual client computers.   
@@ -1476,9 +1476,9 @@ To deploy and manage a code integrity policy with Group Policy:   -7. Close the Group Policy Management Editor, and then restart the Windows 10 test machine. Restarting the client computer updates the code integrity policy. For information about how to audit code integrity policies, see the [Audit code integrity policies](#audit_code_integrity)section. +7. Close the Group Policy Management Editor, and then restart the Windows 10 test machine. Restarting the client computer updates the code integrity policy. For information about how to audit code integrity policies, see the [Audit code integrity policies](#audit-code-integrity)section. -## Create a Device Guard code signing certificate +## Create a Device Guard code signing certificate To sign catalog files or code integrity policies internally, you will either need a publicly issued code signing certificate or an internal CA. If you have purchased a code signing certificate, you can skip these steps and proceed to the sections that outline the steps to sign catalog files and code integrity policies. If you have not purchased a certificate but have an internal CA, complete these steps to create a code signing certificate: diff --git a/windows/keep-secure/devices-allow-undock-without-having-to-log-on.md b/windows/keep-secure/devices-allow-undock-without-having-to-log-on.md index cb443361f2..49843788e3 100644 --- a/windows/keep-secure/devices-allow-undock-without-having-to-log-on.md +++ b/windows/keep-secure/devices-allow-undock-without-having-to-log-on.md 
@@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, and security considerations for the **Devices: Allow undock without having to log on** security policy setting. diff --git a/windows/keep-secure/devices-allowed-to-format-and-eject-removable-media.md b/windows/keep-secure/devices-allowed-to-format-and-eject-removable-media.md index c2e8bd4249..bbbba7b1a9 100644 --- a/windows/keep-secure/devices-allowed-to-format-and-eject-removable-media.md +++ b/windows/keep-secure/devices-allowed-to-format-and-eject-removable-media.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, and security considerations for the **Devices: Allowed to format and eject removable media** security policy setting. diff --git a/windows/keep-secure/devices-prevent-users-from-installing-printer-drivers.md b/windows/keep-secure/devices-prevent-users-from-installing-printer-drivers.md index 2851b853ca..d889cd9862 100644 --- a/windows/keep-secure/devices-prevent-users-from-installing-printer-drivers.md +++ b/windows/keep-secure/devices-prevent-users-from-installing-printer-drivers.md 
@@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, and security considerations for the **Devices: Prevent users from installing printer drivers** security policy setting. diff --git a/windows/keep-secure/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md b/windows/keep-secure/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md index fa515fc94a..19d46590a7 100644 --- a/windows/keep-secure/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md +++ b/windows/keep-secure/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, and security considerations for the **Devices: Restrict CD-ROM access to locally logged-on user only** security policy setting. diff --git a/windows/keep-secure/devices-restrict-floppy-access-to-locally-logged-on-user-only.md b/windows/keep-secure/devices-restrict-floppy-access-to-locally-logged-on-user-only.md index d2ec599915..d735ea91f0 100644 --- a/windows/keep-secure/devices-restrict-floppy-access-to-locally-logged-on-user-only.md +++ b/windows/keep-secure/devices-restrict-floppy-access-to-locally-logged-on-user-only.md 
@@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, and security considerations for the **Devices: Restrict floppy access to locally logged-on user only** security policy setting. diff --git a/windows/keep-secure/domain-controller-allow-server-operators-to-schedule-tasks.md b/windows/keep-secure/domain-controller-allow-server-operators-to-schedule-tasks.md index f8af633efd..7b1fd9e1e2 100644 --- a/windows/keep-secure/domain-controller-allow-server-operators-to-schedule-tasks.md +++ b/windows/keep-secure/domain-controller-allow-server-operators-to-schedule-tasks.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, and security considerations for the **Domain controller: Allow server operators to schedule tasks** security policy setting. diff --git a/windows/keep-secure/domain-controller-ldap-server-signing-requirements.md b/windows/keep-secure/domain-controller-ldap-server-signing-requirements.md index a0ba29b738..c738022dc9 100644 --- a/windows/keep-secure/domain-controller-ldap-server-signing-requirements.md +++ b/windows/keep-secure/domain-controller-ldap-server-signing-requirements.md 
@@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, and security considerations for the **Domain controller: LDAP server signing requirements** security policy setting. diff --git a/windows/keep-secure/domain-controller-refuse-machine-account-password-changes.md b/windows/keep-secure/domain-controller-refuse-machine-account-password-changes.md index cccb5c1260..73a3ae3e12 100644 --- a/windows/keep-secure/domain-controller-refuse-machine-account-password-changes.md +++ b/windows/keep-secure/domain-controller-refuse-machine-account-password-changes.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, and security considerations for the **Domain controller: Refuse machine account password changes** security policy setting. diff --git a/windows/keep-secure/domain-member-digitally-encrypt-or-sign-secure-channel-data--always.md b/windows/keep-secure/domain-member-digitally-encrypt-or-sign-secure-channel-data--always.md index b391e3e9d5..868b665784 100644 --- a/windows/keep-secure/domain-member-digitally-encrypt-or-sign-secure-channel-data--always.md +++ b/windows/keep-secure/domain-member-digitally-encrypt-or-sign-secure-channel-data--always.md 
@@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, and security considerations for the **Domain member: Digitally encrypt or sign secure channel data (always)** security policy setting. diff --git a/windows/keep-secure/domain-member-digitally-encrypt-secure-channel-data--when-possible.md b/windows/keep-secure/domain-member-digitally-encrypt-secure-channel-data--when-possible.md index b209b3562a..fbba924e28 100644 --- a/windows/keep-secure/domain-member-digitally-encrypt-secure-channel-data--when-possible.md +++ b/windows/keep-secure/domain-member-digitally-encrypt-secure-channel-data--when-possible.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, and security considerations for the **Domain member: Digitally encrypt secure channel data (when possible)** security policy setting. diff --git a/windows/keep-secure/domain-member-digitally-sign-secure-channel-data--when-possible.md b/windows/keep-secure/domain-member-digitally-sign-secure-channel-data--when-possible.md index 0d5c3a2332..e8bd830e73 100644 --- a/windows/keep-secure/domain-member-digitally-sign-secure-channel-data--when-possible.md +++ b/windows/keep-secure/domain-member-digitally-sign-secure-channel-data--when-possible.md 
@@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, and security considerations for the **Domain member: Digitally sign secure channel data (when possible)** security policy setting. diff --git a/windows/keep-secure/domain-member-disable-machine-account-password-changes.md b/windows/keep-secure/domain-member-disable-machine-account-password-changes.md index 578578e4c8..8b84d0fc1e 100644 --- a/windows/keep-secure/domain-member-disable-machine-account-password-changes.md +++ b/windows/keep-secure/domain-member-disable-machine-account-password-changes.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, and security considerations for the **Domain member: Disable machine account password changes** security policy setting. diff --git a/windows/keep-secure/domain-member-maximum-machine-account-password-age.md b/windows/keep-secure/domain-member-maximum-machine-account-password-age.md index e0b22b778c..0801f31f06 100644 --- a/windows/keep-secure/domain-member-maximum-machine-account-password-age.md +++ b/windows/keep-secure/domain-member-maximum-machine-account-password-age.md 
@@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, and security considerations for the **Domain member: Maximum machine account password age** security policy setting. diff --git a/windows/keep-secure/domain-member-require-strong--windows-2000-or-later--session-key.md b/windows/keep-secure/domain-member-require-strong--windows-2000-or-later--session-key.md index 8da88af6de..2b89ada53e 100644 --- a/windows/keep-secure/domain-member-require-strong--windows-2000-or-later--session-key.md +++ b/windows/keep-secure/domain-member-require-strong--windows-2000-or-later--session-key.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, and security considerations for the **Domain member: Require strong (Windows 2000 or later) session key** security policy setting. diff --git a/windows/keep-secure/edit-an-applocker-policy.md b/windows/keep-secure/edit-an-applocker-policy.md index f0bcd16f5a..b878d37679 100644 --- a/windows/keep-secure/edit-an-applocker-policy.md +++ b/windows/keep-secure/edit-an-applocker-policy.md 
@@ -21,11 +21,11 @@ You can edit an AppLocker policy by adding, changing, or removing rules. However There are two methods you can use to edit an AppLocker policy: -- [Editing an AppLocker policy by using Group Policy](#BKMK_EditAppPolinGPO) +- [Editing an AppLocker policy by using Group Policy](#bkmk-editapppolingpo) -- [Editing an AppLocker policy by using the Local Security Policy snap-in](#BKMK_EditAppLolNotinGPO) +- [Editing an AppLocker policy by using the Local Security Policy snap-in](#bkmk-editapplolnotingpo) -## Editing an AppLocker policy by using Group Policy +## Editing an AppLocker policy by using Group Policy The steps to edit an AppLocker policy distributed by Group Policy include the following: @@ -79,7 +79,7 @@ If you are performing these steps by using Microsoft Advanced Group Policy Manag   -## Editing an AppLocker policy by using the Local Security Policy snap-in +## Editing an AppLocker policy by using the Local Security Policy snap-in The steps to edit an AppLocker policy distributed by using the Local Security Policy snap-in (secpol.msc) include the following tasks. diff --git a/windows/keep-secure/edit-applocker-rules.md b/windows/keep-secure/edit-applocker-rules.md index 12ac2bb42d..e5b8372c9d 100644 --- a/windows/keep-secure/edit-applocker-rules.md +++ b/windows/keep-secure/edit-applocker-rules.md 
@@ -19,7 +19,7 @@ This topic for IT professionals describes the steps to edit a publisher rule, pa For more info about these rule types, see [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md). -You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#BKMK_Using_Snapins). +You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). **To edit a publisher rule** diff --git a/windows/keep-secure/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md b/windows/keep-secure/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md index 6cefff341a..8090dfa54f 100644 --- a/windows/keep-secure/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md +++ b/windows/keep-secure/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management, and security considerations for the **Enable computer and user accounts to be trusted for delegation** security policy setting. 
diff --git a/windows/keep-secure/enable-the-dll-rule-collection.md b/windows/keep-secure/enable-the-dll-rule-collection.md index 5f82db0de2..903c1b67bf 100644 --- a/windows/keep-secure/enable-the-dll-rule-collection.md +++ b/windows/keep-secure/enable-the-dll-rule-collection.md @@ -21,7 +21,7 @@ The DLL rule collection includes the .dll and .ocx file formats. For info about these rules, see [DLL rules in AppLocker](dll-rules-in-applocker.md). -You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#BKMK_Using_Snapins). +You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). **To enable the DLL rule collection** diff --git a/windows/keep-secure/enforce-password-history.md b/windows/keep-secure/enforce-password-history.md index 82553b7f9e..d90d752a2e 100644 --- a/windows/keep-secure/enforce-password-history.md +++ b/windows/keep-secure/enforce-password-history.md 
@@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management, and security considerations for the **Enforce password history** security policy setting. diff --git a/windows/keep-secure/enforce-user-logon-restrictions.md b/windows/keep-secure/enforce-user-logon-restrictions.md index 2b45042b13..8a1e9597e0 100644 --- a/windows/keep-secure/enforce-user-logon-restrictions.md +++ b/windows/keep-secure/enforce-user-logon-restrictions.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management, and security considerations for the **Enforce user logon restrictions** security policy setting. diff --git a/windows/keep-secure/force-shutdown-from-a-remote-system.md b/windows/keep-secure/force-shutdown-from-a-remote-system.md index d32a5e1385..c201c10080 100644 --- a/windows/keep-secure/force-shutdown-from-a-remote-system.md +++ b/windows/keep-secure/force-shutdown-from-a-remote-system.md 
@@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management, and security considerations for the **Force shutdown from a remote system** security policy setting. diff --git a/windows/keep-secure/generate-security-audits.md b/windows/keep-secure/generate-security-audits.md index 514c108690..b9bebd4989 100644 --- a/windows/keep-secure/generate-security-audits.md +++ b/windows/keep-secure/generate-security-audits.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management, and security considerations for the **Generate security audits** security policy setting. diff --git a/windows/keep-secure/get-started-with-windows-defender-for-windows-10.md b/windows/keep-secure/get-started-with-windows-defender-for-windows-10.md index 33a0ae5169..ab5f005d1c 100644 --- a/windows/keep-secure/get-started-with-windows-defender-for-windows-10.md +++ b/windows/keep-secure/get-started-with-windows-defender-for-windows-10.md 
@@ -17,9 +17,9 @@ author: brianlic-msft **In this article** -- [Manage Windows Defender endpoints through Active Directory and WSUS](#manage_windows_defender_endpoints_through_active_directory_and_wsus) -- [Apply updates to Windows Defender endpoints](#apply_updates_to_windows_defender_endpoints) -- [Related topics](#related_topics) +- [Manage Windows Defender endpoints through Active Directory and WSUS](#manage-windows-defender-endpoints-through-active-directory-and-wsus) +- [Apply updates to Windows Defender endpoints](#apply-updates-to-windows-defender-endpoints) +- [Related topics](#related-topics) IT professionals can manage Windows Defender on Windows 10 endpoints in their organization using Microsoft Active Directory or Windows Server Update Services (WSUS), and apply updates to endpoints. diff --git a/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md b/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md index e70f3f209d..ba3bee945a 100644 --- a/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md +++ b/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md 
@@ -18,11 +18,11 @@ author: brianlic-msft **In this article** -- [What you need to run your apps on Device-Guard protected devices](#what_you_need_to_run_your_apps_on_device-guard_protected_devices) -- [Create a catalog file for unsigned apps](#create_a_catalog_file_for_unsigned_apps) -- [Sign your catalog file using Sign Tool](#sign_your_catalog_file_using_sign_tool) -- [Troubleshooting the Package Inspector](#troubleshooting_the_package_inspector) -- [Related topics](#related_topics) +- [What you need to run your apps on Device-Guard protected devices](#what-you-need-to-run-your-apps-on-device-guard-protected-devices) +- [Create a catalog file for unsigned apps](#create-a-catalog-file-for-unsigned-apps) +- [Sign your catalog file using Sign Tool](#sign-your-catalog-file-using-sign-tool) +- [Troubleshooting the Package Inspector](#troubleshooting-the-package-inspector) +- [Related topics](#related-topics) Windows 10 introduces several new features and settings that when combined all equal what we're calling, Device Guard. Device Guard can help to protect your enterprise devices against the accidental running of malicious apps by requiring all of your apps to be signed by a trusted entity. @@ -314,7 +314,7 @@ You must make sure that you clear the cache by creating and setting a new tempor cp .\DenyPackageInspector.bin C:\Windows\System32\SIPolicy.p7b ``` -3. Restart your device and follow the steps in the [Create a catalog file for unsigned apps](#create_a_catalog_file_for_unsigned_apps) section. +3. Restart your device and follow the steps in the [Create a catalog file for unsigned apps](#create-a-catalog-file-for-unsigned-apps) section. ## Related topics diff --git a/windows/keep-secure/how-to-configure-security-policy-settings.md b/windows/keep-secure/how-to-configure-security-policy-settings.md index 65dd987ced..b8f0b7c5c0 100644 --- a/windows/keep-secure/how-to-configure-security-policy-settings.md 
+++ b/windows/keep-secure/how-to-configure-security-policy-settings.md @@ -17,10 +17,10 @@ author: brianlic-msft **In this article** -- [To configure a setting using the Local Security Policy console](#BKMK_Local) -- [To configure a security policy setting using the Local Group Policy Editor console](#BKMK_Domain) -- [To configure a setting for a domain controller](#BKMK_DC) -- [Related topics](#related_topics) +- [To configure a setting using the Local Security Policy console](#bkmk-local) +- [To configure a security policy setting using the Local Group Policy Editor console](#bkmk-domain) +- [To configure a setting for a domain controller](#bkmk-dc) +- [Related topics](#related-topics) Describes steps to configure a security policy setting on the local device, on a domain-joined device, and on a domain controller. @@ -28,7 +28,7 @@ You must have Administrators rights on the local device, or you must have the ap When a local setting is inaccessible, it indicates that a GPO currently controls that setting. -## To configure a setting using the Local Security Policy console +## To configure a setting using the Local Security Policy console 1. To open Local Security Policy, on the **Start** screen, type **secpol.msc**, and then press ENTER. @@ -50,7 +50,7 @@ When a local setting is inaccessible, it indicates that a GPO currently controls   -## To configure a security policy setting using the Local Group Policy Editor console +## To configure a security policy setting using the Local Group Policy Editor console You must have the appropriate permissions to install and use the Microsoft Management Console (MMC), and to update a Group Policy Object (GPO) on the domain controller to perform these procedures. 
@@ -78,7 +78,7 @@ You must have the appropriate permissions to install and use the Microsoft Manag   -## To configure a setting for a domain controller +## To configure a setting for a domain controller The following procedure describes how to configure a security policy setting for only a domain controller (from the domain controller). diff --git a/windows/keep-secure/impersonate-a-client-after-authentication.md b/windows/keep-secure/impersonate-a-client-after-authentication.md index eb3e4dfefb..8b1483c9fa 100644 --- a/windows/keep-secure/impersonate-a-client-after-authentication.md +++ b/windows/keep-secure/impersonate-a-client-after-authentication.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management, and security considerations for the **Impersonate a client after authentication** security policy setting. diff --git a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md index 2175dcb0ae..62e8486943 100644 --- a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md +++ b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md 
@@ -19,11 +19,11 @@ author: brianlic-msft **In this article** -- [Group Policy settings for Passport](#group_policy_settings_for_passport) -- [MDM policy settings for Passport](#mdm_policy_settings_for_passport) +- [Group Policy settings for Passport](#group-policy-settings-for-passport) +- [MDM policy settings for Passport](#mdm-policy-settings-for-passport) - [Prerequisites](#prerequisites) -- [Passport for BYOD](#passport_for_byod) -- [Related topics](#related_topics) +- [Passport for BYOD](#passport-for-byod) +- [Related topics](#related-topics) You can create a Group Policy or mobile device management (MDM) policy that will implement Microsoft Passport on devices running Windows 10. @@ -121,7 +121,7 @@ Require uppercase letters **Disabled**: Users cannot include an uppercase letter in their PIN. -[Remote Passport](prepare-people-to-use-microsoft-passport.md#BMK_remote) +[Remote Passport](prepare-people-to-use-microsoft-passport.md#bmk-remote) Use Remote Passport **Note**  Applies to desktop only. Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants. @@ -242,9 +242,9 @@ UseRemotePassport Device or user False -True: [Remote Passport](prepare-people-to-use-microsoft-passport.md#BMK_remote) is enabled. +True: [Remote Passport](prepare-people-to-use-microsoft-passport.md#bmk-remote) is enabled. -False: [Remote Passport](prepare-people-to-use-microsoft-passport.md#BMK_remote) is disabled. +False: [Remote Passport](prepare-people-to-use-microsoft-passport.md#bmk-remote) is disabled.   diff --git a/windows/keep-secure/increase-a-process-working-set.md b/windows/keep-secure/increase-a-process-working-set.md index 8571c8e851..b89d544572 100644 --- a/windows/keep-secure/increase-a-process-working-set.md +++ b/windows/keep-secure/increase-a-process-working-set.md 
@@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management, and security considerations for the **Increase a process working set** security policy setting. diff --git a/windows/keep-secure/increase-scheduling-priority.md b/windows/keep-secure/increase-scheduling-priority.md index 6b95be4eff..2c04849e21 100644 --- a/windows/keep-secure/increase-scheduling-priority.md +++ b/windows/keep-secure/increase-scheduling-priority.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management, and security considerations for the **Increase scheduling priority** security policy setting. diff --git a/windows/keep-secure/index.md b/windows/keep-secure/index.md index df645b3995..e2d29ec8bd 100644 --- a/windows/keep-secure/index.md +++ b/windows/keep-secure/index.md @@ -58,7 +58,7 @@ Learn about keeping Windows 10 and Windows 10 Mobile secure.

[Protect derived domain credentials with Credential Guard](credential-guard.md)

-

Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket by protecting NTLM password hashes and Kerberos Ticket Granting Tickets.

+

Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes and Kerberos Ticket Granting Tickets.

[Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md)

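Review bot: casing is inconsistent in the new sentence of the index.md hunk, "Pass-the-Hash" sits next to "Pass-The-Ticket"; pick one form. The split into two sentences is correct and fixes the original's misplaced "by protecting NTLM password hashes..." clause, which had attached the protection to the attacks instead of to Credential Guard. The unchanged context link just below it goes to `use-windows-event-forwarding-to-assist-in-instrusion-detection.md`; "instrusion" is presumably the real filename since the link is untouched, but it is worth confirming once while link targets are being edited.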
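Review bot: in the edit-an-applocker-policy.md hunk the two `##` heading lines are replaced by text that reads identically, while the list links above them now point at `#bkmk-editapppolingpo` and `#bkmk-editapplolnotingpo`. Nothing in the visible diff defines those anchors, and a heading "Editing an AppLocker policy by using Group Policy" auto-slugs to `#editing-an-applocker-policy-by-using-group-policy`, not to a `bkmk-` id. If the heading edit is removing an explicit `id="BKMK_EditAppPolinGPO"` anchor (or only trailing whitespace), state that in the commit message and check that the lowercased, hyphenated anchor still resolves in the rendered page; otherwise both links break.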
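Review bot: `administer-applocker.md#bkmk-using-snapins` in the edit-applocker-rules.md and enable-the-dll-rule-collection.md hunks is a cross-file anchor whose definition is not in the visible diff; it needs the matching lowercase id in administer-applocker.md in the same commit, or both pages link to a heading that no longer exists.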
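Review bot: same concern for the three heading edits in the how-to-configure-security-policy-settings.md hunks: the list links were changed to `#bkmk-local`, `#bkmk-domain` and `#bkmk-dc`, but the `##` lines they should land on show no visible change and carry no `bkmk` id, so confirm the anchors still exist after the rewrite rather than assuming the rename is a no-op.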
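Review bot: the implement-microsoft-passport-in-your-organization.md hunk rewrites the cross-file link `prepare-people-to-use-microsoft-passport.md#bmk-remote` in three places, but that target file is not part of the visible diff. The anchor is spelled `bmk`, not `bkmk` like every other bookmark in this patch; keep it only if it matches the id actually defined in the target file, and verify the three links in the rendered output.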
diff --git a/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md b/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md index 6820750d6f..741bc28561 100644 --- a/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md +++ b/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md @@ -17,7 +17,7 @@ author: brianlic-msft This topic for the IT professional describes how to initialize and set the ownership the Trusted Platform Module (TPM), turn the TPM on and off, and clear TPM keys. It also explains how to troubleshoot issues that you might encounter as a result of using these procedures. -## About TPM initialization and ownership +## About TPM initialization and ownership The TPM must be initialized and ownership must be taken before it can be used to help secure your computer. The owner of the TPM is the user who possesses the owner password and is able to set it and change it. Only one owner password exists per TPM. The owner of the TPM can make full use of TPM capabilities. Taking ownership of the TPM can be done as part of the initialization process. 
@@ -26,17 +26,17 @@ When you start the TPM Initialization Wizard, which is accessed through the TPM This topic contains procedures for the following tasks: -- [Initialize the TPM and set ownership](#BKMK_InitializeTPM) +- [Initialize the TPM and set ownership](#bkmk-initializetpm) -- [Troubleshoot TPM initialization](#BKMK_TroubleshootInit) +- [Troubleshoot TPM initialization](#bkmk-troubleshootinit) -- [Turn on or turn off the TPM](#BKMK_onoff) +- [Turn on or turn off the TPM](#bkmk-onoff) -- [Clear all the keys from the TPM](#BKMK_clear1) +- [Clear all the keys from the TPM](#bkmk-clear1) -- [Use the TPM cmdlets](#BKMK_TPMcmdlets) +- [Use the TPM cmdlets](#bkmk-tpmcmdlets) -## Initialize the TPM and set ownership +## Initialize the TPM and set ownership Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. In addition, the computer must be equipped with a Trusted Computing Group-compliant BIOS. @@ -50,7 +50,7 @@ Membership in the local Administrators group, or equivalent, is the minimum requ 3. If the TPM has never been initialized or is turned off, the TPM Initialization Wizard displays the **Turn on the TPM security hardware** dialog box. This dialog box provides guidance for initializing or turning on the TPM. Follow the instructions in the wizard. **Note**   - If the TPM is already turned on, the TPM Initialization Wizard displays the **Create the TPM owner password** dialog box. Skip the remainder of this procedure and continue with the [To set ownership of the TPM](#BKMK_SetOwnership) procedure. + If the TPM is already turned on, the TPM Initialization Wizard displays the **Create the TPM owner password** dialog box. Skip the remainder of this procedure and continue with the [To set ownership of the TPM](#bkmk-setownership) procedure.   
@@ -78,7 +78,7 @@ To finish initializing the TPM for use, you must set an owner for the TPM. The p **To set ownership of the TPM** -1. If you are not continuing immediately from the last procedure, start the TPM Initialization Wizard. If you need to review the steps to do so, see the previous procedure [To start the TPM Initialization Wizard](#BKMK_StartTPMinitWizard). +1. If you are not continuing immediately from the last procedure, start the TPM Initialization Wizard. If you need to review the steps to do so, see the previous procedure [To start the TPM Initialization Wizard](#bkmk-starttpminitwizard). 2. In the **Create the TPM owner password** dialog box, click **Automatically create the password (recommended)**. @@ -112,7 +112,7 @@ To finish initializing the TPM for use, you must set an owner for the TPM. The p   -## Troubleshoot TPM initialization +## Troubleshoot TPM initialization Managing the Trusted Platform Module (TPM) is usually a straightforward procedure. If are unable to complete the initialization procedure, review the following information: @@ -150,7 +150,7 @@ Managing the Trusted Platform Module (TPM) is usually a straightforward procedur   -- If the TPM has been previously initialized and you do not have the owner password, you may have to clear or reset the TPM to the factory default values. For more information, see [Clear all the keys from the TPM](#BKMK_clear1). +- If the TPM has been previously initialized and you do not have the owner password, you may have to clear or reset the TPM to the factory default values. For more information, see [Clear all the keys from the TPM](#bkmk-clear1). **Caution**   Clearing the TPM can result in data loss. To avoid data loss, make sure that you have a backup or recovery method for any data that is protected or encrypted by the TPM. 
@@ -173,12 +173,12 @@ In either case, an error message appears, and you cannot complete the initializa Some systems may have multiple TPMs and the active TPM may be toggled in the BIOS. Windows 10 does not support this behavior. If you switch TPMs, functionality that depends on the TPM will not work with the new TPM unless it is cleared and put through provisioning. Performing this clear may cause data loss, in particular of keys and certificates associated with the previous TPM. For example, toggling TPMs will cause Bitlocker to enter recovery mode. It is strongly recommended that, on systems with two TPMs, one TPM is selected to be used and the selection is not changed. -## Turn on or turn off the TPM +## Turn on or turn off the TPM Normally, the TPM is turned on as part of the TPM initialization process. You do not normally need to turn the TPM on or off. However, if necessary you can do so by using the TPM MMC. -### Turn on the TPM +### Turn on the TPM If the TPM has been initialized but has never been used, or if you want to use the TPM after you have turned it off, you can use the following procedure to turn on the TPM. @@ -192,7 +192,7 @@ If the TPM has been initialized but has never been used, or if you want to use t After the computer restarts, but before you sign in to Windows, you will be prompted to accept the reconfiguration of the TPM. This ensures that the user has physical access to the computer and that malicious software is not attempting to make changes to the TPM. -### Turn off the TPM +### Turn off the TPM If you want to stop using the services that are provided by the TPM, you can use the TPM MMC to turn off the TPM. If you have the TPM owner password, physical access to the computer is not required to turn off the TPM. If you do not have the TPM owner password, you must have physical access to the computer to turn off the TPM. 
@@ -210,7 +210,7 @@ If you want to stop using the services that are provided by the TPM, you can use - If you do not know your TPM owner password, click **I do not have the TPM owner password**, and follow the instructions that are provided in the dialog box and subsequent BIOS screens to turn off the TPM without entering the password. -## Clear all the keys from the TPM +## Clear all the keys from the TPM Clearing the TPM resets it to an unowned state. After clearing the TPM, you need to complete the TPM initialization process before using software that relies on the TPM, such as BitLocker Drive Encryption. By default, the TPM is initialized automatically. @@ -256,7 +256,7 @@ Membership in the local Administrators group, or equivalent, is the minimum requ The status of your TPM is displayed under **Status** in TPM MMC. -## Use the TPM cmdlets +## Use the TPM cmdlets If you are using Windows PowerShell to manage your computers, you can also manage the TPM by using Windows PowerShell. To install the TPM cmdlets, type the following command: @@ -268,7 +268,7 @@ For details about the individual cmdlets, see [TPM Cmdlets in Windows PowerShell ## Additional resources -For more info about TPM, see [Trusted Platform Module Technology Overview](trusted-platform-module-technology-overview.md#BKMK_AdditionalResources). +For more info about TPM, see [Trusted Platform Module Technology Overview](trusted-platform-module-technology-overview.md#bkmk-additionalresources).   diff --git a/windows/keep-secure/installing-digital-certificates-on-windows-10-mobile.md b/windows/keep-secure/installing-digital-certificates-on-windows-10-mobile.md index fa9a207f95..76b8b703ea 100644 --- a/windows/keep-secure/installing-digital-certificates-on-windows-10-mobile.md +++ b/windows/keep-secure/installing-digital-certificates-on-windows-10-mobile.md 
@@ -18,10 +18,10 @@ author: brianlic-msft **In this article** -- [Install certificates using Internet Explorer](#install_certificates_using_internet_explorer) -- [Install certificates using email](#install_certificates_using_email) -- [Install certificates using mobile device management (MDM)](#install_certificates_using_mobile_device_management__mdm_) -- [Related topics](#related_topics) +- [Install certificates using Internet Explorer](#install-certificates-using-internet-explorer) +- [Install certificates using email](#install-certificates-using-email) +- [Install certificates using mobile device management (MDM)](#install-certificates-using-mobile-device-management--mdm-) +- [Related topics](#related-topics) Digital certificates bind the identity of a user or computer to a pair of keys that can be used to encrypt and sign digital information. Certificates are issued by a certification authority (CA) that vouches for the identity of the certificate holder, and they enable secure client communications with websites and services. diff --git a/windows/keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md b/windows/keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md index fb6820cfbe..d7a596056b 100644 --- a/windows/keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md +++ b/windows/keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md 
@@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, and security considerations for the **Interactive logon: Display user information when the session is locked** security policy setting. diff --git a/windows/keep-secure/interactive-logon-do-not-display-last-user-name.md b/windows/keep-secure/interactive-logon-do-not-display-last-user-name.md index a56171b97b..0f56b85970 100644 --- a/windows/keep-secure/interactive-logon-do-not-display-last-user-name.md +++ b/windows/keep-secure/interactive-logon-do-not-display-last-user-name.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, and security considerations for the **Interactive logon: Do not display last user name** security policy setting. diff --git a/windows/keep-secure/interactive-logon-do-not-require-ctrl-alt-del.md b/windows/keep-secure/interactive-logon-do-not-require-ctrl-alt-del.md index 71380ed60c..ace634e3cc 100644 --- a/windows/keep-secure/interactive-logon-do-not-require-ctrl-alt-del.md +++ b/windows/keep-secure/interactive-logon-do-not-require-ctrl-alt-del.md 
@@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, and security considerations for the **Interactive logon: Do not require CTRL+ALT+DEL** security policy setting. diff --git a/windows/keep-secure/interactive-logon-machine-account-lockout-threshold.md b/windows/keep-secure/interactive-logon-machine-account-lockout-threshold.md index db067c7d3c..760a19fd48 100644 --- a/windows/keep-secure/interactive-logon-machine-account-lockout-threshold.md +++ b/windows/keep-secure/interactive-logon-machine-account-lockout-threshold.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, management, and security considerations for the **Interactive logon: Machine account lockout threshold** security policy setting. 
@@ -37,7 +37,7 @@ Failed password attempts on workstations or member servers that have been locked You can set the **invalid logon attempts** value between 1 and 999. Values from 1 to 3 are interpreted as 4. If you set the value to 0, or leave blank, the computer or device will never be locked as a result of this policy setting. -### Best practices +### Best practices Use this policy setting in conjunction with your other failed account logon attempts policy. For example, if the [Account lockout threshold](account-lockout-threshold.md) policy setting is set at 4, then setting **Interactive logon: Machine account lockout threshold** at 6 allows the user to restore access to resources without having to restore access to the device resulting from a BitLocker lock out. diff --git a/windows/keep-secure/interactive-logon-machine-inactivity-limit.md b/windows/keep-secure/interactive-logon-machine-inactivity-limit.md index 7a59fe20bd..2fcef3d8e2 100644 --- a/windows/keep-secure/interactive-logon-machine-inactivity-limit.md +++ b/windows/keep-secure/interactive-logon-machine-inactivity-limit.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, management, and security considerations for the **Interactive logon: Machine inactivity limit** security policy setting. diff --git a/windows/keep-secure/interactive-logon-message-text-for-users-attempting-to-log-on.md b/windows/keep-secure/interactive-logon-message-text-for-users-attempting-to-log-on.md index e1c12b8959..587ca5a72e 100644 --- a/windows/keep-secure/interactive-logon-message-text-for-users-attempting-to-log-on.md 
+++ b/windows/keep-secure/interactive-logon-message-text-for-users-attempting-to-log-on.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, management, and security considerations for the **Interactive logon: Message text for users attempting to log on** security policy setting. diff --git a/windows/keep-secure/interactive-logon-message-title-for-users-attempting-to-log-on.md b/windows/keep-secure/interactive-logon-message-title-for-users-attempting-to-log-on.md index a15627e5fa..85aa67ffbf 100644 --- a/windows/keep-secure/interactive-logon-message-title-for-users-attempting-to-log-on.md +++ b/windows/keep-secure/interactive-logon-message-title-for-users-attempting-to-log-on.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Message title for users attempting to log on** security policy setting. diff --git a/windows/keep-secure/interactive-logon-number-of-previous-logons-to-cache--in-case-domain-controller-is-not-available.md b/windows/keep-secure/interactive-logon-number-of-previous-logons-to-cache--in-case-domain-controller-is-not-available.md index e732280971..b1223a95a3 100644 
--- a/windows/keep-secure/interactive-logon-number-of-previous-logons-to-cache--in-case-domain-controller-is-not-available.md +++ b/windows/keep-secure/interactive-logon-number-of-previous-logons-to-cache--in-case-domain-controller-is-not-available.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Number of previous logons to cache (in case domain controller is not available)** security policy setting. diff --git a/windows/keep-secure/interactive-logon-prompt-user-to-change-password-before-expiration.md b/windows/keep-secure/interactive-logon-prompt-user-to-change-password-before-expiration.md index 555f1f9fb8..afaf12f2f1 100644 --- a/windows/keep-secure/interactive-logon-prompt-user-to-change-password-before-expiration.md +++ b/windows/keep-secure/interactive-logon-prompt-user-to-change-password-before-expiration.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Prompt user to change password before expiration** security policy setting. 
diff --git a/windows/keep-secure/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md b/windows/keep-secure/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md index 82694f484f..5686105d6e 100644 --- a/windows/keep-secure/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md +++ b/windows/keep-secure/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management, and security considerations for the **Interactive logon: Require Domain Controller authentication to unlock workstation** security policy setting. diff --git a/windows/keep-secure/interactive-logon-require-smart-card.md b/windows/keep-secure/interactive-logon-require-smart-card.md index 79e788892e..28f82c0eff 100644 --- a/windows/keep-secure/interactive-logon-require-smart-card.md +++ b/windows/keep-secure/interactive-logon-require-smart-card.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Require smart card** security policy setting. 
diff --git a/windows/keep-secure/interactive-logon-smart-card-removal-behavior.md b/windows/keep-secure/interactive-logon-smart-card-removal-behavior.md index 45a2ccc82b..a92e17a6ea 100644 --- a/windows/keep-secure/interactive-logon-smart-card-removal-behavior.md +++ b/windows/keep-secure/interactive-logon-smart-card-removal-behavior.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Smart card removal behavior** security policy setting. diff --git a/windows/keep-secure/load-and-unload-device-drivers.md b/windows/keep-secure/load-and-unload-device-drivers.md index c6fdb2f8bb..8a28296a0f 100644 --- a/windows/keep-secure/load-and-unload-device-drivers.md +++ b/windows/keep-secure/load-and-unload-device-drivers.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management, and security considerations for the **Load and unload device drivers** security policy setting. diff --git a/windows/keep-secure/lock-pages-in-memory.md b/windows/keep-secure/lock-pages-in-memory.md index c50b635bbb..ed755f625f 100644 --- a/windows/keep-secure/lock-pages-in-memory.md +++ b/windows/keep-secure/lock-pages-in-memory.md 
@@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management, and security considerations for the **Lock pages in memory** security policy setting. diff --git a/windows/keep-secure/log-on-as-a-batch-job.md b/windows/keep-secure/log-on-as-a-batch-job.md index 4dc6a414dc..d3ae984616 100644 --- a/windows/keep-secure/log-on-as-a-batch-job.md +++ b/windows/keep-secure/log-on-as-a-batch-job.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management, and security considerations for the **Log on as a batch job** security policy setting. diff --git a/windows/keep-secure/log-on-as-a-service.md b/windows/keep-secure/log-on-as-a-service.md index 7e59e654fb..dda592fd8a 100644 --- a/windows/keep-secure/log-on-as-a-service.md +++ b/windows/keep-secure/log-on-as-a-service.md 
@@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management, and security considerations for the **Log on as a service** security policy setting. diff --git a/windows/keep-secure/maintain-applocker-policies.md b/windows/keep-secure/maintain-applocker-policies.md index 414005ff42..edc7834283 100644 --- a/windows/keep-secure/maintain-applocker-policies.md +++ b/windows/keep-secure/maintain-applocker-policies.md @@ -33,9 +33,9 @@ Common AppLocker maintenance scenarios include: There are two methods you can use to maintain AppLocker policies: -- [Maintaining AppLocker policies by using Group Policy](#BKMK_AppLkr_Use_GP) +- [Maintaining AppLocker policies by using Group Policy](#bkmk-applkr-use-gp) -- [Maintaining AppLocker policies on the local computer](#BKMK_AppLkr_Use_LocSnapin) +- [Maintaining AppLocker policies on the local computer](#bkmk-applkr-use-locsnapin) As new apps are deployed or existing apps are removed by your organization or updated by the software publisher, you might need to make revisions to your rules and update the Group Policy Object (GPO) to ensure that your policy is current. @@ -46,7 +46,7 @@ You should not edit an AppLocker rule collection while it is being enforced in G   -## Maintaining AppLocker policies by using Group Policy +## Maintaining AppLocker policies by using Group Policy For every scenario, the steps to maintain an AppLocker policy distributed by Group Policy include the following tasks. 
@@ -85,7 +85,7 @@ After testing, import the AppLocker policy back into the GPO for implementation. After deploying a policy, evaluate the policy's effectiveness. -## Maintaining AppLocker policies by using the Local Security Policy snap-in +## Maintaining AppLocker policies by using the Local Security Policy snap-in For every scenario, the steps to maintain an AppLocker policy by using the Local Group Policy Editor or the Local Security Policy snap-in include the following tasks. diff --git a/windows/keep-secure/manage-auditing-and-security-log.md b/windows/keep-secure/manage-auditing-and-security-log.md index 790b808273..7b520ae9d3 100644 --- a/windows/keep-secure/manage-auditing-and-security-log.md +++ b/windows/keep-secure/manage-auditing-and-security-log.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management, and security considerations for the **Manage auditing and security log** security policy setting. diff --git a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md b/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md index 4cf37232e2..982188c6e2 100644 --- a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md +++ b/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md 
@@ -19,11 +19,11 @@ author: brianlic-msft **In this article** -- [Benefits of Microsoft Passport](#benefits_of_microsoft_passport) -- [How Microsoft Passport works: key points](#how_microsoft_passport_works__key_points) -- [Comparing key-based and certificate-based authentication](#comparing_key-based_and_certificate-based_authentication) -- [Learn more](#learn_more) -- [Related topics](#related_topics) +- [Benefits of Microsoft Passport](#benefits-of-microsoft-passport) +- [How Microsoft Passport works: key points](#how-microsoft-passport-works--key-points) +- [Comparing key-based and certificate-based authentication](#comparing-key-based-and-certificate-based-authentication) +- [Learn more](#learn-more) +- [Related topics](#related-topics) In Windows 10, Microsoft Passport replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a Windows Hello (biometric) or PIN. 
@@ -66,7 +66,7 @@ Imagine that someone is looking over your shoulder as you get money from an ATM Passport helps protect user identities and user credentials. Because no passwords are used, it helps circumvent phishing and brute force attacks. It also helps prevent server breaches because Passport credentials are an asymmetric key pair, which helps prevent replay attacks when these keys are generated within isolated environments of TPMs. -Microsoft Passport also enables Windows 10 Mobile devices to be used as [a remote credential](prepare-people-to-use-microsoft-passport.md#BMK_remote) when signing into Windows 10 PCs. During the sign-in process, the Windows 10 PC can connect using Bluetooth to access Microsoft Passport on the user’s Windows 10 Mobile device. Because users carry their phone with them, Microsoft Passport makes implementing two-factor authentication across the enterprise less costly and complex than other solutions. +Microsoft Passport also enables Windows 10 Mobile devices to be used as [a remote credential](prepare-people-to-use-microsoft-passport.md#bmk-remote) when signing into Windows 10 PCs. During the sign-in process, the Windows 10 PC can connect using Bluetooth to access Microsoft Passport on the user’s Windows 10 Mobile device. Because users carry their phone with them, Microsoft Passport makes implementing two-factor authentication across the enterprise less costly and complex than other solutions. **Note**  Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants. diff --git a/windows/keep-secure/manage-packaged-apps-with-applocker.md b/windows/keep-secure/manage-packaged-apps-with-applocker.md index e22d3f55e4..0db2b96b96 100644 --- a/windows/keep-secure/manage-packaged-apps-with-applocker.md +++ b/windows/keep-secure/manage-packaged-apps-with-applocker.md 
@@ -29,7 +29,7 @@ AppLocker supports only publisher rules for packaged apps. All packaged apps mus Typically, an app consists of multiple components: the installer that is used to install the app, and one or more exes, dlls, or scripts. With classic Windows apps, not all these components always share common attributes such as the software’s publisher name, product name, and product version. Therefore, AppLocker controls each of these components separately through different rule collections, such as exe, dll, script, and Windows Installer rules. In contrast, all the components of a packaged app share the same publisher name, package name, and package version attributes. Therefore, you can control an entire app with a single rule. -### Comparing classic Windows apps and packaged apps +### Comparing classic Windows apps and packaged apps AppLocker policies for packaged apps can only be applied to apps installed on computers running at least Windows Server 2012 or Windows 8, but classic Windows apps can be controlled on devices running at least Windows Server 2008 R2 or Windows 7. The rules for classic Windows apps and packaged apps can be enforced in tandem. The differences between packaged apps and classic Windows apps that you should consider include: diff --git a/windows/keep-secure/manage-tpm-commands.md b/windows/keep-secure/manage-tpm-commands.md index d7ea8add94..d833568317 100644 --- a/windows/keep-secure/manage-tpm-commands.md +++ b/windows/keep-secure/manage-tpm-commands.md 
@@ -17,16 +17,16 @@ author: brianlic-msft This topic for the IT professional describes how to manage which Trusted Platform Module (TPM) commands are available to domain users and to local users. -## +## After a computer user takes ownership of the TPM, the TPM owner can limit which TPM commands can be run by creating a list of blocked TPM commands. The list can be created and applied to all computers in a domain by using Group Policy, or a list can be created for individual computers by using the TPM MMC. Because some hardware vendors might provide additional commands or the Trusted Computing Group may decide to add commands in the future, the TPM MMC also supports the ability to block new commands. -Domain administrators can configure a list of blocked TPM commands by using Group Policy. Local administrators cannot allow TPM commands that are blocked through Group Policy. For more information about this Group Policy setting, see [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md#BKMK_tpmgp_clbtc). +Domain administrators can configure a list of blocked TPM commands by using Group Policy. Local administrators cannot allow TPM commands that are blocked through Group Policy. For more information about this Group Policy setting, see [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md#bkmk-tpmgp-clbtc). Local administrators can block commands by using the TPM MMC, and commands on the default block list are also blocked unless the Group Policy settings are changed from the default settings. -Two policy settings control the enforcement which allows TPM commands to run. For more information about these policy settings, see [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md#BKMK_tpmgp_idlb). +Two policy settings control the enforcement which allows TPM commands to run. 
For more information about these policy settings, see [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md#bkmk-tpmgp-idlb). The following procedures describe how to manage the TPM command lists. You must be a member of the local Administrators group. @@ -82,7 +82,7 @@ The following procedures describe how to manage the TPM command lists. You must 4. In the **Command Number** text box, type the number of the new command that you want to block, and then click **OK**. The command number you entered is added to the blocked list. -## Use the TPM cmdlets +## Use the TPM cmdlets If you are using Windows PowerShell to manage your computers, you can also manage the TPM by using Windows PowerShell. To install the TPM cmdlets, type the following command: @@ -94,7 +94,7 @@ For details about the individual cmdlets, see [TPM Cmdlets in Windows PowerShell ## Additional resources -For more info about TPM, see [Trusted Platform Module technology overview](trusted-platform-module-technology-overview.md#BKMK_AdditionalResources). +For more info about TPM, see [Trusted Platform Module technology overview](trusted-platform-module-technology-overview.md#bkmk-additionalresources).   diff --git a/windows/keep-secure/manage-tpm-lockout.md b/windows/keep-secure/manage-tpm-lockout.md index fcce268307..cd4748f94d 100644 --- a/windows/keep-secure/manage-tpm-lockout.md +++ b/windows/keep-secure/manage-tpm-lockout.md 
@@ -17,7 +17,7 @@ author: brianlic-msft This topic for the IT professional describes how to manage the lockout feature for the Trusted Platform Module (TPM) in Windows. -## About TPM lockout +## About TPM lockout The TPM will lock itself to prevent tampering or malicious attacks. TPM lockout often lasts for a variable amount of time or until the computer is turned off. While the TPM is in lockout mode, it generally returns an error message when it receives commands that require an authorization value. One exception is that the TPM always allows the owner at least one attempt to reset the TPM lockout when it is in lockout mode. 
@@ -59,21 +59,21 @@ The TPM Group Policy settings in the following list are located at: **Computer Configuration\\Administrative Templates\\System\\Trusted Platform Module Services\\** -- [Standard User Lockout Duration](trusted-platform-module-services-group-policy-settings.md#BKMK_Individual) +- [Standard User Lockout Duration](trusted-platform-module-services-group-policy-settings.md#bkmk-individual) This policy setting allows you to manage the duration in minutes for counting standard user authorization failures for TPM commands that require authorization. An authorization failure occurs each time a user sends a command to the TPM and receives an error message that indicates an authorization failure occurred. Authorization failures that are older than the duration you set are ignored. If the number of TPM commands with an authorization failure within the lockout duration equals a threshold, the user is prevented from sending commands to the TPM that require authorization. -- [Standard User Individual Lockout Threshold](trusted-platform-module-services-group-policy-settings.md#BKMK_tpmgp_suld) +- [Standard User Individual Lockout Threshold](trusted-platform-module-services-group-policy-settings.md#bkmk-tpmgp-suld) This policy setting allows you to manage the maximum number of authorization failures for the TPM for each user. This value is the maximum number of authorization failures that each user can have before the user is not allowed to send commands to the TPM that require authorization. If the number of authorization failures equals the duration that is set for the policy setting, the user is prevented from sending commands to the TPM that require authorization. 
-- [Standard User Total Lockout Threshold](trusted-platform-module-services-group-policy-settings.md#BKMK_Total) +- [Standard User Total Lockout Threshold](trusted-platform-module-services-group-policy-settings.md#bkmk-total) This policy setting allows you to manage the maximum number of authorization failures for the TPM for all standard users. If the total number of authorization failures for all users equals the duration that is set for the policy, all users are prevented from sending commands to the TPM that require authorization. -For information about mitigating dictionary attacks that use the lockout settings, see [TPM fundamentals](tpm-fundamentals-windows-8.md#BKMK_HowTPMmitigates). +For information about mitigating dictionary attacks that use the lockout settings, see [TPM fundamentals](tpm-fundamentals-windows-8.md#bkmk-howtpmmitigates). -## Use the TPM cmdlets +## Use the TPM cmdlets If you are using Windows PowerShell to manage your computers, you can also manage the TPM by using Windows PowerShell. To install the TPM cmdlets, type the following command: @@ -85,7 +85,7 @@ For details about the individual cmdlets, see [TPM Cmdlets in Windows PowerShell ## Additional resources -For more info about TPM, see [TPM technology overview](trusted-platform-module-technology-overview.md#BKMK_AdditionalResources). +For more info about TPM, see [TPM technology overview](trusted-platform-module-technology-overview.md#bkmk-additionalresources).   diff --git a/windows/keep-secure/maximum-lifetime-for-service-ticket.md b/windows/keep-secure/maximum-lifetime-for-service-ticket.md index 468220e102..f10a2388a0 100644 --- a/windows/keep-secure/maximum-lifetime-for-service-ticket.md +++ b/windows/keep-secure/maximum-lifetime-for-service-ticket.md 
@@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management, and security considerations for the **Maximum lifetime for service ticket** security policy setting. diff --git a/windows/keep-secure/maximum-lifetime-for-user-ticket-renewal.md b/windows/keep-secure/maximum-lifetime-for-user-ticket-renewal.md index 997636766b..02b454e1be 100644 --- a/windows/keep-secure/maximum-lifetime-for-user-ticket-renewal.md +++ b/windows/keep-secure/maximum-lifetime-for-user-ticket-renewal.md @@ -18,8 +18,8 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management, and security considerations for the **Maximum lifetime for user ticket renewal** security policy setting. diff --git a/windows/keep-secure/maximum-lifetime-for-user-ticket.md b/windows/keep-secure/maximum-lifetime-for-user-ticket.md index c2fa9dcfe8..5369012f1e 100644 --- a/windows/keep-secure/maximum-lifetime-for-user-ticket.md +++ b/windows/keep-secure/maximum-lifetime-for-user-ticket.md 
@@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management, and security considerations for the **Maximum lifetime for user ticket** policy setting. diff --git a/windows/keep-secure/maximum-password-age.md b/windows/keep-secure/maximum-password-age.md index 7637387b0b..c27fdd455f 100644 --- a/windows/keep-secure/maximum-password-age.md +++ b/windows/keep-secure/maximum-password-age.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management, and security considerations for the **Maximum password age** security policy setting. diff --git a/windows/keep-secure/maximum-tolerance-for-computer-clock-synchronization.md b/windows/keep-secure/maximum-tolerance-for-computer-clock-synchronization.md index a514fe5f0a..f8f79f84bf 100644 --- a/windows/keep-secure/maximum-tolerance-for-computer-clock-synchronization.md +++ b/windows/keep-secure/maximum-tolerance-for-computer-clock-synchronization.md 
@@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management, and security considerations for the **Maximum tolerance for computer clock synchronization** security policy setting. diff --git a/windows/keep-secure/microsoft-network-client-digitally-sign-communications--always.md b/windows/keep-secure/microsoft-network-client-digitally-sign-communications--always.md index e3b2a88584..64163e2632 100644 --- a/windows/keep-secure/microsoft-network-client-digitally-sign-communications--always.md +++ b/windows/keep-secure/microsoft-network-client-digitally-sign-communications--always.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management and security considerations for the **Microsoft network client: Digitally sign communications (always)** security policy setting. diff --git a/windows/keep-secure/microsoft-network-client-digitally-sign-communications--if-server-agrees.md b/windows/keep-secure/microsoft-network-client-digitally-sign-communications--if-server-agrees.md index 2aa0518b53..8d35639bcc 100644 --- a/windows/keep-secure/microsoft-network-client-digitally-sign-communications--if-server-agrees.md +++ b/windows/keep-secure/microsoft-network-client-digitally-sign-communications--if-server-agrees.md 
@@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, and security considerations for the **Microsoft network client: Digitally sign communications (if server agrees)** security policy setting. diff --git a/windows/keep-secure/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md b/windows/keep-secure/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md index 779903570f..10c2b01f17 100644 --- a/windows/keep-secure/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md +++ b/windows/keep-secure/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management and security considerations for the **Microsoft network client: Send unencrypted password to third-party SMB servers** security policy setting. diff --git a/windows/keep-secure/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md b/windows/keep-secure/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md index 3eab4db737..2ef6e8aff2 100644 --- a/windows/keep-secure/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md 
+++ b/windows/keep-secure/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, and security considerations for the **Microsoft network server: Amount of idle time required before suspending session** security policy setting. diff --git a/windows/keep-secure/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md b/windows/keep-secure/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md index b3eb315014..52f56df697 100644 --- a/windows/keep-secure/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md +++ b/windows/keep-secure/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, management, and security considerations for the **Microsoft network server: Attempt S4U2Self to obtain claim information** security policy setting. diff --git a/windows/keep-secure/microsoft-network-server-digitally-sign-communications--always.md b/windows/keep-secure/microsoft-network-server-digitally-sign-communications--always.md index f72ee069f2..1958cb3d0d 100644 --- a/windows/keep-secure/microsoft-network-server-digitally-sign-communications--always.md 
+++ b/windows/keep-secure/microsoft-network-server-digitally-sign-communications--always.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (always)** security policy setting. diff --git a/windows/keep-secure/microsoft-network-server-digitally-sign-communications--if-client-agrees.md b/windows/keep-secure/microsoft-network-server-digitally-sign-communications--if-client-agrees.md index 7bb55132a9..b1175da29e 100644 --- a/windows/keep-secure/microsoft-network-server-digitally-sign-communications--if-client-agrees.md +++ b/windows/keep-secure/microsoft-network-server-digitally-sign-communications--if-client-agrees.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (if client agrees)** security policy setting. diff --git a/windows/keep-secure/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md b/windows/keep-secure/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md index e85fdefc6e..5645bc96b5 100644 --- a/windows/keep-secure/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md 
+++ b/windows/keep-secure/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, and security considerations for the **Microsoft network server: Disconnect clients when logon hours expire** security policy setting. diff --git a/windows/keep-secure/microsoft-network-server-server-spn-target-name-validation-level.md b/windows/keep-secure/microsoft-network-server-server-spn-target-name-validation-level.md index 5ee2152c28..7f3351eca4 100644 --- a/windows/keep-secure/microsoft-network-server-server-spn-target-name-validation-level.md +++ b/windows/keep-secure/microsoft-network-server-server-spn-target-name-validation-level.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, and values, policy management and security considerations for the **Microsoft network server: Server SPN target name validation level** security policy setting. diff --git a/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md b/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md index 3442d53d2e..8116bf4c11 100644 --- a/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md +++ b/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md 
@@ -19,10 +19,10 @@ author: brianlic-msft **In this article** -- [Where is the error code?](#where_is_the_error_code_) -- [Error mitigations](#error_mitigations) -- [Errors with unknown mitigation](#errors_with_unknown_mitigation) -- [Related topics](#related_topics) +- [Where is the error code?](#where-is-the-error-code-) +- [Error mitigations](#error-mitigations) +- [Errors with unknown mitigation](#errors-with-unknown-mitigation) +- [Related topics](#related-topics) When you set up Microsoft Passport in Windows 10, you may get an error during the **Create a work PIN** step. This topic lists some of the error codes with recommendations for mitigating the problem. If you get an error code that is not listed here, contact Microsoft Support. 
@@ -44,9 +44,9 @@ When a user encounters an error when creating the work PIN, advise the user to t 3. Reboot the device and then try to create the PIN again. -4. Unjoin the device from Azure Active Directory (Azure AD), rejoin, and then try to create the PIN again. +4. Unjoin the device from Azure Active Directory (Azure AD), rejoin, and then try to create the PIN again. To unjoin a desktop PC, go to **Settings** > **System** > **About** and select **Disconnect from organization**. To unjoin a device running Windows 10 Mobile, you must [reset the device](http://go.microsoft.com/fwlink/p/?LinkId=715697). -5. On mobile devices, if you are unable to setup a PIN after multiple attempts, reset your device and start over. For help on how to reset your phone go to [Reset my phone](http://go.microsoft.com/fwlink/p/?LinkId=715697) +5. On mobile devices, if you are unable to setup a PIN after multiple attempts, reset your device and start over. For help on how to reset your phone go to [Reset my phone](http://go.microsoft.com/fwlink/p/?LinkId=715697). If the error occurs again, check the error code against the following table to see if there is another mitigation for that error. When no mitigation is listed in the table, contact Microsoft Support for assistance. 
@@ -151,17 +151,17 @@ If the error occurs again, check the error code against the following table to s 0x801C0016 The federation provider configuration is empty -Go to [http://clientconfig.microsoftonline-p.net/FPURL.xml](http://clientconfig.microsoftonline-p.net/FPURL.xml" class="uri) and verify that the file is not empty. +Go to [http://clientconfig.microsoftonline-p.net/FPURL.xml](http://clientconfig.microsoftonline-p.net/FPURL.xml) and verify that the file is not empty. 0x801C0017 ​The federation provider domain is empty -Go to [http://clientconfig.microsoftonline-p.net/FPURL.xml](http://clientconfig.microsoftonline-p.net/FPURL.xml" class="uri) and verify that the FPDOMAINNAME element is not empty. +Go to [http://clientconfig.microsoftonline-p.net/FPURL.xml](http://clientconfig.microsoftonline-p.net/FPURL.xml) and verify that the FPDOMAINNAME element is not empty. 0x801C0018 The federation provider client configuration URL is empty -Go to [http://clientconfig.microsoftonline-p.net/FPURL.xml](http://clientconfig.microsoftonline-p.net/FPURL.xml" class="uri) and verify that the CLIENTCONFIG element contains a valid URL. +Go to [http://clientconfig.microsoftonline-p.net/FPURL.xml](http://clientconfig.microsoftonline-p.net/FPURL.xml) and verify that the CLIENTCONFIG element contains a valid URL. 0x801C03E9 diff --git a/windows/keep-secure/microsoft-passport-guide.md b/windows/keep-secure/microsoft-passport-guide.md index 275089764a..c1d916fa4e 100644 --- a/windows/keep-secure/microsoft-passport-guide.md +++ b/windows/keep-secure/microsoft-passport-guide.md 
@@ -18,13 +18,13 @@ author: brianlic-msft **In this article** -- [Problems with traditional credentials](#problems_with_traditional_credentials) -- [Solve credential problems](#solve_credential_problems) -- [What is Windows Hello?](#what_is_windows_hello_) -- [What is Microsoft Passport?](#what_is_microsoft_passport_) -- [How Microsoft Passport works](#how_microsoft_passport_works) +- [Problems with traditional credentials](#problems-with-traditional-credentials) +- [Solve credential problems](#solve-credential-problems) +- [What is Windows Hello?](#what-is-windows-hello-) +- [What is Microsoft Passport?](#what-is-microsoft-passport-) +- [How Microsoft Passport works](#how-microsoft-passport-works) - [Design a Microsoft Passport for Work deployment](#design) -- [Implement Microsoft Passport](#implement_microsoft_passport) +- [Implement Microsoft Passport](#implement-microsoft-passport) - [Roadmap](#roadmap) This guide describes the new Windows Hello and Microsoft Passport technologies that are part of the Windows 10 operating system. It highlights specific capabilities of these technologies that help mitigate threats from conventional credentials and provides guidance about how to design and deploy these technologies as part of your Windows 10 rollout. @@ -50,7 +50,7 @@ Another, related risk is that of credential replay, in which an attacker capture The common approach of using an email address as the user name makes a bad problem worse. An attacker who successfully recovers a user name–password pair from a compromised system can then try that same pair on other systems. Surprisingly often, this tactic works to allow attackers to springboard from a compromised system into other systems. The use of email addresses as user names leads to other problems, too, which we’ll explore later in this guide. -### +### **Trading convenience for complexity** 
@@ -64,11 +64,11 @@ If the major risk to passwords is that an attacker might guess them through brut Because a reusable password is the only authentication factor in password-based systems, designers have attempted to reduce the risk of credential theft and reuse. One common method for doing so is the use of limited-lifetime passwords. Some systems allow for passwords that can be used only once, but by far the more common approach is to make passwords expire after a certain period. Limiting the useful lifetime of a password puts a cap on how long a stolen password will be useful to an attacker. This practice helps protect against cases where a long-lived password is stolen, held, and used for a long time, but it also harkens back to the time when password cracking was impractical for everyone except nation state-level attackers. A smart attacker would attempt to steal passwords rather than crack them because of the time penalty associated with password cracking. -The widespread availability of commodity password-cracking tools and the massive computing power available through mechanisms such as GPU-powered crackers or distributed cloud-based cracking tools has reversed this equation so that it is often more effective for an attacker to crack a password than to try to steal it. In addition, the widespread availability of self-service [password-reset mechanisms](#password_reset) means that an attacker needs only a short window of time during which the password is valid to change the password and thus reset the validity period. Relatively few enterprise networks provide self-service password-reset mechanisms, but they are common for Internet services. In addition, many users use the secure credential store on Windows and Mac OS X systems to store valuable passwords for Internet services, so an attacker who can compromise the operating system password may be able to obtain a treasure trove of other service passwords at no cost. 
+The widespread availability of commodity password-cracking tools and the massive computing power available through mechanisms such as GPU-powered crackers or distributed cloud-based cracking tools has reversed this equation so that it is often more effective for an attacker to crack a password than to try to steal it. In addition, the widespread availability of self-service [password-reset mechanisms](#password-reset) means that an attacker needs only a short window of time during which the password is valid to change the password and thus reset the validity period. Relatively few enterprise networks provide self-service password-reset mechanisms, but they are common for Internet services. In addition, many users use the secure credential store on Windows and Mac OS X systems to store valuable passwords for Internet services, so an attacker who can compromise the operating system password may be able to obtain a treasure trove of other service passwords at no cost. Finally, overly short timelines for password expiration can tempt users to make small changes in their passwords at each expiration period — for example, moving from password123 to password456 to password789. This approach reduces the work necessary to crack the password, especially if the attacker knows any of the old passwords. -### +### **Password-reset mechanisms** 
@@ -287,7 +287,7 @@ Microsoft Passport depends on having compatible IDPs available to it. As of this In addition to the IDP, Microsoft Passport requires an MDM system. This system can be the cloud-based Intune if you use Azure AD, or an on-premises System Center Configuration Manager deployment that meets the system requirements described in the [Deployment requirements](#deployreq) section of this document. -## Design a Microsoft Passport for Work deployment +## Design a Microsoft Passport for Work deployment Microsoft Passport for Work is designed for integration with your existing and future directory infrastructure and device deployments, but this flexibility means there are many considerations to think about when you design your deployment. Some of these decisions are technical, while others are organizational or even political. In this section, we examine the key points where you have to make decisions about how to implement Microsoft Passport for Work. Remember, individual devices can use the individual version of Microsoft Passport without any infrastructure changes on your part. Microsoft Passport for Work allows you to control and centrally manage user authentication and device registration. To use the initial version of Microsoft Passport for Work, each device must have an Azure AD identity, so automatic registration of devices provides a means both to register new devices and to apply optional policies to manage Microsoft Passport for Work. 
@@ -349,7 +349,7 @@ Which rollout method you choose depends on several factors: - **Your plans for the cloud.** If you’re already planning a move to the cloud, Azure AD eases the process of Microsoft Passport for Work deployment, because you can use Azure AD as an IDP alongside your existing on-premises AD DS setup without making significant changes to your on-premises environment. Future versions of Microsoft Passport for Work will support the ability to simultaneously register devices that are already members of an on-premises AD DS domain in an Azure AD partition so that they use Microsoft Passport for Work from the cloud. Hybrid deployments that combine AD DS with Azure AD give you the ability to keep machine authentication and policy management against your local AD DS domain while providing the full set of Microsoft Passport for Work services (and Microsoft Office 365 integration) for your users. If you plan to use on-premises AD DS only, then the design and configuration of your on-premises environment will dictate what kind of changes you may need to make. -### +### **Deployment requirements** diff --git a/windows/keep-secure/minimum-password-age.md b/windows/keep-secure/minimum-password-age.md index 31f648e955..7e0541d58e 100644 --- a/windows/keep-secure/minimum-password-age.md +++ b/windows/keep-secure/minimum-password-age.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management, and security considerations for the **Minimum password age** security policy setting. 
diff --git a/windows/keep-secure/minimum-password-length.md b/windows/keep-secure/minimum-password-length.md index eee3fe77bf..bb282ece97 100644 --- a/windows/keep-secure/minimum-password-length.md +++ b/windows/keep-secure/minimum-password-length.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management, and security considerations for the **Minimum password length** security policy setting. diff --git a/windows/keep-secure/modify-an-object-label.md b/windows/keep-secure/modify-an-object-label.md index 626effa684..88f42193af 100644 --- a/windows/keep-secure/modify-an-object-label.md +++ b/windows/keep-secure/modify-an-object-label.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management, and security considerations for the **Modify an object label** security policy setting. diff --git a/windows/keep-secure/modify-firmware-environment-values.md b/windows/keep-secure/modify-firmware-environment-values.md index ed9f95cd86..fcbc1062c5 100644 --- a/windows/keep-secure/modify-firmware-environment-values.md +++ b/windows/keep-secure/modify-firmware-environment-values.md 
@@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management, and security considerations for the **Modify firmware environment values** security policy setting. diff --git a/windows/keep-secure/monitor-application-usage-with-applocker.md b/windows/keep-secure/monitor-application-usage-with-applocker.md index 9f9eeac0e0..f1dfd53488 100644 --- a/windows/keep-secure/monitor-application-usage-with-applocker.md +++ b/windows/keep-secure/monitor-application-usage-with-applocker.md @@ -19,7 +19,7 @@ This topic for IT professionals describes how to monitor app usage when AppLocke Once you set rules and deploy the AppLocker policies, it is good practice to determine if the policy implementation is what you expected. -### Discover the effect of an AppLocker policy +### Discover the effect of an AppLocker policy You can evaluate how the AppLocker policy is currently implemented for documentation or audit purposes, or before you modify the policy. Updating your AppLocker Policy Deployment Planning document will help you track your findings. For information about creating this document, see [Create your AppLocker planning document](create-your-applocker-planning-document.md). You can perform one or more of the following steps to understand what application controls are currently enforced through AppLocker rules. 
@@ -27,7 +27,7 @@ You can evaluate how the AppLocker policy is currently implemented for documenta When AppLocker policy enforcement is set to **Enforce rules**, rules are enforced for the rule collection and all events are audited. When AppLocker policy enforcement is set to **Audit only**, rules are not enforced but are still evaluated to generate audit event data that is written to the AppLocker logs. - For the procedure to access the log, see [View the AppLocker Log in Event Viewer](#BKMK_AppLkr_View_Log). + For the procedure to access the log, see [View the AppLocker Log in Event Viewer](#bkmk-applkr-view-log). - **Enable the Audit only AppLocker enforcement setting** @@ -39,7 +39,7 @@ You can evaluate how the AppLocker policy is currently implemented for documenta For both event subscriptions and local events, you can use the **Get-AppLockerFileInformation** Windows PowerShell cmdlet to determine which files have been blocked or would have been blocked (if you are using the audit-only enforcement mode) and how many times the event has occurred for each file. - For the procedure to do this, see [Review AppLocker Events with Get-AppLockerFileInformation](#BKMK_AppLkr_Review_Events). + For the procedure to do this, see [Review AppLocker Events with Get-AppLockerFileInformation](#bkmk-applkr-review-events). - **Review AppLocker events with Test-AppLockerPolicy** 
@@ -47,7 +47,7 @@ You can evaluate how the AppLocker policy is currently implemented for documenta For the procedure to do this, see [Test an AppLocker policy by using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md). -### Review AppLocker events with Get-AppLockerFileInformation +### Review AppLocker events with Get-AppLockerFileInformation For both event subscriptions and local events, you can use the **Get-AppLockerFileInformation** Windows PowerShell cmdlet to determine which files have been blocked or would have been blocked (if the **Audit only** enforcement setting is applied) and how many times the event has occurred for each file. @@ -70,7 +70,7 @@ If the AppLocker logs are not on your local device, you will need permission to `Get-AppLockerFileInformation –EventLog –EventType Allowed –Statistics` -### View the AppLocker Log in Event Viewer +### View the AppLocker Log in Event Viewer When AppLocker policy enforcement is set to **Enforce rules**, rules are enforced for the rule collection and all events are audited. When AppLocker policy enforcement is set to **Audit only**, rules are only evaluated but all events generated from that evaluation are written to the AppLocker log. diff --git a/windows/keep-secure/network-access-allow-anonymous-sidname-translation.md b/windows/keep-secure/network-access-allow-anonymous-sidname-translation.md index 57504662e0..dbef22ed99 100644 --- a/windows/keep-secure/network-access-allow-anonymous-sidname-translation.md +++ b/windows/keep-secure/network-access-allow-anonymous-sidname-translation.md 
@@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management and security considerations for the **Network access: Allow anonymous SID/Name translation** security policy setting. diff --git a/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md b/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md index 0456c5a27e..e5eb757d25 100644 --- a/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md +++ b/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, and security considerations for the **Network access: Do not allow anonymous enumeration of SAM accounts and shares** security policy setting. diff --git a/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md b/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md index 6b45c2e554..e07642a154 100644 --- a/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md +++ b/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md 
@@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, and security considerations for the **Network access: Do not allow anonymous enumeration of SAM accounts** security policy setting. diff --git a/windows/keep-secure/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md b/windows/keep-secure/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md index 0873ee0926..f7a1a688f2 100644 --- a/windows/keep-secure/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md +++ b/windows/keep-secure/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md @@ -18,8 +18,8 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management and security considerations for the **Network access: Do not allow storage of passwords and credentials for network authentication** security policy setting. diff --git a/windows/keep-secure/network-access-let-everyone-permissions-apply-to-anonymous-users.md b/windows/keep-secure/network-access-let-everyone-permissions-apply-to-anonymous-users.md index 5b7d7fd8c2..b28e5ae65c 100644 --- a/windows/keep-secure/network-access-let-everyone-permissions-apply-to-anonymous-users.md +++ b/windows/keep-secure/network-access-let-everyone-permissions-apply-to-anonymous-users.md 
@@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management and security considerations for the **Network access: Let Everyone permissions apply to anonymous users** security policy setting. diff --git a/windows/keep-secure/network-access-named-pipes-that-can-be-accessed-anonymously.md b/windows/keep-secure/network-access-named-pipes-that-can-be-accessed-anonymously.md index eafac07e13..b2992d4455 100644 --- a/windows/keep-secure/network-access-named-pipes-that-can-be-accessed-anonymously.md +++ b/windows/keep-secure/network-access-named-pipes-that-can-be-accessed-anonymously.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management and security considerations for the **Network access: Named Pipes that can be accessed anonymously** security policy setting. diff --git a/windows/keep-secure/network-access-remotely-accessible-registry-paths-and-subpaths.md b/windows/keep-secure/network-access-remotely-accessible-registry-paths-and-subpaths.md index 1a37a2ff3d..abb34f1f05 100644 --- a/windows/keep-secure/network-access-remotely-accessible-registry-paths-and-subpaths.md +++ b/windows/keep-secure/network-access-remotely-accessible-registry-paths-and-subpaths.md 
@@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, and security considerations for the **Network access: Remotely accessible registry paths and subpaths** security policy setting. diff --git a/windows/keep-secure/network-access-remotely-accessible-registry-paths.md b/windows/keep-secure/network-access-remotely-accessible-registry-paths.md index e1f91db54f..0987705b78 100644 --- a/windows/keep-secure/network-access-remotely-accessible-registry-paths.md +++ b/windows/keep-secure/network-access-remotely-accessible-registry-paths.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management and security considerations for the **Network access: Remotely accessible registry paths** security policy setting. diff --git a/windows/keep-secure/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md b/windows/keep-secure/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md index a0bb0be3ea..d43a81ddf8 100644 --- a/windows/keep-secure/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md +++ b/windows/keep-secure/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md 
@@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management and security considerations for the **Network access: Restrict anonymous access to Named Pipes and Shares** security policy setting. diff --git a/windows/keep-secure/network-access-shares-that-can-be-accessed-anonymously.md b/windows/keep-secure/network-access-shares-that-can-be-accessed-anonymously.md index 6acc461ccc..6f7108c36a 100644 --- a/windows/keep-secure/network-access-shares-that-can-be-accessed-anonymously.md +++ b/windows/keep-secure/network-access-shares-that-can-be-accessed-anonymously.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management and security considerations for the **Network access: Shares that can be accessed anonymously** security policy setting. diff --git a/windows/keep-secure/network-access-sharing-and-security-model-for-local-accounts.md b/windows/keep-secure/network-access-sharing-and-security-model-for-local-accounts.md index 5adfd27765..605afc8e34 100644 --- a/windows/keep-secure/network-access-sharing-and-security-model-for-local-accounts.md +++ b/windows/keep-secure/network-access-sharing-and-security-model-for-local-accounts.md 
@@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management and security considerations for the **Network access: Sharing and security model for local accounts** security policy setting. diff --git a/windows/keep-secure/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md b/windows/keep-secure/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md index 6ce76e750f..495a944451 100644 --- a/windows/keep-secure/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md +++ b/windows/keep-secure/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the location, values, policy management, and security considerations for the **Network security: Allow Local System to use computer identity for NTLM** security policy setting. diff --git a/windows/keep-secure/network-security-allow-localsystem-null-session-fallback.md b/windows/keep-secure/network-security-allow-localsystem-null-session-fallback.md index 283434a90b..fe4880704a 100644 --- a/windows/keep-secure/network-security-allow-localsystem-null-session-fallback.md +++ b/windows/keep-secure/network-security-allow-localsystem-null-session-fallback.md 
@@ -18,8 +18,8 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, and security considerations for the **Network security: Allow LocalSystem NULL session fallback** security policy setting. diff --git a/windows/keep-secure/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/keep-secure/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md index 6135445577..e801efd1af 100644 --- a/windows/keep-secure/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md +++ b/windows/keep-secure/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md @@ -18,8 +18,8 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, and values for the **Network Security: Allow PKU2U authentication requests to this computer to use online identities** security policy setting. diff --git a/windows/keep-secure/network-security-configure-encryption-types-allowed-for-kerberos.md b/windows/keep-secure/network-security-configure-encryption-types-allowed-for-kerberos.md index af8f09206b..d94e9f606c 100644 --- a/windows/keep-secure/network-security-configure-encryption-types-allowed-for-kerberos.md +++ b/windows/keep-secure/network-security-configure-encryption-types-allowed-for-kerberos.md 
@@ -18,8 +18,8 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values and security considerations for the **Network security: Configure encryption types allowed for Kerberos Win7 only** security policy setting. diff --git a/windows/keep-secure/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md b/windows/keep-secure/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md index d57e9d035a..34b4602835 100644 --- a/windows/keep-secure/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md +++ b/windows/keep-secure/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management and security considerations for the **Network security: Do not store LAN Manager hash value on next password change** security policy setting. diff --git a/windows/keep-secure/network-security-force-logoff-when-logon-hours-expire.md b/windows/keep-secure/network-security-force-logoff-when-logon-hours-expire.md index 0dbcdafcf2..6afa4c577f 100644 --- a/windows/keep-secure/network-security-force-logoff-when-logon-hours-expire.md +++ b/windows/keep-secure/network-security-force-logoff-when-logon-hours-expire.md 
@@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management and security considerations for the **Network security: Force logoff when logon hours expire** security policy setting. diff --git a/windows/keep-secure/network-security-lan-manager-authentication-level.md b/windows/keep-secure/network-security-lan-manager-authentication-level.md index 3b76c609ad..ea9365e356 100644 --- a/windows/keep-secure/network-security-lan-manager-authentication-level.md +++ b/windows/keep-secure/network-security-lan-manager-authentication-level.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management and security considerations for the **Network security: LAN Manager authentication level** security policy setting. diff --git a/windows/keep-secure/network-security-ldap-client-signing-requirements.md b/windows/keep-secure/network-security-ldap-client-signing-requirements.md index ee2e2a5a76..912a606ca5 100644 --- a/windows/keep-secure/network-security-ldap-client-signing-requirements.md +++ b/windows/keep-secure/network-security-ldap-client-signing-requirements.md 
@@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) This security policy reference topic for the IT professional describes the best practices, location, values, policy management and security considerations for this policy setting. This information applies to computers running at least the Windows Server 2008 operating system. diff --git a/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based--including-secure-rpc--clients.md b/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based--including-secure-rpc--clients.md index 1fb1010795..347d87392b 100644 --- a/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based--including-secure-rpc--clients.md +++ b/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based--including-secure-rpc--clients.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management and security considerations for the **Network security: Minimum session security for NTLM SSP based (including secure RPC) clients** security policy setting. 
diff --git a/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based--including-secure-rpc--servers.md b/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based--including-secure-rpc--servers.md index 94a7abf07d..f6ccf49cf5 100644 --- a/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based--including-secure-rpc--servers.md +++ b/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based--including-secure-rpc--servers.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management and security considerations for the **Network security: Minimum session security for NTLM SSP based (including secure RPC) servers** security policy setting. diff --git a/windows/keep-secure/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md b/windows/keep-secure/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md index 46f94bc0b4..9a9bab7854 100644 --- a/windows/keep-secure/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md +++ b/windows/keep-secure/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md 
@@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, management aspects, and security considerations for the **Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication** security policy setting. diff --git a/windows/keep-secure/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md b/windows/keep-secure/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md index 6490a428f8..07a39848bd 100644 --- a/windows/keep-secure/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md +++ b/windows/keep-secure/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, management aspects, and security considerations for the **Network security: Restrict NTLM: Add server exceptions in this domain** security policy setting. diff --git a/windows/keep-secure/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md b/windows/keep-secure/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md index 17dc167233..bf74af1eee 100644 --- a/windows/keep-secure/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md +++ b/windows/keep-secure/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md 
@@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: Audit incoming NTLM traffic** security policy setting. diff --git a/windows/keep-secure/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md b/windows/keep-secure/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md index 482c56e052..4cfde5f34d 100644 --- a/windows/keep-secure/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md +++ b/windows/keep-secure/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: Audit NTLM authentication in this domain** security policy setting. diff --git a/windows/keep-secure/network-security-restrict-ntlm-incoming-ntlm-traffic.md b/windows/keep-secure/network-security-restrict-ntlm-incoming-ntlm-traffic.md index 8bcb81142d..5b2a894d21 100644 --- a/windows/keep-secure/network-security-restrict-ntlm-incoming-ntlm-traffic.md +++ b/windows/keep-secure/network-security-restrict-ntlm-incoming-ntlm-traffic.md 
@@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: Incoming NTLM traffic** security policy setting. @@ -107,7 +107,7 @@ This section describes different features and tools available to help you manage None. Changes to this policy become effective without a restart when saved locally or distributed through Group Policy. -### Group Policy +### Group Policy Setting and deploying this policy using Group Policy takes precedence over the setting on the local device. If the Group Policy is set to **Not Configured**, local settings will apply. diff --git a/windows/keep-secure/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md b/windows/keep-secure/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md index 2ce163e549..39589de882 100644 --- a/windows/keep-secure/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md +++ b/windows/keep-secure/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: NTLM authentication in this domain** security policy setting. 
diff --git a/windows/keep-secure/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md b/windows/keep-secure/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md index c706147781..bc9e9c55c6 100644 --- a/windows/keep-secure/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md +++ b/windows/keep-secure/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers** security policy setting. @@ -34,7 +34,7 @@ Modifying this policy setting may affect compatibility with client computers, se   -### Possible values +### Possible values - **Allow all** diff --git a/windows/keep-secure/password-must-meet-complexity-requirements.md b/windows/keep-secure/password-must-meet-complexity-requirements.md index eaa4625fd7..37e53c2106 100644 --- a/windows/keep-secure/password-must-meet-complexity-requirements.md +++ b/windows/keep-secure/password-must-meet-complexity-requirements.md @@ -18,8 +18,8 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, and security considerations for the **Password must meet complexity requirements** security policy setting. 
diff --git a/windows/keep-secure/perform-volume-maintenance-tasks.md b/windows/keep-secure/perform-volume-maintenance-tasks.md index 1010a60895..276e8181c2 100644 --- a/windows/keep-secure/perform-volume-maintenance-tasks.md +++ b/windows/keep-secure/perform-volume-maintenance-tasks.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management, and security considerations for the **Perform volume maintenance tasks** security policy setting. diff --git a/windows/keep-secure/planning-and-deploying-advanced-security-audit-policies.md b/windows/keep-secure/planning-and-deploying-advanced-security-audit-policies.md index 81c566d5e8..72f0ddaca7 100644 --- a/windows/keep-secure/planning-and-deploying-advanced-security-audit-policies.md +++ b/windows/keep-secure/planning-and-deploying-advanced-security-audit-policies.md 
@@ -73,27 +73,27 @@ By carefully planning, designing, testing, and deploying a solution based on you The process of designing and deploying a Windows security audit policy involves the following tasks, which are described in greater detail throughout this document: -- [Identifying your Windows security audit policy deployment goals](#BKMK_1) +- [Identifying your Windows security audit policy deployment goals](#bkmk-1) This section helps define the business objectives that will guide your Windows security audit policy. It also helps you define the resources, users, and computers that will be the focus of your security auditing. -- [Mapping the security audit policy to groups of users, computers, and resources in your organization](#BKMK_2) +- [Mapping the security audit policy to groups of users, computers, and resources in your organization](#bkmk-2) This section explains how to integrate security audit policy settings with domain Group Policy settings for different groups of users, computers, and resources. In addition, if your network includes multiple versions of Windows client and server operating systems, it also explains when to use basic audit policy settings and when to use advanced security audit policy settings. -- [Mapping your security auditing goals to a security audit policy configuration](#BKMK_3) +- [Mapping your security auditing goals to a security audit policy configuration](#bkmk-3) This section explains the categories of Windows security auditing settings that are available. It also identifies individual Windows security auditing policy settings that can be of particular value to address auditing scenarios. -- [Planning for security audit monitoring and management](#BKMK_4) +- [Planning for security audit monitoring and management](#bkmk-4) This section helps you plan to collect, analyze, and store Windows audit data. Depending on the number of computers and types of activity that you want to audit, Windows event logs can fill up quickly. 
In addition, this section explains how auditors can access and aggregate event data from multiple servers and desktop computers. It also explains how to address storage requirements, including how much audit data to store and how it must be stored. -- [Deploying the security audit policy](#BKMK_5) +- [Deploying the security audit policy](#bkmk-5) This section provides recommendations and guidelines for the effective deployment of a Windows security audit policy. Configuring and deploying Windows audit policy settings in a test lab environment can help you confirm that the settings you have selected will produce the type of audit data you need. However, only a carefully staged pilot and incremental deployments based on your domain and organizational unit (OU) structure will enable you to confirm that the audit data you generate can be monitored and that it meets your organization's audit needs. -## Identifying your Windows security audit policy deployment goals +## Identifying your Windows security audit policy deployment goals A security audit policy must support and be a critical and integrated aspect of an organization's overall security design and framework. 
@@ -110,7 +110,7 @@ To create your Windows security audit plan, begin by identifying: ### Network environment -An organization's domain and OU structure provide a fundamental starting point for thinking about how to apply a security audit policy because it likely provides a foundation of Group Policy Objects (GPOs) and logical grouping of resources and activities that you can use to apply the audit settings that you choose. It is also likely that certain portions of your domain and OU structure already provide logical groups of users, resources, and activities that justify the time and resources needed to audit them. For information about how to integrate a security audit policy with your domain and OU structure, see [Mapping security audit policy to groups of users, computers, and resources in your organization](#BKMK_2) later in this document. +An organization's domain and OU structure provide a fundamental starting point for thinking about how to apply a security audit policy because it likely provides a foundation of Group Policy Objects (GPOs) and logical grouping of resources and activities that you can use to apply the audit settings that you choose. It is also likely that certain portions of your domain and OU structure already provide logical groups of users, resources, and activities that justify the time and resources needed to audit them. For information about how to integrate a security audit policy with your domain and OU structure, see [Mapping security audit policy to groups of users, computers, and resources in your organization](#bkmk-2) later in this document. In addition to your domain model, you should also find out whether your organization creates and maintains a systematic threat model. A good threat model can help you identify threats to key components in your infrastructure, so you can define and apply audit settings that enhance the organization's ability to identify and counter those threats. 
@@ -298,7 +298,7 @@ Many industries and locales have strict and specific requirements for network op For more info, see the [System Center Process Pack for IT GRC](http://technet.microsoft.com/library/dd206732.aspx). -## Mapping the security audit policy to groups of users, computers, and resources in your organization +## Mapping the security audit policy to groups of users, computers, and resources in your organization By using Group Policy, you can apply your security audit policy to defined groups of users, computers, and resources. To map a security auditing policy to these defined groups in your organization, you should understand the following considerations for using Group Policy to apply security audit policy settings: @@ -332,7 +332,7 @@ The following are examples of how audit policies can be applied to an organizati - Apply network and system activity audit policies to OUs that contain the organization's most critical servers, such as domain controllers, CAs, email servers, or database servers. -## Mapping your security auditing goals to a security audit policy configuration +## Mapping your security auditing goals to a security audit policy configuration After you identify your security auditing goals, you can begin to map them to a security audit policy configuration. This audit policy configuration must address your most critical security auditing goals, but it also must address your organization's constraints, such as the number of computers that need to be monitored, the number of activities that you want to audit, the number of audit events that your desired audit configuration will generate, and the number of administrators available to analyze and act upon audit data. 
@@ -396,7 +396,7 @@ For many organizations, compromising the organization's data resources can cause - **Global Object Access Auditing**. A growing number of organizations are using security auditing to comply with regulatory requirements that govern data security and privacy. But demonstrating that strict controls are being enforced can be extremely difficult. To address this issue, the supported versions of Windows include two **Global Object Access Auditing** policy settings, one for the registry and one for the file system. When you configure these settings, they apply a global system access control SACL on all objects of that class on a system, which cannot be overridden or circumvented. **Important**   - The **Global Object Access Auditing** policy settings must be configured and applied in conjunction with the **Audit File System** and **Audit Registry** audit policy settings in the **Object Access** category. For more information about using the **Global Object Access Auditing** policy settings, see the [Advanced security auditing walkthrough](../keep-secure/advanced-security-auditing-walkthrough.md). + The **Global Object Access Auditing** policy settings must be configured and applied in conjunction with the **Audit File System** and **Audit Registry** audit policy settings in the **Object Access** category.   
@@ -497,7 +497,7 @@ For example, on a file server that is accessed frequently by legitimate users, y On the other hand, if the file share has extremely sensitive and valuable information, such as trade secrets, you may want to log every access attempt, whether successful or unsuccessful, so that you have an audit trail of every user who accessed the resource. -## Planning for security audit monitoring and management +## Planning for security audit monitoring and management Networks can contain hundreds of servers running critical services or storing critical data, all of which need to be monitored. The number of client computers on the network can easily range into the tens or even hundreds of thousands. This may not be an issue if the ratio of servers or client computers per administrator is low. Even if an administrator who is responsible for auditing security and performance issues has relatively few computers to monitor, you need to decide how an administrator will obtain event data to review. Following are some options for obtaining the event data. @@ -526,7 +526,7 @@ You can also configure the audit log size and other key management options by us In addition, a growing number of organizations are being required to store archived log files for a number of years. You should consult with regulatory compliance officers in your organization to determine whether such guidelines apply to your organization. For more information, see the [IT Compliance Management Guide](http://go.microsoft.com/fwlink/p/?LinkId=163435). -## Deploying the security audit policy +## Deploying the security audit policy Before deploying the audit policy in a production environment, it is critical that you determine the effects of the policy settings that you have configured. diff --git a/windows/keep-secure/prepare-people-to-use-microsoft-passport.md b/windows/keep-secure/prepare-people-to-use-microsoft-passport.md index 20af4910a7..cca33b7828 100644 
--- a/windows/keep-secure/prepare-people-to-use-microsoft-passport.md +++ b/windows/keep-secure/prepare-people-to-use-microsoft-passport.md @@ -19,11 +19,11 @@ author: brianlic-msft **In this article** -- [On devices owned by the organization](#on_devices_owned_by_the_organization) -- [On personal devices](#on_personal_devices) -- [Using Windows Hello and biometrics](#using_windows_hello_and_biometrics) -- [Use a phone to sign in to a PC](#BMK_remote) -- [Related topics](#related_topics) +- [On devices owned by the organization](#on-devices-owned-by-the-organization) +- [On personal devices](#on-personal-devices) +- [Using Windows Hello and biometrics](#using-windows-hello-and-biometrics) +- [Use a phone to sign in to a PC](#bmk-remote) +- [Related topics](#related-topics) When you set a policy to require Microsoft Passport in the workplace, you will want to prepare people in your organization by explaining how to use Passport. @@ -64,7 +64,7 @@ If your policy allows it, people can add Windows Hello to their Passport. Window ![sign in to windows, apps, and services using fingerprint or face](images/hellosettings.png) -## Use a phone to sign in to a PC +## Use a phone to sign in to a PC If your enterprise enables phone sign-in, users can pair a phone running Windows 10 Mobile to a PC running Windows 10 and then use an app on the phone to sign in to the PC using their Microsoft Passport credentials. diff --git a/windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies.md index e4f18d7b67..136f485e58 100644 --- a/windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies.md +++ b/windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies.md 
@@ -19,27 +19,27 @@ This topic for the IT professional explains how can you plan your BitLocker depl When you design your BitLocker deployment strategy, define the appropriate policies and configuration requirements based on the business requirements of your organization. The following topics will help you collect information that you can use to frame your decision-making process about deploying and managing BitLocker systems. -- [Audit your environment](#BKMK_audit) +- [Audit your environment](#bkmk-audit) -- [Encryption keys and authentication](#BKK_encrypt) +- [Encryption keys and authentication](#bkk-encrypt) -- [TPM hardware configurations](#BKMK_TPMConfigurations) +- [TPM hardware configurations](#bkmk-tpmconfigurations) -- [Non-TPM hardware configurations](#BKMK_NonTPM) +- [Non-TPM hardware configurations](#bkmk-nontpm) -- [Disk configuration considerations](#BKMK_disk) +- [Disk configuration considerations](#bkmk-disk) -- [BitLocker provisioning](#BKMK_prov) +- [BitLocker provisioning](#bkmk-prov) -- [Used Disk Space Only encryption](#BKK_used) +- [Used Disk Space Only encryption](#bkk-used) -- [Active Directory Domain Services considerations](#BKMK_addscons) +- [Active Directory Domain Services considerations](#bkmk-addscons) -- [FIPS support for recovery password protector](#BKMK_FIPSsupport) +- [FIPS support for recovery password protector](#bkmk-fipssupport) - [BitLocker Group Policy settings](bitlocker-group-policy-settings.md) -## Audit your environment +## Audit your environment To plan your enterprise deployment of BitLocker, you must first understand your current environment. Conduct an informal audit to define your current policies, procedures, and hardware environment. Begin by reviewing your existing corporate security policies as they relate to disk encryption software. If your organization is not currently using disk encryption software, none of these policies will exist. 
If you are using disk encryption software, then you might need to modify your organization's policies to address the capabilities of BitLocker. @@ -56,7 +56,7 @@ Use the following questions to help you document your organization's current dis 5. What policies exist to control computer decommissioning or retirement? -## Encryption keys and authentication +## Encryption keys and authentication BitLocker helps prevent unauthorized access to data on lost or stolen computers by: @@ -178,7 +178,7 @@ If there are areas of your organization where data residing on user computers is The protection differences provided by multifactor authentication methods cannot be easily quantified. Consider each authentication method's impact on Helpdesk support, user education, user productivity, and automated systems management processes. -## TPM hardware configurations +## TPM hardware configurations In your deployment plan, identify what TPM-based hardware platforms will be supported. Document the hardware models from an OEM of your choice, so that their configurations can be tested and supported. TPM hardware requires special consideration during all aspects of planning and deployment. @@ -245,7 +245,7 @@ An endorsement key can be created at various points in the TPM’s lifecycle, bu For more information about the TPM and the TCG, see the Trusted Computing Group: Trusted Platform Module (TPM) Specifications (). -## Non-TPM hardware configurations +## Non-TPM hardware configurations Devices that do not include a TPM can still be protected by drive encryption. Windows To Go workspaces can be BitLocker protected using a startup password and PCs without a TPM can use a startup key. 
@@ -260,7 +260,7 @@ Use the following questions to identify issues that might affect your deployment Test your individual hardware platforms with the BitLocker system check option while you are enabling BitLocker. The system check will ensure that BitLocker can read the recovery information from a USB device and encryption keys correctly before it encrypts the volume. CD and DVD drives cannot act as a block storage device and cannot be used to store the BitLocker recovery material. -## Disk configuration considerations +## Disk configuration considerations To function correctly, BitLocker requires a specific disk configuration. BitLocker requires two partitions that meet the following requirements: @@ -275,7 +275,7 @@ Windows Recovery Environment (Windows RE) is an extensible recovery platform tha Windows RE can also be used from boot media other than the local hard disk. If you choose not to install Windows RE on the local hard disk of BitLocker-enabled computers, you can use alternate boot methods, such as Windows Deployment Services, CD-ROM, or USB flash drive, for recovery. -## BitLocker provisioning +## BitLocker provisioning In Windows Vista and Windows 7, BitLocker was provisioned post installation for system and data volumes through either the manage-bde command line interface or the Control Panel user interface. With newer operating systems, BitLocker can be easily provisioned before the operating system is installed. Preprovisioning requires that the computer have a TPM. 
@@ -286,7 +286,7 @@ When using the control panel options, administrators can choose to **Turn on Bit Administrators can enable BitLocker prior to operating system deployment from the Windows Pre-installation Environment (WinPE). This is done with a randomly generated clear key protector applied to the formatted volume and encrypting the volume prior to running the Windows setup process. If the encryption uses the Used Disk Space Only option this step takes only a few seconds and so incorporates well into regular deployment processes. -## Used Disk Space Only encryption +## Used Disk Space Only encryption The BitLocker Setup wizard provides administrators the ability to choose the Used Disk Space Only or Full encryption method when enabling BitLocker for a volume. Administrators can use the new BitLocker Group Policy setting to enforce either Used Disk Space Only or Full disk encryption. @@ -297,7 +297,7 @@ Used Disk Space Only means that only the portion of the drive that contains data Full drive encryption means that the entire drive will be encrypted, regardless of whether data is stored on it or not. This is useful for drives that have been repurposed and may contain data remnants from their previous use. -## Active Directory Domain Services considerations +## Active Directory Domain Services considerations BitLocker integrates with Active Directory Domain Services (AD DS) to provide centralized key management. By default, no recovery information is backed up to Active Directory. Administrators can configure Group Policy settings to enable backup of BitLocker or TPM recovery information. Before configuring these settings verify that access permissions have been granted to perform the backup. 
@@ -401,7 +401,7 @@ To initialize the TPM successfully so that you can turn on BitLocker requires th 9. Click **Finish** to apply the permissions settings. -## FIPS support for recovery password protector +## FIPS support for recovery password protector Functionality introduced in Windows Server 2012 R2 and Windows 8.1, allows BitLocker to be fully functional in FIPS mode. diff --git a/windows/keep-secure/profile-single-process.md b/windows/keep-secure/profile-single-process.md index 37c1b9e8e5..fb95d5f9ae 100644 --- a/windows/keep-secure/profile-single-process.md +++ b/windows/keep-secure/profile-single-process.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management, and security considerations for the **Profile single process** security policy setting. diff --git a/windows/keep-secure/profile-system-performance.md b/windows/keep-secure/profile-system-performance.md index 07db3b430c..9ef47136fd 100644 --- a/windows/keep-secure/profile-system-performance.md +++ b/windows/keep-secure/profile-system-performance.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) This security policy reference topic for the IT professional describes the best practices, location, values, policy management, and security considerations for the **Profile system performance** security policy setting. 
diff --git a/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md index eb90bcb17c..421a638767 100644 --- a/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md +++ b/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md @@ -19,12 +19,12 @@ author: brianlic-msft **In this article** - [Introduction](#introduction) -- [Description of a robust end-to-end security solution](#description_of_a_robust_end-to-end_security_solution) -- [Protect devices and enterprise credentials against threats](#protect_devices_and_enterprise_credentials_against_threats) -- [Detect an unhealthy Windows 10-based device](#detect_unhealthy) -- [Control the security of a Windows 10-based device before access is granted](#control_the_security_of_a_windows_10-based_device_before_access_is_granted) -- [Takeaways and summary](#takeaways_and_summary) -- [Related topics](#related_topics) +- [Description of a robust end-to-end security solution](#description-of-a-robust-end-to-end-security-solution) +- [Protect devices and enterprise credentials against threats](#protect-devices-and-enterprise-credentials-against-threats) +- [Detect an unhealthy Windows 10-based device](#detect-unhealthy) +- [Control the security of a Windows 10-based device before access is granted](#control-the-security-of-a-windows-10-based-device-before-access-is-granted) +- [Takeaways and summary](#takeaways-and-summary) +- [Related topics](#related-topics) This article details an end-to-end solution that helps you protect high-value assets by enforcing, controlling, and reporting the health of Windows 10-based devices. 
@@ -88,7 +88,7 @@ Access to content is then authorized to the appropriate level of trust for whate Depending on the requirements and the sensitivity of the managed asset, device health status can be combined with user identity information when processing an access request. Access to content is then authorized to the appropriate level of trust. The Conditional Access engine may be structured to allow additional verification as needed by the sensitivity of the managed asset. For example, if access to high-value data is requested, additional security authentication may need to be established by querying the user to answer a phone call before access is granted. -### Microsoft’s security investments in Windows 10 +### Microsoft’s security investments in Windows 10 In Windows 10, there are three pillars of investments: @@ -164,7 +164,7 @@ This section describes what Windows 10 offers in terms of security defenses and The most aggressive forms of malware try to insert themselves into the boot process as early as possible so that they can take control of the operating system early and prevent protection mechanisms and antimalware software from working. This type of malicious code is often called a rootkit or bootkit. The best way to avoid having to deal with low-level malware is to secure the boot process so that the device is protected from the very start. -Windows 10 supports multiple layers of boot protection. Some of these features are available only if specific types of hardware are installed. For more information, see the [Hardware requirements](#hardware_req) section. +Windows 10 supports multiple layers of boot protection. Some of these features are available only if specific types of hardware are installed. For more information, see the [Hardware requirements](#hardware-req) section. ![figure 4](images/hva-fig4-hardware.png) 
@@ -279,7 +279,7 @@ Windows 10 supports features to help prevent sophisticated low-level malware li Although Secure Boot is a proactive form of protection, health attestation is a reactive form of boot protection. Health attestation ships disabled in Windows and is enabled by an antimalware or an MDM vendor. Unlike Secure Boot, health attestation will not stop the boot process and enter remediation when a measurement does not work. But with conditional access control, health attestation will help to prevent access to high-value assets. -### Virtualization-based security +### Virtualization-based security Virtualization-based security provides a new trust boundary for Windows 10. leverages Hyper-V hypervisor technology to enhance platform security. Virtualization-based security provides a secure execution environment to run specific Windows trusted code (trustlet) and to protect sensitive data. @@ -404,9 +404,9 @@ Device health attestation leverages the TPM 2.0 to provide cryptographically str For Windows 10-based devices, Microsoft introduces a new public API that will allow MDM software to access a remote attestation service called Windows Health Attestation Service. A health attestation result, in addition with other elements, can be used to allow or deny access to networks, apps, or services, based on whether devices prove to be healthy. -For more information on device health attestation, see the [Detect an unhealthy Windows 10-based device](#detect_unhealthy) section. +For more information on device health attestation, see the [Detect an unhealthy Windows 10-based device](#detect-unhealthy) section. -### Hardware requirements +### Hardware requirements The following table details the hardware requirements for both virtualization-based security services and the health attestation feature. For more information, see [Minimum hardware requirements](http://go.microsoft.com/fwlink/p/?LinkId=733951). 
@@ -459,7 +459,7 @@ The following table details the hardware requirements for both virtualization-ba This section presented information about several closely related controls in Windows 10. The multi-layer defenses and in-depth approach helps to eradicate low-level malware during boot sequence. Virtualization-based security is a fundamental operating system architecture change that adds a new security boundary. Device Guard and Credential Guard respectively help to block untrusted code and protect corporate domain credentials from theft and reuse. This section also briefly discussed the importance of managing devices and patching vulnerabilities. All these technologies can be used to harden and lock down devices while limiting the risk of attackers compromising them. -## Detect an unhealthy Windows 10-based device +## Detect an unhealthy Windows 10-based device As of today, many organizations only consider devices to be compliant with company policy after they’ve passed a variety of checks that show, for example, that the operating system is in the correct state, properly configured, and has security protection enabled. Unfortunately, with today’s systems, this form of reporting is not entirely reliable because malware can spoof a software statement about system health. A rootkit, or a similar low-level exploit, can report a false healthy state to traditional compliance tools. 
@@ -560,7 +560,7 @@ The following process describes how health boot measurements are sent to the hea The device health attestation solution involves different components that are TPM, Health Attestation CSP, and the Windows Health Attestation Service. Those components are described in this section. -### Trusted Platform Module +### Trusted Platform Module *It’s all about TPM 2.0 and endorsement certificates.* This section describes how PCRs (that contain system configuration data), endorsement key (EK) (that act as an identity card for TPM), SRK (that protect keys) and AIKs (that can report platform state) are used for health attestation reporting. @@ -840,7 +840,7 @@ MDM servers do not need to create or download a client to manage Windows 10. Fo The third-party MDM server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 10 users. -### Management of Windows Defender by third-party MDM +### Management of Windows Defender by third-party MDM This management infrastructure makes it possible for IT pros to use MDM-capable products like Intune, to manage health attestation, Device Guard, or Windows Defender on Windows 10-based devices, including BYODs that aren’t domain joined. IT pros will be able to manage and configure all of the actions and settings they are familiar with customizing by using Intune with Intune Endpoint Protection on down-level operating systems. Admins that currently only manage domain joined devices through Group Policy will find it easy to transition to managing Windows 10-based devices by using MDM because many of the settings and actions are shared across both mechanisms. 
@@ -856,7 +856,7 @@ If the device is not registered, the user will get a message with instructions o ![figure 11](images/hva-fig10-conditionalaccesscontrol.png) -### Office 365 conditional access control +### Office 365 conditional access control Azure AD enforces conditional access policies to secure access to Office 365 services. A tenant admin can create a conditional access policy that blocks a user on a non-compliant device from accessing an Office 365 service. The user must conform to the company’s device policies before access can be granted to the service. Alternately, the admin can also create a policy that requires users to just enroll their devices to gain access to an Office 365 service. Policies may be applied to all users of an organization, or limited to a few target groups and enhanced over time to include additional target groups. @@ -898,7 +898,7 @@ At the present time, conditional access policies are selectively enforced on use   -### Cloud and on-premises apps conditional access control +### Cloud and on-premises apps conditional access control Conditional access control is a powerful policy evaluation engine built into Azure AD. It gives IT pros an easy way to create access rules beyond Office 365 that evaluate the context of a user's logon to make real-time decisions about which applications they should be allowed to access. diff --git a/windows/keep-secure/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/keep-secure/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index 43fab99127..5ed8ed7a78 100644 --- a/windows/keep-secure/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/keep-secure/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md 
@@ -19,7 +19,7 @@ This topic for IT pros describes how to protect CSVs and SANs with BitLocker. BitLocker can protect both physical disk resources and cluster shared volumes version 2.0 (CSV2.0). BitLocker on clustered volumes allows for an additional layer of protection for administrators wishing to protect sensitive, highly available data. By adding additional protectors to the clustered volume, administrators can also add an additional barrier of security to resources within an organization by allowing only certain user accounts access to unlock the BitLocker volume. -## Configuring BitLocker on Cluster Shared Volumes +## Configuring BitLocker on Cluster Shared Volumes ### Using BitLocker with Clustered Volumes diff --git a/windows/keep-secure/recovery-console-allow-automatic-administrative-logon.md b/windows/keep-secure/recovery-console-allow-automatic-administrative-logon.md index de6c6d0b7b..493930dd1c 100644 --- a/windows/keep-secure/recovery-console-allow-automatic-administrative-logon.md +++ b/windows/keep-secure/recovery-console-allow-automatic-administrative-logon.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management and security considerations for the **Recovery console: Allow automatic administrative logon** security policy setting. diff --git a/windows/keep-secure/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md b/windows/keep-secure/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md index 0edecd985a..33f265753a 100644 --- a/windows/keep-secure/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md 
+++ b/windows/keep-secure/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management and security considerations for the **Recovery console: Allow floppy copy and access to all drives and folders** security policy setting. diff --git a/windows/keep-secure/remove-computer-from-docking-station.md b/windows/keep-secure/remove-computer-from-docking-station.md index f2c6cb952e..70b9ea2193 100644 --- a/windows/keep-secure/remove-computer-from-docking-station.md +++ b/windows/keep-secure/remove-computer-from-docking-station.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management, and security considerations for the **Remove computer from docking station** security policy setting. diff --git a/windows/keep-secure/replace-a-process-level-token.md b/windows/keep-secure/replace-a-process-level-token.md index 5dee858dbc..4e2f7e1f4a 100644 --- a/windows/keep-secure/replace-a-process-level-token.md +++ b/windows/keep-secure/replace-a-process-level-token.md 
@@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management, and security considerations for the **Replace a process level token** security policy setting. diff --git a/windows/keep-secure/requirements-for-deploying-applocker-policies.md b/windows/keep-secure/requirements-for-deploying-applocker-policies.md index 8858ca5e67..278b2c3be5 100644 --- a/windows/keep-secure/requirements-for-deploying-applocker-policies.md +++ b/windows/keep-secure/requirements-for-deploying-applocker-policies.md 
@@ -19,15 +19,15 @@ This deployment topic for the IT professional lists the requirements that you ne The following requirements must be met or addressed before you deploy your AppLocker policies: -- [Deployment plan](#BKMK_ReqDepPlan) +- [Deployment plan](#bkmk-reqdepplan) -- [Supported operating systems](#BKMK_ReqSupportedOS) +- [Supported operating systems](#bkmk-reqsupportedos) -- [Policy distribution mechanism](#BKMK_ReqPolicyDistMech) +- [Policy distribution mechanism](#bkmk-reqpolicydistmech) -- [Event collection and analysis system](#BKMK_ReqEventCollectionSystem) +- [Event collection and analysis system](#bkmk-reqeventcollectionsystem) -### Deployment plan +### Deployment plan An AppLocker policy deployment plan is the result of investigating which applications are required and necessary in your organization, which apps are optional, and which apps are forbidden. To develop this plan, see [AppLocker Design Guide](applocker-policies-design-guide.md). The following table is an example of the data you need to collect and the decisions you need to make to successfully deploy AppLocker policies on the supported operating systems (as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md)). 
@@ -213,15 +213,15 @@ An AppLocker policy deployment plan is the result of investigating which applica   -### Supported operating systems +### Supported operating systems AppLocker is supported only on certain operating systems. Some features are not available on all operating systems. For more information, see [Requirements to use AppLocker](requirements-to-use-applocker.md). -### Policy distribution mechanism +### Policy distribution mechanism You need a way to distribute the AppLocker policies throughout the targeted business groups. AppLocker uses Group Policy management architecture to effectively distribute application control policies. AppLocker policies can also be configured on individual computers by using the Local Security Policy snap-in. -### Event collection and analysis system +### Event collection and analysis system Event processing is important to understand application usage. You must have a process in place to collect and analyze AppLocker events so that application usage is appropriately restricted and understood. For procedures to monitor AppLocker events, see: diff --git a/windows/keep-secure/reset-account-lockout-counter-after.md b/windows/keep-secure/reset-account-lockout-counter-after.md index 19d8233464..ab14d9719e 100644 --- a/windows/keep-secure/reset-account-lockout-counter-after.md +++ b/windows/keep-secure/reset-account-lockout-counter-after.md @@ -18,8 +18,8 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, and security considerations for the **Reset account lockout counter after** security policy setting. diff --git a/windows/keep-secure/restore-files-and-directories.md b/windows/keep-secure/restore-files-and-directories.md index 6f7242f354..d5250de181 100644 
--- a/windows/keep-secure/restore-files-and-directories.md +++ b/windows/keep-secure/restore-files-and-directories.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management, and security considerations for the **Restore files and directories** security policy setting. diff --git a/windows/keep-secure/run-the-automatically-generate-rules-wizard.md b/windows/keep-secure/run-the-automatically-generate-rules-wizard.md index 8b15b5dc9e..63611e7155 100644 --- a/windows/keep-secure/run-the-automatically-generate-rules-wizard.md +++ b/windows/keep-secure/run-the-automatically-generate-rules-wizard.md 
@@ -19,7 +19,7 @@ This topic for IT professionals describes steps to run the wizard to create AppL AppLocker allows you to automatically generate rules for all files within a folder. It will scan the specified folder and create the condition types that you choose for each file in that folder. -You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local device or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#BKMK_Using_Snapins). +You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local device or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). **To automatically generate rules** diff --git a/windows/keep-secure/schema-extensions-for-windows-server-2008-r2-to-support-ad-ds-backup-of-tpm-information-from-windows-8-clients.md b/windows/keep-secure/schema-extensions-for-windows-server-2008-r2-to-support-ad-ds-backup-of-tpm-information-from-windows-8-clients.md index 28b58cd634..6916504ad6 100644 --- a/windows/keep-secure/schema-extensions-for-windows-server-2008-r2-to-support-ad-ds-backup-of-tpm-information-from-windows-8-clients.md +++ b/windows/keep-secure/schema-extensions-for-windows-server-2008-r2-to-support-ad-ds-backup-of-tpm-information-from-windows-8-clients.md 
@@ -22,7 +22,7 @@ This topic provides more details about this change and provides template schema The TPM owner authorization value is now stored in a separate object which is linked to the Computer object. This value was stored as a property in the Computer object itself for the default Windows Server 2008 R2 schemas. Windows Server 2012 domain controllers have the default schema to backup TPM owner authorization information in the separate object. If you are not upgrading your domain controller to Windows Server 2012 you need to extend the schema to support this change. If Active Directory backup of the TPM owner authorization value is enabled in a Windows Server 2008 R2 environment without extending the schema, the TPM provisioning will fail and the TPM will remain in a Not Ready state for computers running Windows 8. The following are the two schema extensions that you can use to bring your Windows Server 2008 R2 domain to parity with Windows Server 2012: -### TpmSchemaExtension.ldf +### TpmSchemaExtension.ldf This schema extension brings parity with the Windows Server 2012 schema and is required if you want to store the TPM owner authorization value for a computer running Windows 8 in a Windows Server 2008 R2 AD DS domain. With this extension the TPM owner authorization information will be stored in a separate TPM object linked to the corresponding computer object. diff --git a/windows/keep-secure/security-auditing-overview-glbl.md b/windows/keep-secure/security-auditing-overview-glbl.md index ac7d5b52ac..bc9ff675c5 100644 --- a/windows/keep-secure/security-auditing-overview-glbl.md +++ b/windows/keep-secure/security-auditing-overview-glbl.md 
@@ -17,7 +17,7 @@ author: brianlic-msft Topics in this section are for IT professionals and describes the security auditing features in Windows and how your organization can benefit from using these technologies to enhance the security and manageability of your network. -## +## Security auditing is one of the most powerful tools that you can use to maintain the integrity of your system. As part of your overall security strategy, you should determine the level of auditing that is appropriate for your environment. Auditing should identify attacks (successful or not) that pose a threat to your network, and attacks against resources that you have determined to be valuable in your risk assessment. diff --git a/windows/keep-secure/security-policy-settings.md b/windows/keep-secure/security-policy-settings.md index 6030d5c6d6..2e9a21f118 100644 --- a/windows/keep-secure/security-policy-settings.md +++ b/windows/keep-secure/security-policy-settings.md @@ -17,9 +17,9 @@ author: brianlic-msft **In this article** -- [Policy-based security settings management](#policy-based_security_settings_management) -- [Security Settings extension architecture](#w2k3tr_gpssp_how_ebls) -- [Security settings policy processes and interactions](#w2k3tr_gpssp_how_hjxe) +- [Policy-based security settings management](#policy-based-security-settings-management) +- [Security Settings extension architecture](#w2k3tr-gpssp-how-ebls) +- [Security settings policy processes and interactions](#w2k3tr-gpssp-how-hjxe) This reference topic describes the common scenarios, architecture, and processes for security settings. @@ -190,7 +190,7 @@ The following diagram shows Security Settings and related features. The Local Group Policy Editor MMC snap-in. -## Security Settings extension architecture +## Security Settings extension architecture The Security Settings extension of the Local Group Policy Editor is part of the Security Configuration Manager tools, as shown in the following diagram. 
@@ -261,12 +261,12 @@ The following list describes these primary features of the security configuratio These are text files that contain declarative security settings. They are loaded into a database before configuration or analysis. Group Policy security policies are stored in .inf files on the SYSVOL folder of domain controllers, where they are downloaded (by using file copy) and merged into the system database during policy propagation. -## Security settings policy processes and interactions +## Security settings policy processes and interactions For a domain-joined device, where Group Policy is administered, security settings are processed in conjunction with Group Policy. Not all settings are configurable. -### Group Policy processing +### Group Policy processing When a computer starts and a user logs on, computer policy and user policy are applied according to the following sequence: @@ -344,7 +344,7 @@ This order means that the local Group Policy Object is processed first, and Grou This is the default processing order and administrators can specify exceptions to this order. A Group Policy Object that is linked to a site, domain, or organizational unit (not a local Group Policy Object) can be set to **Enforced** with respect to that site, domain, or organizational unit, so that none of its policy settings can be overridden. At any site, domain, or organizational unit, you can mark Group Policy inheritance selectively as **Block Inheritance**. Group Policy Object links that are set to **Enforced** are always applied, however, and they cannot be blocked. -### Security settings policy processing +### Security settings policy processing In the context of Group Policy processing, security settings policy is processed in the following order. diff --git a/windows/keep-secure/shut-down-the-system.md b/windows/keep-secure/shut-down-the-system.md index d64fc679b9..deb9e43320 100644 --- a/windows/keep-secure/shut-down-the-system.md 
+++ b/windows/keep-secure/shut-down-the-system.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management, and security considerations for the **Shut down the system** security policy setting. diff --git a/windows/keep-secure/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md b/windows/keep-secure/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md index ab99fc2af8..4c8396b29e 100644 --- a/windows/keep-secure/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md +++ b/windows/keep-secure/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management and security considerations for the **Shutdown: Allow system to be shut down without having to log on** security policy setting. diff --git a/windows/keep-secure/shutdown-clear-virtual-memory-pagefile.md b/windows/keep-secure/shutdown-clear-virtual-memory-pagefile.md index e75a66f68b..a124c9e8c0 100644 --- a/windows/keep-secure/shutdown-clear-virtual-memory-pagefile.md +++ b/windows/keep-secure/shutdown-clear-virtual-memory-pagefile.md 
@@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management and security considerations for the **Shutdown: Clear virtual memory pagefile** security policy setting. diff --git a/windows/keep-secure/store-passwords-using-reversible-encryption.md b/windows/keep-secure/store-passwords-using-reversible-encryption.md index 29bb2a8f86..61e849687e 100644 --- a/windows/keep-secure/store-passwords-using-reversible-encryption.md +++ b/windows/keep-secure/store-passwords-using-reversible-encryption.md @@ -18,8 +18,8 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, and security considerations for the **Store passwords using reversible encryption** security policy setting. diff --git a/windows/keep-secure/switch-pcr-banks-on-tpm-2-0-devices.md b/windows/keep-secure/switch-pcr-banks-on-tpm-2-0-devices.md index 40749ccea3..3da96de40b 100644 --- a/windows/keep-secure/switch-pcr-banks-on-tpm-2-0-devices.md +++ b/windows/keep-secure/switch-pcr-banks-on-tpm-2-0-devices.md 
@@ -23,7 +23,7 @@ PCR\[N\] = HASHalg( PCR\[N\] || ArgumentOfExtend ) The existing value is concatenated with the argument of the TPM Extend operation. The resulting concatenation is then used as input to the associated hashing algorithm, which computes a digest of the input. This computed digest becomes the new value of the PCR. -The [TCG PC Client Specific Platform TPM Profile for TPM 2.0](http://www.trustedcomputinggroup.org/files/static_page_files/DA21120F-1A4B-B294-D0B41C9F9432A352/PC Client Specific Platform TPM Profile for TPM 2.0 v43.pdf) defines the inclusion of at least one PCR bank with 24 registers. The only way to reset the first 16 PCRs is to reset the TPM itself. This restriction helps ensure that the value of those PCRs can only be modified via the TPM Extend operation. +The [TCG PC Client Specific Platform TPM Profile for TPM 2.0](http://go.microsoft.com/fwlink/p/?LinkId=746577) defines the inclusion of at least one PCR bank with 24 registers. The only way to reset the first 16 PCRs is to reset the TPM itself. This restriction helps ensure that the value of those PCRs can only be modified via the TPM Extend operation. Some TPM PCRs are used as checksums of log events. The log events are extended in the TPM as the events occur. Later, an auditor can validate the logs by computing the expected PCR values from the log and comparing them to the PCR values of the TPM. Since the first 16 TPM PCRs cannot be modified arbitrarily, a match between an expected PCR value in that range and the actual TPM PCR value provides assurance of an unmodified log. diff --git a/windows/keep-secure/synchronize-directory-service-data.md b/windows/keep-secure/synchronize-directory-service-data.md index 5bb771bde9..77f19667e5 100644 --- a/windows/keep-secure/synchronize-directory-service-data.md +++ b/windows/keep-secure/synchronize-directory-service-data.md 
@@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management, and security considerations for the **Synchronize directory service data** security policy setting. diff --git a/windows/keep-secure/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md b/windows/keep-secure/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md index a318f73f06..993839b430 100644 --- a/windows/keep-secure/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md +++ b/windows/keep-secure/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management and security considerations for the **System cryptography: Force strong key protection for user keys stored on the computer** security policy setting. diff --git a/windows/keep-secure/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md b/windows/keep-secure/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md index e9398bcd3e..85f47a89f5 100644 --- a/windows/keep-secure/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md 
+++ b/windows/keep-secure/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) This security policy reference topic for the IT professional describes the best practices, location, values, policy management and security considerations for this policy setting. diff --git a/windows/keep-secure/system-objects-require-case-insensitivity-for-non-windows-subsystems.md b/windows/keep-secure/system-objects-require-case-insensitivity-for-non-windows-subsystems.md index 308e1ece5a..7f7d90f0aa 100644 --- a/windows/keep-secure/system-objects-require-case-insensitivity-for-non-windows-subsystems.md +++ b/windows/keep-secure/system-objects-require-case-insensitivity-for-non-windows-subsystems.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management and security considerations for the **System objects: Require case insensitivity for non-Windows subsystems** security policy setting. diff --git a/windows/keep-secure/system-objects-strengthen-default-permissions-of-internal-system-objects--eg-symbolic-links.md b/windows/keep-secure/system-objects-strengthen-default-permissions-of-internal-system-objects--eg-symbolic-links.md index 5907c887d8..8dc21bd5fe 100644 
--- a/windows/keep-secure/system-objects-strengthen-default-permissions-of-internal-system-objects--eg-symbolic-links.md +++ b/windows/keep-secure/system-objects-strengthen-default-permissions-of-internal-system-objects--eg-symbolic-links.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management and security considerations for the **System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)** security policy setting. diff --git a/windows/keep-secure/system-settings-optional-subsystems.md b/windows/keep-secure/system-settings-optional-subsystems.md index 1985fb95a8..7bf1048052 100644 --- a/windows/keep-secure/system-settings-optional-subsystems.md +++ b/windows/keep-secure/system-settings-optional-subsystems.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management and security considerations for the **System settings: Optional subsystems** security policy setting. diff --git a/windows/keep-secure/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md b/windows/keep-secure/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md index 7e470c5ed7..f0069ae2b3 100644 
--- a/windows/keep-secure/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md +++ b/windows/keep-secure/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management and security considerations for the **System settings: Use certificate rules on Windows executables for Software Restriction Policies** security policy setting. diff --git a/windows/keep-secure/take-ownership-of-files-or-other-objects.md b/windows/keep-secure/take-ownership-of-files-or-other-objects.md index fa033978ce..cc03a734c5 100644 --- a/windows/keep-secure/take-ownership-of-files-or-other-objects.md +++ b/windows/keep-secure/take-ownership-of-files-or-other-objects.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management, and security considerations for the **Take ownership of files or other objects** security policy setting. diff --git a/windows/keep-secure/tpm-fundamentals-windows-8.md b/windows/keep-secure/tpm-fundamentals-windows-8.md index 557cb026d3..3c8b119c13 100644 --- a/windows/keep-secure/tpm-fundamentals-windows-8.md +++ b/windows/keep-secure/tpm-fundamentals-windows-8.md 
@@ -31,59 +31,59 @@ For info about which versions of Windows support which versions of the TPM, see The following sections provide an overview of the technologies that support the TPM: -- [TPM-based Virtual Smart Card](#BKMK_VSC) +- [TPM-based Virtual Smart Card](#bkmk-vsc) -- [Measured Boot with support for attestation](#BKMK_MeasuredBoot) +- [Measured Boot with support for attestation](#bkmk-measuredboot) -- [Automated provisioning and management of the TPM](#BKMK_AutoProv) +- [Automated provisioning and management of the TPM](#bkmk-autoprov) -- [TPM-based certificate storage](#BKMK_TPMCS) +- [TPM-based certificate storage](#bkmk-tpmcs) -- [Physical presence interface](#BKMK_PhysicalPresenceInterface) +- [Physical presence interface](#bkmk-physicalpresenceinterface) -- [TPM Cmdlets](#BKMK_TPMcmdlets) +- [TPM Cmdlets](#bkmk-tpmcmdlets) -- [TPM Owner Authorization Value](#BKMK_AuthValue) +- [TPM Owner Authorization Value](#bkmk-authvalue) -- [States of existence in a TPM](#BKMK_stateex) +- [States of existence in a TPM](#bkmk-stateex) -- [Endorsement keys](#BKMK_EndorsementKeys) +- [Endorsement keys](#bkmk-endorsementkeys) -- [TPM Key Attestation](#BKMK_KetAttestation) +- [TPM Key Attestation](#bkmk-ketattestation) -- [How the TPM mitigates dictionary attacks](#BKMK_HowTPMmitigates) +- [How the TPM mitigates dictionary attacks](#bkmk-howtpmmitigates) -- [How do I check the state of my TPM?](#BKMK_CheckState) +- [How do I check the state of my TPM?](#bkmk-checkstate) -- [What can I do if my TPM is in reduced functionality mode?](#BKMK_FixRFM) +- [What can I do if my TPM is in reduced functionality mode?](#bkmk-fixrfm) The following topic describes the TPM Services that can be controlled centrally by using Group Policy settings: [Trusted Platform Module Services Group Policy Settings](trusted-platform-module-services-group-policy-settings.md) -## Automated provisioning and management of the TPM +## Automated provisioning and management of the TPM TPM provisioning can 
be streamlined to make it easier to deploy systems that are ready for BitLocker and other TPM-dependent features. These enhancements include simplifying the TPM state model to report **Ready**, **Ready with reduced functionality**, or **Not ready**. You can also automatically provision TPMs in the **Ready** state, remote provisioning to remove the requirement for the physical presence of a technician for the initial deployment. In addition, the TPM stack is available in the Windows Preinstallation Environment (Windows PE). A number of management settings have been added for easier management and configuration of the TPM through Group Policy. The primary new settings include Active Directory-based backup of TPM owner authentication, the level of owner authentication that should be stored locally on the TPM, and the software-based TPM lockout settings for standard users. For more info about backing up owner authentication to Windows Server 2008 R2 AD DS domains, see [AD DS schema extensions to support TPM backup](schema-extensions-for-windows-server-2008-r2-to-support-ad-ds-backup-of-tpm-information-from-windows-8-clients.md). -## Measured Boot with support for attestation +## Measured Boot with support for attestation The Measured Boot feature provides antimalware software with a trusted (resistant to spoofing and tampering) log of all boot components. Antimalware software can use the log to determine whether components that ran before it are trustworthy versus infected with malware. It can also send the Measured Boot logs to a remote server for evaluation. The remote server can initiate remediation actions by interacting with software on the client or through out-of-band mechanisms, as appropriate. 
-## TPM-based Virtual Smart Card +## TPM-based Virtual Smart Card The Virtual Smart Card emulates the functionality of traditional smart cards, but Virtual Smart Cards use the TPM chip that is available on an organization’s computers, rather than requiring the use of a separate physical smart card and reader. This greatly reduces the management and deployment cost of smart cards in an enterprise. To the end user, the Virtual Smart Card is always available on the computer. If a user needs to use more than one computer, a Virtual Smart Card must be issued to the user for each computer. A computer that is shared among multiple users can host multiple Virtual Smart Cards, one for each user. -## TPM-based certificate storage +## TPM-based certificate storage The TPM can be used to protect certificates and RSA keys. The TPM key storage provider (KSP) provides easy, convenient use of the TPM as a way of strongly protecting private keys. The TPM KSP can be used to generate keys when an organization enrolls for certificates, and the KSP is managed by templates in the UI. The TPM can also be used to protect certificates that are imported from an outside source. TPM-based certificates can be used exactly as standard certificates with the added functionality that the certificate can never leave the TPM from which the keys were generated. The TPM can now be used for crypto-operations through Cryptography API: Next Generation (CNG). For more info, see [Cryptography API: Next Generation](http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx). -## TPM Owner Authorization Value +## TPM Owner Authorization Value For Windows 8 a change to how the TPM owner authorization value is stored in AD DS was implemented in the AD DS schema. The TPM owner authorization value is now stored in a separate object which is linked to the Computer object. This value was stored as a property in the Computer object itself for the default Windows Server 2008 R2 schemas. 
Windows Server 2012 domain controllers have the default schema to backup TPM owner authorization information in the separate object. If you are not upgrading your domain controller to Windows Server 2012 you need to extend the schema to support this change. If Active Directory backup of the TPM owner authorization value is enabled in a Windows Server 2008 R2 environment without extending the schema, the TPM provisioning will fail and the TPM will remain in a Not Ready state for computers running Windows 8. @@ -130,7 +130,7 @@ If the operating system managed TPM authentication setting is changed from "Full   -## TPM Cmdlets +## TPM Cmdlets If you are using PowerShell to script and manage your computers, you can now manage the TPM using Windows PowerShell as well. To install the TPM cmdlets use the following command: @@ -139,7 +139,7 @@ If you are using PowerShell to script and manage your computers, you can now man For details about the individual cmdlets, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx) -## Physical presence interface +## Physical presence interface The TCG specifications for TPMs require physical presence to perform some TPM administrative functions, such as turning on and turning off the TPM. Physical presence means a person must physically interact with the system and the TPM interface to confirm or reject changes to TPM status. This typically cannot be automated with scripts or other automation tools unless the individual OEM supplies them. Here are some are examples of TPM administrative tasks that require physical presence: 
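Review bot: the trailing context line of the Physical presence hunk (@@ -139,7 +139,7 @@) reads "Here are some are examples of TPM administrative tasks that require physical presence:", a doubled word that should be "Here are some examples"; since this file is being edited anyway, fix it in the same change. The `## TPM Cmdlets` and `## Physical presence interface` heading edits in these two hunks are trailing whitespace only.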
@@ -149,7 +149,7 @@ The TCG specifications for TPMs require physical presence to perform some TPM ad - Deactivating the TPM - Disabling the TPM temporarily without the owner’s password -## States of existence in a TPM +## States of existence in a TPM For each of these TPM 1.2 states of existence, the TPM can transition into another state (for example, moving from disabled to enabled). The states are not exclusive. 
@@ -206,19 +206,19 @@ Applications cannot use the TPM until the state is enabled, activated, and owned The state of the TPM exists independently of the computer’s operating system. When the TPM is enabled, activated, and owned, the state of the TPM is preserved if the operating system is reinstalled. -## Endorsement keys +## Endorsement keys For a TPM to be usable by a trusted application, it must contain an endorsement key, which is an RSA key pair. The private half of the key pair is held inside the TPM, and it is never revealed or accessible outside the TPM. If the TPM does not contain an endorsement key, the application might cause the TPM to generate one automatically as part of the setup. An endorsement key can be created at various points in the TPM’s lifecycle, but it needs to be created only once for the lifetime of the TPM. The existence of an endorsement key is a requirement before TPM ownership can be taken. -## Key attestation +## Key attestation TPM key attestation allows a certification authority to verify that a private key is actually protected by a TPM and that the TPM is one that the certification authority trusts. Endorsement keys which have been proven valid can be used to bind the user identity to a device. Moreover, the user certificate with a TPM attested key provides higher security assurance backed up by the non-exportability, anti-hammering, and isolation of keys provided by a TPM. -## How the TPM mitigates dictionary attacks +## How the TPM mitigates dictionary attacks When a TPM processes a command, it does so in a protected environment, for example, a dedicated microcontroller on a discrete chip or a special hardware-protected mode on the main CPU. A TPM can be used to create a cryptographic key that is not disclosed outside the TPM, but is able to be used in the TPM after the correct authorization value is provided. 
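Review bot: this hunk's heading is `## Key attestation`, while the overview list earlier in the file links to it as "TPM Key Attestation" with the anchor `#bkmk-ketattestation`, carrying the "Ket" typo over from `BKMK_KetAttestation`; the link only resolves if the body has an explicit anchor with exactly that id, so either add one here or retarget the list entry at `#key-attestation` and make the list text match the heading. The three heading lines in this hunk otherwise change only by trailing whitespace.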
@@ -262,12 +262,12 @@ Hardware manufacturers and software developers have the option to use the securi The intent of selecting 32 failures as the lock-out threshold is so users rarely lock the TPM (even when learning to type new passwords or if they frequently lock and unlock their computers). If users lock the TPM, they must to wait two hours or use some other credential to sign in, such as a user name and password. -## How do I check the state of my TPM? +## How do I check the state of my TPM? You can check the state of the TPM on a PC by running the Trusted Platform Module snap-in (tpm.msc). The **Status** heading tells you the state of your TPM. The TPM can be in one of the following states: **Ready for use**, **Ready for use, with reduced functionality**, and **Not ready for use**. To take advantage of most of the TPM features in Windows 10, the TPM must be **Ready for use**. -## What can I do if my TPM is in reduced functionality mode? +## What can I do if my TPM is in reduced functionality mode? If your TPM is in reduced functionality mode, some features that rely on the TPM will not function correctly. This is most often caused by doing a clean installation of Windows 10 on a device where Windows 8.1, Windows 8, or Windows 7 had previously been installed on the same hardware. If your TPM is in reduced functionality mode, the Status heading in the Trusted Platform Module snap-in shows **The TPM is ready for use, with reduced functionality**. You can fix this by clearing the TPM. diff --git a/windows/keep-secure/troubleshoot-windows-defender-for-windows-10.md b/windows/keep-secure/troubleshoot-windows-defender-for-windows-10.md index 55989437dd..84bd5daee5 100644 --- a/windows/keep-secure/troubleshoot-windows-defender-for-windows-10.md +++ b/windows/keep-secure/troubleshoot-windows-defender-for-windows-10.md @@ -2200,7 +2200,7 @@ For more information please see the following:

- +  ## Related topics diff --git a/windows/keep-secure/trusted-platform-module--tpm-2-0--.md b/windows/keep-secure/trusted-platform-module--tpm-2-0--.md index 8269ff2272..7a5c161b45 100644 --- a/windows/keep-secure/trusted-platform-module--tpm-2-0--.md +++ b/windows/keep-secure/trusted-platform-module--tpm-2-0--.md @@ -21,13 +21,13 @@ author: brianlic-msft **In this article** - [Overview](#overview) -- [TPM 1.2 vs. 2.0 comparison](#tpm_1.2_vs._2.0_comparison) -- [Why TPM 2.0?](#why_tpm_2.0_) -- [Discrete or firmware TPM?](#discrete_or_firmware_tpm_) -- [TPM 2.0 Compliance for Windows 10 in the future](#tpm_2.0_compliance_for_windows_10_in_the_future) -- [TPM and Windows Features](#tpm_and_windows_features) -- [Chipset options for TPM 2.0](#chipset_options_for_tpm_2.0) -- [OEM Feedback and Status on TPM 2.0 system availability](#oem_feedback_and_status_on_tpm_2.0_system_availability) +- [TPM 1.2 vs. 2.0 comparison](#tpm-1-2-vs--2-0-comparison) +- [Why TPM 2.0?](#why-tpm-2-0-) +- [Discrete or firmware TPM?](#discrete-or-firmware-tpm-) +- [TPM 2.0 Compliance for Windows 10 in the future](#tpm-2-0-compliance-for-windows-10-in-the-future) +- [TPM and Windows Features](#tpm-and-windows-features) +- [Chipset options for TPM 2.0](#chipset-options-for-tpm-2-0) +- [OEM Feedback and Status on TPM 2.0 system availability](#oem-feedback-and-status-on-tpm-2-0-system-availability) This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows 10. 
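Review bot: The reduced-functionality answer in the tpm-fundamentals @@ -262 hunk ("You can fix this by clearing the TPM") needs a warning ahead of the fix: clearing the TPM discards every key it protects, so BitLocker volumes, virtual smart cards and the TPM-bound certificates described in the technology overview stop working unless BitLocker is suspended or a recovery key is in hand first. Suggest a **Caution** block before that sentence. Same hunk, context line: "they must to wait two hours" should read "they must wait two hours". The troubleshoot-windows-defender hunk at @@ -2200 changes only whitespace on an otherwise empty line and can be dropped from the patch.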
@@ -181,7 +181,7 @@ The following table defines which Windows features require TPM support. Some fea n/a Required Required -For Windows 10, Version 1511, TPM 1.2 or 2.0 is highly recommended. If you don't have a TPM installed, Credential Guard will still be enabled, but the keys used to encrypt Credential Guard will not be protected by the TPM. +For Windows 10, version 1511, TPM 1.2 or 2.0 is highly recommended. If you don't have a TPM installed, Credential Guard will still be enabled, but the keys used to encrypt Credential Guard will not be protected by the TPM. Device Health Attestation diff --git a/windows/keep-secure/trusted-platform-module-services-group-policy-settings.md b/windows/keep-secure/trusted-platform-module-services-group-policy-settings.md index d439835cb0..b0a0d91b86 100644 --- a/windows/keep-secure/trusted-platform-module-services-group-policy-settings.md +++ b/windows/keep-secure/trusted-platform-module-services-group-policy-settings.md @@ -17,7 +17,7 @@ author: brianlic-msft This topic for the IT professional describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings. -## +## The TPM Services Group Policy settings are located at: @@ -45,7 +45,7 @@ The TPM Services Group Policy settings are located at: -

[Turn on TPM backup to Active Directory Domain Services](#BKMK_tpmgp_addsbu)

+

[Turn on TPM backup to Active Directory Domain Services](#bkmk-tpmgp-addsbu)

X

X

X
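Review bot: The trusted-platform-module-services-group-policy-settings hunk at @@ -17 only trims trailing whitespace on an empty `##` heading; an empty heading renders as a blank heading bar, so either delete the line or give it text (the paragraph that follows, about where the TPM Services settings are located, would sit naturally under a short "Location" heading). The table hunks that follow mechanically lowercase and hyphenate the `#BKMK_...` anchors; confirm the in-page anchor targets were renamed the same way, because the `### ...` headings touched later in this file only receive whitespace trims and show no matching target id.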

@@ -53,7 +53,7 @@ The TPM Services Group Policy settings are located at:

X

-

[Configure the list of blocked TPM commands](#BKMK_tpmgp_clbtc)

+

[Configure the list of blocked TPM commands](#bkmk-tpmgp-clbtc)

X

X

X

@@ -61,7 +61,7 @@ The TPM Services Group Policy settings are located at:

X

-

[Ignore the default list of blocked TPM commands](#BKMK_tpmgp_idlb)

+

[Ignore the default list of blocked TPM commands](#bkmk-tpmgp-idlb)

X

X

X

@@ -69,7 +69,7 @@ The TPM Services Group Policy settings are located at:

X

-

[Ignore the local list of blocked TPM commands](#BKMK_tpmgp_illb)

+

[Ignore the local list of blocked TPM commands](#bkmk-tpmgp-illb)

X

X

X

@@ -77,7 +77,7 @@ The TPM Services Group Policy settings are located at:

X

-

[Configure the level of TPM owner authorization information available to the operating system](#BKMK_tpmgp_oauthos)

+

[Configure the level of TPM owner authorization information available to the operating system](#bkmk-tpmgp-oauthos)

X

X

X

@@ -85,7 +85,7 @@ The TPM Services Group Policy settings are located at:

-

[Standard User Lockout Duration](#BKMK_tpmgp_suld)

+

[Standard User Lockout Duration](#bkmk-tpmgp-suld)

X

X

X

@@ -93,7 +93,7 @@ The TPM Services Group Policy settings are located at:

-

[Standard User Individual Lockout Threshold](#BKMK_tpmgp_suilt)

+

[Standard User Individual Lockout Threshold](#bkmk-tpmgp-suilt)

X

X

X

@@ -101,7 +101,7 @@ The TPM Services Group Policy settings are located at:

-

[Standard User Total Lockout Threshold](#BKMK_tpmgpsutlt)

+

[Standard User Total Lockout Threshold](#bkmk-tpmgpsutlt)

X

X

X
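Review bot: `#bkmk-tpmgpsutlt` in the @@ -101 hunk breaks the `bkmk-tpmgp-<abbrev>` pattern every other row uses (`bkmk-tpmgp-suld`, `bkmk-tpmgp-suilt`); the original `BKMK_tpmgpsutlt` carried the same inconsistency, but a patch that already rewrites every anchor is the right moment to make target and link agree. Also, the @@ -268 hunk later in this file links the same two headings as `#bkmk-individual` and `#bkmk-total`, so Standard User Individual Lockout Threshold and Standard User Total Lockout Threshold are each reached by two different anchor names; at most one of each pair can resolve, so pick one and use it in both the table and the body text.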

@@ -113,12 +113,12 @@ The TPM Services Group Policy settings are located at:   -### Turn on TPM backup to Active Directory Domain Services +### Turn on TPM backup to Active Directory Domain Services This policy setting allows you to manage the Active Directory Domain Services (AD DS) backup of TPM owner information. **Note**   -This policy setting applies to the Windows operating systems listed in the [version table](#BKMK_version_table). +This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table).   @@ -135,12 +135,12 @@ If you enable this policy setting, TPM owner information will be automatically a If you disable or do not configure this policy setting, TPM owner information will not be backed up to AD DS. -### Configure the list of blocked TPM commands +### Configure the list of blocked TPM commands This policy setting allows you to manage the Group Policy list of Trusted Platform Module (TPM) commands that are blocked by Windows. **Note**   -This policy setting applies to the Windows operating systems listed in the [version table](#BKMK_version_table). +This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table).   
@@ -154,31 +154,31 @@ If you disable or do not configure this policy setting, only those TPM commands For information how to enforce or ignore the default and local lists of blocked TPM commands, see -- [Ignore the default list of blocked TPM commands](#BKMK_tpmgp_idlb) +- [Ignore the default list of blocked TPM commands](#bkmk-tpmgp-idlb) -- [Ignore the local list of blocked TPM commands](#BKMK_tpmgp_illb) +- [Ignore the local list of blocked TPM commands](#bkmk-tpmgp-illb) -### Ignore the default list of blocked TPM commands +### Ignore the default list of blocked TPM commands This policy setting allows you to enforce or ignore the computer's default list of blocked Trusted Platform Module (TPM) commands. **Note**   -This policy setting applies to the Windows operating systems listed in the [version table](#BKMK_version_table). +This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table).   -The default list of blocked TPM commands is preconfigured by Windows. You can view the default list by typing **tpm.msc** at the command prompt to open the TPM Management Console, navigating to the **Command Management** section, and exposing the **On Default Block List** column. Also see the related policy setting, [Configure the list of blocked TPM commands](#BKMK_tpmgp_clbtc). +The default list of blocked TPM commands is preconfigured by Windows. You can view the default list by typing **tpm.msc** at the command prompt to open the TPM Management Console, navigating to the **Command Management** section, and exposing the **On Default Block List** column. Also see the related policy setting, [Configure the list of blocked TPM commands](#bkmk-tpmgp-clbtc). If you enable this policy setting, the Windows operating system will ignore the computer's default list of blocked TPM commands, and it will block only those TPM commands that are specified by Group Policy or the local list. 
If you disable or do not configure this policy setting, Windows will block the TPM commands in the default list, in addition to the commands that are specified by Group Policy and the local list of blocked TPM commands. -### Ignore the local list of blocked TPM commands +### Ignore the local list of blocked TPM commands This policy setting allows you to enforce or ignore the computer's local list of blocked Trusted Platform Module (TPM) commands. **Note**   -This policy setting applies to the Windows operating systems listed in the [version table](#BKMK_version_table). +This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table).   @@ -188,12 +188,12 @@ If you enable this policy setting, the Windows operating system will ignore the If you disable or do not configure this policy setting, Windows will block the TPM commands in the local list, in addition to the commands that are specified in Group Policy and the default list of blocked TPM commands. -### Configure the level of TPM owner authorization information available to the operating system +### Configure the level of TPM owner authorization information available to the operating system This policy setting configures how much of the TPM owner authorization information is stored in the registry of the local computer. Depending on the amount of TPM owner authorization information that is stored locally, the Windows operating system and TPM-based applications can perform certain actions in the TPM that require TPM owner authorization without requiring the user to enter the TPM owner password. **Note**   -This policy setting applies to the Windows operating systems listed in the [version table](#BKMK_version_table). +This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table).   
@@ -251,12 +251,12 @@ If you enable this policy setting, the Windows operating system will store the T If you disable or do not configure this policy setting, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is also disabled or not configured, the default setting is to store the full TPM authorization value in the local registry. If this policy is disabled or not configured, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is enabled, only the administrative delegation and the user delegation blobs are stored in the local registry. -### Standard User Lockout Duration +### Standard User Lockout Duration This policy setting allows you to manage the duration in minutes for counting standard user authorization failures for Trusted Platform Module (TPM) commands requiring authorization. An authorization failure occurs each time a standard user sends a command to the TPM and receives an error response that indicates an authorization failure occurred. Authorization failures that are older than the duration you set are ignored. If the number of TPM commands with an authorization failure within the lockout duration equals a threshold, a standard user is prevented from sending commands that require authorization to the TPM. **Note**   -This policy setting applies to the Windows operating systems listed in the [version table](#BKMK_version_table). +This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table).   
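Review bot: The @@ -251 hunk says the default is to "store the full TPM authorization value in the local registry" but never says what that exposes. Suggest one sentence stating that whatever can read that registry value can perform owner-authorized TPM commands without the owner password, including the full reset of the lockout logic that the Standard User Lockout Duration section reserves for "an administrator with the TPM owner password", so that the "delegation blobs only" option reads as the security trade-off it is rather than an arbitrary alternative.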
@@ -268,20 +268,20 @@ This setting helps administrators prevent the TPM hardware from entering a locko For each standard user, two thresholds apply. Exceeding either threshold prevents the user from sending a command that requires authorization to the TPM. Use the following policy settings to set the lockout duration: -- [Standard User Individual Lockout Threshold](#BKMK_Individual)   This value is the maximum number of authorization failures that each standard user can have before the user is not allowed to send commands that require authorization to the TPM. +- [Standard User Individual Lockout Threshold](#bkmk-individual)   This value is the maximum number of authorization failures that each standard user can have before the user is not allowed to send commands that require authorization to the TPM. -- [Standard User Total Lockout Threshold](#BKMK_Total)   This value is the maximum total number of authorization failures that all standard users can have before all standard users are not allowed to send commands that require authorization to the TPM. +- [Standard User Total Lockout Threshold](#bkmk-total)   This value is the maximum total number of authorization failures that all standard users can have before all standard users are not allowed to send commands that require authorization to the TPM. An administrator with the TPM owner password can fully reset the TPM's hardware lockout logic by using the TPM Management Console (tpm.msc). Each time an administrator resets the TPM's hardware lockout logic, all prior standard user TPM authorization failures are ignored. This allows standard users to immediately use the TPM normally. If you do not configure this policy setting, a default value of 480 minutes (8 hours) is used. -### Standard User Individual Lockout Threshold +### Standard User Individual Lockout Threshold This policy setting allows you to manage the maximum number of authorization failures for each standard user for the Trusted Platform Module (TPM). 
This value is the maximum number of authorization failures that each standard user can have before the user is not allowed to send commands that require authorization to the TPM. If the number of authorization failures for the user within the duration that is set for the **Standard User Lockout Duration** policy setting equals this value, the standard user is prevented from sending commands that require authorization to the Trusted Platform Module (TPM). **Note**   -This policy setting applies to the Windows operating systems listed in the [version table](#BKMK_version_table). +This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table).   @@ -293,12 +293,12 @@ An administrator with the TPM owner password can fully reset the TPM's hardware If you do not configure this policy setting, a default value of 4 is used. A value of zero means that the operating system will not allow standard users to send commands to the TPM, which might cause an authorization failure. -### Standard User Total Lockout Threshold +### Standard User Total Lockout Threshold This policy setting allows you to manage the maximum number of authorization failures for all standard users for the Trusted Platform Module (TPM). If the total number of authorization failures for all standard users within the duration that is set for the **Standard User Lockout Duration** policy equals this value, all standard users are prevented from sending commands that require authorization to the Trusted Platform Module (TPM). **Note**   -This policy setting applies to the Windows operating systems listed in the [version table](#BKMK_version_table). +This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table).   diff --git a/windows/keep-secure/trusted-platform-module-technology-overview.md b/windows/keep-secure/trusted-platform-module-technology-overview.md index 9a9ecc1b5f..d8b99558cc 100644 
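Review bot: In the @@ -293 hunk, context line, "A value of zero means that the operating system will not allow standard users to send commands to the TPM, which might cause an authorization failure" is ambiguous; as written it can be read as the zero value itself causing an authorization failure. Suggest "...will not allow standard users to send any command to the TPM that could result in an authorization failure". The default of 4 for the individual threshold is also only meaningful together with the 480-minute default duration given in the @@ -268 hunk, so restating the window next to the count would spare readers a cross-reference.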
--- a/windows/keep-secure/trusted-platform-module-technology-overview.md +++ b/windows/keep-secure/trusted-platform-module-technology-overview.md @@ -17,7 +17,7 @@ author: brianlic-msft This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. The topic provides links to other resources about the TPM. -## Feature description +## Feature description Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. Some of the key advantages of using TPM technology are that you can: 
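Review bot: "malicious software is unable to tamper with the security functions of the TPM" in the technology overview @@ -17 hunk is broader than the rest of this patch supports: the Group Policy topic edited above states that the full owner authorization value is stored in the local registry by default and that the owner password can reset the lockout logic, so software that obtains that value can issue owner-authorized commands. Suggest narrowing the sentence to what the hardware guarantees, for example that software cannot extract keys held inside the TPM or alter its measurements.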
@@ -36,7 +36,7 @@ Different versions of the TPM are defined in specifications by the Trusted Compu Windows can automatically provision and manage the TPM. Group Policy settings can be configured to control whether the TPM owner authorization value is backed up in Active Directory. Because the TPM state persists across operating system installations, TPM information is stored in a location in Active Directory that is separate from computer objects. Depending on an enterprise’s security goals, Group Policy can be configured to allow or prevent local administrators from resetting the TPM’s dictionary attack logic. Standard users can use the TPM, but Group Policy controls limit how many authorization failures standard users can attempt so that one user is unable to prevent other users or the administrator from using the TPM. TPM technology can also be used as a virtual smart card and for secure certificate storage. With BitLocker Network Unlock, domain-joined computers are not prompted for a BitLocker PIN. -## Practical applications +## Practical applications Certificates can be installed or created on computers that are using the TPM. After a computer is provisioned, the RSA private key for a certificate is bound to the TPM and cannot be exported. The TPM can also be used as a replacement for smart cards, which reduces the costs associated with creating and disbursing smart cards. 
@@ -47,12 +47,12 @@ Antimalware software can use the boot measurements of the operating system start The TPM has several Group Policy settings that can be used to manage how it is used. These settings can be used to manage the owner authorization value, the blocked TPM commands, the standard user lockout, and the backup of the TPM to AD DS. For more info, see [Trusted Platform Module Services Group Policy Settings](trusted-platform-module-services-group-policy-settings.md). -## New and changed functionality +## New and changed functionality For more info on new and changed functionality for Trusted Platform Module in Windows 10, see [What's new in Trusted Platform Module?](../whats-new/trusted-platform-module.md). -## Device health attestation +## Device health attestation Device health attestation enables enterprises to establish trust based on hardware and software components of a managed device. With device heath attestation, you can configure an MDM server to query a health attestation service that will allow or deny a managed device access to a secure resource. @@ -67,7 +67,7 @@ Some things that you can check on the device are:   -## Supported versions +## Supported versions @@ -107,7 +107,7 @@ Some things that you can check on the device are:   -## Additional Resources +## Additional Resources [TPM Fundamentals](tpm-fundamentals-windows-8.md) diff --git a/windows/keep-secure/understand-applocker-policy-design-decisions.md b/windows/keep-secure/understand-applocker-policy-design-decisions.md index 8ce60bebb6..d34824f7d7 100644 --- a/windows/keep-secure/understand-applocker-policy-design-decisions.md +++ b/windows/keep-secure/understand-applocker-policy-design-decisions.md @@ -62,7 +62,7 @@ You might need to control a limited number of apps because they access sensitive +

For a comparison of Classic Windows applications and Universal Windows apps, see [Comparing Classic Windows applications and Universal Windows apps for AppLocker policy design decisions](#bkmk-compareclassicmetro) in this topic.
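Review bot: Typo in the technology overview @@ -47 hunk, context line: "With device heath attestation" should be "health". The understand-applocker-policy-design-decisions hunk at @@ -62 is declared as -62,7 +62,7 but only the added side (a line containing whitespace) is visible here; if this is the same trailing-whitespace trim as the other hunks, regenerate the patch so both sides show, otherwise reviewers cannot tell what was removed.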

@@ -101,7 +101,7 @@ The following list contains files or types of files that cannot be managed by Ap   -### Comparing Classic Windows applications and Universal Windows apps for AppLocker policy design decisions +### Comparing Classic Windows applications and Universal Windows apps for AppLocker policy design decisions AppLocker policies for Universal Windows apps can only be applied to apps that are installed on computers running Windows operating systems that support Windows Store apps. However, Classic Windows applications can be controlled in Windows Server 2008 R2 and Windows 7, in addition to those computers that support Universal Windows apps. The rules for Classic Windows applications and Universal Windows apps can be enforced together. The differences you should consider for Universal Windows apps are: diff --git a/windows/keep-secure/use-windows-event-forwarding-to-assist-in-instrusion-detection.md b/windows/keep-secure/use-windows-event-forwarding-to-assist-in-instrusion-detection.md index ecffacc0aa..ef5fe8f433 100644 --- a/windows/keep-secure/use-windows-event-forwarding-to-assist-in-instrusion-detection.md +++ b/windows/keep-secure/use-windows-event-forwarding-to-assist-in-instrusion-detection.md 
@@ -37,9 +37,9 @@ Here's an approximate scaling guide for WEF events:   -Event generation on a device must be enabled either separately or as part of the GPO for the baseline WEF implementation, including enabling of disabled event logs and setting channel permissions. For more info, see [Appendix C - Event channel settings (enable and channel access) methods](#BKMK_AppendixC). This is because WEF is a passive system with regards to the event log. It cannot change the size of event log files, enable disabled event channels, change channel permissions, or adjust a security audit policy. WEF only queries event channels for existing events. Additionally, having event generation already occurring on a device allows for more complete event collection building a complete history of system activity. Otherwise, you'll be limited to the speed of GPO and WEF subscription refresh cycles to make changes to what is being generated on the device. On modern devices, enabling additional event channels and expanding the size of event log files has not resulted in noticeable performance differences. +Event generation on a device must be enabled either separately or as part of the GPO for the baseline WEF implementation, including enabling of disabled event logs and setting channel permissions. For more info, see [Appendix C - Event channel settings (enable and channel access) methods](#bkmk-appendixc). This is because WEF is a passive system with regards to the event log. It cannot change the size of event log files, enable disabled event channels, change channel permissions, or adjust a security audit policy. WEF only queries event channels for existing events. Additionally, having event generation already occurring on a device allows for more complete event collection building a complete history of system activity. Otherwise, you'll be limited to the speed of GPO and WEF subscription refresh cycles to make changes to what is being generated on the device. 
On modern devices, enabling additional event channels and expanding the size of event log files has not resulted in noticeable performance differences. -For the minimum recommended audit policy and registry system ACL settings, see [Appendix A - Minimum recommended minimum audit policy](#BKMK_AppendixA) and [Appendix B - Recommended minimum registry system ACL policy](#BKMK_AppendixB). +For the minimum recommended audit policy and registry system ACL settings, see [Appendix A - Minimum recommended minimum audit policy](#bkmk-appendixa) and [Appendix B - Recommended minimum registry system ACL policy](#bkmk-appendixb). **Note**   These are only minimum values need to meet what the WEF subscription selects. @@ -55,7 +55,7 @@ This means you would create two base subscriptions: Each using the respective event query below. Note that for the Targeted subscription enabling the “read existing events” option should be set to true to allow collection of existing events from systems. By default, WEF subscriptions will only forward events generated after the WEF subscription was received by the client. -In [Appendix E – Annotated Baseline Subscription Event Query](#BKMK_AppendixE) and [Appendix F – Annotated Suspect Subscription Event Query](#BKMK_AppendixF), the event query XML is included when creating WEF subscriptions. These are annotated for query purpose and clarity. Individual <Query> element can be removed or edited without affecting the rest of the query. +In [Appendix E – Annotated Baseline Subscription Event Query](#bkmk-appendixe) and [Appendix F – Annotated Suspect Subscription Event Query](#bkmk-appendixf), the event query XML is included when creating WEF subscriptions. These are annotated for query purpose and clarity. Individual <Query> element can be removed or edited without affecting the rest of the query. ### Common WEF questions 
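Review bot: Grammar in the WEF topic's @@ -37 and @@ -55 hunks, context lines, worth fixing while the links on these lines are being rewritten: "These are only minimum values need to meet what the WEF subscription selects" should be "These are only the minimum values needed to meet...", and "Individual <Query> element can be removed or edited" should be "Individual <Query> elements can be removed or edited". The @@ -55 paragraph also says the Targeted subscription should set "read existing events" to true; it should state the converse for the Baseline subscription explicitly, since reading existing events there would replay every client's full log history to the collector on first connect.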
@@ -93,7 +93,7 @@ The HTTPS option is available if certificate based authentication is used, in ca ### Do WEF Clients have a separate buffer for events? -The WEF client machines local event log is the buffer for WEF for when the connection to the WEC server is lost. To increase the “buffer size”, increase the maximum file size of the specific event log file where events are being selected. For more info, see [Appendix C – Event Channel Settings (enable and Channel Access) methods](#BKMK_AppendixC). +The WEF client machines local event log is the buffer for WEF for when the connection to the WEC server is lost. To increase the “buffer size”, increase the maximum file size of the specific event log file where events are being selected. For more info, see [Appendix C – Event Channel Settings (enable and Channel Access) methods](#bkmk-appendixc). When the event log overwrites existing events (resulting in data loss if the device is not connected to the Event Collector), there is no notification sent to the WEF collector that events are lost from the client. Neither is there an indicator that there was a gap encountered in the event stream. @@ -147,7 +147,7 @@ For collector initiated subscriptions: The subscription contains the list of mac Yes. If you desire a High-Availability environment, simply configure multiple WEC servers with the same subscription configuration and publish both WEC Server URIs to WEF clients. WEF Clients will forward events simultaneously to the configured subscriptions on the WEC servers, if they have the appropriate access. -### What are the WEC server’s limitations? +### What are the WEC server’s limitations? There are three factors that limit the scalability of WEC servers. The general rule for a stable WEC server on commodity hardware is “10k x 10k” – meaning, no more than 10,000 concurrently active WEF Clients per WEC server and no more than 10,000 events/second average event volume. 
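Review bot: The high-availability answer in the @@ -147 hunk ("WEF Clients will forward events simultaneously to the configured subscriptions on the WEC servers") should spell out the consequence: each event arrives at every collector, so downstream storage must de-duplicate or analysts will see each event once per WEC server. In the @@ -93 hunk, context line, "The WEF client machines local event log" needs a possessive ("client machine's"), and since the paragraph admits that overwritten events produce no notification and no gap marker at the collector, the pointer to Appendix C should say plainly that raising the channel size is the only mitigation.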
@@ -178,7 +178,7 @@ The subscription is essentially a collection of query statements applied to the To gain the most value out of the baseline subscription we recommend to have the following requirements set on the device to ensure that the clients are already generating the required events to be forwarded off the system. -- Apply a security audit policy that is a super-set of the recommended minimum audit policy. For more info, see [Appendix A – Minimum Recommended minimum Audit Policy](#BKMK_AppendixA). This ensures that the security event log is generating the required events. +- Apply a security audit policy that is a super-set of the recommended minimum audit policy. For more info, see [Appendix A – Minimum Recommended minimum Audit Policy](#bkmk-appendixa). This ensures that the security event log is generating the required events. - Apply at least an Audit-Only AppLocker policy to devices. 
@@ -188,9 +188,9 @@ To gain the most value out of the baseline subscription we recommend to have the - Enable disabled event channels and set the minimum size for modern event files. -- Currently, there is no GPO template for enabling or setting the maximum size for the modern event files. This must be done by using a GPO. For more info, see [Appendix C – Event Channel Settings (enable and Channel Access) methods](#BKMK_AppendixC). +- Currently, there is no GPO template for enabling or setting the maximum size for the modern event files. This must be done by using a GPO. For more info, see [Appendix C – Event Channel Settings (enable and Channel Access) methods](#bkmk-appendixc). -The annotated event query can be found in the following. For more info, see [Appendix F – Annotated Baseline Subscription Event Query](#BKMK_AppendixF). +The annotated event query can be found in the following. For more info, see [Appendix F – Annotated Baseline Subscription Event Query](#bkmk-appendixf). - Anti-malware events from Microsoft Antimalware or Windows Defender. This can be configured for any given anti-malware product easily if it writes to the Windows event log. @@ -198,7 +198,7 @@ The annotated event query can be found in the following. For more info, see [App - AppLocker Process Create events (EXE, script, packaged App installation and execution). -- Registry modification events. For more info, see [Appendix B – Recommended minimum Registry System ACL Policy](#BKMK_AppendixB). +- Registry modification events. For more info, see [Appendix B – Recommended minimum Registry System ACL Policy](#bkmk-appendixb). - OS startup and shutdown 
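Review bot: Wrong appendix in the @@ -188 hunk: the link text and anchor "Appendix F – Annotated Baseline Subscription Event Query" (#bkmk-appendixf) point at the Suspect query; per the headings later in this same file the baseline query is Appendix E, so this should be "[Appendix E – Annotated baseline subscription event query](#bkmk-appendixe)". Same hunk, the bullet "Currently, there is no GPO template for enabling or setting the maximum size for the modern event files. This must be done by using a GPO." contradicts itself; presumably it means there is no ADMX template and the values must be pushed as registry settings through Group Policy, which is what the "GPO snippet" in Appendix C shows, so say that.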
@@ -367,7 +367,7 @@ This adds some possible intruder-related activity to help analyst further refine - Can possibly detect a USB device loading multiple device drivers. For example, a USB\_STOR device loading the keyboard or network driver. -## Appendix A - Minimum recommended minimum audit policy +## Appendix A - Minimum recommended minimum audit policy If your organizational audit policy enables additional auditing to meet its needs, that is fine. The policy below is the minimum audit policy settings needed to enable events collected by both baseline and targeted subscriptions. @@ -407,7 +407,7 @@ If your organizational audit policy enables additional auditing to meet its need   -## Appendix B - Recommended minimum registry system ACL policy +## Appendix B - Recommended minimum registry system ACL policy The Run and RunOnce keys are useful for intruders and malware persistence. It allows code to be run (or run only once then removed, respectively) when a user logs into the system. @@ -418,7 +418,7 @@ Use the following figures to see how you can configure those registry keys. ![default acl for run key](images/runkey.png)![default acl for runonce key](images/runoncekey.png) -## Appendix C - Event channel settings (enable and channel access) methods +## Appendix C - Event channel settings (enable and channel access) methods Some channels are disabled by default and have to be enabled. Others, such as Microsoft-Windows-CAPI2/Operational must have the channel access modified to allow the Event Log Readers built-in security group to read from it. @@ -441,7 +441,7 @@ The following GPO snippet performs the following: ![configure event channels](images/capi-gpo.png) -## Appendix D - Minimum GPO for WEF Client configuration +## Appendix D - Minimum GPO for WEF Client configuration Here are the minimum steps for WEF to operate: 
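Review bot: The Appendix A heading in the @@ -367 hunk reads "Minimum recommended minimum audit policy", with "minimum" twice; drop one here and in the link text at @@ -37 and @@ -178 that targets it (the lowercased anchor #bkmk-appendixa is unaffected). In the @@ -407 hunk, context line, "The Run and RunOnce keys ... It allows code to be run" should be "They allow code to be run". Appendix C (@@ -418) names Event Log Readers as the group that needs read access to Microsoft-Windows-CAPI2/Operational but not which account on the client actually reads the channel; stating that would tell readers running the forwarder under a different account what to adjust.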
@@ -454,7 +454,7 @@ Here are the minimum steps for WEF to operate: ![configure the wef client](images/wef-client-config.png) -## Appendix E – Annotated baseline subscription event query +## Appendix E – Annotated baseline subscription event query ``` syntax @@ -620,7 +620,7 @@ Here are the minimum steps for WEF to operate: ``` -## Appendix F – Annotated Suspect Subscription Event Query +## Appendix F – Annotated Suspect Subscription Event Query ``` syntax @@ -692,7 +692,7 @@ Here are the minimum steps for WEF to operate: ``` -## Appendix G - Online resources +## Appendix G - Online resources You can get more info with the following links: diff --git a/windows/keep-secure/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md b/windows/keep-secure/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md index 9e3bce62cd..ecc4948360 100644 --- a/windows/keep-secure/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md +++ b/windows/keep-secure/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Admin Approval Mode for the Built-in Administrator account** security policy setting. diff --git a/windows/keep-secure/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md b/windows/keep-secure/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md index 3c188f59ad..65a92d9326 100644 
--- a/windows/keep-secure/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md +++ b/windows/keep-secure/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, and security considerations for the **User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop** security policy setting. diff --git a/windows/keep-secure/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md b/windows/keep-secure/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md index 44daa6c1c8..8524789259 100644 --- a/windows/keep-secure/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md +++ b/windows/keep-secure/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode** security policy setting. 
diff --git a/windows/keep-secure/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md b/windows/keep-secure/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md index 2cf38a7c23..d50a6930a3 100644 --- a/windows/keep-secure/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md +++ b/windows/keep-secure/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Behavior of the elevation prompt for standard users** security policy setting. diff --git a/windows/keep-secure/user-account-control-detect-application-installations-and-prompt-for-elevation.md b/windows/keep-secure/user-account-control-detect-application-installations-and-prompt-for-elevation.md index ac4704600a..e229cd654f 100644 --- a/windows/keep-secure/user-account-control-detect-application-installations-and-prompt-for-elevation.md +++ b/windows/keep-secure/user-account-control-detect-application-installations-and-prompt-for-elevation.md 
@@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Detect application installations and prompt for elevation** security policy setting. diff --git a/windows/keep-secure/user-account-control-only-elevate-executables-that-are-signed-and-validated.md b/windows/keep-secure/user-account-control-only-elevate-executables-that-are-signed-and-validated.md index 2da0bc272b..6e31e0b35d 100644 --- a/windows/keep-secure/user-account-control-only-elevate-executables-that-are-signed-and-validated.md +++ b/windows/keep-secure/user-account-control-only-elevate-executables-that-are-signed-and-validated.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Only elevate executables that are signed and validated** security policy setting. diff --git a/windows/keep-secure/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md b/windows/keep-secure/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md index 6ed8a660e3..d1772f9cee 100644 
--- a/windows/keep-secure/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md +++ b/windows/keep-secure/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Only elevate UIAccess applications that are installed in secure locations** security policy setting. diff --git a/windows/keep-secure/user-account-control-overview.md b/windows/keep-secure/user-account-control-overview.md index 6a43f96b95..71d4e00483 100644 --- a/windows/keep-secure/user-account-control-overview.md +++ b/windows/keep-secure/user-account-control-overview.md 
@@ -17,7 +17,7 @@ author: brianlic-msft User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings. -## +## UAC allows all users to log on to their computers using a standard user account. Processes launched using a standard user token may perform tasks using access rights granted to a standard user. For instance, Windows Explorer automatically inherits standard user level permissions. Additionally, any apps that are started using Windows Explorer (for example, by double-clicking a shortcut) also run with the standard set of user permissions. Many apps, including those that are included with the operating system itself, are designed to work properly in this way. @@ -26,12 +26,12 @@ Other apps, especially those that were not specifically designed with security s When an app needs to run with more than standard user rights, UAC can restore additional user groups to the token. This enables the user to have explicit control of apps that are making system level changes to their computer or device. -## Practical applications +## Practical applications Admin Approval Mode in UAC helps prevent malware from silently installing without an administrator's knowledge. It also helps protect from inadvertent system-wide changes. Lastly, it can be used to enforce a higher level of compliance where administrators must actively consent or provide credentials for each administrative process. -## New and changed functionality +## New and changed functionality To find out what's new in UAC for Windows 10, see [User Account Control](../whats-new/user-account-control.md). 
diff --git a/windows/keep-secure/user-account-control-run-all-administrators-in-admin-approval-mode.md b/windows/keep-secure/user-account-control-run-all-administrators-in-admin-approval-mode.md index 2daaed2d20..0998c47e1a 100644 --- a/windows/keep-secure/user-account-control-run-all-administrators-in-admin-approval-mode.md +++ b/windows/keep-secure/user-account-control-run-all-administrators-in-admin-approval-mode.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Run all administrators in Admin Approval Mode** security policy setting. diff --git a/windows/keep-secure/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md b/windows/keep-secure/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md index b69e7d9360..6cadbaa9d3 100644 --- a/windows/keep-secure/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md +++ b/windows/keep-secure/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md 
@@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Switch to the secure desktop when prompting for elevation** security policy setting. diff --git a/windows/keep-secure/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md b/windows/keep-secure/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md index 67e3ec35c2..fa4736f4de 100644 --- a/windows/keep-secure/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md +++ b/windows/keep-secure/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md @@ -18,9 +18,9 @@ author: brianlic-msft **In this article** - [Reference](#reference) -- [Policy management](#policy_management) -- [Security considerations](#security_considerations) -- [Related topics](#related_topics) +- [Policy management](#policy-management) +- [Security considerations](#security-considerations) +- [Related topics](#related-topics) Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Virtualize file and registry write failures to per-user locations** security policy setting. diff --git a/windows/keep-secure/vpn-profile-options.md b/windows/keep-secure/vpn-profile-options.md index e8d7dfa4da..bc3a1f3c4e 100644 --- a/windows/keep-secure/vpn-profile-options.md +++ b/windows/keep-secure/vpn-profile-options.md 
@@ -18,11 +18,11 @@ author: brianlic-msft **In this article** -- [Always On](#always_on) -- [App-triggered VPN](#app-triggered_vpn) -- [Traffic filters](#traffic_filters) -- [LockDown VPN](#lockdown_vpn) -- [Learn more](#learn_more) +- [Always On](#always-on) +- [App-triggered VPN](#app-triggered-vpn) +- [Traffic filters](#traffic-filters) +- [LockDown VPN](#lockdown-vpn) +- [Learn more](#learn-more) Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. diff --git a/windows/keep-secure/why-a-pin-is-better-than-a-password.md b/windows/keep-secure/why-a-pin-is-better-than-a-password.md index 35f2a1e433..2b456474f4 100644 --- a/windows/keep-secure/why-a-pin-is-better-than-a-password.md +++ b/windows/keep-secure/why-a-pin-is-better-than-a-password.md @@ -19,13 +19,13 @@ author: brianlic-msft **In this article** -- [PIN is tied to the device](#pin_is_tied_to_the_device) -- [PIN is local to the device](#pin_is_local_to_the_device) -- [PIN is backed by hardware](#pin_is_backed_by_hardware) -- [PIN can be complex](#pin_can_be_complex) -- [What if someone steals the laptop or phone?](#what_if_someone_steals_the_laptop_or_phone_) -- [Why do you need a PIN to use Windows Hello?](#why_do_you_need_a_pin_to_use_windows_hello_) -- [Related topics](#related_topics) +- [PIN is tied to the device](#pin-is-tied-to-the-device) +- [PIN is local to the device](#pin-is-local-to-the-device) +- [PIN is backed by hardware](#pin-is-backed-by-hardware) +- [PIN can be complex](#pin-can-be-complex) +- [What if someone steals the laptop or phone?](#what-if-someone-steals-the-laptop-or-phone-) +- [Why do you need a PIN to use Windows Hello?](#why-do-you-need-a-pin-to-use-windows-hello-) +- [Related topics](#related-topics) Microsoft Passport in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password? 
diff --git a/windows/keep-secure/windows-10-mobile-security-guide.md b/windows/keep-secure/windows-10-mobile-security-guide.md index c94eeae25a..0ec085e039 100644 --- a/windows/keep-secure/windows-10-mobile-security-guide.md +++ b/windows/keep-secure/windows-10-mobile-security-guide.md @@ -19,11 +19,11 @@ author: brianlic-msft **In this article** - [Overview](#overview) -- [Identity and access control](#identity_and_access_control) -- [Data protection](#data_protection) -- [Malware resistance](#malware_resistance) -- [App platform security](#app_platform_security__) -- [Related topics](#related_topics) +- [Identity and access control](#identity-and-access-control) +- [Data protection](#data-protection) +- [Malware resistance](#malware-resistance) +- [App platform security](#app-platform-security--) +- [Related topics](#related-topics) This guide provides a detailed description of the most important security features in the Windows 10 Mobile operating system—identity access and control, data protection, malware resistance, and app platform security. @@ -200,7 +200,7 @@ Table 2. Windows 10 cryptography policies For a complete list of policies available, see [Policy CSP](http://go.microsoft.com/fwlink/p/?LinkId=733963). -### Enterprise data protection +### Enterprise data protection Enterprises have seen huge growth in the convergence of personal and corporate data storage. Personal data is frequently stored on corporate devices and vice versa. This situation increases the potential for compromise of sensitive corporate data. @@ -223,7 +223,7 @@ EDP is currently being tested in select customer evaluation programs. For more i   -### Enlightenment +### Enlightenment Third-party data loss protection solutions usually require developers to wrap their apps. In contrast, EDP puts the intelligence in Windows 10 Mobile so that it doesn’t require wrappers. As a result, most apps require nothing extra to work with EDP. 
@@ -353,11 +353,11 @@ Windows 10 Mobile devices use a System on a Chip (SoC) design provided by SoC v The following sections describe these improvements in more detail. -### Enterprise-grade secure hardware +### Enterprise-grade secure hardware Taking full advantage of Windows 10 Mobile security features requires advancements in hardware-based security. These advances include UEFI with Secure Boot, TPM, and biometric sensors (hardware dependent). -### UEFI with Secure Boot +### UEFI with Secure Boot When a Windows 10 Mobile device starts, it begins the process of loading the operating system by locating the bootloader in the device’s storage system. Without safeguards in place, the phone might simply hand control over to the bootloader without even determining whether it’s a trusted operating system or malware. @@ -371,7 +371,7 @@ All Windows 10 Mobile devices always have Secure Boot enabled. In addition, the Neither Windows 10 Mobile, apps, or even malware can change the UEFI configuration. For more information about UEFI with Secure Boot, read [Protecting the pre-OS environment with UEFI](http://go.microsoft.com/fwlink/p/?LinkId=722909). -### Trusted Platform Module +### Trusted Platform Module A Trusted Platform Module is a tamper-resistant cryptographic module that enhances the security and privacy of computing platforms. The TPM is incorporated as a component in a trusted computing platform like a PC, tablet, or mobile phone. A trusted computing platform is specially designed to work with the TPM to support privacy and security scenarios that software alone cannot achieve. It is a Windows 10 Mobile device hardware certification requirement to include a TPM in every Windows 10 Mobile device. 
@@ -404,7 +404,7 @@ Several Windows 10 Mobile security features require TPM: Still other features will use the TPM if it is available. For example, Microsoft Passport does not require TPM but uses it if it’s available. Organizations can configure policy to require TPM for Microsoft Passport. -### Biometrics +### Biometrics Windows 10 Mobile makes biometrics a core security feature. Microsoft has fully integrated biometrics into the Windows 10 Mobile security components, not just tacked it on top of the platform (as was the case in previous versions of Windows). This is a big change. Earlier biometric implementations were largely front-end methods that simplified authentication. Under the hood, the system used biometrics to access a password, which it then used for authentication behind the scenes. Biometrics may have provided convenience but not necessarily enterprise-grade authentication. 
@@ -412,17 +412,17 @@ Microsoft has been evangelizing the importance of enterprise-grade biometric sen In the future, Microsoft expects OEMs to produce even more advanced enterprise-grade biometric sensors and to continue to integrate them into mobile devices. As a result, biometrics will become a commonplace authentication method as part of an MFA system. -### Enterprise-grade secure Windows startup +### Enterprise-grade secure Windows startup UEFI with Secure Boot uses hardware technologies to help protect users from bootkits. Secure Boot can validate the integrity of the devices, firmware, and bootloader. After the bootloader launches, users must rely on the operating system to protect the integrity of the remainder of the system. -### Trusted Boot +### Trusted Boot When UEFI with Secure Boot verifies that it trusts the bootloader and starts Windows 10 Mobile, the Windows Trusted Boot feature protects the rest of the startup process by verifying that all Windows startup components are trustworthy (for example, signed by a trusted source) and have integrity. The bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, and startup files. If someone has modified a file (for example, if malware has tampered with it or it has been corrupted), Trusted Boot will detect the problem and attempt to automatically repair the corrupted component. When repaired, Windows will start normally after only a brief delay. -### Measured Boot +### Measured Boot The biggest challenge with rootkits and bootkits in earlier versions of Windows was that they could frequently be undetectable to the client. Because they often started before Windows defenses and the antimalware solution—and they had system-level privileges—rootkits and bootkits could completely disguise themselves while continuing to access system resources. 
Although UEFI with Secure Boot and Trusted Boot could prevent most rootkits and bootkits, intruders could still potentially exploit a few attack vectors (for example, if someone compromised the signature used to sign a boot component, such as a non-Microsoft driver, and used it to sign a malicious one). 
@@ -430,13 +430,13 @@ Windows 10 Mobile implements the Measured Boot feature, which uses the TPM hard Measured Boot focuses on acquiring the measurement data and protecting it against tampering. You must couple it, however, with a service that can analyze the data to determine device health and provide a more complete security service. The next section introduces just such a service. -### Device health attestation +### Device health attestation Device health attestation is new feature in Windows 10 Mobile that helps prevent low-level malware infections. Device health attestation uses a device’s TPM and firmware to measure the critical security properties of the device’s BIOS and Windows startup processes. These measurements are made in such a way that even on a system infected with kernel-level malware or a rootkit, an attacker is unlikely to spoof the properties. You can integrate Device health attestation with Microsoft Intune or non-Microsoft MDM solutions and combine these hardware-measured security properties with other device properties to gain an overall view of the device’s health and compliance state. From there, you can use this integration in a variety of scenarios, from detecting jailbroken devices to monitoring device compliance, generating compliance reports, alerting users or administrators, initiating corrective action on the device, and managing conditional access to resources such as Office 365. -### Conditional Access +### Conditional Access The example that follows shows how Windows 10 protective measures integrate and work with Intune and non-Microsoft MDM solutions. It demonstrates how the phone security architecture in Windows 10 Mobile helps you monitor and verify compliance and how the security and trust rooted in the device hardware protect corporate resources end to end. 
@@ -456,22 +456,22 @@ When a user turns on a phone: Because this solution can detect and prevent low-level malware that may be extremely difficult to detect any other way, Microsoft recommends that you consider implementing a Device health attestation-enabled MDM system like Intune that takes advantage of the Windows 10 Mobile cloud-based health attestation server feature to detect and block devices infected with advanced malware. -## App platform security +## App platform security Applications built for Windows are designed to be secure and free of defects, but the reality is that human error can create vulnerabilities in code. When malicious users and software identify such vulnerabilities, they may attempt to manipulate data in memory in the hope that they can compromise the system and take control. To mitigate these risks, Windows 10 Mobile includes a series of improvements to make it more difficult for malware to compromise the device. Windows 10 Mobile even enables organizations to choose which apps are allowed to run on mobile devices. In addition, it includes improvements that can dramatically reduce the likelihood that newly discovered vulnerabilities can be successful exploited. It takes detailed knowledge of operating system architecture and malware exploit techniques to fully appreciate the impact of these improvements, but the sections that follow explain them at a high level. -### Device Guard +### Device Guard Device Guard is a feature set that consists of both hardware and software system integrity-hardening features. These features revolutionize Windows operating system security by moving the entire operating system to a trust-nothing model. All apps on Windows 10 Mobile must be digitally signed and come from Windows Store or a trusted enterprise store. Device Guard implements policies that further restrict this. By default, Device Guard supports all apps from Windows Store. 
You can create policies that define the apps that can and cannot run on the Windows 10 Mobile device. If the app doesn’t have a digital signature or is prevented by policy, or it does not come from a trusted store, it will not run on Windows 10 Mobile. -Advanced hardware features (described earlier in the [Enterprise-grade secure hardware](#secure_hardware) section) drive these security offerings. By integrating these hardware features further into the core operating system, Windows 10 Mobile can use them in new ways. To deliver this additional security, Device Guard requires UEFI with Secure Boot. +Advanced hardware features (described earlier in the [Enterprise-grade secure hardware](#secure-hardware) section) drive these security offerings. By integrating these hardware features further into the core operating system, Windows 10 Mobile can use them in new ways. To deliver this additional security, Device Guard requires UEFI with Secure Boot. -### AppContainer +### AppContainer The Windows 10 Mobile security model is based on the principle of least privilege and uses isolation to achieve it. Every app and even portions of the operating system itself run inside their own isolated sandbox called an AppContainer—a secured isolation boundary within which an app and its processes can run. Each AppContainer is defined and implemented through a security policy. 
@@ -491,7 +491,7 @@ Apps receive the minimal privileges they need to perform their legitimate tasks. The combination of Device Guard and AppContainer help to prevent unauthorized apps from running. In the event malware slips into the app ecosystem, the AppContainer helps to constrain the app and limit potential damage. The Windows 10 Mobile trust-nothing model doesn’t assume that any component is perfect, however, potential vulnerabilities in apps, AppContainers, and Windows 10 Mobile itself could give an attacker a chance to compromise a system. For this reason, we need redundant vulnerability mitigations. The next several topics describe some of the redundant mitigations in Windows 10 Mobile. -### Address Space Layout Randomization +### Address Space Layout Randomization One of the most common techniques attackers use to gain access to a system is to find a vulnerability in a privileged process that is already running, guess or find a location in memory where important system code and data reside, and then overwrite that information with a malicious payload. In the early days of operating systems, any malware that could write directly to the system memory could do such a thing; the malware would simply overwrite system memory in well-known and predictable locations. 
@@ -503,13 +503,13 @@ Figure 3. ASLR at work Microsoft has substantively improved the ASLR implementation in Windows 10 Mobile over previous versions, especially with 64-bit system and application processes that can take advantage of a vastly increased memory space, making it even more difficult for malware to predict where Windows 10 Mobile stores vital data. When used on systems that have TPMs, ASLR memory randomization will be increasingly unique across devices, making it even more difficult for a successful exploit that works on one system to work reliably on another. Microsoft also holistically applied ASLR across the entire system in Windows 10 Mobile rather than it working only on specific apps. -### Data Execution Prevention +### Data Execution Prevention Malware depends on its ability to put a malicious payload into memory with the hope that an unsuspecting user will execute it later. ASLR makes that much more difficult. Extending that protection, it would be great if you could prevent malware from running if it wrote to an area that you have allocated solely for the storage of information. Data Execution Prevention (DEP) does exactly that, substantially reducing the range of memory that malicious code can use for its benefit. DEP uses the **No execute** bit on modern CPUs to mark blocks of memory as read only so that malware can’t use those blocks to execute malicious code. All Windows 10 and Windows 10 Mobile devices support DEP. -### Windows heap +### Windows heap The heap is a location in memory that Windows uses to store dynamic application data. Microsoft continues to improve on earlier Windows heap designs by further mitigating the risk of heap exploits that an attacker could use. 
@@ -521,11 +521,11 @@ Windows 10 Mobile has several important improvements to the security of the hea - Windows 10 Mobile uses “guard pages” before and after blocks of memory as tripwires. If an attacker attempts to write past a block of memory (a common technique known as a buffer overflow), the attacker will have to overwrite a guard page. Any attempt to modify a guard page is considered a memory corruption, and Windows 10 Mobile responds by instantly terminating the app. -### Memory reservations +### Memory reservations Microsoft reserves the lowest 64 KB of process memory for the operating system. Apps are no longer allowed to allocate that portion of the memory, which makes it more difficult for malware to overwrite critical system data structures in memory. -### Control Flow Guard +### Control Flow Guard When Windows loads applications into memory, it allocates space to those applications based on the size of the code, requested memory, and other factors. When an application begins to execute code, it calls additional code located in other memory addresses. The relationships among the code locations are well known—they are written in the code itself—but until Windows 10 Mobile, the operating system didn’t enforce the flow among these locations, giving attackers the opportunity to change the flow to meet their needs. In other words, an application exploit takes advantage of this behavior by running code that the application may not typically run. 
@@ -533,7 +533,7 @@ Windows 10 Mobile mitigates this kind of threat through the Control Flow Guard You cannot configure CFG; rather, an application developer can take advantage of CFG by configuring it when he or she compiles the application. Consider asking application developers and software vendors to deliver trustworthy Windows applications compiled with CFG enabled. Of course, browsers are a key entry point for attacks; thus Microsoft Edge and other Windows features take full advantage of CFG. -### Protected processes +### Protected processes In general, preventing a computer security incident is more cost-effective than repairing the damage an incident can cause. For malware in particular, most security controls are designed to prevent an attack from being initially successful. The reasoning is that if malware cannot infect the system, the system is immune to malware. @@ -597,7 +597,7 @@ Figure 4. The IT process for Store for Business For details about the process of distributing apps through Store for Business, see [Find and acquire apps](../manage/find-and-acquire-apps.md). -### The user side +### The user side After you have prepared Store for Business, the user side of the process takes over. This side of the process is designed to be user friendly, with the primary app deployment method—through Store for Business—streamlined and straightforward. This process doesn’t require an MDM system or any on-premises infrastructure. In fact, the user never sees the “for Business” label, just the familiar Windows Store. diff --git a/windows/keep-secure/windows-10-security-guide.md b/windows/keep-secure/windows-10-security-guide.md index 20f2d49e8f..a8991c8f6e 100644 --- a/windows/keep-secure/windows-10-security-guide.md +++ b/windows/keep-secure/windows-10-security-guide.md 
@@ -22,10 +22,10 @@ author: brianlic-msft - [Identity and access control](#identity) - [Information protection](#information) - [Malware resistance](#malware) -- [Secure the Windows core](#secure_the_windows_core) -- [Secure the Windows desktop](#secure_the_windows_desktop) +- [Secure the Windows core](#secure-the-windows-core) +- [Secure the Windows desktop](#secure-the-windows-desktop) - [Conclusion](#conclusion) -- [Related topics](#related_topics) +- [Related topics](#related-topics) This guide provides a detailed description of the most important security improvements in the Windows 10 operating system, with links to more detailed articles about many of its security features. Wherever possible, specific recommendations are provided to help you implement and configure Windows 10 security features. @@ -40,7 +40,7 @@ Windows 10 is designed to protect against known and emerging security threats a - [**Malware resistance**](#malware) includes architectural changes that can isolate critical system and security components from threats. Several new features in Windows 10 help reduce the threat of malware, including VBS, Device Guard, Microsoft Edge, and an entirely new version of Windows Defender. In addition, the many antimalware features from the Windows 8.1 operating system— including AppContainers for application sandboxing and numerous boot-protection features, such as Trusted Boot—have been carried forward and improved in Windows 10. -## Identity and access control +## Identity and access control Traditionally, access control is a process that has three components: 
@@ -124,7 +124,7 @@ Microsoft Passport effectively mitigates two major security risks. First, it eli To compromise a Microsoft Passport credential that TPM protects, an attacker must have access to the physical device, and then must find a way to spoof the user’s biometrics or guess his or her PIN—and all of this must be done before TPM anti-hammer capabilities lock the device. This sets the bar magnitudes of order higher than password phishing attacks. -### +### **Windows Hello** @@ -156,7 +156,7 @@ Figure 1. Set the number of invalid access attempts prior to lockout Now, your PC is configured with brute-force protection. Restart your PC. When prompted to log on, mistype your password until the PC restarts. Now, try to guess the 48-character recovery key. You will be glad you printed it out beforehand. -## Information protection +## Information protection When users travel, their organization’s confidential data goes with them. Wherever confidential data is stored, it must be protected against unauthorized access. Windows has a long history of providing at-rest data-protection solutions that guard against nefarious attackers, beginning with the Encrypting File System in the Windows 2000 operating system. More recently, BitLocker has provided encryption for full drives and portable drives; in Windows 10, BitLocker will even protect individual files, with data loss prevention capabilities. Windows consistently improves data protection by improving existing options and by providing new strategies. 
@@ -344,7 +344,7 @@ Part of the Microsoft Desktop Optimization Pack, MBAM makes it easier to manage For more information about MBAM, including how to obtain it, see [Microsoft BitLocker Administration and Monitoring](http://go.microsoft.com/fwlink/p/?LinkId=626935) on the MDOP TechCenter. -## Malware resistance +## Malware resistance In movies, security threats always seem to be initiated by a nefarious hacker sitting in front of a monitor with green text scrolling across it. In the real world, the vast majority of security threats occur without any human interaction at all. Just as software has automated so much of our lives, malware has automated attacks on our PCs. Those attacks are relentless. Malware is constantly changing, and when it infects a PC, it can in some cases be extremely difficult to detect and remove. 
@@ -437,7 +437,7 @@ This behavior doesn’t limit the choice of operating system. In fact, users typ - **Use an operating system with a Microsoft-signed bootloader.** Microsoft offers a service to sign non-Microsoft bootloaders so that they can be used on the device. In this case, a signature from the Microsoft third-party UEFI CA is used to sign the non-Microsoft bootloader, and the signature itself is added to the UEFI database. Several non-Microsoft operating systems, including several varieties of Linux, have had their bootloaders signed by Microsoft so that they can take advantage of the Secure Boot capability. For more information about the Microsoft third-party UEFI signing policy, read [Microsoft UEFI CA Signing policy updates](http://go.microsoft.com/fwlink/p/?LinkId=626936) and [Pre-submission testing for UEFI submissions](http://go.microsoft.com/fwlink/p/?LinkId=626937). **Note**   - PCs configured to use Device Guard boot only a secured version of Windows and do not permit a third-party bootloader. For more information, see the [Device Guard](#device_guard) section of this document. + PCs configured to use Device Guard boot only a secured version of Windows and do not permit a third-party bootloader. For more information, see the [Device Guard](#device-guard) section of this document.   
@@ -462,7 +462,7 @@ Think of the VBS environment as a miniature operating system: It has its own ker - **Local Security Authority (LSA)** enforces Windows authentication and authorization policies. LSA is a well-known security component that has been part of Windows since 1993. Sensitive portions of LSA are isolated within the VBS environment and are protected by a new feature called Credential Guard. -- **Hypervisor-enforced code integrity** verifies the integrity of kernel-mode code prior to execution. This is a part of the [Device Guard](#device_guard) feature described later in this document. +- **Hypervisor-enforced code integrity** verifies the integrity of kernel-mode code prior to execution. This is a part of the [Device Guard](#device-guard) feature described later in this document. VBS provides two major improvements in Windows 10 security: a new trust boundary between key Windows system components and a secure execution environment within which they run. A trust boundary between key Windows system components is enabled though the VBS environment’s use of platform virtualization to isolate the VBS environment from the Windows operating system. Running the VBS environment and Windows operating system as guests on top of Hyper-V and the processor’s virtualization extensions inherently prevents the guests from interacting with each other outside the limited and highly structured communication channels between the trustlets within the VBS environment and Windows operating system. 
@@ -504,7 +504,7 @@ The functionality a TPM provides includes: Microsoft combined this small list of TPM benefits with Windows 10 and other hardware security technologies to provide practical security and privacy benefits. -Among other functions, Windows 10 uses the TPM to protect the encryption keys for BitLocker volumes, virtual smart cards, certificates, and the many other keys that the TPM is used to generate. Windows 10 also uses the TPM to securely record and protect integrity-related measurements of select hardware and Windows boot components for the [Measured Boot](#measure_boot) feature described later in this document. In this scenario, Measured Boot measures each component, from firmware up through the drivers, and then stores those measurements in the PC’s TPM. From there, you can test the measurement log remotely so that a separate system verifies the boot state of the Windows 10 PC. +Among other functions, Windows 10 uses the TPM to protect the encryption keys for BitLocker volumes, virtual smart cards, certificates, and the many other keys that the TPM is used to generate. Windows 10 also uses the TPM to securely record and protect integrity-related measurements of select hardware and Windows boot components for the [Measured Boot](#measure-boot) feature described later in this document. In this scenario, Measured Boot measures each component, from firmware up through the drivers, and then stores those measurements in the PC’s TPM. From there, you can test the measurement log remotely so that a separate system verifies the boot state of the Windows 10 PC. Windows 10 supports TPM implementations that comply with either the 1.2 or 2.0 standards. Several improvements have been made in the TPM 2.0 standard, the most notable of which is cryptographic agility. TPM 1.2 is restricted to a fixed set of encryption and hash algorithms. At the time the TPM 1.2 standard was created in the early 2000s, these algorithms were considered cryptographically strong. 
Since that time, advances in cryptographic algorithms and cryptanalysis attacks have increased expectations for stronger cryptography. TPM 2.0 supports additional algorithms that offer stronger cryptographic protection as well as the ability to plug in algorithms that may be preferred in certain geographies or industries. It also opens the possibility for inclusion of future algorithms without changing the TPM component itself. @@ -531,7 +531,7 @@ All of these features are covered in this document. **Biometrics** -You read in the [Windows Hello](#Windows_Hello) section of this document that Windows 10 has built-in support for biometric hardware. Windows has included some amount of built-in biometric support since the Windows XP operating system, so what’s different about this in Windows 10? +You read in the [Windows Hello](#windows-hello) section of this document that Windows 10 has built-in support for biometric hardware. Windows has included some amount of built-in biometric support since the Windows XP operating system, so what’s different about this in Windows 10? Windows 10 makes biometrics a core security feature. Biometrics is fully integrated into the Windows 10 security components, not just tacked on as an extra part of a larger scheme. This is a big change. Earlier biometric implementations were largely front-end methods to simplify authentication. Under the hood, biometrics was used to access a password, which was then used for authentication behind the scenes. Biometrics may have provided convenience but not necessarily enterprise-grade authentication. 
@@ -559,7 +559,7 @@ The design is simple but effective. ELAM is a component of a full-featured antim If you want to learn how to configure ELAM, you can use Group Policy settings to configure how ELAM responds to potentially malicious boot drivers. In the Group Policy Management Editor, go to Computer Configuration\\Administrative Templates\\System\\Early Launch Antimalware, and enable the **Boot-Start Driver Initialization Policy** setting. Now, you can select which driver classifications ELAM loads. When you select the **Good Only** setting, it provides the highest level of security, but test it thoroughly to ensure that it does not prevent users with healthy PCs from starting. -### +### **Measured Boot** @@ -608,7 +608,7 @@ Applications built for Windows are designed to be secure and free of defects, bu To mitigate these risks, Windows 10 includes core improvements to make it more difficult for malware to perform buffer overflow, heap spraying, and other low-level attacks and even which code is allowed to run on the PC. In addition, these improvements dramatically reduce the likelihood that newly discovered vulnerabilities result in a successful exploit. It takes detailed knowledge of operating system architecture and malware exploit techniques to fully appreciate the impact of these improvements, but the sections that follow explain them at a high level. -### +### **Device Guard** 
@@ -662,7 +662,7 @@ The core functionality and protection of Device Guard starts at the hardware lev Device Guard leverages VBS to isolate its Hypervisor Code Integrity (HVCI) service, which enables Device Guard to protect all kernel mode processes and drivers from vulnerability exploits and zero days. HVCI uses the processor’s IOMMU functionality to force all software running in kernel mode to safely allocate memory. This means that after memory has been allocated, its state must be changed from writable to read only or execute only. By forcing memory into these states, it helps ensure that attacks are unable to inject malicious code into kernel mode processes and drivers through techniques such as buffer overruns or heap spraying. In the end, the VBS environment protects the Device Guard HVCI service from tampering even if the operating system’s kernel has been fully compromised, and HVCI protects kernel mode processes and drivers so that a compromise of this magnitude can’t happen in the first place. -Another Windows 10 feature that employs VBS is Credential Guard. Credential Guard protects credentials by running the Windows authentication service known as LSA, and then storing the user’s derived credentials (for example, NTLM hashes; Kerberos tickets) within the same VBS environment that Device Guard uses to protect its HVCI service. By isolating the LSA service and the user’s derived credentials from both user mode and kernel mode, an attacker that has compromised the operating system core will still be unable to tamper with authentication or access derived credential data. Credential Guard prevents pass-the-hash and ticket types of attacks, which are central to the success of nearly every major network breach you’ve read about, which makes Credential Guard one of the most impactful and important features to deploy within your environment. 
For more information about how Credential Guard complements Device Guard, see the [Device Guard with Credential Guard](#DGwithCG) section. +Another Windows 10 feature that employs VBS is Credential Guard. Credential Guard protects credentials by running the Windows authentication service known as LSA, and then storing the user’s derived credentials (for example, NTLM hashes; Kerberos tickets) within the same VBS environment that Device Guard uses to protect its HVCI service. By isolating the LSA service and the user’s derived credentials from both user mode and kernel mode, an attacker that has compromised the operating system core will still be unable to tamper with authentication or access derived credential data. Credential Guard prevents pass-the-hash and ticket types of attacks, which are central to the success of nearly every major network breach you’ve read about, which makes Credential Guard one of the most impactful and important features to deploy within your environment. For more information about how Credential Guard complements Device Guard, see the [Device Guard with Credential Guard](#dgwithcg) section. **Device Guard with AppLocker** @@ -677,7 +677,7 @@ In another example, you could enable a configurable code integrity policy to all AppLocker and Device Guard can run side-by-side in your organization, which offers the best of both security features at the same time and provides the most comprehensive security to as many devices as possible. In addition to these features, Microsoft recommends that you continue to maintain an enterprise antivirus solution for a well-rounded enterprise security portfolio. -### +### **Device Guard with Credential Guard** diff --git a/windows/keep-secure/windows-hello-biometrics-in-the-enterprise.md b/windows/keep-secure/windows-hello-biometrics-in-the-enterprise.md index 424eac0255..4604f69b3e 100644 --- a/windows/keep-secure/windows-hello-biometrics-in-the-enterprise.md 
+++ b/windows/keep-secure/windows-hello-biometrics-in-the-enterprise.md @@ -20,14 +20,14 @@ Windows Hello is the biometric authentication feature that helps strengthen auth Because we realize your employees are going to want to use this new technology in your enterprise, we’ve been actively working with the device manufacturers to create strict design and performance recommendations that help to ensure that you can more confidently introduce Windows Hello biometrics into your organization. -## How does Windows Hello work? +## How does Windows Hello work? Windows Hello lets your employees use fingerprint or facial recognition as an alternative method to unlocking a device. With Windows Hello, authentication happens when the employee provides his or her unique biometric identifier while accessing the device-specific Microsoft Passport credentials. The Windows Hello authenticator works with Microsoft Passport to authenticate and allow employees onto your enterprise network. Authentication doesn’t roam among devices, isn’t shared with a server, and can’t easily be extracted from a device. If multiple employees share a device, each employee will use his or her own biometric data on the device. -## Why should I let my employees use Windows Hello? +## Why should I let my employees use Windows Hello? Windows Hello provides many benefits, including: 
@@ -40,12 +40,12 @@ Windows Hello provides many benefits, including: For more info about the available Group Policies and MDM CSPs, see the [Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md) topic. -## Where is Microsoft Hello data stored? +## Where is Microsoft Hello data stored? The biometric data used to support Windows Hello is stored on the local device only. It doesn’t roam and is never sent to external devices or servers. This separation helps to stop potential attackers by providing no single collection point that an attacker could potentially compromise to steal biometric data. Additionally, even if an attacker was actually able to get the biometric data, it still can’t be easily converted to a form that could be recognized by the biometric sensor. -## Has Microsoft set any device requirements for Windows Hello? +## Has Microsoft set any device requirements for Windows Hello? We’ve been working with the device manufacturers to help ensure a high-level of performance and protection is met by each sensor and device, based on these requirements: 
@@ -54,7 +54,7 @@ We’ve been working with the device manufacturers to help ensure a high-level o - **False Reject Rate (FRR).** Represents the instances a biometric identification solution fails to verify an authorized person correctly. Usually represented as a percentage, the sum of the True Accept Rate and False Reject Rate is 1. Can be with or without anti-spoofing or liveness detection. -### Fingerprint sensor requirements +### Fingerprint sensor requirements To allow fingerprint matching, you must have devices with fingerprint sensors and software. Fingerprint sensors, or sensors that use an employee’s unique fingerprint as an alternative log on option, can be touch sensors (large area or small area) or swipe sensors. Each type of sensor has its own set of detailed requirements that must be implemented by the manufacturer, but all of the sensors must include anti-spoofing measures (required) and a way to configure them (optional). @@ -74,7 +74,7 @@ To allow fingerprint matching, you must have devices with fingerprint sensors an - Effective, real world FRR with Anti-spoofing or liveness detection: <10% -### Facial recognition sensors +### Facial recognition sensors To allow facial recognition, you must have devices with integrated special infrared (IR) sensors and software. Facial recognition sensors use special cameras that see in IR light, letting them tell the difference between a photo and a living person while scanning an employee’s facial features. These sensors, like the fingerprint sensors, must also include anti-spoofing measures (required) and a way to configure them (optional). diff --git a/windows/keep-secure/working-with-applocker-rules.md b/windows/keep-secure/working-with-applocker-rules.md index 5b6e983f97..5fad689a53 100644 --- a/windows/keep-secure/working-with-applocker-rules.md +++ b/windows/keep-secure/working-with-applocker-rules.md 
@@ -169,7 +169,7 @@ If you use DLL rules, you need to create an allow rule for each DLL that is used When DLL rules are used, AppLocker must check each DLL that an application loads. Therefore, users may experience a reduction in performance if DLL rules are used. -The DLL rule collection is not enabled by default. To learn how to enable the DLL rule collection, see [DLL rule collections](#BKMK_DLLruleCollections). +The DLL rule collection is not enabled by default. To learn how to enable the DLL rule collection, see [DLL rule collections](#bkmk-dllrulecollections).   
@@ -178,13 +178,13 @@ The DLL rule collection is not enabled by default. To learn how to enable the DL Rule conditions are criteria that help AppLocker identify the apps to which the rule applies. The three primary rule conditions are publisher, path, and file hash. -- [Publisher](#BKMK_Publisher): Identifies an app based on its digital signature +- [Publisher](#bkmk-publisher): Identifies an app based on its digital signature -- [Path](#BKMK_Path): Identifies an app by its location in the file system of the computer or on the network +- [Path](#bkmk-path): Identifies an app by its location in the file system of the computer or on the network -- [File hash](#BKMK_FileHash): Represents the system computed cryptographic hash of the identified file +- [File hash](#bkmk-filehash): Represents the system computed cryptographic hash of the identified file -### Publisher +### Publisher This condition identifies an app based on its digital signature and extended attributes when available. The digital signature contains info about the company that created the app (the publisher). Executable files, dlls, Windows installers, packaged apps and packaged app installers also have extended attributes, which are obtained from the binary resource. In case of executable files, dlls and Windows installers, these attributes contain the name of the product that the file is a part of, the original name of the file as supplied by the publisher, and the version number of the file. In case of packaged apps and packaged app installers, these extended attributes contain the name and the version of the app package. @@ -267,7 +267,7 @@ The following table describes how a publisher condition is applied.   -### Path +### Path This rule condition identifies an application by its location in the file system of the computer or on the network. 
@@ -330,7 +330,7 @@ Because a path rule condition can be configured to include a large number of fol   -### File hash +### File hash When you choose the file hash rule condition, the system computes a cryptographic hash of the identified file. The advantage of this rule condition is that because each file has a unique hash, a file hash rule condition applies to only one file. The disadvantage is that each time the file is updated (such as a security update or upgrade) the file's hash will change. As a result, you must manually update file hash rules. @@ -403,7 +403,7 @@ You can apply AppLocker rules to individual users or to a group of users. If you The effect of this rule would prevent users such as Help Desk personnel from running a program that is necessary for their support tasks. To resolve this problem, create a second rule that applies to the Help Desk user group: "Allow Help Desk to run Registry Editor." If you create a deny rule that does not allow any users to run Registry Editor, the deny rule will override the second rule that allows the Help Desk user group to run Registry Editor. -## DLL rule collection +## DLL rule collection Because the DLL rule collection is not enabled by default, you must perform the following procedure before you can create and enforce DLL rules. diff --git a/windows/manage/TOC.md b/windows/manage/TOC.md index 6b1d5feef9..8c214a782b 100644 --- a/windows/manage/TOC.md +++ b/windows/manage/TOC.md @@ -1,4 +1,4 @@ -# [Manage and update Windows 10](index.md) +# [Manage and update Windows 10] ## [Change history for Manage and update Windows 10](change-history-for-manage-and-update-windows-10.md) ## [Administrative Tools in Windows 10](administrative-tools-in-windows-10.md) ## [Cortana integration in your business or enterprise](manage-cortana-in-your-enterprise.md) 
@@ -17,7 +17,8 @@ #### [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) #### [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md) ### [Lock down Windows 10 to specific apps](lock-down-windows-10-to-specific-apps.md) -### [Configure telemetry and other settings in your organization](manage-privacy-for-windows-10-in-your-company.md) +### [Configure telemetry in your organization](configure-telemetry-in-your-organization.md) +### [Disconnect from Microsoft and configure privacy settings in your organization](manage-privacy-for-windows-10-in-your-company.md) ### [Configure access to Windows Store](stop-employees-from-using-the-windows-store.md) ### [Manage Wi-Fi Sense in your company](manage-wi-fi-sense-in-your-company.md) ### [Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md) diff --git a/windows/manage/add-unsigned-app-to-code-integrity-policy.md b/windows/manage/add-unsigned-app-to-code-integrity-policy.md index c1f6d000d8..064d2cc81b 100644 --- a/windows/manage/add-unsigned-app-to-code-integrity-policy.md +++ b/windows/manage/add-unsigned-app-to-code-integrity-policy.md 
@@ -21,16 +21,16 @@ When you want to add an unsigned app to a code integrity policy, you need to sta ## In this section -- [Create a code integrity policy based on a reference device](#create_ci_policy) -- [Create catalog files for your unsigned app](#create_catalog_files) -- [Catalog signing with Device Guard signing portal](#catalog_signing_device_guard_portal) +- [Create a code integrity policy based on a reference device](#create-ci-policy) +- [Create catalog files for your unsigned app](#create-catalog-files) +- [Catalog signing with Device Guard signing portal](#catalog-signing-device-guard-portal) -## Create a code integrity policy based on a reference device +## Create a code integrity policy based on a reference device To add an unsigned app to a code integrity policy, your code integrity policy must be created from golden image machine. For more information, see [Create a Device Guard code integrity policy based on a reference device](https://technet.microsoft.com/library/mt243445.aspx). -## Create catalog files for your unsigned app +## Create catalog files for your unsigned app Creating catalog files starts the process for adding an unsigned app to a code integrity policy. 
@@ -47,7 +47,7 @@ Before you get started, be sure to review these best practices and requirements: - **Naming convention** -- Using a naming convention makes it easier to find deployed catalog files. We'll use \*-Contoso.cat as the naming convention in this topic. For more information, see the section Inventorying catalog files by using Configuration Manager in the [Device Guard deployment guide](https://technet.microsoft.com/library/mt463091.aspx). -- **Where to deploy code integrity policy** -- The [code integrity policy that you created](#create_ci_policy) should be deployed to the system on which you are running Package Inspector. This will ensure that the code integrity policy binaries are trusted. +- **Where to deploy code integrity policy** -- The [code integrity policy that you created](#create-ci-policy) should be deployed to the system on which you are running Package Inspector. This will ensure that the code integrity policy binaries are trusted. Copy the commands for each step into an elevated Windows PowerShell session. You'll use Package Inspector to find and trust all binaries in the app. @@ -81,7 +81,7 @@ The Package Inspector scan catalogs the hash values for each binary file that is After you're done, the files are saved to your desktop. You still need to sign the catalog file so that it will be trusted within the code integrity policy. -## Catalog signing with Device Guard signing portal +## Catalog signing with Device Guard signing portal To sign catalog files with the Device Guard signing portal, you need to be signed up with the Windows Store for Business. For more information, see [Sign up for the Windows Store for Business](sign-up-for-windows-store-for-business.md). 
@@ -94,7 +94,7 @@ Catalog signing is a vital step to adding your unsigned apps to your code integr 2. Click **Settings**, and then choose **Device Guard signing**. -3. Click **Upload** to upload your unsigned catalog files. These are the catalog files you created earlier in [Create catalog files for your unsigned app](#create_catalog_files). +3. Click **Upload** to upload your unsigned catalog files. These are the catalog files you created earlier in [Create catalog files for your unsigned app](#create-catalog-files). 4. After the files are uploaded, click **Sign** to sign the catalog files. diff --git a/windows/manage/app-inventory-managemement-for-windows-store-for-business.md b/windows/manage/app-inventory-managemement-for-windows-store-for-business.md index 0b1842c286..8332ba51fb 100644 --- a/windows/manage/app-inventory-managemement-for-windows-store-for-business.md +++ b/windows/manage/app-inventory-managemement-for-windows-store-for-business.md @@ -44,7 +44,7 @@ There are a couple of ways to find specific apps, or groups of apps in your inve **Refine** - Use **Refine** to scope your list of apps by one or more of these app attributes: -- **License** - Online or offline licenses. For more info, see [Apps in Windows Store for Business](apps-in-the-windows-store-for-business.md#licensing_model). +- **License** - Online or offline licenses. For more info, see [Apps in Windows Store for Business](apps-in-the-windows-store-for-business.md#licensing-model). - **Platforms** - Lists the devices that apps in your inventory were originally written to support. This list is cumulative for all apps in your inventory. 
@@ -54,7 +54,7 @@ There are a couple of ways to find specific apps, or groups of apps in your inve ### Manage apps in your inventory -Each app in the Store for Business has an online, or an offline license. For more information on Store for Business licensing model, see [Apps in the Windows Store for Business](apps-in-the-windows-store-for-business.md#licensing_model). There are different actions you can take depending on the app license type. They're summarized in this table. +Each app in the Store for Business has an online, or an offline license. For more information on Store for Business licensing model, see [Apps in the Windows Store for Business](apps-in-the-windows-store-for-business.md#licensing-model). There are different actions you can take depending on the app license type. They're summarized in this table.

Control only Classic Windows applications, only Universal Windows apps, or both

AppLocker policies control apps by creating an allowed list of apps by file type. Because Universal Windows apps are categorized under the Publisher condition, Classic Windows applications and Universal Windows apps can be controlled together. AppLocker policies for Universal Windows apps can be applied only to apps that are installed on PCs that support the Windows Store, but Classic Windows applications can be controlled with AppLocker on all supported versions of Windows. The rules you currently have configured for Classic Windows applications can remain, and you can create new ones for Universal Windows apps.

-

For a comparison of Classic Windows applications and Universal Windows apps, see [Comparing Classic Windows applications and Universal Windows apps for AppLocker policy design decisions](#BKMK_CompareClassicMetro) in this topic.

Control apps by business group and user

@@ -178,7 +178,7 @@ For each app in your inventory, you can view and manage license details. This gi Store for Business updates the list of assigned licenses. -### Download offline-licensed app +### Download offline-licensed app Offline licensing is a new feature in Windows 10 and allows apps to be deployed to devices that are not connected to the Internet. This means organizations can deploy apps when users or devices do not have connectivity to the Store. @@ -192,9 +192,9 @@ You can download offline-licensed apps from your inventory. You'll need to downl - App framework -For more information about online and offline licenses, see [Apps in the Windows Store for Business](apps-in-the-windows-store-for-business.md#licensing_model). +For more information about online and offline licenses, see [Apps in the Windows Store for Business](apps-in-the-windows-store-for-business.md#licensing-model). -For more information about downloading offline-licensed apps, see [Download offline apps](../p_ent_manage_Update/download-offline-licensed-app.md). +For more information about downloading offline-licensed apps, see [Download offline apps](../manage/download-offline-licensed-app.md).   diff --git a/windows/manage/apps-in-the-windows-store-for-business.md b/windows/manage/apps-in-the-windows-store-for-business.md index d2c7a4435e..6f4e3b40cd 100644 --- a/windows/manage/apps-in-the-windows-store-for-business.md +++ b/windows/manage/apps-in-the-windows-store-for-business.md @@ -18,7 +18,7 @@ author: jdeckerMS Windows Store for Business has thousands of apps from many different categories. -## +## These app types are supported in Store for Business: 
@@ -49,14 +49,14 @@ Apps that you acquire from the Store for Business only work on Windows 10-based Line-of-business (LOB) apps are also supported using the Store for Business. Admins can invite IT devs and ISVs to be LOB publishers. Apps developed by your LOB publishers that are submitted to the Store are only available to your organization. Once an administrator accepts an app submitted by one of their LOB publishers, the app can be distributed just like any other app from Store for Business. For more information, see Working with Line-of-Business apps. -## In-app purchases +## In-app purchases Some apps offer you the option to make in-app purchases. In-app purchases are not currently supported for apps that are acquired through Store for Business and distributed to employees. If an employee makes an in-app purchase, they'll make it with their personal Microsoft account and pay for it with a personal payment method. The employee will own the item purchased, and it cannot be transferred to your organization’s inventory. -## Licensing model: online and offline licenses +## Licensing model: online and offline licenses Store for Business supports two options to license apps: online and offline. diff --git a/windows/manage/change-history-for-manage-and-update-windows-10.md b/windows/manage/change-history-for-manage-and-update-windows-10.md index c53a28ed78..832bf7d5a5 100644 --- a/windows/manage/change-history-for-manage-and-update-windows-10.md +++ b/windows/manage/change-history-for-manage-and-update-windows-10.md @@ -11,7 +11,7 @@ author: jdeckerMS # Change history for Manage and update Windows 10 -This topic lists new and updated topics in the [Manage and update Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md). +This topic lists new and updated topics in the [Manage and update Windows 10] documentation for [Windows 10 and Windows 10 Mobile](../index.md). ## March 2016 
@@ -59,7 +59,7 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in - + diff --git a/windows/manage/changes-to-start-policies-in-windows-10.md b/windows/manage/changes-to-start-policies-in-windows-10.md index 2dd9ca8e5b..02ec8bdfdc 100644 --- a/windows/manage/changes-to-start-policies-in-windows-10.md +++ b/windows/manage/changes-to-start-policies-in-windows-10.md @@ -18,9 +18,9 @@ author: jdeckerMS **In this article** -- [Start policy settings supported for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education](#start_policy_settings_supported_for_windows_10_pro__windows_10_enterprise__and_windows_10_education) -- [Deprecated Group Policy settings for Start](#deprecated_group_policy_settings_for_start_) -- [Related topics](#related_topics) +- [Start policy settings supported for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education](#start-policy-settings-supported-for-windows-10-pro--windows-10-enterprise--and-windows-10-education) +- [Deprecated Group Policy settings for Start](#deprecated-group-policy-settings-for-start-) +- [Related topics](#related-topics) Windows 10 has a brand new Start experience. As a result, there are changes to the Group Policy settings that you can use to manage Start. Some policy settings are new or changed, and some old Start policy settings still apply. Other Start policy settings no longer apply and are deprecated. 
@@ -117,7 +117,7 @@ These policy settings are available in **Administrative Templates\\Start Menu an   -## Deprecated Group Policy settings for Start +## Deprecated Group Policy settings for Start The Start policy settings listed below do not work on Windows 10. Most of them were deprecated in Windows 8 however a few more were deprecated in Windows 10. Deprecation in this case means that the policy setting will not work on Windows 10. The “Supported on” text for a policy setting will not list Windows 10. The policy settings are still in the Group Policy Management Console and can be used on the operating systems that they apply to. diff --git a/windows/manage/configure-devices-without-mdm.md b/windows/manage/configure-devices-without-mdm.md index 9978f43052..ea6b6cf007 100644 --- a/windows/manage/configure-devices-without-mdm.md +++ b/windows/manage/configure-devices-without-mdm.md @@ -20,11 +20,11 @@ author: jdeckerMS **In this article** - [Advantages](#advantages) -- [Typical use cases](#typical_use_cases) -- [Create package](#create_package) -- [Apply package](#apply_package) -- [Manage a package](#manage_a_package) -- [Learn more](#learn_more) +- [Typical use cases](#typical-use-cases) +- [Create package](#create-package) +- [Apply package](#apply-package) +- [Manage a package](#manage-a-package) +- [Learn more](#learn-more) Create a runtime provisioning package to apply settings, profiles, and file assets to a device running Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile, or Windows 10 Mobile Enterprise. diff --git a/windows/manage/configure-telemetry-in-your-organization.md b/windows/manage/configure-telemetry-in-your-organization.md new file mode 100644 index 0000000000..9fcca525af --- /dev/null +++ b/windows/manage/configure-telemetry-in-your-organization.md 
@@ -0,0 +1,314 @@ +--- +title: Configure telemetry in your organization (Windows 10) +description: Use this article to make informed decisions about how you can configure telemetry in your organization. We discuss telemetry as system data that is uploaded by the Connected User Experience and Telemetry component. +ms.assetid: 68D9BEAD-8ACE-4771-AF10-CCCD65EC7D98 +keywords: ["privacy", "telemetry"] +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerMS +--- + +# Configure telemetry in your organization + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile +- Windows Server 2016 Technical Preview + +Use this article to make informed decisions about how you can configure telemetry in your organization. We discuss telemetry as system data that is uploaded by the Connected User Experience and Telemetry component. + +**Note**   +This article does not apply to System Center Configuration Manager, System Center Endpoint Protection, or System Center Data Protection Manager because those products use a different telemetry service than Windows and Windows Server + +  + +It describes the types of telemetry we collect and the ways you can manage its telemetry. This article also lists some examples of how telemetry can provide you with valuable insights into your enterprise deployments, and how Microsoft uses the data to quickly identify and address issues affecting its customers. + +We understand that the privacy and security of our customers’ information is important and we have taken a thoughtful and comprehensive approach to customer privacy and the protection of their data with Windows 10, Windows Server 2016 Technical Preview, and System Center 2016. + +## Overview + + +*“In order to deliver the experiences our customers need for the mobile-first and cloud-first world, we will modernize our engineering processes to be customer-obsessed, data-driven, speed-oriented, and quality-focused. 
We will be more effective in predicting and understanding what our customers need and more nimble in adjusting to information we get from the market. We will streamline the engineering process and reduce the amount of time and energy it takes to get things done.” – Satya Nadella, July, 2014* + +In previous versions of Windows and Windows Server, Microsoft used telemetry to check for updated or new Windows Defender signatures, whether Windows Update installations were successful, collect reliability information through the Reliability Analysis Component (RAC) on Windows Server, and collect reliability information through the Windows Customer Experience Improvement Program (CEIP) on Windows. In Windows 10 and Windows Server 2016 Technical Preview , you can control telemetry streams by using **Settings** > **Privacy**, Group Policy, or MDM. + +Microsoft is committed to improving customer experiences in a mobile-first and cloud-first world, and it all starts with our customers. Telemetry is one critical way Microsoft is using data to improve our products and services. Telemetry gives every enterprise customer a voice that helps us shape future versions of Windows, Windows Server and System Center, allowing us to respond quickly to your feedback and providing new features and improved quality to our customers. + +Our goal is to leverage the data to drive changes in the product and ecosystem to improve our customer experiences. We are also partnering with enterprises to provide added value from the telemetry information shared by their devices. Some examples include identifying outdated patches and downloading the latest antimalware signatures to help keep their devices secure, identifying application compatibility issues prior to upgrades, gaining insights into driver reliability issues affecting other customers, and using usage data to tune some of their operations to reduce the total cost of ownership (TCO) and downtime. 
+ +For Windows 10, we invite IT pros to join the Windows Insider Program to give us feedback on what we can do to make Windows work better for your organization. + +## How is telemetry information handled by Microsoft? + + +### Collection + +Information gathered by the Connected User Experience and Telemetry component complies with Microsoft’s [security and privacy policies](https://privacy.microsoft.com/privacystatement/), as well as international laws and regulations. The principle of least privilege guides access to telemetry data. Only those who can demonstrate a valid business need can access the telemetry info. + +### Data transfer + +All telemetry info is encrypted during transfer from the device to the Microsoft Data Management Service. Data is uploaded on a schedule that is sensitive to event priority, battery use, and network cost. Real-time events, such as gaming achievements, are always sent immediately. Normal events are not uploaded on metered networks, unless you are on a metered server connection. On a free network, normal events can be uploaded every 4 hours if on battery, or every 15 minutes if on A/C power. Diagnostic and crash data are only uploaded on A/C power and free networks. + +### Microsoft Data Management Service + +The Microsoft Data Management Service routes information to internal cloud storage. Only people with a valid business justification are permitted access. The Connected User Experiences and Telemetry component connects to the Microsoft Data Management service at v10.vortex-win.data.microsoft.com. The Connected User Experience and Telemetry component also connects to settings-win.data.microsoft.com to download configuration information. + +### Data usage + +Microsoft does not share personal data of our customers with third parties, except at the customer’s direction or for the limited purposes described in the Privacy Statement. 
We do share business reports with OEMs and third party partners that includes aggregated, anonymized telemetry information. Data-sharing decisions are made by an internal team including privacy, legal, and data management. + +### Retention + +Microsoft believes in and practices information minimization, so we only gather the info we need, and we only store it for as long as it’s needed to provide a service or for analysis. Much of the info about how Windows 10, Windows Server 2016 Technical Preview, and System Center are functioning is deleted within 30 days. Other info may be retained longer, particularly if there is a regulatory requirement to do so. Info is typically gathered at a fractional sampling rate, which for some client services, can be as low as 1%. + +## How is the data gathered? + + +Windows 10 and Windows 10 includes the Connected User Experience and Telemetry component, which uses Event Tracing for Windows (ETW) [tracelogging](http://msdn.microsoft.com/library/dn904632.aspx) technology to gather and store telemetry events and data. The operating system and some Microsoft management solutions, such as System Center, use the same logging technology. + +1. Operating system features and some management applications are instrumented to publish events and data. Examples of management applications include Virtual Machine Manager (VMM), Server Manager, and Storage Spaces. + +2. Events are collected using public operating system event logging and tracing APIs. + +3. You can configure the telemetry level by using an MDM policy, Group Policy, or registry settings. + +4. The Connected User Experience and Telemetry component transmits telemetry data over HTTPS to Microsoft. It uses certificate pinning to protect against man-in-the-middle attacks and moresecurely deliver the data. + +## Telemetry levels + + +This section explains the different telemetry levels in Windows 10, Windows Server 2016 Technical Preview, and System Center. 
These levels are available on all desktop and mobile editions of Windows 10, with the exception of the Security level which is limited to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016 Technical Preview. + +The telemetry data is categorized into four levels: + +- **Security**. Information that’s required to help keep Windows, Windows Server, and System Center secure, including info about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender. + +- **Basic**. Basic device info, including: quality-related info, app compat, and info from the Security level. + +- **Enhanced**. Additional insights, including: how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability info, and info from both the Basic and the Security levels. + +- **Full**. All info necessary to identify and help to fix problems, plus info from the Security, Basic, and Enhanced levels. + +The levels are cumulative and are illustrated into the following diagram: + +![breakdown of telemetry levels and types of administrative controls](images/priv-telemetry-levels.png) + +### Security level + +The security level gathers only the telemetry info that is required to keep Windows devices, Windows Server, and guests secure with the latest security updates. + +**Note**   +If your organization relies on Windows Update for updates, you shouldn’t use the Security level. Because no Windows Update information is gathered at this level, Microsoft can’t tell whether an update successfully installed. + +Windows Server Update Services (WSUS) and System Center Configuration Manager functionality is not affected at this level, nor is telemetry data about Windows Server features or System Center collected. + +  + +Security level info includes: + +- **Connected User Experience and Telemetry component settings**. 
If data has been gathered and is queued to be sent, the Connected User Experience and Telemetry component downloads its settings file from Microsoft’s servers. The data collected by the client for this request includes OS information, device id (used to identify what specific device is requesting settings) and device class (for example, whether the device is server or desktop). + +- **Malicious Software Removal Tool (MSRT)** The MSRT infection report contains information, including device info and IP address. + + **Note**   + You can turn off the MSRT infection report. No MSRT information is included if MSRT is not used. If Windows Update is turned off, MSRT will not be offered to users. + +   + +- **Windows Defender**. Windows Defender requires some information to function, including: anti-malware signatures, diagnostic information, User Account Control settings, Unified Extensible Firmware Interface (UEFI) settings, and IP address. + + **Note**   + This reporting can be turned off and no information is included if a customer is using third party antimalware software, or if Windows Defender is turned off. + + Microsoft recommends that Windows Update, Windows Defender, and MSRT remain enabled unless the enterprise uses alternative solutions such as Windows Server Update Services, System Center Configuration Manager, or a third party antimalware solution. Windows Update, Windows Defender, and MSRT provide core Windows functionality such as driver and OS updates, including security updates. + +   + +For servers with default telemetry settings and no Internet connectivity, you should set the telemetry level to Security. This stops data collection for events that would not be uploaded due to the lack of Internet connectivity. + +No user content, such as user files or communications, is collected at the Security telemetry level, and we take steps to avoid gathering any information that directly identifies a company or user, such as name, email address, or account ID. 
However, in rare circumstances, MSRT information may unintentionally contain personal information. For instance, some malware may create entries in a computer’s registry that include information such as a username, causing it to be gathered. MSRT reporting is optional and can be turned off at any time. + +### Basic level + +The Basic level gathers a limited set of info that’s critical for understanding the device and its configuration. This level also includes the Security level info. This level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. The Connected User Experience and Telemetry component does not gather telemetry data about System Center, but it can transmit telemetry for other non-Windows applications if they gained user consent. + +The data collected at this level includes: + +- **Basic device info**. Helps provide an understanding about the types of Windows devices and the configurations and types of native and virtualized Windows Server 2016 Technical Previewinstances in the ecosystem, including: + + - Device attributes, such as camera resolution and display type + + - Internet Explorer version + + - Battery attributes, such as capacity and type + + - Networking attributes, such as number of network adapters, speed of network adapters, mobile operator network, and IMEI number + + - Processor and memory attributes, such as number of cores, arhcitecture, speed, memory size, and firmware + + - o Virtualization attribute, such as SLAT support and guest operating system + + - Operating system attributes, such as Windows edition and virtualization state + + - Storage attributes, such as number of drives, type, and size + +- **Connected User Experience and Telemetry component quality metrics**. 
Helps provide an understanding about how the Connected User Experience and Telemetry component is functioning, including uploaded events, dropped events, and the last upload time. + +- **Quality-related information**. Helps Microsoft develop a basic understanding of how a device and its operating system are performing. Some examples are the amount of time a connected standby device was able to fullsleep, the number of crashes or hangs, and application state change details, such as how much processor time and memory were used, and the total uptime for an app. + +- **App compat info**. Helps provide an understanding about which apps are installed on a device and to help identify potential compatibility problems. + + - **General app info and app info for Internet Explorer add-ons**. Includes a list of apps that are installed on a native or virtualized instance of the OS and whether these apps function correctly after an upgrade.This app info includes the app name, publisher, version, and basic details about which files have been blocked from usage. + + - **Internet Explorer add-on info**. Includes a list of Internet Explorer add-ons that are installed on a device and whether these apps will work after an upgrade. + + - **System info**. Helps provide an understanding about whether a device meets the minimum requirements to upgrade to the next version of the operating system. System information includes the amount of memory, as well as info about the processor and BIOS. + + - **Accessory device info**. Includes a list of accessory devices, such as printers or external storage devices, that are connected to Windows PCs and whether these devices will function after upgrading to a new version of the operating system. + + - **Driver info**. Includes specific driver usage that’s meant to help figure out whether apps and devices will function after upgrading to a new version of the operating system. 
This info can help to determine blocking issues and then help Microsoft and our partners apply fixes and improvements. + +- **Store**. Provides info about how the Windows Store performs, including app downloads, installations, and updates. It also includes Windows Store launches, page views, suspend and resumes, and obtaining licenses. + +Data collected at the Basic level helps to identify whether a problem occurs on a particular device hardware or software configuration. For example, it can help determine if a crash happens most frequently on devices with a certain memory type or a particular network driver version. + +### Enhanced level + +The Enhanced level collects info about how Windows and apps are used and how they perform. This level also includes info from both the Basic and Security levels. This level helps to improve experiences by analyzing user interaction with the operating system and apps. Info from this level can be abstracted into patterns and trends that can help Microsoft determine future improvements. + +This is the default level, and the minimum level needed to quickly identify and address Windows, Windows Server, and System Center quality issues. For example, in Windows Server 2016 Technical Preview 4, if the operating system or an application crashes or hangs, the memory contents of the faulting process at the time of the crash or hang is gathered in a heap dump. This data provides Microsoft with valuable information needed to analyze and fix the issues. + +The data collected at this level includes: + +- **Operating system events**. Helps to gain insights into different areas of the operating system, including networking, Hyper-V, Cortana, storage, file system, and other components. + +- **Operating system app events**. A set of events resulting from Microsoft applications and management tools that were downloaded from the Store or pre-installed with Windows or Windows Server, including Server Manager, Photos, Mail, and Microsoft Edge. 
+ +- **Device-specific events**. Contains info about events that are specific to certain devices, such as Surface Hub and Microsoft HoloLens. For example, Microsoft HoloLens sends Holographic Processing Unit (HPU)-related events. + +You can turn on or turn off System Center telemetry collection. The default is on and the data gathered at this level represents what is collected by default when System Center telemetry is turned on. However, setting the operating system telemetry level to Basic will turn off System Center telemetry, even if the System Center telemetry switch is turned on. + +If the Connected User Experience and Telemetry component detects a problem on Windows 10 that requires collecting more detailed instrumentation, the Connected User Experience and Telemetry component will only collect info about the events associated with the specific issue. Also, if the operating system or an app crashes or hangs, Microsoft will collect the memory contents of the faulting process only at the time of the crash or hang. + +### Full level + +The Full level collect data necessary to identify and to help fix problems, following the approval process described below. This level also includes info from the Basic, Enhanced, and Security levels. + +Additionally, at this level, devices opted in to the Windows Insider Program will send events that can show Microsoft how pre-release binaries and features are performing. All devices in the Windows Insider Program are automatically set to this level. + +If a device experiences problems that are difficult to identify or repeat using Microsoft’s internal testing, additional info becomes necessary. This info can include any user content that might have triggered the problem and is gathered from a small sample of devices that have both opted into the Full telemetry level and have exhibited the problem. 
+ +However, before more info is gathered, Microsoft’s privacy governance team, including privacy and other subject matter experts, must approve the diagnostics request made by a Microsoft engineer. If the request is approved, Microsoft engineers can use the following capabilities to get the information: + +- Ability to run a limited, pre-approved list of Microsoft certified diagnostic tools, such as msinfo32.exe, powercfg.exe, and dxdiag.exe. + +- Ability to get registry keys. + +- Ability to gather user content, such as documents, if they might have been the trigger for the issue. + +### Manage your telemetry settings + +We do not recommend that you turn off telemetry in your organization, but we recognize that in some scenarios this may be required. Use the steps in this section to do so for Windows, Windows Server, and System Center. + +**Important**   +These telemetry levels only apply to Windows, Windows Server, and System Center components and apps that use the Connected User Experience and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these telemetry levels. App publishers must let people know about how they use their telemetry, ways to opt in or opt out, and they must separately document their privacy policies. + +  + +The lowest telemetry setting level supported through management policies is Security. The lowest telemetry setting supported through the Settings UI is Basic. The default telemetry setting for Windows Server 2016 Technical Preview is Enhanced. + +### Configure the operating system telemetry level + +You can configure your operating system telemetry settings using the management tools you’re already using, such as Group Policy, MDM, or Windows Provisioning. You can also manually change your settings using Registry Editor. Setting your telemetry levels through a management policy overrides any device-level settings. 
+ +Use the appropriate value in the table below when you configure the management policy. + +| Value | Level | Data collected | +|-------|----------|---------------------------------------------------------------------------------------------------------------------------| +| **0** | Security | Security data only. | +| **1** | Basic | Security data, and basic system and quality data. | +| **2** | Enhanced | Security data, basic system and quality data, and enhanced insights and advanced reliability data. | +| **3** | Full | Security data, basic system and quality data, enhanced insights and advanced reliability data, and full diagnostics data. | + +  + +### Use Group Policy to set the telemetry level + +Use a Group Policy object to set your organization’s telemetry level. + +1. From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**. + +2. Double-click **Allow Telemetry**. + +3. In the **Options** box, select the level that you want to configure, and then click **OK**. + +### Use MDM to set the telemetry level + +Use the [Policy Configuration Service Provider (CSP)](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to apply the System/AllowTelemetry MDM policy. + +### Use Registry Editor to set the telemetry level + +Use Registry Editor to manually set the registry level on each device in your organization, or write a script to edit the registry. If a management policy already exists, such as Group Policy or MDM, it will override this registry setting. + +1. Open Registry Editor, and go to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection**. + +2. Right-click **DataCollection**, click New, and then click **DWORD (32-bit) Value**. + +3. Type **AllowTelemetry**, and then press ENTER. + +4. Double-click **AllowTelemetry**, set the desired value, and then click **OK.** + +5. 
Click **File** > **Export**, and then save the file as a .reg file, such as **C:\\AllowTelemetry.reg**. You can run this file from a script on each device in your organization. + +### Configure System Center 2016 telemetry + +For System Center 2016 Technical Preview, you can turn off System Center telemetry by following these steps: + +- Turn off telemetry by using the System Center UI Console settings workspace. + +- For information about turning off telemetry for Service Management Automation and Service Provider Foundation, see [How to disable telemetry for Service Management Automation and Service Provider Foundation](https://support.microsoft.com/kb/3096505). + +### Additional telemetry controls + +There are a few more settings that you can turn off that may send telemetry information: + +- To turn off Windows Update telemetry, you have two choices. Either turn off Windows Update, or set your devices to be managed by an on premises update server, such as [Windows Server Update Services (WSUS)](http://technet.microsoft.com/library/hh852345.aspx) or [System Center Configuration Manager](http://www.microsoft.com/server-cloud/products/system-center-2012-r2-configuration-manager/). + +- Turn off **Windows Defender Cloud-based Protection** and **Automatic sample submission** in **Settings** > **Update & securit**y > **Windows Defender**. + +- Manage the Malicious Software Removal Tool in your organization. For more info, see Microsoft KB article [891716.](http://support.microsoft.com/kb/891716) + +- Turn off **Linguistic Data Collection** in **Settings** > **Privacy**. At telemetry levels Enhanced and Full, Microsoft uses Linguistic Data Collection info to improve language model features such as autocomplete, spellcheck, suggestions, input pattern recognition, and dictionary. 
+ + **Note**   + Microsoft doesn't intentionally gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. If we determine that sensitive information has been inadvertently received, we delete the information. + +   + +## Examples of how Microsoft uses the telemetry data + + +### Drive higher apps and driver quality in the ecosystem + +Telemetry plays an important role in quickly identifying and fixing critical reliability and security issues in our customers’ deployments and configurations. Insights into the telemetry data we collect help us to quickly identify crashes or hangs associated with a certain application or driver on a given configuration, like a particular storage type (for example, SCSI) or a memory size. For System Center, job usages and statuses can also help us enhance the job workload and the communication between System Center and its managed products. Microsoft’s ability to get this data from customers and drive improvements into the ecosystem helps raise the bar for the quality of System Center, Windows Server applications, Windows apps, and drivers. Real-time data about Windows installations reduces downtime and the cost associated with troubleshooting unreliable drivers or unstable applications + +### Reduce your total cost of ownership and downtime + +Telemetry provides a view of which features and services customers use most. For example, the telemetry info provides us with a heat map of the most commonly deployed Windows Server roles, most used Windows features, and which ones are used the least. This helps us make informed decisions on where we should invest our engineering resources to build a leaner operating system. 
For System Center, understanding the customer environment for management and monitoring will help drive the support compatibilities matrix, such as host and guest OS. This can help you use existing hardware to meet your business needs and reduce your total cost of ownership, as well as reducing downtime associated with security updates. + +### Build features that address our customers’ needs + +Telemetry also helps us better understand how customers deploy components, use features, and use services to achieve their business goals. Getting insights from that information helps us prioritize our engineering investments in areas that can directly affect our customers’ experiences and workloads. Some examples include customer usage patterns of containers, storage, and networking configurations associated with Windows Server roles like Clustering and Web. Another example could be to find out when is CPU hyper-threading turned off and the resulting impact. We use the insights to drive improvements and intelligence into some of our management and monitoring solutions, to help customers diagnose quality issues, and save money by making fewer help calls to Microsoft. + +  + +  + + + + + diff --git a/windows/manage/customize-and-export-start-layout.md b/windows/manage/customize-and-export-start-layout.md index 6c0d31e4cc..f123a25279 100644 --- a/windows/manage/customize-and-export-start-layout.md +++ b/windows/manage/customize-and-export-start-layout.md 
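Review bot: the bold markup in the Windows Defender bullet under "Additional telemetry controls" is mis-closed, `**Update & securit**y` should be `**Update & security**`, otherwise the rendered path shows a stray "y" outside the bold span. Two smaller points in the same added block: the intro to "Use Registry Editor to set the telemetry level" says "manually set the registry level" where "telemetry level" is meant, and the last sentence of "Drive higher apps and driver quality in the ecosystem" ends without a period ("...unstable applications"). Since the same section already states that an existing Group Policy or MDM policy overrides the AllowTelemetry registry value, step 5 (running the exported .reg file from a script on each device) would be clearer if it said that this path only applies to devices without a management policy.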
@@ -22,10 +22,10 @@ author: jdeckerMS **In this article** -- [Customize the Start screen on your test computer](#BKMKCustomizeStartScreen) -- [Export the Start layout](#BMK_ExportStartScreenLayout) -- [Configure a partial Start layout](#configure_a_partial_start_layout) -- [Related topics](#related_topics) +- [Customize the Start screen on your test computer](#bkmkcustomizestartscreen) +- [Export the Start layout](#bmk-exportstartscreenlayout) +- [Configure a partial Start layout](#configure-a-partial-start-layout) +- [Related topics](#related-topics) The easiest method for creating a customized Start layout to apply to other Windows 10 devices is to set up the Start screen on a test computer and then export the layout. @@ -33,9 +33,9 @@ After you export the layout, decide whether you want to apply a *full* Start lay When a full Start layout is applied, the users cannot pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to Start. -When [a partial Start layout](#configure_a_partial_start_layout) is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups. +When [a partial Start layout](#configure-a-partial-start-layout) is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups. -**Note**  Partial Start layout is only supported on Windows 10, Version 1511 and later. +**Note**  Partial Start layout is only supported on Windows 10, version 1511 and later.   
@@ -47,7 +47,7 @@ You can deploy the resulting .xml file to devices using one of the following met - [Mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management--mdm-.md) -## Customize the Start screen on your test computer +## Customize the Start screen on your test computer To prepare a Start layout for export, you simply customize the Start layout on a test computer. @@ -63,7 +63,7 @@ To prepare a Start layout for export, you simply customize the Start layout on a 2. Create a new user account that you will use to customize the Start layout. - + **To customize Start** 1. Sign in to your test computer with the user account that you created. @@ -82,7 +82,7 @@ To prepare a Start layout for export, you simply customize the Start layout on a - **Create your own app groups**. Drag the apps to an empty area. To name a group, click above the group of tiles and then type the name in the **Name group** field that appears above the group. -## Export the Start layout +## Export the Start layout When you have the Start layout that you want your users to see, use the [Export-StartLayout](http://go.microsoft.com/fwlink/p/?LinkId=620879) cmdlet in Windows PowerShell to export the Start layout to an .xml file. @@ -114,9 +114,9 @@ If the Start layout is applied by Group Policy or MDM, and the policy is removed **To configure a partial Start screen layout** -1. [Customize the Start layout](#BMK_customize_start). +1. [Customize the Start layout](#bmk-customize-start). -2. [Export the Start layout](#BMK_ExportStartScreenLayout). +2. [Export the Start layout](#bmk-exportstartscreenlayout). 3. Open the layout .xml file. There is a `` element. Add `LayoutCustomizationRestrictionType="OnlySpecifiedGroups"` to the **DefaultLayoutOverride** element as follows: ``` syntax 
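Review bot: in the `@@ -114,9 +114,9 @@` hunk of customize-and-export-start-layout.md, step 3 of the unchanged context reads "There is a `` element." with an empty code span where the element name belongs (the following sentence refers to the **DefaultLayoutOverride** element, so that is presumably what was lost), and the fence that follows is tagged ``` syntax, which is not a language identifier; suggest restoring the element name in the code span and tagging the fence `xml`, since the text describes a layout .xml file. In the same hunk, step 1 is retargeted to `#bmk-customize-start`, but the "In this article" list in the `@@ -22,10 +22,10 @@` hunk links the same heading as `#bkmkcustomizestartscreen`; worth confirming which id the heading actually carries so the two links do not diverge.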
diff --git a/windows/manage/customize-windows-10-start-screens-by-using-group-policy.md b/windows/manage/customize-windows-10-start-screens-by-using-group-policy.md index 2336a4b7fa..e3e3a08640 100644 --- a/windows/manage/customize-windows-10-start-screens-by-using-group-policy.md +++ b/windows/manage/customize-windows-10-start-screens-by-using-group-policy.md @@ -22,12 +22,12 @@ author: jdeckerMS **In this article** -- [Operating system requirements](#operating_system_requirements) -- [How Start layout control works](#BKMK_HowStartScreenControlWorks) -- [Use Group Policy to apply a customized Start layout in a domain](#BKMK_DomainGPODeployment) -- [Use Group Policy to apply a customized Start layout on the local computer](#BKMK_LocalGPImport) -- [Update a customized Start layout](#BKMK_UpdateStartScreenLayout) -- [Related topics](#related_topics) +- [Operating system requirements](#operating-system-requirements) +- [How Start layout control works](#bkmk-howstartscreencontrolworks) +- [Use Group Policy to apply a customized Start layout in a domain](#bkmk-domaingpodeployment) +- [Use Group Policy to apply a customized Start layout on the local computer](#bkmk-localgpimport) +- [Update a customized Start layout](#bkmk-updatestartscreenlayout) +- [Related topics](#related-topics) In Windows 10 Enterprise and Windows 10 Education, you can use a Group Policy Object (GPO) to deploy a customized Start layout to users in a domain. No reimaging is required, and the Start layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start layouts for different departments or organizations, with minimal management overhead. 
@@ -47,7 +47,7 @@ Start layout control using Group Policy is supported in Windows 10 Enterprise a The GPO can be configured from any computer on which the necessary ADMX and ADML files (StartMenu.admx and StartMenu.adml) for Windows 10 are installed. In Group Policy, ADMX files are used to define Registry-based policy settings in the Administrative Templates category. To find out how to create a central store for Administrative Templates files, see [article 929841](http://go.microsoft.com/fwlink/p/?LinkId=691687) in the Microsoft Knowledge Base. -## How Start layout control works +## How Start layout control works Two features enable Start layout control: @@ -66,7 +66,7 @@ To learn how customize Start to include your line-of-business apps when you depl   -## Use Group Policy to apply a customized Start layout in a domain +## Use Group Policy to apply a customized Start layout in a domain To apply the Start layout to users in a domain, use the Group Policy Management Console (GPMC) to configure a domain-based Group Policy Object (GPO) that sets **Start Layout** policy settings in the **Start Menu and Taskbar** administrative template for users in a domain. 
@@ -79,13 +79,13 @@ The .xml file with the Start layout must be located on shared network storage th For information about deploying GPOs in a domain, see [Working with Group Policy Objects](http://go.microsoft.com/fwlink/p/?LinkId=620889). -## Use Group Policy to apply a customized Start layout on the local computer +## Use Group Policy to apply a customized Start layout on the local computer You can use the Local Group Policy Editor to provide a customized Start layout for any user who signs in on the local computer. To display the customized Start layout for any user who signs in, configure **Start Layout** policy settings for the **Start Menu and Taskbar** administrative template. You can use the **Start Menu and Taskbar** administrative template in **User Configuration** or **Computer Configuration**. **Note**   -This procedure applies the policy settings on the local computer only. For information about deploying the Start layout to users in a domain, see [Use Group Policy to deploy a customized Start layout in a domain](#BKMK_DomainGPODeployment), later in this topic. +This procedure applies the policy settings on the local computer only. For information about deploying the Start layout to users in a domain, see [Use Group Policy to deploy a customized Start layout in a domain](#bkmk-domaingpodeployment), later in this topic. This procedure creates a Local Group Policy that applies to all users on the computer. To configure Local Group Policy that applies to a specific user or group on the computer, see [Step-by-Step Guide to Managing Multiple Local Group Policy Objects](http://go.microsoft.com/fwlink/p/?LinkId=620881). The guide was written for Windows Vista and the procedures still apply to Windows 10. 
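Review bot: in the `@@ -79,13 +79,13 @@` hunk of customize-windows-10-start-screens-by-using-group-policy.md, the link text "Use Group Policy to deploy a customized Start layout in a domain" does not match the heading it targets, which the `@@ -66,7 +66,7 @@` hunk shows as "Use Group Policy to apply a customized Start layout in a domain"; since the line is already being touched to retarget `#bkmk-domaingpodeployment`, suggest aligning the link text with the heading.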
@@ -122,7 +122,7 @@ This procedure adds the customized Start layout to the user configuration, which   -## Update a customized Start layout +## Update a customized Start layout After you use Group Policy to apply a customized Start layout on a computer or in a domain, you can update the layout simply by replacing the .xml file that is specified in the Start Layout policy settings with a file with a newer timestamp. diff --git a/windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management--mdm-.md b/windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management--mdm-.md index 97359258fa..e5aebb264f 100644 --- a/windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management--mdm-.md +++ b/windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management--mdm-.md @@ -29,7 +29,7 @@ When a full Start layout is applied with this method, the users cannot pin, unpi   -## How Start layout control works +## How Start layout control works Two features enable Start layout control: @@ -43,7 +43,7 @@ Two features enable Start layout control: - In MDM, you set the path to the .xml file that defines the Start layout using an OMA-URI setting, which is based on the [Policy configuration service provider (CSP)](http://go.microsoft.com/fwlink/p/?LinkID=623244). -## Create a policy for your customized Start layout +## Create a policy for your customized Start layout This example uses Microsoft Intune to configure an MDM policy that applies a customized Start layout. See the documentation for your MDM solution for help in applying the policy. diff --git a/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md b/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md index 46f2c730a2..2c9549e3c4 100644 --- a/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md 
+++ b/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md @@ -22,15 +22,15 @@ author: jdeckerMS **In this article** -- [How Start layout control works](#BKMK_HowStartScreenControlWorks) -- [Create a provisioning package that contains a customized Start layout](#BKMK_DomainGPODeployment) -- [Related topics](#related_topics) +- [How Start layout control works](#bkmk-howstartscreencontrolworks) +- [Create a provisioning package that contains a customized Start layout](#bkmk-domaingpodeployment) +- [Related topics](#related-topics) In Windows 10 Enterprise and Windows 10 Education, you can use a provisioning package that you create with Windows Imaging and Configuration Designer (ICD) tool to deploy a customized Start layout to users. No reimaging is required, and the Start layout can be updated simply by overwriting the .xml file that contains the layout. The provisioning package can be applied to a running device. This enables you to customize Start layouts for different departments or organizations, with minimal management overhead. **Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) -## How Start layout control works +## How Start layout control works Two features enable Start layout control: @@ -44,7 +44,7 @@ Two features enable Start layout control: - In ICD, you use the **Start/StartLayout** setting to set the path to the .xml file that defines the Start layout. -## Create a provisioning package that contains a customized Start layout +## Create a provisioning package that contains a customized Start layout Use the [Imaging and Configuration Designer (ICD) tool](http://go.microsoft.com/fwlink/p/?LinkID=525483) included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package that applies a customized Start layout. [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740) 
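Review bot: in the `@@ -22,15 +22,15 @@` hunk of customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md, the TOC entry "Create a provisioning package that contains a customized Start layout" is retargeted to `#bkmk-domaingpodeployment`, an anchor name that reads as carried over from the Group Policy topic rather than matching the "Create a provisioning package..." heading in this file; worth confirming that id is actually defined on that heading here, otherwise the lowercased link still lands nowhere.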
diff --git a/windows/manage/distribute-apps-with-a-management-tool.md b/windows/manage/distribute-apps-with-a-management-tool.md index 24510e5252..8483992273 100644 --- a/windows/manage/distribute-apps-with-a-management-tool.md +++ b/windows/manage/distribute-apps-with-a-management-tool.md @@ -43,7 +43,7 @@ MDM tool requirements: ## Distribute offline-licensed apps -If your vendor doesn’t support the ability to synchronize applications from the management tool services or cannot connect to the management tool services, your vendor may support the ability to deploy offline licensed applications by downloading the application and license from the store and then deploying the app through your MDM. For more information on online and offline licensing with Store for Business, see [Apps in the Windows Store for Business.](apps-in-the-windows-store-for-business.md#licensing_model) +If your vendor doesn’t support the ability to synchronize applications from the management tool services or cannot connect to the management tool services, your vendor may support the ability to deploy offline licensed applications by downloading the application and license from the store and then deploying the app through your MDM. For more information on online and offline licensing with Store for Business, see [Apps in the Windows Store for Business.](apps-in-the-windows-store-for-business.md#licensing-model) This diagram shows how you can use a management tool to distribute offline-licensed app to employees in your organization. Once synchronized from Store for Business, management tools can use the Windows Management framework to distribute applications to devices. diff --git a/windows/manage/distribute-offline-apps.md b/windows/manage/distribute-offline-apps.md index 270d9f1f23..2dc4f5ab1f 100644 --- a/windows/manage/distribute-offline-apps.md +++ b/windows/manage/distribute-offline-apps.md 
@@ -53,7 +53,7 @@ There are several items to download or create for offline-licensed apps. You'll - **App frameworks** -- App frameworks are required for distributing offline apps, but you might not need to download one. If you already have the required framework, you don't need to download another copy. The Store for Business will select the app framework needed for the app platform and architecture that you selected. - + **To download an offline-licensed app** 1. Sign in to the Store for Business diff --git a/windows/manage/how-it-pros-can-use-configuration-service-providers--csps--.md b/windows/manage/how-it-pros-can-use-configuration-service-providers--csps--.md index 4f483df086..716f6a3f4a 100644 --- a/windows/manage/how-it-pros-can-use-configuration-service-providers--csps--.md +++ b/windows/manage/how-it-pros-can-use-configuration-service-providers--csps--.md @@ -18,11 +18,11 @@ author: jdeckerMS **In this article** -- [What is a CSP?](#what_is_a_csp_) -- [Why should you learn about CSPs?](#why_should_you_learn_about_csps_) -- [How do you use the CSP documentation?](#BKMK_CSP_Doc) -- [CSP examples](#csp_examples) -- [Related topics](#related_topics) +- [What is a CSP?](#what-is-a-csp-) +- [Why should you learn about CSPs?](#why-should-you-learn-about-csps-) +- [How do you use the CSP documentation?](#bkmk-csp-doc) +- [CSP examples](#csp-examples) +- [Related topics](#related-topics) Configuration service providers (CSPs) expose device configuration settings in Windows 10. This topic is written for people who have no experience with CSPs. 
@@ -51,7 +51,7 @@ CSPs are behind many of the management tasks and policies for Windows 10 in Mic Generally, enterprises rely on Group Policy or MDM to configure and manage devices. For devices running Windows, MDM services use CSPs to configure your devices. -In addition, you may have unmanaged devices, or a large number of devices that you want to configure before enrolling them in management, or you want to apply custom settings that aren't available through your MDM service. The [CSP documentation](#BKMK_CSP_doc) can help you understand the settings that can be configured or queried. +In addition, you may have unmanaged devices, or a large number of devices that you want to configure before enrolling them in management, or you want to apply custom settings that aren't available through your MDM service. The [CSP documentation](#bkmk-csp-doc) can help you understand the settings that can be configured or queried. In addition, some of the topics in the [Windows 10 and Windows 10 Mobile](../index.md) library on Technet include links to applicable CSP reference topics, such as [Cortana integration in your business or enterprise](manage-cortana-in-your-enterprise.md) which links to the [Policy CSP](http://go.microsoft.com/fwlink/p/?LinkID=623244). In the CSP topics, you can learn about all of the available configuration settings. @@ -75,7 +75,7 @@ When a CSP is available but is not explicitly included in your MDM solution, you Lockdown XML can be used to configure devices running Windows 10 Mobile. You can manually author a [Lockdown XML file](lockdown-xml.md) to make use of the configuration settings available through the [EnterpriseAssignedAccess configuration service provider (CSP)](http://go.microsoft.com/fwlink/p/?LinkID=618601). -## How do you use the CSP documentation? +## How do you use the CSP documentation? All CSPs in Windows 10 are documented in the [Configuration service provider reference](http://go.microsoft.com/fwlink/p/?LinkId=717390). 
diff --git a/windows/manage/images/aadj3.jpg b/windows/manage/images/aadj3.jpg index 46520c667c162534c6290ef6733ce8a741b2d50a..80e1f5762f846225f1169024d6e530a11156768d 100644 GIT binary patch delta 37102
zA?EUi2?7qu@b*<%WrJ`er~RCs{q=}Agr?@&f%N3jlupP_o^@tPckwO*%p5~K|;PQU!F_aflouuBEof|TeuUyRO7R)OXZ+F>= zdVkj)jUcx{F$#PHw|6Q5gY!&ZC~C8T9Go|)Ufh%~F1%||5MC9a;CGdFj-p$^l)|^I z8Z>6Ag>M^;Ybc26tO>Jp?%RIcSbr?S>~89e3(Cj6d^{^$sk{RvaY0`9!ZA+QWDTGx zAx{!FL1mi{&KLwoiXGFvL&{?p@D)wFlA%#q>tTK#i+**hi|mn?rA*GtG7(#Wv`qpI zY#Ik76nGW)JXqSKl}N12Iz#Zkvo~`4xhY}@da5oNEI_#;;Jb64s}vl~=sBkS4`$1I zu&M#5_4An@F#8rN5zt-gA;4@=O_QzX&kZFEzZnvsUnMryqX$19G)N)%!uLOOb>17<1MgnXKU6i%QU_?{zm+Zb~nXcRnSNfSQDqA@J<}DoIn4b`!b=X2YQ8feG)J9*Wn8oefK^s6qURd5pT#FMavbRaJ6(+35|5z zzGU7kZ=XYTYWW6ZP}`zFiMa-J14%h}`{l3#3P4$xzy>X;1g{SrelW-z~n+=IUNtg(m35ZBtv({V!hrTB#D z=4&fr0jfyV{G=wFWxK;)WqJt$=7V+)y>XAnub$rqY1X~WOu!_%X3gyEGq0Ac?QDPe zDop9{($V8EmJaO6Jt%AGjxt>_<(F@ej-32eN?+y=noOze32RwSM0gWUtRNx?`E1de zu%6xlul(v_bB)54VE(jQ;?GQtkF}~sCN@6iI)@GxCe?a(!t^DwWfpGUL|?e$c;YW4 z4JuH~-Gy|JGI}>;eRX~IJyPsu^cSR7!A3@TbsEkN*&!ang~|}_nO?|hm4qT3YX5^T z?{#-37_0EV+I{RT*i7&^kaO*7RAinu5wXY(f;EndP?18rm`qcT_^Z0yg*ce&j2k7J35wKHy7oZ!o&1 zHg(Tm2K1E?yMoT8f}8Qkhs5cYBBoRRZ$n zxD0#~H2Wmw7vFL7!ap2m@Vhtx{LBLAYEORhA! zuU^q3xDY>EpJMa6z?7MIlNX_OAM>Mb@vul7xOu@f_WX$(38@$sFKNV*G{qKVbsj+^ z9%!u>A#|9F_c;1ye^}uH;S)u;Jk6dzVGKD2L6ghN^9<{s%)%s%(b-M8T#KD+3MwjY%T5f2(&Q$*e8{9gZ? 
z(0x@vwmVnf#27ttiDAkY`L6TG`!~|aKCr=J!FOvI~ac@t5wLR+g{o^n0ZFa3mF$s8^ z62SH%v*ud&MDOBG8-+vhxQ{#qW)rmh70c*-De-lrE+bE>y!iS7N;r74RU{RLD}Y`8 z8!-vI$InN~0K_K%bqDyfFm9S9((Nca3B0QozPa=IS$^f3ljq%b9e%1GFKT1IP_inb z%QMY0jw|2>REg2;D_z9WS@zcVN!r;;?)e6ZEQb;^&*=Ps#b>0fUynN{Dd@45K%w_;yQ2(@+P$H&2ew2Y5H~cfVS=`nfnq=Fng!jcppUzg1oqUD%}c zrL@rCQtSY){QID5`VrivS9OM7W;HNH{fwo?u-=YREXmjxj&iClyoh%O@-;~+wS0rh z-SWV)of6ZI;lW=x5|b1jpjRQSftm_;a~QcCQ~W+aATP4M3-8i_fz!`p*-%G-R_$?= z!VcdpJj8HVm$V42Q;D0dI(Y;H+GMc62yw8AI{x2 z{{!~IX^5(5R$oZdA4P`va7Ri6TiKpzbJyR0A+LNq^{(Qz<$x=~+-WzX1Mu5rK*1ms z3=z!$ZE_dV8|(V2V#GF>>|C-+NTR{n5?vmUo@UtWZM!gS-zzsc=FCHlq+O#65_2MH z3Y5>YKzb$+<;|50iXfmBN=lrN%>As)N0_+f^f^FX+uVvL75DmSk5LvB2P7YQxjlcn zkP~8Tr(vVT7{Wun!?>JEQjuT|@0GCGC(RAk^B<*OX(D;5jz6>!4@q55G%L@FEiY6@ zk?k0d=$C1RC?rWXgoe<%N49cof4L;KdI`SNb`IJ$9TWQ^5JINmV45%oC_g&D_NyDb zP*IIOJ(+xZ$@1*UEg*=hU}cBFe7+|aS7Z3|h?r1x`YjI+GOy_yvEaeMqr$ES=H4FX zd96D_>7Mwow#)3xTi?Ms-o{mQCgSubFU%99(4xvm244*QD_DkfxX=))6=5(!{*Z%8E6BQ^bZg7huR94=4yo)~Ge&f#XKR7ps+CQm^LNwmoJQI4~- zxWb7au(E!S=nEC5{!?8LDmPs707*F`Lks=JS`R(xtz#Q$tsN;YuXnydN$s0g0YS#J*tl9TrrztmYNy4f%N+cy zKVX|+%)KnrqN0q1oHD~qeOvTf3&z_f)~o+6zd>7^g~?7LGN z<{wVeMTzd96w-wKPIqYXL6xK7B7FLkKAd;_HT7v$+KR!1(gHpY<8c!&Z??fErVelEMzKTy78J6(nyILvo0PoNRgtwB`Lg`Xm3H5zM_% zggLB@v{vPt8$#YRF*-BoaPyf>;f)rmao@QJ{HKcjYfAN9QR$;X^VU^eT{APNhfZ3u zrD}H9IXsm$(-WG1VZHcL22S03m=FQy#&A*2FV~9hBSwdov5pFbis!c%bd?GYe@I}{ zjg0HIt2p{t61pek;j-`!Py zY%gozNs-)n4dOz}7~gyYDW*)p)gJY#eoXef13c@fx#ml;?JUAhR-e7*P~lkeosPqY zCt|78uKGEJYLw6W6zG+K@{p`i$8PcYW?#@XGnkgrY zhk7sv&@vlv6nSO^nb3TKKAYR>3>=I-l}IvM(N9F!mi!hV!1kb$Vl@|V+tmKWZOi-u zITF@&f_}gNA`D^ohwTvyKx6fpd!vm4! 
z`zrtWdkUO*8TZct=^$L-0Wru<%c}gGuFH0xoOUIj`h>U#>sa}f)`2(3*T}Eyu!SM8 zFRXbqQ%HN5CP6@0eEh${IRC1)`1dVi?X<+8B8Yefx2_jG2g(kt1vlhEGf4{nMJ_a* zzDtF90Z!8Zbim*ZZ%T~{W8QxQq`B@p@R}6HUA@D#t!3YLjBdhn4)$M8CHDlxWIqc0 z{UMO@j1mQl_y%47X!jgo_uDcN1k@r;7*f{;g2Z8+vfK(8}#L# z2z~m(ccHLy(&n_qF1MTF>NoM;l=e{zh>vdCUARN3-Lx51Z(*C>BO94tgM-A5oh;M+ zaA`L_^(&kB-_kxvlrK{H+ ziWW?*s>Q_xctreNN97~Ti|4&*0)AJz)a@k8yIu~9Ts+s|hmi1?<|aF-@F8x-Hfy}F z5qU4OdG7i}q&QG+g?=kY^H49-HZwot1=>LL=*(RM0F%|m%*M#G5Rd-;E=7XWnbwtc z`zry^Q(g6VXX24^H}s{9`6CphKh+O- zX=Doi8ng`FZp8Pm>VR)_%@++&YPasGqLNF>%=*FY01VeCX12Z90SCHDDW^e26d@b& z{POe=@n#D>4Sp3QO;0TUfaz#k1Eoyhiz%Ri&&=#zueDABlp`nbjmavGwkH>{aszOb z^!}>q`Bne4<ek&ajV~eoaJR2pqXyQfC$evw%_{jT7vX1ufxJxtw-yS-&Cs zb~97|E(K|-+HF`wuKbe9C(YZ>@5p5LHz`ViXEJ|$Bi8dgLuu2K@T|&Fkwb&j&Qz3d z>TVrt<;bw)J_2Ax9JTnY9n0z4lke0FHbL33k-Ditq> z5l+ag*w!GI>@lFz!I)hR3y@;G1su0xU}Qm_n?9NgIx0{Z8b3g7`AepI84k7%Fi8ZQ zHzZgL4y`QytiF!U0`=QS)$>^IXby-3qCNxYvl(+Uux>xo8RkhCHUvFF7MuiHI-NTt zPm!por}IF=x(ruP9ao$2m2GkU&o|J3s6ng)V-|*(jRX4CnK=} zPJ7+qUfdZ1?TbS6pc@DCbm!$qT0QdeN|rj_Jh6*RI9{zI!FK$+vpV%+FjraJ7~dLO z*RAy1c5BIxj9Lt*Euk=`f)`XNqtY*zI>4dns`tuX!by&eRVXZDpAS1oqz2=N{=rGE zcQYK}y+`{$+cdT99lC#V-x$2=yqe9!@zseBDZJgW{60}v-kNyaL3&S1e7~?l?Uv@Q zljk0oTEfcs2%=hG8#o*&L&kikW!?J66Gr); z+!6;8lBUy-d`u3DIMicveQa2+VR!ppgffF7F)I;!F^ViaJl*Dghf46BQh6blTECYS zFYl<4x`sJvaK}veTDRKU>G!wH<7%^l%nfb{N*%hBno(J~@`By%r<$7853m${{X8Q}P7&?83Js!H=EU@SORa1W_ZGDNdEu(DZttwDE6B$nICeVGFGm4p@UL=YYbmaUNw0SjFRQs|Zd z)c6|d&x!n6#{Fp6Rp64e^>aI^!EC9u1;3lF5!psN$F@U?1+(A1dl^sYg3tt9g}GUY zm3)aNlvZJQBLXAs0wNyi6hz>NjJ57EvN;_set zJf08}_1S0{aVAA-IB_ln(*eYjmLfojC}AD~>n7p9teY3WDtXMEn+m`zu(3!wRGEla zdhBn{teI_L2=KT(hAv?Dx$nasao>hL=`M_Y8^#6U=)2L(3zbB1W(g?ivgw#50&nX3 zbu^W-A(y%iLQknW#BkP61S={HtRAxG0}#;0Qu+HIQ=hpX`YiwVl4<$xBK-e#$=py> zg&uh|E@jnht6Xy?pFa@G6@>CAJI0PO-Q0g%{m&`O@cP zuosx>Mny9-RwmULI^hPfl_B6;KY+Smkl@y`OUnx$jIKY|$FZjUrrex{i#%(>tM%0yqLaFUP_N%d_YxI7 z8=FYs)L1LMDR0EHEKX_i9b#utXMdu%ghj}Ju-zw%>yHup=I(^u?Y?LIfKSHocER+R 
zjJA@1lK-mI74r+XO0w0X4*P8-3YIns(747!8f66T7%KuTKSY^wu4ZT2E4l*KIDkiZ z7k~Qg(Z_jlsUPg5y87RzgrxDg^Q>_JeHa@jY;Ft>gedr_0O|fy0rECs7*xS;6ud7o z%YZ24(V^~9`FRzP=}_CqbXaNq%5>yX#6H#2_nQ4ob#Q_&&&98>FgE?+H?h!Lz{t}^ zjM2yye^lq5U_1w_Xc$z#Hh=F|Q9Sf>!+;1k7Drj-(Ft)0mnI2Em#fBcZ0$-M7ZrDB z%5$V1(R^TbeHi^v8N=5;7QEDKFdjVC9Cf5}?;Vx99p5>w(FDI5@q1xp;0kkjS&O^w z=JB~`+J7oPnv`~ryyGOlGEfOwHBjr7dx`S8oyH+}ozmgSd2&<()Y^^cmRA-*i(+rJlM2{{9lI{*BH6)OdDAt^Y9I8$F8?&>UY!tT47 zX|d5Z+BtpU3-#Y2^o)&+g5T?pxxF|bU27EL$5F~1F_$BkX!yQUsy+Q^T?0z}$=z)M z{OdiRZDk1iEfS^_7yJ1}4p~nhGa?qo9kzRN>xod1mdE(GT4DsOK`hv$&epnmFUtr} z`8_xb=l6r;@^UN~PnPt=Oty0F~;q6M;Q?*vJ>o~R~ zsQfJU^aCu^9$4nl?=hb~;XQNo>}QK)B{WL5|45js#DTOPu_t{mZeZuwBs$y|2ahsd ztM714o!RN-S>b#$a=yZaS#M7cv{NJ^*}TZ6bnkFI$;Fj`Q0=()$6cZRjS=6fx}I(d$(Hr~ix6PAu=Hc7RRA#>VCCcnZ62#}~? zFSgwsQ1w18v&A&;=zsbKJxJd#;5Dfc+ zo!;0Tk(6sKAwOWt^KZbe02e_Jx)XI`5nhIz)!Eas08F2sc=5N^;&0spL&QoP_Yc@) zKRBl1b;@6j(;N|$y&X`EVDrcNMefyp}R=We?5QnUk%TKZSV{>o(iqXTpX-sI8>1#pdv9Mf}e=QPvAi& z;rG=;z}4md)$&87jUI&m-4~K!=t(4SUH|IqUtRs5O@TYzi3UAb9?r1;)mA0KCVHI% zg#_pdV_Wyv&b(pn-jFH+=WRKOw)uq=RN4-y_1^bv;@R$SV$RCYLcVnlA1h!lLBd|qMB)REn;ll_J z*FwMI+RlH)weWTAwJ^eL(tizWS(zrjqq)?{TN^~O{|IZNm!y6PzPxzO{K`oZx|&JE2>Ib=9E_G3uG0V$_4c&EP|fi$VD<3@@NhZA-|lk?%t@ z&wGxtF(OJsn2#Hf#Y04Gu%*BO+#JBCt}(!jKIaMimEYLT#@}E5${A>E?Wey|UxVCG z6KTZtv@p-}odRG}G)R&OLJVN*?t}SV-#s7nThwRF6Zr(VIO+7~%7K8`C;_4%L45QB z#CKOMy1}xl0{7Z2D&iAk6Cg&?a@62408hE}dqX%DZ5|2b_m*3a)=S(!`XMYsO*i8O z*Yb!_g-~v&&*6l}@wi^{4)HVZA9D2C^*>*NV6@Mws*=H5Zqm&u+TO%uW~VfEp0~I% zVh{fpJMw(x&*=^7S#NYaQSB@ zllUIqRyTN45UYs4VzckTr{_JFD7gzFU-RxZT)teoa?b(LXu-qGnj^ zDAa{IsN5tRqmq(wahhKFX0}bW>aUI9z+l=KP+58Ks%LIY@nz%~M1Nw$1NE3r{($K! z`Hze)t}B3DD4`xfU@~u+RsMhpfjH$oDB7zkMo?8V7v*_5F!f9T?EP9ehO-tK%;JrO zqcVgk?7y?656gs1qBEdw#s)oG<$r+jfZmE;*V)(%^ZJgB+`s+*$oy{Z3J! 
zH(tdx=62)RYgo>w*IJ+0RSRFQp3M4`$<6^D#A*^wT$^9XI>A#1w&r zZuN4T1d_L)?evqb$&l06f~-8Yws2H_xcwp9&|n0LG-IVfBxW^>Lr;!9y{6*=h-J#$r|$KYUkE$ET1oe& zY0yu1x%X!_@r~~7bMoYNeZM7u^>%E_<^Y+f^SsK!KVZJB5uFG&`VLB{bP#6$RB3UT zK(>-zzftSer2fwj`zzEt1=hKMGHtrVJB=X!?bYnjw6xSxZ8_DwB^mcjr{Rd3cJkL*;_;E~WFx`bjN%LU5syynfP%Cu0`^L8|0_$h1 zPJ)$rpL=fVffw93u!|2y!Z86W6D`WJjy)S)rzbzE8?ac0_I}-n@{%3PzbP-Ia6n=O z{diS0_~Y3FtWAEt#Bftma5?#n`wm|>lihEGI-egpa=1tR-ObG&>)PgR7(Pcq-O!iV zE008=9kqS?BU4Cs^}0y4=xzHeub4cKYsM^Zty?I}&hV2ZVKe>XYvXt2OOy2KZ++v^ zeC|FQCDQ?JOtOu+gAzMgBWRtL;q_`})LGdMl2c8(aJf!+SMr19sGeG%&b`KLA@p;U z9b+xKD8Wm#Q>5>G>USH|v~R!T{cw!+Z)t*C*Dx%M?&ht!xKSG`5EV;<7dSB%t9@NVkQmoikMA-rncg-z^Z;n|4&=`R$goA2#~?a+4m~!Knbv_+7&WI6tl5% z`6?gf@>?0F+n`(3f@eX3!HfGvnMgYpj^D0#iQd~@hZ++zAS54a$6 zU!UJuQV2OH>0@8@d+nZ{mL~Q0T*+-L6f?Ls&y>mQjLOq$;sW{&%b-CSgILfO-$v!o zMypqB;0vi%h==rU%Fqv(B(@ew<^gQE)+VI4S25F&wSqw2TC~AfAtLJ**AFKj`~kt< z6?QYD9BJ*fge3>je=OdY|Fn2ReOMetN)zjmGgWe0OCeH$8Kc>ZXt$pp$fb+K(QK{H=T(n# z?`V(+VGkXlTzyJq2@7G0bu!)&rfi70U@yVkSSHNNqRJH7tdzT3{^9MzbSt!r^W>G4 zd=Kj7XUJ7jK=l)e42%bN4(baXvL7+pI&FR!>%cr*-nrNr?_5x-Ws$kbTdgrUF!_0F z^AA{RU@T~UijA(F{mm49LamYP~}jB{^O(4dK}JCVP02(`N$V2+8N^B zoY19<*wY+lyLWI#WslGrQjcE>taknM#UBRiT;zo+TM5N%0Z+PVcgFNv@!!(sYuAEe zzkNv&I3%ER^3(Jz@&=|+lndWZfb5NWOUKR=p}@;Ihn>Ei-xPZL%GC1i8~g8K8#Gr* zU|-0Oa{2PLEkUzcSEk8_OD|7_I!nls-ULZ{Q8AP-89aY`zw>)7m5^7u5!9VJ+J4T%i!8Hy zm|w_w)6_y-h`X%T)!2FG1vzGeYj)qmnB8YI+N5{8?}IDGB)$HC>=VCQ&{-JGZC>v$ znw#O!Ct-RbCuI+>L4S;5^ETT?r_j-G*BP6XJ_D+rWehV>a}Gprg#;&gs(`xm4;XZx z-%*t?JlE2{$-!KiBpu{Y8iye54|$pUWsYWob5zBxglvqEt3`3IJH}%0%V)RK4KYlp z@*raT@J}4|XKq{eJOSo55!C(T<5X`zOntyoFH%(~sf2WJV60&r0tQALr zBo_h5_R~|&je=~@{iu56JMMZ5=Ys8rl(Y%x(MA|2>33^_L~h^mz;Q4DII_PCo)w z_Cm-arJ77Y4JT&B>Yco7wQ2X2fY`^QTOANgB7^+0tIhjqAYICR@Q5BeUn8c%6=(Z!sEqzmKD(2{j+(Ksq zwb(%`k>TC3-i`6c7ko_SB^eUJ8}EV&?B5?R<37K`#>;_zznuI0sAU<=4*R|+d&WMp zD>D&c2>s{C{@(|>#&hU(OFNPhZbq&Gm>3-BN8UUg&(XXF2h0 ze`sF!?QwxRU$YMQyZFGIZ0I`F%Ur6i(&Ua=kjO(99(z;r!FKb|EZ4X1tLo(3=g{!@ 
zx_f=#h~umvgh@<)o7i%|{H&$Qw`Q-==v(sB`|s#doq$92|94LRf0@$I|C@pQHK$)~ z%;|JSq55@*Y$Xr&ka_7ES*HeZ){3*txEvQ<<;nwd+7i<{DAI8wze5Sf*=u#$h1fLG zlj2UjuYlyEA0_H!yVKMhIc+m~DW1k1g-WsCz76<4fedZ7oZA~&zU#gBK9RxBCOXt5 zJKj#0dEEf&G6W~0uMuZFzY?ClSJ1mEK1A11+<$jow;+Dy(FbvcvVSKq>nP0siJ8~h z7(L2<7NdzR!jzT^U4>iC@SV95w`I54>^heOcJrT%c-wy~Z5Lim0G{u246gPl5O;;l^ zCackWeY581cyi;ha~PWiYaLY{>KYjTTLAJCjq7LI;F*JMmYSCc0-ny`&6ZzuG=vb=WmDDBLH*gNCR$9zZQsjGnF@%0Rz4DY>S^d0Hi`@i4xcq=sC4&2Lp0(D#b zU^Pu&6@X{a(4}vZR;fOV*73c+Ql6x=W^t zUaDS-=+0VX-j`f^$NXFciP56n{_Mm*d#g;o5lU(NXVm<4b?S~&jABhmuXGa&4dt$G z<5HI^+MLl(zjLLtzFSS}COEf*TJv_8w_GSL%qxx9)M{iqUc&aWa?T$mG#nl1E;Dow zFO$%6p@29rk#-lw6ErYT-y8M%jb$Th&uYuj59-_l0Y+kZcooN8wZjl%`&4m458nUmAuyuEp^hF4faO*JeLEP_dksfSm0DxZtVX0GYfof{5|2*9V=oi8S&Dqf(? zPanm^Q8j2Lz{f5GKDPOWj~$iAlE^8kZ+Q2lARa4<6JptpJ%JNspeAYd-mF;ge&YZ@AXr2C z-ijAne+Gl+P2y6o1LkP@eFC7O2>WRm7|kJgy#fs^*tne@S(m1Au)y9peea-$b)wah%sD*^@@ zjzBIw8tNTlR#HQl&*W!`yz;BFt2{K2G~a9s{H@@PJqXEMfJ@Z?YP1NK{@mbB5kWNJ zrmO?sYt9wa$v$6{A;mD~H&_#uTG3SdpYUMx!;S6Gy^#?suv)7Q$VrikN`QTMIoq8q z*qObUWgpwM)LC77Nch+;!%laB!pQTZOE(9UIwB80;CzuUoUHjeqZQDwSg;$rgDC%8 za_+DT8?#ves~tIbjN-X@=M?@xw_=I&jjPwg21#wl2P|Cn-wn{Z+n$Z~vuEVur7&Ly z`P)|@A+JVr5~PevJ9k@F9H01Q$uh$-a7DuG*+1m4EyoXTP1J_DX&xgnGsg05$c|_g_=aE1tq?&l z5#Z)>!s)YA81UmSaZ~yxE6~3Wc)>k%=nqyeA{Hl1A0iqMc%g1JKp{jX7E-mw?%^ns zli`S8Zhh0t|9l+i|JL)s`KYzjFa{0W=rO<-(SqzD8XG{vZxC`T^ax$@9cGJ*^j*L_ z@X~%#@BMcA}F3J;CFud#_vy}H;zXC^+{X!=cTJl5eSuEmp+-u z+}=R6grG0Aqb;-*uxsE#bRc5os8=qN!LEw5Ut=o_al=5jkv`xAOaRE7eZX@-Un@5b zK7b&ej}Fvj-sI+mhFfS$Fz2_-Um;{>?&}SEe!FY1_+YetBB^fbj@DW|QTK)((gKdLugsG>Pe5N5v ztot-|E2g`WkbVGv+`L5567uVt3{52;*aCqia`PGm*osrpdoY*o;9C~>3ZmWDaBR~i zihW6Cj%m-*jA09RkzZBlyW0Wq$z;b7MQ@4QMc+>2GFqz(%!nme-XtLC0yJ5=0EH(< zYgEelqG?Hce{*pZg*k2MW}`Ni?JodY@nPi15gZ_jT*w?PWxCYAGdHBb+q{q#YVXx+ zI%7LBZ+Pmv%iHa&8V3G{yal_y_>p|1qNjbr4rCnohe<_0JJb&+8X$QJOK!2nprlzJ z5lSZrDzo#^Jr~I@(c36z(VHoa+V~Hxi`dchY!)Nzqc_$pn%KoR;Se`HSltSA3W5sK z&qbPhp|7^JLu+F{VA&_(Ea~R%{%d^nJ-#DnjGlD*nKSEzp|idlP~h&EjZ#+d(h1B$ 
zm>-){q-2d_%Hc0C)^g}1*h@QG&KJ}f@y)GC#Jtb)FeBw@B+>xXA4cJ;8p?~W1UhG> zH7C9|<~TypHiJ&ag9mrr7QU~eTA${>@h<#)Pr}=@|8y^!xaX-tmpTwmdc#}w5hKS)`}$7MOVfrCpFyGR>W
    Z|o?K^*TXy3}j2mgy?PRgD!D;>kL zZALt|T&)1h=j(olQR(LgSI958o6Vi#s0V>&^&kZxJEzbB&`>V3PzyodgC5R$+Mh-F zj6i;~N2I|po~_82IO04U%qLM2j>#HLd;!*KMLg#uQ!7~k_Bk^G+j-1c#*-T zZU>?gP!r+^qp!XqoFqFVD)%dn;sK?D zmqF$9YGl%()eHi09vKMS2SHLa6Bx}H}VT`Q^q9O7DV&hu|D2_J-UOviiKZuQn zA`pwfJhH>+v{xGzs&8l;G^H}ez0oGPe?k=kT)BGV%HTo^VGO|M4MEYx!I>@K%zAJi z8{B8Eo(*#3sc2vbqrqUpK&?pVUqca0U)vE~#@62>m4&$5f5zW`6;9uCcjOHELm`^? z-O7ZM39dcIT6>e3(lG>zcVI#`J8cR@8PsV>pgp2qJbr!Vf%HKbdxdskgk-C=uZ z)^ad}#^EPIPXjX=nfDkU0ew4sF>H`4x>A&{)qUGa zXPoH5sEqff_jPw-q(xX@*tsn*=tjySgmYvAsbS3y6Z7XOQ?J6bIpDr@nz82EI{8)D zjR4xvWZ%6tLQCOZW7x)bFZ>sm9RXAa<1T0Vzu7nx_ts#QiVIyy}x9a9s%lNPd-NtW03EPs@Mre`Ee-dU;LTeM?wKrJwxpN%|z zOoA>ODSr$N=+it^ZXQCuE=duGV;~3LphRmJ2i+k={LBYn+UND~A>{c0IT~1)Rbr#E zA*oWt1+Z5u*ej6}_|fJjL>4;F3O->G>Ea?U~Q1?AmPPu#MdUZ(2*bDzxz=J)6d4NaLC!hvH%)spA*& z43&k+q8kXX*Bfrn_Oh0@=)4<7c@^MaIUX=&}Pgj z32F4amtffWjG6wFB`dTE^EIQM25&zA z4r?bx9`N>nvoXy5e&So87~E`VCn9Ir_T|!RXFh=4+Ch2Z1HL8h$)$JDSRNe$V8466 z`^jLYE1~R~q3TPcKnIFlX?#lB{b+@l#pNB%M-(e8fVQG?Gwd{zSwH9pI+G|JxFFWS zEbE4}!tb@-$=nr#0#DpGgN7H3jl)xwUFPBK3E2jax6aff>M;hLrA#j zGK?!`@ZvZ)+tx1j%MeRcH9YUHOL8&GXfH7O;i|oQKYTcN|mG}a>XhFo$PMkZ0 z;9dU5UIAv2mF7Suy{YaN$zO8@+|El6x=q&@Vy9~MPMX{ZF&+*)5<-B1X!&LQ8}t; z7P&+@8XnkxFjzuNo~7v|12}K+O|8~`Q9U@SvdNNZU$KKlY<&nJNLC#}jur+0W+Z(o_f*SpP)dBk zJGarJ@7wwRu)NzzuPIo1EQhTp23$*I(#fat>Q=i&phoLAWp7;!a0fO0)ggqW2s9@V zoe!Ap|7}(4GbZEzxlr=|uNF#Xd~(YZd2m9Uu{?&h4MjSg6!|}Y18U^9W4BQg>*RC( z)I6(cp@X1h=)MC6)rK8?C{}Zj*AOb;R?#68wLWx5kN%nW1qe4qAC$tSL&)n`Dg&tB zCg9H-{#$ehC(U)aAb&MF>UW^Y5SWvrSOY(2@n#2V6S&zsh;Hzro)R!RK#hqAJh&i)o^`#2-GU!iPizMFgF6Vk^yeF!#(Dbg<1sfHA>igb>XV%S zE^i2QR-)nYuvFRI{BE0`KxR#k#6KLmrymIfKMaG)FQP2T+r(f%m+bEtcp*_~6L2I) z?6&M0`+Ex%IKMcZdMOHXZm;gw8JP8pX_Y1dFFxhVfSYyJI|msw;Vr+%j1}XBHxI?d zw!7I1F-DM0W~osvK19zbJP{qJ_!%t~%U`tZQavWsF16zx;p(6tckX8Ub$w?s!CV)i zRw*n^lB^WMG;5=jsm0zr;Sdw-7x=PA%%ZhY)RXyh*GH(2gCbowZjt*JH9a!?5VFb( zDs1)2<_<>tf)FVN`HTY!0P_-~xPxe1_P)F%gqC|6Ihqm(tG~Ku@fkQ1@{pL_Qu2*} zUgvZPQflq~BKidrGcghL=;(ce-Qq&iTOl7!FfuomEyGneZ@bE_>y)hPsiCwEArWO{ 
z@J>3vUK~P*aQGpl?Z+X6^&V)~BBz)RA=8snhmhE^#@r~IW&q}`X6gJg_;%uC;?x9A4e`cHkoSgKx;Nk(8!*)!__#cIhNI#wXI_}sXsvb^5cGNe%r)CeON6tXdJ^~Bz?`-EcU$JV zjNyOj38*VbeGPFWL68N&5cRNoMxcQyC_ID|2pVCIl|$#$#1H(T``m~%P)qos^O7(I zEzt4);S0*|<>LDoh{RuwW`K|Yx)iB8hYH7eX1afU?*=pyScMG&uYEH}`ZV)G zyxjh7^&w>R4(P0prU6|Ks2YcmhqPR3ZVnr;axq~(&#vXeJH(xG?{*9iRgO66;y_}G zQuN?44!dC-8YuYr^~rqyr0nJxpI>TE+mtDPt;gW+^(c7XK%w!~&Y%w1ve>|<{en4! z@aj{Q;4QFyAx)t}$ctcrCR?YK8%5LKRY;?l9Xo`~&mp#gSh;_7>=cnb-JlByVkGUP z%prtaXGV5IMdZ?)|6B+B?={R_R+{VsyqVt2@NA3j=Jr)3nE-z<|Dtk`G+Hnm@6yfK zR?;m$y}ESIx@%428HZ+A+wqQBn>|+B%|Zzc!+Sf{wmPer`jHXYcRJ!69#^EegKwkr2Nx_#r&rUWBu_TCJcP< zf7q}?$j=!(^iLyZ@~08|)3W{hRfx|NiB7en65!|-PL*wUVqINeP$=&_En^9SC2 zk#l3=SnP42o4VTo{SY` zFODin{@xk}IU|M-llWm*UPu&g9Yxd^EUmZ~PIi_AVw^vJ9P*GWHG5sZFy+gFIszbW zKQffvg-I$~g?`XEgFnb@xV`^&m;ldhVY#fYvh#9uK2F`X`<$;f_sVyfd?%NJn?<6^ z9=}e1w_t=!FP52+bpGcTm;vk-5FQQw#7tKL@qhGv$%D z$fxigP`d%2ZS=tUqoIbWs_~z0H9*?1c$eKKye`7(IaE?!EG-z7!Y|c0crJ>GTh|Xm zeAi%d2sv)Gqd($v2vJzghEtq($_jU!M|SrR{$mYOm3s*In*ZLXO^k20!d&i+-#5{* z8?4?z53J_(hoGu$rD+l*M7(+qm1cR zT}5MUR_}h7{&V~!UP0iaL0*Yy$^DXxN7(hWPZulx>9rVM*hf21Zd3L99}A<=q{65& z0wMSA!+1GCOU0Y?AI>a7=o{8zAd3x-B$ZYn_GE6Hl6#K{lJT^p^kUA*_t3br61Dxq zZN3C^56cHnL{4SC*RDNzg?9bdLDJp*-6**b^OBy>4--h6(}93smL*0IGmUq>2Xz%< z@^FHYlcAt>GciH5CN^MvyNJg*xk4!g$AaD#$L(Oh zAOaWbSa*SFwCZD@F^!Uy?ug?8m-HSb{jmi(>An@bqYN4hze7lic)$f{^c0WQc{kVz zPt+;LvVv^?Ia`khZw;OpU#8&`G;nKK!VfR~=oSx;H#I_5CQ5pmOlXLqtE`o4pv=?i zs?koDTe}3dX8dKHUGm-SYV!w16f(idHxRuvMu2>A7C7cM$z4_1uVlt9J$tjVy47Vl z!>{L~k65z86cL53(v0t2psuW7M+=)lTcU>OtEpHzgm5+Z;-z|?oJW6|L^&+z3&f3? 
zHw+8!scpgR-RC@vnmt5l_~Drw-qzoK7!(#)CLg1=`8~OFdZ7E_Oo__HHoMQdg(ZGd zfSvN5fb9dDQKwt2=0=y0mF6kK(S8GV*q>%(6~~c7h!c$0QyReMTme>I`tIttWk=Uc z9dF>R=bX=iRjr2{T*H3Sc?%0s-jHNn?;;@fM`>15-y+S(B}Dt_gX?^So0|2a}jx^Y1A*eO7D z9g`;-iE9aXjRT7*o0`w?0^qCuXX#}7hrJJt6r5)OM!f178|`^^A2y~-jc^6!oK54X^)j^yc^Oi+2<&_olihlT9Z)U;ETe67s#!C3_)T z@!Lx!sda=$87|wQfXz+}IW(s&r!#aGb#$Zy|N5SyWwv!qoZE8SRpt4&fnU>ZGCONT zekcsFBxm>%4a!1+G5%nvoFKH30(}OUn1Sh;dI|)%rf9AU;rgoqVo)w%o(~}cCUC)K z2l>`8qN_i(K&SEiT5CQ6d*`~I)`*n;s8WL~IbF7t<_Llv+0 zI~+J5e0S5R?AbdZL})vh^+`069KU2$gw9X`9t~7eN;RDW@At1lgFPXj0S^%^aILlO zS@o;&12*k!Z!}p*+^qk6B}^dw;N(FRW;%lxM%SRg)@BwnsX5rlb)Ab}qD)rz%M2@a zolQK63OTg`>(dO3Y98nokG!KMens@rc*el>)N+c(V*vWZgys6?>4$1+@0bGZMlag< zO{NE?PZ8}=Beh?Jjz6Y~;)Pg${#*=NDAW9CX9JAV@r}2?GkBG=c3kwzZ**#C69lQU z;`eYPQ#Fo}&57{J8m*$;l4 zoOpA<6N>xUOT64Je>*8%_0-8C$5$;l&s#=>E*TBwEu4)^csn`K{f!xiwnVdu*!uy% z%Fw+aJ-Zk~^puVRZ586&+QTW5!V3^qD7c2XN|UADN}K6vOmZ%C^(YUBZB2_b>z4+x z9p?zwmu3o@10HZmt^^hTCka1K-}aM?++3%zHXlNgeMu*1%})*?i|=4TAwFbyc|h@I zilD#y(L&k5UdF{5c=w6o)Ow&(_J>J72V*VC2Z zpFT(YtV&@qI!0zFDr4gb2`0*gp`<;wv3vn$x}OGzFI2@GLab_QgDcKG0M5i|JfG?M zX!m)ddRA4b+5IdVIn#SKUZ{he49rj`MbHDDTQ>200HCA5>6MeefYL~%01Ap80U2aQpK2f zBqSHgyAzmo(0B;>QjKiv2GWP?Dt0+yp3Y-DLai|q{)IO7JN{Rg3=T>g&o0wcN!gKy zkQvE74|oIpb311OUuNa`>IZl7k}!cO2Hi*ep1c!!VQoR{hn<`zvS>*oLE~+9!qzr4 zS>^${{y|}<3bg*-?w%vfa!<$k#ge`AEZay&yLDnTx;{gWth+7)tad>~tx{Qq(Nq3^! 
z{;W%BTk*K`LeucRzHPKf)`-ZXyRX+SGl>J@yUS>+b-!e|v0c654PW$D9VWNx$G)q- z2mDca;$sYXV)_eQu0vUiw~pi=PN13;>s8%zm0$jNetY!N!!m*MwRNvbwQp*VhO#4>jS+!7x=E*N%~`0lxMr?9ZGm2G5zaKVs3kvKrqrX4tPl|bjP1#R!NnmVL`+O>>X6R?@AV*N-QVsGp8AffQh~JnAa-S~uj^E$E;)Q`Uo}C1!Qsi3& zi`Fk|s_gG|K3&^c?K#6~Yb-ha@z$;_Lx=75id~AqZ;Z{!T)*!Ie0bCX8 z>)|p7{x$J;ER_pMy9UMzwFe1jMM1NlIe}2btz!PXjQNkNH<>~y^2@_@Oavj~&i?-L zWP3ZdHU06f%BgRnF~^3Nm7V<_Gv0wD8-8U_vf2rub%KcT<}^T@%*^pvodg+ zDF$CQ!R`{fyW@7Qgu;6ngv$kCC2q1}x9|3Cu^7`OC8a~Qu+JK$Bfh$N2fVN((%uyZ z__x;v)l?O^S+DA?T(hKbc$k?zkT1`DLVyDb++#s;9`{@CzK-5(IF2{D0PZ1^!8Cgi zgNTNOD`iT~T4b0TY-e7;dwd!Hdz*&pyt0D$kT(y~(8f|3r~3_l1KnOF?szC%iKY>U?RZ_3-s+u)^>Q`#3Y>iQRW{*cN1 zQg35qG1mldi?3H|i9U^OS>E4`q+X_YO}JUAr!>aSghD&ayx|{QFY8NNDjOp1Io0aw z$ES$Wy*lD6OoxsYN$_-t-T=d26hI zu*%-SylP#_muGY>Wv1*_v$_Y4dX6Ue2}U+(=;7BJM&A4}N3nmy{RNZh=PAnqb5G$L zg>Svyco_dk$Vui`ZI91QfTX#r=A`U)z7!xK->dBIGT#tksPUcVwTtlF zz=>36-RsP~#~#uPADMOA5=h~?NvHc?4VHt0Zn$Z2gGho2iZ+14rXL&wi;ze&BI@9I z8L*QHaYYPIZ6s)5_bJshFRLP;DFeFkI@Fogx`I78!yO1GIAf`&Vs-&qBLVvM&N7VX zgr(*S-8+O-sBa!Z^mMNZ4SK(Qh!KQNXfp^=IN-@ziRzkSYM;4C3deF%1Ut0_Jx%Ui(MA)sQk*}y?$&JN%A|8d|IndV;k*?- zx3+J!kiFV6I|i_hlVkP243=(vQX*(}u=XshSG9QYODCm`9;d5${f#M7Y3o;u5LsM> zDgso}DoFL#B8XP$CVd@kXuPAE{p2wB@vy-V(m_*a`=&fv;A~u#MF2Tp(iFpma+m zWiWRccbWOM2B6ydSh>hI3Dj%7leZty!LqVcNo&X_7x@4Ise2CTZ8LLwq5;O~I1hiz zA5(Til(TG{KT=tZPejE9=DX_QD$S}Ii%0JsJO!gQtq z?1e7_GoL;smH8^UpEr?O%{@?Zy!$=*QG5&I+b2)z)k?FusrDqRNCY2f+D8kK*2z+1 zKk*bkY29;wyw}}5E`7V`>)gguNDiAnlSrD<^hYwT&6)+5TC@Mc0GEy)(8Otr@LUyX zFn{jwAfmHfU*pnA6TlC~uIY{n@ShnDFAD5y@%fhQ=1zY!*?cbb0mN6hhRU8tucv=B z>eC%;LR{I_#~rLB z*W7YDB}`XNaFjga+3}v?6mkq$K-Gbzax*5{k16zSbOS#g%RBC}507k6fR`-oTJCaG z{`>^}^7U~!o;gcR4b`1J0(9(5o+L%&JBJ3t3rAM!d{QIubC)BIYqRld^_j}&Kc$=L z3DqU?(~fs2R}rP`$O9ij%###@rHs>%6iIP#=Qtl#N`=ix(?7TB2QUxtt2J?#WBH?s zm+GH3<&8Z>+FbGdQKI#0R#WDUWft3VK#*I|rlE4Ox#3!Q^^nG%fK`GoiixUDF7yg5 zSWaL2JZ+;9S^eVHkW9_E?fIS((Lb6Po+LPqUnbZGQXZ3euMWUNr0@hbYg!+&W7K5` zCBqVI-D}Zy*ZI?VLtvYGyRc(@#JCB10+`MkwQ83;vQ+85-$tzY{3*MY?I1@6|C;@0 
zJjU;gjmtM{Dv31J>fwNQDiU0%@WWZ?oQ~jT=1~IVrY>nHw5!6Q5k_X%xJXr>$(+b$x{&;rxV`R|u z=UE8qifRs<{-y%8@%1v1hx{3(T|kb3qYdBbICIa>mtqTx+&j5y2JhdFo2K{b?D0AK z_#|m6MoHs~)&_pD)7`gN|Iu*sk2@g+Q58r(mC%`$1Q!O}2b2^^7K1;oC2N?!1iDe@ z(eI0>CpEF69veEo_w^^Y%Ufn(Q7FwjM2hjC(lKiNN|g7dv8sh537J(fkfndt=h%_< zmqY=CG;QDzvf&M|LsuUSLbnQx4hlfT7cAv>>He++WB_k`h4ad_$<5vb zjm6oskBmRR$}19{6)hh}C=HO2vq!VbY+?5LJ0-#KhOfKn=yIb(6(EHNrC|ZHGAs5w zybLdjbh1kK9Lv)YFuB(GBFo}zX@{J}5IBfmRNG4Tp$BdN*q|jZxInR8=G~7>@iWh- zPwL;WyggN|A1fB2xrY}B0&g~OIrV9E3{x>RZI|COQ zBv*~=K1b09G?_;VP^^+|)jKuhWrrRboavPk=w=GfJ*}y^m+@t1!2R(Z=9CLlnjSxw z8>~o$t!I_{F#J{9#vj(+eH-mz-itbV>0Mp;p1zRv?Be?d?;PaSST5wv*du?pOHx}G zc4;O$&A`raH0a5E_Xx0eytzV^kuSl7=M)$uRxdIb?^J-ah9@upH;+QT6Xyk>d-{yK z2MB9GwPX-8-IKj%qy-Ls==+Nn7ZV2kurQ6A!%}%WrZI6^=MjBcY;_=T8R1KKI>~z0 zU@o=2-T0;6ruXyP>}+U6l~8?5Tsvwv#b)42$;3>Zq56tCAC;u41#nSc=n%EI z5;#@t*oa%+;x0DqDHMM+xifHGdbZ`*f@F4W`MRm(#k}(V(fwsCxD3GO2BFu%TTu`p#u5JsW92NmdgFcsIKJV^09A)`s{Hb#U)!@m&e_w z6~6c1OHeLQ_L}$huN)o~Lxd;Idv$+QB$|hGG2?<@<`~Dsr?sgWuOFEH*f@~VT4_#I zp^2b}&PVzV#mU>WW!IIQ)ALk!mS`A8b1$6zeCD|_kYrn&W>4245{XW@TAv$Vv(=R# zX(T~^T>3%iSZ;hRyXozx`bHr&Kfdz@NqMN9In!pS3-Qj9CHoeVe}*>(7t}~q8vFcF zs=zWAVcvw*SylyusPn;+#HXr@ZblMxjTUPYX#XI5xH%uAd6?=fTKyjs0LezMpKy0J z($-c80KLR>bRL4YBCJqY!IY$a6FO5)y0!$XK2mKF|cfD!dQq0`0L^oNj%!9&Pa zOVLfHEx~_FNtibDNg6cs43IG}^IO$RbZD%ypsKf!{b_9n`g{6dT5$@PKhp?;3gtW) zkZ=I~n{e`~YQUp3+; zIr|WDeYYJ(mH@v*qZ&0sNg5Ud&}n2HAlHmxAq#aF<4d{&O1GuF-;GN|F-=LWkG=RD z)-i}%#=Z(iIKsM;JlIvnVU&f&DP@v+frF$)>rGgFa3woT2BJ-21ZYI)>JL2WS5wf7F12ZBuHCZ^ba385iih(m52f$j(;JT94 zi~%v7nb!z$2b$q}9ENBP{yYWiPaMgmEdx`Efy^blTnMhpY*5*UBzwadDI;o%bE_GX zqb_Gq5tqN8GvZ#sOtk4Lri|La?96)C$tt@uK(yAG0EUhVa;)~SqM9uFnDzO_>R@jP zjxeJL252}UTGL(H5x93J?USftU%gpZ$-2e4Z>R|DX7ob9(ya4YD-9PkIvMtEcU%M6 zA@#L|;kcT_lx10PeLO`PkXswr1^nlQt~Rb}z=uG=7`fZ%OU~rRfBwd(-DaW-xwi8J_~h|JZ>(-!UvbG}HtAZm zTbDZhXZpPNVV5**rlp`~^yeoGeQM^73|TB*8{Xb#VY1!Yw`@bd_Isi);8m>8&YW{H zjDBK&w5{KWoY41QRIXUsH2{tI7iOkl zwF-i9k+f?VbjQD4?L#(cUX=g6ZD8-fGRB5$BWQO2O5cqRPGG?F-GrEZ@Z95f`VKoN 
z1?Ks2Q`>v)$R=?vj*azE49&bY^bi6|&F+=l7DBfBTm5IzW>StU3g+-u(`J>u7L-krqM4`R&Gu(NdH&wyNZSZOx}*Q)3y%T+i?H>8>Gx0w@P80?5h(1l zAhQPeE$fZHWnK2~$mjQ||3#{}-?9d1*Rs*rzhun_!j=ku3fu4>!nRKSwPQ?7{D))_ zLAXVycZZM*Z)SujM@B)Sr8=bVPhtB{ZST5L@u-`i6;cM-XZzT{*k>Ey%CKD#LJs?j z&@+i3XP_4VftAX?$e!!sRE~9;MHx|w_IdfYR7;4S|HcJfm!op*(kxI!@q-@Yze;7= zKL1fF12`jq={H&bkEITpRwOLq99=pR8p{m^Ajd>$fa||0_Yly;1}ZmDbqF~K{EKY~ zL#peDXf87BbNA*rvAR<9#|EOX#OMKcn7q{|BMxpTCqHT zM?3%h2}VB(;4VTM5hD+t%Yf>O2*fS=fwZv;Nz;cA$`R{7rTm3r1^O9fIA&!7Ii@a1 z_Yk?KE(io*2vTqqD_~OHH)R1M-zdu?Qoa-beUF^(G5)y1+Z}&lZuWfGO3Y4-1jBr$ z6h196k7xH|X}aBTY2}!qS0KmTQTKBKT9(6l%?&+1U&BsFUSv92@}Io^B>2Of2p!=%&N783UW6*xiF}EXX{QI zr%i`EFf(fjnWO*Q26-yPNevDpu7BMbol7P4FuqL^G!-uGnOBtvDFxV*UTv^-oxaa` zY*Qm~)T-6`WNoodkuBNKQ!&7if{5pCnDQLpl;F|Bq)_o%UBAxhr+(tpr?j674~9mC z$hhLamCZEX%ZnIZ(8$03DVf_}CuNc&EJ>jg(CX38UNy$oQ&tb`Y*)jAgMY zn=?^PUb%lqy4gOErIyVr_=u^U(MPA$i93~_y{lFFCcuiOi|YHaK$(yh%*@1sFD3qSUAY-((&TYb`XVBDa8qGT;8q&}y(B85eCoYEwxklBD-RF&m-?s zLsY4U(yIg^DRJk?_@de46X+T z+z9^Z>~|SG9PY~r0Vs{`g~DZ=LV`3w+2n~ zW!_&)G9|s^`D5d!N2mAOqkCR&@r?;Fld7lOM2hz%@zH?H?3*W~63A0JTYQ+jZ+CrE z!zphC+QQP~k@42n$Dw(dg(#+cgb%r8XN63lTnW(}2ryongdI;h?<+r(`5`FYJ#5$@E) z-aDXe17gVo_+6^h1oSS+ss+QiY~5BCPR%-vu4gSHw;#9gQ!mK$aws<8bS2E+&ol9( zW6{E;SWK3YQ25@8ycO87-uzN`knZDE5}>^n;#f4|eyc?}h3QRU)Gt?iGbIsu1JU%& z?+Q&^$y)QQ=UbrccoS*Tf9BPU4uG(iX> z`kwR&Vz}IK)+f`vB=sE8)s!2X3aaLO zEMdp7lbUQg{Ux+M3|kqEgBnPx4S(#Ej>onH5!O(kvRlx3_ ze%dlELUdrNmB+Zm(D!8OfJ9xeBddH{_8&Q#p6y=gke>Hn#_#~HX)1ERaCPhua)SSB z3BE^JgN>tQW~@Z!DW3m@pJQ#7Zf(ELarwW1N|2#QCA0su6aRAGJlMEo4 zbpqN<6X|aV^euJAEjhC;L`#c|nZ$q8T;j-mIA)5Ul8?{XTDf|bU)POXtCQGbFFB<6 zv;18nkZ4w)IwJcJto%RW=!%3nwd+@u7XL|)mfF&|WrwLWdjY2H9KUm!mCbg{btTxI zBESTeKtymLJ*tlpJK91sulOB|)%*^|*vJabG>gPiutR1bSPv0F$sLqn=J|FHA={My zC8Pj;Gurc{IuOcavkqPiSJ^g-W$&rYl9u3?4dFM5X-azm4N37|o$2=O>&a{2Dy))2 z+{vV}5GC@9{3SlK$OW9(kc`+X200{)?lG~d$Ko2^&nCkZXzcbOHwU*_AHvy9d{4fC zyZkb?$>8^?tADlSnyP@lXP|mVn4>z&5Cy0YXg;9m8x~n-#LCGw3rh1pJ9zUL$9oH& 
zX|LN7o^bU&kHI&`b00g@lvJK$Jl46C%R)wL!$*yS35KSbo{pDqq?QR53~A5PHm(lT zYnjopdFrk}$I{yR1DvpTKat(Vl%HD5%r~=Yr@LrZ$E<#UNi94O$OsOZj)8pk!efE> zbZoSZVb#F8^kW{pk~(@QvwXMK_3=?cSjy%RkIu;?{)ZhGDrV zNiQGn_R7SA7C% z^yI|a<}X^DxD=>zaqh9!OUqWEW~~AU6u|M&7*%4OJ>mH->n8%)1D|SK1N_^X_wKq- zcwwy!X87`4Qe_AJluG2IT3Qp*dSh1S0ZY4vZf$skp`!;%>c*Lkdw#M zDqNa?=zTozUJ(9Pla~`@fxM1GGNt~p+{;u^Me5jT7}R2)FyYcVK7@W)cO$4(SIB8G z%1hWGPD)?=Rq631<)Di>EN7J932A&D^Mmpx0)9JV9wMIxJgo8aZ^}E~NM3}fGon3W znoOSrr7!ye0wIROTJ-u}GY7y0mk?ivD_=5)8uMA)1y+}Y-bjpXtZK{7)(W(DDGcrv zCPF=6LT=#pR5CHsCfcoVnTDgHz%;ERx0G9@+Iw)ElbfQ?o-v4+4#tf)ZtkZzUw&2=z_1`cf}^? z*h5>~g>5Xto(ohR6|EVHBw)RmqKC0}iSg}7&qj-JjR_v4sZ;Q6t)SKBA{FRGtjGne zdY>(`(fxIEvS3-jGO*IT%NLp%_0jl5;CTm`@igU~4Qh+a#*p>=O=QQn)>ljr0j3Dh z-#sA}JPU-Mjr0w5f07`o(I=0#`Vg8&6 zC2Yg+u1ybK7m#HtDkRrlCvW40PLuH)J-)GO7Y6dG2gEiA{ThZ2iFY^B$BwLZ2D8-1 zw_szzVlQZ8f_RO5#`U1Tlx)ERh8^)HQNJJt8!i^abgf7HAq6z!iaBp0GB z6tU{zDW@2CZty|<5YLH##{PJCz;G|~D~BW}87H{!q(vbYl< zL(%HLj=<>S&8WGet=ZenAO!DvXPvBAPrJo7GezOu7Md3XAi%wpIgDV)xmi|kyinve z8*4S-*snODXBFf8fD7m7K#_lSj3zw(>gpMkHASS zljcGLO^z2p{OEW0ldSP7i&L&TGifJ3_5F*NbgnQH{e_Lz8?l@80S>*_C%F%5HNhz8 zxKqw(TKI?$Wo*o6pltFMSM&*e_-Cu#z+}5k1$Hy$NMd~ ztx^03l?={5w0^`lTFF$23Qgj}WG2Ynv%YJngEXLUsqUq6se|JX>T%hfR*#(<^IR#L zyuQPFmp2j`ENud^XPH{Cr>$GWkoIy>ax&5~rSmnht2@g-X!|qw^rky2{wUfrOhTlv zU}`7PsDOlEJB8+_Hm)@r*i#eT=Qhuu;DQUK=6f}yKDiTt(6R2LjqMM=bL+Pz^B8x& zt5pI1pxm2)^OeStx+$2{5dB@~m^B1P?g=ENcef|2ggZr21kqA1r_@7KSUv_y^lKfz z74fRBqW8AM*K(cfq;&#^_b(IWNHIs0EDyg`b&Xxc!7Ih!JQl>A?5A-oHF{6zun$NM zJJrKrdA7#*4)GwfEpC{n))K2UaILF9uN(ntw%Yko`i0agpF@=d9Z=uw{XSe;zM|Sivcp(xw`gY|qi_k$#5nODo0>a*fdevU#5(=NkhZs_rl_xCo26TQ?6~KM3zR6SxG&@db>fqt= zXc?^mv;GE+P&{wLz~gcP6&GtF|GoLhY3L=rI0w-}>#|uWZ-6QE_=Nrgxcm9G;cREd zPtixo0@shURW>*t92YNl@07>^{yf+W#>tlxM?{-2JIBE)BUl5Qg1rw)qo$j^fUa_Q zfU)!Z1NIuxbjPX8)07l|~!N-iWtZ->0EL-qMHv z;w?b{3vT|g4ylMomX6b$Uw&6ha$POU0aBIC*jn8D@i<4-jF3%?62GE8wZ&f6l4RT+}zdrX``S!Mu&XT2qF654h{Dd$^Spy(- zdRpQtmsdizsT3DgmPiS(Hep#(_Q>neu5pL|ZyenMur_4_c1&Ug2^>wPmzJednG 
zU;JkOqR?~lHR}DnZ*gVLZe7@gkC)|6eLsXuYWnW3Sh?gd7c}!c-n;x3`SDf){befh z>TP2{ub+_TGEznu$@S>E;V^$i{tBys^g9m1hQrtZzkYw=`!Gqs!TMxsYRkeDtq8G; zGHu*itnLoD5$-W_>*DyF-qFqFP`4f~I*Sz}G`LQ7@FU}ld$X)x=T5rmS0_A(Oi;GV ze{%aQoB3AJVh;1iCBGfwvDw;iQ9*78I(<(d+o%If*&K5YA@^afz=$7aWb|#%m2rM8 zn@Feewl7bE7V0D==%ao}lWJG}C?ORb2YvHQx=VdQx2HySz|%u6AyFZz{5OJ+_FuW& zUuu4p%SOAx3tdXM`}p_^=7S%7K1&207r)16tb2!2^;o7`F_#68&myfpbi|sQng!s-#CDM_{?)I&vtI1Z| zjFdV(qLh*V4N(q4iqbY}m47zzWg`y}9=R3R;94F4>o_ZhduQkQs1Gs3KOz?O5S;*5 z^AoM@IVYM~tnRF3L+buI$vX^nheuypQm>vA8JHO=Uz3UZ5gIkog}Wi>^*Ld1+*G@p zarR6O8{_*gNE%mU#KXZgnT26do2dKu_)h1s@?CBKTujBpU$Hx%#s-n<{!Dcx*P`fQ_U5-P=o_17VU9b?1`;N855QQ< zX#%?AHN0L8kWCw)c#mMC!TbTG6RcVnQ%dKeDnCn4(=%MOzvABMz6u+CkFy}hQxwQZ zpnZy4^VEAXFaA;1#W2^ZdrQ&z<10(**z+@~jP2W&%rsY_fLU?hfc8WptYue=zN#?; zMB<~Xldf&vJCkzvxY%n2wq0}c3S4$`m}W%GAjv)+q+aeu!%O`t%c|F+k;%7DRsR}) zSh@ITK?8N0tWQy@O{59I0x-5D9v}^bqL2TaypUeI`(ZbOmJ_#e zRm%$I9deXpk1nS*Ls@;Y>B&MZ2<5>oC?A*x5tH;kxc->xbY%Q)4J5a#;8pY3zq5Rr z?QRm)3=1(Yx7N*H;Z6N$ryt7NfaUV%c+NSa!!E$kdu+~m_=8p7lzP@zoOwKE85qlgdamEh_I|&H8e_tZpsUTXXT= zIafcu|Esh&4}|Lf{>R6QqLL|PU#22tP1(26g5)JzQCTKbvS;7tCZTLoCWIJeOG2_% zGIj~czVBqujAab7^nI#VukHJOe?GtE4^4CL^FHU^=Y2lU^PI;y=W)i?j`|KE2bgZ} zh571p^ih8&l%xhbXSF%Iir~CFJB52>loFp`6ld43rEI#W8$PP$XatU?=U4HFH;N(9 z;{H=V!HiP;*%IJU=YBBOMq%9ceu%?LD5f}aPs#=j`VokL{1J$t@Mj=G1)cGkbGjev7@4?L#8_kTpX%Bsn%7fKaqEF4NEk>izT(flb zin8R3VdkMF*XH&=s(4;CeYxQDsVTwkQm+1&IQ)A|!djH$YB_z`LlXVP>cEb;5}Cvc z9qhaK+*mIz9Y#AHKlJEJh-nEFEr|G%G@S2heX22B{gSbkEJVu zoV2H&5F0sZ)$q~OyBM1ht@myMX?Awb>9i~x1H5{xYe9|W4&!=st)SeXXK~pS{o7IP zXfuMDHM!T)^+khe_(_z^3gxpuWbU@{)@1V$7%CpMljFIWVXLNPVfKf)#6xvucyw;p zGD6QT53V#COK>6v^fZG`IZrv>zl3T|vgVVMEqnatcHgx3>&^0dr}*SPVIv_gPeHOc5_Oep3?FXGwTFZl9@d(A$EE7M*mql%J?*!k(1X*#h8tbU zW%1)jBi-9UK#sG|L_^4Ua+B1uOuXv-sr?Z5-IL0;W!$jqGyYL)P4$-yVk)_uV)amzgdj#kIKGzfcx|E$f3rZ7wgbne}e~sS8^N%?iTlQeHpCgIWt{S9@-LdDO|N| zY=#!PmNoYs22+#Cn3o+omA&NXXY48Hc#u8kwD4f3n{1YWNwIO%ZHuJ09`*rO2c0+W zL8-@@htH4ryhYR@F#hn`t}f1bd*O=0QpLS4g|8(Q)Pj9%`6AK*O^t(YrMj=_=hm#` 
zi!0-oM|7kP1aq4lc{p^tKjKtKlXy_hyV0sVc%9YpF8S#5$}+rLa*-c>G%g0%#;RBQ zyGRJJl9;-ZFjXj4hhFxQ2HZQ<;6w3JOVIQu%PIGk4|{gTpN2a(6wrdj3j9gkxvn=n zKXBs*Hj_Js6)BDONWs8k`Q)r#?XsT3&c+mrnM!;7O1`{)SwL|7C{WRO-F{E0b=dfGm6tWYXCISAzR5R|4~U+}zox z5#*Ef-Oj|p2Grh4jk$PU<_BJRf(`n+c}Di=#YZSS9I`lO!!UpPMOzxjY8h3&u?{#! z1uH-lOz<*Yp2Xw2W16<#e*Kq`sJIG^l6o9s+6|-*RHY+-jPD3R!RbB!Dq5{=cHaw#gzhwB=Kk7#9zG|6=o) zI%rc{^Z|Y$I-A~+JNnNY##Q)5I#eXlqM=6bd?&NGE+_Ho>S#;vZNHwH;WP3L{YFQ3 ztJ~_ZD^g&o-E->=)C*+Ganu7d|KC$Zii+MP>&Lpj<{3I>8ZQ!|S+V-0@2(hQ3?X5u zU<~4&zdiRZXr(pJ$|b(@0;?J&+4_*t?GL2~HLfj}mIN|T%mdXyPO&NkpM}sOMHM~L zdC^m*I5~GUO-4K`Lj#XN`JpcKLGnq$=y)70zc4dDAuBI6ktFuXQY?ItC^9suq-x~$ z{`J8?WwI_|rn*wZ(y^AE^uouH;>LXPRt@8sE#otCg8vv`6x*9CvrZ<-!H6 zCI(G*r?+Ba-Bx#Fjc5<)d=6Ymfj;qhZX~7a#c#@zXovxD5ta{3`9;Hj9QF%iE!C-;D{S;BHy(JQCOJ_ z6apsS+B4y%6|tlB5A$#>X?dY<(zId@5AJ#D&u^RQVuAihXRZjg#Tq0#)E+$d;P%Hy za%ii5qf<3aloxdCwoi~4qj4=Mf`HE6`BuKNxaiDyag4sUR+xV2gywG6rKyKiW7k(C zQVa(5s+=c6vYT^sUH6>&dbG3pkT%xy<(Efg5{FiBAx(`OFOWB7Sm$tiMCh7B%1iX*KDV`mD)|$3WY79v+Sas{eP(ug-Xg>l3xm3Qe4qdq`zlD`1ojD?q&wo3p zYHQ+-8gOFa%VvVTp6BGDM8iarNKzWzGDr84`mK~kH?G4IA^$syXC6AHMUvXdH`|Bs z)T92s=193ASymU4 zOe$WZBC6rStZXV%!58z8PKa=yB6GkmmA)!15XX@g#~pgfrcYeM@>RC_aSzi91BwJ$ zrs1k+_!>=5KlW>H?G*|;PakA^)SwOX;nT61@+=4Z8%*%J9p-b#<%W=*vM0rLDLA38 z0z{sAm|+*v1rf??Vfw~kQeQ-AIbWlB52uqFUZ%OTpauUVmwt@)qC#pM+B4@rX`%0y zF<)QDuCr(JjdQHh%A>gEy&cj9-2AH-m+-(56|Uk}!dZz3YZ(}l?|`^3=Uc{IDw=1} z`bgsFAV-e*gaw*Bx8DjH!Mz*QeekT9W%~EsEm601DsDl$VV{Y1OY-9gMshqwuiI7n z)i+6@2s4om9W(Z0Ze_QG$4`mI$Xb4m%c;(@@7aidBiXZI^y<;M4+7^t$~X9KkbDXF zx@fKZ632iXX zYzMJGEXWc#^=WS%oWdgyryYyMJ0ZvJgV?4=i2hZ2g%_MAJK8$|Eorz>^r@NvE5ZVm zz9UhB)J$i=0=xeJ4F@gMf@2^63kIEHo|b!cTZw}RDN;EQlRA-TZt_MAi7r6o%u7Gx zWh)t*nNoZ9&1)>|AzYMWW#-qONd0q9wA*P@Sbl5b*r#K9>G%KyBGJto!F=D>ue$VI zuJ_w5SBi=6pb^=Jz*x`w72`&-G|?{tp5Fn!=G)pz*G>u6UF%Jte;g%1hQoU%%lg-l z`{gTxCmI;`?{O~a;-e?ZQu3jhWMDUXmMM`X>QKem80wXD3;TiW$aM;ZuWn`LZa{^K@aeV_EC;f}tVAo(w6 zwa}{Bje~K3rvuf0fDY}peBsMFK!zGuEF1>JCzQM_c%)x7Y6>rl!%>yWlp%(VvM{Pq zHo5s!X*a*spsqk2T^` 
z%d6}|A$Rx63}mcUw8>VqOqHT-f;_B32>~P%;!NYP$ULRSpLf2r)cyWV56IcIx@A9R5IKhws;gS`EpLo9$lBaxuDjM?Jl@yx79U&TYm8bE~tYv6+8%f@VDI zdgTWG;LFPlGc8NBQn-FY8So{-3tzk(Ny!>=RJo@R|GLS|%Y8!Zd9o$I~lrK!N=Q}FD-n_XkDw6&Ob(T0iZbD)S)rMUMz8N{|{piu6L#V%E4W{2<0^R^pq%0jqxCpIZ^Rfp%TA!4BR44LyZ-dyq zs4RQgkT>eBca=csMar_P$-G~Bt1VT3t|zm+EVjoxM(fs8bi^Czb?q_!eL8ukG}(0} zejiLpOwQ76)dAd5X0!2yAgU@9B;Nfn-c+bd1?}o~bbWX=L}CUe+khv7BMEp#fVl?s zu4k`Cd_dA!!K;3pzJMf&T0yfPb6X$>{HAu$wz>Bmrj*LTRQy|d$W%n ze~0*Q=L}miCWW7RHp!o*G7>I8QwD@a`kq7IVbFxc8Y?b(GPvf<-o<1$(+|Cy2!^EF z*NMJ~HXLUkr!3jg?ItZbwonvwpa9|91Bw_qX;Oz!iE+-6=oeZ`IBm zo0W?+KB4g~9#2<+>l@JX6=W=QAHNbMgSEcM33=&E$WYVw)Qzq;{3owg;N}|hdZLvZ zF=0%FYToVq4PPQsxUxn`QT}rFjkSn{-vivc$u2K`v-IA0`WFozqS<}XPV<_DR}$Kv zyf}-yds?NPm|nW%?dPLgWnrenE*&p+dWG&}`P9NtgCUDn>S7>~OpRyxD1En_t4E)$ zJik0y$}l5oYZdv{PJE<1*S}y%iFp4EPoZRET&arBhP5{iNL0CCQX@+vF zt)o1H1@@Wa0qko>Ch&KN0fB9Il!sUfsFFAqfMusSjc&=AHI`8HCtSn*;Zf6JmbPa* zysjKJF8nZ^;URZz_0DB}c;-#aoyuK8^t0b#tRMj)A5K3~NjW-sdF=M1+5nLu|IyDh z%-z;<4c`_(di4Cfr6lF(5Y_QH-WchG46)*9$KQl_EbZxBfb!vRXJ746s1kS3J^jY* zOL6Y-j!F+22sau_+!#@y$lR|yq~n$~CwZneW2({1Qzhis0z2XxZI#}}MDvD6-!8cw zTi0t*>J27szxw_aa{m6h+Wq|UTrC41mafMw}(DHnD9&WqqUoog>8A_H?e7MBNxYFSrwI3`$TE;;SGc>Efi%ECxCWX|vnAlbhoD&!rFuFP>I<;uZ* zQ_c2a84^#&Rv|yhrYf)JyH3DscWEH{%v*ZfNBuhW7>kcl$`b`1=Qz!{4L;qcq&|Ou z7+&X`mXD+5xRE@oOmHchr=JW%y?mFW{7upCCqJ0i^~es6qV&C3-FZ$cPx^f}Uuc>c zxg&cEY*Z3G-(l7`w)v4`wAX09zFGJF+FbpD0X}=_&Oq@AP50&@x6TiKN9}!W>juK_ zQqS1t+M6ZtqBFBv$~eo8R|27U;nHK$p$Hg-kA&$_<03ke6v?440%f3(dQKH-EOFMdG9MG$eO_Vz6ONDrs8v?{K&$=TT@zJ1tY45MLq#}&&I-P$Hn z{(*0Tvt+#2i*`yl zH4K54&4R$8eMw&m8Szc zyszU><+zQHX?rmofuewj9I4ZNw6e=KhNAaYPg&~h6}T*{!eO)e*y_%zDv56r5Av4u zCfG{y=T2T8cHrXTEc(1*tUaST?alfvs0oH$x-17Xlb+22ECV9Jf9M}d3#<8ftrE

    bW8c;~4dAUF^9L*m4%;z8@2!8ul(!igI zbl7e6;u}yOv_Y)+PyIpQ4+VqeZwkhb7Ew^ODSBJO_}L-_25DXdy2=^1-Jjosw3frK zwf&e6(U}-cz`<=L1`@{a!%uT-i2Vsoz90U0XzZ&5IRkS#uiDtPGe1i`>#i6mN6*iqI zznnW&zt~&tfYeV%5NZFAg6Pi>(A|-f6cTW*f~bAej|@+hAG5rN(0I?wfY;K%HKT9H z;lR~FJwNf&$w^8!r&rEF{g;@qeY=|q@{nW6U{3eeeuwoZoG0@6E}ZIEZ|FJ_B;A2n zd>lJxT@h97C1D}xEqt_)OWWpTgX0VotszoIgzB9G42vw~A*ZhuUZpBQcl!p_bXSCg z_tXW%osyW>hq-(H@d6GSS$&|e1S)o-rRjYT8&&ny=`t0ooV>wCuRWeg>Q#@C7PiDR z_|aI-NSEmwLnltiJ~Ha<6+A+&&qep*3lr+2Z5xcuhaChNy5(ARYFBhz9s+Mvt(ynQ zUUG5(+Ie{J$mXrBpVNM1U2orRW+8)4VS*bFY*eY!DwrY`1?mg}71^;aeD3YgVy6r!%a<@xRGwOXOh zh#63zz>(ZeF}1H$BttpAb~PG%Is^A)kV7u%+g*+5m^a6iT?nQYqmHLMeD|;F^Rg8m8^Ob5 z$h>|S`z-Vj_Olubc8Hx1I~2+ak--Ez3c~1qgxUS@Z%AFhGvesloM0-4Y;)Z&Cs5h1 z+0u982}1O8kpE=UHOsgGa&`U;*oIHx{--%MEnq?p2RE@zzT*yF=D;P7zj8;peVc)mc+VKcg!HhJ*KOf>R?J33;iz z-`Ojv2PP);*t@n=uD)*EtmjkCH@Hl08~?yENGrM+hA25J8h(gQWN~Miq(NcS4-5Oy z9drRMM?OA`)cFTDFZZWM$=PUn#AtW6Wvck{pN*U3+F-0Vjx0MtY13KON6M7AYe<6r zz*K%U>huold3>|}$b+YkUYGN;x`<~4&q{FM9pKD;bG=+D@y}>jfr>22;lui5;osO~ zslt<`VlkHYlfFjrS?SKRbAo=0VkvF9pS8rew|Yh44KncITOHVMe!NhJ#(|;`|9N(c zz>hBvhYtGP)S8UqceU8M`S`f})DpMG;PH6z*zTsFnY5GbPxEf;QqK6=jMOOSd+i8! z7qYc|Gfi4D9Q3n&>$}kENYAAfGBi+hYt|3sA_Y}9f_}G$_TOPo0!PXFx}aJ~ zveI{0i-s$e#bGT^Vc1ok<*?1CHy>Y|TijLeUsmsWX8;jgA)jk?Wpva)J}T7aifCvE zgEwJ?3%eqw<};HSbm;=3Y3|eUIF=FfTlkNwLQ!?a1IeAOIGOFfRq4U2(AXIxU{Dr~ zEpI{0t-v3+*D6x$(gp5Mk6jmqHV*3?ud^CjUbd^HD|a4luW-)2QuY2?NkzO^wQ^1F zL*=dAG#JsWnR1vcL9Zf#WbDcv-C*HuZ`KoH+_K&-2NhdF|jN&SDPOs*mZ66i+Q7f>&48-!B*Hwbk< zee2=h%#JvWq#;50FjTE(E<^GZZr_+J6LEX9v+NXZv>@hIytjZ!9Y+8?E#4- zfaoT7qm8~xK^6$`Yh?I$n1z=NP1eDafwK9Jj4cB|LunK=f!Ue{FRS?F%)c_Wa<fAtTO7u zxf9U9%WPxA1UUhm=kJp|(pMzXKd&MCJI{Bh*}LVc#p>^}>FG&6UGLOVpBSDa+_M#U z^ownzL9{2C`a$|I$7{g%d7cplF^?^6_Wr)Bb?;VBw`}*<%}m9?HQ5->$CuI%y8E|P zqgWRTY)P%sJjwbGZ0_JTZ$`|IL8Is4GZ!#p%i-g(H_bT)<+Qo<8|{tX!v){_wq<&q zwf!J+LL6OoMf#GctEpM{oa?8`$@pH4{j(Z}Dp&JgZOBG8-C*-R-e=2%S+-=dVOZR2 z+Fi-yYkT>1+1(j~E1UyoB!6#|jL|(>H17_nELP5~KQj|~>Q*x8a;3z%+r;n;7Y&XvrV7)?gxEh8H%9w2tyVtSOiL! 
z6>m5_Q3hxhOuv)@@X5G|!+yEL0sT}Z4gytTd64n1*fQ?f-&(GE)wgJ$8&5jdHTLG2 zI6TWiEbG<{Q!Acx*MeB`YpX{0IZoP5J8iPk$iyM6OSR9 z=)7KONs@-VBu_MCI47EWGbnu=U<1)#s?Xocu#;zWyVoLLIIrQ0T2BV%1c6LrCN3bUdgs!v66q~ezK7d~J>S|WhL zF~Mc2dk8bNYXll*;L)O$uCc-5EOk_w6lZv4xY7bDtkTrvPug^-%;`WnxrX_3wAQ~u zGbA|+>ZUG9P2CFC?L&nIhPHj9ckg7T9p5r*O_l9&rkRbTvYF5!{o)nPTEC0SuNJ;Wn?&iz-dD@oq~o;Sc(tsy`-F{^R%P5C=#h31RN z7oIlq9euTOrR50BcE+QA@ zrWMoq$#;3OT*Kze^3wa}Ubcz90a3FoR|cbSCt3XFrbSeH+mHvTDA&p52P&izdpp4t zyO*d|H)ng^Q1i=Inqm$yb6*;$@Hb@6LD%y;Z1vLIfDk?{zouVOoRF}KRkq^I$7&<( z{dy-4e1WMXZ4Q#el)Kjpwk8qudyex4p(EnqRipch)omt@iIjCL+q{jHJ9P5pabZ?s zs>GIK?WTO}sd~$WO&oIy^x+eB-#skUee8XsbD7Hk+AcNy;H%8HlcuCM!$mCVv8N*} z?;dl0xl>o8%3WW_iZ+QDu&pZNz3_}VJW$jty~!tI$o|#Rk#oH}&&JF9IN42^Sv~m- zFY(>$X_9B0!S~c62pZ!lf6=VtG2t44S}`tJrm(aDb+#mEV*;QVsBN8@cMu?<_GVSM zgZQaT$5GOLU^tv{psdylA>N1vgY>|?+s0k)rVt3U4#=U4ZsM{G>HIZq+~m+sI6yP=qYX2ddo>sPP?!vjiLKZ%G*PwSw@`)df(o z&IDK;_htUuCD4Dq253C{P-@GF58+$w_vjnLK!qmj9JHwfzZbTf3~V_KAgFi9BM8+f zIDV!VjDJ;DI{i?k-v}}Q4xWUz{GPsx5F=I}1TJOeAW-N*UU2Ge2jt(!LXUpvGvxF0 ziai4;AL@Z|exnG=dpfto_y%=r9zi|`G`xR4RtV1w7%pT_l;}p~GFh}nDWd=wC4cYr z?<2fDT7N#ecf$5#5DfZo^fSDpe=H|xP2DLFNqeFOiv3MY=u3~xE4(v&Cu$X%ru zjKc0^eflD9qrafP+~6KD(c6+$>gL<@fd0}FpG8c3OA+rSB3p)xo$JTdEr~D4amzXU zFqTdMg}~l-LhnUsB*!`A8;Q-J8F=Y~nKiStKabx65!yakz`5paKw0eZI*~MlajkI6 zue{5B?YlT1yuF`x^XQ5K`#ez zoK4pP;TT{owRYViZx>Ah$V;^tG%bl@_=UDeUATipzxbQ}K-Z-M@8c(#ic3JtTtbrK zEP&ptho3%97XX+WWJEXWM&3uPM2>Pmy{g-2%RdNI#2y2hqnk!rOk;r0m8brXY!iK% zkeCzx@T*=wAuD4S?o8~M4+jJvXC@^BXK4x<$QoN|uv9Zom@O?+_j}NdMJZ~)LJ0%M zw#yHl-e!fHnn8o|L(Md=vp6P&^y zsP!F|t@@5yPK!oPjjtiLW&xPF#Zb_NBa30ELFm3;^dO2}o6ZzosHt`qx!w*eq@4xN z#}S+S|F zcr00L+^;y}Hesoi@hEepc0ZGdwpZC{U#+%l$C0~N?JEp=ET`T|_500@%+7wr6tz3p zwHregS6gq0^ry#)ta*tCA)m+#`0FVBQGM=@Ds&tvuHzqHd_y}>!A20ayCH?QxQXL(iAlz;SRT^nuc23@-?@l%rUU1q4r-V z6x6A6nG(Ez~!~kXYg%vO_FeH)M+D4!2`^TtCL}5>+uw6*8^9Y z^2t6XT>D4fd~6TWNHJ;F>QA*0QARe#ze4S&N|W1sa)#8<$1L%;UjJ_XJ5l>fNxve4 zHrn|0L$E5&2{_K}7GtbBOiM)z&--KdV+0x2vBxnDq9-TJ?i5rw2V^zd`$|m~-IU=w 
zDJHz;`gmP1?7fN@V{2d#A>5RR#tJ;-+sQf4i+o^>)p#ht#9Tjc42ycm3rQ2PVPN>A zg>D*5Jc{Wo=MPd^=;b$i0d8MElgddv+IU~?gPt)_tGjN%=@Z?;LnR|ON=Zn4*Ni}6 z#Cj4yBlnRL2?rWeg@}8n=^>N-#lADK-Vwvs5asOL_XlY13W60L^@boS%3wk}!DCWi z^&;_%e&)!PJyKFBiFY8o;4`1NkjL1$rrbT2tY})WKw2icbwr_vESpV6FVu6E@s?t8 zblmKGC$wXf_Bmhj68-9QAl6r^)rg3xg-3I7DMq_a+#htheP64%fW2H%sKxMPElbg= zmq6|;sM1=s1o*XF%ob{%4jG3P08ZC?_8-63V2 zbVl+^-TiMD^j^ab;QZhJg-8QI^V7$}f-D}TK3(2MghBWjh)8qAk465BNSmZrfFL#5 zQL_p7k|N-*R^6u1-_}k5h5jI*^#>s!)C?UG0F+*%f67)E?K|{~9&7uPaT6TBdmn0C zUJCw!9s?0L?SqOREzG7q)d&HJQHbv_O^0p1*6mikOW=?#=KjxC35ddUJ5tye_jIsUy+;U+f_HB~=MRz|S@VEtkbGZO@b?vP>=o9uXLc^6*Ncz56;7@iNQPt=-$8RUwrlwxv==ut zjQQAL>>k(x`upHHBfGhYiDMmHr>#ld5jw9#W6D4q5Am0N;4z<2pF zP@D8FUEw>d=?2k^7Mc&?*F4NdQl-Ggr1_@+W3u~~0Hb#SouOKG9sW~5O~dAM+; z+dRL-*vUo|>$0R|;3+q2k*6z`15#Z#xx_C!yPRB!ahx9=z|xH{FQ7i{PJm%Qb?vCA zTm0tyu5jxHAg#3rP9xOX310)Sz3uD7Pe{2A?xBYn?1sj|c&Sa#3sSzr&f)A3b46?4 z2I*|gw8H$E%bdflO=>vLO=d3;>JMCtfsakmyYv@bUxB+!vtseMQN3e^6n+Lit)A8P~ z`cnMMTW3ga^kk$y^p7V&{^J|<)AJY~+M!*!Q++3g=G-6&S4&t|Uy% z)U5YNdQvzo#n;Z3#&Q{}^?BefbOq=_x_kN?x11t@lb`k)KYN{!O=q#r1UhgD-brSQ zM-3=ocex!`MdHCj9;N``R3DdxCvui8g#u$sG!#iVvlsFAuh5yj=o>~ls`Q5e|9j)@ zw#G)Ezr!*Fx8KRUP8fLO^D=|B4L+`}84g$3GUXgU^bFRzeKhoc%EsK2Gmj*Aft0Ak z=cr~!zkFYZo(axD;gi1p!oF?K0KV5iXM+fWg~-J=M?qZf6|#?Umwcjh&&b5`Vgm2* ziwFCK&kP@N6E$X7)#Vv*#L}L79Jhj>_%&HK3|NDQKYCS06)8 zOClJ6ejAn!bVsQRMPfA49|Ga0csoX%ZKJYp)I;l^JGZUhMns|FQqg2VALC?6L7hQ3 z% zrX2Ef)gHY(N#qK>9(($?m$Um~>(*d4iK0}2bc)T{X~?|J>L3UMWeaB03VcA3CF|AX z5hm+W4<%b9^)~Q2-YW~1>-6n0tw%d%7}k0)K1%hD3HVy^9oC@1NwCbqcz9)zKT%A( zirz|1w~sI!6Mg#DBW5O3umja`dV7s&04v}hbJPBxixZ+YW&T)Y=UyEt10$VR7c2{oa_1)%G{$S)pO_JeR|csruf%*fK&Ndk0Y2rZm?f2 z8%VrpVNrP3bv@k0-9I(J>@$+!!Srsjno!~ujnwb#)}MJSbyS+~o1L1QPI1E8!w*1= zeAfH-x`qBRIR7se?*E^4s~ChC6%w`N;He5gu zyxNvh#)q}_)X!WY499he!dXWIA{0?Cgye}(Eu6`r7gdy>)}xYw3-{WqXL3cVwY9hZ zde5PY)#nD=`9xzGhLm-{FGa9igRco|BywjyX?Lf(~?9wm!Gi>qJ>U!wti<@bc{M4jd7KRLGm4{0ki z_23ygfKHrbfH|iF%sGj7)O%!~NlIH-rA$dr@u2$$e 
zlWoiP5Sc}yhSdJ15=ZlIgJwlg0ZP!D+ql)GpvHIE)PszT*yER+N#QqT+5iYVw?$X900RZ+t>3Bwo%|3irtGy?QS2QhLK1ds9^ZR|1Ffs^~>l z#frdvm76mhAIY_~8hZjHpoIljeut}Bc_MT1$2`pz1FtUK8~CjpkO>fmI`#&ca<`L zqW`x0@55CgbAwL|xJ6b+w{|6r)KWxu0XVLAC?NZ9o&G;~1+!Ajq+xR0M2eQv+Mv1R z>A7m_g9;k94^^JB)%HXOfO84Zc#sxgX?8T{dr>8IkfdRL$Dd!Yv8RyE;;U%tkAx;F?4~PVdhhrr>lNoHT%BP?-Vj`sCzJlc?jP@P4m|Sl|2{>ag`VvJWB+r&qGi|}JF!)% zT(#&8_Geekx#P7nc;*>}s}gF)J^VqhxK!|Cs2RtrX# z$wy_VnLcAk+HFADTc6WAwiCeQhgqOe)C>v_mfm^P=K19+XlwihU>1)wNrR7`hyD?s zgxOXcwrPrf0BUF#@SH-#8S3-Zdek2}$k%n)N$ZR`V-t%nI}^gF20>#q7Xcmp^4Ol0 zp>H~8FfTOH)()+|eR z(|2-w{wicmE~?|bdRZyp`rY;JL)Tb#m??2HtqCmXO!_QcAs!$-eBH4G%Hy`0*R{{S zr#F)30&90Jx>Rpe6{!5hBgJK%-SE3hUYROjS>ug~fQ=A)>!eI31aky>GEWqpVXtO2 zN{iw1?Ybs@Xk4e`^{wZ3Kz2{qJxbRWED*K8H7~I-LuaW6xlns)Kzm|K7k zLSfF3)rG;VcaJh31{ZVMVjH`<&x^sH-#KAFsFb$zM;Y@Ar_Myc7Ss?#d;=&rcvpZ6 zeHAGwYd)f)!F3#osG$ISRzIZGg~6zFJ;1W)gyU9IZq;*K(rkGkiMz zQuX2_9-{9>tg3+i{~)8z-f^h&RvKGKgB7w{&D#k*EQi)kc8ZUWCmxF7^E71slzvBd zDm5ck-(w9F#*?l+$F^5j^EdB;4g(OE)RgMWMX%}^rJTnrEUaOHEo+y$;}2Ul4cL4o zw)+~X2l#-4;B_d7O~5NHta*^Yq=N-6o!nLe#axQW( zs&fYPUVq5`$6Ycsb%gWC4OlkZ*&7y{;Fj)|#%P_9`RnATw+FHL8QjnTdr($^2B&#$ zuZ2;<`FM~A?lC6w=Tcz=WMk1@qR&VONEj{Ex#-((Pjb|oJj zjYKY_fZ)`E)&bgKVinNVSL<KzmQIcYcOEX`oj?xCeZKj-Wgz{-F5*tb9Fx1h0Sc;W`d8u-$Fq>_!8O-i9#pz1To z$z>9NI}01PgH$WF%aDjYPx|_|u{Pg=A4x3l_)+$ZG5uM+Le#_^uI&N7HFS$XrCsmW zsYimuLZqo6ni|A8>*w61OAbjAo;D{Ss$uu^B9W8tajx) zEHEO%l`M*?-gUv2$Q3EXJu9>`MyH=vy>xgOG%q!c%0q`hwQtd2_xsW`u}oPh{>L}` zxK2?JZb-00pnY>SE?okZmQCN)Ot=WO)K833){1e2Z>YO?P(#PJh)&HDY$ZXrX|Gh% zSC=KUP4TCgsRxqB3TUio$?q_{o(@$tVXW+rZ$~gUDadm5Kig^!(swlxEVlb?1O0~6 zceNAj=wUJ(-(jQAe%?b5xChFQdq5GsxrQLtj)Nbi?S@ki;KsDtfuAO%9=9=Tv^Z+F z!CVsViAGP~`qVo*O85qaKx@az+c$_He8Ys`z=Z{LS^@dbrh$yx-9ivHF$)2yCoj^+ zNUy(P?z}0!;kaB2u#b5%5}5YP5zz7%;I^oJSGfyc5=teS7A=nnlKnR{%J_wB#(hmkG_S1j{`VAA@nWs`oj->CJB!r1DBn*OHIM=(TI9qPR!fr!kroeti_m+?2_G#THvLYkulJ#`gFSF$)% z<(Cm1um0|_GIErc4V2q)OQM23%x3|16P$1)k#XGTl@Xxn36R+ z>iz}N+jq2Q__24$qHmZiPz$S4u>EWAx1(k$lQ+zBFySTg%#Uhb2(zwBt>uuM9dBy* 
zemJ1B_Cf35#m9f*mcsO-u1gs5(SnG9A-Rx`APD#)YS;snyiRId6r~s;SjgvHnaIsr zm2W#_u=`%*F(9#(FRT~>q(~z6cW>0Nb$e-{OFTEP!2}kzb^^0Q-ri#n zNB~W|-CN=4INLY)=m(3VeLhsPs!C2;R3)5xwC8ZIh^5CxD1dX-CX9G4^7a(F>}Pd} zc~FU9X35Qqm`>kg4>HMBF2n^nruFIPw|cn~R2olW;Pa_4Rj()G(g z)-#HY4(x<3AnZwau(Q2)x?6^UehCoMzd&&z9sKA(%2(^-?OpehBlRlYeOZPo#eB0k zR;5y&rE+zDi|KHS*<{X^Z=T1!cCEtkIh=4XjrGmdi*3~t!!OnRWRENfGck_ zn0|1S>|Ibjy0!PmWxzkz#jv@og}w)@LhvI%1Nh?DfZCY+4$IRAH|sz}fSc`&f(YO< zPZNPVXf`VgUaAB2@XzDRRlt|*N>w!|0^}O2!KYplNsOZQkSNBXC zcV)g0IwiM}W#LO6K}56acCt{-mh>~hq&MlqLt4&n7M@Hy#2y5~L>HexxQ<{t zbY3iv&8-VK736+>PlNr}{~3Vh|HJA3{VcNyHuIoye0}GT*Fhsg2dtIdA*_qtzW?yY J$_Rb$|39s2| 
diff --git a/windows/manage/images/aadjbrowser.jpg b/windows/manage/images/aadjbrowser.jpg new file mode 100644 index 0000000000000000000000000000000000000000..c8d909688e70c5b486ca5cb5563547d213721a10 GIT binary patch literal 67277 zcmb@u2Ut_v);78n5m6LDiqt4YP?`vcN{I~+5Rl%9jT!+Fl};2D=?Dl22oVqv5kp66 zq)V6HTWHb~Y9Q^Oxc5HaKKq>e-0#27jVxiU%r)m6bH1azW2}VMPaB7hYN)EKLVNb? zfo_9;5N!y$2JPLmXZPpN7acv_?rZ5rk z1LG0q!%RnZ|K9Cn_x9bpzz@>_h6B4T{_kG2?-0v@Jwbch>GlXfds+6-vFxGMLNEy0 zLl0)VJK;ZHd-l@pqu&pvbnp;pP9X;-zcXRaDh(sB7pO z7#bOyn3~IT6)H(%+GoG z1%*Y$-%3iWYijH28-6r4b#`_4^!D`+3{K!Cr>19Sf6dJkR@c@yHn)h|JG*l2f$07a z>tB-nLoOB|*Iuv(`xtiR+OyXU9CR%E=ub-TXT74!aL47Cz`5rK*sew-=T_1{$RQ*JJXY9mg709;*O%#u#L8-}vcIsgawmN|ZF~4=*xk!U}Y0&s6i7ZA)34$omaJ;E) zI~jBcx^f0xy`~h0}y-T2mxi!Fu@|EeJ_wI2T)YwX# zr9ljwJ;doL_?8yT7PTA?QG!uK@#*UD?Tc7mDtE;eQJ4hsfVO9MFBP5ymjwU1ZGybg_p1tUfVD%-s6+;l(yXm=Dt>W>cJ8mDmb<| zbq-x%TzjhW8~sU56#Ljf%haaoaEWsZ$v6W{<^&D0(;4K35ha|f5KP33$?!TIKC(PP zX2GRBeIe;&N!hE9!PmM^-IxtcxHmDW&XU_B^UMf)IQg5GX{1SFYRsu4VHr#z7x%%; zC}7%tLg*z7@wCqOtY-A6g z0^Vne2(z`!gUCti?64313))?=^~P^f&A|$Ow1CIGdAawh-vus__r}g5WcFS@4%I^E zL3G2BpR8Z>EwORxo8F0I7V&tg!3B$Q{1*Ax-BmHoxVxs3Umo|Kc{($^k21!`w#3CB zyBFyR<4SL+M=|-LVz}#O9-fgoGr9n{% zg!YN7G1PBh*-5IAhuZ5C?T;$;l%(hc4^@)Dm}rzi|Zs|Ku+4clAaN;I_1w!ixg8x`GLBGXUdJE>Gsj zGJ>zUR9*si^bpgF$s8HRVBiq2L(Fmq$$_nGdv-|as462xU4q}nV;`x_Afo@)7W75k z5m!dKI81|bhGHeQDPo;K)HkpK_!2V%nWJVL^NMUtXvSrPQF+}H3kwpo`xLLaK4FSf zNuEC@dz;T`RY^hFS?zhDM6ypp9kG`E&*MuGl;+yFOf*sM=gDS(jYEH z3H(A0`WRU~)$WpZG%lgc<(&C^EXx;Zh;+9&(D0TcUygLK+!3Ig^tVv2&0Y?w(4ZyF z$p|l-`ini@YACndhJ9RgXNB%1d3M2_vmMr|FSReZy4-P~IH0^|zh80g!r)8W!9D zC!VhaW|4e9A-_OKa76we2(+JCnK zAlCxe_JIGIEqC3;_O1$*f+0aiRW_$!Yp#_Sz+ZnFYa0N6dHLVA(Rea;V2qR=o{!x{ zWE}v4(>U}0tz}27yYd5ES5?p;q8_T|*Kz}S7`v+?0M+cojZHUrwH--ecGq{j06Jnm zwsR4|hx$WBfbWQ>LDVpPum%?Z_z#jj6?Omc06L#g9gVxnH(0^~Ex)})51{i~rb zSS&<4nFC`0TYJP0Twhfyn1H@H^^o~zurdw5Z_7jsA+mLGot77X?6M4+MzD-s~xxYI5_GG9= z#%WKUP~&;zHF=k6u*Y>1J4 zuc?iQT`wr3in7ZJd4|Gix^|T>3(;8L{b+W?JFdI#cU#` 
z5gfX%5>CZBPr#Uik8k*B))qVS%*CA7@-uH^xThgg-1Nh7wT#fq@4bo^~i@T>T?>H`oeqZbXg_ z4N|nGL6wJnmwgAua;F;>(@5IGyL>Yyyd956`OCSWFYRVNby5$PfAhncBFkYXssSW8t+@!j7YIS4u)2w zC1zO+kKBwQs76echgIqNrUmRRJV7+ajM$+Db$`V^GNGg`aTvbjTTR#ej2U(OcJa&s zz8_x$-9@w|I~#;)&_fzTa!umDXc%Aq5Fq#)n$kjc{MSGon~XGQHUzs>h3P-cP_tzv z+H)tjYjJdSbsTpgC0v|r6G(=;I)0`EEkzkVu|DC>?L|2l$MW=0- z^QMqLqpl{s?=5l(?EHm|FX4GP3|k`8Lh{ShOAA_dSEcFMjy}9{^QZ$2!ZAqg9Hv1{C`t*8zz=rh zGJIQqcZDM0|LWsk3$(M4iz-EL{Ybq_gPy=wBGky2S9U^w-~A1XQ^fA<0e|mqVbFiu z!amDjN;iPA3J)hK6QDZ?j$=S|J5#}MOEpwMuooX-Wbnpt`wz^273E1kc0`9XrTgb3 zs3+Vgsx)XCP928-?*~_R2;O{0H6Yax)w1Qr9Y-q5XwX}LLKir{nek3I)qn;q+fE%h zpM>1Xq8@N;AhVf|!znMEQR{VHh*!RflMQBl6ckX)RBr4O?706V^}GaLkXjXs-ML$i z`95D0>BJXDVbt(mpH!ZoU5BZ#8F16H>0aJFU_VxtvS^Sft^`=C*4TAS+wDV-F&&s8 zeKheDrJdsc0GsBmfR`W7C3bysz@r|R*o_SsW6*6MPF-`3AUPV_oAGxr_6A-kvMrO;z|v{cO42t4|f z-N@xb)5Tjl(`tX5&&%K1yX{En+SdJjRlPK{8>%!%J*FCX>|WJ#N__(TaV!7ts|i^P zUT~sF`fDE&&jOq^HKD=LC(Zq8SFMUl8g|n?2ARKyiBuerbL0Sh-bLIuLjSzGhSgx6 zcWj8cdcpgtRDRpM^7x?2rH_U8EV5VEBy9_vO452(8$2FmH5p;W^`kn@dq@3kf)}%wWz@?cUvl>HBRZ8 zMOS?m;n0LlT#CgdxzSWu04pl*@>S`m=IVU!uOFG7)&0EBX|Z`=+pF1m8Ql~vfh|Ry z`K2uG&P0|VMrFHuk*@X`S_&)yFVd&1HTYunN8BuuiDl!f*FP5H)Bj>M6UDZQsRtqe z_R!cNYvWS`;&7~%Ab4>ZU@W1C+F zKS`pa<8|&;N}Eb`(zfh!!^$lBxX}~etdYHQ5XPHNgQK^%i(HI~&#VmN;lH;^v4}cH z&Xm_J#h!)ha{g@(wYr@?(60`WGFDT6UyXXg^J$OwZtG9KuYMd+ore(r-p4bx>$Q~L zKO1C^`7^+e%3^kw;n}yB|D&(Hc8{AA-j48&s~n+8j+<2c#<(hF90& zn}-1lJRVpn+*6Rgx)O`izshI8A==wp1$NO43;32T?3IklL^kV6UF^=+jIRruZ(3wC zQ<1Qo@`%)TiF6+RCjB?k;-1w%dKS`a((;snk$oeu(gtJAL;W;qC~bJ=LPvVMnPt;h zDm*5-L&}6;|JXM|9)zLytZZTTfi1#nQQ0Xz>iD?M4qRSQcR|AYXZb^;(lO@_C^}2N z77V*GPU!E8^6fw$QMAVwDV>>Bjn`bSkWuQ655BI!zPjlsT`!&3{(k4+cyg`j^^puc zmkmFPkm?!JSI1pHAG89{xPWe|&8aA_6H-;v_xo~IZ32;urfVA;xK;(<7>BRl!Jy&e zU%2H1#Zk`K0MGCs@zG9Fty!=`E=RHg6W70x;68 zzBI0C7yTEdUVLxUPG8Z`Xw5F;ph3u$ZPoNN8gxgKnG#uP2k4RwsqOyTM>Ha+O5>J=GOCJdao}dUN^`PakrTqCYIA2ijUU*6OQ6P6QH9FEByHb*`6LCr zX^+HXqQsZ+yrkumY%`iJwaHg5@Z_j^OuiB0cOJU5jH5y35#=%;8<1a4hCUdNPW2yP 
zx}sQkVI;q0zlGRo@mgE^6Vx0URFej`Mem4kpo!-Ix+e>;_&NB%ENoRXc1nxqJ5*@Xf?Vxj?5`95dhULV$v&*YUe$LLT^&LpuCu8+?( zAJb?jBgkLK@%X-_VAl`!#xc$l*^)S(g$1w1XFlnM{)gOOJ{Zz;*}VVcjB2m#JR`ds zf>OHC>V&MbS$UB~0zw&*xK@QylA+R|Cy$1NG|?l@g^ zp6VIHfmhk9CY%@McREQl&6>{tTF8C}3ee$yXvKeCaY)0V4r@52))UmG6m@WkntEZK3T)kyA4|;brtCSOMf2OX!ta6Ze{5lP z&ZroElV985;fB7~9E^IihJAdN_3qtd^JD61MR{OJPow?c8ZX}lR!W`PE<&~c3!ozZ zu@{zD0{1!R?KR_N;2KUnq(QZZ+5kh^kg7zHpA+p>e5e0Y7g7IIPE@U3BX+hGQ3@l! zL;e5Ufu0%A^%m3$^DN>UNN)VQ!f9I5pnU*JhZhk9CvoZy4QkO?>!X%-S;kjS1mMC`8Ira`L=gy_lkZT>>c4i!ykS@=091i; z^!`_*%kDExo$xcg?X}!5kJd9PusGc}8w8?|^fSh+s4?Hrv(DiPet3dPS1+iwW2v3cLII!H1{T<_ z5l$>6X#id(0Bp}1a74lYW&$t*-32M?a~PEgaF<3jaIZCKDN;`n&7FCm(dL542{}4gh3nz0KgIuw)1W;zpF&gx9EdvBT zc{)_daN=W-8KW>?LQxM10am)ObVd{eiosx3?JMLM7&!n{%QTMN*@q&Y!vN@eC*x7n z16i5g=EVGo@PiEmX06<)+S0Vjcg0d4e=IoJMCg0yp7_DlCWG)s6QvjGfOa+3y1UUJ zMlS63nehI0sy1oDnG)*hOnsY%y5_vq-itNHuPE2gyz}g8(21*8mtdWniXcx;y3tSb zDuvbPHrab!XgiGc)GN~-v(MiKF>C-o8Hl6CGBHLLvH{Ecxe|-FmapB{mDGx|&pvCW zemroTpSxsrV9yUdEV2q(3!?h{!gTQJ8+pM3NOE52b`kRBZCv}#1=JDLgfLh zP$K42!(cUNqPh;4v>fGdhsuix*lydce{0(b)SuZ`3^36E{0fy-2DNI4x@MrC^GI+T zn1TP89Ec0*1+8s)Fshux7F1j7yUHwrrtRxx}vAE{2QcvU=?n_2zk!W5gU`h zY^RIOla+|O=o_lXZt{bqZ)c#`)*X)K04MMP@e#MCm zPlRvtPQVwI;1mgdPBzq!1Wpieen!nPQBLB&oZsR<-F2^wqrPJqXIj^?v`_d@=+M+H zQ%}D%KC5z#+Kv(L|j>X7XO(|0m@rUhl_U+yhl6(vZ$8O|Tsew{7$f5B@uTHL6HX zo?@g|1e*G`CtQNCQJ9DhdlFEvk*j%N#oF9Duhgr|Iz)O5W^wSNqr~D`&eHT$1xp9+kQG-~8Bu-lFin}G5S>uc3wFHi?m}s9 zU@3k;dwzbzJR>~6Fva$^cr#*+B%{1mHFw&D-c-%mR*E9YaFWDHKAJ=M2zNlxyNel> zlooV8skkgbj`>DX8%R}+F$_NOTu|u2=Nl(vnEWnaO!3;8_?68n{7S9X-mVE9|4Kd! 
zqE2;uY>=W{<}bJ6E=yH$<909e&2RD7OHJ<_NxFSw#JXRVEf1DZPB+(;l~bb%7Kp)XP~5B#CEhHTH`aFF%WvaK6EOyGz}B`QqJJ{Kayi(3hH zE6RP8OB>BU8f|lyweyns_s)+_9p>Vq^>R(odyw02sfkL)`oI`!Sh~N!NzD3{GZGHn zB!q`NhI7vO9_@WFq@Gki*lBsi=4?AtON(uojI%(KVxjek2ds4Q^N%q^kyEiGIp$;T z33Z;9?IG&{r*tx@hQ}96|^yg9MQud$Dg2g%=xxGD%Sh47XCbZ+%-}9-7#+0_ zeV|-qvXxP`{l%ROf<$*j}_m4PLa;~1Diwk@$DoQsj zfgKO76zcXC{_GH=d@9zUSmG<+G2OhMr(#vQ1v;(VGh%QgcTJTTBr;&Usge@ZI-QjX zXEXi`++bnY$1%D^??YdRwpCP-!k;N+FRpYKnqNfR`gynXX{6n_`?QMnn&q_aIrZGB zrxs3f(*}^P3frCvd<|7&KQKv_4I5v(HqTJvCn-5thwy!5nb6!UiN{foqZ%)FVi&$q3twD@IV>RXY6*@!6R}J3I5^P?#U#nR zIGYtJsc_+|t4J{Qfk(_3yoq__7Tt1$<+=0A${;+arvnJ}s39@BJ5NX^bJhYAN>+ih zd7n)ZaDU8LT;y+Za@Be};lxTcw)tDbiNW)0YmRJtb}OsN{A{S`r#nENii3u&x`q4tTF89mks2AL}eY4@!*~Igt8M9 z>cQ~0$HK~8yJ7WXL}64YcES{dW*kn68h7NyCfY+{;Z)89=l8c)pN zd+2GrG*(T6LizcKX%jw27Os9P=@x&oaA4)ZaFxLJn{tO=CKnDzeqmO`yCN9skGa&> zMEktj&VTS(I`Y#;YTq_r=$EIlX~N<6mMre`$3bgEUaH(9cYzqi`@D}CIzQX-A1%hG zVWN22FXcP$cN;cXx^;DjuK2=+&=%$rMp=GV?y)%>cg|z z#0d z!fq(MtuZ+*90VJA9$Bb4mFS1)!Yw#ni|@|{o(yCztn((CD5mlim;woaM<+L7&g^JaguS6{33Z513Fvr@@ z2ud@q-S(zIo|QE^N9gZ>ry7QOD=k4hJdQ?lVxEAa6D6}8<;d1q9(Zt$W9n*J;K3u* zXS}}b>m~aILg98<1{rKi&MIL~?x3sY+D9FTdtY##G*9j-tLXq*d>l zj=C%^rweP3T;b8muyoj=4-4L0Fo74|=~@yJLr&$!;4Td0nKVB8(Oj=ODr2%!7rUfH z36TqMELVaBo+{8(zwKut6x6{nwO=~*LYUfPT}g9#BfaO(Z;2tOeA9&2)UbRUGnH`( zL3bGd@{ zC;b@=*;ml`Q0DDL)JpvJ&E+&kW9^s8!q(Xrn$B!_WeTm#L>DPzPa58N9f{$N@NUo=S!;AjqwTMBX+|OVn^3rcbHUA}hsX2Tu5bl#h|RFP zh3-AkvZXfblu5@Q+$;9)S~7Rj&~sdw zE(-|Qms}%>!=2-C$Wb1kK?i=)pri)sb}E$xa6F}O%9{2s?;rTgX=1U!rJ=9&(%1p3 z$N3F!ZR(qvfwqU7mPF${qt)`>1wO5b3jb2e9@p*bU$JV*_cx5;b^U%@+iIM z;Y!JE#QPh2U(-1auUWPKKh1D^rI}cUW@eZj>I##3RY<3;aOSb`2me0EY@t>WZr9KqTOYk4{U zHN|kE>TB{Qe5+L~*^=K9Zzgp-yN+BbE}#6>G280EN2E;<=fP&t{U;9Gy_(B#Vn4)s z7bYs^)n^8az>c<;`s!~y=L-k9p(V&}d(Zo2? 
zt*`Bawzw1P1m$%2s>2`60263Z@%^7>`_037^f++*!1*&^cK>ICep4I`1JdNe zP3YdTrPQthj#U0S&-5L(FGTxYYcWhMS}ty zx8EtS#_GQNP<^jfsP8aYGITqKQvUw*&IiyY45U@YmV*CQ)j@-x0r3n;x&{2MMkTvD zW8t+FOaNy2q)ZdxIon1>dwK}IIHzH@_JBF%NcnWd{Mqufx-BE-c zIF7FjwIimFnoxujDZbIh?JyY14#jSVI!1Q>Nc5`1GAqK6_`aH$QGxQ{TB8}9rCXaR z+Ua^ng4dIyi|0h$#!gH^`zZ*>c}xGG^F`46jeC#hW;j z<9)HM12D;dP5@7X21Tfc4;K&tU7G6Sne5)Vqj_Tq5dP~g#~$al`F2;hc|OJT!(We{ zM)8v2Kc6&;XLQ}~Ef_*>KdG0a)1leB!hjIa!VR5-+^S5kR?k|kMr z&1!gKcSeS;=gUeLd?M5b@+3E2HHrE`hZZ^8mLEb8$8zZ>ig=kRki{m97v_5AG8e49 zmEPX(;g_e^iPSRNit19^Of2<8N1+J&HexBf7Gp#e8nk5%`}b4dALN6?JnT`o8jf7% zz=DCrKK)L)j|E71Y|*)L$-HXAr;WT35pO>8nclc{1*3wA%#KxkJ907G7_)#G`#kSs zsCa*t->yPgZ9<29Madc{1gAWe1w|Q9`}b2sX}1x=Fry#)rF+?z4P+0F^&-|?Tu~E% z+K#+M{o83YDO&{w+A8PkmkZof4{s2LPp6dSdg7I=8n~xFt_D-wz?Em{L zbT`a=UM$Edp#4XAK$clzk*t6*8x0>6@HkxXd^3Fi^D+X-lxnC+J&}|L(i_1Ez&>NC zi;;e zlDL*V3e|hQ-A+R0Ge&8$E?t%Hk*bj2R>4NRdeG3H)g6tU=p+xqrLZ{01*x42C0IPr zvgIcDzn@Y%3yuZfsO*ktc#`YA9vUp59{%q13D!MrjC6uI7<8qqZ{Mge(G6#*(QxC% zcpa|aA>V$9QaA~$Y38JXKO+<=<3zG)$u2#s-Lu-JO{Ra@IC{#rEvRfmli*Z?c~>eu z^J#ru*%3UAJU-^dJW#xOs+)Rfn5hyJiNA!Scvb_ z?lnUlY4s6!w=(&&Q1`RR;4pIqs|CF!ao-~YeouoWg}x`}2}c4amN@JlI2U4-?VZzJ zw{e`uzZ`AknwYYQl)E)1+IaWKS$AngxPO+FE=J2$*k)uibWD422^(jSo9DM#0HUT$ zXMMa$x1%Y2W8hBKmwVIjM331zY=2h`wm{0?X&uhjw6pp8lWDuP>;25BFTrPCNqyse zt+z+-5{t1fKXJ?KMuC#Xq;9Oq&nFaZAFjxyFH>b*%dG0DVJh)mEb2T3!lnntxU3t0 zSo3FCtWH>951VS~TQu#AU`5KP#g<&9t;pW=@#)l6HNtbimMn>aX}+ykyzW>C|GuAt zww;O+xYJ)GxbMYEf3k2=F7E?*H##-)UAO1h1>gf5xL4ssDHu6jZ1WWj%B`N=7WQ2E zzOpSlwii^$!>QeJ^(iSO_wtmEF9yR4x5%k*pb$CP;PEr7K#*laqMFR*oJk_38Pw>0 z<3ws-1{{BL3B>9}Aei?QA#-JeMAm~I>|)Y9ddK+AP1_AQ74~sh5ko_w`NT@lx+WYj zgK8B);v*PQL+(dGw)Bb-u2qOd;^Wk57V#fWiRLd#yT0!E!GP^R$c$3EcUEei5G3;u zY6Owj4MEPb3rM>azLnG~_a*N=98S4f_NcjFDX_e?fk($}qCMQRD2|{}Q|&9D%=0Y? 
zuO`3gA19WU_a&z9TtLoL#EJ85zFVz4Vz+MxK^uc&4JZ&Y1|^*!j(l?WH(yvfcbI!k zy-P~=$NGlAO#6~i<-Ou~b>_yV#MHEhJFo`$QDiU2k_$=!TeA=fukjTK;-a>1Qfz#* zM|+CD>A$)GCD={$Zp+j`K5{DVF@Yq#QB$Iqp`)k7sb=$z^;Qk)PF?X3#ZS{Dd)kC6 zG0s{q%75+6lJ(&CBbTSB!qlF@uW7C>X{PFj3)53=#fyr2gN4ow=^*9aB}qx6x3CK% z$5ZI_py7dWy196t0X;OyEMici((Ed=$>!4_mHS=U|Xv`Ab)<* z^xo;H{HWYK4Oe9r%BR8#x^eOrRXCxhZ)Z9!gfngYRPX8XB~^13%a6JAPesR9YnhmS zGW?V^ZXQ*jq$sMvgA|oAo88i@QXI^D(_Ed??fW{fc`9bB=@cX2pKNr+oCdRU-!-%? z^~}K!DqmbsmL@1a=TF`5{}`ms?YGQAUp{437@o^IRIga(r_B}ccK;d9`$5Ks-~VLz zqKmjNhK$A1m0M3zjQaEm&H=N*rd_g*muhbHq?P66%Qrj5uEss9E`Rmx$A#@H7QJDa zBm-h_jlP}kyr)WZVV46(k!M9lWYuKQ!Y!nN*E6d9jq=vCUV;1GS*Ppek23qDRC)sN z+lTX`tmk$rQ`6nA$R-3ImNJTSOi#>Uu^OQy{IKlj>3Y4!d^oXezkHt-0b^N#m#@n{ zX4NCPVT^yN>1dZT7a#Hb3nuM-eYlI$S*PT8<uetiz<*0OvT+cn5s;i1(43`kXR2rR_mGB z6_&4H|EbwoQQ1LNV$xoi2N9!;wDt%Wm3JBT<|8J2B9567_!G0QIA%DM%KfB4fu2_< z#*3c5xpMk#uKLShu9IER(fP|~?C8osEJjC!Q!?RGv&w>~{`O1|${7@r>_I9;={N|@ zg1qU0@>|YQ->rxdq&7c-0>^veZmgx80YXTwRl{VHukuv6;5_8bE7Wi@tN47kl5VmS6wN)Xi$-tqJA@nk2M8f;sU`4xKe zyghbDFPd_+Z>@p^L}?uN76;}oUkha1-(r6GW1rxo{tArI>fzg5x3LSuAZ)!D8?kNt z()~5gEmZL&PRUp=sconIdS9WKxzc&{31rpXU^l+9oZ?%2Ot}g-_J{~yX>izz)!LXS z#gN$)Hoe!%gR#M5hl7V&m}AcuI^BGf>Qd#zW#V&%oy5nhWHzW599?#b1_^G*JejMK zvKOkjA+9XrzM@}IS>%5RRb;}#qaqplFd&!5DB9`cLvtj@Dh+zH=g!PMhEF4en0y@a zS2@=g(}v9N5d%6(WY&I}s&TxgpC{xI*6})Gh>5r2^736!YBMege+s zz|oQ2v+k+2Zp@kji?Gsq`Til>vALjM$|7Vld_$GaLFEb@1*L)S4Q9(cH0B^L=DfG; zy+G{U{p#Ze-5HnkrayfluXAT<)eO2yT2YkOn7?yx1$*C&PaUBo4IX#A>4|K;jpu1R z)WkYb!}~efBrqHboxL!AL|>EGI*B+om*Ze$rW0A}S0@>F`|-9A$wB7b^qL66ee=C> zsxBp#YI30L$#!qk8|!BxOsv5VnoM1dR2`fyVao73F!Hl6(_4Cu|l6!l>3a8 z-reut?%MpBEYG)`DrR1>c;6n*qI_b={`@hkxfN$;_v`vBXmbMGnr>yE zy{~mRqxVfhTSoSrSk|u$o#F&tFR_5+oHvaEi$|jT?-kw|oIf6U{M>mNKQV!=no-3v z!qY4i{Y;uQ5)>nEp2wd|@(Ne(YA;eC`>_iIve6Mhfd^aI-tWD_mF*lj#_27E*Q|jL`AQM?M@?i4wriq_b`i?_ z4m_qSFHI-HKsT74&YyjebSc8YGCrRaYNvhtW!jZBk-|c9_=N3bbspJ;@Xltm#>Iv3-Y(_Ay2PHzLjgkSAJFC%kr$6n-`7`o zb7frs`v^N81Y3F|Iyx+6?H{cR|R7G^FYbM@w%f<@CVMI@CJwwD7+E3sE6x; z@$36-LOCzOsa6r`CH;)XdxF- 
zgV3W;vKrS+C8+zoG;1e;wL~nr4BQ9j>e{XW=R2-|SJXq54BvjL+r|?+T zLg}}#i_80zZ=Suzzan|yUbCZ$WmH#s1ba$fGDB{he-&@0o7F|pD ze;F8Vkud}Rd~-(hE1JrJgfC+$o4X0Vzob_#(P>f6lzEp@iXy6fp+Tj9st$mR-JdOY zrr~FIKDONrngbQ#zt$=IZ!H(zl56IpE?|ziKWeY%=dJ8~av&bbr@>J4O(i1LM)mjw z>yvMH&YpPTC)R|r#r7xEjO9DO^j7-#%U6)l-S}b5!hyBX}K;BEjmeL0jTCI<}+C;RYQW@nqvn+Y?5mBg~khGXgErUp7OBCkX zJB$orY;h^mz00Vqw2+ug;HeRN;vqa1k*axz$&O3#3TL~+VpFB*ZIhUm&`4Ei3;s7z z{u0_j)FvpTBpI86N^HuEEy>bcL#|%Xp?7!EVIXSP+)Oa+-e`P~!lIn~sld_A9fds| z%5unu?Fa+AdA;wE*jnRD))fB_JKBXQEnTJ~2VVZT_H{rY=A0_={k;=MuNa>26YKaN z$o*|8KT$iv;c$dXpU?U22k=kLv2XD!uTc5Fh$#NpeSJ@{1D=O_Mw2t_V|0HM5k^Kd z#q%wGtd^CB$4&Q_989`*`Yi8`!@Q5s0IV0d_p#&#w%_Jf9Lr*^m z;+bEb{HYz2#N1_k)4r~;fcwk=rqt)BS`*y%jB#ORTpJLDoJ;ihnpzQc!fqih_>yw^ zXWqeK;%EGgJ#80Q(br64utgd5L%*DaUf^cyOj8SV&QDAdlt|)?-y~-RZi)^!o%71! zTNt%qHq83mH2V76w{uy>hK3c)^CH>>ow8nI1%q~I>u;n>W*#|nL$Jo1i@_&db00md z*so20qe1)0d%jawCDYC0p69?Tqn|ECe4F;Ktx^mP{w22U=sXlYd2WN)Ku~YVSsHEu29QeSah=qma4-kKiG~OiVG!PJHnz6m(*p1Q{QEaG z`H9c5D}5V75_+VX4y$=j`_{DKo!gOKR<5MtGo~Kv0-trp!x=}km?GUZs@00)mhakh zym>eM^vH6CGgAv4>qVix9+(-<{}|`L%!Q%?m^j>cxQ3$f#~mMQ=iyy2eLry^2Wu+Lc)iRSz7 z%g*>U2qk$%A)4FC=V$BDJK``l6#jE1$WRt;BFIOtZN?L$3D>|=`YHDOr--j7(JXW4 z>@K~>Sbs(q8$Vr~4=fCMbWu;${Q|Be_dTC6^VKIK*SGb(lwY5hdinWh>Y26_@63ua z*tbh>xsCE|L6I?)=aU>n->q*?>YRe0(E~LPp;;w*+lKM>gEev?!4sP7QJR)94`iRT zrYw&Iw2i%SnhkMn_2ooWIf6_FB5>?5D2b)RjuxPpy>Ad^o~I68%Q*hv@sjU+?;v0A z*?h-PUeQLO_ea!ERX!!48^#9pC))iBmTavETlJx^8$CT{O`8j~#&d^%+-H^KX{|Rs zaQg_O{u^mko)_~*sRt{2Bp=5cEq^`kdo0uF?HQ6mN#xVwC$2llfi%i{6-wBsUW)3m zMVP38LWE0LkOy7voZ*H9=apV>75l6aqNiB4xekw`vrQM>u=x>p^@Gb+8Oh7Y?SO>M zV&aM;X3*Z5V2cZy=cMWkOejm1wNyUT=U`3@e|Kp^(e}NoffLpd6MEh_%DkEI8t19y zv>2H|7LNUxdb)~%byKc`nrh@_h;Y3G?=HnSWG&lnFr?V=!|**VUG}5Ae$~jh$_|+! 
z`@5%Nbly4N{d{gr=8?yCcxINec5F%ergTeGLM$9qw|w=IOy3Zi*%Z_lio>GG-x^2{ zy=|i(VUJgep55RVtALY?5^2!k5<&(wn4u0vK7+v$m*5*5zZDI(6KziQ#gw4C%3;jq zFeK7`pYM^bdoOg}4V%@Mo}n*#Gb#DPhCQrj%5^pTikT;0QusumBwDKjo->< z1HVdS0&1%fKYwG~Cy97}^3=#PSQ<(kjUPgDqkiRhgG5*LXA=0Xgsx;t5mh!WmMR5A zDu>TF>_WT%^{Eg$J5PFt$~4^l9k<;|(&eRgp;+7nsb_q2{LZTF0PYNcw+}u^J$M>_ z>`zXNsfO`bwE|~t{Owze>9R;gyt;Knuwsa1pp8hR`bD9>X*jprcw)4?0*@odYe*)i^ zc@MKm-v(cql3UyTyrsZR9ir(D!z2w5mv7@a2d?5ICb`d-E+? z?Kqy61UJ9g=R>_=z*IiYufwoEUzyY0w%QE!+S@jrxL|-*`<9Qq@d16aD|^E{_soy# z>w!Ywp0PKKT1SN(VRoKTdHyIecFSfmpE_s~qxMpf8l;B<5 z+YqmdFrG*6^*un$8?)>=R%<+KQc5sN$TMP5P)dR^L*q$WB^y|9yR$_86 z_gww`jkDdtR*$qKElbzTX;7rGIn@>&OVDDnIe90uEApvZY2la7jfINHE}w92P=0Gr z{vZmzL}MM>-$2!&o3N#X#{Yhx^12*(#kU^5>JB>uUwqJoT2B+(If)tZ76KpbuSEs= zsu5;8?@?7vq;|HXD57GkZks|xx{L*E-ivtzKFymGC+6eHe6%PFx3C~rQXXvGIxl`k zrd(OTK<^!CuI&+WBdC&2hbS0cBlY@HOlHa;*_Bu^k=7@eWL_c3%vyzXR+Qmb+Y{V) zK)3kp6tH%bh{;bs(~J^LS1(>DO!aa_*py{_O;THZYWphF=%dJiHB-&c3r=&JXMrt@ zMIU+$e~Bs{3oBTnyHbQ7DQvGvJhka1DiA4TI=cC=HBZ$>@2V8n(ux&Gz|co`ES0N} zPT9pjSwHP+{mFf+=4tU+>`44+x#JN(N$f(fYzJx;NC1yP)H;5NzH*)Mb~g8{+B{-d ztL(s-VY&Z|+>JDeRkl!VxBHK7V6-SXsQVSiHrt63^3TaCpB63|CCV)of>PJxOg)9S zkqn~=rajN5JZ*mlP2t216|DsHQ$>WEqDN!%G&A3xWyj{t-zm|1Tk-{yULomy1=LYm zs7GQi<3|&~w;NPj9V^Q1+b}m*@RE>wP&r^1%fV9fc=5>WITgY8wo}7uhOIuQfpR_y z1W)|=IeN=nKYl%kV&J*w)5snxI0jY4Pd)B^<7YvIj3IG@@Y*6L_nX~1$$acs6+A*5 zecGgFLj2GJ-XqDb2rJ)a8kAojK@#<5z;D$o?O)NY>{PtSn`_?g`>T(Y@sx-5YEahJ zN5NOTdk}Edx6#@**%{ls+p6XPY2h)a(&Ub>4n5x3@)90EOHn)EOpcYpsH*FV0F!K1 zFD5H&HHbcG?H}g`Yx$piZrh0q{Aex2B}S8SjQj;?_U3t_8|jL-Q&hcYcrBLAU7_}p^+(U^ z*#4cCOQ@J!jyHQv!htf)#2Zs@M`9b=4bV*}ZME7X~FW_GgL@#$X(! 
z(6Yip`hv%w-+6WGhLS>G-DKWPOO2>oshl2TafOAWWmfZ)oyYLBbH0+zqPnSPzLhk@ zL=cNJFG7z zEDO`K(|%!jl|={p9jv_NcN{YU#x?C(FSm+2Ge;NO9CG^6fRQ7qF;D)wm1-32@PBA~ z^LQxR|9yCbWJ^S{PO@eRWhrFZkfb4@Y*Ps#B-_YxiI6>nJKI#YWEuO;kS$8~CHub1 zjAaaFrsu5t{(Qgp=W~Cb-}8HZujly-!(X zYPrc{NQrRlK<%@VkNW8!MR~H^<0>nqw~@OhOLa5QWHRDF4bT1s>evLkEAoJa$=G6o zAXBgGwetRhnPoktqs!fIHaF#%(zo_US=`ovt3#q9_T^8Qbri$WV3%lr{5t}7<3RZl z#8{$o_3)xkXbggPkm8S+Oa)sf!V=Dn4luyOL$*_VXG{x&hL=^Vb3A8)6r+YlpugeAWi~xn|u2c6nT{Klt=TJ$_4mzYsi|= zn;$}@{rOXo#tt2lx!-7yj=nmZNC7mg|0xzw`LCk|ystXI#y5=nH-haEZ$tmCX-*G*HHcBpH zNc0XlD@~7XSa}VeE{4e-vv)CB>NY{OTG=se7(V{x(2oG5ZEOj~|tl;hxL z`C)u1>FxemJLP8&ojBup-HHnm*^V`$yjVC2g^rxnnyIJU)O zM%qq3^l{rwX}3olg|DJT%s*N_Vd|{;tbahR^&*?m--z*l*`@sFS6UK?^8Q4q-4a+7 zq4xOz{nEt&^50-`BJw$61!R1SjTYMA@vi|`(Ms*Y5tWgkm0k4NLIcfD*zxE|#2x{$ zC)Y&>w5Ai}G$~L_FDMPB_F}Jq(zhaRPA0LO5<3Q7y}l~diLfvH3FH0Thg+4o{}WcS z0xA=e9ZtJC)_K5wV&^s>=Bt@t)Xbb+oo+Qtd;AI!2rHCVRPQXRD>-P+-Ph|;c(Qy@ zlZg>l#yR=W$9}H_JG*Xxe}OrIcvNd}Idp!!-2v5<5Ff4Uj5#In;~{f3|HcsfCAM}l z4B?njny~DHJNSLyO(qv-Fsv>}9ZaPuBzY191q>S0j~9Zi>w}rDV_BjwC1#^t$0p>& zP)wBM?dY1duXmXX9$UdKl!F=PhzzQ73dSlxEK21p+!nk^TJakTS6+5}kbV{yHJE#jq)Xdygw`!*-y&jA($IQ~X-&DYWKM*Qfo? 
zb0(qzv2tAEn|(x{BW(4|KD9?Am#_Jaj9))N`nE15LIA;Hh7(z+O`rgWXy~nJz*5p=$<SE6aeDGvO>C*(y|SZ&T~EQks~W-p-t0naNP84MGm(G@rRb4R*;|R_1nTsWQ_` z$;lp3F|8Vxs?>XhDS0107nYN+ZnEIY_T8)1Lb7k5^JcetuZv^=lgw8LCr0z+`ORk~ zSI;cuI}cP3h{YPuYuPp3vIDt*1lF*e66cg(qdiSIr8ssTTO%Ula^Uis;zDXD_1=y7 zbHbzVwIhu#v|nrZoRjO@rmoagqYq_v+GZZw0{pIapJo=rkZ_pmviR9!FiqW(A#wf> z$G^akxjj^;l|9S7X4!eQo;na=0^9(2moQ@u%Atc6K2X?O`AJ>Mrsk{F3KqCt-!Y++Esr9%d%pnv*Y8ZO!K=9 z6Jt>H!hD>N8oeVtnk8yI>| zP24^cdbm-)u)J5eyuV{CC8PKAwPFqBV{1=y;E4^H%uLr-7vO9+&2LG_2d$J|a`w zI~h^rxgYiQS{{J*rAYr8)0s8+MTkv$@64sF=5*5(!Irc4v(qeg2j93GdNWSmD^mZi z7I-CG1`W9RRnM8u!z<&*iw0dkmv9m+ijRfZyLh-9k366LswJPKrs-ZS<$5nzpco#8 zd)UcE@+=LBkx^gK>N$4TrY43uE-T4JGvk@I$rzFu(LEC$^Nrt9G3Q;NeVk4&YGtph zcW5ec?iLxsu3T{;E>{#fh3?U3l;zpvFRR!Dx~}Nj>y?-K4~^NuuJtN}&^#iKo^foH z|J*20|9pCTjATHxB1DC5rPq}7%ADx^YP9K-`Gd-QN8j<7akShg;SjyQovk+%11e)D%rAR)}n>P_~ zUAURd$sZq_s&8ISmY`gQzZeGk2Jy;k*7$*3*PJzxs}?`{{6l+n1NJ{OR)n8rIqP5f z?QDkSzOeU|zFSV>jo;Q-mzT!xRK9GJ`Evc_9sMg-e^k>ft($l~v-cE6I_Nrf&u@_s zgIW8ZYNeW>B8I3MVJk1^4@>dK3WiL-cnUe(98K_-=dq2xatv_qKF3+ZIY_I{^YII3 z#rq6WNbqx=t}C& zh6ej^d+gY8BtIN@^pEQw8vO-1dVY)Op_4O|PDPH8HA-|#yBQ_#T zar=jXXkQ2g2;Bx5-0bu^m>9IqKyP&qn+7?sgMFwE1e=06%m!C6KoW0#zge(S!0tDh zPCbd=iBxdTTRMV1NZnI)ahB$@HXWfe8sn3CQgp7xxdXjRJ&>t-I`2h#&+8d0pE@rL zvca>TB~9(qJo@$MDP8Rk!$kA^9A@* zDGaU+OxT|=L2NTL%{f1@xq+FGrCz0i0(VIC6n2*YSVo%QpD<|z^9Sr0oaBvT zzdjUZ3wadW&7BGIvnW#F`EoKjYX_uCui)exQLIoWC`XZ45WDwD+y7HVzRn#qWpPAJ ziZ`www>2R~PhKtQcQviR=4Mg*Y9X;lLuZr*{s{1=X`nOiR@_6{Bx70^|Jwh4C5KCzw| zy5hiML^vfPa*h3xxcKu{0|R5$OtfVSep%Pe1A7NKZwiyK4Ey5G{M<38!aHM(rFz8n z-o+EMGh8S$&>453P~2@nJ-_p6kz;nIYYfxyVWF52 z6rOmjTR8rdwCTgxAF8v*XIU(1#c_pil@)yj(Z;v%z2-o{d+&ip!~<$a;l6x5|N8j_ zhCmn#o5`YM?ukBq%Zi{=U2^w|PTV`R_{3|F!6(gI7jxAx*c6|v5;~SJK|FOslkL>S z%V%T8t*5WG^7%9*$_P)ZJqu^06i(Tm*bKOl*`w!vZ_Xe#Ao(d0E3n8K7d6#6Gkl1u zg6_TuJ6-DyqkT?&wY?t=P~mN$N%4>MW&lCR?YA@tbA1(t)oR0C(A-1+1I1U2?Ry0dx$9Vy1IabB>3 zp9*X)qP2iOnfsLiadgTZ7GebBhf7u5!}M3Jtgf#wHgcnoNKvgsGN zu9NMitKKtk=bn98tZU5Ghr?XTPtG7xU{25{4LF%lK~5lpo#90&Vt2-QSC%vw)3L8j 
zIz4U^K@~o^GF2fj}``M=7GFI(eQ=qO;Z$q|OJE#rpg^dxa*BIDTZeYlU zf~HWX7mmyr3-;u!2bFA>slCV_xH&CiA_QQes}4!SDVYFl}EK0d}o8&-M6;&2g}$9e4=Z$$^#6fB%q9c?lj2mDxhefL6Avx2c`Qv4X*>`mwE-cwhX)1LP+6Z?5 z>e2!D{>@ruD$4*Ev&?RSh;&0zqzc}$E!*K@QAdW%>~JN=avW?t9kMJsrtRa(sw)0y z6sW=3`$T@D83}4VH#v>V{Ybs;D>Sa11h9 z)7n;_@!!c?#2NH>8_TxrM;-078!iv2(GfA}AA4EbJL^?_cbmsCW_kYH+%WC6L8ZmD zNbI538-{Q=I$*{ll*%_chK@(@jFWB;AI}%7?ZtK1M2mP@KL}tEJXZ(RZbUjKE>i`_ zj->Bale=!U%GX0@wD3RDvh9u{Jsjq=9Hc5MDp`4=8QNreic+e(=QWIW{Rd?|2(i3v2>m-ebRlqlj zrA|l4PkT=kgvz)W_KRVz>Kf*`4#m&g^C@3-txS4+hlA^o(Y=lnlA8GX&?bWDV2kbp zRwv}ZG(iFNxJSrA+i|NX*1|-Xx@0~evsR@6mhCX&kC;;KK*Zy9UbNKI9?3>C_C{|B zve;8h3Z0?pAp%FBW1rS(K1tWqk(bcnjk-Z8qMle>k|^uXo7r@eO1T^L{RpPS%;B^r z6?Vz$W~ljRxctZ4AG6YhDc+%feGTI^3~s6Abx<(9gYM*Iu}%9fJoM&$@il?`fl-EA z&n=&BOyaZD2rc7L1l5@t68swB^qYKA{Q8albw`Dv(=ut1#{0M0c#FP{oSi==ziJ~A z@%EG%&7CT(wX7L9+wfA^0Q;kOBVLWZL8ExR#xo`@R;N4pwC2}h&TM?%H&fCn5Xm07 zgJXkiJGs2i6qS|rn(BDzpi1ccr`yaArJ}Q5Ir}3#S*)&4W=^~gb&S)tn}RQcRYlX2 zE%WDhtTHEM!=IpYECAdl1QUr_@Pvohz>3*I)gp=y_S0ikoC8{xDd3Xkzat%4l}= zpWn`dfLUt?r!r*_Bm^%7+@OO-)tPp)G)N=U>xWmg^os}w-_g%>3iP(cIVoLR>nJ*# zO{a9iI*jg!{>u}CJ>W4|V0N!(HDUHP0_=*YYD*7)Z-F}Ef3E>2gfNL7EoQl#qhT2;75O<>=Iv|mp> zPW@awD6lG2WGW?*>3@pe@9s%ASNfX^`b_T=#!As<_bj zODL8SabdKHwch3XYV_qOzXNsa(S+wE{s_+6zzaV8*jKd?zrIA5;Mf&Q@$)(9fW7M= z3Oscxv6IwiDetT}zbV@KN4vRUd;IX-E9}vU%M5Gx38I3^$m7d}IxHv0&%eKumZ)$z z|6;VBob>0wr1LM;F?`KT{l&w=asP|@ETJh9`Ue0UlundRHc)XK8O2Ii|m+IgWxG3!oUE$ zfX#-s&Z25?_^TF($@dTpw|W#{l1$ZhGA}`k9KoAF@zMDSd&m3R-&`1Kze=TnhQv1i z?8~G7mFETiO8F?X`Wjqxzkttg@YBY<_8yus@jwyzi>a4uuTWVU!Tyks#!%bJz_ZWT zbMOpa0|-T;=g(ws3yTCS45)+6Nu`Q|hGU0pXvsI}BD~MxZ;R@@oo_mx3|&GnH=v6{c08bO<&6kz1O1s zlL{;4kR4k)&DBuIxNv2WrTBBjM>gErun_DCp|~_@t5HV2E8bbS@?4YFhBf!?9TUK> zH5svVlTkr3%x^pW;Q^tp^bqda0829;CFJ!x>l=6v z`uqNJ%87$R`n@|jKN5C%ay3kGV~9G$0>vyV*V~w2@g~oF#ME28U-o|4MA?+=Nk*5T z8EfbMOZ!8!&pQ=mCYmtZ4R4#h>sa5+#VlCf(Nd{xa;6iR3%T8P4|cx3(|0XuiY+8> zi*k~V6p*VtWVI*ERyY>B*aX6W#ZRm_#&h 
zQE%mstD|DwU80^1r|_#;XGlid_n_YIzUjwW=-DaEVq&9~saJU?n&EzDtacX<17eUhA|wB~z?l&HfT99z%Z-svk?zIX4F0;ZXDAhAQ1LFdvwz0fcgts~e-YM(zY?X0(qDlQ#c4}IAG zo`89|mbp2Xc--<$-8TSMYIz>Z(?&MJ?j1Putgk@#?gpiIqZdj*eV+XZbGS*E-=Er9 z+g#d>ccRLy3_N`=?pOLH^A3m3b2z&6!aJuM{xjR+0~b7q zn5>E2Wz%@o_X)bSn3Wx06W%&5QWSQ@;#3r}4sVo`F~TXj&3O7Gn#<2u?(h%yD5qqX zf$Cokp=QQpDF;tQDf{Rd-Mh`D?>{*t9&a)}^YXje;AC>VP=PA;SybZ$GxYH_w*vGXs|1eDD7$-O`lUleiUD!261Df{Z# zk=emrOk;5C#O~>FKxYtk_$0J>Q6Z;D+MUfw>k_nk#DAqoy)r*xeX=v;r7f7DCJ2AHtH5sn zqHr6GU%OwFGPo{svvHX-8udb57UXyN)E?-FqUugLp(T&yndyxmt`Vn?2d3YZG=C#3 zYJ8k8gm%0df8One;V!Sy4=_O5e^_x=ibi7S>N zq~kf{pT@243GlRBQL8)hdOoAWrzZCqygn*Kdm6>3eSmzmSIwZPN87jAX{xMu^d7cz zo&(L(qPj3#?Zo`WCA(EA+f`=9=eCAQEA!bygI{0=uJIrOoiTJ&VV!C0vChY!5p$ia zN1q%;JXIq-Y!}Y8OYRBlMR=%z5g?Ere$E0xelQ)icL*ziSK$S6>;rs%O_NHAJV%F^u**&h?;bjZ20y%hs6r_)64ND&o8kw zA5r?mVE$cr18YpuC0I93fAbquY9}TTBW5RtbejflMSj#Wdj?;*W<1bpsKIF%-jC7QnP^(P1q}qOGeTlknda zx4~Bc33?&sYet(v7&CQI=S@-ZgmNek8MYRT~kNy}G9iIz5_w`Ml7%B}1k+ zONOIIPjcdgqXAL z1!>p6a$SnHe4$k%Su9l`9*a5ozHZ~3B)fNaWY$P4qvq-569>U2ZmxChPgdB8EQzOY zZN`LJ@Zj@u2_|FcB%{)v`>CkyCp8yMl{Wv?Oxo|~gJEcj*v0NZ?%7gQj4xROc zD&)HSH6r<-$b$+DNm-ZNNjgRJ8?WQ7)$N_rTDjhSYK;|nW>(cyI^ z?|e?~7%jTs{s~@vo`YN(Oo7)Qy|sVB@>NjOSC>%mL0^3;AVS#5(G!6BsRR&<1rhtVz$}Rb}Dzl$4hFh zlDtjIqH0C}`!O)dx*~ixp$7Jr-}nytFMKCW!cBRqu@jt{d8K>OHSz&$NdI`h<^e?7^MIAP2gW+bG}*NJQ_+Mc?)0{ zhkf5hFAhQ@*bg;>!(%1!(=!Hz_Wo3}GiTSe*dObKbIQhFj^0RwZMU7~cE0$f#tpWC z_@=dR)Bn=RCzl!;8W!#Ap(%6n#lq^o(sOJ1B7KU7Y64SaPjc&P`hMk%;W11%d~vW* zLPWl8T{f^rfFP`^<=Jak7C&$4l9SF|Hm@4zLUaES&93NYjA+^Rx zroeRfhmDwPWkh(wt@dS)YizIYqoZLA_l-V9o_XPQ;lvZOe9g%-nw|%0yqbOCq__{H z&fB2_YkZAGyGxE4Q==<$JZYbW)!N53+3;GayC2lJ@SV-6{Dd1Se%1XuS7d5SK21}^ zbSmiAR%40}Xx|e`m3eald+{Kvs{HrV?o_+DvUl`L>NoHmB?r7KY47pRWOY$BYqHEp zw%I6BfF5HSl2YiBQ@W}ytdnlQmG$U~>Xqgdak?wCqStf7q7MTxO^# zOJ!AS*K0mntUY@zGXL)N7R$p*QE#+oH=MVyLC+fPhxNM^yw>TK77I-64=`64nO||7 zx1rZ@WV(3JAO!wZ{Y|E^JozTs2Sm2D8Pq--Ff6|sx1RtgToAHf$NmNZ4u3MZxS7XK zH3*pIFH&dQtNJJ1En_+s>a<(A_QC3)Gy6sO#*pa%ocaCdA6cRnnf~4?IUhx3lBE_C 
zvUHn+L<@#8>qX;ML+cG(yQIDPA_+Odc@z8rgUhsc3nndUdn4OS_f_E^f9;=+DX_gZ z)7NOP7qwHrG(X8DJQH`e{B1whPiUdR&aX1J?20U+%en4eQ;m3Re~P z{rf6Mz4ZY-@pc-UaB{jAyDh0oztzC=RTGPU$20`H{epc*+Eo7=IVd#1v_<}<7$k|% z`TvK4a3dX_ACdkyK}cc=Kx!Gwg#20a8lcwSJt7&AzgE{Yp^IXX?&Flq5%%S@?^2NK z?3Jka4_3ZCtii5ohHMeLubB8a5tLWt=mOsl21Q2OipqtCy}U?Ca&#vb_h!a@N{B{$ zP?Ttk+qpK&w)3%#zSWK7HoRr-NAfAks*dJ%BU^7Lhj1OW6(XOnmpsvyS*9iSs9*_w z4=mdQ?G&gAL?sM`Qkw*{(vHa<5W8f>^#)5XfA?ioI6>f1VGhr0hTZW^{v`%?bKGT) zq^_tlZ>y`AwlZIRLNe&a<`6H_L$0st8fW_Ri80$Hya!H53>g-GNuB zjRnfd+E0$W9m_o`kwX{|7c&WbI9LyP*m0lnK-VKc2%aRK7f}?A>KVwQ$}c}YzQ{Yq z=ouiEw)Ugvah-{{(GgDV@xM)C_#Wr5AoM_DoiVEzA9w!>4h06D&bm4&@SX-}5y zmsWD=kZ(+R_=w@W+J#QucVNesJ~ie+^O>+)VjHEcn07JbYC6-lt8@SI>Qt*u_`*av-Ad9=#$vYJBCABGo(-SM2>!ErL$DCa&K#G;Cw|$xqPOJ}>CQ_&6;qL8m$c?D z*G$_pNH=4+xyuqAXv3+!gKjR{@?XZdO5bT+SIcuw%t)?ferPoBSrN>Fi}SQ3?~tX; zblxm)X)CXbIg`yVe?O^Lf3I53y38{5C)}6v*b#-IFN~j|qAwzbYVU=ge0ew4e1}9^ z;)&_#sr2};ZP}~OsiaKdGRc>}Dh3COuyFCx?}ZIBG&hBv)01`0+_39disBU>zqK<> z$Fk4;_P!@)$JX~(u7r$M*G($6Jd=nN()ij;w^b8UT}H9MjAO50GmiSxs`uBgp;Dbr zKuO^%%eQG8!yWDF6O47%NH0E;{nWC2s=fNCrmAE8i?&7QopyJ8z_u4dq+ms6l6ULd@%G7xoW#p}=bqzb=iPT#sh%jO+RZE8A0#SEmh9+D zYP`Ka?cS9wcw>iK>91m&t<*!^AIZ-Hwl)x{5Co^Y5wF!;y@6lU~JK7_`>}QjSlSjJ!6OT^Gz2ow?0k0 zBJ0`NRTHq^HNZ$H@0YXEZxTN?Ot(khpw1oC7j0|Yt8wylZm zqWoh1_R&7t(swbuznQ=N7z+w(c_w3{%@J9^a4 z(+=-F?i;2ooi&|`MBb&nj9&2U=;p&=j?T8;kVATkwz8x8%dm0SyXu!Dnnao6NRc8WM*@kER0!Lc(~y-_a?`#*-~Pl!KX#%k zv|8e)=N_Lt@7c{q!&{_^9kEUn{MueGh#}?%GKW;U?bP-9!-}f|*I?fuyq5ii*gB_)DusH& zR}sAf?RR32gk3nH|JBj`fL(Wx>j3^v-w{+&A-T$|RmLtgdYZgrBIKTUanHxBOxoaBk~;Ai4b$rJM+Z$0{^|KN9X zeDCi+|LB8L&_&=1Y~f?a!lRag>&)pb@k>0|1=h&~FxBgr>L8tkXI0~Et{G*J#CQI{ z9HI3MBqPI#K3e!(LlNhA#aQrX&ST#c_HF7mzw}0L$&lAe7m`wr)37b&<){jo$Jbj( z)+no|H#@5Et=!jqY+$|lpx$u)U08I+VKi z(`x2CC$>=I10HU5OnGVX*0IUFnFcvi1G>nl^018ex{2V;*SpM+jxVO=<5o6LHIqhS z+Y0;p!gcFrv}yQG^MFDwPhE9vvBkwBMa4#2RFm>tS?9=yTs}grvP^Q_1mk@EE~nw+ zK^+}}i`SaO9SqfcZOnt=YBme~WZpYHvf_l>77N1AZXLoa%0$@5jHB4%p3wr|fyoHA 
z>c(j>5d0trQ9c*)IsG5pB_gU$K2yyURibcE>u*6``~+JkYFt9!Y*sNj>~WJFe{jov zSK`r@0n700gNKwRZ&zKc6_3^Bnt##lz=5va&p$LZmK-{Cg=zk-y=>7Zo-D^!i^O|A ziFdD?ZXBRC&$_d9=0L%085w8-RGMB zm?u$D)vefL*T^BMINr_*f#ROqUd4?&IqG8!~^R#*1-H#d> z;9NP_yLfxs1^r2S%C}}qoD$N15XN~vJ3$yLF@T=u0u65<(DPHdRZ|xbeuyFi;!d;I zaHKK0M`Q}2V>!Z@{EI9mb7Zkn-#1z8@^59aovLFg;yBXA>_Ud*mR*)FNj*2HgI}pO zI?%grH+B5OwyO%ZmAY-0#of!?%J_vuO6K|dw4O`t}SLK#mNGnJh=$M2Y%#J>Cpe85h&_vFT7cq zJ$ZCFZU`cZ+JAlKIJ&c(ez?}hfY!0jMSpaqsHd8`MyB`E4;3?>`2k$AF}Bgm?c;Jy z_bxocW41Le$d2u=W_~Qs=>zGhrw8OR1z)&&c*yowIBzX{pFX{L!-kvsZFcjI1(a{3 zS2O%S?Z`|uQEfYvGfW%lc{xp)>AQdaDjvx6E)zl-0`pO5bZ47t0P*fBZCLs`gt{JS z0UY;VA2oIHq90|Xb~A=(^i#dA2N&A3yo+RX*1gYBc5>uif9gY>II9IKHJNr# zpM8yG=9}C$koe-I(mK=D)z3ma5}l|Dl%msxXCAAEj=$%YJ!7G;jGegefwbp=Vq->1 zl~aSeJ``l%-QN9s`|y688!Q?9Gf3bfTt@Ricd8LguAMWvTBJk^o6&*$e6gNPyI+rE zR1ww>VAGARXT3a6${Zx{@9Yp4S6?we`h3{^?uC6Lf-1omCYI+qb?NTI?C(1A2ZpbZ z-_zy@E&8f_fx%NpdL~P=adWNW)jGLHw`5BU`JB|t#-rIo{qyw$TA#JOG&W-Rt0_A^ z&BDeTPNE|b%q#5kRU@{GND*V>IJYp?S^=h<4XXFoO4S15OAD9L0*gC%0E&a%j3EV~ z#JII;2#SrW?Cj|t8e;V>Hd0MzE!y>EV|?WK#uLV#gsEDn+V5ZKeUd9jc1NoGkV}#$ z!HK&#?`vjq3!|;1{Ez`Iqf~IlO8%sB+|BTe;mC{6F=a;Y3%0F(_XZWQkZuqiv(LAf z%8@^L(DR)Na$;`%f>H6soIaBM7oio^1I}7);1DG4)FaOFfs~s4jIbWEQ|ZyyUoaOx z%#P4+Q1UjYvv*q>`UfV4`$XM#={xl=Zr!U0zFE2_A}qHddeob~f7G@J%iYYlVu8MA zE?|vnV_UwirmQF%D_&pee?DAMmRI<-Ouqdw84H3St)3$5xPQdy5P5pbz3wv|TXGf+ zz`njmA85>Dou^TTWoThKqvcm!B*-+%wGH+|X<|H=6E%mf-afmUa7tazVd&ahQY1); z>q%Ie0df^f=b)DMC6S(Tl_F}r&4-V>HaxFKMfRJRcT^h65L1phR%WkxaAZW{-t@zI z6P>f`v}VKHzXk*$x)#p~2=bss9-M$6=?x|9C(y-ta%U*?VgS$uj=qG00fWMI0?H|% z6o~njNyR}HRVtd*5eQWou)1|nl>vI=AL`cIP+o|9DT4&~cLv5KT)OlRIoki!4h45L ztaTjSUrvR`=jEVL2KXGPIKfWu^%$B0@o7M2Z|^Xt;)X$%O4^KSqh;-uP=dON)J9~8 z-zjGas?xn7I4eh)tp=Eyfruq0q~?2j(i&hteR4gah5WC>^7zA?i;(U%I+&^HB#2Sg zrIyY%OL>P>o<$b`F10ZQj2G`O81#)q*txpj=5utG_E?ax*5IC(<`*`Og{2VAd)YRS zcSlqSdOf;SA69|;Tz^?=g?#Gn%c}mMNBsUxAoZVMZ0+b8uWD#;wU3 z9J582-K2FSQsq{4#th6j$3O8h-(3_jl$~LixxLj!RjbTvu-|d=&V4!MckNA+LSN5z 
zoF5A*i?R_JKZiGHoicQ>rKI=vtv*){fr4{jj%62C;Xa~=0iJIZ+ajJAya>yXQPkZZaxsUsscBzbYTbgGn00ls zWv*Mss8(YNG;9G^KxY^s_Vh&$!HN&nEv=y%)hG&Gtmd-imZv({=Q z_2^Puh=rAKO)K)o(stc_vR$atg!ZCwpZ+9;>}K6*zMFeW+hl#R=69YTCqEBDt`e-J zwr?eTK@S>~+2wd#3PTsP>CktdUqM6l?XO3-gN2D6FI>X%VT97$^mYz*k%SzoYy`se z41!e_q(zlVTBAoU-wm7jEl|3D|Aq8Z)ZFSoRFV--%iQCntd%vY6H0tQf6~2sqaod% zK7YrXlh;EOhA}Q7DL(PB3vo}Y<#2g8Y5W$=9`mu}qY668@=wYw@sy4>U!w9f=Tw1Z!Gal&8|QCx%U4n) z3TVjTt|onKq?Fto@L2fy#ZDBv{I;bZU;mApfj3mPDT{AAP$xqAa!Hrmj;{=pGoq1t z4zf-Md(2#QL2+n(WEXSayXEKzLvrk;P4`G}jB|mz!G+O;HJ5W=<}>%$hX;;3AG7qL zu<_>pX8ai;$3hzQuJf1huk!RZsGU^bSfU&iBdhOXOV&QFXd*tm_x+;{8=sOYpAPN0 zu@FQ0LM!1s_A(T;xg*j~70X(M)dz#W8!B zL5w>t<-KNky!TiFss9;-<uxIa<|CtoEF$jWa?V zIQ00StzoysPV*Z9j|BES)zo^iB56svq~v76Udr$$1t+u9#mBnWZS!Jpp-x(~pX4of z<;9e_88X!iPKL%E5AaeGqr9){ysTTA3oTq&;(;(B)Q^bj@>bDv`&$WpB}8g>dr&L;i>16gE#rR4#nO3 zAdkK~M$r5NV{v`>_zpKQOVK>6g^%to^Cc|2^13RFp^mPtS;)%!V!MsE3IwH%yt?n* zo%(0;^|_8^i6plf*^Lwq?Z&kE6wOq{6J4 zp%h3bF+7-Sks{p!Eh_PPtW-LU82D9<2T9WLa$B1r5zX&)Y*0iXWo_gQ?K!g+s62=3*mAF_U}}H?vi29W)P>p`hFKSh##TnB`yHp99^E+Bi%XXO zx>*u)GhTlk0X9wMEu zh#8_-82tMXF!*ly$>7QOJ1SwZ1Vx9&nUOMiVf>NzIl|E~RiA15UY1;|%a`FBuUOyo zb%Z5AK~1e^^XjwM<=1lN=$;(>WCOTBB+3Y5V>v4!r*jqi3N&Rd_dRIB9R9yTREII~ z$lDelaL>|n%;vhYfudQ&X`cuu#(*uT#Ho>$8Re!I0;grn<)c87Lt_3b&n%WeZZ03i z(Ni9`xtODWdoA#$7eE9t%!QLidj;~H1AT$cDsrF;er&iiD9_j;$?_(&Q2sQsp;hZI z9e0Wyc#HFHooMh-7Qxo$Y*rD{?K8MRHGD4`o2!^`&tjd3msCg3y4^0yhxk@GcY0#? 
zwZ6lS5F&Lc`);(liodvj@>obi^$yl>qR5LZ-rA6a`@hYFi!yebo%wpsp<>|R`@>B} zJ9z4D88Uat&~2<7jv#)xmfE=K^<=fuCP7S77{Rw}OQ=Jd%HaLp#7CDl zFt@2!pYc9%|JZ_^OfFLsO+HWUi#N8HZpc~s2^E4HsyFRWs7YO1yl2cdNL5_lnoeN?+~S7?k_M>+gHCxhQI^KUFw7<`+1 zIlS3o-`BDEPD5hs+Yc%~Y?w9|DaCjmSJgEVT=+>rMQ8*!k7ZADd!wy&AL*{MjauHE6T3omyYT_tR0Jfv0`ls1|N?k%jB-CP%% zppf|b^1Rd%gEc1<`M5T{m7UjR7JMJ$=_E8n5hiT(Q7dG)dq4I(pk4E#?XLAhilDi| z{x0W7ktdHlUi;8Q+<(J5y-E*0+p<5i65q2EfBsI=LDLB@TF>JLR}E@nWxtTeg!2Bt zq>)%vh$fb%=NiV?;__M^5)mA@$_$yv{y`e_bEAtUE`Y~qP{;*)xOIxdIt>pWG6(*~ zJ7B#mSk5G8NB`wh-}*oZ7ae5y8rynlXMzo1Cb^$+&rbaku>epbGZX+_9bB36pZXE$%&|%&M#SI`OBu~wH z)#kHa^(QQ2qX@_kOS;c@`60zU)$xP-%HJD-^6G$bM$AUop)s>XW1mNUGS18!ad2u8 zV=l{ZrU}r7u6RkLD1$O~AG%OYPCkW|jfFzd=h?=^F-Fqi=B-;|y|C!hi?<{C^?OK( zViq$832qmad$jIf8JHAwSQGB$II#bTPjB+=&!!#=V?IeeityMKcgrqbt=2`)3D(k9RKYl_YrT;e}LoIwamiAn~^C$gdo|&yv?t ztVKug;PM}FBmeU6esZIH=SG|?w$uf(II0yP?`K(UJbf;P|QJ&!^&118btHR z<4SBUq(}_rvWd*Wo_KTY_Aehlvd13%*i$V52qOR*CK&yNl-T=^h%py<79UVF@jp;B z1}*tsw)h?K_V0e9;Nv)sOsmSzw&Iz^f^{K9tC1dYawdg+nS|q%HU^TjrdSW6XG_t8L3O|hN>WCO^(;)J0ZT(HZotNZ%?m_O1RVd+3fEP zMzy8C2#20~oAWi>CgQ$N5^0R>ASLH4=tnRuU#2z0dwGU?x*_@G$w(ycV!e~%-EL;b z?G?W@p4<0yFS}E3kA5G|*V=oB!W(tW#-{c@6YLzugfK5CDQ4`w(Y*HLvF^BT#la)1 zshjfp>IAt=WxVg)vHALB7dK{m-&pm!+=TE(>fsC7^uDk=7jKaLt?u46TDNPsF2?14 zi9G3d8&WF9e9ZZh#7pS>KJ$U9WZGp z@=S`iPwVPqY?`>$?RGXTUHvY-qOEDI6Y7zl-2UlEi z7CCoTbTu~8NC$+$uOL!(C$N-=HLVRT0tx<*mxledj}bzXWZiWs#xoa4qF1Hnk%l4U zD)kydZ|Q#3)4U81x+_#~f9*yKAQ8J~A2Whp0n!}bfixFE#|R%~<}TpSDY)h+i1vq@ zww&2=#`~0@iLvH?A=oho0PKC3Y%yos#_>nFOt|KvTVc5*rxg#6b?G&&+zq!JNit;nZ5HXo}a4?7a!gLjAOg z){1Fi{Vl5G4ut@W^f6b6Nl1ezdHLby-)&;)wX0pj!+(GJ+IMmCGbI_{{aA$#Pv@1p zf*o(WR1CY|t#96AiLOiJnzr}NLd4Mq(M1Kra4=`#(T?F+8v zq$k!FH=K}rN#?SQ>kSmn*<)&S4DJ?z*Z&872}wP_9Z01P*_O`Xt@1t2i;UiGA6HBd9d7g}46(9VgRFv5ax{3*68*CAb+D^CvA>m;ukaiIfwELG9ao z&(kXZ3TvH%s~*}K&v(Um>$Uc6i&hT@wcYjL4X%{JR`2H z*)zz@z(bLX=pXfr2O|tf#LB%vjkxjn9@v{{9w1)O&CKpcekL zl)in&&3F!T{26Tt-HVX7Q5$PXYHY)!6;mc>vIh^!a|tC22wnZY+4P`nx@g 
z`_Y~y0a2ZCBQiGiP&lf!!n~N68O93pz)pUKfcpy5s5epN+0YYXJ|{E#*N=HUo@PM0 z3gG|sR4K49rbmvL9u1G6-Nc8l@h$c}Z-Bn9vb?j<_O`KYX z6QWZtu5NsqT->VIp0~+kOmC@<^{C*^Lxmg2VTLi54|c2G6>hX&<@j#-34v>qGC_%l zE7eH1KZ4f0`DgNE)>bu~GhDgGK7bRq!ICud1+q|06Of^p57yf4C>B_x&&}pIpZz1} zU&eLbgyzL$4&#HMnqz#%|0l-J{>J#T_5yU}{#pov@>hU4@I9|r8jdO%>|@q7yr%=l z&(OuKuzb7P{;|_hRosTmH^Zk?GgPWBtkZiX(r&ijL7~?kCyCS~F(P(lKYI}N067sR z%4k9PJr8{_;?j0Wcq{ihiskt6V7B{@+m<*t-*ksgs#kNarQ#E7(aZw}>&MP+OX zjRIM`x2M_Vf?N1S)_X^fSLbcgm#12oZ4eS{^Swyk`Tp#Sp8YXbAG8|e^xyolRM33O zM;{#XH&5yDqod{}gUtjiV^xU>DXc)Pw#Fee!ESlya_8Mm&!H>9OLlIeNbw2r{X{THUf zr>7R%&MVm*VP{=+Bgx@%L^JP{%;|$k0d#%U7J2zhb|33i6q{cY+^ zto`^=kW8_<>EmZO>Jhj1#Z!i8Jln35O`*S1hbrli6<>DC2ePE|evjQ%dpxFm3F}jjj^~SC&n;XGKdb`?Pr{Kk0hu2}VR$@0D(uYmXZy3?&an32hPWu+UQ# zkKMcA^6Rvrg$ld8#`h`XYgJqidmP%yY36v+JNO;>N{#wt>2O1N>*Iw6`N?S~H+pdU zWd6>eQ^GW5>a#x+g!GD0k-CCSNx{}z-&F6<;i}O8X1KMHx z8slRI4OeadWN0U`MX0wpS8p43P+ZQhf^evnYyQc#4;|B-@*=l7+WEZe;$LoebUQWa(^meeeA?O{h_OA$YR`21~RlO z55;;()8Zwxil-sBQ)MIRr@zjFB%$^gQtgN zLvD7~({ubK3~%0urhj!r3fD&&jiUc%j0_f5%}b?H{+ zAagFAIk~gJ1{%g=NBP;;ECSKU7Gs_-9;{s?I+&Rc@g;bMi8T_6rBTT(`KUi4fOP4& zqe_#Lf?T6L(1daM2px_uJDrzLqvtp}It1uHzE{#DP`+Z>v-gKFJjuy=tmT<>=Z&Zi zvK*Qnac*rw>pVJ?8*uj6CH)>3^{#v^Tx+c@nD^VovQ#%)$5h9l9{*Q;(JoS(mCQUh zoLgc3X@8%N)*xX~13}`b=k)_6GuX>#6d&C<>Lg>CpZ}6S?DqWdMx`S4{X=2enpg$3RE?kluR!V8k zkl2024&4zod8WNcDy`-v=H@faY8yO+&a!2R{F}k-atIstB5cSSYyaZ+S-`=@4E>Zv zUDv1T;nYU#nj*b|qqUT1PZ;`eMyP8-V;oUxPM`btUcqxls@Uk7e&$M}k@!kIO zdg%SU*}lFy7@sTuTQAcCY~~_1Q-UQ?D^4C&PelFgUFC1_MZ?K{+G=+`lvqVwD3_3u zSa#9u56lv+-qa$&w7$JX(g^>R4z?G&0zw;py? 
z0YqDl->YVeO){(CBG`=Ek+Y2=IlbgZo^Vg){Vdv6PvM-5{*1dZGSQ{OjbAxwk_90Q zNiT=Wh*AW3p7E7?_bF7+4PgvB7a^p&CkN%;@QW0FQ_$V>81wQxF6vRf>gcSB@C zft_4~F<;cCiq2(^UxEau8NZV3-kF~~5X;Z-?<5O3tdX_f`p_l5-Lm6VxQcXuk?hU5 z$YVSD9j7OOfF8WW&=v*y3`N1s)!!Ci>3K%tKp_WLe0=(VQrBu>13tsm1 z$+XQum|^k{8+RKi*7i(65jiq#waoQLmsDLCcKGkFiT!cAsdjNoNm#UX6_)q>_NSiF zC9PWnPt;yp;aE{KKV$jc->_b7mPTSq2!FDjb%zv+O;A;rWRF@ip%4XTZ^1!J&H=wSN7SQt`BS=v~F;+}-K%NQFfc znwK;V9hNCDIy=}f?m_WWp9YzMXNIoU>B ziWJ!pmK<$WNG(ymc;n5xT)qL1AkUeVcw1;tNbatqLlom%M6b#RvRL!MFS?!YBMLFv zSK1Iyk3P@EHv3^yA(QzRF_^E^!CXjXYI`OgjPQ2A%nx^p05h}x5cUP}T9$!`vy;1w zXo}<26*`LBbw?|&o>X|=>8CQ^ofLsMTicWgPsOgNOC4f?*~CjWi`lDY?)BtLv@maN zc#5OFtHid7nj^oLT$d2x+oL;l?Q>3?r|t;VH;r`MHrW&3m3H@G$vZ(xOH9w_@U}e* zF#(%1f7^utE(ImzUH0O^p-N~P2-D0mC)s$(ele>9J zAiXvJ+S(~4#wHM-t`SB2@GFdQEpH-rH~JCJZ|I*R+*^786)0=(@e0IwXta&D=7%wq zN<1aeHNjMKmUt>P-VM6#g#+2NrZ{hGp*IsoqTKFxlSHbsFoX%PJ^tjuU$^Vu%iMn} zqO`h=TBnQ|Ze1;tVaq)O^=i)NpGeu%K-Cj;cz-q}qTza{)LY3oB~FjnGbyB?qhe@1 zjdESl$<0tfaWnOU;w@91vd_mGtWKUf%w5qPGhIi&JUX-+85X5|6T+Fd%X8X|E3Tb`?HV#|C6V3U zfw?bEg$cy(+*j83SmQvIJ26|5_2|nuS|$qS_jtf1T(S|vH+m=@U<}1?5XKVUZ!m~f zLM0Zk4l>W=qw!x*omLN4f|ybnQ6QK$>0fVO}7=r@ellgDaFwajWp+!?~Kq&W$kA;Ju5yN zYxUOmk(JeA^Yz0{^rVgJ*NSysJcNVw*@6s7(pG1=Ftk{{wDO|Cw0#i{OXB-;4mo=E zFVb~4IJ=nZ&N9^)^i+Qw{}()pwPi{|o!D7g4myv5j0WMl=tu^_Ud6uz>6C+bya=g> zgI3bM zv1*8|8;gO=^?Qky!Ph>U93S@ML<%-0*X>OvLIgVGfV z#0<*W9e-e~WTsCTy)uehIudj-u`p|NM~O$2n`~oF%!Bu|ia6?T_D3QEygn~?oXSKO z^8koJdNy^I0!`qrCOYE}m2Zy$dBKs@hK0O0_pYC*wa3wpP+G8>wQ^_9 zph}+mJ3f>N=Hy&=B2@$_8b6KSW{bh#cu_0PHvd+I;`q@)kght@>p`?@>r zo+oS<+tngs%d=pw+Kox(OR%0Gs__lgIU76fK{Udq9A}n%H{oy`6Aqkn$dO#ac|ZA^ z4TtNDr;PS7?Z3x{sI%wQEBe?0vw%InK$d~;#)>*#;4n+D+r_EY(8_$BGh%Ogl_bP7 z&wY)*M3@B402i*q^%FU%=a@bySaci>`j-mirw!mJkQgXros?(Dts1)ZY#?W+IdP2| z*2C6oWs&RrMsw2I(Ol_@N+;SuKP{d#`xtqaup?cU_BGT#shQK)4)T;sUY5J=;_??&YIZV@>K4QTn(kfP&c8=~Nw0|y!DG$@wVJ+wz& z@!s9BXS}z@+r$=02=p7Cn}f_f0?~#mA`4R-JC=_|zj5Imv`8dFJo$X+Lh1+0J03jE zy{gA}zhWl7$V?OeC#sFZ1OFrD0%iKM34oD>ic#Y;#kD{Fs(5=A 
z{WHOQ5%SW(N$QL-*YjG_uZqr!7$?Q6PKlrFm&_GtuT8n7TWNO&zQQC*wdm*8f^Oy@bJ{UlqRxz{Kpc;!dfCuOoL8#{7*yb`u7{cV= z6Gljp7CQ1xht0MV3(-#G+)%U!*MPQC;4rp84rI`s@p?BjM_w&xy5q#9m9~oc3zS{s zUE_Fam1PV+*>m1gimT=$+y2GFbj^juy2ZNPy4{)!>-OrlT9@6-o&|AnRlXEF^EjY% zYqut^Y3S{HoaIn4cal@G-26au(X8ICW^D9eC8*AMot#=AndxyPAOF#XB|t_^MVV@V z-dQp74dw{=o4+cT$H53*0Ip#ej)Q@z^5D!_iBXKt1gD40$=yN-c{X|Lh7VE180+c? zhBU{`Z>ic^WcbPMlO5MYXl0$pntiiJAf7+J>+R!@qJo(GrJ_qkInxw1+#qW2v1U&T zV3MTb7MQggWWEV4jmd?)#L);wiG z$y^kh2vKal>eeFB!>}`l9aglZ>`ix!I`H=L)bb$=(Wrp@fZ)>9fuze13#BmhUa$0& zERW@B%38{AoFlxW*dxJ8>D7eDo1X0DX{&nPc3vv*lgY(BCl8I2J{hWMtY+MEUY&95 za?hzNYW_WkZ}6{Hm*O5bjbS@ZJmqg*N%x6WAMM8pCRp8i$rqxqOYQ2AeFp5b24XvX zsx=Q=diB`L=KRbsE0MQx{8bh*6JUOK#^Nxy4AzNKn~fC?`(dzCUv43tv3RZ{$mb=a zXKuv#!q zuo*7a5s1)%%nd#00t$`6;Jtb!!RO%oqMZ7`)Ef*am{!^(HkMy89mO^XBaR|5CA3BtYDaHKlk`U zDm>w}|UXC#2s$a_~V3#ni z=+mM?T}jrTj#>?jzmAT`37k~aRjqf@Y4>0HcB|Ws1sFvC{NI5TIet5Hw_g91iy&1 z>RZPXw+{F~N-*->$7{*?(0GYsKO z4L+fqvsZk3S23~F4^)L!JQBWYPk|~pM^yGN9(6;fT~H;URYmgw84eB3D|zX(iu$^5 z^)b!9BvuA^bb%f$5Q%Y;r6dmh{yAv-kKAFl7OJAcE~PuS$Ft0=xI)sM-g}6t^7_Rn~NYlHzQ!J8$oPQ9Bu!IA2KnYk^GH4 z6J|fj1+X->6vynDT>&@Aj-;mk49;>b*@#pup0&5jb>*9$x1ThTT-hx>o?NzQtF* zFV@lWo|k*@Bb#$i2v*^huLZ`Jdn$$cGS{Hh8tM(3>o?Mn5;XYS3RqxSU^K>m#BIe{GkA}s0kwk{+cm2+Ny zbCJq=Z!f&jhcJdmAe=)p@6REOd3vjaW(*}cR3&Q=RYQ=Knmncn;R$GS021Hz56m{B zVEoj(S;5)@8U`qhGLJ)PwzCBMdo;RulqS5q?FAB)oaK>C)oqx>kiR!P({H&EZ|3Lo0?H5=pXSv;Ime?g(s^m@*8-s57O9kE4nA9Nan4^n(Xh%e_ zL%5)&L)zohIz~8}5z#Lm1?hF2IK2vV<42x8l>z({F|Lm;E9n~;7peq8Ec$5$i61C( z*3tGVlNGE|w>*y_Lz+?1s`M{mUD&k_*ptV_iwK(>JvQDdSg=~GoxSudl1&*_rH%y0 z@@Oofgu>RIYuPvt{4zQ}RUEQqTAR5-Xte3^~x z@=UR_$^v+jJL?nS<57up_Jcx6LPP9^tU8~34iNKllDwF{vh2m{=Es~o*8O(48AIw0m&AF^#WH)9C`vMAqoU3 z_Nzj9&rGXaazwdB&pj)Z;|p$6Z2gvBloqF91_r+vf+tXH?*q2dBY!H1#eWfl5^>ZG zOO3JjI(4L5z~nWrAev_;2p~EU9R~#`fcAXJ3Jj8nX$aZ2l`?a_Y!7JgtQcI-@_%GYL9# z$3&o_JE&lD#ayO_v6ec_P2?VBM%;tKFd;!%-$$ggE5GOujN*O>y74N3EqM`z*Y3(F zltF4VNA=K!S&C3vBZTxLv;V+6plQh@=-wDfaK`-Ca2^Zx*OhBq16ef&BP^*VnA+ep 
zD29M?jylnvx(-gb(i2>^e5p3H^7!^I_sm5&!0}qz4>!U4xXM+)z%t(72S&Ep0s$l- zy}qN$=t8BXOgzivILx~5IvIwX8{<0EVAWVs<{r!$<6t*xm(_;~f;m<($tuFO4pJ|J zavCqiGS*HIX-(LbWdu%ACUiz{v;;h=2WrpNCmyvcrTlq2Y^9~o{%Tej z0Whbp`@nQHVmRWi6DQO?@4*Tmy@X4uW?ZY(f+ai+j?vr_8ZoZbz$S#WBVBvRtT6n0 zEK4c6q!?bmi8FJcfq>_XD5TeOR1y{#rh$wK0V&)B!Ye-vOQG!kjqYG; z5n2Oz1-XCj9v*rMBOK}V_&$Ihx=j5wG`&`K`+kEGx$`q0QYA_p9fdqP5bm~edNSiC z(tCk(kJ1KqGAec_~W5) z&nLP`qryqk=HsA>m+Fs-0BUlOD$n9`$a+L*!mm)2+b{EkWu5X#QC76_W%P$2qtk~v zuV`XxT;7lwyIZHqkgSnn{MEdXp`K)hb2n8lNRhI%&4En2Qx4~Y6%+)uRU2mqNi6OS z*z(dyMAa>ZeU;QxOTOi@PS)7qi9dX88KGLyA}jf9!gv5zQ@>s! zVlwB@b9`&_9^!B{^y-oPg3B;s3F?*MGs~gmtKEjWGplP;hT9Vh#sgWK2U``HjSZpgmk9hUp#(ES8^QIW{T6l406AR_WAtw504*U zw-;5{GkGyH(Xgeovwhc;L>GjQcgjX(Jn!A*b4ZfcJCt(LnDB^%W$aQl<3acOj?B?h z1FMDwPJ>?n%banY%B33nvovZG5O$fdNT z6weTw;9_eaC41Jy4bn8GzEc^Vam~Q^2Z1m+?FWSQk?|bqedw9;js0=da<(8=5Nu^P zh?cT|-BoGG=WAcE3=?_aq*|Dw1p}#CL55xD$R&;xIztKSLmha6kU1%&A%mTMA|?go z-v}9(aa4TuD-dmeu|E&GOtb*zF+!%r0~3*Y`B71MY7SeFUl8eZJYY0@YZQE|_mB(! zCWDMvYgI4cdaqNEE?r=cy+|i@$wOcu)4$80bW|Go$fhD7xcG;IM?p@$pZgDk##Xb| z>YT^*26cd}`aXswu({%)KbHqRRz2)Lx)<(ZQeA*b`G+r$>IbsIVmXY=d6N-TTrw9s zuHynnC46K4pJWH|Z?dC~Y2~vYH?H9c$uI6$V0;SWT87Jv_!N<0`h6`6O<)cuID$au zPg$B;D2aTWf;lWhMnT&IykLOj(4Lb7+%rBP2SecFM>{;ei#TXU7C>Z;1~{+ z>-dRpH(X(wvGj4{s*LZq#{;v7fz)iTo+HzVMvw(JK{+WpBjqJPNfiyOVr**?RSTxj zRzhTm)Cba&=48qLV(-o4q1^lbaUGSSQcAK;McG2x6{b>zB!sL}AzMfYVXh)evK$m8 zOj$!r_Oea(5VB5)!PvK%v5r};^Ly(o_kEvpe)sot-{0Tw``7n89_K;VxUP9$@8$J+ zzMiiQ0b~gfU|(xXU|732VEOfx7)!yECm#5q1V=um#f@|&L@$d+wIv_C|qVuO)nuePa3 z$QjHYZpSLAztxD`i?4?cI9BtQ^&&@4MJ*2R^Y!J%4jhn5eex5p#)0oy5rQAF-<)7e z=+=uov^w00E8=-_yfkWf20lVHHQN**5>9=YXS4FzLs4ioNm|qoYH5>R`mg@Sy(Ce^ z*?2Ie2xbHV<154DPI&(GH{D#q@ZO?#`bwhzb(ONJV9`2gkCFD!#VjW|_WwyM|OaFQ?{ ztT63F>6uOk+&@>NlHz{;dJ_Ip0`b+D3q+;my+zWZS_d^)Wqk=;`w3Xu{v6ejtLu2iX%Z+Ey|vO5 zEY!(gSSY}V#zUOY^szAhN5BeNe|;2QprV2v1Rv21V7v!sGKMVk@(Nv_DHpwjt^UjRfOo0*@h&m|-;7*F zGMu7Uo1_=v5paGCFwhAkSp*c8jHcNmCbR~inI!1>kN5xcJyb739f7vf2Mb;kY*gYk 
zC|||fd!3DOK7zghE<6$*fr`QMDT9rw-VK;eA|sa+{nxwd@?jxBs_8aB)cu?Q6{IoU zTPtuMkYfkz39X-JXytyc=A!ZGTL`qYKuR|l3 zs5}8%Hn7#WKkW_EMxeSMo~S!unz3qXDYd~<* zHP2}!Pi#)X2!(Ciq?y7YeB;}t=6*ARg%S;sg(6>CR6hc@;?|TLP&BU)TsAvw0k%La z2PO!GgJFLUt2M4Nj88FpC z%rxXY2aqS3l6)-i1J)acq`Zz`^r13JSv_ITG~Px2etBtzo4wqHvtHUF*KVZ;$^|u^ z!nWQWx_fi!u?X3YlOK4+Zt++2npx8F5hL?WDp{vL9OJ*(KQw5X zO_pBPq|u46pxfpw4xa$C7>1E)^0x*#C-)ECXda-wCxub z7BIE^b0qA4u>pS~r3IiPd_3SC9dD?0ms~Woi>N`_*VAidsB+pPFhVU4nsmW^L2A}X<&7lpB344C@os}jv@lCE< zNL6WjmYXfmFnbR!Es48IjczD)2wbd>3TobXzU$t0;YSmt5BN}X_gU#6x2HGH1@wlC95D73ti7d^+$q;5z>xhv7IA8W=v z2RtJ9I`Gg)Y|0*TD7q4`V zgVpKWSYE^YDoBuy{sPZaO?AE|Tq{QjTFm6#UAr}_6?s$c$dR<6 z37fkTbwW8>Anv^Kz&M&MOj$;@`E6sh zf>!*MmUh|zh~%OHTYqaZaZF~u3%Vf18EzPyGAe{T(+0=-(Qx50$``3A!*MHVX;UZeS-Nm>sB31g2Ex4?MwwM!~hH zrTgezAOiCxv~r;YL?OHc9?}FxGA0N)H;H2IlS02Ro%rq!(>cj9?OH3|LAWI`0N_vv zI1ac7C5fDUfxnB$fAG8^gaF1^a{3j2HB_7hf^S8iCrtuOD5Y0o*pmC za9#raW=(4`g&=M7tYAVdDm;cETM=$w;8%ALdo$;zEk}%#-7yt5l5g^ZT|yu8Q|E|H zA**!XtR7Fb+jyfMsXWiY?o9oyiXdP<>~L(~kj^hGY3UVP&fGgUa`PT%Y^O!jKEqQJ z76M);kJuMHzOwbGIsYF@kZLQiW#pB#Y$54+-du!h5Z+t4+d#fCe4`dDwpRtp;#c* z^l~y@s^HvXPPuKP^|3629bcR!i9C%}$T9tBsntOgr`ZVtE|wy5Ga~PM?B{mY6GygO z54xj?RAJ}X-&Hv?WMlQ^JT_at_haOs)8`2N8@;j(*WAb5G%ne#*dU$a%U1)uVO+CC zH_Yqr(aGQ;FA;0Y6GEc0)8~wI6^o8q6`Sr~=6$Hq5nqjZo>czvOLXMN{8#nJlFS$) z-9EvR+`F2RE^}hBa|Nhr2_*}ae37!qh{2)zc{O@1KG)8^w&5NvHrC=bk$kSE*bkw| z^X-|Yp-CI#$)o^a7DBP~1e;z}9=eWbu#4M-3l~qXm!P?ej>X%0NJ7uUQLeV)+0PX& z6IZH4)i?A*3B`M&M{u08_f3WN7WSmfE=~HWBxTNtr4Nc2L}Yg)xC`i~%uI@I$!)GC zurby`VLG>n(TTZdcJAF09)<@-6Fy>XnyO^+a54C&`wSpW8jr z``zxqu8oZR@B-DFvg(wk#IJ3|wq!Ps3kAk@ez?O~@uQ=z*XKzULr`77=tTt)Gt+y8 zg|whVFOTG!iw9T}StOU%*BU{|qBKeeGdKg=Bf+R*7U0IG86IHEIyx_WKrk1xsL(aE z1`)w{DhA;@n59}Xq6{uSOc+$y0i+xPNV#|1OfAzTA~@G6#4(=vq8~yLn5T2wAcJ0- zJ7f0m#M=M#8aLxBu#g}kX>*_jn0jclK;H}+m&i#KBQXNd-w11R)acD%0^n2%pzj2Q zny7McHIPM}T=Y!9ZZxNG6RhF`CZa%#>X4`RBO{p9a-Ue@q@wwMbZt)b9p2 zE^vTh|BPQ1M73fVTpF+z0aQ|MTmXo1^C~YY3)BAQ_XrA95RPmDvIs#b8Q#rmttjTH 
z>v$438jQcj95(^PX0biT4RsS*z-j?@6jpu6EBK9RkmCWO~S5+3(`Fv7`bw9YiaXF~X zzHk^af{+4L9PqP(Aks~#Nk zzi{MYO_diTnn&Qrfldn{=+5%2>SP&n++Uk_IE%MNAWAH?a(O`g+bg0{J$9du zX(Px`TBwifpBYfYhwe!jZ9C{JemUlKg>$?E#^#;elu(#29<>ukCp^|sqV zhIL9`OIIV&+)8N8MabnmcY^-=s%zUNpC*qq#>jk8`m88fZ1;hC!mB8qO1j#q%9-zj z?oW-@rw9)!zCMp$vwQS1R*JCvrO4H8x?wM-Tr&1Ckv-fHi1hB6kFz%7SMqp`LP+|$ zi;VelN08;=(F-{f*k)lNGX4>^(vY@|^t40_yWgOv*f-Cvtm2~2z*g^4W>3OS{^a?f z#mXD8E$(9qLvzStY$R}SJT^&TE5}RQl2?@^ZauEPmVtQrxZC9=**ynmiYc=E8Krh+ ziBfew=Luo~A8SAaEapv&NAkP$++ECb*jCISKYS&+ z3AuJK9(VOg^LVVjNL;M*zbb|IBhY#|W|V2LVH$y2I`IZzMdVsPA{|54CT)lz|D*+` zfEK_Y0H@Fj3Ic6*0KD?vbW@Ze+JVOTBN%MUfBHMBjgxV}16GIbxc$MC!3nt=U^IbI z9`1A-5O&rvh6LGyU)d%|^T&W7wjb%BZ2*aUK^K+Dy@C0wX0U2PkN~Un6Js3G@;L(_ zYB+8c5MnbYfd;5P$#nR4)s%k!OmdlRv-w$E7Nv<9Yzsf91)yFaOHqtuWE652Rjo2QIA4(E6GiaoOT}8W1xi^E!%oi?1r43Fd%^qTY+H1A*8A z{*EB(WDuf&u-|8BfH=MqiTd=(LBQ)_3*V;waXa$=-u-`P?H{{^n*oGTjfpx>KjQ!p z6OjyCatg-7%h&F;PvT@d@8VAzg*h>SgJ*eZ>~MAN2JnFf4nr*#kOP7);D&sWUnyk# zxVE{2bKAj{uBn%a?#Jz48eJ>sO&Uw?x=(PPj#<-Za0P9GHWb`Q0HAHAj~z~v-0%d? 
zxe8Dvoh}K4(%>lQvw6A()noO5E#!ZSdH?S301gIkqZvxmT8IGvTPbW4V0)vwRv~#{ z4`ZoRW+60x8`KdStq;=EFe zlLm0^8}tZ$51Cd8tmv4FC>j+!_yvd%K^;OD|J^|Te2x20mOoP+`voy517E>3A=bF# zXr=>XBz;Jq48LWBHX=8;!O_NI=y#&K^r<2VjOZTQkT3?mv**u;$d zf1k;hWd~GjhzgI+2vr|S_`n5 zUeyCq9N0_`aES=2SQ8ESi6r4hw|$#Mg&rbhpqnxqXOP<={1+VUs5$c__6yjyy6}~b z8qDgl3>+4ZyDYi12)rEup;VqJVcMA*!o~q(u!z9u(tZfaL{UQL&i#`2qi!$i*q%-R`s z_wJrYJD;zgI>f8;iIkF>dbR9YTXx@6X9Ly7lor9$1&11M)aA_c5?tow%2q`9K?+vWT8qZ znMLcL7VqBzGgLE34qb)~2kF2+_>JhxXn@R17|)>^H{^sAu9y>KwPLV3sik+8W{>&J(m5Ah9p?u%k92p4Kj~~ zB&bKm;!=I;>S$RZt8U`<2g|;0xOSG_o$G%#5)r6*PB1qr^I(-io8fL5`Odk~8oALWt&t(~;+2d(o5b+gHF{YTUdlEGyPYw2(5dnVBLn)m(=rM4;kO=EJ;SnVTnn#oIct@uR7j57*bv zAkNC_L4vryAac2S1cmq(!t>%*4(3GV*Txlo91(@tr#(ILda0AQu#AB!S2R0K%eHExDm@RkE zywv;cG<^Z8z2U2Cz*3!ek-AaEHFQq6Q1U0Tgm{a}krx6oAFwmCDZ9z5r(?1tO0ZHT zPZ`E%5MK^d+Kov(n=m=>cHqo3eqYgM%7sO1_)C zYNgngf9vCu!vS%XXwOT9?`*jS5B>bQbjQ|+Tpy*nV%s-{CD#Z^{_)uUey6^*?*pL` zN!sSp*QO2cFD2YwvF;*W7!IAWXQ)Yz*faMSLL)gq8$<#~^rso|+SpQQ&&!*3x5K~+ zL1A5z*`S*OQ#JG#mc#czD#_grXsTC+u^nQ(1nT@RcmH)hHL2d(fY}JGe}GOZJR$Yg z>f#;2kn_9(Vj_OGGbxym!I~7=-WA{D7Ek1#_PR{2yXCxA%6JDX62(|kA@PFE+4k$BB# zTKADH!WER zxRQuI=`JvmBXR8xZ8i^Y(bKhdzY6=62~fR#iR8TEy*fL9p^iUqm_v!*zWpm~*HXZdgmpxmhp zBMMgta+^1?_YH8ddV1;nKV!ZB^mp85Kevxe(r;MfH-l^fl849!ZaDgF=v&(lSOO?1 z!r#D+{|!ot3D9Ja2Q+R)Ed$nEqCNcd1GdY`=z3A7ROQ@YuAj2*Hcr(*h317=_e2J; zk^cO*dSDa5y9ot*UIClKDgh4vfbEm@H>$IBuRn%17ImZhV!nJgi$Bp6G4<%)#9C}% z71p^{O`g&5ZjdhevhRQ3~h%}gS#3EoX-z9}K` zQ$-uCS^E_DlXaSEL9x85F7>aITE!u5r>yrjB|rLEHs9y_x3OHAG4@{fy>FgmG=o&M z?y6qw22{suU&#?%cSF+V9z(xmjcX#CN5}+N>i9Htq;-cz7vvBfb{bKOrAlHR`JWrp zGikcm=}8DNe^#cHa4&4^3A*P&Tu;g;+qkcMU#V|^vPh*`j6grl2#IyhuadZ_-dFLW zUo$I;%jjn;S`VE1VrA%(c~SCk<0+IdR8z<5y`VJ$(Yd4H=WQqze`K#e8!@{7R!2>> z2&K+P$)t;6=9PDxxo7HX)Z|W=Bad&?tzVaSsadd=mQ%04S>Q$PIZ@)eI5=?Hsp}hk zS5_dIH^eOH%c-QL^=pCtOHgSX@UjW9U#cZ5NRPY|r?#YrP7!GXODVCUBWFTuo7 z#81%tYY=dDHxT!}V=vSc1-{<$Hee^sa}Zp|Ar9mgK$DsiNPINsI&+f*FD%v6peH#k 
zp$@k*B=<&bjoTORecvyq8nDW~3lZ@>RwuwJG`7Ri^h+U>=e8c{;z-!LV?Q(LNpFUQt%aygdqJ^yaX7atoB4Y+IFS{|HPlD)K` z?rLMn+TPE*rHU4$A8YWCVyUPPBKM1 zzn@@kW$ldL?QyHC`9Q(N1Dw^@zuY@>s8_e>h=f_;CD9b;4!Ge}mV}Ge@YC=LD*t3f zWNLh6%bGz+c}luRi_<$NaqW98vYq~p_huxUt4=Ij$(3bJ#t7hb_xZ=4Jr=A;>?w@G%FIWnE_)w+8k8*FS&d>)(3|J3ZN!Hb;xMFe$ z7S3``=7GavUHQ@j9Jx;~TL*q*1)g199nT3`RSO>@1y&_=xc5IxS?I@=#_7#@eW`HB3y4lrm+?PK#?%o6 zsC6}_=96XaqgJQ;NSBMqU(kHPQlpX_0f`gGmY@0t>Py?WN49g=OMJ`n;kZ&>%txq8 z_N(VHuODy=THU!=dB*0=1^FSBvF_nX73-10vZN?s8`(F<+K0Yys&jkM&-%2i*WkYG z_X%9mlbKI#vXS7`dq1<~m0RL1R@R#?9}YDtXWwR~`Fp4b?@1g!-V>azNU*7WZYC1c zdTK}d&%2inM}`OAKfGuANy%tB=iY2Tc_NzT8XrfM_aiK*sWBB6KoQcD?YVDz@;aT1 z9@G(gUEB&w))mxDI>y+-)DQUIpgNCovcE%qQ|c?{#(y(uJ04ws&nlg(L*!Go+lN$~ zGJb)LsLuvM+b?yiUJS6ev9Fka^OJAs%~u{LWS=h|HS9lT@K7X0MWyenx~Mr7Ihqij zRo17#LE`nH31`kqj?257^}p=%ZPl*eYCfZN=#!-cskxckShjp+AY1R48dq$EOWC`O zRNWz$+2IPs`6pSguIBPwNps~ZA%+g}%dD8$9!)_`i>$Sr=KXZ6w29H%~CweXO#*F}b{KS-$W2;)K7cam1Omz8#V ze%Er(ZQ~QADOAsg-3XE6D$c8Luw@sFK9sT#ER5TT{;t940sSy(DbEU}n32+x8nWjt z7XvCf!@hq{@=|cBTYF0l%4l*I5IX+h`eMHI(xtZIT`3+pxynYo?AMR77PH(BpQpu3 zD~(TdU)V@=5={6oKcGW08E!LIB+}N{wN;iOIm_%Ub<(h@&SL9@_?aO>GW8{eYi z|3GU&UE!QMEX;>Y9QwEuatF>%P|32}?fCmd!qu)Wvs;n2Hv15#AAX9uE4cxz+`yOA zxT}=tg>{OJaqsbX;?*A2b87WVpSMrlu4x`@%F=-WUp(>-#j~QOG=d66BWCpi?0v^X zih4$?FI|WyYjL*Jz&GxBq{w~3P66{YAQhy+oS~x`Mn(HGx@z*2&91tbZMksd;re#m z7e1c{*zmbqN2@w)Q-?7;ryacq=6_)^aqssRBMY(ZGd!5AvnpU!Ehcu+VWBWVml2J_ zjXc9Gokq7nze3eO+*@-PaGE2}h_IwgKd6&2#QLiXbtlReedo{A`+xFpZU(S2Yc582 z`~#QbS3aWJ5TJ({(|+OQ51+zsbQ$#jAzjA0$_ejo19YeN7=ej)#L%S2s?NY1tDsKH z#Z15j;_ZNcB46?gH1eIW!Go3pq}wDIOzNU!FPMi)n!@5o`hn|OHuk;&B51Lqn682C zFJms4^4>bY#qxP7OM&LfW6ckZCcw`+rjnX7#&%i24b3Qh)3xC z_frG*kcLzrmg90l#opYN~QF>%}k=8YNsq$OpxBTxpm)OqmyKjxsdNYGkr=s8; z3X}>HO5nFyZ=ro%@^6ld^fbQ4a}?2=x!&FjV0BqPTAj}<_LLFu0VFAwyo4W}dQuGS zpgvJ0}qT$_E&4gVB$B(04(j42hQ2tj(R(vJ69y~ zbc(Z%XRbaC*E4fi?50;QfB!@|elua>o715?dJ^uQ-NikF`ibWG*A=j@{OZ=Q8{SVTiTJ8ny4R8KArCo!@tSVl9;%k)bL-1wl)7 z5S_&enmLcR-v_4AMq!7t$XM+C&f^t|xc$u|(%ud3&vkO%rDuMBK0o->ZOi})%?zE& 
z1KzFYn65{^6W@RG*>}(WnIjCqf@4?(_7dl8^k;t?u$!$Av<*=H`ZIHr2?kXE=Rvvz z^o@`T{R%)gK+;y=We8jq2QT;A<=1onic5iy2KPHIW&I784r6P9UB1ppk6ViYxODe# zxK!!?4_xYUT7NYUrexx22cVQA7X_=6;%3YgtyMc$1?^U-Ui`k&MB)wCL$vMF`tRRO z8SZt|&IqV%4?lEzl_+iy6dPVq=-OIQ+S-=b>#X&4ah2XsR#X-{rqQp(uBJWB)|V3# zWTo{`!NRsn!9~$|t^0V-a})j~!MBJX5qVMI61<(ChXYL_?5#|f{2*WpgR)0HH z351-5w2LO1wYNu&kSLld9AAe&}-nRd(*U zSbt!gyl~Q<57>G@ZA#<-jS%>lVQ8rMy!YB(KlGRcvl3hxVi?4ILLGwl3^w9hEb8p9 z*2_K9-fGmy{+_LRv_ox~JzsEOWG#k6S`>9jA19av|fRKM5T=18k`@SPKD4ApW6X z*ifw`23HoW#re-yw^@b~f1SSnGI-~Qf-wRLW|L|7)gOcE`jsL<;^_9jdv5*@Q6vMf zr#dUT7utus&0o=6$u<>aCcB-5p-*qTctMs6ewvr_z|E5%F5S!(7v-OG&a((0;R~n`pN~i4ZIxup zx}9Rm?E{M4UE*FQGvAqs;Rnj}3UX4XlnowT!L~tw$|bui#+`0Lgje&<#z!(d9Ler{Nu3l3PmChyi>f-g= zn1ZP=m z@e8+Fi_h%MI^iqmyu1$Y;iBx0$^+&odtcwuz~op{-7^1+v7gVJs~$Np6!j{wfMt!F zj9d%uU@)y9!Wu}sdNP!8@5`6@A+r|+$S3&%bz#|KC*9aI!ymh*M7Pt;gsL?@8NXM_ zX)Cy1X6~r)?#@teiL1WtF`yiz(NVu+tN%K@p@S;Y!HC3c5{@*{AK?w`xCBu46ohev z7p(zew*YtHSD)~?e|7ziax%F6fVW6=;TUl7^8bkRU0g-)1?tiiIU#~8PGCNC`ORJQ z@0~$dV#nX=4d*(q_}6Sk2VR33KgNhB`;ozzhrhB8iq*+L82LdpDhix~XNW>?(&iHI z!`z*o76y>7?4a9+a--ul2P~?MZJ3jvSqpNIWeCRpTom&e(m_lW@uoF^D5+*XaHdVs zCy%}TLTsfo$J>$5yr-UzEDG!iqUX6QS};?WuufHl(Q@Vk!xh#819U_!YPQs#nN)GV8o-^0t~=oVDI?96 z-}XG4)sV+3R-c+cm+&d_a8wr|Lr>%@-U<|EG^EEbpC?8{eu9GCo7S#Sm|ym3plRvl z!g3NjMkT#YTH0Bz2}IrVXtN8yn`~+*A!np5>NS{0^D6(i^3v-5`)dwwisF# znO1ZeOqe&z-0zxLEm^>jqn3ce4lU)I~8Q8+!Y9A6@#X zS6@tn+UO=y-&E(6lD@iZnGgQeox>_E!?L(rY|BE_B?khW+ zS7*91scB;i8l&D}F7nQKTr*f~8qbbc$&A)4p4z@n! zZ@%pMNa?ZHy~vW#yB?phLw#~vvrKnBew$`ItZ$t^Ft_fQiab>}z7Z^T)8oz{r}(J! 
z>pU03iiysw0RBF_)tz>WQMc%E%36%O$lA>AhO`_Njiu(8q(_4@R%)Im$fBs+QJ32; z2yHTRDDQ2hv!^c)3xlrld5YXB#L|q-#5uW9kL6)LL4o(xkCRFDBo6AJdCA^}Jcm-F z#%__qeQo)DQb(mVHG@?9}xy zIYGhf5BiG}t+gwvjP9EjsvDEN`d-xp!jNMrv#oW+oVEfZ7tViw zqDP5u#@(&;x$jn+Vf>VBa`eQkTVx9>W>=h;`?3w)Z{jRTyC@@!w z(Okeul|02<22?e-B_~4y+7Er@1VR>fJeqn9J`RFPg))9&LF+x}zi%2+bMsAbmi3jB zCZ@?lRsN;c=7=*%0rs+uJx#_>BXZ7^93UQGBEOZy3s0|Q854Cos@=>|(gFCZS{ zmZy9{I4Uq{8%%*!z>cXWtg!arNX=<5H}VN?nk^e5#90kDCNP)~b>Aeg>v~DZs?9*4 ze|=WsKtiom7IV)!ya7;1cs}Pp-LBy;MiDdmg@sE^7iJ`?MapadH!t}J^!uY$MHxK& z7s$-@M$X6H=EdGp(Ysq+__chF>^r~QXcqqL*5Li16ifzs7d%w1ml8_9;eWoQdqA@= z)b!`GwgK~3A8KCN{(#2L1bRDg#G#Pk#7wQ`pMkk!o6LLs8VR79k_-5y0gty;6*ZEttGpl~HgHAJi7xUBi_wHfyI58{{+g&>%k27< zA#)~Ye-1UP7C|<2#s)*hN)eTk#Nb$Z-TmsLxY8or6D3Q>g1j%`IW5S(3$M2{wZC?+ zc&L5`$o&OkG)-W$OHGh-G%WqGg1)h;JCmQEnK(8%rWtQ$cW+5&9^e&UkyvffSm$}! zYSxU4*Ft1Q`KnMcxFW3u56~m)sr9n_tLW0{%(EkqMyr5?6ZWaacYA1I14@__G8GUqEhHi zKVS>L^jx)4yAM5D^X1upbD8@ya{$vy=*DHvQPhNfxJDBQ%px2}S>23DougS|C!=9@ z;dRj80o1|et-QDy=~%wuF{9s#`*XbEGV*WYS1Y2Bgq!fTjn8lt*&Dvd4b2e&(!BwI zn*UAO*WV-Oe*d{8{O|I&HVyj?X7-Q#w*M&h#|>mi!mieamPEg0-%g53i@0HDNrRS%)sF|a(*X-^gi?@ID9>qKyR_rOJKap}P zX8uH*9I#b(u+{bDz3vyn0&{POg3AAcO^6kh&5AzT@d$?1MTmlFal}b_*eUCvMGYelxfzra19^;_jkLoqf6QDe#X|7(`?qjrNF0i z7}nkS!DCP{HK^A4aYX!(Zzh&0C&HLUPQ4OR9?(4LH73nwSS>7N{T^h`L9L7Pc0aqP znbb{kUWo-4a2=#YbiC;%0QP_l_2}Brx9#{}BOgP_>tl+c6pPx@0YYerq>Itza)ij& z(z|}SdvfZ^-*5HirUI$F%>tBAk3)B%)>ujaw&spRqm*^H?j{ylWTKz%Y;-paDh~ja z+dzZ>cK3F2?-(o5@Llk{e{KY7aqra?iBp0dmHWQ zBS~a?f@X8#;ad;(a*h->Dht%8R+ZIZkt)5QVru#D?x%1RFXI{oQBOLcH74a@-XpV` z%_qupTdzMq?V9eT#>yS*Hxc?zCEC+)fdg@a}Tkr&F%p5 z{#nkgnDS9A(HT@(H|2~l@b)KcJH4Ma7np!Np#uJcrCkGx%cNm*OouYe3Y1chM3PCt zURutxwB|N-wBHg#wK8E2?NYgN0{)8RT^*7fy`PusoVfn9Qo|*^QIxK*mLbwYI31-F z%Vz$i+)!2R*0(d}W*?i_7EKTfD8SOrjFDmu;E>9M4n~RogEc7+gAbUxveS2du3=)f z?yod>deJ!Y;hmFbwsTfP`z?n>eO~U_(=Y+dVq@d*w_^*(_FVXA6l+;H>77^{&}++_ z$bg~R6i&=uyBFV$brxmQ0=g5F$`j3-%^X&HXNy%!KOU+y@Je-{S)SCmGkb@4&+ax` zQq)P#46nKjU&4T`lAe%${G%96_1TBt1j_@Q2^5J;d;KGMs+fKAk_{f>OWBTy2RiL@ 
diff --git a/windows/manage/images/aadjppt.jpg b/windows/manage/images/aadjppt.jpg new file mode 100644 index 0000000000000000000000000000000000000000..268d5fe662106c73c03629399deea5b7b5631b1d GIT binary patch literal 43157
zd2uzzb$4$1I%mXDEvWq3zS9>D-keyGxGXztdt^Uxx&K<+^X6IUfdGo|KFes?F5L?OOL#TUIgzg}%~drq(C(H=^^nhV+D5{g@~{IE z<1>P}5{B1yem|no?V4PybkR~pb?G`CKQ7OS-a_mT`z@C5t{V`x-0wYmp5-yw(Y96 z8z)>FKn^OkQ$S&|%I>qOaCJj@D*Ku z36fx0To`5y%fBDF2vQ0ZmsdnzWBgT9q-Ag&k%Z*VJ-=kd!aP(qDft^b_?Y(Me6Hbz z)Z=ofBf{IHZ0U0(NzWJ?^p*%l}b8 j>vFz3q~&aPFE>58kR-dpDK#YN_Ba?vjivV9sh0l$_kj5m literal 0 HcmV?d00001 
diff --git a/windows/manage/images/aadjword.jpg b/windows/manage/images/aadjword.jpg new file mode 100644 index 0000000000000000000000000000000000000000..db2a58406ecbd5a3cd017205443448a058e881e2 GIT binary patch literal 62295
(binary JPEG data, 62295 bytes, omitted)
zSAW@-9c&=_7c&WHT0q!zJ{SHLRS@>4ZVYT+GM8h$k?22u98772pW=XD$wSbMV7U$g z{SZ)~FbVljh@XnN?Pjo8+&2b!(dvEO-2Z?a`b`!0uL`-pfBrAE^z6wrs~16uiSSR6 zvvMryB35@2`kR&>poQiN#p2I7SHTEW041;xy5|k^{A-V7b&NG^SGf{62M;p$!^6e@ z2oD>nt~>@Qq@q69vgCvP;>}`Ue*Z&E&sBh;XLLK~z<}ZzJvg3VSX_dSa(zFpk<*es zxDY)|s(_rYr;ZL+-U)cv?jB)p(zvebOgz7K01raM-(MG5_gvy&3!i0*}2y7FRzN zY|0Z`F1Wb8N{`qnFLyK)v@YF?nd}JUI)m4rUP!7$*C`6&D%0G}pYXk@w%e0!4R73j zCidAZ*hs1|q&Mp5r_|t#9R)M9yl&*N&ipRc;h^vz$-#;}I z{QzEET688<5x#WcD`L9||Q{dC2xPx@CS-#Rgj2B~|s zeeiszPXE?aFL>Ni_JNA|FsgIv>+l%?jrvMH{GBNn$HHdQd#n|k?^b^X-D<4cy5aRT zMgQCz*X+3;8fy1IZH?;@&*obErK7RrE;PhL4ri~muH0BVW;I?`*B{+X&6OWt6RtE*)*JIUSBPXXGE&cQaa^5p zH>HdY_yJ+OY!R6g|LAl`KlA0J{BuXu5K;#rBQyx)F=HZ6kHeDaG15o5*>y^aI_vEf zndZIZ#o(edt9QP6cVD;hh%h=V^|iX8M)N*Ce+pWoz`wCKt&Phrl#gQ^7sAhoc(s8- zLHdL*HwcfhB=kq~R?4RBdMr6lGve~P;G{^>R2a>|(xkD8+=^+9ELT$cP49CBJ=u~P z8tyV0hl>Rp?Qm)%_635+mq*1&9dAl))eY8(nshEiKKz$S{tCmURCoZx$LuVm=?vD$ zRh<8g*v2&uMx=7?_%YLxSGKJ7+KX5&Mf&+NzR)y*KuKX10+*f*U47x}g{QDW;kaeq z;8zj%o}w+DRI;dQ6rHE@6I(F%Ik2a^h>T3tj<@wU`z8fH7o<+yhAL!}Kf zuG{fVD`tZ12*q2ko^xxv(6f`f;Q8d|$;Q@fG2W7ynTD(d=ghnfu5`(nEQBfeUt|ww z7m~`AaMwdzspCF9*ke+&Hwqih*+!kH1hGJ^NtP;tF}-n2ok3AtC5vGii{$}v6VH%_ z2+hWrLko1JWz6dgAsOdr-|VoJW?EusXV!&uqxXaxQpcIqh>AiJpNkA#EBiO*M*_c| zs5cC9bSQ^8(1laKX^WXTI=DZd}WyY1ASxMDaP-6YY*KV|rk693rRy5&^e(Hr{3 zBQ?p)UQz3ElZsL6@dOe2!;5*=BdN$DBdS<2G9R1e%&h6N48Xa1pqNJd%+wWa%xLx` zxet|(Pxwm8Bhp&uXrwO248)0~os=#l(P>1UyK!b;sTW_d>DCGwSrT?wqM ziK`HFCM7670Sj!6D+t_m>{`MNQ6-W}jn3pDVfST^<@;9(SjOt!uYg5}mRp zBdNEeFcC}JNCo+?l@F5)?R>m$+lD^1o`bP@=;PT_Tr?VmKj1~{SeRwGaz74RGx%_> zWg}J{Mhs&QErnO83(us+K1>VdGCja+8@c89vNnOenk|YnoAB@z*7|k;a&=raZffNf zrP9VFp}Q=;Mw6Gh4@Abs%zuK?gE zD8WX!?-gLS5B+iqyx6>Yp+J@9IOdls&2>^Mh&hV~qpDR<=2!xS32Gs91F*qit^R@u zhD9KUJIJ??0JSn`1BxP$ls`BhE6wfNf~Amr01OX#jl7#DcW^&e0RH=_0~O`~@iDnK;% zzV%PKtgzqdvQjE98Q}%0f!BEm#0a|{dS9X+fs$`McLWGes{b*3#}t47E{MXG@8^@R zd|@Xa1!nl`k1p}#rlR)%%3kIPLEU`)7uWSq7xq8>|Gz~^mx9^g0b<`iF~4Ba`!UQ+ zT-a|gX=ltt7-}N|yN{CovhPNJhj{J&4J94v)eqYU(gZQg{gDm?5q{^hK@T^QZ(06p 
zt_*-D{&zwf0F&No=A_|1u0q4Z9k`*fHrP^Q@6x_x1mFujt8*A~w{K+a@RJC=j$B;_ zarr|!1n*#J%D1}Nw|#jXkj-VMZ`|nQsBEDItcYt5Rn28TD@O3#KJyGYdVOO{^t|$P<;W%$?EVJu+Aq?25z`v|Iq5jk z+n52{VZ#7QsSJd>*r?pM^E`#Vb%K%QtsB)4wNK6-=hhWGRHsAk)UKp2UL3a+Q%AZw zWX|f<3q93qKhZX^>ay1P;q2iJ^JVXXdGn+m&pdh35O`1NqU4iks~|!I$YDh9_l%ht1QKR9pVi1v4Q+t9RB9f&0M%bzq8a47pyVd#B6=j6m^hHnF(Nf|=Z z-G%%WxQ;-c-h!~>a2LcD!Tqvi{Y-s2TI3xYl~5M1yEfV(2ysvEv?3-c_hAL73b zLhhM{=>epjwC(4A-8YPl+*iqo1LB#FQ{y?^bxLr;sm=x?dc%i#@^o`6Dz#f%Q{Esh zmandrK9hb_)ZU?l_cfhDn9+L5vM;r`VhR}6x`(3s$F14Z3gf7qsu@}JYmOdYqD%#e zsZI$guOaA;*<8j3Twp6@#g>ZaQHf1TlMU+nCcQ7V(B|bjtp2Ixt%be*=sn-`7}xZc z4~9>SZ@`C)Od8G%>ODA9_*Ra2WcJ$pVQ#a8ACQ%(cSGZrMbJT$^9cLf(g!5&^=vQR zxZjoBmv)(XO1?9)nm$@zuZm{NAgd zd@8awB+J+{nUh&ACqIjLtD+0cxLj0GWv9-^W*&klyA!K)Lixouwqx_(=?hg!Lq7qN zzM{j^4N`4*0N|c967WM=aEjJp>6VE)WhP%t)2(6*G_!Js5nXJkmD7*E$)gneLku<~ zoTy(0K4vcp?&^hEbsRHjl91Z=;_fY!5y?TI@}DffD85}-y!~O9<*Dwbp=yO*pI)ir zy&3JHLq25+jDrS49TKlb3hazNyXqqbSx-UUC0;tM#JUA>IGDM(DO73FNi<(O4c9W5 zCY~c)*28a1UoGr*@U)plxU2UR`VZ^feUM*V>9=j6*^&v13Hw~}MCrk-#u1;9CPOq` zrHBQF(~A?7hT^tjPR#GU7`Qm1A+N$8`ygRL85{M>55Rl*Z%z% zd-@UCv8`dRNL$G-<;ERHZ>(2k6*N~pI;;4-zJ6V|F66zY0FiqyQj4RB!#1nt>?^6Y zc%cIj1nV^3*Ku6rD4D4@ig`m-s+&qfdgy7R<&@O&T<)@U!xWDEE>35MVZ_4-ut#vH zXL6UkQFJ-tbvwmk&t}Eo&fAAsd??J8nca)jH5O#~cR5ePDR_{?*cD~?!7=0ETw2O- zD+Z)#sB;GNY`cn`oBM$31pEXRk5-GAzTIV0z&f2U$-KkJ8{GWUq~W8&3%5hbT35ePsbGe3M^dHqDuT00H~DI-h;fi(aM73fK-c%2RFRJ9Rd& zg0Q!QH$_vnA+<8poRF;#g-{=DYy}P(~{&8 zy-J$KlVU34{Ohl4RCQb9lK9jpZ8x?q&Ee7;abl+mO0!t%#wBh^Ora#K+Gdkjckkxb z*!L_ban3N+ETJfQ`u$C((Ch|z>23Xc`KsvHc!6N^*~ZQT!wHr+6?Rv36r)S?qyf(f z-m?4^ZlA*w2iX(f%{^1%tY@kT^RW$4U4i1FTzYH+)n1^6>l(^?vnP&_W;&>I>!n&I z9yvwZ)&L9KvPk@*tK-A=q4Q5~jw=mc#P7vH*3M=#4@^9gDpt|Lt5-Ze^Cpq!#A2&y zt#gBH4lc1b!sB@8Bak6^fo`y#`4kk@7ccy!nDOQ%9=^-VXDP~)OR#vI<3W7B9+#(5 zAFEzHzj%We(Qe2){h^)uGew~edg7Yhg7p)5-D!($AIhdo22o!0mtySJ$phnEMp6m5 z>zrcW%|Pps4J;-G$*In4`Ct8YeArKYdwbmet)Jv*=K&MbpQ_Lp!oDiBNy6X0DnaW+ zS9pM$3Bxp&aH^1=bS?s;T4CGh^QXncEV%jd9~RR%s7DC@tH~q-w4Q;@^vw0A&9uQZ 
zkNqv>y9DO*6F`_wnj-}>gPd{lKXS(Zfj#HoUy`$b`~2TRKAlk$VW57(5D-aMJ7e}t z0r`yRZ{#x|LgxcRHEWO|sKN6fuYbcC06u5_hD6aM=z)buSQ1X4+h>Dc!Tb~NiL!?7 zDyRQX0(yW9zO^T->QuS2?6<;x$~~KJ&4UgkSg23dmMGZN5%)%1Le7h;u1( zJb#nCX6@vTO@A35JA0zG_XQ8q{R<(ha&rrNZCx}_@wm&Lb-adxsUa>g#od%{RM+5R z8&|@~svkK#3Hek(7%%8HTwrMstI=DTIji%?kH$94W8f7&Pw)lK zaW0-h1!LJ$da-PilxDqjgnj^*^Y}{w;-2N(6}9Jb(mP5`0vk-5%iCvMiv7qU`U|LI zv$_59a%t9VQJ5D6+XJR?JFS%i&i>B_c@YfOL2t)yXqHE{V22J~t`uf!6Wo54D|_>O zwvr<2f-?j5DpUPfM`&D+X5Y6smLCwc&d$GG?P3iOR- zk{_EUFvnfWHOh(%gU;z*Jz;2+RiCT%x}$(@eKhq(E0fe%KILe!Kyk z3SZW5{UVag-!idO6lZ^??rril8}G>Fq?`B#s@KZfDZ{MqO{Gigt*}rBIyn_wF9zp} zf1BZD{aW$p0@HuYu$-;hT_(!@*Cp6oSl=mcvJbuoYq zO&(X}L%-x(qaNWEauOUBO4LYQj-koR*W%C?ia5{IuBCT?xu8!c`$OsTQC>qB7{#fj>lS+9pz!J$cZo1DshX==Rkpi zu@*t3=V~Z*S+UpmSiuL4`;?iE>6^x5WoN^_Gsp1lJ<EMeA<4IGgOz=>jH0Nqpu}o#s|UuxX$8wb#GN8 z?HwOaeodGO9FmVx)ez^+E?T}#d4T3IN{n7?j5k&sQP{>;AhR`xSNJ5E*KlvPPlEPt zaj3nO5RXz8x9-tQ;c$o1fRhi#BHGpFUU9ZN*Pz*nvcevh6)-+ql-7=6cS_zYo^i2B zC3iCNb;NZ&GN`q+^k6F)SfH)SGl`Qp}m7_%-ZsL7_xW}j8axIHG7P*c1 zNU<9#d`4>N{FmIQ9kO(%?q<#wP9{?TwnGh zeT1Szp)_;2$oJA#Pv~;n6iHAYH?|#fk&{SsD{Bj9+uP{C z(5W7Ie4Qcj>$bVgO0A83G3)n^Q{Si1MxsRV{%1gHnVrlC8TJoafeovwo&YuEpB5Dq zvEQaiUJBc*yW4BKA485U{1}(5K z0DfSfF!uM9+Fy5IL)bsKOhf*@ix2&dCw)i1NIRiRbhko(?}w2n2Rx1F|EBx!iyK$A z>)&XE{}{@dg)zdur2|vAl$z|u@4W|zSIFJ4KV_D*f5|MlH^Mh~@p9ySrW)}=nVLS!6+RR@GQu^N#q&QSHH*AIv1%WLyx$eKsMFk`w#bU~oRH50X<9AyhHd`V1hybE&1WBdGc1OE_!1=i$hiLv=M zs@pNaT^mF0S?7Bjmo`)xCurTPcded@Ho4%5&Z{7h43}NaSVHmyzp$gf!jfg##)pf) zes0yZ7n*MqcCt%+iA$&?@KSQ@yU5${^QI?*&QsH#;&V=ZYyMUj<#=SgTIe=ilUSY% zdE;|6G(5wE-=EmrvJf7Kpkj2fV~5hZIBRt;C%Fi1jkv62O;bC^a9A*?sJBBP_8lC3 zlb@~}Tgh|muz~IMz3s~T7?DcR8Qvf9Os|`*^*Yw+rqg5P#XS}98D!py@`Vl9oLQeMcKs@s9+kU0qBRin1 zuj#HfZPHt{zdIUtupzu}(u@!mcH<~2GVWL|+sZCH)czS+GX6Tx!}y|vl#E7jK2={b z#p+juuUlzs1$u-$)5O|Wuy#SIz=I8ei|ZNi=$i`ElO4bVXwI}^33Af4nJh4+PSZ_( z=DV+C_`d-Rk|Wa$fWdO=uM?Yi@%I!!5?Cf|z%miEp8}xz7cQt$=P$w4eOwS25FPja z7!X-lyhJ*GJo!jaCgtrp@^Ma`2~)EB&|bg5$^(#A&+S7kOM?#uO90*b{2FHFylgQk 
zk_5(=>QE>3Rw-_?UJS1&S0B-?O1PRy|Hk%N=umbfnHfuxY5D>2M19YUO!k)Tz#F2r zrUgjfe?aS_4x*JqV*M@fLGoZG$+WaYXd|t0y zh&DLseSov|Pk^&6x(G&0-dH0y&;l(CXEL4my29EE)I{1iPid}Ws2Se#LxTo4^7YtY z;>&qK>g`4_KuyN}0Hc_IL3KBb_yko4+dgdt-P3)n1np`hib5Gt9eo%wMHUoS;Q^w) zFfd&4#|oRelsHwA2ujv&n!y9QZc!mwS$VAdaTe2|GOrxXOuZrBCC}ogr^H~>iy)zL zpuh4eDSfR1`O&Lek)?BWD~x)~L#E8{oP+=O5QEwF0fPai7FzcXk#X%CRv&R!zVYUi zB(w)U?RB&t=cGrkYlf*l;RROYA{zE|w*YzKv&JYDJCZ{o!y zjt`ld9GWr;J{sOp@(Jbp15#`fwO(I%aRS4M*Qm!1=JCotx7ayuk`-UV$22Ua#4E_q zVG3_UuLKFyHenF-!zlz4xIe<9*zH{@rNNs%RI#wjOV{?X5vMu4=hB)MUNXevydtB= zBM>Li!TVQ}a?-)hGu%Rh7}snVOVr<+Qyg4Vf_{eo^~DsRYSz~Uh$KT$r64;XpbT+D z|6e%_$G;>zq<;~2O_zLjT`?%hz)0iUl^qLz^GMdgAfNWZZ@!ezI<8|T!-m0X*T}_H z*jHd|uhCaf{%uoub%puTgIK%E!?n+SXcVd`xs*NnrqF@f3$UWAi?XPf9+#&LwT|L# z3p8)8UCm<&nbcUYVYX$KKG?0vjJ^0^blpFB{9s9T@wPp#A?3Xh9&1w3Wrq9mKDco6 z&8uqq+uq zby@B#z&B2UDW084tcRdD(CoaHWHEf{NHoG~Jzz)ti`NF&?J+ZaXt3L}{Mzk_?D($6 z`ZZ?2!Ltcg+%I06;3ojI$p?p^{%sMg{>>r~_-PTy{(>Tc-TZ`I1~HsfC{9FxHxl?TAX!K_@3zV z@Wp{Lz%d}D`@lvtrgi8sOLWPm)1{56UDejAqtkDv%3k0br})`11$Ok@yJs(x1c7RH z9HC(ty+S*waAZjx=Q~iVF__{`)h}rsFK29R%*YsBoG$39(sx(ahrdRX-%daL_80SN zgPgid3`4R@{1u#V=_V|~pqjze`e8RRp)1>=&Rjl~;a>JZk(KBrc5 z^t);OvtLmi4&Zq@??NGSUuNDt&?#+Q(6Dc6V-=aG7OT&ukaV}Y!S0ZFr)dw`pf=gN zT-FRv1b}9;d;BHEKdRQyxhx^0RxyV@1L$iLdD;LP&WI&|#)RL)2lS z5^gS7SGm6OJy!^dZrISZdF0+51|A`%+{nQxOoG;k4gBQ>87#bos@rv#2r%voF?c6_+uuH!ixA;UT4hhp}l4qKd=B5+2NQI}lDCL7)u9e=7o^M}_U z=ZwynKlC}=PR;wRkL@hyP&c?g>^cjHlA5%ug#%W>Uxt~zjy8+A25_QKb?~j@(484r zO&H#gdJd+|pTuDdrIo(fo%8gF@N| zDJL(>P;O;bo+PELdALrF7{jlvGezg5nPj-TmusEZGlRT(T4l=ZL$gT3y&*WK#pa>) zTpdWCV0wrOIrx5T%{XU_dSAAL#%UKaV@0CNtn#oPbF_;RqmW!`2&349VBjK9!$#3r zNyQb15>=g(ja&>`8r+7h?y(6s)Rz=rD+;78jXfR}Y8?~&_3L4t86oFr2yOl-Y!ZnN zBKuH~iSO}uLj@txhkgUe*O9}tVuxan=5 z_0g~vn7`v8(?!kJC_*kU_W(rUb&yvF>Q8gei;>(}3*{o(??;z^K=w7R%27BKpr)mk z^Q(lg1C$VI^XydqC16bd4ZZytG^DqP*=7eHh8=;l?u~vC2~qsH$_&YJ%2)UkIya&^ z4q0DMBLLH{S;!GdpxdwLk0jGQ1}DY<9vmJk)Shg&H!Ou7ujf`w+zuj>j=&}#EMhl@ 
zMG0GijDe8;N_?7U+F+Zbqq{W{VdJNt9(!A6Qb|nz4GzMop20FD^0ApFQHH1j;B$=5j3xF_^!AQFj_V1giOZJumDa$|a=ir(lPM znruJ0yu94ay}x5umii2t-c)>O>_^Rmw$($?g5W-sj)+9-gjIXV;BtcC*IcH1VYzFk zzcAmJ3_N`Fk+-3>DSA?pxI`X_@KB5as#G*`uF0zoQ@M`1g(c`_}j03h=-G zb^Blz{`=N*&%UF>{EyBuuM-`<-8d=rbM7%%vi&jl3gve%+^mCFta#r%dBR)kdikVQ zs6b;PXJOx#f~jWTR%V|l(%Itn&zV;n>_fxzf&2N_95m5#U6D>;yV36lL<_f#nKnex zx;PmN+$-r4@}0(C-*BCdWwE?(pg##w`@9+pCo>{GA7roQI~X2g*Ej zivt83cIa&_TDW*rosSlom%n*P{p(e7hxyVoi z|8qlp0&Ya#Z&JQAf^e;*gfaW_@W{$d6(t#ks;y6`{l^2YeNbyc+zN|(jweipJs&WN z;_qcq?XvmQzutK~crki{k>Ub}vm~*l3#gZ3h>9KC0Qi+WIf*1vRRV&_lc?Hdpkxd< zD@C}#232LaM!pDd0SsaLs)YYMr23Brn1}_pK+BCp#g=XGnn262KU$V1GBr_SVr;f2x5 zi65znqVz{_7XgoKF_!oc6CHS#VlM`en-A?@^p=slFrX#dKN5!bL@%R3!E%MwNya0iHNY2U>m5X_uH$J zrZJ5YEzk&hcAkSVt8(z$qhs{%KEZtft53(E#>BO~Pl+_^b2V!;Qf2E+AAq%BQGCzZ zt;>(b`1a^Q9dXmJDM@1M|KpS5=UY37*)Wn9{LVa36-ImpZ&3iVP00h8!#*YC24E9< zoI@sCz)n^0yk974-4L=q^lpVWwEkPPs)a@qPp(k=xBL?k)^IY^oB(XtuBW(S@~?x-MjnHtHra564i5rtaoDV z&OAjre&o|IK5UvLNRpN{dbXWlP*GYOdwE0%DVO)TLx%f#N7lac#sQl-gU-j2o*`jd zO|I~c6w)yHIcy@7HVl6j{ipFIW&-8};{W|~BJuy96aW95_`f(O-hjB`HTWUaAoBoN z6a$GLQ04GUE(JI~se%>k5WiA1exzL342v#E(F}nU4g9U-9*po1)hq(=!Vdsm7$dV! zeqb#{2VuXIHh8W)ggpczfAltNEPYkt^-po7EkZ$XsTJbv6YT?^yKk>b*hoMS5-$*G zqn5O0KQmDrnc*tU7Eiz-NZQ#U^^&fVPKqd}?w-4Omc5X$9qYYgU~K_qxXtPqa{#=i z+DFCjVbCmuLJ~D#H8_n2hajM42U;fl?E!YF^=zq3=47G_=YmQosS{#^o7*1Z1woQGvkJq7oKbC46shLI>2$5ow zVv`2{L8RiYNOiAD_~!rIKabu0n(|me>YOthM+g5<EV@;ZM1Jzmm92um9BCn(VXSSse82kHmp4D>ndkI1su9oSe-9|kH))J_Cm(`UY) zC66`aewyJ%B4eX=^q7HikWpUZ4f>Lo_bK;0XNXIiUX_ca06@><9!8Bnf~3F`YKDEu zFFhfj6WPmI>Aoz>43{EO1wRria7reZnMTzKEabMb)(}Uofb}E&mzo>{1*0!ECN`@H zKm)QWb98s%qpe=K>PWtwluf5NlJ!;)`IPlG@VVc?>%xdMFruca=&}Iel16vq)NOYm zz*OQFmf1(v-MO&WCOQjugUMW6Q&CvjaweY=-F5`gVR!&$2aj4W)572H7#bjZkof`V zc@h{33nY`A4NU3FeoK@Xp=-A>%YH3E`j5D@e`N=n4cbxi4!fHDZt=I^(6Dfj2? 
z8Ii$d&JlM#)c)3;;(mAN|InSoukMQXZwB};iYP|Z8kl6$4p{ts3|IxgbKyl{*TG|% z-}?feLD|!P>Lx!1?;wY3%XA#044d=;aTgHN*u;nbd8M$=@G2^Nz?mv#5ZfaLT0Y~ncLbKfJ^ z`yq{|i>P+}7iExXp1}O2bR}gvu7zQ7hFEV|&Fq&SEi0M2Rwb7*R_6+$nZCTmyWdeZ zEus66#H9ZcIXQL*}C8?Y^U?*BwQo;0|hwiDl$!cb)_us<`>T-tYHvqa(UM(+wk7e2Uj^? z2>Qy|sn9fX2M;)5KMyQ#PO-<@aN{s_Er_;~k&%i|ugqT^y6evsD{){q^9Je*JngAh z6*~XhLYV^f)a#&#^4DK$d3?l9MmSG zRm*!F;1+T~20c(};yn%=6O0bm1#$3Z6j<&w|) zq*A=aX6)H^K}C-v{xs>4K+H zkPpw`ghxMgRi0nfK5QhVq#(2LC2Z#BMIgaN2>$ybyaGvFD7-*S)!^6mko8;6Qhn`{ zC42N^j%lE6Cy(QxZGn1t)6b@#-h!t*Cm)`}DYPKE$mgVb3UfplZu24+AbR zmZ|ro4J^^h8zwWK(*x#Ia$Z| zy7PJ9b&zRQup0;Q??xT&gOG_V_zC46{yc0Jj*kUMS+F!gyzG62t5`df1owcI;G-}f za}SNvhI`*`Ivj#1C@*()wk^_Hmczy@RTD!zSSPVVS`!1+#wO6?S0{ku3pci0nKR7J zG0XE|vNCE5PGlf#$F8e3YT;XmMOHPWFINFz#F^isq|qwx4)yY;^cPdZSfh8M)Dps!3#Ms zwyy`g!j$C#tv=x*-Dq-nAg4fX$<|at*G-|;5PmuMtm$Xpr|)gls!x4mh+7@mW+Nqf zT(uXj1N@P(h|*$qcju^xqZ^RsT#6q4|6>jIrkVZUSASW@e?$0N&0KT$1%HAj7KInh zlt?LXb1E}AS^r>u{N_KKbEV{uw&d>KrjhgbI-5}j^XI6pzZ&^J)cX&pu=e$S%+Zik zX<`5-@rm^h=GimK8tu|Qx{2e2qQCOLzX9yej*9*QCNjQHKe$q~|Mq@NFObx3-od|o zDli!x2B&4cdZeVR224fs4@7*NEB@&CnX;ZHqgwWNp!8YxhaH@T=0nqG4lsQ#|Hpav zgYv(Ida?TV(?FMf90$f`O%1D)`#1Ze0U-^=^EhAFUoC(88knQDgufI7%9hsvD|%2e z2PH-M5AWVL&Ijh2jnG`PfdA|*?Jo_$G_;R(_f#qKqp_zLwcAdxFP977_y^(&Ua%|b zp{~fk7{B;DFnxXcAuTBh%qDuzZtc8dF7Nnz-Io0y-koof|HATP^-ptPhFrjZj!XMX z0VsL0@66q0e^l*O**0_8i6zsd|!5M+!&vU;mul|bp1Hi*~Se+FUuPr$q* z4Ya>t=?-Sg7p!$#{y1L9SNu`?P*bJ_2v$ kcfOo%UKF!zW~uaj|1GN~m^BH8&fxjvE#&a1!T$eE0CmolwEzGB literal 0 HcmV?d00001 
diff --git a/windows/manage/images/settings-table.png b/windows/manage/images/settings-table.png new file mode 100644 index 0000000000000000000000000000000000000000..f1eea24b11102d01bb21105b2f4156d2537d0f3c GIT binary patch literal 14426 zcmaL82|QF^_&+`>Dul5WvhT)HmdYU8&7OT5YqCugWi7IlWF|WyYq=;pF$h^oveT7p zSt85WmqxPxF7^5Se&65!_4?mv=A82^@8>zsea>^vz3}?F>SrifDG><78BGnq5P>)b z!M{SMj>A1Ko~cj4A7q|}>MDrh?(=hS;E-qePULn~qA>g?XkRSqIYRM?27E$$=qMEP8w2H-*@E3F| zFY5M488u3qv|X{UmNn@@-}sJps+Pmn%VR#v-)d5@Zn^5%ch$9B@y@ssd}%c(IX5Y} z^(x=}uHyDl#qE=-**jHCg{sX5)q8`$?LOdM$2HGBHS>4s>gpP%l^VApP2(O-?{8W@ zUvy03bnHIr+B6zie=&YEZgR88^k$vK;~7hvFiZPvs~b4$n-SIyWw!9;5N_-8_J%`@ zol}C{-3hz9Q});tdu+PHtyd0r>K*UoIEJq~IXPkP7T$udXB#e_mAAbr+@7xAeemI4 z=(?A0vTsnsL-=}>7w{-QdxxA@9*oNhK7d5!>gyMsp)guXlqMLYx_id$52=I$k%TR zgM&XtM@Pqh%uG!DoSdARoSgYNIra1B^v|C&Q&Y3kQ!~@kGcz-@Gc&}QnfaO7S@_#5 zadviYac+KNetv0TVR>P3b#ZZVb!Bzq_r~wvzqfbbe_K27|GV%Hd~NUV?;ITL9vti+ z92`X8mq!qYOQ$sfW#jw9i|L#3i)dsht)%R%sK@82^VhmxL_7=2q`N^$R~m|Jo6=W` z|Hb=$-*zi=`hu_X=igSTYl|jkqxpI4UDbv=sac7)mmV8sztbdBd&YQK;Khd@1&qRO zz+Ju+arxp)sLGo49BgsXd0u2XP8Sda86Z3n@Zv%LYgTbnls{hQhNO^76WtFo&+kfu z$AgQDLIh9hQBJJm6B*CNd=R}zeuFg0f;c{TV^PH?bS$Ppu_>%L~c;L^0 z9)Vv|`ou$|n18|B445Ct$?3Apk+W?@jUQg502G$DSU=cGIGl^m$>-~`$x_2m7N zkH3dMG6i$ePCh1UX3@s|7Nlpl_&8Z18N+FQ;v7$r)%mWeIvVm4vKvWQUe&d;+Jx-E z+%1kG#5FAjVO5}5(1Ibhf6vjC?bO5e)*v>*u$ej=?FyqeV0j|zc-qMdfQ`q{Nr&`G zUA1HC%t+`L`Xw?pya12mX8gs)Hy0fu47}Kn7x9;TK39+?Ifb;|PEr5x{%loz#r#xR)>&q=LyD}U>t%R9~1MBW)647a}4LbyDTgvWE_?q z(?9$hKwVRdH~9ReG3)r^3!*Y8_At%fY6SvJ3)_Qng}w9lDGK8zN56PeTSWV4Jt*Lf zza#)|EVy~`0;xV?%2N~6BT?!*-L_7CUP@fF3)!|DQSw%bjK_$E3s}Qb4tBFhG1PAj zLMT7&b;_w%8k*^HTs3zPKXdlIQ$$P0cYs=c)>Q|>Vv(0Of%lA}fZu(`Q>v_waL0_z z)WZ-c0U=9Sx7&#--wRumPE*i4J;q2LEKm2i@4Jdut^L=?RBc z?|^Iaff`z&Un1S6RFqr80qwB12i+}wAg5h0AX0Y}$v#o4+8 zZ;8OUUz`VxReKNL7WVX}70a9bj;QrTIo>b;wWT|~g}uEv-gddTHCoZ&iXF|SZsO{9 zjCvkybYyG|?ljB^b~pwk&O|T`=nP5GAHw5LaYZCAdOO^CYsK^Pn2;Zc;%X3zp5biR z&Fi_}88H6mD}VV_b{nKG=&+?AoU8l5PLx(Bs#0 
zH;0-J6y%$K`SRVSW#GHJ{m$5KgA74`Q+WQAc>J`${Xbobq8S@=Ddo?d+cGw*qY@KEHpxcLeO{F53#tbx?WwKLiCXR z+jNHWc;Y>fMaGkias9oQO@H#BZ(CXgvyC(V7e=L~PFZ~qvR5-!QFjuQVr51Uxs!4% z!zEg#nLk(&mk}P_sHrnAFpMHI6p;_T%1v61v0bRhVWI0ln9WX9nn^i&0zorD+>3U+yM{tIx(TNMf30-nAzefO|w! z{8;DdD1gKWYIn2FQ!2QJ@Mv&G~(3{^z8c?bhsd$s~4(;3_640qPIR4BXPnxQdEW) zx>iN(%+8PXv_X<6tjG{9;`suJvX%mVD8VcA&`;np(aame+t)69Pd4a};_vQrRk0lS zkF>c9tD;QqN;i0C!YPv_N-qx*M>lAn-PWx9>=WH3AZ$i1MImYsvh059l1Vh@%PweX zOYhq(_7@AYPbVZiK7*}Q5FJB~#uF2@oPri=0ExICr$9yi8t_UoU!JgBg`o!Rxq3mg zZ2HhG0ZC6w^{ld2lBnco(IZ!zhr>V)VAJtZtjLb#0KZ@C33a-?i%<)mPWoho15lwX9Z-K{Fd5a0T76r`OZ+ZDFW*&6+Fhg9nm%U#9QsltmJYZ4{BIj$Za zc#uU3h?!;un?$7_6GuB$N&qjIo31VlgS*+89~?^_lcg?Pu!%HDaj-SPk#V6Y+egDq zP=mde!^7G}9Z0@L3yC~GHkUgJ*Oz`$9Dy+RzHP@0nnzoh#8h21yuX}(s>pTx1Zg0z z>S?}V#B+-eiDPAbixyYao3Qt_2_nha0VA(0>6|i=fV&;@x@<}z_TI;g7Lj=>+Pu1w zA z1va(a`sN`s#7B|7kI#7P5=766Rgd&TdGhquIYn7##_iCZDpEcxJ}?{dI%|}?Y5)G+ zKT2Mq4aSz1fszv!)#F8F-(vGGgUv5EW{LJXP4E5!JUFmjNDbw{xy`aR4nTXxAt6}B z{#TESv-sQ6NLStj^SNquS!x?jNEq|qqf39tKDsZ~bT}Opbaf#Zq8forD5Lh6e&2zv zFW}7O{YQap*|wNe?x3VN&AZWh(+w{^E;r}Tj(A3hX1h=IQB*pZI3P*2$g8$o--KhaSKTxd8*LWuCkejZhYfd~q2Di%c=Vw6d&KoUU` zV#_IeOmt@msA}7NBp3Rgy@l%C>zj_?Wi3Z?=oh}YqvtOL8Bj$X{ykV8V;Bd%=0Vie zg#giMS0Ew2XPRVv_+qT0NPcSA3(DSzze+fiy}pu9KXfpnq)gVYH5YnQW_m>@8t*;p~IX~I<+MTGeRd+UIDr%}0(q4CS(LN%6 z&>K1|l)wZ;^Vc{US-BDcU*0d@y`{Al(#7Wx<5T9rh^_FJjp%p!NA^s3dIj~?zRVg| zWO13N2;aS;F33@|`wKTF42z)UwTQmmt^g^>ee=B*FzI5|MJZ^DmqOK4=`ppqrm`Xoxb& z_0XAI+s%jW-TZe`n&!h3A?x=k|L}GVAqt;$0iN>1U!ARUkt~Vu#ANtnsyUcHCRX5e zgFK91MeI(x4~DYF+MNbBxwd=MgEo$PUFP%q%QTBr;Ax@<+^>0wT&M55twIt_EURGK zlC3>)Lyk^?4<1^%<`sWJCiTljbvfu->+__PqLQA{6HqF0DejdMgP*FGWN&Y4%r`yT zBkg_?p!J~~cU+>6S{RqR3MqzKo34%t5B;CyN zbOL`rN?QI$dmKVE8mI8(4n5I`o2wkiL{O4zjD!-oVcYxyK;I(Szee8wYosGSYEjkL z!TeHcmaX^GXR_N>#c0@Nf1^|ZH`Xdjnk!wPQ|KsS1l%2%w?CE^&?)p3ksQIbP>B;8 z4_r^03i$Dse=&P%{e*~j%b~?5_75C1bMVDmGByqm5vl0wVll+s(yut1&qbt*&{)&U zX;&c0OPx@NRzDONZs&}wi?W=v2W7Sx)At;(aBWTE z8_C?u?Uto~5ty=fz&zY&lyC)dNhm)qQN#3BdUl(J%L6`EMCXpdgw#W(gQY*Ozb0Lz 
zO6T-pg^tKma`_>=Td9j%-2qcJSTHWFn3^>aWW07jM)BjZW6Q#eP+eL%_Y!-is$OSc zHZ39`>MCy8lb|=GH;X;66v0f8k;VV4iuYZ)BuSOd?lZYO%Hx*PgDcip1PbDkQ-=DX zWG}nSckjQ1qG$nEOZ7LEQS}1vHdLH4%bRrh{E&xYjXIR28D8m12k5Diec432Bw;J+ zX#Sv12(1p(W_%sLm_$tPR1pkI-#XL5dN>99LuDO?mJ*K4=*x?JE7VDMQPvuSDeuGC z^l}@_10*I)Yj8xb9o>hgL0=datB;#)3#D7m8$cZ{&J8gr6R+K0n>LTA2B4$0%UzpP zc%ntT`UMvppR@c|eA=2%K$b{_iyz)CD=rr(t+;>1b$+&SdeI>38boMLnyTYSYh@2ZdCjMH(k z+RP2lpblU0C19T^4t?_n;o$#;8)6-kXBk6Y*Q~!?SxMRB05K*h%$EtOB0h6mzxc{< z$0p1@lyQ9F%bTGDcwttorqC?B^{jQUG^)nu+uDPG1^E!x@oIH3HA28bCre}(F*g)f z+@t3wzqUVE6J8Tc)c6Hl6LHOnM|$Iu?hRLDqDmofB{QnkgzJAV0ttRYOLhJ0gcF7?Ls4VWrPw6? z?LrG@5QBX}j*Y=!*{ganphBSGWr6>L8CdW{v?6?Kl2LP)!1~;_)w>8#C0uZ3qH#^O%U~-mgxasO*C7PCC+<| zW6zk--S(e^qS!+TcG&5#A7 zITjV_dd;=0GB=*<)gt@xP2-q`gDQL0&wlRhBUTAF$Li)*s|eC{i?#EqiJfiFhhheG zSqmH;>jLNB<->)}8!gG57!OBp-Wq|puA7`T>*V+&Jj8GdOgh$e?fVjS5JC>h(7Yt7 zLmDkA)O2M(TTynEL{wYuZFlq|Efp2Y0=9katg}SAj~xO<_gQC%Wzx{)sxkp&z;zVr zxRT?X`i?W#l7VuQh5Ae{Fh1IzqDnF;DnvamEHuI;CV2Dwr4~ai$b&0xj$Paqrioho zsDEJV*Dt#YJ?7O^Un@IdWZ4KrcN$8M2yVWjPkF?C9_E6u0tE#j_1W{(8dJkzG>umX88 zLU#oEmAp7FKPIZ#CjZCM$&Zc;9d^2T2KY)g#Z`lNaO;1=OD3ZFWd91r5zGHtv?cfd z7hN$4{BW36d2^$*fgXNzK*jZ%2_C?T?)zb19biRq9+3q_H8$3QAg(^_%p zY*`sVqQZ4^wHf!mO%BPBWMx3aF^hL_i1w-C;@FhR>TbTAt2M{)Y?A{?iw;t>Aba-L z35RZni@lTCq*KiK{-+F7>_r@c<~#F#s+cC?0?D9nt&8czLGh)}%dVI#**4y%j#Te7 zbp4(^XLfx9l`1*_;lU6QM$-1woX5?sT-biFS2&C^22XE*bfD+ucV$$O z^YSTs>yrKbtM3vHrbFPk6^$?81z++HPugro<2f2OY7^!q$G8qUGF~Uii7rgd+%-dgy1wEvCQ1vBIN(f0U7g(;T#logr#;l!_iXj-ijrMTTCc<{nx5 z+r0*sWR%gu9&41AX}It0y;Hxfm&*(THxGd(w!uL4=-E@arCb(~V#o`9oRV`Bw$rg# z#+q1D_InO~w7ed?9T!Yb{!x}zXwhx3dhunOEyBaBNdgap_zOEdi~aK;b(e8!Y-hc~ zjhAS71riavJcCUqR{D#DfF@9*>A&!R z9I;3{#|9ewQ6f~F1eMFOBfq-w_17b7scch6O!iesjA4$kR_w?u+oy|pYKU9%!CVy(UO`H0lT$umBnR2bpQ8^v7sPUopc^K1{vqWk3}KO!!Vn<;6$ zR!JsUD+qb%g7o(cv%TJ#pQWTxC*B1hgHycL^YKGuuc2TeQVP}e_B3< z9{efUolJ~0+4l^U+kuw^7!W-S$d46L?6dd0xwo0xyr%t# zew!U8kMPr0VY}^ruLuNOVAshU2X5q^E`Y*l0E!sx+?n&rwq8Euck!KZk3jF$-hMx*g%q;voRt0>vnZ08x{gi`! 
z&yTN0F`)zLevcJ8RH<&li|@a6##ZikB!``fEkm6;U3yi2CJZ>hYM2bse!Rmndghwn z5uVk@{cJKKsbAAXFRDBDrZF9dwv524Qy>HW5Xx9FRS4i&Y2G$yCQsi+nN2o+so48G z;En_Y>5C5K6&b=*^=wCKSFRm8;2PmJM?zs?_y*B;Nq-*lO-BQ;zih$jQXJ8j#{ymv z0#Qee0tT_LYd~~Du%6Wi(pp}MDgV*n{cCn<)&7_xl1v|iQlOxlpDeP!r)~6C=y@eO ziggd5!wv~WOK`D-JvEhfGM+iFP(#pQYtJr!y=Fzq!6m{g&8EvGU6!F_?b}IXucO?` zKJ`sh@)FvTqgy^9<;*R75ULBPb><(2_e{%=D`s@X=}$yO7Qz}s`z?F zCtKsto5&AW0XPnuW3Qk`j0!0%=Z=+$AbR+M--{j@RiOos!jW-kpg;V?ZNUcUm@#N; zuQ87f9H7bJ2pBlLpNN}(XI=1UzN?PnWB(oo6L&Nzxp$5Sp{1Or-8rA1XGZQRd2zS7 z3>-0V;15?m`nD6#2U9x@XM4%i`9|?;k#--n$!FMJD{H#@UnaeKI zI8%lIfO8k&1v^@->?cgtvj0`k=Y(xGlYzLYjLBK{0Qe=xWv z^b|j$f(1@*?OOjhWfDFXsmJrNu^!m3P{&!ecnkRzykjpWM>Rg*m_2_}!nY&{VHmeW zV5oZ{aOaW9-bnh{HvX9>XWFj3&z_laVIdkYp9Dk0(vhzj*lD!s0=QC6+gzTF{Nlj3 zu2k-7ca`HP{f_qSd{Ge z2!z3v>39jmao)H$k=J2WSH7*>C*rDgQ8r#2AGA5%KZNaaySz4^STGd`V2bRp!R=Y&c63rSA(#iKq2b!UVT5n5sOderq7&rw(t!IVNlS41Bd6{Ddc+j^q&e=KE4YBU!p^OV5 zv!cVZsclbu{kx|1-SrS+74P;WO^0t1C(ytKo%J=ZuiJG+-qEX<8Q57V3a1OW7dAaL z9ds2!=o3fToN+czkuayn?{&p=tSa~E0DDkkxiqbAS5FXqc6OK&A!F=YYSm1CeT>aI zI1QDjcr|7>!HJ!B543a?zZ0l){i~# zMFihgMpbWfo<>ND8MM2(jSA3TPtFaO6MZ9oAmS~}*^ga@lnpgr*NmQ@NqLuQxrqlD z1mf_*epwd-ToNbe2+vM_kVKIokOMcF;pLGOg{b(#IwE zEWUkLv zjk{yIS^AZZSF8?>XHp)m0UZq`(6##mj0&Mdq-nomu5Oxx{+Y5eimt{E+@*1&%~h~H zgv7SuQx}ZJ@6o-XFzC4*)HCzP`qfsTUZ#R zpMIt7pNb^p=!t~A=2wMul1zzOAqEVXT$Sf_^QDo*LI)2pbo4Rz6Q+-p2Zlq^kE}Ee zOwSeM?K*+5sk0`6-IBQ!7)*%M4;gR5Yzg0jM70U~k3_c@B1RjwkBS}`$19ufh>WjL z*X?Uq>KI&Ky3d>J>I%96{{G{>)#pm8%DM}5(;WYq6W)&{N0Z42gzFzRbLIXiP26^=+SltN^=g}xYEx$!WInc|3()s6{+lZ98k1w+wM(+7@a@K! 
z)DNJsozI{5LPI{%8kX$V48lk1U7hsQpZJqcCS1Q57(XiC^gkq&R7({i)_)rYXSb)E z5URIS_Xy!P3jI_WescXYfoxSKg(Zg2%;*gYE73}<+mah7YVM@k>Kq19_WUP2#WyaL z>lf+>em~L|MP$Vc>|JBQZs~uvrQ`RrmN;hrXXhRKehKZMI-SC&c61KJQ0M_ytA-FCBB{D=Afgo1stR6EZ2p=dfBfhl(wugiDER!$& z8>Ie@tl&&Jd^!TO|I#bc7im$(5SP@xrABIyOJh3Dx+v%*^F@GLMEAGs7Oj29p6c&K zWEe<$f#Qeq73tC=7$plfV@;3ecn6Af{t7kZE?)$)ek*aiK7GZCYVF%a@fi-2g$T}1 zwy7wSRM|)S^%IILYxpXa!W|fIJ$;tb#2SE|A1|OeXLQTmaxa+l7+-V0OrLH~-}}C{ zbT$jW7>^K!*TPb>hhtZm%}-RMr5WdbsP4zsA<{4*v*zCVk}$)91+RP(Wm{ zudCOuDh=D`Y!JnGYt!Z3FY*un!7YYF9OzjiDp<{xTuQPMilR)%r*8-j(|AiqkbizY z%JPI1Cgd#-nH~DfeSrwj2Wxz%{j5YO;u+Nc;rAKREGK*pG!7m_HooZNysJufuVcjK zg29oCd(wW4Xn5CZKAiqH1#>aG0)VXohUfx>?a=X_PfSqr+HGOoGxPqJUJgGb^hkwP z>F`p=aj)z_HCmY@46eQD8T>Q)wZ7K3K+$dM#dXprm|$BNdYbAsJ$8Oi?9Eb0^UwS8 z%MI}+F5j(h30frVWGyh^Z3N5&ae-=t53R@X)w?m+0IL8!WP0oH_8N`)!EO+pgrHyg zp&%A$gYMY#T|Kf@#Vd<4<(16@B?U4p?{H%ZW5x9G)4}aC1;&Ud=6yAz(Nm^>>$)hCfE*Xnbt z;%>UW{{53$txJp@+e5i7rdc~vhO|Dt;QnO*8xkudD&+R~LrCOnGxm> zZ@oT{N+mjact0ktWO!@1eiyvWTjM04ecL+cOkKoMU}>JEOswTq{jYb(NXNEcFlBqF zN~c_R-8+MZ3^fuL-8!`Zi9GXq_9;YK&^5&xBzQxqO!_6)RJjo7(ZiSYx{dkIPZ>(Cx*sMa>`z`ufjpP}q=xp% znl{Sy>FrqJJ_Uub8Pc-*iy!>>{}7<1_xqnOekD)9`#^Yg+H)4PFQ{cg1W17}Oz80&Hv=t8`tCUtVd&8 zVPCs>{Mf^1S)fhRe&_$h(!NQ*MnW_9NP(6uF{j#$O+M`;dRV?QTJw3hS^Pf7I5qrQ zZxtk_1d_ELdzGl8y1{VjhnQZYcF+mlxKIjN(OEsYqIvVrlMgJs-zAvDtLwhfmr4#5 z&91tie|yYCkhP_|cG+b^rpAHQW3&97%yQkj`h_EdJoX8PkKZOA1Ud_?ZY1X$bDs$# zsT@yU=>OV)9A&;AQ(NGzD&1yf(cWy9@`K3v;jdffzIOZfzkSyHYqXr^p1TZ2aGOpf z)-|jm`MZtx?P!_OS_@mc$lp)JUJw%$A0yjTLe3|aze)c?azlpCet+Ye*K4@J$IZGw zKE}dV?Y5xLXfi_6|Cs6Svom*FALQ=~EZZC)vPEmZ1&Uc-5T;7wOTUu)Us%ZJvpT!mpE77It7%MxD&-gU?VB2A^P_&e&B7H@IjSIif zRXZ7>09wq2yK5zlyqMNDyCE|lqFj@(Xhx6^dw`j}>#p>!PgIK4 zzSL(vDp^_4opu_2Kg#e~J>X!SXgW5g?!*ERw98`Ro5~6n2R+%P%;kf)&Kas0DiaDm&5Lz>Q^3_!^r3)R=O1Q8F>rb_B%}Z>y(%zttHWM#~o#GAwytNwz6A?MF3N;fhb^J=RuSJ@AaA(9h*U zBE^7lD$FnB(oM(oFs#IpeVKolA&qvW?!2qqtQfyn-+9OjLkmyi|8EoYAI4)fS%icq z;P*j(%SkHI)zOy;@C`S&qiG?VLnl-;{1JdcDG~I$`ws6$1XPFd^=HeR{s%=ZOd-f_ 
z5932FIrvpuU~0o{!?9=KBXhw22=3UV>%To&TR-tFYHn3#JKXt4zP0+_y4Z^@fCjD? z5@h&-P`KZzx#7-^XWGY8f{7<@Ij*qqy)H_c)KzAVO^_kXya(LnM1y!zaLdJ^repgu zEXt(j^0JxMaaL7QWz+g)5T$Rn(il`t<#7T!+tZ%H7vxF}Mbm_P2pA%Co-+gk&lg{* z8}5YdeAHoDTAl;4#U5(lPTaV@=VQ}eEl4HYac>h;hf|Pi#+&HCyXMa&rIV9CIu$9M zlg)~GwL1UXIx9YWG~O-tZ1SV*8~Hz|^_6o*RG&U488LXT6&A{_S5YAMev}Ha6&OEC zvG}Ph6p_YIX7RI5z{2$ymyd{qi4u8Xa2Zp_5GyVE_u?%F$AEV;w{Wl`R!C-Oyext{ zpX=`R1XPUQ!pHzog^(u2&jW@M(;~6lJm5G7yEVM+z+jA~+#`qUYJJTUWrlqew^`2! zQ{M`|-OC1bIF}Ye{q0IDA_%_CuqHkFfQ`aJmh~z%WWY+P7x-XQo$6JZfnmIb8*o;H zY68Q2@jcSol5_O&v8!5#Zghg(c#Txo)QhJ;-uk|91CcygrGP$-paP>#U*`32mlK2s5xaBxR7wVQEF&6?m)FBhauoso!C{eM{ zlsC(HdG%SH82r8pTpra(Lo4POpETp%2Hd4vKjM$rdw~XfM?4}|li+G51ZXn02a6^h zXji6%KS{(ZH=EuTXh)#dCXVE4ZyxfW;BxLSwl>KZ>cgoGSo5XI#~|d~MOb2}k-?NN z&I`=jO#Y!&CVArmTiWBO>C9_=5^@w+#wHQ0kZ9e4{(@qhCb?`0C5P-`!3ICVfh8uy zkQZ9l($^u2#8?_LsGGMVQ~>I1i*pG$+`0>-cvR(j*@5Hm$&itCKha0#BjX>AbaD+voKrAMZdxf}NcX4;gq`K)XcE5UVC@&7 z^QmZoiwAxy1FvxoK~*Siav3bi5cRSK)gz3r{;MYyuSC6jCJ-0;n0O1Pt3DEVb~Y=7 z=npo{;NcCT4sSovJWJ3|lKSvfE5EB?`XM2gpT@;E@HD~Iq*13ZTM-qpM*O{%5s~mHyHf4VboSg9{zy2jz_ugGwNCB0j98mFf{R7w z1LHaIab)ZO}Y{T5WCjC@cG&#I8n?wi%WJ zSI#H;gHnswmT|neF-KWB1@f=1I(;8T=-2&QJ-9$GbGSZmmMej3XiASIh&<6ivKiECsvmg&e#HtY_Up?+rGCXCngQ6bk{Ak>0d_DB7(LkuAq_E`Xy45T4 z1QFxKO%dV7$6AT{q_KaZb~xf)gbVc8;lWNm}}> zYmbpN&h2zMf5p1>*Xub9)`Nk9A`^O>`zvkj+vD8j%MOl95^@p5Tki>PfD(4*QLC(E z9G2UHAYeXzL)MM%&UC*kVVEN8UZO7&n-l7J$v1~o7bOFQ;&A!&_e2`u4W|AZbXy*3yK8x?e4pj5?#r}qPj{J-0#1klEAJ-Vzfz- zfK=E>-Ae!D{H?m~-%16-x)^>I6c(PlSnu?MN>{xFxAx`!Cma%J!CjpDqZq#OUhED1 SvBN+4Lug*p1&UQ}JpNx@i?^Tv literal 0 HcmV?d00001 diff --git a/windows/manage/introduction-to-windows-10-servicing.md b/windows/manage/introduction-to-windows-10-servicing.md index 6d441151c7..1dda9dc5a3 100644 --- a/windows/manage/introduction-to-windows-10-servicing.md +++ b/windows/manage/introduction-to-windows-10-servicing.md 
@@ -21,12 +21,12 @@ author: jdeckerMS **In this article** - [Introduction](#introduction) -- [Streamlined product development and release cycles](#streamlined_product_development_and_release_cycles) -- [New Windows 10 delivery and installation alternatives](#new_windows_10_delivery_and_installation_alternatives) -- [Windows 10 servicing options](#windows_10_servicing_options) -- [Plan for Windows 10 deployment](#plan_for_windows_10_deployment) -- [Servicing options and servicing branch designations](#servicing_options_and_servicing_branch_designations) -- [Related topics](#related_topics) +- [Streamlined product development and release cycles](#streamlined-product-development-and-release-cycles) +- [New Windows 10 delivery and installation alternatives](#new-windows-10-delivery-and-installation-alternatives) +- [Windows 10 servicing options](#windows-10-servicing-options) +- [Plan for Windows 10 deployment](#plan-for-windows-10-deployment) +- [Servicing options and servicing branch designations](#servicing-options-and-servicing-branch-designations) +- [Related topics](#related-topics) This article describes the new servicing options available in Windows 10, Windows 10 Mobile, and IoT Core and how they enable enterprises to keep their devices current with the latest feature upgrades. It also covers related topics, such as how enterprises can make better use of Windows Update, and what the new servicing options mean for support lifecycles. 
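Review bot: the TOC links in this hunk switch from underscore anchors (`#streamlined_product_development_and_release_cycles`) to hyphenated ones (`#streamlined-product-development-and-release-cycles`), which is only correct if the renderer now derives heading ids by lowercasing and hyphenating the heading text; please confirm each target heading exists under the new id, because a dead fragment fails silently as a jump to the top of the page. If any of these sections use a manually placed bookmark rather than a generated id, the bookmark needs to change in the same commit.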
@@ -125,11 +125,11 @@ Historically, because of the length of time between releases of new Windows vers In fact, when planning to deploy Windows 10 on a device, one of the most important questions for IT administrators to ask is, “What should happen to this device when Microsoft publishes a new feature upgrade?” This is because Microsoft designed Windows 10 to provide businesses with multiple servicing options, centered on enabling different rates of feature upgrade adoption. In particular, IT administrators can configure Windows 10 devices to: -- Receive feature upgrades immediately after Microsoft makes them available publicly, so that users gain access to new features, experiences, and functionality as soon as possible. For more information, see [Immediate feature upgrade installation with Current Branch (CB) servicing](#immediate_upgrade_CB). +- Receive feature upgrades immediately after Microsoft makes them available publicly, so that users gain access to new features, experiences, and functionality as soon as possible. For more information, see [Immediate feature upgrade installation with Current Branch (CB) servicing](#immediate-upgrade-cb). -- Defer receiving feature upgrades for a period of approximately four months after Microsoft makes them available publicly, to provide IT administrators with time to perform pre-deployment testing and provide feature upgrades releases with additional time-in-market to mature. For more information, see [Deferred feature upgrade installation with Current Branch for Business (CBB) servicing](#deferred_upgrade_CBB). +- Defer receiving feature upgrades for a period of approximately four months after Microsoft makes them available publicly, to provide IT administrators with time to perform pre-deployment testing and provide feature upgrades releases with additional time-in-market to mature. For more information, see [Deferred feature upgrade installation with Current Branch for Business (CBB) servicing](#deferred-upgrade-cbb). 
-- Receive only servicing updates for the duration of their Windows 10 deployment in order to reduce the number of non-essential changes made to the device. For more information, see [Install servicing updates only by using Long-Term Servicing Branch (LTSB) servicing](#install_updates_LTSB). +- Receive only servicing updates for the duration of their Windows 10 deployment in order to reduce the number of non-essential changes made to the device. For more information, see [Install servicing updates only by using Long-Term Servicing Branch (LTSB) servicing](#install-updates-ltsb). The breakout of a company’s devices by the categories above is likely to vary significantly by industry and other factors. What is most important is that companies can decide what works best for them and can choose different options for different devices. @@ -211,7 +211,7 @@ The same underlying figure will be used in subsequent figures to show all three To simplify the servicing lifetime and feature upgrade behavior explanations that follow, this document refers to branch designations for a specific feature upgrade as the +0 versions, the designations for the feature upgrade after the +0 version as the +1 (or successor) versions, and the designation for the feature upgrade after the +1 version as the +2 (or second successor) versions. -### +### **Immediate feature upgrade installation with Current Branch (CB) servicing** @@ -233,7 +233,7 @@ Windows 10 Home supports Windows Update for release deployment. Windows 10 edi It is important to note that devices serviced from CBs must install two to three feature upgrades per year to remain current and continue to receive servicing updates. -### +### **Deferred feature upgrade installation with Current Branch for Business (CBB) servicing** 
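Review bot: in the `@@ -125,11 +125,11 @@` hunk the three bullet links become `#immediate-upgrade-cb`, `#deferred-upgrade-cbb` and `#install-updates-ltsb`, but the headings they point at, in the `@@ -211,7` and `@@ -233,7` hunks, are bare `### ` lines whose change is invisible in the diff (`-### ` / `+### `) with the actual title following as a separate bold paragraph (`**Immediate feature upgrade installation with Current Branch (CB) servicing**`). An empty heading renders as an empty h3, and whatever id the renderer generates for it will not be `immediate-upgrade-cb`, so these links probably depend on a hidden anchor that this diff does not show. Suggest moving the bold title into the heading itself, e.g. `### Immediate feature upgrade installation with Current Branch (CB) servicing`, so the id is derived from visible text and can be checked. Separately, the CBB bullet still reads "provide feature upgrades releases with additional time-in-market"; since the line is already being touched, make it "feature upgrade releases".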
@@ -255,11 +255,11 @@ Windows 10 (Pro, Education, and Enterprise editions) support release deployment Microsoft designed Windows 10 servicing lifetime policies so that CBBs will receive servicing updates for approximately twice as many months as CBs. This enables two CBBs to receive servicing support at the same time, which provides businesses with more flexibility when deploying new feature upgrades. That said, it is important to note that Microsoft will not produce servicing updates for a feature upgrade after its corresponding CBB reaches the end of its servicing lifetime. This means that feature upgrade deployments cannot be extended indefinitely and IT administrators should ensure that they deploy newer feature upgrades onto devices before CBBs end. -### +### **Install servicing updates only by using Long-Term Servicing Branch (LTSB) servicing** -As shown in Figure 7, the Long-Term Servicing Branch (LTSB) designation refers to Servicing Branch \#2 from beginning to end. LTSBs begin when a feature upgrade with long-term support is published by Microsoft and end after 10 years. It is important to note that only the Windows 10 Enterprise LTSB edition supports long-term servicing, and there are important differences between this edition and other Windows 10 editions regarding upgradability and feature set (described below in the [Considerations when configuring devices for servicing updates only](#servicing_only) section). +As shown in Figure 7, the Long-Term Servicing Branch (LTSB) designation refers to Servicing Branch \#2 from beginning to end. LTSBs begin when a feature upgrade with long-term support is published by Microsoft and end after 10 years. 
It is important to note that only the Windows 10 Enterprise LTSB edition supports long-term servicing, and there are important differences between this edition and other Windows 10 editions regarding upgradability and feature set (described below in the [Considerations when configuring devices for servicing updates only](#servicing-only) section). ![figure 7](images/win10servicing-fig7.png) @@ -280,7 +280,7 @@ It is important to note again that not all feature upgrades will have an LTSB. T   -### +### **Considerations when configuring devices for servicing updates only** diff --git a/windows/manage/join-windows-10-mobile-to-azure-active-directory.md b/windows/manage/join-windows-10-mobile-to-azure-active-directory.md index 64404781ef..bb2295e65c 100644 --- a/windows/manage/join-windows-10-mobile-to-azure-active-directory.md +++ b/windows/manage/join-windows-10-mobile-to-azure-active-directory.md 
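Review bot: in the `@@ -255,11 +255,11 @@` hunk the LTSB paragraph is split in two and its link becomes `#servicing-only`, but the section it targets, in the `@@ -280,7 +280,7 @@` hunk, is again a bare `### ` line (`-### ` / `+### `) with the title `**Considerations when configuring devices for servicing updates only**` as a separate bold paragraph, so the generated heading id will not be `servicing-only` unless a hidden bookmark exists; please verify the link resolves after rendering, or give the heading the visible title so the id is predictable. The split into two paragraphs is fine, but note that the second paragraph now starts with "It is important to note", the same opener used two paragraphs earlier; consider a plainer lead such as "Only the Windows 10 Enterprise LTSB edition supports long-term servicing, and ...".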
@@ -17,14 +17,14 @@ author: jdeckerMS **In this article** -- [Why join Windows 10 Mobile to Azure AD](#why_join_windows_10_mobile_to_azure_ad) -- [Are you upgrading current devices to Windows 10 Mobile?](#BKMK_upgrade) -- [The difference between "add work account" and "join Azure AD"](#add_work_account) -- [Preparing for Windows 10 Mobile](#preparing_for_windows_10_mobile) -- [How to join Windows 10 Mobile to Azure AD](#how_to_join_windows_10_mobile_to_azure_ad) -- [Set up mail and calendar](#set_up_mail_and_calendar) -- [Use Office and OneDrive apps](#use_office_and_onedrive_apps) -- [Use Windows Store for Business](#use_windows_store_for_business) +- [Why join Windows 10 Mobile to Azure AD](#why-join-windows-10-mobile-to-azure-ad) +- [Are you upgrading current devices to Windows 10 Mobile?](#bkmk-upgrade) +- [The difference between "Add work account" and "Azure AD Join"](#add-work-account) +- [Preparing for Windows 10 Mobile](#preparing-for-windows-10-mobile) +- [How to join Windows 10 Mobile to Azure AD](#how-to-join-windows-10-mobile-to-azure-ad) +- [Set up mail and calendar](#set-up-mail-and-calendar) +- [Use Office and OneDrive apps](#use-office-and-onedrive-apps) +- [Use Windows Store for Business](#use-windows-store-for-business) Devices running Windows 10 Mobile can join Azure Active Directory (Azure AD) when the device is configured during the out-of-box experience (OOBE). This article describes the considerations and options for using Windows 10 Mobile with Azure AD in your organization. 
@@ -35,7 +35,7 @@ When a device running Windows 10 Mobile is joined to Azure AD, the device can e - Single sign-on (SSO) in applications like Mail, Word, and OneDrive using resources backed by Azure AD. -- SSO in Edge browser to Azure AD-connected web applications like Office 365 Portal, Visual Studio, and more than [2500 non-Microsoft apps](http://go.microsoft.com/fwlink/p/?LinkID=746211). +- SSO in Microsoft Edge browser to Azure AD-connected web applications like Office 365 Portal, Visual Studio, and more than [2500 non-Microsoft apps](http://go.microsoft.com/fwlink/p/?LinkID=746211). - SSO to resources on-premises. @@ -45,7 +45,7 @@ When a device running Windows 10 Mobile is joined to Azure AD, the device can e - Use Windows Store for Business to target applications to users. -## Are you upgrading current devices to Windows 10 Mobile? +## Are you upgrading current devices to Windows 10 Mobile? Windows Phone 8.1 only supported the ability to connect the device to personal cloud services using a Microsoft account for authentication. This required creating Microsoft accounts to be used for work purposes. In Windows 10 Mobile, you have the ability to join devices directly to Azure AD without requiring a personal Microsoft account. 
@@ -54,16 +54,22 @@ If you have existing Windows Phone 8.1 devices, the first thing to understand is Before upgrading and joining devices to Azure AD, you will want to consider existing data usage. How users are using the existing devices and what data is stored locally will vary for every customer. Are text messages used for work purposes and need to be backed up and available after the upgrade? Are there photos stored locally or stored associated with an Microsoft account? Are there device and app settings that to be retained? Are there contacts stored in the SIM or associated with an Microsoft account? You will need to explore methods for capturing and storing the data that needs to be retained before you join the devices to Azure AD. Photos, music files, and documents stored locally on the device can be copied from the device using a USB connection to a PC. -To join upgraded mobile devices to Azure AD, [the devices must be reset](reset-a-windows-10-mobile-device.md) to start the out-of-box experience for device setup. When the device is joined to Azure AD, the account used for authentication changes from the Microsoft account to an Azure AD account and this is not a change that can be done while maintaining all existing user data. This is similar to changing a device from personally owned to organizationally owned. When a user joins an organization’s domain, the user is then required to log in as the domain user and start with a fresh user profile. A new user profile means there would not be any persisted settings, apps, or data from the previous personal profile. +To join upgraded mobile devices to Azure AD, [the devices must be reset](reset-a-windows-10-mobile-device.md) to start the out-of-box experience for device setup. Joining a device to Azure AD is not a change that can be done while maintaining existing user data. This is similar to changing a device from personally owned to organizationally owned. 
When a user joins an organization’s domain, the user is then required to log in as the domain user and start with a fresh user profile. A new user profile means there would not be any persisted settings, apps, or data from the previous personal profile. -If you want to avoid the device reset process, consider [adding work accounts](#add_work_account) rather than joining the devices to Azure AD. +If you want to avoid the device reset process, consider [adding work accounts](#add-work-account) rather than joining the devices to Azure AD. -## The difference between "add work account" and "join Azure AD" +## The difference between "Add work account" and "Azure AD Join" -You can add access to Azure AD-backed resources on the device without resetting the device. However, this method does not provide SSO in the Windows Store and does not provide the ability to roam settings based on the Azure AD account using enterprise roaming. [Learn about enterprise state roaming in Azure AD.](http://go.microsoft.com/fwlink/p/?LinkId=734996) +Even though Azure AD Join on Windows 10 Mobile provides the best overall experience, there are two ways that you can use an added work account instead of joining the device to Azure AD due to organizational requirements. -Using **Settings** > **Accounts** > **Your email and accounts** > **Add work or school account**, users can add their Azure AD account to the device, keeping their Microsoft account as the primary account. If you [enable auto-enrollment in your MDM settings](http://go.microsoft.com/fwlink/p/?LinkID=691615), the device will automatically be enrolled in MDM. +- You can complete OOBE using the **Sign in later** option. This lets you start using Windows 10 Mobile with any connected Azure AD account or Microsoft account. + +- You can add access to Azure AD-backed resources on the device without resetting the device. 
+ +However, neither of these methods provides SSO in the Windows Store and does not provide the ability to roam settings based on the Azure AD account using enterprise roaming. [Learn about enterprise state roaming in Azure AD.](http://go.microsoft.com/fwlink/p/?LinkId=734996) + +Using **Settings** > **Accounts** > **Your email and accounts** > **Add work or school account**, users can add their Azure AD account to the device. Alternatively, a work account can be added when the user signs in to an application like Mail, Word, etc. If you [enable auto-enrollment in your MDM settings](http://go.microsoft.com/fwlink/p/?LinkID=691615), the device will automatically be enrolled in MDM. An added work account provides the same SSO experience in browser apps like Office 365 (Office portal, Outlook Web Access, Calendar, People, OneDrive), Azure AD profile and change password app, and Visual Studio. You get SSO to built-in applications like Mail, Calendar, People, OneDrive and files hosted on OneDrive without prompts for a password. In Office apps like Microsoft Word, Microsoft Excel, etc., you simply select the Azure AD account and you are able to open files without entering a password. 
@@ -72,13 +78,13 @@ An added work account provides the same SSO experience in browser apps like Offi - **Azure AD configuration** - Currently, Azure AD join only supports self-provisioning, meaning the credentials of the user of the device must be used during the initial setup of the device. If your mobile operator prepares devices on your behalf, this will impact your ability to join the device to Azure AD. + Currently, Azure AD Join only supports self-provisioning, meaning the credentials of the user of the device must be used during the initial setup of the device. If your mobile operator prepares devices on your behalf, this will impact your ability to join the device to Azure AD. Many IT administrators may start with a desire to set up devices for their employees, but the Azure AD Join experience is optimized for end-users, including the option for automatic MDM enrollment. By default, Azure AD is set up to allow devices to join and to allow users to use their corporate credentials on organizational-owned devices or personal devices. The blog post [Azure AD Join on Windows 10 devices](http://go.microsoft.com/fwlink/p/?LinkID=616791) has more information on where you can review your Azure AD settings. You can configure Azure AD to not allow anyone to join, to allow everyone in your organization to join, or you can select specific Azure AD groups which are allowed to join. - **Device setup** - A device running Windows 10 Mobile can only join Azure AD during OOBE. New devices from mobile operators will be in this state when they are received. Windows Phone 8.1 devices that are [upgraded](#BKMK_upgrade) to Windows 10 Mobile will need to be reset to get back to OOBE for device setup. + A device running Windows 10 Mobile can only join Azure AD during OOBE. New devices from mobile operators will be in this state when they are received. 
Windows Phone 8.1 devices that are [upgraded](#bkmk-upgrade) to Windows 10 Mobile will need to be reset to get back to OOBE for device setup. - **Mobile device management** @@ -163,12 +169,22 @@ Return to **Settings** > **Accounts** > **Your email and accounts**, and y Office applications like Microsoft Word and Microsoft PowerPoint will automatically sign you in with your Azure AD account. When you open an Office app, you see a screen that allows you to choose between a Microsoft account and Azure AD account. Office shows this screen while it is automatically signing you in, so just be patient for a couple seconds and Office will automatically sign you in using your Azure AD account. -Microsoft Word automatically shows the documents recently opened on other devices. Opening a document allows you to jump straight to the same section you were last editing on another device. Microsoft PowerPoint shows your recently opened slide decks. +Microsoft Word automatically shows the documents recently opened on other devices. Opening a document allows you to jump straight to the same section you were last editing on another device. + +![word](images/aadjword.jpg) + +Microsoft PowerPoint shows your recently opened slide decks. + +![powerpoint](images/aadjppt.jpg) The OneDrive application also uses SSO, showing you all your documents and enabling you to open them without any authentication experience. +![onedrive](images/aadjonedrive.jpg) + In addition to application SSO, Azure AD joined devices also get SSO for browser applications which trust Azure AD, such as web applications, Visual Studio, Office 365 portal, and OneDrive for Business. +![browser apps](images/aadjbrowser.jpg) + OneNote requires a Microsoft account, but you can use it with your Azure AD account as well. ![sign in to onenote](images/aadjonenote.jpg) diff --git a/windows/manage/lock-down-windows-10-to-specific-apps.md b/windows/manage/lock-down-windows-10-to-specific-apps.md index 52bfccf8a0..56b14bd016 100644 
--- a/windows/manage/lock-down-windows-10-to-specific-apps.md +++ b/windows/manage/lock-down-windows-10-to-specific-apps.md @@ -18,10 +18,10 @@ author: jdeckerMS **In this article** -- [Install apps](#install_apps) -- [Use AppLocker to set rules for apps](#use_applocker_to_set_rules_for_apps) -- [Other settings to lock down](#other_settings_to_lock_down) -- [Customize Start screen layout for the device](#customize_start_screen_layout_for_the_device) +- [Install apps](#install-apps) +- [Use AppLocker to set rules for apps](#use-applocker-to-set-rules-for-apps) +- [Other settings to lock down](#other-settings-to-lock-down) +- [Customize Start screen layout for the device](#customize-start-screen-layout-for-the-device) Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. The result is similar to [a kiosk device](set-up-a-device-for-anyone-to-use.md), but with multiple apps available. For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings. diff --git a/windows/manage/lock-down-windows-10.md b/windows/manage/lock-down-windows-10.md index 6cb03fe5ef..ac4f1a456a 100644 --- a/windows/manage/lock-down-windows-10.md +++ b/windows/manage/lock-down-windows-10.md @@ -43,23 +43,28 @@ Enterprises often need to manage how people use corporate devices. Windows 10 p

- - + + + + + + - + - + - + diff --git a/windows/manage/lockdown-xml.md b/windows/manage/lockdown-xml.md index 75ae863b1b..6fdf49059d 100644 --- a/windows/manage/lockdown-xml.md +++ b/windows/manage/lockdown-xml.md @@ -17,12 +17,12 @@ author: jdeckerMS **In this article** -- [Order of lockdown settings](#order_of_lockdown_settings) -- [Configuring multiple app packages](#BMK_map) -- [Lockdown example to use in a lockdown XML file](#lockdown_example_to_use_in_a_lockdown_xml_file) -- [Add lockdown XML to a provisioning package](#add_lockdown_xml_to_a_provisioning_package) -- [Push lockdown XML using MDM](#push_lockdown_xml_using_mdm) -- [Related topics](#related_topics) +- [Order of lockdown settings](#order-of-lockdown-settings) +- [Configuring multiple app packages](#bmk-map) +- [Lockdown example to use in a lockdown XML file](#lockdown-example-to-use-in-a-lockdown-xml-file) +- [Add lockdown XML to a provisioning package](#add-lockdown-xml-to-a-provisioning-package) +- [Push lockdown XML using MDM](#push-lockdown-xml-using-mdm) +- [Related topics](#related-topics) Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device. For example, the enterprise can lock down a device so that only applications and settings in an allow list are available. @@ -41,7 +41,7 @@ The configuration items must be in the following order when you lock down settin - ActionCenter - Apps - Application product ID, as described in [Product IDs in Windows 10 Mobile](http://go.microsoft.com/fwlink/p/?LinkId=698449) - - App User Model ID, as described in [Configuring Multiple App Packages](#BMK_map) + - App User Model ID, as described in [Configuring Multiple App Packages](#bmk-map) - PinToStart - Size - Location 
@@ -66,7 +66,7 @@ The configuration items must be in the following order when you lock down settin - ActionCenter - Apps - Application product ID, as described in [Product IDs in Windows 10 Mobile](http://go.microsoft.com/fwlink/p/?LinkId=698449) - - App User Model ID (AUMID), as described in [Configuring Multiple App Packages](#BMK_map) + - App User Model ID (AUMID), as described in [Configuring Multiple App Packages](#bmk-map) - PinToStart - Size - Location @@ -87,7 +87,7 @@ The configuration items must be in the following order when you lock down settin - Enable tile manipulation - StartScreenSize -## Configuring multiple app packages +## Configuring multiple app packages Multiple app packages enable multiple apps to exist inside the same package. Since product IDs identify packages and not applications, specifying a product ID is not enough to distinguish between individual apps inside a multiple app package. Trying to pin application tiles from a multiple app package with just a product ID can result in unexpected behavior. diff --git a/windows/manage/manage-access-to-private-store.md b/windows/manage/manage-access-to-private-store.md index 6dee688668..09664ba97f 100644 --- a/windows/manage/manage-access-to-private-store.md +++ b/windows/manage/manage-access-to-private-store.md 
@@ -21,7 +21,7 @@ The private store is a feature in Store for Business that organizations receive ![](images/wsfb-wsappprivatestore.png) -Organizations using an MDM to manage apps can use a policy to show only the private store. When your MDM supports the Store for Business, the MDM can use the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#group_policy_table). More specifically, the **ApplicationManagement/RequirePrivateStoreOnly** policy. +Organizations using an MDM to manage apps can use a policy to show only the private store. When your MDM supports the Store for Business, the MDM can use the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#group-policy-table). More specifically, the **ApplicationManagement/RequirePrivateStoreOnly** policy. You can also prevent employees from using the Windows Store. For more information, see [Configure access to Windows Store](stop-employees-from-using-the-windows-store.md). diff --git a/windows/manage/manage-corporate-devices.md b/windows/manage/manage-corporate-devices.md index f05c0d2b34..496f5d11e0 100644 --- a/windows/manage/manage-corporate-devices.md +++ b/windows/manage/manage-corporate-devices.md 
@@ -19,11 +19,11 @@ author: jdeckerMS **In this article** -- [Identity and management options](#identity_and_management_options) -- [How setting conflicts are resolved](#how_setting_conflicts_are_resolved) -- [MDM enrollment](#mdm_enrollment) -- [Learn more](#learn_more) -- [Related topics](#related_topics) +- [Identity and management options](#identity-and-management-options) +- [How setting conflicts are resolved](#how-setting-conflicts-are-resolved) +- [MDM enrollment](#mdm-enrollment) +- [Learn more](#learn-more) +- [Related topics](#related-topics) You can use the same management tools to manage all device types running Windows 10 : desktops, laptops, tablets, and phones. And your current management tools, such as Group Policy, Windows Management Instrumentation (WMI), Windows PowerShell scripts, Orchestrator runbooks, System Center tools, and so on, will continue to work for Windows 10 on desktop editions. diff --git a/windows/manage/manage-cortana-in-your-enterprise.md b/windows/manage/manage-cortana-in-your-enterprise.md index b356bfd53c..4dfb5f15fb 100644 --- a/windows/manage/manage-cortana-in-your-enterprise.md +++ b/windows/manage/manage-cortana-in-your-enterprise.md @@ -15,7 +15,7 @@ author: jdeckerMS The world’s first personal digital assistant helps users get things done, even at work. Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments. -## Cortana integration with Office 365 +## Cortana integration with Office 365 Cortana in Windows 10 is already great at letting your employees quickly see what the day is going to look like, see where and when their meetings are going to be, get a sense of travel times to and from work, and even get updates from a calendar for upcoming trips. 
@@ -28,7 +28,7 @@ But Cortana works even harder when she connects to Office 365, helping employees - For a quick review of the frequently asked questions about Cortana and Office 365 integration, see the blog post, [An early look at Cortana integration with Office 365](http://go.microsoft.com/fwlink/p/?LinkId=717379). -## Set up Cortana using Group Policy and MDM policies +## Set up Cortana using Group Policy and MDM policies Set up and manage Cortana by using the following Group Policy and mobile device management (MDM) policies. @@ -169,7 +169,7 @@ Set up and manage Cortana by using the following Group Policy and mobile device - For specific info about how to set, manage, and use each of these MDM policies to configure Cortana in your enterprise, see the [Policy CSP](http://go.microsoft.com/fwlink/p/?LinkId=717380) topic, located in the configuration service provider reference topics. For specific info about how to set, manage, and use each of these Group Policies to configure Cortana in your enterprise, see the [Group Policy TechCenter](http://go.microsoft.com/fwlink/p/?LinkId=717381). -## Cortana and Power BI +## Cortana and Power BI Integration between Cortana and Power BI shows how Cortana can work with custom business analytics solutions to enable you to get answers directly from your key business data, including introducing new features that let you create custom Cortana answers using the full capabilities of Power BI Desktop. 
@@ -178,6 +178,19 @@ Integration between Cortana and Power BI shows how Cortana can work with custom - For specific info about how to start using Power BI and Cortana integration, how to customize your data results, and how to use the “Hey Cortana” functionality, see the [Power BI: Announcing Power BI integration with Cortana and new ways to quickly find insights in your data](http://go.microsoft.com/fwlink/p/?LinkId=717382) blog. +## Cortana and Microsoft Dynamics CRM + + +Cortana integration is a Preview feature that's available for your test or dev environment, starting with the CRM Online 2016 Update. If you decide to use this Preview feature, you'll need to turn in on and accept the license terms. After that, salespeople will get proactive insights from Cortana on important CRM activities, including sales leads, accounts, and opportunities; presenting the most relevant info at any given time. + +**More info:** + +- For more info about Preview features, see [What are Preview features and how do I enable them?](http://go.microsoft.com/fwlink/p/?LinkId=746817). + +- For more info about Cortana, see [What is Cortana?](http://go.microsoft.com/fwlink/p/?LinkId=746818). + +- For more info about CRM integration, how to turn on Cortana, and how to provide feedback, see [Preview feature: Set up Cortana integration](http://go.microsoft.com/fwlink/?LinkId=746819). + ## Cortana and privacy diff --git a/windows/manage/manage-privacy-for-windows-10-in-your-company.md b/windows/manage/manage-privacy-for-windows-10-in-your-company.md index b7049761c4..9561569ca2 100644 --- a/windows/manage/manage-privacy-for-windows-10-in-your-company.md +++ b/windows/manage/manage-privacy-for-windows-10-in-your-company.md 
@@ -1,142 +1,139 @@ --- -title: Configure telemetry and other settings in your organization (Windows 10) -description: Learn about the telemetry that Microsoft gathers, the network connections that Windows components make to Microsoft, and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro. +title: Disconnect from Microsoft and configure privacy settings in your organization (Windows 10) +description: If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider.If you’re looking for content on what each telemetry level means and how to configure it in your organization, see Configure telemetry in your organization. ms.assetid: ACCEB0DD-BC6F-41B1-B359-140B242183D9 +keywords: ["privacy"] ms.prod: W10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerMS --- -# Configure telemetry and other settings in your organization +# Disconnect from Microsoft and configure privacy settings in your organization **Applies to** - Windows 10 -Learn about the telemetry that Microsoft gathers, the network connections that Windows components make to Microsoft, and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro. +If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider. -If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider. You can configure telemetry at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article. 
+If you’re looking for content on what each telemetry level means and how to configure it in your organization, see [Configure telemetry in your organization](configure-telemetry-in-your-organization.md). -**Note**  Telemetry is a term that means different things to different people and organizations. For the purpose of this article, we discuss telemetry as system data that is uploaded by the Connected User Experience and Telemetry component. The telemetry data is used to keep Windows devices secure, and to help Microsoft improve the quality of Windows and Microsoft services. We discuss separately the network connections that Windows features and components make directly to Microsoft Services. It is used to provide a service to the user as part of Windows. +Some of the network connections discussed in this article can be managed in Windows 10 Mobile, Windows 10 Mobile Enterprise, and the July release of Windows 10. However, you must use Windows 10 Enterprise, version 1511 or Windows 10 Education, version 1511 to manage them all. -  +In Windows 10 Enterprise, version 1511 or Windows 10 Education, version 1511, you can configure telemetry at the [Security level](configure-telemetry-in-your-organization.md#security-level), turn off Windows Defender telemetry and MSRT reporting, and turn off all other connections to Microsoft services as described in this article to prevent Windows from sending any data to Microsoft. We strongly recommend against this, as this data helps us deliver a secure, reliable, and more delightful personalized experience. -Some of the network connections discussed in this article can be managed in Windows 10 Mobile, Windows 10 Mobile Enterprise, and the July release of Windows 10. However, you must use Windows 10 Enterprise, Version 1511 or Windows 10 Education, Version 1511 to manage them all. 
- -In Windows 10 Enterprise, Version 1511 or Windows 10 Education, Version 1511, you can configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all other connections to Microsoft services as described in this article to prevent Windows from sending any data to Microsoft. We strongly recommend against this, as this data helps us deliver a secure, reliable, and more delightful personalized experience. +The settings in this article assume you are using Windows 10, version 1511 (currently available in the Current Branch and Current Branch for Business). They will also be included in the next update for the Long Term Servicing Branch. We are always working on improving Windows 10 for our customers. We invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows 10 work better for your organization. Here's what's covered in this article: -- [Info management settings](#bkmk-othersettings) +- [1. Cortana](#cortana) - - [1. Cortana](#1-cortana) + - [1.1 Cortana Group Policies](#cortana-group-policies) - - [1.1 Cortana Group Policies](#bkmk-cortana-gp) + - [1.2 Cortana MDM policies](#cortana-mdm-policies) - - [1.2 Cortana MDM policies](#bkmk-cortana-mdm) + - [1.3 Cortana Windows Provisioning](#cortana-windows-provisioning) - - [1.3 Cortana Windows Provisioning](#bkmk-cortana-prov) +- [2. Device metadata retrieval](#device-metadata-retrieval) - - [2. Device metadata retrieval](#bkmk-devinst) +- [3. Insider Preview builds](#insider-preview-builds) - - [3. Insider Preview builds](#bkmk-previewbuilds) +- [4. Internet Explorer](#internet-explorer) - - [4. 
Internet Explorer](#bkmk-ie) + - [4.1 Internet Explorer Group Policies](#internet-explorer-group-policies) - - [4.1 Internet Explorer Group Policies](#bkmk-ie-gp) + - [4.2 ActiveX control blocking](#internet-explorer-activex-control-blocking) - - [4.2 ActiveX control blocking](#bkmk-ie-activex) +- [5. Mail synchronization](#mail-synchronization) - - [5. Mail synchronization](#bkmk-mailsync) +- [6. Microsoft Edge](#microsoft-edge) - - [6. Microsoft Edge](#bkmk-edge) + - [6.1 Microsoft Edge Group Policies](#microsoft-edge-group-policies) - - [6.1 Microsoft Edge Group Policies](#bkmk-edgegp) + - [6.2 Microsoft Edge MDM policies](#microsoft-edge-mdm-policies) - - [6.2 Microsoft Edge MDM policies](#bkmk-edge-mdm) + - [6.3 Microsoft Edge Windows Provisioning](#microsoft-edge-windows-provisioning) - - [6.3 Microsoft Edge Windows Provisioning](#bkmk-edge-prov) +- [7. Network Connection Status Indicator](#network-connection-status-indicator) - - [7. Network Connection Status Indicator](#bkmk-ncsi) +- [8. Offline maps](#offline-maps) - - [8. Offline maps](#bkmk-offlinemaps) +- [9. OneDrive](#onedrive) - - [9. OneDrive](#bkmk-onedrive) +- [10. Preinstalled apps](#preinstalled-apps) - - [10. Preinstalled apps](#bkmk-preinstalledapps) +- [11. Settings > Privacy](#settings--privacy) - - [11. 
Settings > Privacy](#bkmk-settingssection) + - [11.1 General](#general) - - [11.1 General](#bkmk-general) + - [11.2 Location](#location) - - [11.2 Location](#bkmk-priv-location) + - [11.3 Camera](#camera) - - [11.3 Camera](#bkmk-priv-camera) + - [11.4 Microphone](#microphone) - - [11.4 Microphone](#bkmk-priv-microphone) + - [11.5 Speech, inking, & typing](#speech-inking--typing) - - [11.5 Speech, inking, & typing](#bkmk-priv-speech) + - [11.6 Account info](#account-info) - - [11.6 Account info](#bkmk-priv-accounts) + - [11.7 Contacts](#contacts) - - [11.7 Contacts](#bkmk-priv-contacts) + - [11.8 Calendar](#calendar) - - [11.8 Calendar](#bkmk-priv-calendar) + - [11.9 Call history](#settings-call-history) - - [11.9 Call history](#bkmk-priv-callhistory) + - [11.10 Email](#settings-email) - - [11.10 Email](#bkmk-priv-email) + - [11.11 Messaging](#settings-messaging) - - [11.11 Messaging](#bkmk-priv-messaging) + - [11.12 Radios](#settings-radios) - - [11.12 Radios](#bkmk-priv-radios) + - [11.13 Other devices](#settings-other-devices) - - [11.13 Other devices](#bkmk-priv-other-devices) + - [11.14 Feedback & diagnostics](#settings-feedback) - - [11.14 Feedback & diagnostics](#bkmk-priv-feedback) + - [11.15 Background apps](#settings-background-apps) - - [11.15 Background apps](#bkmk-priv-background) +- [12. Software Protection Platform](#software-protection-platform) - - [12. Software Protection Platform](#bkmk-spp) +- [13. Sync your settings](#sync-your-settings) - - [13. Sync your settings](#bkmk-syncsettings) +- [14. Teredo](#teredo) - - [14. Teredo](#bkmk-teredo) +- [15. Wi-Fi Sense](#wi-fi-sense) - - [15. Wi-Fi Sense](#bkmk-wifisense) +- [16. Windows Defender](#windows-defender) - - [16. Windows Defender](#bkmk-defender) +- [17. Windows Media Player](#windows-media-player) - - [17. Windows Media Player](#bkmk-wmp) +- [18. Windows spotlight](#windows-spotlight) - - [18. Windows spotlight](#bkmk-spotlight) +- [19. Windows Store](#windows-store) - - [19. 
Windows Store](#bkmk-windowsstore) +- [20. Windows Update Delivery Optimization](#windows-update-delivery-optimization) - - [20 Windows Update Delivery Optimization](#bkmk-updates) + - [20.1 Settings > Update & security](#settings--update-security) - - [20.1 Settings > Update & security](#bkmk-wudo-ui) + - [20.2 Delivery Optimization Group Policies](#delivery-optimization-group-policies) - - [20.2 Delivery Optimization Group Policies](#bkmk-wudo-gp) + - [20.3 Delivery Optimization MDM policies](#delivery-optimization-mdm-policies) - - [20.3 Delivery Optimization MDM policies](#bkmk-wudo-mdm) + - [20.4 Delivery Optimization Windows Provisioning](#delivery-optimization-windows-provisioning) - - [20.4 Delivery Optimization Windows Provisioning](#bkmk-wudo-prov) +- [21. Windows Update](#windows-update) - - [21. Windows Update](#bkmk-wu) +See the following table for a summary of the settings. For more info, see its corresponding section. -- [Manage your telemetry settings](#bkmk-utc) +![](images/settings-table.png) -- [How telemetry works](#bkmk-moreutc) - -## What's new in Windows 10, Version 1511 +## What's new in Windows 10, version 1511 -Here's a list of changes that were made to this article for Windows 10, Version 1511: +Here's a list of changes that were made to this article for Windows 10, version 1511: - Added the following new sections: 
@@ -186,64 +183,12 @@ Here's a list of changes that were made to this article for Windows 10, Version - Changed the Windows Update section to apply system-wide settings, and not just per user. -## Info management settings +## 1. Cortana -This section lists the components that make network connections to Microsoft services automatically. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all of these connections. We strongly recommend against this, as this data helps us deliver a secure, reliable, and more delightful personalized experience. - -The settings in this section assume you are using Windows 10, Version 1511 (currently available in the Current Branch and Current Branch for Business). They will also be included in the next update for the Long Term Servicing Branch. - -- [1. Cortana](#bkmk-cortana) - -- [2. Device metadata retrieval](#bkmk-devinst) - -- [3. Insider Preview builds](#bkmk-previewbuilds) - -- [4. Internet Explorer](#bkmk-ie) - -- [5. Mail synchronization](#bkmk-mailsync) - -- [6. Microsoft Edge](#bkmk-edge) - -- [7. Network Connection Status Indicator](#bkmk-ncsi) - -- [8. Offline maps](#bkmk-offlinemaps) - -- [9. OneDrive](#bkmk-onedrive) - -- [10. Preinstalled apps](#bkmk-preinstalledapps) - -- [11. Settings > Privacy](#bkmk-settingssection) - -- [12. Software Protection Platform](#bkmk-spp) - -- [13. Sync your settings](#bkmk-syncsettings) - -- [14. Teredo](#bkmk-teredo) - -- [15. Wi-Fi Sense](#bkmk-wifisense) - -- [16. Windows Defender](#bkmk-defender) - -- [17. Windows Media Player](#bkmk-wmp) - -- [18. Windows spotlight](#bkmk-spotlight) - -- [19. Windows Store](#bkmk-windowsstore) - -- [20. Windows Update](#bkmk-wu) - -- [21. Windows Update Delivery Optimization](#bkmk-updates) - -See the following table for a summary of the management settings. 
For more info, see its corresponding section. - -![](images/priv-settings-table-1511.png) - -### 1. Cortana - Use either Group Policy or MDM policies to manage settings for Cortana. For more info, see [Cortana, Search, and privacy: FAQ]( http://go.microsoft.com/fwlink/p/?LinkId=730683). -### 1.1 Cortana Group Policies +### 1.1 Cortana Group Policies Find the Cortana Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Search**. @@ -319,7 +264,7 @@ If your organization tests network traffic, you should not use Fiddler to test W   -### 1.2 Cortana MDM policies +### 1.2 Cortana MDM policies The following Cortana MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). @@ -350,15 +295,17 @@ The following Cortana MDM policies are available in the [Policy CSP](http://msdn   -### 1.3 Cortana Windows Provisioning +### 1.3 Cortana Windows Provisioning To use Windows Imaging and Configuration Designer (ICD) to create a provisioning package with the settings for these policies, go to **Runtime settings** > **Policies** to find **Experience** > **AllowCortana** and **Search** > **AllowSearchToUseLocation**. -### 2. Device metadata retrieval +## 2. Device metadata retrieval + To prevent Windows from retrieving device metadata from the Internet, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Device Installation** > **Prevent device metadata retrieval from the Internet**. -### 3. Insider Preview builds +## 3. Insider Preview builds + To turn off Insider Preview builds if you're running a released version of Windows 10. If you're running a preview version of Windows 10, you must roll back to a released version before you can turn off Insider Preview builds. 
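Review bot: deleting the `## Info management settings` intro in the `@@ -186,64` hunk loses the only statement of scope for everything that follows: the sentence that these settings assume Windows 10, Version 1511 (Current Branch and Current Branch for Business, with LTSB to follow) and the sentence explaining that stopping all data flow requires the Security telemetry level plus turning off Windows Defender telemetry and MSRT reporting. With the heading promoted to `## 1. Cortana`, readers now land on Cortana with no framing; suggest keeping at least `The settings in this section assume you are using Windows 10, version 1511.` under the summary table. Separately, the `-### 1.1 Cortana Group Policies` / `+### 1.1 Cortana Group Policies` pairs here and in the `@@ -319,7` and `@@ -350,15` hunks show no visible difference; if these are trailing-whitespace or hidden-anchor changes, say so in the commit message, since `refreshing build (3/11/16)` gives a reviewer nothing to check against.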
@@ -388,11 +335,12 @@ To turn off Insider Preview builds if you're running a released version of Windo - **2**. (default) Not configured. Users can make their devices available for download and installing preview software. -### 4. Internet Explorer +## 4. Internet Explorer + Use Group Policy to manage settings for Internet Explorer. -### 4.1 Internet Explorer Group Policies +### 4.1 Internet Explorer Group Policies Find the Internet Explorer Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer**. @@ -440,13 +388,14 @@ Find the Internet Explorer Group Policy objects under **Computer Configuration**   -### 4.2 ActiveX control blocking +### 4.2 ActiveX control blocking ActiveX control blocking periodically downloads a new list of out-of-date ActiveX controls that should be blocked. You can turn this off by changing the REG\_DWORD registry setting **HKEY\_CURRENT\_USER\\Software\\Microsoft\\Internet Explorer\\VersionManager\\DownloadVersionList** to 0 (zero). For more info, see [Out-of-date ActiveX control blocking](http://technet.microsoft.com/library/dn761713.aspx). -### 5. Mail synchronization +## 5. Mail synchronization + To turn off mail synchronization for Microsoft Accounts that are configured on a device: 
@@ -464,16 +413,17 @@ To turn off the Windows Mail app: - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Mail** > **Turn off Windows Mail application** -### 6. Microsoft Edge +## 6. Microsoft Edge + Use either Group Policy or MDM policies to manage settings for Microsoft Edge. For more info, see [Microsoft Edge and privacy: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730682). -### 6.1 Microsoft Edge Group Policies +### 6.1 Microsoft Edge Group Policies Find the Microsoft Edge Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge**. **Note**   -The Microsoft Edge Group Policy names were changed in Windows 10, Version 1511. The table below reflects those changes. +The Microsoft Edge Group Policy names were changed in Windows 10, version 1511. The table below reflects those changes.   @@ -529,7 +479,7 @@ The Microsoft Edge Group Policy names were changed in Windows 10, Version 1511.   -### 6.2 Microsoft Edge MDM policies +### 6.2 Microsoft Edge MDM policies The following Microsoft Edge MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). 
@@ -575,13 +525,14 @@ The following Microsoft Edge MDM policies are available in the [Policy CSP](http   -### 6.3 Microsoft Edge Windows Provisioning +### 6.3 Microsoft Edge Windows Provisioning Use Windows ICD to create a provisioning package with the settings for these policies, go to **Runtime settings** > **Policies**. For a complete list of the Microsoft Edge policies, see [Available policies for Microsoft Edge](http://technet.microsoft.com/library/mt270204.aspx). -### 7. Network Connection Status Indicator +## 7. Network Connection Status Indicator + Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftncsi.com to determine if the device can communicate with the Internet. For more info about NCIS, see [The Network Connection Status Icon](http://blogs.technet.com/b/networking/archive/2012/12/20/the-network-connection-status-icon.aspx). @@ -589,7 +540,8 @@ You can turn off NCSI through Group Policy: - Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Windows Network Connectivity Status Indicator active tests** -### 8. Offline maps +## 8. Offline maps + You can turn off the ability to download and update offline maps. 
@@ -599,13 +551,15 @@ You can turn off the ability to download and update offline maps. - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off Automatic Download and Update of Map Data** -### 9. OneDrive +## 9. OneDrive + To turn off OneDrive in your organization: - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **OneDrive** > **Prevent the usage of OneDrive for file storage** -### 10. Preinstalled apps +## 10. Preinstalled apps + Some preinstalled apps get content before they are opened to ensure a great experience. You can remove these using the steps in this section. @@ -717,41 +671,12 @@ To remove the Get Skype app: Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.SkypeApp | Remove-AppxPackage** -### 11. Settings > Privacy +## 11. Settings > Privacy + Use Settings > Privacy to configure some settings that may be important to your organization. Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC. -- [11.1 General](#bkmk-general) - -- [11.2 Location](#bkmk-priv-location) - -- [11.3 Camera](#bkmk-priv-camera) - -- [11.4 Microphone](#bkmk-priv-microphone) - -- [11.5 Speech, inking, & typing](#bkmk-priv-speech) - -- [11.6 Account info](#bkmk-priv-accounts) - -- [11.7 Contacts](#bkmk-priv-contacts) - -- [11.8 Calendar](#bkmk-priv-calendar) - -- [11.9 Call history](#bkmk-priv-callhistory) - -- [11.10 Email](#bkmk-priv-email) - -- [11.11 Messaging](#bkmk-priv-messaging) - -- [11.12 Radios](#bkmk-priv-radios) - -- [11.13 Other devices](#bkmk-priv-other-devices) - -- [11.14 Feedback & diagnostics](#bkmk-priv-feedback) - -- [11.15 Background apps](#bkmk-priv-background) - -### 11.1 General +### 11.1 General **General** includes options that don't fall into other areas. 
@@ -823,7 +748,7 @@ To turn off **Let websites provide locally relevant content by accessing my lang - Create a new REG\_DWORD registry setting called **HttpAcceptLanguageOptOut** in **HKEY\_CURRENT\_USER\\Control Panel\\International\\User Profile**, with a value of 1. -### 11.2 Location +### 11.2 Location In the **Location** area, you choose whether devices have access to location-specific sensors and which apps have access to the device's location. @@ -876,7 +801,7 @@ To turn off **Choose apps that can use your location**: - Turn off each app using the UI. -### 11.3 Camera +### 11.3 Camera In the **Camera** area, you can choose which apps can access a device's camera. @@ -915,7 +840,7 @@ To turn off **Choose apps that can use your camera**: - Turn off the feature in the UI for each app. -### 11.4 Microphone +### 11.4 Microphone In the **Microphone** area, you can choose which apps can access a device's microphone. @@ -933,7 +858,7 @@ To turn off **Choose apps that can use your microphone**: - Turn off the feature in the UI for each app. -### 11.5 Speech, inking, & typing +### 11.5 Speech, inking, & typing In the **Speech, Inking, & Typing** area, you can let Windows and Cortana better understand your employee's voice and written input by sampling their voice and writing, and by comparing verbal and written input to contact names and calendar entrees. @@ -958,7 +883,7 @@ To turn off the functionality: Create a REG\_DWORD registry setting called **HarvestContacts** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\InputPersonalization\\TrainedDataStore**, with a value of 0 (zero). -### 11.6 Account info +### 11.6 Account info In the **Account Info** area, you can choose which apps can access your name, picture, and other account info. 
@@ -976,7 +901,7 @@ To turn off **Choose the apps that can access your account info**: - Turn off the feature in the UI for each app. -### 11.7 Contacts +### 11.7 Contacts In the **Contacts** area, you can choose which apps can access an employee's contacts list. @@ -990,7 +915,7 @@ To turn off **Choose apps that can access contacts**: - Set the **Select a setting** box to **Force Deny**. -### 11.8 Calendar +### 11.8 Calendar In the **Calendar** area, you can choose which apps have access to an employee's calendar. @@ -1008,7 +933,7 @@ To turn off **Choose apps that can access calendar**: - Turn off the feature in the UI for each app. -### 11.9 Call history +### 11.9 Call history In the **Call history** area, you can choose which apps have access to an employee's call history. @@ -1022,7 +947,7 @@ To turn off **Let apps access my call history**: - Set the **Select a setting** box to **Force Deny**. -### 11.10 Email +### 11.10 Email In the **Email** area, you can choose which apps have can access and send email. @@ -1036,7 +961,7 @@ To turn off **Let apps access and send email**: - Set the **Select a setting** box to **Force Deny**. -### 11.11 Messaging +### 11.11 Messaging In the **Messaging** area, you can choose which apps can read or send messages. @@ -1054,7 +979,7 @@ To turn off **Choose apps that can read or send messages**: - Turn off the feature in the UI for each app. -### 11.12 Radios +### 11.12 Radios In the **Radios** area, you can choose which apps can turn a device's radio on or off. @@ -1072,7 +997,7 @@ To turn off **Choose apps that can control radios**: - Turn off the feature in the UI for each app. -### 11.13 Other devices +### 11.13 Other devices In the **Other Devices** area, you can choose whether devices that aren't paired to PCs, such as an Xbox One, can share and sync info. 
@@ -1090,7 +1015,7 @@ To turn off **Let your apps use your trusted devices (hardware you've already co - Set the **Select a setting** box to **Force Deny**. -### 11.14 Feedback & diagnostics +### 11.14 Feedback & diagnostics In the **Feedback & Diagnostics** area, you can choose how often you're asked for feedback and how much diagnostic and usage information is sent to Microsoft. @@ -1164,7 +1089,7 @@ To change the level of diagnostic and usage data sent when you **Send your devic - **3**. Maps to the [Full](#bkmk-utc-full) level. -### 11.15 Background apps +### 11.15 Background apps In the **Background Apps** area, you can choose which apps can run in the background. @@ -1172,7 +1097,8 @@ To turn off **Let apps run in the background**: - Turn off the feature in the UI for each app. -### 12. Software Protection Platform +## 12. Software Protection Platform + Enterprise customers can manage their Windows activation status with volume licensing using an on-premise Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by applying the following Group Policy: @@ -1180,7 +1106,8 @@ Enterprise customers can manage their Windows activation status with volume lice The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS. -### 13. Sync your settings +## 13. Sync your settings + You can control if your settings are synchronized: 
@@ -1206,13 +1133,15 @@ To turn off Messaging cloud sync: - Create a REG\_DWORD registry setting called **CloudServiceSyncEnabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Messaging**, with a value of 0 (zero). -### 14. Teredo +## 14. Teredo + You can disable Teredo by using the netsh.exe command. For more info on Teredo, see [Internet Protocol Version 6, Teredo, and Related Technologies](http://technet.microsoft.com/library/cc722030.aspx). - From an elevated command prompt, run **netsh interface teredo set state disabled** -### 15. Wi-Fi Sense +## 15. Wi-Fi Sense + Wi-Fi Sense automatically connects devices to known hotspots and to the wireless networks the person’s contacts have shared with them. @@ -1238,7 +1167,8 @@ To turn off **Connect to suggested open hotspots** and **Connect to networks sha When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but they’re non-functional and they can’t be controlled by the employee. -### 16. Windows Defender +## 16. Windows Defender + You can opt of the Microsoft Antimalware Protection Service. @@ -1274,7 +1204,8 @@ You can stop sending file samples back to Microsoft. You can also use the registry to turn off Malicious Software Reporting Tool telemetry by setting the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\MRT\\DontReportInfectionInformation** to 1. -### 17. Windows Media Player +## 17. Windows Media Player + To remove Windows Media Player: @@ -1284,7 +1215,8 @@ To remove Windows Media Player: - Run the following DISM command from an elevated command prompt: **dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer** -### 18. Windows spotlight +## 18. Windows spotlight + Windows spotlight provides different background images and text on the lock screen. You can control it by using the user interface or through Group Policy. 
@@ -1315,13 +1247,15 @@ Windows spotlight provides different background images and text on the lock scre For more info, see [Windows spotlight on the lock screen](../whats-new/windows-spotlight.md). -### 19. Windows Store +## 19. Windows Store + You can turn off the ability to launch apps from the Windows Store that were preinstalled or downloaded. This will also turn off automatic app updates, and the Windows Store will be disabled. - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Disable all apps from Windows Store**. -### 20. Windows Update Delivery Optimization +## 20. Windows Update Delivery Optimization + Windows Update Delivery Optimization lets you get Windows updates and Windows Store apps from sources in addition to Microsoft, which not only helps when you have a limited or unreliable Internet connection, but can also help you reduce the amount of bandwidth needed to keep all of your organization’s PCs up-to-date. If you have Delivery Optimization turned on, PCs on your network may send and receive updates and apps to other PCs on your local network, if you choose, or to PCs on the Internet. @@ -1329,13 +1263,13 @@ By default, PCs running Windows 10 Enterprise and Windows 10 Education will on Use the UI, Group Policy, MDM policies, or Windows Provisioning to set up Delivery Optimization. -### 20.1 Settings > Update & security +### 20.1 Settings > Update & security You can set up Delivery Optimization from the **Settings** UI. - Go to **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Choose how updates are delivered**. -### 20.2 Delivery Optimization Group Policies +### 20.2 Delivery Optimization Group Policies You can find the Delivery Optimization Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Delivery Optimization**. 
@@ -1392,7 +1326,7 @@ You can find the Delivery Optimization Group Policy objects under **Computer Con   -### 20.3 Delivery Optimization MDM policies +### 20.3 Delivery Optimization MDM policies The following Delivery Optimization MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). @@ -1449,7 +1383,7 @@ The following Delivery Optimization MDM policies are available in the [Policy CS   -### 20.4 Delivery Optimization Windows Provisioning +### 20.4 Delivery Optimization Windows Provisioning If you don't have an MDM server in your enterprise, you can use Windows Provisioning to configure the Delivery Optimization policies @@ -1465,7 +1399,8 @@ Use Windows ICD, included with the [Windows Assessment and Deployment Kit (Windo For more info about Delivery Optimization in general, see [Windows Update Delivery Optimization: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730684). -### 21. Windows Update +## 21. Windows Update + You can turn off Windows Update by setting the following registry entries: 
@@ -1497,275 +1432,6 @@ You can turn off automatic updates by doing one of the following. This is not re To learn more, see [Device update management](http://msdn.microsoft.com/library/windows/hardware/dn957432.aspx) and [Configure Automatic Updates by using Group Policy](http://technet.microsoft.com/library/cc720539.aspx). -## Manage your telemetry settings - - -You can manage your telemetry settings using the management tools you’re already using, such as Group Policy, MDM, or Windows Provisioning. You can also manually change your settings using Registry Editor. Setting your telemetry levels through a management policy overrides any device-level settings. - -You can set your organization’s devices to use 1 of 4 telemetry levels: - -- [Security](#bkmk-utc-security) (only available on Windows 10 Enterprise, Windows 10 Education, and Windows 10 IoT Core (IoT Core) editions) - -- [Basic](#bkmk-utc-basic) - -- [Enhanced](#bkmk-utc-enhanced) - -- [Full](#bkmk-utc-full) - -For more info about these telemetry levels, see [Telemetry levels](#bkmk-telemetrylevels). In Windows 10 Enterprise, Windows 10 Education, and IoT Core, the default telemetry level is [Enhanced](#bkmk-utc-enhanced). - -**Important**   -These telemetry levels only apply to Windows components and apps that use the Connected User Experience and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these telemetry levels. App publishers must let people know about how they use their telemetry, ways to opt in or opt out, and they must separately document their privacy policies. - -  - -### Use Group Policy to set the telemetry level - -Use a Group Policy object to set your organization’s telemetry level. - -1. From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**. - -2. 
Double-click **Allow Telemetry**. - -3. In the **Options** box, select the level that you want to configure, and then click **OK**. - -### Use MDM to set the telemetry level - -Use the [Policy Configuration Service Provider (CSP)](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to apply the System/AllowTelemetry MDM policy, using one of these telemetry values: - -- **0**. Maps to the [Security](#bkmk-utc-security) level. - -- **1**. Maps to the [Basic](#bkmk-utc-basic) level. - -- **2**. Maps to the [Enhanced](#bkmk-utc-enhanced) level. - -- **3**. Maps to the [Full](#bkmk-utc-full) level. - -### Use Windows Provisioning to set the telemetry level - -Use Windows Provisioning and the Windows Imaging and Configuration Designer (Windows ICD) tool – part of the [Windows Assessment and Deployment Kit (Windows ADK) toolkit](http://go.microsoft.com/fwlink/p/?LinkId=526803) - to create a provisioning package and runtime setting that sets your organization’s telemetry level. - -After you create the provisioning package, you can email it to your employees, put it on a network share, or integrate the package directly into a custom image using Windows ICD. - -**To use Windows ICD to integrate your package into a custom image** - -1. Open Windows ICD, and then click **New provisioning package**. - -2. In the **Name** box, type a name for the provisioning package, and then click **Next**. - -3. Click **Common to all Windows editions** > **Next** > **Finish**. - -4. Go to **Runtime settings** > **Policies** > **System** > **AllowTelemetry** to configure the policies. You can set it to one of the following: - - - **Disabled \[Enterprise SKU Only\]**. Maps to the [Security](#bkmk-utc-security) level. - - - **Basic**. Maps to the [Basic](#bkmk-utc-basic) level. - - - **Full**. Maps to the [Enhanced](#bkmk-utc-enhanced) level - - - **Diagnostic**. Maps to the [Full](#bkmk-utc-full) level. - -5. 
After you've added all of your settings to the provisioning package, click **Export** > **Provisioning package**. - -6. On the **Describe the provisioning package** step, in the **Owner** box, click **IT Admin** > **Next**. - -7. On the **Select security details for the provisioning package** step, if you want to protect the package with a password, select the **Encrypt package** check box. If you'd like to sign the package with a certificate, select the **Sign package** check box and select the certificate to use. Click **Next**. - -8. On the **Select where to save the provisioning package** step, if you want to save it somewhere other than the Windows ICD project folder, choose a new location, and then click **Next**. - -9. On the **Build the provisioning package** step, click **Build**. - -### Use Registry Editor to set the telemetry level - -Use Registry Editor to manually set the registry level on each device in your organization, or write a script to edit the registry. - -If a management policy already exists (from Group Policy, MDM, or Windows Provisioning), it will override this registry setting. - -1. Open Registry Editor, and go to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection**. - -2. Right-click **DataCollection**, click **New**, and then click **DWORD (32-bit) Value**. - -3. Type **AllowTelemetry**, and then press ENTER. - -4. Double-click **AllowTelemetry** and set the value to one of the following levels, and the click **OK**. - - - **0**. This setting maps to the [Security](#bkmk-utc-security) level. - - - **1**. This setting maps to the [Basic](#bkmk-utc-basic) level. - - - **2**. This setting maps to the [Enhanced](#bkmk-utc-enhanced) level - - - **3**. This setting maps to the [Full](#bkmk-utc-full) level. - -5. Click **File** > **Export**, and then save the file as a .reg file, such as **C:\\AllowTelemetry.reg**. You can run this file from a script on each device in your organization. 
- -### Additional telemetry controls - -There are a few more settings that you can turn off that may send telemetry information: - -- To turn off Windows Update telemetry, you have two choices. Either turn off Windows Update, or set your devices to be managed by an on premises update server, such as [Windows Server Update Services (WSUS)](http://technet.microsoft.com/library/hh852345.aspx) or [System Center Configuration Manager](http://www.microsoft.com/server-cloud/products/system-center-2012-r2-configuration-manager/). - -- Turn off **Windows Defender Cloud-based Protection** and **Automatic sample submission** in **Settings** > **Update & security** > **Windows Defender**. - -- Manage the Malicious Software Removal Tool in your organization. For more info, see Microsoft KB article [891716](http://support.microsoft.com/kb/891716). - -- Turn off Linguistic Data Collection in **Settings** > **Privacy**. At telemetry levels Enhanced and Full, Microsoft uses Linguistic Data Collection info to improve language model features such as autocomplete, spellcheck, suggestions, input pattern recognition, and dictionary. For more info, see the **Get to know me** setting in the [Speech, inking, & typing](#bkmk-priv-speech) section of this article and the **Send Microsoft info about how I write to help us improve typing and writing in the future** setting in the [General](#bkmk-priv-general) section of this article. - - **Note**   - Microsoft doesn't intentionally gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. If we determine that sensitive information has been inadvertently received, we delete the information. 
- -   - -## How telemetry works - - -Windows uses telemetry information to analyze and fix software problems. It also helps Microsoft improve its software and provide updates that enhance the security and reliability of devices within your organization. - -### Telemetry levels - -This section explains the different telemetry levels in Windows 10. These levels are available on all desktop and mobile editions of Windows 10, with the exception of the Security level which is limited to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and IoT Core. - -- **Security**. Information that’s required to help keep Windows secure, including info about theConnected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender. This level is available only on Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and IoT Core. - -- **Basic**. Basic device info, including: quality-related info, app compat, and info from the Security level. - -- **Enhanced** Additional insights, including: how Windows and Windows apps are used, how they perform, advanced reliability info, and info from both the Basic and the Security levels. - -- **Full**. All info necessary to identify and help to fix problems, plus info from the Security, Basic, and Enhanced levels. - -As a diagram: - -![](images/priv-telemetry-levels.png) - -### Security level - -The Security level gathers only telemetry info that’s required to keep Windows devices secure. This level is only available on Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and IoT Core editions. - -**Note**   -If your organization relies on Windows Update for updates, you shouldn’t use the Security level. Because no Windows Update information is gathered at this level, Microsoft can’t tell whether an update successfully installed. 
- -You can continue to use Windows Server Update Services and System Center Configuration Manager while using the Security level. - -  - -Security level info includes: - -- **Connected User Experience and Telemetry component settings**. If data has been gathered and is queued to be sent, the Connected User Experience and Telemetry component downloads its settings file from Microsoft’s servers. The data collected by the client for this request includes OS information, device id (used to identify what specific device is requesting settings) and device class (for example, whether the device is server or desktop). - -- **Malicious Software Removal Tool (MSRT)** The MSRT infection report contains information, including device info and IP address. - - **Note**   - You can turn off the MSRT infection report. No MSRT information is included if MSRT is not used. If Windows Update is turned off, MSRT will not be offered to users. - -   - -- **Windows Defender**. Windows Defender requires some information to function, including: anti-malware signatures, diagnostic information, User Account Control settings, Unified Extensible Firmware Interface (UEFI) settings, and IP address. To configure this, see [Windows Defender](#bkmk-defender). - - **Note**   - This reporting can be turned off and no information is included if a customer is using third party antimalware software, or if Windows Defender is turned off. - - Microsoft recommends that Windows Update, Windows Defender, and MSRT remain enabled unless the enterprise uses alternative solutions such as Windows Server Update Services, System Center Configuration Manager, or a third party antimalware solution. Windows Update, Windows Defender, and MSRT provide core Windows functionality such as driver and OS updates, including security updates; moreover, Window Defender requires updated anti-malware signatures in order to provide security functionality. 
- -   - -No user content, such as user files or communications, is gathered at the Security telemetry level, and we take steps to avoid gathering any information that directly identifies a company or user, such as name, email address, or account ID. However, in rare circumstances, MSRT information may unintentionally contain personal information. For instance, some malware may create entries in a computer’s registry that include information such as a username, causing it to be gathered. MSRT reporting is optional and can be turned off at any time. - -To set the telemetry level to Security, use a management policy (Group Policy or MDM) or by manually changing the setting in the registry. For more info, see the [Manage your telemetry settings](#bkmk-utc) section of this article. - -### Basic level - -The Basic level gathers a limited set of info that’s critical for understanding the device and its configuration. This level also includes the Security level info. This level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. - -Basic level info includes: - -- **Basic device info**. Helps provide an understanding about the various types of devices in the Windows 10 ecosystem, including: - - - Device attributes, such as camera resolution and display type - - - Internet Explorer version - - - Battery attributes, such as capacity and type - - - Networking attributes, such as mobile operator network and IMEI number - - - Processor and memory attributes, such as number of cores, speed, and firmware - - - Operating system attributes, such as Windows edition and IsVirtualDevice - - - Storage attributes, such as number of drives and memory size - -- **Connected User Experience and Telemetry component quality metrics**. 
Helps provide an understanding about how the Connected User Experience and Telemetry component is functioning, including uploaded events, dropped events, and the last upload time. - -- **Quality-related information**. Helps Microsoft develop a basic understanding of how a device and its operating system are performing. Some examples are the amount of time a connected standby device was able to fullsleep, the number of crashes or hangs, and application state change details, such as how much processor time and memory were used, and the total uptime for an app. - -- **App compat info**. Helps provide understanding about which apps are installed on a device and to help identify potential compatibility problems. - - - **General app info and app info for Internet Explorer add-ons**. Includes a list of apps and Internet Explorer add-ons that are installed on a device and whether these apps will work after an upgrade. This app info includes the app name, publisher, version, and basic details about which files have been blocked from usage. - - - **System info**. Helps provide understanding about whether a device meets the minimum requirements to upgrade to the next version of the operating system. System information includes the amount of memory, as well as info about the processor and BIOS. - - - **Accessory device info**. Includes a list of accessory devices, such as printers or external storage devices, that are connected to Windows PCs and whether these devices will function after upgrading to a new version of the operating system. - - - **Driver info**. Includes specific driver usage that’s meant to help figure out whether apps and devices will function after upgrading to a new version of the operating system. This info can help to determine blocking issues and then help Microsoft and our partners apply fixes and improvements. - -- **Store**. Provides info about how the Windows Store performs, including app downloads, installations, and updates. 
It also includes Windows Store launches, page views, suspend and resumes, and obtaining licenses. - -### Enhanced level - -The Enhanced level gathers info about how Windows and apps are used and how they perform. This level also includes info from both the Basic and Security levels. This level helps to improve experiences by analyzing user interaction with the operating system and apps. Info from this level can be abstracted into patterns and trends that can help Microsoft determine future improvements. - -Enhanced level info includes: - -- **Operating system events**. Helps to gain insights into different areas of the operating system, including networking, Hyper-V, Cortana, and other components. - -- **Operating system app events**. A set of events resulting from Microsoft apps that were downloaded from the Store or pre-installed with Windows, including Photos, Mail, and Microsoft Edge. - -- **Device-specific events**. Contains info about events that are specific to certain devices, such as Surface Hub and Microsoft HoloLens. For example, Microsoft HoloLens sends Holographic Processing Unit (HPU)-related events. - -If the Connected User Experience and Telemetry component detects a problem that requires gathering more detailed instrumentation, then the Connected User Experience and Telemetry component will only gather info about the events associated with the specific issue, for no more than 2 weeks. Also, if the operating system or an app crashes or hangs, Microsoft will gather the memory contents of the faulting process only at the time of the crash or hang. - -### Full level - -The Full level gathers info necessary to identify and to help fix problems, following the approval process described below. This level also includes info from the Basic, Enhanced, and Security levels. - -Additionally, at this level, devices opted in to the Windows Insider Program will send events that can show Microsoft how pre-release binaries and features are performing. 
All devices in the Windows Insider Program are automatically set to this level. - -If a device experiences problems that are difficult to identify or repeat using Microsoft’s internal testing, additional info becomes necessary. This info can include any user content that might have triggered the problem and is gathered from a small sample of devices that have both opted into the Full telemetry level and have exhibited the problem. - -However, before more info is gathered, Microsoft’s privacy governance team, including privacy and other subject matter experts, must approve the diagnostics request made by a Microsoft engineer. If the request is approved, Microsoft engineers can use the following capabilities to get the information: - -- Ability to run a limited, pre-approved list of Microsoft certified diagnostic tools, such as msinfo32.exe, powercfg.exe, and dxdiag.exe. - -- Ability to get registry keys. - -- Ability to gather user content, such as documents, if they might have been the trigger for the issue. - -### How is telemetry information handled by Microsoft? - -### Collection - -Information gathered by the Connected User Experience and Telemetry component complies with Microsoft’s security and privacy policies, as well as international laws and regulations. Only those who can demonstrate a valid business need can access the telemetry info. - -### Data Transfer - -All telemetry info is encrypted during transfer from the device to the Microsoft Data Management Service. Data is uploaded on a schedule that is sensitive to event priority, battery use, and network cost. Real-time events, such as gaming achievements, are always sent immediately. Normal events are not uploaded on metered networks. On a free network, normal events can be uploaded every 4 hours if on battery, or every 15 minutes if on A/C power. Diagnostic and crash data are only uploaded on A/C power and free networks. 
- -### Microsoft Data Management Service - -The Microsoft Data Management Service routes information to internal cloud storage, where it's compiled into business reports for analysis and research. Sensitive info is stored in a separate data store that’s locked down to a small subset of Microsoft employees in the Windows Devices Group. The privacy governance team permits access only to people with a valid business justification. The Connected User Experiences and Telemetry component connects to the Microsoft Data Management service at v10.vortex-win.data.microsoft.com. The Connected User Experience and Telemetry component connects to settings-win.data.microsoft.com to collect its settings. - -### Usage - -Information is used by teams within Microsoft to provide, improve, and personalize experiences, and for security, health, quality, and performance analysis. - -An example of personalization is to create individually tailored in-product messages. - -Microsoft doesn’t share organization-specific customer information with third parties, except at the customer’s direction or for the limited purposes described in the privacy statement. However, we do share business reports with partners that include aggregated, anonymous telemetry information. Decisions to share info are made by an internal team that includes privacy, legal, and data management professionals. - -### Retention - -Microsoft believes in and practices information minimization, so we only gather the info we need, and we only store it for as long as it’s needed to provide a service or for analysis. Much of the info about how Windows and apps are functioning is deleted within 30 days. Other info may be retained longer, particularly if there is a regulatory requirement to do so. Info is typically gathered at a fractional sampling rate, which for some client services, can be as low as 1%. -     
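Review bot: the replacement for the deleted Security/Basic/Enhanced/Full level text is not visible in this hunk, so confirm the refreshed file still carries the operationally relevant facts being removed here: the two collection endpoints v10.vortex-win.data.microsoft.com and settings-win.data.microsoft.com (administrators need these for proxy allow-lists), the upload schedule (4 hours on battery, 15 minutes on A/C, nothing on metered networks), and the notes that MSRT and Windows Defender reporting can be turned off. While the text is being rewritten, two typos in the removed lines are worth not carrying over: "Window Defender requires" and "fullsleep".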
diff --git a/windows/manage/manage-wi-fi-sense-in-your-company.md b/windows/manage/manage-wi-fi-sense-in-your-company.md index 25fef38407..86ec3de588 100644 --- a/windows/manage/manage-wi-fi-sense-in-your-company.md +++ b/windows/manage/manage-wi-fi-sense-in-your-company.md @@ -26,7 +26,7 @@ Wi-Fi Sense isn’t available in all countries or regions.   -## How does Wi-Fi Sense work? +## How does Wi-Fi Sense work? Wi-Fi Sense connects your employees to the available Wi-Fi networks, including: @@ -42,7 +42,7 @@ Employees can't share network info with their contacts for any company network u   -## How to manage Wi-Fi Sense in your company +## How to manage Wi-Fi Sense in your company In a company environment, you will most likely deploy Windows 10 to your employees' PCs using your preferred deployment method and then manage their settings globally. With that in mind, you have a few options for managing how your employees will use Wi-Fi Sense. @@ -52,7 +52,7 @@ Turning off Wi-Fi Sense also turns off all related features, including: connecti   -### Using Group Policy (available starting with Windows 10, Version 1511) +### Using Group Policy (available starting with Windows 10, version 1511) You can manage your Wi-Fi Sense settings by using Group Policy and your Group Policy editor. 
@@ -88,7 +88,7 @@ You can manage your Wi-Fi Sense settings by changing the Windows provisioning se Setting this value to **0** turns off Wi-Fi Sense and all Wi-Fi sense features. When turned off, the Wi-Fi Sense settings still appear on the **Wi-Fi Settings** screen, but can't be controlled by the employee and all of the Wi-Fi Sense features are turned off. For more info, see the Windows Provisioning settings reference topic, [WiFiSenseAllowed](http://go.microsoft.com/fwlink/p/?LinkId=620909). -### Using Unattended Windows Setup settings +### Using Unattended Windows Setup settings If your company still uses Unattend, you can manage your Wi-Fi Sense settings by changing the Unattended Windows Setup setting, **WiFiSenseAllowed**. @@ -98,7 +98,7 @@ If your company still uses Unattend, you can manage your Wi-Fi Sense settings by Setting this value to **0** turns off Wi-Fi Sense and all Wi-Fi sense features. When turned off, the Wi-Fi Sense settings still appear on the **Wi-Fi Settings** screen, but can't be controlled by the employee and all of the Wi-Fi Sense features are turned off. For more info, see the Unattended Windows Setup Reference topic, [WiFiSenseAllowed](http://go.microsoft.com/fwlink/p/?LinkId=620910). -### How employees can change their own Wi-Fi Sense settings +### How employees can change their own Wi-Fi Sense settings If you don’t turn off the ability for your employees to use Wi-Fi Sense, they can turn the settings on locally by selecting **Settings > Network & Internet > Wi-Fi > Manage Wi-Fi settings**, and then changing one or both of these settings under **Wi-Fi Sense**: diff --git a/windows/manage/prerequisites-for-windows-store-for-business.md b/windows/manage/prerequisites-for-windows-store-for-business.md index b469db817d..7a13825ca7 100644 --- a/windows/manage/prerequisites-for-windows-store-for-business.md +++ b/windows/manage/prerequisites-for-windows-store-for-business.md 
@@ -27,7 +27,7 @@ You'll need this software to work with Store for Business. - IT Pros that are administering Store for Business need a browser compatible with Store for Business running on a PC or mobile device. Supported browsers include: Internet Explorer 10 or later, Microsoft Edge, or current versions of Chrome or Firefox. -- Employees using apps from Store for Business need Windows 10, Version 1511 running on a PC or mobile device. +- Employees using apps from Store for Business need Windows 10, version 1511 running on a PC or mobile device. Microsoft Azure Active Directory (AD) accounts for your employees: diff --git a/windows/manage/product-ids-in-windows-10-mobile.md b/windows/manage/product-ids-in-windows-10-mobile.md index f5b92e0974..c2e97f611c 100644 --- a/windows/manage/product-ids-in-windows-10-mobile.md +++ b/windows/manage/product-ids-in-windows-10-mobile.md @@ -18,9 +18,9 @@ author: jdeckerMS **In this article** -- [Apps included in Windows 10 Mobile](#apps_included_in_windows_10_mobile) -- [Get product ID and AUMID for other apps](#get_product_id_and_aumid_for_other_apps) -- [Related topics](#related_topics) +- [Apps included in Windows 10 Mobile](#apps-included-in-windows-10-mobile) +- [Get product ID and AUMID for other apps](#get-product-id-and-aumid-for-other-apps) +- [Related topics](#related-topics) You can use the product ID and Application User Model (AUMID) in Lockdown.xml to specify apps that will be available to the user. diff --git a/windows/manage/reset-a-windows-10-mobile-device.md b/windows/manage/reset-a-windows-10-mobile-device.md index ff42ffcf26..fa3b555b68 100644 --- a/windows/manage/reset-a-windows-10-mobile-device.md +++ b/windows/manage/reset-a-windows-10-mobile-device.md 
@@ -17,9 +17,9 @@ author: jdeckerMS **In this article** -- [Reset using MDM](#reset_using_mdm) -- [Reset using the UI](#_reset_using_the_ui) -- [Reset using hardware buttons](#reset_using_hardware_buttons) +- [Reset using MDM](#reset-using-mdm) +- [Reset using the UI](#-reset-using-the-ui) +- [Reset using hardware buttons](#reset-using-hardware-buttons) There are two methods for resetting a Windows 10 Mobile device: factory reset and "wipe and persist" reset. diff --git a/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md b/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md index 5b8c07a56f..760a45164c 100644 --- a/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md +++ b/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md 
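Review bot: the converted anchor `#-reset-using-the-ui` keeps a leading hyphen inherited from `#_reset_using_the_ui`; a heading "Reset using the UI" will not generate that id, so the link most likely breaks. Suggest `- [Reset using the UI](#reset-using-the-ui)` and a check of the other in-article links in this patch whose old anchors had leading or trailing underscores.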
@@ -22,12 +22,12 @@ author: jdeckerMS **In this article** -- [Other settings to lock down](#other_settings_to_lock_down) -- [Assigned access method for Universal Windows apps](#assigned_access_method) -- [Shell Launcher for Classic Windows applications](#local_user_policy) -- [Related topics](#related_topics) +- [Other settings to lock down](#other-settings-to-lock-down) +- [Assigned access method for Universal Windows apps](#assigned-access-method) +- [Shell Launcher for Classic Windows applications](#local-user-policy) +- [Related topics](#related-topics) -A single-use device is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education). For a kiosk device to run a Universal Windows app, use the **assigned access** feature. For a kiosk device (Windows 10 Enterprise or Education) to run a Classic Windows application, use **Shell Launcher** to set a custom user interface as the shell. To return the device to the regular shell, see [Sign out of assigned access](#sign_out_of_assigned_access). +A single-use device is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education). For a kiosk device to run a Universal Windows app, use the **assigned access** feature. For a kiosk device (Windows 10 Enterprise or Education) to run a Classic Windows application, use **Shell Launcher** to set a custom user interface as the shell. To return the device to the regular shell, see [Sign out of assigned access](#sign-out-of-assigned-access). **Note**   A Universal Windows app is built on the Universal Windows Platform (UWP), which was first introduced in Windows 8 as the Windows Runtime. A Classic Windows application uses the Classic Windows Platform (CWP) (e.g., COM, Win32, WPF, WinForms, etc.) and is typically launched using an .EXE or .DLL file. 
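Review bot: `#assigned-access-method` and `#local-user-policy` do not match the headings they point to ("Assigned access method for Universal Windows apps", "Shell Launcher for Classic Windows applications"); if ids are derived from heading text, as the other converted links in this patch assume, these only resolve when an explicit anchor exists. Confirm that, or point them at `#assigned-access-method-for-universal-windows-apps` and `#shell-launcher-for-classic-windows-applications`.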
@@ -68,18 +68,18 @@ For a more secure kiosk experience, we recommend that you make the following con   -## Assigned access method for Universal Windows apps +## Assigned access method for Universal Windows apps Using assigned access, Windows 10 runs the designated Universal Windows app above the lockscreen, so that the assigned access account has no access to any other functionality on the device. You have these choices for setting up assigned access: -- [Use Settings on the PC](#set_up_assigned_access_in_pc_settings) - Windows 10 Pro, Enterprise, and Education +- [Use Settings on the PC](#set-up-assigned-access-in-pc-settings) - Windows 10 Pro, Enterprise, and Education -- [Apply a mobile device management (MDM) policy](#set_up_assigned_access_in_mdm) - Windows 10 Enterprise and Education +- [Apply a mobile device management (MDM) policy](#set-up-assigned-access-in-mdm) - Windows 10 Enterprise and Education - [Create a provisioning package using Windows Imaging and Configuration Designer (ICD)](#icd) - Windows 10 Enterprise and Education -- [Run a PowerShell script](#set_up_assigned_access_using_windows_powershell) - Windows 10 Pro, Enterprise, and Education +- [Run a PowerShell script](#set-up-assigned-access-using-windows-powershell) - Windows 10 Pro, Enterprise, and Education ### Requirements @@ -120,7 +120,7 @@ Assigned Access has one setting, KioskModeApp. In the KioskModeApp setting, you [See the technical reference for the Assigned Access configuration service provider.](http://go.microsoft.com/fwlink/p/?LinkId=626608) -### Set up assigned access using Windows Imaging and Configuration Designer (ICD) +### Set up assigned access using Windows Imaging and Configuration Designer (ICD) Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package that configures a device as a kiosk. [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740) 
@@ -249,7 +249,7 @@ If you press **Ctrl + Alt + Del** and do not sign in to another account, after a To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal. -## Shell Launcher for Classic Windows applications +## Shell Launcher for Classic Windows applications Using Shell Launcher, you can configure a kiosk device that runs a Classic Windows application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. @@ -380,7 +380,7 @@ Alternatively, you can turn on Shell Launcher using the Deployment Image Servici [Set up a kiosk for Windows 10 for mobile edition](set-up-a-kiosk-for-windows-10-for-mobile-edition.md) -[Manage and update Windows 10](index.md) +[Manage and update Windows 10]   diff --git a/windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md b/windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md index 5009c67faf..e1ed1feb64 100644 --- a/windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md +++ b/windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md @@ -18,9 +18,9 @@ author: jdeckerMS **In this article** -- [Apps Corner](#apps_corner) -- [Enterprise Assigned Access](#enterprise_assigned_access) -- [Related topics](#related_topics) +- [Apps Corner](#apps-corner) +- [Enterprise Assigned Access](#enterprise-assigned-access) +- [Related topics](#related-topics) A device in kiosk mode runs a specified app with no access to other device functions, menus, or settings. You configure a device running Windows 10 Mobile or Windows 10 Mobile Enterprise for kiosk mode by using the Apps Corner feature. You can also use the Enterprise Assigned Access configuration service provider (CSP) to configure a kiosk experience. 
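Review bot: the @@ -380 hunk drops the link target from `[Manage and update Windows 10](index.md)`, leaving `[Manage and update Windows 10]` as a bare bracketed string in the Related topics list. If the intent was to remove the link, remove the entry as well; otherwise restore `(index.md)` or the correct relative path.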
diff --git a/windows/manage/sign-up-for-windows-store-for-business.md b/windows/manage/sign-up-for-windows-store-for-business.md index 90a852b957..0a57c72f72 100644 --- a/windows/manage/sign-up-for-windows-store-for-business.md +++ b/windows/manage/sign-up-for-windows-store-for-business.md @@ -27,17 +27,17 @@ Before signing up for the Store for Business, make sure you're the global admini 1. Go to [https://www.microsoft.com/business-store](http://go.microsoft.com/fwlink/p/?LinkId=691845), and click **Sign up**. - - If you start the Store for Business sign up process, and don't have an Azure AD directory for your organization, we'll help you create one. For more info, see [Sign up for Azure AD accounts](#o365_welcome). + - If you start the Store for Business sign up process, and don't have an Azure AD directory for your organization, we'll help you create one. For more info, see [Sign up for Azure AD accounts](#o365-welcome). - - If you already have an Azure AD directory, you'll [sign in to Store for Business](#sign_in), and then accept Store for Business terms. + - If you already have an Azure AD directory, you'll [sign in to Store for Business](#sign-in), and then accept Store for Business terms. ![](images/wsfb-landing.png) **To sign up for Azure AD accounts through Office 365 for Business** - - Signing up for Store for Business will create an Azure AD directory and global administrator account for you. There are just a few steps. + - Signing up for Store for Business will create an Azure AD directory and global administrator account for you. There are just a few steps. Step 1: About you. 
@@ -71,11 +71,11 @@ Before signing up for the Store for Business, make sure you're the global admini - At this point, you'll have an Azure AD directory created with one user account. That user account is the global administrator. You can use that account to sign in to Store for Business. -2. Sign in with your Azure AD account. +2. Sign in with your Azure AD account. ![](images/wsfb-onboard-7.png) -3. Read through and accept Store for Business terms. +3. Read through and accept Store for Business terms. 4. Welcome to the Store for Business. Click **Next** to continue. diff --git a/windows/manage/stop-employees-from-using-the-windows-store.md b/windows/manage/stop-employees-from-using-the-windows-store.md index da89adadf8..4b3444dec6 100644 --- a/windows/manage/stop-employees-from-using-the-windows-store.md +++ b/windows/manage/stop-employees-from-using-the-windows-store.md @@ -23,7 +23,7 @@ IT Pros can configure access to Windows Store for client computers in their orga You can use these tools to configure access to Windows Store: AppLocker or Group Policy. For Windows 10, this is only supported on Windows 10 Enterprise edition. -## Block Windows Store using AppLocker +## Block Windows Store using AppLocker Applies to: Windows 10 Enterprise, Windows 10 Mobile @@ -52,10 +52,10 @@ For more information on AppLocker, see [What is AppLocker?](../keep-secure/what- 8. Optional: On **Exceptions**, specify conditions by which to exclude files from being affected by the rule. This allows you to add exceptions based on the same rule reference and rule scope as you set before. Click **Next**. -## Block Windows Store using Group Policy +## Block Windows Store using Group Policy -Applies to: Windows 10 Enterprise, Version 1511 +Applies to: Windows 10 Enterprise, version 1511 You can also use Group Policy to manage access to Windows Store. 
@@ -69,12 +69,12 @@ You can also use Group Policy to manage access to Windows Store. 4. On the **Turn off Store application** setting page, click **Enabled**, and then click **OK**. -## Block Windows Store using management tool +## Block Windows Store using management tool Applies to: Windows 10 Mobile -If you have mobile devices in your organization that you upgraded from earlier versions of Windows Phone 8 to Windows 10 Mobile, existing policies created using the Windows Phone 8.1 configuration service providers (CSP) with your MDM tool will continue to work on Windows 10 Mobile. If you are starting with Windows 10 Mobile, we recommend using [AppLocker](#block_store_applocker) to manage access to Windows Store app. +If you have mobile devices in your organization that you upgraded from earlier versions of Windows Phone 8 to Windows 10 Mobile, existing policies created using the Windows Phone 8.1 configuration service providers (CSP) with your MDM tool will continue to work on Windows 10 Mobile. If you are starting with Windows 10 Mobile, we recommend using [AppLocker](#block-store-applocker) to manage access to Windows Store app. When your MDM tool supports Windows Store for Business, the MDM can use these CSPs to block Windows Store app: diff --git a/windows/manage/windows-10-mobile-and-mdm.md b/windows/manage/windows-10-mobile-and-mdm.md index 9cf338b2d1..72aaeeeb45 100644 --- a/windows/manage/windows-10-mobile-and-mdm.md +++ b/windows/manage/windows-10-mobile-and-mdm.md 
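Review bot: `#block-store-applocker` does not match the heading "Block Windows Store using AppLocker" whose trailing whitespace this patch trims; unless an explicit anchor with that id exists, the link should be `#block-windows-store-using-applocker`. The rewritten line also ends with "to manage access to Windows Store app", which wants an article: "the Windows Store app".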
@@ -19,12 +19,12 @@ author: jdeckerMS **In this article** - [Overview](#overview) -- [Device deployment](#device_deployment__) -- [Device configuration](#device_configuration) -- [App management](#__app_management) -- [Device operations](#device_operations) -- [Device retirement](#device_retirement) -- [Related topics](#related_topics) +- [Device deployment](#device-deployment--) +- [Device configuration](#device-configuration) +- [App management](#--app-management) +- [Device operations](#device-operations) +- [Device retirement](#device-retirement) +- [Related topics](#related-topics) This guide provides an overview of the mobile device and app management technologies in the Windows 10 Mobile operating system. It describes how mobile device management (MDM) systems use the built-in device management client to deploy, configure, maintain, and support phones and small tablets running Windows 10 Mobile. 
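Review bot: `#device-deployment--` and `#--app-management` carry the stray underscores of the old anchors over as doubled hyphens; the headings "Device deployment" and "App management" will not generate those ids, so both links break. Suggest `#device-deployment` and `#app-management`.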
@@ -37,7 +37,7 @@ Windows 10 Mobile not only delivers more comprehensive, restrictive configurati Organizations’ users increasingly depend on their mobile devices, but phones and tablets bring new and unfamiliar challenges for IT departments. IT must be able to deploy and manage mobile devices and apps quickly to support the business while balancing the growing need to protect corporate data because of evolving laws, regulations, and cybercrime. IT must ensure that the apps and data on those mobile devices are safe, especially on personal devices. Windows 10 Mobile helps organizations address these challenges by providing a robust, flexible, built-in MDM client. IT departments can use the MDM system of their choice to manage this client. -### Built-in MDM client +### Built-in MDM client The built-in MDM client is common to all editions of the Windows 10 operating system, including desktop, mobile, and Internet of Things (IoT). The client provides a single interface through which you can manage any device that runs Windows 10. The client has two important roles: device enrollment in an MDM system and device management. 
@@ -47,7 +47,7 @@ The built-in MDM client is common to all editions of the Windows 10 operating s The MDM client is an integral part of Windows 10 Mobile. As a result, there is no need for an additional, custom MDM app to enroll the device or to allow an MDM system to manage it. All MDM systems have equal access to Windows 10 Mobile MDM application programming interfaces (APIs), so you can choose Microsoft Intune or a third-party MDM product to manage Windows 10 Mobile devices. For more information about Windows 10 Mobile device management APIs, see [Mobile device management](http://go.microsoft.com/fwlink/p/?LinkId=734050). -### Windows 10 Mobile editions +### Windows 10 Mobile editions Every device that runs Windows 10 Mobile includes all the enterprise mobile device security and management capabilities the MDM client provides. Microsoft also offers an Enterprise edition of Windows 10 Mobile, which includes three additional capabilities. To enable these capabilities, you can provision a license file without reinstalling the operating system: @@ -64,7 +64,7 @@ Your organization can opt to purchase a code signing certificate from Verisign t To activate Windows 10 Mobile Enterprise on any Windows 10 Mobile device, use your company’s MDM system or a provisioning package to inject a license onto the device. You can download a Windows 10 Mobile Enterprise license from the Business Support Portal. -### Lifecycle management +### Lifecycle management Windows 10 Mobile supports end-to-end lifecycle device management to give companies control of their devices, data, and apps. Comprehensive MDM systems use the built-in MDM client to manage devices throughout their lifecycle, as Figure 1 illustrates. The remainder of this guide describes the operating system’s mobile device and app management capabilities through each phase of the lifecycle, showing how MDM systems use specific features. 
@@ -72,7 +72,7 @@ Windows 10 Mobile supports end-to-end lifecycle device management to give compa Figure 1. Device management lifecycle -## Device deployment +## Device deployment Device deployment includes the initial registration and configuration of the device, including its enrollment with an MDM system. Sometimes, companies preinstall apps. The major factors in how you deploy devices and which controls you put in place are device ownership and how the user will use the device. This guide covers two scenarios: @@ -85,7 +85,7 @@ Often, employees can choose devices from a list of supported models, or companie Microsoft recommends Azure AD Join and MDM enrollment and management for corporate devices and Azure AD Registration and MDM enrollment and management for personal devices. -### Deployment scenarios +### Deployment scenarios Most organizations support both personal and corporate device scenarios. The infrastructure for these scenarios is similar, but the deployment process and configuration policies differ. Table 1 describes characteristics of the personal and corporate device scenarios. Activation of a device with an organizational identity is unique to Windows 10 Mobile. @@ -123,7 +123,7 @@ Table 1. Characteristics of personal and corporate device scenarios   -### Identity management +### Identity management People can use only one account to activate a device, so it’s imperative that your organization control which account you enable first. The account you choose will determine who controls the device and influence your management capabilities. The following list describes the impact that users’ identities have on management (Table 2 summarizes these considerations): 
@@ -182,7 +182,7 @@ Table 2. Personal vs. organizational identity   -### Infrastructure requirements +### Infrastructure requirements For both device scenarios, the essential infrastructure and tools required to deploy and manage Windows 10 Mobile devices include an Azure AD subscription and an MDM system. @@ -210,7 +210,7 @@ In addition, Microsoft recently added MDM capabilities powered by Intune to Offi   -### Provisioning +### Provisioning Provisioning is new to Windows 10 and uses the MDM client in Windows 10 Mobile. You can create a runtime provisioning package to apply settings, profiles, and file assets to a device running Windows 10. @@ -241,7 +241,7 @@ The following sections describe the device configuration capabilities of the bui - [Account restrictions](#restrictions) -- [Device lock restrictions](#device_lock) +- [Device lock restrictions](#device-lock) - [Hardware restrictions](#hardware) @@ -264,7 +264,7 @@ Although all the MDM settings this section describes are available in Windows 1   -### Email accounts +### Email accounts You can use your corporate MDM system to manage corporate email accounts. Define email account profiles in the MDM system, and then deploy them to devices. You would usually deploy these settings immediately after enrollment, regardless of scenario. @@ -329,7 +329,7 @@ Table 4. Windows 10 Mobile settings for other email profiles   -### Account restrictions +### Account restrictions On a corporate device registered with Azure AD and enrolled in the MDM system, you can control whether users can use a Microsoft account or add other consumer email accounts. Table 5 lists the settings that you can use to manage accounts on Windows 10 Mobile devices. 
@@ -343,7 +343,7 @@ Table 5. Windows 10 Mobile account management settings   -### Device lock restrictions +### Device lock restrictions It’s common sense to lock a device when it is not in use. Microsoft recommends that you secure Windows 10 Mobile devices and implement a device lock policy. A device password or PIN lock is a best practice for securing apps and data on devices. [Windows Hello](http://go.microsoft.com/fwlink/p/?LinkId=723994) is the name given to the new biometric sign-in option that allows users to use their face, iris, or fingerprints to unlock their compatible device, all of which Windows 10 supports. @@ -432,7 +432,7 @@ Table 6. Windows 10 Mobile device lock restrictions   -### Hardware restrictions +### Hardware restrictions Windows 10 Mobile devices use state-of-the-art technology that includes popular hardware features such as cameras, global positioning system (GPS) sensors, microphones, speakers, near-field communication (NFC) radios, storage card slots, USB interfaces, Bluetooth interfaces, cellular radios, and Wi-Fi. You can also use hardware restrictions to control the availability of these features. Table 7 lists the MDM settings that Windows 10 Mobile supports to configure hardware restrictions. 
@@ -463,7 +463,7 @@ Table 7. Windows 10 Mobile hardware restrictions   -### Certificate management +### Certificate management Managing certificates can be difficult for users, but certificates are pervasive for a variety of uses, including, account authentication, Wi-Fi authentication, VPN encryption, and SSL encryption of web content. Although users could manage certificates on devices manually, it’s a best practice to use your MDM system to manage those certificates for their entire life cycle, from enrollment through renewal to revocation. You can use the Simple Certificate Enrollment Protocol (SCEP) and Personal Information Exchange (PFX) certificates files to install certificates on Windows 10 Mobile. Certificate management through SCEP and MDM systems is fully transparent to users and requires no user intervention, so it helps improve user productivity and reduce support calls. Your MDM system can automatically deploy these certificates to the devices’ certificate stores after you enroll the device. Table 8 lists the SCEP settings that the MDM client in Windows 10 Mobile provides. @@ -526,7 +526,7 @@ To diagnose certificate-related issues on Windows 10 Mobile devices, use the fr   -### Wi-Fi +### Wi-Fi People use Wi-Fi on their mobile devices as much as or more than cellular data. Most corporate Wi-Fi networks require certificates and other complex information to restrict and secure user access. This advanced Wi-Fi information is difficult for typical users to configure, but you can use your MDM system to fully configure Wi-Fi settings without user intervention. @@ -864,7 +864,7 @@ Table 14. Windows 10 Mobile VPN management settings   -### APN profiles +### APN profiles An APN defines network paths for cellular data connectivity. Typically, you define just one APN for a device in collaboration with a mobile operator, but you can define multiple APNs if your company uses multiple mobile operators. 
@@ -936,7 +936,7 @@ Table 15. Windows 10 Mobile APN profile settings   -### Data leak protection +### Data leak protection Some user experiences can risk corporate data stored on corporate devices. For example, allowing users to copy and paste information out of the organization’s LOB app can put data at risk. To mitigate the risk, you can restrict the Windows 10 Mobile user experience to help protect corporate data and prevent data leaks. For example, you can prevent settings synchronization, copy-and-paste operations, and screen captures. Table 16 lists the MDM settings in Windows 10 Mobile that you can use to help prevent data leaks. @@ -957,7 +957,7 @@ Table 16. Windows 10 Mobile data leak protection settings   -### Storage management +### Storage management Protecting the apps and data stored on a device is critical to device security. One method for helping protect your apps and data is to encrypt internal device storage by using the device encryption in Windows 10 Mobile. This encryption helps protect corporate data against unauthorized access, even when an unauthorized user has physical possession of the device. 
@@ -1024,26 +1024,26 @@ Table 17. Windows 10 Mobile storage management settings   -## App management +## App management Apps help improve user productivity on mobile devices. New to Windows 10 is the ability for organizations purchase apps from Windows Store for their employees and deploy those apps from Windows Store or an MDM system. App management is becoming a key capability of MDM systems, helping reduce the effort required to perform common app-related tasks, such as distributing apps, and protecting data through app policies. This section describes the app management features in Windows 10 Mobile and includes the following topics: -- [Universal Windows Platform (UWP)](#UWP) +- [Universal Windows Platform (UWP)](#uwp) - [Sourcing the right app](#sourcing) - [Windows Store for Business](#store) -- [Mobile application management (MAM) policies](#MAM) +- [Mobile application management (MAM) policies](#mam) - [Microsoft Edge](#edge) -### Universal Windows Platform +### Universal Windows Platform Windows 10 introduces UWP, converging the application platform for all devices running some edition of Windows 10. UWP apps run without modification on all editions of Windows 10, and Windows Store now has apps that you can license and purchased for all your Windows 10 devices. Windows Phone 8.1 and Windows 8.1 apps still run on Windows 10 devices, but the MAM improvements in Windows 10 work only with UWP apps. See the [Guide to Universal Windows Platform (UWP) apps](http://go.microsoft.com/fwlink/p/?LinkId=734056) for additional information. -### Sourcing the right app +### Sourcing the right app The first step in app management is to obtain the apps your users need, and you can now acquire apps from Windows Store. Developers can also create apps specific to an organization, known as *line-of-business (LOB) apps* (the developers of these apps are *LOB publishers*). 
An LOB developer (internal or external) can now publish these apps to Windows Store at your request, or you can obtain the app packages offline and distribute them through your MDM system. 
@@ -1051,11 +1051,11 @@ To install Windows Store or LOB apps, use the Windows Store cloud service or you IT administrators can obtain apps through Store for Business. Most apps can be distributed online, meaning that the user must be logged in to the device with an Azure AD account and have Internet access at the time of installation. To distribute an app offline, the developer must opt in. If the app developer doesn’t allow download of the app from Windows Store, then you must obtain the files directly from the developer or use the online method. See [Windows Store for Business](windows-store-for-business.md) for additional information about apps obtained through Store for Business. -Windows Store apps are automatically trusted. For custom LOB apps developed internally or by a trusted software vendor, ensure that the device trusts the app signing certificate. There are two ways to establish this trust: use a signing certificate from a trusted source, or generate your own signing certificate and add your chain of trust to the trusted certificates on the device. You can install up to 20 self-signed apps on a Windows 10 Mobile device. When you purchase a signing certificate from a public CA, you can install more than 20 apps on a device, although you can install more than 20 self-signed apps per device with [Windows 10 Mobile Enterprise](#mobile_edition). +Windows Store apps are automatically trusted. For custom LOB apps developed internally or by a trusted software vendor, ensure that the device trusts the app signing certificate. There are two ways to establish this trust: use a signing certificate from a trusted source, or generate your own signing certificate and add your chain of trust to the trusted certificates on the device. You can install up to 20 self-signed apps on a Windows 10 Mobile device. 
When you purchase a signing certificate from a public CA, you can install more than 20 apps on a device, although you can install more than 20 self-signed apps per device with [Windows 10 Mobile Enterprise](#mobile-edition). Users can install apps from Windows Store that the organization purchases through the Store app on their device. If you allow your users to log in with a Microsoft account, the Store app on the device provides a unified method for installing personal and corporate apps. -### Store for Business +### Store for Business [Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkId=722910) is a web portal that IT pros and purchasers use to find, acquire, manage, and distribute apps to Windows 10 devices. This online portal gives Azure AD authenticated managers access to Store for Business functionality and settings. Store managers can create a private section of Windows Store in which organizations can manage apps specific and private to them. Store for Business allows organizations to make apps available to their users and purchase app licenses for them. They can also integrate their Store for Business subscriptions with their MDM systems, so the MDM system can deploy apps from their free Store for Business subscription. @@ -1073,7 +1073,7 @@ The process for using Store for Business is as follows: For more information about Store for Business, see [Windows Store for Business](windows-store-for-business.md). -### Mobile application management (MAM) policies +### Mobile application management (MAM) policies With MDM, you can manage Device Guard on Windows 10 Mobile and create an allow (whitelist) or deny (blacklist) list of apps. This capability extends to built-in apps, as well, such as phone, text messaging, email, and calendar. The ability to allow or deny apps helps to ensure that people use their mobile devices for their intended purposes. 
@@ -1099,7 +1099,7 @@ Table 18. Windows 10 Mobile app management settings One potential security issue is that users can register as Windows 10 Mobile app developers and turn on developer features on their device, potentially installing apps from unknown sources and opening the device to malware threats. To prevent users from turning on developer features on their devices, set the **Disable development unlock (side loading)** policy, which you can configure through your MDM system. -### Microsoft Edge +### Microsoft Edge MDM systems give you the ability to manage Microsoft Edge on mobile devices. Table 19 lists the Microsoft Edge settings for Windows 10 Mobile. 
@@ -1129,21 +1129,21 @@ Table 19. Microsoft Edge settings for Windows 10 Mobile In this section, you learn how MDM settings in Windows 10 Mobile enable the following scenarios: -- [Device update](#device_update) +- [Device update](#device-update) -- [Device compliance monitoring](#device_comp) +- [Device compliance monitoring](#device-comp) -- [Device inventory](#data_inv) +- [Device inventory](#data-inv) -- [Remote assistance](#remote_assist) +- [Remote assistance](#remote-assist) -- [Cloud services](#cloud_serv) +- [Cloud services](#cloud-serv) ### Device update To help protect mobile devices and their data, you must keep those devices updated. Windows Update automatically installs updates and upgrades when they become available. -The device update features described in this section are available only in [Windows 10 Mobile Enterprise](#mobile_edition). You can use your MDM system to postpone system upgrades when you activate an Enterprise license on managed Windows 10 Mobile devices and control how updates and upgrades are applied. For example, you can disable updates altogether, defer updates and upgrades, and schedule the day and time to install updates, as you would with Windows Server Update Services (WSUS) on Windows 10 desktops running the [Current Branch for Business](introduction-to-windows-10-servicing.md). Table 20 lists the Windows 10 Mobile Enterprise settings that you can use to configure updates and upgrades. +The device update features described in this section are available only in [Windows 10 Mobile Enterprise](#mobile-edition). You can use your MDM system to postpone system upgrades when you activate an Enterprise license on managed Windows 10 Mobile devices and control how updates and upgrades are applied. 
For example, you can disable updates altogether, defer updates and upgrades, and schedule the day and time to install updates, as you would with Windows Server Update Services (WSUS) on Windows 10 desktops running the [Current Branch for Business](introduction-to-windows-10-servicing.md). Table 20 lists the Windows 10 Mobile Enterprise settings that you can use to configure updates and upgrades. Table 20. Windows 10 Mobile Enterprise update management settings @@ -1282,7 +1282,7 @@ Table 21. Windows 10 Mobile Enterprise approved update information   -### Device compliance monitoring +### Device compliance monitoring You can use your MDM system to monitor compliance. Windows 10 Mobile provides audit information to track issues or perform remedial actions. This information helps you ensure that devices are configured to comply with organizational standards. @@ -1339,7 +1339,7 @@ Table 21. Windows 10 Mobile HAS data points   -### Device inventory +### Device inventory Device inventory helps organizations better manage devices because it provides in-depth information about those devices. MDM systems collect inventory information remotely, and you can use the system’s reporting capabilities to analyze device resources and information. With this information, you can determine the current hardware and software resources of the device (for example, installed updates). @@ -1370,7 +1370,7 @@ Table 22. Windows 10 Mobile software and hardware inventory examples   -### Remote assistance +### Remote assistance The remote assistance features in Windows 10 Mobile help resolve issues that users might encounter even when the help desk does not have physical access to the device. These features include: 
@@ -1394,7 +1394,7 @@ Table 23. Windows 10 Mobile remote find settings   -### Cloud services +### Cloud services On mobile devices that run Windows 10 Mobile, users can easily connect to apps and data. As a result, they frequently connect to cloud services that provide user notifications and collect telemetry (usage data). Windows 10 Mobile enables organizations to manage how devices consume these cloud services. diff --git a/windows/manage/working-with-line-of-business-apps.md b/windows/manage/working-with-line-of-business-apps.md index 8194e17dc0..82ac833b02 100644 --- a/windows/manage/working-with-line-of-business-apps.md +++ b/windows/manage/working-with-line-of-business-apps.md @@ -22,7 +22,7 @@ Developers within your own company, or ISVs that you invite, can become LOB publ One advantage of making apps available through Store for Business is that the app has been signed by the Store, and uses the standard Store policies. For companies that can’t submit their application through the Windows Dev Center (for example, those needing additional capabilities or due to compliance purposes), [Sideloading](http://go.microsoft.com/fwlink/p/?LinkId=623433) is also supported in Windows 10. -## Adding LOB apps to your private store +## Adding LOB apps to your private store Your Store for Business admin and ISV each own different parts of the process for getting LOB apps created, submitted, and deployed to your employees. They’ll use the Store for Business portal, and the Windows Dev center on MSDN. Here’s what’s involved: @@ -41,7 +41,7 @@ What you'll have to set up: - LOB publishers need to have an app in the Store, or have an app ready to submit to the Store. -### Add an LOB publisher (admin) +### Add an LOB publisher (admin) For developers within your own organization, or ISVs you're working with to create LOB apps, you'll need to invite them to become a LOB publisher. 
@@ -51,7 +51,7 @@ For developers within your own organization, or ISVs you're working with to crea 2. Click **Settings**, and then choose **LOB publishers**. 3. On the Line-of business publishers page, click **Add** to complete a form and send an email invitation to a developer. -### Submit apps (LOB publisher) +### Submit apps (LOB publisher) The developer receives an email invite to become an LOB publisher for your company. Once they accept the invite, they can log in to the Windows Dev Center to create an app submission for your company. The info here assumes that devs or ISVs have an active developer account. @@ -79,7 +79,7 @@ After an app is published and available in the Store, ISVs publish an updated ve For more information, see [Organizational licensing options]( http://go.microsoft.com/fwlink/p/?LinkId=708615) and [Distributing LOB apps to enterprises](http://go.microsoft.com/fwlink/p/?LinkId=627543). -### Add app to inventory (admin) +### Add app to inventory (admin) After an ISV submits the LOB app for your company, the Store for Businessadmin needs to accept the app. diff --git a/windows/plan/TOC.md b/windows/plan/TOC.md index c11effc96c..bc320b4898 100644 --- a/windows/plan/TOC.md +++ b/windows/plan/TOC.md @@ -1,4 +1,4 @@ -# [Plan for Windows 10 deployment](index.md) +# [Plan for Windows 10 deployment] ## [Change history for Plan for Windows 10 deployment](change-history-for-plan-for-windows-10-deployment.md) ## [Windows 10 servicing options](windows-10-servicing-model.md) ## [Windows 10 deployment considerations](windows-10-deployment-considerations.md) diff --git a/windows/plan/application-dialog-box.md b/windows/plan/application-dialog-box.md index 8bbcad3398..2736bf45f0 100644 --- a/windows/plan/application-dialog-box.md +++ b/windows/plan/application-dialog-box.md 
@@ -30,7 +30,7 @@ In Application Compatibility Manager (ACM), the *<Application>* dialog box 3. Double-click the name of an application. -## Tabs in the <Application> dialog box +## Tabs in the <Application> dialog box The following table shows the information available in the *<Application>* dialog box. @@ -98,7 +98,7 @@ The following table shows the information available in the *<Application>*   -## Using the <Application> Dialog Box +## Using the <Application> Dialog Box In the **<Application>** dialog box, you can perform the following actions: diff --git a/windows/plan/change-history-for-plan-for-windows-10-deployment.md b/windows/plan/change-history-for-plan-for-windows-10-deployment.md index d5ea58e8d1..518a60037d 100644 --- a/windows/plan/change-history-for-plan-for-windows-10-deployment.md +++ b/windows/plan/change-history-for-plan-for-windows-10-deployment.md @@ -11,7 +11,7 @@ author: TrudyHa # Change history for Plan for Windows 10 deployment -This topic lists new and updated topics in the [Plan for Windows 10 deployment](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md). +This topic lists new and updated topics in the [Plan for Windows 10 deployment] documentation for [Windows 10 and Windows 10 Mobile](../index.md). ## December 2015 diff --git a/windows/plan/chromebook-migration-guide.md b/windows/plan/chromebook-migration-guide.md index 741a3223fe..8d8aca4ddb 100644 --- a/windows/plan/chromebook-migration-guide.md +++ b/windows/plan/chromebook-migration-guide.md 
@@ -18,35 +18,35 @@ author: TrudyHa **In this article** -- [Plan Chromebook migration](#plan_migration) -- [Plan for app migration or replacement](#plan_app_migrate_replace) -- [Plan for migration of user and device settings](#plan_migrate_user_device_settings) -- [Plan for email migration](#plan_email_migrate) -- [Plan for cloud storage migration](#plan_cloud_storage_migration) -- [Plan for cloud services migration](#plan_cloud_services) -- [Plan for Windows device deployment](#plan_windevice_deploy) -- [Perform Chromebook migration](#perform_chromebook_migration) -- [Perform network infrastructure remediation](#network_infra_remediation) -- [Perform AD DS and Azure AD services deployment or remediation](#perform_ad_ds_and_azure_ad_services_deployment_or_remediation) -- [Prepare device, user, and app management systems](#prepare_device__user__and_app_management_systems) -- [Perform app migration or replacement](#perform_app_migration_or_replacement_) -- [Perform migration of user and device settings](#migrate_user_device_settings) -- [Perform email migration](#perform_email_migration) -- [Perform cloud storage migration](#perform_cloud_storage_migration) -- [Perform cloud services migration](#perform_cloud_services_migration) -- [Perform Windows device deployment](#perform_windows_device_deployment) -- [Related topics](#related_topics) +- [Plan Chromebook migration](#plan-migration) +- [Plan for app migration or replacement](#plan-app-migrate-replace) +- [Plan for migration of user and device settings](#plan-migrate-user-device-settings) +- [Plan for email migration](#plan-email-migrate) +- [Plan for cloud storage migration](#plan-cloud-storage-migration) +- [Plan for cloud services migration](#plan-cloud-services) +- [Plan for Windows device deployment](#plan-windevice-deploy) +- [Perform Chromebook migration](#perform-chromebook-migration) +- [Perform network infrastructure remediation](#network-infra-remediation) +- [Perform AD DS and Azure AD services 
deployment or remediation](#perform-ad-ds-and-azure-ad-services-deployment-or-remediation) +- [Prepare device, user, and app management systems](#prepare-device--user--and-app-management-systems) +- [Perform app migration or replacement](#perform-app-migration-or-replacement-) +- [Perform migration of user and device settings](#migrate-user-device-settings) +- [Perform email migration](#perform-email-migration) +- [Perform cloud storage migration](#perform-cloud-storage-migration) +- [Perform cloud services migration](#perform-cloud-services-migration) +- [Perform Windows device deployment](#perform-windows-device-deployment) +- [Related topics](#related-topics) In this guide you will learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. You will learn how to perform the necessary planning steps, including Windows device deployment, migration of user and device settings, app migration or replacement, and cloud storage migration. You will then learn the best method to perform the migration by using automated deployment and migration tools. -## Plan Chromebook migration +## Plan Chromebook migration Before you begin to migrate Chromebook devices, plan your migration. As with most projects, there can be an urge to immediately start doing before planning. When you plan your Chromebook migration before you perform the migration, you can save countless hours of frustration and mistakes during the migration process. In the planning portion of this guide, you will identify all the decisions that you need to make and how to make each decision. At the end of the planning section, you will have a list of information you need to collect and what you need to do with the information. You will be ready to perform your Chromebook migration. -## Plan for app migration or replacement +## Plan for app migration or replacement App migration or replacement is an essential part of your Chromebook migration. 
In this section you will plan how you will migrate or replace Chromebook (Chrome OS) apps that are currently in use with the same or equivalent Windows apps. At the end of this section, you will have a list of the active Chrome OS apps and the Windows app counterparts. @@ -56,7 +56,7 @@ App migration or replacement is an essential part of your Chromebook migration. Before you can do any analysis or make decisions about which apps to migrate or replace, you need to identify which apps are currently in use on the Chromebook devices. You will create a list of apps that are currently in use (also called an app portfolio). **Note**   -The majority of Chromebook apps are web apps. For these apps you need to first perform Microsoft Edge compatibility testing and then publish the web app URL to the Windows users. For more information, see the [Perform app compatibility testing for web apps](#perform_testing_webapps) section. +The majority of Chromebook apps are web apps. For these apps you need to first perform Microsoft Edge compatibility testing and then publish the web app URL to the Windows users. For more information, see the [Perform app compatibility testing for web apps](#perform-testing-webapps) section.   @@ -80,7 +80,7 @@ Record the following information about each app in your app portfolio: Throughout the entire app migration or replacement process, focus on the higher priority apps. Focus on lower priority apps only after you have determined what you will do with the higher priority apps. -### +### **Select Google Apps replacements** 
@@ -100,17 +100,17 @@ Table 1. Google App replacements   -It may be that you will decide to replace Google Apps after you deploy Windows devices. For more information on making this decision, see the [Select cloud services migration strategy](#select_CS_migrationstrat) section of this guide. +It may be that you will decide to replace Google Apps after you deploy Windows devices. For more information on making this decision, see the [Select cloud services migration strategy](#select-cs-migrationstrat) section of this guide. **Find the same or similar apps in the Windows Store** -In many instances, software vendors will create a version of their app for multiple platforms. You can search the Windows Store to find the same or similar apps to any apps not identified in the [Select Google Apps replacements](#select_googleapps) section. +In many instances, software vendors will create a version of their app for multiple platforms. You can search the Windows Store to find the same or similar apps to any apps not identified in the [Select Google Apps replacements](#select-googleapps) section. In other instances, the offline app does not have a version written for the Windows Store or is not a web app. In these cases, look for an app that provides similar functions. For example, you might have a graphing calculator offline Android app published on the Chrome OS, but the software publisher does not have a version for Windows devices. Search the Windows Store for a graphing calculator app that provides similar features and functionality. Use that Windows Store app as a replacement for the graphing calculator offline Android app published on the Chrome OS. Record the Windows app that replaces the Chromebook app in your app portfolio. -### +### **Perform app compatibility testing for web apps** 
@@ -118,7 +118,7 @@ The majority of Chromebook apps are web apps. Because you cannot run native offl Ensure that you test these web apps in Microsoft Edge. Record the level of compatibility for each web app in Microsoft Edge in your app portfolio. -## Plan for migration of user and device settings +## Plan for migration of user and device settings Some institutions have configured the Chromebook devices to make the devices easier to use by using the Google Chrome Admin Console. You have also probably configured the Chromebook devices to help ensure the user data access and ensure that the devices themselves are secure by using the Google Chrome Admin Console. @@ -127,7 +127,7 @@ However, in addition to your centralized configuration in the Google Admin Conso In this section, you will identify the user and device configuration settings for your Chromebook users and devices. Then you will prioritize these settings to focus on the configuration settings that are essential to your educational institution. -At the end of this section, you should have a list of Chromebook user and device settings that you want to migrate to Windows, as well as a level of priority for each setting. You may discover at the end of this section that you have few or no higher priority settings to be migrated. If this is the case, you can skip the [Perform migration of user and device settings](#migrate_user_device_settings) section of this guide. +At the end of this section, you should have a list of Chromebook user and device settings that you want to migrate to Windows, as well as a level of priority for each setting. You may discover at the end of this section that you have few or no higher priority settings to be migrated. If this is the case, you can skip the [Perform migration of user and device settings](#migrate-user-device-settings) section of this guide. **Identify Google Admin Console settings to migrate** 
@@ -275,7 +275,7 @@ After you have collected all the Chromebook user, app, and device settings that Assign the setting-migration priority based on how critical the setting is to the faculty performing their day-to-day tasks and how the setting affects the curriculum in the classrooms. Focus on the migration of higher priority settings and put less effort into the migration of lower priority settings. There may be some settings that are not necessary at all and can be dropped from your list of settings entirely. Record the setting priority in the list of settings you plan to migrate. -## Plan for email migration +## Plan for email migration Many of your users may be using Google Apps Gmail to manage their email, calendars, and contacts. You need to create the list of users you will migrate and the best time to perform the migration. @@ -304,7 +304,7 @@ Typically, the best time to perform the migration is between academic years or d Ensure that you communicate the time the migration will occur to your users well in advance. Also, ensure that users know how to access their Office 365 email after the migration is complete. Finally, ensure that your users know how to perform the common tasks they performed in Google Apps Gmail in Office 365 and/or Outlook 2016. -## Plan for cloud storage migration +## Plan for cloud storage migration Chromebook devices have limited local storage. So, most of your users will store data in cloud storage, such as Google Drive. You will need to plan how to migrate your cloud storage as a part of the Chromebook migration process. 
@@ -323,7 +323,7 @@ Typically, most Chromebook users use Google Drive for cloud storage services bec - Approximate storage currently in use per user -Use this information as the requirements for your cloud storage services after you migrate to Windows devices. If at the end of this discovery you determine there is no essential data being stored in cloud storage services that requires migration, then you can skip to the [Plan for cloud services migration](#plan_cloud_services) section. +Use this information as the requirements for your cloud storage services after you migrate to Windows devices. If at the end of this discovery you determine there is no essential data being stored in cloud storage services that requires migration, then you can skip to the [Plan for cloud services migration](#plan-cloud-services) section. **Optimize cloud storage services migration plan** 
@@ -339,18 +339,18 @@ Consider the following to help optimize your cloud storage services migration pl Record your optimization changes in your cloud storage services migration plan. -## Plan for cloud services migration +## Plan for cloud services migration -Many of your users may use cloud services on their Chromebook device, such as Google Apps, Google Drive, or Google Apps Gmail. You have planned for these individual cloud services in the [Plan for app migration or replacement](#plan_app_migrate_replace), [Plan for Google Apps Gmail to Office 365 migration](#plan_email_migrate), and [Plan for cloud storage migration](#plan_cloud_storage_migration) sections. +Many of your users may use cloud services on their Chromebook device, such as Google Apps, Google Drive, or Google Apps Gmail. You have planned for these individual cloud services in the [Plan for app migration or replacement](#plan-app-migrate-replace), [Plan for Google Apps Gmail to Office 365 migration](#plan-email-migrate), and [Plan for cloud storage migration](#plan-cloud-storage-migration) sections. In this section, you will create a combined list of these cloud services and then select the appropriate strategy to migrate these cloud services. -### +### **Identify cloud services currently in use** -You have already identified the individual cloud services that are currently in use in your educational institution in the [Plan for app migration or replacement](#plan_app_migrate_replace), [Plan for Google Apps Gmail to Office 365 migration](#plan_email_migrate), and [Plan for cloud storage migration](#plan_cloud_storage_migration) sections. 
Create a unified list of these cloud services and record the following about each service: +You have already identified the individual cloud services that are currently in use in your educational institution in the [Plan for app migration or replacement](#plan-app-migrate-replace), [Plan for Google Apps Gmail to Office 365 migration](#plan-email-migrate), and [Plan for cloud storage migration](#plan-cloud-storage-migration) sections. Create a unified list of these cloud services and record the following about each service: - Cloud service name 
@@ -372,7 +372,7 @@ Here is a list of reasons that describe why you might want to migrate from an ex - **Improve storage capacity and cross-platform features.** Microsoft cloud services provide competitive storage capacity and provide more Windows-centric features than other cloud services providers. While the Microsoft cloud services user experience is highly optimized for Windows devices, Microsoft cloud services are also highly optimized for companion devices (such as iOS or Android devices). -Review the list of existing cloud services that you created in the [Identify cloud services currently in use](#identify_cloud_services_inuse) section and identify the cloud services that you want to migrate to Microsoft cloud services. If you determine at the end of this task that there are no cloud services to be migrated, then skip to the [Plan for Windows device deployment](#plan_windevice_deploy) section. Also, skip the [Perform cloud services migration](#perform_cloud_services_migration) section later in this guide. +Review the list of existing cloud services that you created in the [Identify cloud services currently in use](#identify-cloud-services-inuse) section and identify the cloud services that you want to migrate to Microsoft cloud services. If you determine at the end of this task that there are no cloud services to be migrated, then skip to the [Plan for Windows device deployment](#plan-windevice-deploy) section. Also, skip the [Perform cloud services migration](#perform-cloud-services-migration) section later in this guide. **Prioritize cloud services** 
@@ -382,7 +382,7 @@ Assign the priority based on how critical the cloud service is to the faculty an Focus on the migration of higher priority cloud services first and put less effort into the migration of lower priority cloud services. There may be some cloud services that are unnecessary and you can remove them from your list of cloud services to migrate entirely. Record the cloud service migration priority in the list of cloud services you plan to migrate. -### +### **Select cloud services migration strategy** @@ -402,14 +402,14 @@ Consider the following when you create your cloud services migration strategy: - **Overlap existing and new cloud services.** For faculty and staff, consider overlapping the existing and new cloud services (having both services available) for one business cycle (end of semester or academic year) after migration. This allows you to easily recover any data that might not have migrated successfully from the existing cloud services. At a minimum, overlap the user of existing and new cloud services until the user can verify the migration. Of course, the tradeoff for using this strategy is the cost of the existing cloud services. However, depending on when license renewal occurs, the cost may be minimal. -## Plan for Windows device deployment +## Plan for Windows device deployment You need to plan for Windows device deployment to help ensure that the devices are successfully installed and configured to replace the Chromebook devices. Even if the vendor that provides the devices pre-loads Windows 10 on them, you still will need to perform other tasks. In this section you will select a Windows device deployment strategy; plan for Active Directory Domain Services (AD DS) and Azure AD services; plan for device, user, and app management; and plan for any necessary network infrastructure remediation. -### +### **Select a Windows device deployment strategy** 
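Review bot: the `-### ` / `+###` changes in the `@@ -382` and `@@ -402` hunks again strip whitespace from an empty `###` line whose title (`**Select cloud services migration strategy**`, `**Select a Windows device deployment strategy**`) lives in the following bold context line; the `@@ -938` hunk later links to `#select-windows-device-deploy`, so this section needs a real heading or an explicit id, not an empty heading. Separately, the `@@ -402` context sentence "overlap the user of existing and new cloud services" should read "the use of".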
@@ -431,7 +431,7 @@ For each classroom that has Chromebook devices, select a combination of the foll Record the combination of Windows device deployment strategies that you selected. -### +### **Plan for AD DS and Azure AD services** @@ -500,7 +500,7 @@ Table 5. Select on-premises AD DS, Azure AD, or hybrid   -### +### **Plan device, user, and app management** @@ -624,7 +624,7 @@ You can use Configuration Manager and Intune in conjunction with each other to p Record the device, user, and app management products and technologies that you selected. -### +### **Plan network infrastructure remediation** 
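Review bot: same empty-`###`-above-bold-title pattern in the `@@ -431`, `@@ -500` and `@@ -624` hunks (`**Plan for AD DS and Azure AD services**`, `**Plan device, user, and app management**`, `**Plan network infrastructure remediation**`); the `@@ -718`, `@@ -759` and `@@ -660` hunks link to `#plan-adservices`, `#plan-userdevapp-manage` and `#plan-network-infra-remediation`, so these headings must carry those ids or the links will not resolve. The `@@ -500` hunk also shows a context line consisting only of a non-breaking space (` `) after `Table 5.`; worth deleting while the file is being touched.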
@@ -660,21 +660,21 @@ Examine each of the following network infrastructure technologies and services a If you plan to significantly increase the number of Windows devices or you plan to run Chromebook and Windows devices side-by-side, you need to ensure that the power outlets, power strips, and other power management components can support the number of devices. -At the end of this process, you may determine that no network infrastructure remediation is necessary. If so, you can skip the [Perform network infrastructure remediation](#network_infra_remediation) section of this guide. +At the end of this process, you may determine that no network infrastructure remediation is necessary. If so, you can skip the [Perform network infrastructure remediation](#network-infra-remediation) section of this guide. ## Perform Chromebook migration Thus far, planning has been the primary focus. Believe it or not most of the work is now done. The rest of the Chromebook migration is just the implementation of the plan you have created. -In this section you will perform the necessary steps for the Chromebook device migration. You will perform the migration based on the planning decision that you made in the [Plan Chromebook migration](#plan_migration) section earlier in this guide. +In this section you will perform the necessary steps for the Chromebook device migration. You will perform the migration based on the planning decision that you made in the [Plan Chromebook migration](#plan-migration) section earlier in this guide. You must perform some of the steps in this section in a specific sequence. Each section has guidance about when to perform a step. You can perform other steps before, during, or after the migration. Again, each section will tell you if the sequence is important. -## Perform network infrastructure remediation +## Perform network infrastructure remediation -The first migration task is to perform any network infrastructure remediation. 
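Review bot: in the `@@ -660` hunk the rewritten line "based on the planning decision that you made" should be "decisions" (the planning section produces many), and the context sentence "Believe it or not most of the work is now done." needs a comma after "not". The `#network-infra-remediation` and `#plan-migration` conversions themselves are consistent with the rest of the commit.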
In the [Plan network infrastructure remediation](#plan_network_infra_remediation) section, you determined the network infrastructure remediation (if any) that you needed to perform. +The first migration task is to perform any network infrastructure remediation. In the [Plan network infrastructure remediation](#plan-network-infra-remediation) section, you determined the network infrastructure remediation (if any) that you needed to perform. It is important that you perform any network infrastructure remediation first because the remaining migration steps are dependent on the network infrastructure. Table 7 lists the Microsoft network infrastructure products and technologies and deployment resources for each. @@ -718,7 +718,7 @@ If you use network infrastructure products and technologies from other vendors, It is important that you perform AD DS and Azure AD services deployment or remediation right after you finish network infrastructure remediation. Many of the remaining migration steps are dependent on you having your identity system (AD DS or Azure AD) in place and up to necessary expectations. -In the [Plan for Active Directory services](#plan_ADservices) section, you determined the AD DS and/or Azure AD deployment or remediation (if any) that needed to be performed. Table 8 list AD DS, Azure AD, and the deployment resources for both. Use the resources in this table to deploy or remediate on-premises AD DS, Azure AD, or both. +In the [Plan for Active Directory services](#plan-adservices) section, you determined the AD DS and/or Azure AD deployment or remediation (if any) that needed to be performed. Table 8 list AD DS, Azure AD, and the deployment resources for both. Use the resources in this table to deploy or remediate on-premises AD DS, Azure AD, or both. Table 8. AD DS, Azure AD and deployment resources 
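Review bot: the `+In the [Plan for Active Directory services](#plan-adservices)` line in the `@@ -718` hunk has two problems beyond the anchor: the link text does not match the section title shown in the `@@ -431` hunk (`Plan for AD DS and Azure AD services`), and "Table 8 list AD DS" should be "Table 8 lists". Since the line is already being rewritten, fix both here.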
@@ -759,7 +759,7 @@ If you decided not to migrate to AD DS or Azure AD as a part of the migration, o ## Prepare device, user, and app management systems -In the [Plan device, user, and app management](#plan_userdevapp_manage) section of this guide, you selected the products and technologies that you will use to manage devices, users, and apps on Windows devices. You need to prepare your management systems prior to Windows 10 device deployment. You will use these management systems to manage the user and device settings that you selected to migrate in the [Plan for migration of user and device settings](#plan_migrate_user_device_settings) section. You need to prepare these systems prior to the migration of user and device settings. +In the [Plan device, user, and app management](#plan-userdevapp-manage) section of this guide, you selected the products and technologies that you will use to manage devices, users, and apps on Windows devices. You need to prepare your management systems prior to Windows 10 device deployment. You will use these management systems to manage the user and device settings that you selected to migrate in the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section. You need to prepare these systems prior to the migration of user and device settings. Table 9 lists the Microsoft management systems and the deployment resources for each. Use the resources in this table to prepare (deploy or remediate) these management systems. 
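Review bot: the rewritten line in the `@@ -759` hunk states the same requirement twice ("You need to prepare your management systems prior to Windows 10 device deployment" and "You need to prepare these systems prior to the migration of user and device settings"); keep one sentence that names both dependencies, e.g. "Prepare these management systems before you deploy Windows 10 devices and before you migrate user and device settings."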
@@ -821,12 +821,12 @@ Table 9. Management systems and deployment resources If you determined that no new management system or no remediation of existing systems is necessary, you can skip this section. If you use a management system from another vendor, refer to the vendor documentation on how to perform the necessary steps. -## Perform app migration or replacement +## Perform app migration or replacement -In the [Plan for app migration or replacement](#plan_app_migrate_replace) section, you identified the apps currently in use on Chromebook devices and selected the Windows apps that will replace the Chromebook apps. You also performed app compatibility testing for web apps to ensure that web apps on the Chromebook devices would run on Microsoft Edge and Internet Explorer. +In the [Plan for app migration or replacement](#plan-app-migrate-replace) section, you identified the apps currently in use on Chromebook devices and selected the Windows apps that will replace the Chromebook apps. You also performed app compatibility testing for web apps to ensure that web apps on the Chromebook devices would run on Microsoft Edge and Internet Explorer. -In this step, you need to configure your management system to deploy the apps to the appropriate Windows users and devices. Table 10 lists the Microsoft management systems and the app deployment resources for each. Use the resources in this table to configure these management systems to deploy the apps that you selected in the [Plan for app migration or replacement](#plan_app_migrate_replace) section of this guide. +In this step, you need to configure your management system to deploy the apps to the appropriate Windows users and devices. Table 10 lists the Microsoft management systems and the app deployment resources for each. Use the resources in this table to configure these management systems to deploy the apps that you selected in the [Plan for app migration or replacement](#plan-app-migrate-replace) section of this guide. 
Table 10. Management systems and app deployment resources 
@@ -871,18 +871,18 @@ Table 10. Management systems and app deployment resources If you determined that no deployment of apps is necessary, you can skip this section. If you use a management system from another vendor, refer to the vendor documentation on how to perform the necessary steps. -## Perform migration of user and device settings +## Perform migration of user and device settings -In the [Plan for migration of user and device settings](#plan_migrate_user_device_settings) section, you determined the user and device settings that you want to migrate. You selected settings that are configured in the Google Admin Console and locally on the Chromebook device. +In the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section, you determined the user and device settings that you want to migrate. You selected settings that are configured in the Google Admin Console and locally on the Chromebook device. Perform the user and device setting migration by using the following steps: -1. From the list of institution-wide settings that you created in the [Plan for migration of user and device settings](#plan_migrate_user_device_settings) section, configure as many as possible in your management system (such as Group Policy, Configuration Manager, or Intune). +1. From the list of institution-wide settings that you created in the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section, configure as many as possible in your management system (such as Group Policy, Configuration Manager, or Intune). -2. From the list of device-specific settings that you created in the [Plan for migration of user and device settings](#plan_migrate_user_device_settings) section, configure device-specific setting for higher priority settings. +2. 
From the list of device-specific settings that you created in the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section, configure device-specific setting for higher priority settings. -3. From the list of user-specific settings that you created in the [Plan for migration of user and device settings](#plan_migrate_user_device_settings) section, configure user-specific setting for higher priority settings. +3. From the list of user-specific settings that you created in the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section, configure user-specific setting for higher priority settings. 4. Verify that all higher-priority user and device settings have been configured in your management system. @@ -891,7 +891,7 @@ If you do no want to migrate any user or device settings from the Chromebook dev ## Perform email migration -In the [Plan for email migration](#plan_email_migrate) section, you identified the user mailboxes to migrate, identified the companion devices that access Google Apps Gmail, and identified the optimal timing for migration. You can perform this migration before or after you deploy the Windows devices. +In the [Plan for email migration](#plan-email-migrate) section, you identified the user mailboxes to migrate, identified the companion devices that access Google Apps Gmail, and identified the optimal timing for migration. You can perform this migration before or after you deploy the Windows devices. Office 365 supports automated migration from Google Apps Gmail to Office 365. For more information on how to automate the migration from Google Apps Gmail to Office 365, see [Migrate Google Apps mailboxes to Office 365](http://go.microsoft.com/fwlink/p/?LinkId=690252). 
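Review bot: items 2 and 3 in the `@@ -871` hunk say "configure device-specific setting" / "configure user-specific setting"; both should be "settings", and "higher priority settings" there is hyphenated as "higher-priority" in item 4, so pick one form. The `@@ -891` hunk header also exposes the context "If you do no want to migrate" (should be "do not"); a one-word fix while the file is open.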
@@ -910,7 +910,7 @@ Alternatively, if you want to migrate to Office 365 from: ## Perform cloud storage migration -In the [Plan for cloud storage migration](#plan_cloud_storage_migration) section, you identified the cloud storage services currently in use, selected the Microsoft cloud storage services that you will use, and optimized your cloud storage services migration plan. You can perform the cloud storage migration before or after you deploy the Windows devices. +In the [Plan for cloud storage migration](#plan-cloud-storage-migration) section, you identified the cloud storage services currently in use, selected the Microsoft cloud storage services that you will use, and optimized your cloud storage services migration plan. You can perform the cloud storage migration before or after you deploy the Windows devices. Manually migrate the cloud storage migration by using the following steps: 
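Review bot: the context line in the `@@ -910` hunk, "Manually migrate the cloud storage migration by using the following steps:", reads oddly; "Perform the cloud storage migration manually by using the following steps:" matches the phrasing used in the `@@ -871` hunk.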
@@ -929,7 +929,7 @@ There are also a number of software vendors who provide software that helps auto ## Perform cloud services migration -In the [Plan for cloud services migration](#plan_cloud_services)section, you identified the cloud services currently in use, selected the cloud services that you want to migrate, prioritized the cloud services to migrate, and then selected the cloud services migration strategy. You can perform the cloud services migration before or after you deploy the Windows devices. +In the [Plan for cloud services migration](#plan-cloud-services)section, you identified the cloud services currently in use, selected the cloud services that you want to migrate, prioritized the cloud services to migrate, and then selected the cloud services migration strategy. You can perform the cloud services migration before or after you deploy the Windows devices. Migrate the cloud services that you currently use to the Microsoft cloud services that you selected. For example, you could migrate from a collaboration website to Office 365 SharePoint. Perform the cloud services migration based on the existing cloud services and the Microsoft cloud services that you selected. 
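Review bot: the rewritten line in the `@@ -929` hunk keeps the missing space in `(#plan-cloud-services)section`; insert it. The target `#plan-cloud-services` also breaks the naming pattern of its sibling links (`#plan-cloud-storage-migration`, `#plan-email-migrate`), and the heading it points to (`## Plan for cloud services migration` in the `@@ -339` hunk) is not shown with an explicit id, so verify that this anchor actually resolves on the rendered page.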
@@ -938,7 +938,7 @@ There are also a number of software vendors who provide software that helps auto ## Perform Windows device deployment -In the [Select a Windows device deployment strategy](#select_windows_device_deploy) section, you selected how you wanted to deploy Windows 10 devices. The other migration task that you designed in the [Plan for Windows device deployment](#plan_windevice_deploy) section have already been performed. Now it's time to deploy the actual devices. +In the [Select a Windows device deployment strategy](#select-windows-device-deploy) section, you selected how you wanted to deploy Windows 10 devices. The other migration task that you designed in the [Plan for Windows device deployment](#plan-windevice-deploy) section have already been performed. Now it's time to deploy the actual devices. For example, if you selected to deploy Windows devices by each classroom, start with the first classroom and then proceed through all of the classrooms until you’ve deployed all Windows devices. diff --git a/windows/plan/computer-dialog-box.md b/windows/plan/computer-dialog-box.md index 8868744fa1..3dc13ae7b8 100644 --- a/windows/plan/computer-dialog-box.md +++ b/windows/plan/computer-dialog-box.md @@ -30,7 +30,7 @@ In Application Compatibility Manager (ACM), the *<Computer>* dialog box sh 3. Double-click the name of a computer. -## Tabs in the <Computer> dialog box +## Tabs in the <Computer> dialog box The following table shows the information available in the *<Computer>* dialog box. @@ -89,7 +89,7 @@ The following table shows the information available in the *<Computer>* di   -## Using the <Computer> Dialog Box +## Using the <Computer> Dialog Box In the *<Computer>* dialog box, you can perform the following actions: diff --git a/windows/plan/creating-a-custom-compatibility-fix-in-compatibility-administrator.md b/windows/plan/creating-a-custom-compatibility-fix-in-compatibility-administrator.md index 722d28be44..d7bf4169b9 100644 
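Review bot: in the `@@ -938` hunk, "The other migration task that you designed ... have already been performed" should be "tasks". In the two `computer-dialog-box.md` hunks, the headings `## Tabs in the <Computer> dialog box` and `## Using the <Computer> Dialog Box` contain a bare `<Computer>`; Markdown passes that through as an inline HTML tag and browsers drop unknown tags, so the placeholder vanishes from the rendered heading (the body text's `*<Computer>*` has the same problem). Escape it as `&lt;Computer&gt;` or wrap it in backticks, and make the capitalisation of "dialog box" consistent between the two headings.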
--- a/windows/plan/creating-a-custom-compatibility-fix-in-compatibility-administrator.md +++ b/windows/plan/creating-a-custom-compatibility-fix-in-compatibility-administrator.md @@ -22,10 +22,10 @@ author: TrudyHa **In this article** -- [What is a Compatibility Fix?](#what_is_a_compatibility_fix_) -- [Searching for Existing Compatibility Fixes](#searching_for_existing_compatibility_fixes) -- [Creating a New Compatibility Fix](#creating_a_new_compatibility_fix) -- [Related topics](#related_topics) +- [What is a Compatibility Fix?](#what-is-a-compatibility-fix-) +- [Searching for Existing Compatibility Fixes](#searching-for-existing-compatibility-fixes) +- [Creating a New Compatibility Fix](#creating-a-new-compatibility-fix) +- [Related topics](#related-topics) The Compatibility Administrator tool uses the term *fix* to describe the combination of compatibility information added to a customized database for a specific application. This combination can include single application fixes, groups of fixes that work together as a compatibility mode, and blocking and non-blocking AppHelp messages. diff --git a/windows/plan/creating-a-custom-compatibility-mode-in-compatibility-administrator.md b/windows/plan/creating-a-custom-compatibility-mode-in-compatibility-administrator.md index 661ad8bd6a..49362655f0 100644 --- a/windows/plan/creating-a-custom-compatibility-mode-in-compatibility-administrator.md +++ b/windows/plan/creating-a-custom-compatibility-mode-in-compatibility-administrator.md 
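Review bot: `#what-is-a-compatibility-fix-` (first bullet of the `creating-a-custom-compatibility-fix-in-compatibility-administrator.md` hunk) ends in a hyphen carried over from the `?` in the old `#what_is_a_compatibility_fix_`. Whether the new id generator keeps a trailing separator for punctuation is not visible here; GitHub-style slugs drop the `?` and yield `#what-is-a-compatibility-fix`, so confirm this link resolves on the rendered page before merging.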
@@ -22,10 +22,10 @@ author: TrudyHa **In this article** -- [What Is a Compatibility Mode?](#what_is_a_compatibility_mode_) -- [Searching for Existing Compatibility Modes](#searching_for_existing_compatibility_modes) -- [Creating a New Compatibility Mode](#creating_a_new_compatibility_mode) -- [Related topics](#related_topics) +- [What Is a Compatibility Mode?](#what-is-a-compatibility-mode-) +- [Searching for Existing Compatibility Modes](#searching-for-existing-compatibility-modes) +- [Creating a New Compatibility Mode](#creating-a-new-compatibility-mode) +- [Related topics](#related-topics) Windows® provides several *compatibility modes*, groups of compatibility fixes found to resolve many common application-compatibility issues. While working with Compatibility Administrator, you might decide to group some of your individual compatibility fixes into a custom-compatibility mode, which you can then deploy and use on any of your compatibility databases. diff --git a/windows/plan/creating-an-apphelp-message-in-compatibility-administrator.md b/windows/plan/creating-an-apphelp-message-in-compatibility-administrator.md index 0f9059eb1d..a1ffaec3c3 100644 --- a/windows/plan/creating-an-apphelp-message-in-compatibility-administrator.md +++ b/windows/plan/creating-an-apphelp-message-in-compatibility-administrator.md 
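Review bot: `#what-is-a-compatibility-mode-` in the `creating-a-custom-compatibility-mode-in-compatibility-administrator.md` hunk has the same trailing-hyphen question as the compatibility-fix topic: the `-` at the end stands in for the `?` in "What Is a Compatibility Mode?", and slug generators that drop punctuation would produce `#what-is-a-compatibility-mode` instead. Check the rendered id rather than relying on the mechanical `_` to `-` conversion.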
@@ -22,11 +22,11 @@ author: TrudyHa **In this article** -- [Blocking Versus Non-Blocking AppHelp Messages](#blocking_versus_non-blocking_apphelp_messages) -- [Searching for Existing Compatibility Fixes](#searching_for_existing_compatibility_fixes) -- [Creating a New AppHelp Message](#creating_a_new_apphelp_message) -- [Issues with AppHelp Messages and Computers Running Windows 2000](#issues_with_apphelp_messages_and_computers_running_windows_2000) -- [Related topics](#related_topics) +- [Blocking Versus Non-Blocking AppHelp Messages](#blocking-versus-non-blocking-apphelp-messages) +- [Searching for Existing Compatibility Fixes](#searching-for-existing-compatibility-fixes) +- [Creating a New AppHelp Message](#creating-a-new-apphelp-message) +- [Issues with AppHelp Messages and Computers Running Windows 2000](#issues-with-apphelp-messages-and-computers-running-windows-2000) +- [Related topics](#related-topics) The Compatibility Administrator tool enables you to create an AppHelp text message. This is a blocking or non-blocking message that appears when a user starts an application that you know has major functionality issues on the Windows® operating system. diff --git a/windows/plan/creating-an-enterprise-environment-for-compatibility-testing.md b/windows/plan/creating-an-enterprise-environment-for-compatibility-testing.md index d5d0587feb..e5993f73fd 100644 --- a/windows/plan/creating-an-enterprise-environment-for-compatibility-testing.md +++ b/windows/plan/creating-an-enterprise-environment-for-compatibility-testing.md 
@@ -22,11 +22,11 @@ author: TrudyHa **In this article** -- [Modeling the Production Environment](#modeling_the_production_environment) -- [Configuring the Test Environment for Automated Testing](#configuring_the_test_environment_for_automated_testing) -- [Determining When Virtualization Is Appropriate](#determining_when_virtualization_is_appropriate) -- [Testing Methodology](#testing_methodology) -- [Related topics](#related_topics) +- [Modeling the Production Environment](#modeling-the-production-environment) +- [Configuring the Test Environment for Automated Testing](#configuring-the-test-environment-for-automated-testing) +- [Determining When Virtualization Is Appropriate](#determining-when-virtualization-is-appropriate) +- [Testing Methodology](#testing-methodology) +- [Related topics](#related-topics) The goal of the test environment is to model the operating system that you want to deploy and assess compatibility before deploying the operating system to your production environment. Your test environment is composed of computers on which the new operating system is installed. Your test environment can be a long-term investment. Consider retaining the test environment after deployment to assist in future deployment projects. diff --git a/windows/plan/customizing-your-report-views.md b/windows/plan/customizing-your-report-views.md index e41f2f89d0..725122266c 100644 --- a/windows/plan/customizing-your-report-views.md +++ b/windows/plan/customizing-your-report-views.md @@ -22,7 +22,7 @@ author: TrudyHa You can customize how you view your report data in Application Compatibility Manager (ACM). -## Modifying the <Operating\_System> Reports View +## Modifying the <Operating\_System> Reports View You can choose which operating systems ACM shows in the compatibility reports. For operating systems that you exclude from the reports, the data continues to be collected but ACM does not display it. 
diff --git a/windows/plan/deployment-considerations-for-windows-to-go.md b/windows/plan/deployment-considerations-for-windows-to-go.md index 8f2edec923..a7c14e1f47 100644 --- a/windows/plan/deployment-considerations-for-windows-to-go.md +++ b/windows/plan/deployment-considerations-for-windows-to-go.md @@ -25,23 +25,23 @@ Windows To Go does not support operating system upgrades. Windows To Go is desig The following sections discuss the boot experience, deployment methods, and tools that you can use with Windows To Go. -- [Initial boot experiences](#wtg_initboot) +- [Initial boot experiences](#wtg-initboot) -- [Image deployment and drive provisioning considerations](#wtg_imagedep) +- [Image deployment and drive provisioning considerations](#wtg-imagedep) -- [Application installation and domain join](#wtg_appinstall) +- [Application installation and domain join](#wtg-appinstall) -- [Management of Windows To Go using Group Policy](#BKMK_wtggp) +- [Management of Windows To Go using Group Policy](#bkmk-wtggp) -- [Supporting booting from USB](#wtg_bootusb) +- [Supporting booting from USB](#wtg-bootusb) -- [Updating firmware](#stg_firmware) +- [Updating firmware](#stg-firmware) -- [Configure Windows To Go startup options](#wtg_startup) +- [Configure Windows To Go startup options](#wtg-startup) -- [Change firmware settings](#wtg_changefirmware) +- [Change firmware settings](#wtg-changefirmware) -## Initial boot experiences +## Initial boot experiences The following diagrams illustrate the two different methods you could use to provide Windows To Go drives to your users. The experiences differ depending on whether the user will be booting the device initially on-premises or off-premises: 
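Review bot: in the `@@ -25` hunk of `deployment-considerations-for-windows-to-go.md`, `#stg-firmware` (the "Updating firmware" bullet) is the only target not using the `wtg-` prefix, and `#bkmk-wtggp` is the only one that was mixed-case before; neither has a matching heading or id change in the hunks that follow (the `@@ -226` hunk touches `### Management of Windows To Go using Group Policy` but shows no `bkmk-wtggp` id), so check both before merging. Also note the list presents all eight items as siblings while the headings below are a mix of `##` and `###`.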
@@ -61,7 +61,7 @@ Applying BitLocker Drive Encryption to the drives before provisioning is a much DirectAccess can be used to ensure that the user can login with their domain credentials without needing a local account. For instructions on setting up a DirectAccess solution, for a small pilot deployment see [Deploy a Single Remote Access Server using the Getting Started Wizard](http://go.microsoft.com/fwlink/p/?LinkId=619077) for a larger scale deployment, see [Deploy Remote Access in an Enterprise](http://go.microsoft.com/fwlink/p/?LinkId=619078). If you do not want to use DirectAccess as an alternative users could log on using a local user account on the Windows To Go workspace and then use a virtual private network for remote access to your organizational network. -### Image deployment and drive provisioning considerations +### Image deployment and drive provisioning considerations The Image Deployment process can be accomplished either by a centralized IT process for your organization or by individual users creating their own Windows To Go workspaces. You must have local Administrator access and access to a Windows 10 Enterprise or Windows 10 Education image to create a Windows To Go workspace, or you must be using System Center Configuration Manager 2012 Service Pack 1 or later to distribute Windows To Go workspaces to users. The image deployment process takes a blank USB drive and a Windows 10 Enterprise image (WIM) and turns it into a Windows To Go drive. 
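Review bot: the `@@ -61` hunk only trims whitespace on the `### Image deployment and drive provisioning considerations` heading, but its leading context sentence runs two instructions together without a separator ("for a small pilot deployment see [...] for a larger scale deployment, see [...]"); a period or semicolon after the first link fixes it, and "login" should be "log on" to match the wording later in the same paragraph.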
@@ -226,11 +226,11 @@ The following list of commonly used Wi-Fi network adapters that are not supporte IT administrators that want to target Windows To Go images for specific systems should test their images to ensure that the necessary system drivers are in the image, especially for critical functionality like Wi-Fi that is not supported by class drivers. Some consumer devices require OEM specific driver packages, which may not be available on Windows Update. For more information on how to add a driver to a Windows Image, please refer to the [Basic Windows Deployment Step-by-Step Guide](http://go.microsoft.com/fwlink/p/?LinkId=619079). -### Application installation and domain join +### Application installation and domain join Unless you are using a customized Windows image that includes unattended installation settings, the initial Windows To Go workspace will not be domain joined and will not contain applications. This is exactly like a new installation of Windows on a desktop or laptop computer. When planning your deployment, you should develop methods to join Windows to Go drives to the domain and install the standard applications that users in your organization require. These methods probably will be similar to the ones used for setting up desktop and laptop computers with domain privileges and applications -### Management of Windows To Go using Group Policy +### Management of Windows To Go using Group Policy In general, management of Windows To Go workspaces is same as that for desktop and laptop computers. There are Windows To Go specific Group Policy settings that should be considered as part of Windows To Go deployment. Windows To Go Group Policy settings are located at `\\Computer Configuration\Administrative Templates\Windows Components\Portable Operating System\` in the Local Group Policy Editor. 
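Review bot: the `@@ -226` hunk's context sentence ending "with domain privileges and applications" lacks a period. In the same hunk, the Group Policy path `\\Computer Configuration\Administrative Templates\Windows Components\Portable Operating System\` begins with a double backslash, which reads as a UNC share rather than a Local Group Policy Editor node; confirm the leading `\\` is intended or drop it.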
@@ -262,7 +262,7 @@ The use of the Store on Windows To Go workspaces that are running Windows 8 can   -## Supporting booting from USB +## Supporting booting from USB The biggest hurdle for a user wanting to use Windows To Go is configuring their computer to boot from USB. This is traditionally done by entering the firmware and configuring the appropriate boot order options. To ease the process of making the firmware modifications required for Windows To Go, Windows includes a feature named **Windows To Go Startup Options** that allows a user to configure their computer to boot from USB from within Windows—without ever entering their firmware, as long as their firmware supports booting from USB. @@ -274,7 +274,7 @@ Enabling a system to always boot from USB first has implications that you should If you are going to be using a Windows 7 computer as a host-PC, see the wiki article [Tips for configuring your BIOS settings to work with Windows To Go](http://go.microsoft.com/fwlink/p/?LinkID=618951). -### Roaming between different firmware types +### Roaming between different firmware types Windows supports two types of PC firmware: Unified Extensible Firmware Interface (UEFI), which is the new standard, and legacy BIOS firmware, which was used in most PCs shipping with Windows 7 or earlier version of Windows. Each firmware type has completely different Windows boot components that are incompatible with each other. Beyond the different boot components, Windows supports different partition styles and layout requirements for each type of firmware as shown in the following diagrams. 
@@ -288,7 +288,7 @@ To enable booting Windows To Go on both types of firmware, a new disk layout is This is the only supported disk configuration for Windows To Go. With this disk configuration, a single Windows To Go drive can be booted on computers with UEFI and legacy BIOS firmware. -### Configure Windows To Go startup options +### Configure Windows To Go startup options Windows To Go Startup Options is a setting available on Windows 10-based PCs that enables the computer to be booted from a USB without manually changing the firmware settings of the PC. To configure Windows To Go Startup Options you must have administrative rights on the computer and the **Windows To Go Default Startup Options** Group Policy setting must not be configured. @@ -307,7 +307,7 @@ Windows To Go Startup Options is a setting available on Windows 10-based PCs th 3. Click **Save Changes**. If the User Account Control dialog box is displayed, confirm that the action it displays is what you want, and then click **Yes**. -### Change firmware settings +### Change firmware settings If you choose to not use the Windows To Go startup options or are using a PC running Windows 7 as your host computer you will need to manually configure the firmware settings. The process used to accomplish this will depend on the firmware type and manufacturer. If your host computer is protected by BitLocker and running Windows 7 you should suspend BitLocker before making the change to the firmware settings. After the firmware settings have been successfully reconfigured, resume BitLocker protection. If you do not suspend BitLocker first, BitLocker will assume that the computer has been tampered with and will boot into BitLocker recovery mode. diff --git a/windows/plan/device-dialog-box.md b/windows/plan/device-dialog-box.md index 37929da162..401b831c3b 100644 --- a/windows/plan/device-dialog-box.md +++ b/windows/plan/device-dialog-box.md 
@@ -30,7 +30,7 @@ In Application Compatibility Manager (ACM), the *<Device>* dialog box show 3. Double-click the name of a device. -## Tabs in the <Device> dialog box +## Tabs in the <Device> dialog box The following table shows the information available in the *<Device>* dialog box. @@ -70,7 +70,7 @@ The following table shows the information available in the *<Device>* dial   -## Using the <Device> Dialog Box +## Using the <Device> Dialog Box In the *<Device>* dialog box, you can perform the following actions: diff --git a/windows/plan/identifying-computers-for-inventory-collection.md b/windows/plan/identifying-computers-for-inventory-collection.md index 7161dbdfb1..316e985187 100644 --- a/windows/plan/identifying-computers-for-inventory-collection.md +++ b/windows/plan/identifying-computers-for-inventory-collection.md @@ -22,12 +22,12 @@ author: TrudyHa **In this article** -- [Managed and Unmanaged Environments](#BMK_ManagedUnmanaged) -- [Role-Based Applications](#BMK_RolebasedApplications) -- [Software Distribution](#BMK_SoftwareDistribution) -- [Geographic Distribution](#BMK_GeographicDistribution) -- [Computer Types](#BMK_ComputerTypes) -- [Related topics](#related_topics) +- [Managed and Unmanaged Environments](#bmk-managedunmanaged) +- [Role-Based Applications](#bmk-rolebasedapplications) +- [Software Distribution](#bmk-softwaredistribution) +- [Geographic Distribution](#bmk-geographicdistribution) +- [Computer Types](#bmk-computertypes) +- [Related topics](#related-topics) An inventory-collector package gathers inventory data from the computers on which it is installed. This data includes the following: 
@@ -41,17 +41,17 @@ To generate a complete inventory and obtain a comprehensive view of your organiz If you decide to deploy inventory-collector packages to representative subsets of computers in your organization, consider the following: -- [Managed and Unmanaged Environments](#BMK_ManagedUnmanaged) +- [Managed and Unmanaged Environments](#bmk-managedunmanaged) -- [Role-Based Applications](#BMK_RolebasedApplications) +- [Role-Based Applications](#bmk-rolebasedapplications) -- [Software Distribution](#BMK_SoftwareDistribution) +- [Software Distribution](#bmk-softwaredistribution) -- [Geographic Distribution](#BMK_GeographicDistribution) +- [Geographic Distribution](#bmk-geographicdistribution) -- [Computer Types](#BMK_ComputerTypes) +- [Computer Types](#bmk-computertypes) -## Managed and Unmanaged Environments +## Managed and Unmanaged Environments In your organization, you may have managed environments and unmanaged environments. 
@@ -60,22 +60,22 @@ In a managed environment, IT administrators strictly control and manage the inst In an unmanaged environment, users have administrator permissions and can install applications at their own discretion. To obtain the full inventory, you must deploy your inventory-collector packages to more computers. -## Role-Based Applications +## Role-Based Applications Your organization may use role-based applications that relate to job function. For example, accountants may use finance-related applications. Reviewing application use together with job function helps you better identify which subsets of computers need inventory-collector packages. -## Software Distribution +## Software Distribution You can distribute applications in various ways within an organization. For example, you can use Group Policy, Microsoft® IntelliMirror®, Microsoft System Center Configuration Manager, or a customized distribution method. Reviewing the policies for your software distribution system helps you better identify which subsets of computers need inventory-collector packages. -## Geographic Distribution +## Geographic Distribution While you plan for inventory collection, consider the geographic distribution of your organization, and consider application use within each region. Be sure to account for divisional applications, localized applications, and applications that are specific to the geographic location and export restrictions. Consult with technical and business leaders from each region to understand the differences and determine which subsets of computers need inventory-collector packages. -## Computer Types +## Computer Types Computer types can be an important factor in the deployment of inventory-collector packages. The following sections describe common computer types. diff --git a/windows/plan/integration-with-management-solutions-.md b/windows/plan/integration-with-management-solutions-.md index 5b6ea8cd28..e8aa0648f1 100644 
--- a/windows/plan/integration-with-management-solutions-.md +++ b/windows/plan/integration-with-management-solutions-.md 
@@ -18,24 +18,24 @@ author: TrudyHa **In this article** -- [System Center Configuration Manager](#system_center_configuration_manager) -- [WSUS standalone](#wsus_standalone_) -- [Enterprise Mobility Suite: Intune](#enterprise_mobility_suite__intune) -- [Related topics](#related_topics) +- [System Center Configuration Manager](#system-center-configuration-manager) +- [WSUS standalone](#wsus-standalone-) +- [Enterprise Mobility Suite: Intune](#enterprise-mobility-suite--intune) +- [Related topics](#related-topics) You can integrate Windows Update for Business deployments with existing management tools such as Windows Server Update Services (WSUS), System Center Configuration Manager, and Microsoft Intune. ## System Center Configuration Manager -For Windows 10, Version 1511, organizations that already manage their systems with Configuration Manager can also have their devices configured for Windows Update for Business (in other words, set deferral policies on those machines). For Windows 10, Version 1511, such devices will be visible in the Configuration Manager console, however they will appear with a detection state of “Unknown”. +For Windows 10, version 1511, organizations that already manage their systems with Configuration Manager can also have their devices configured for Windows Update for Business (in other words, set deferral policies on those machines). For Windows 10, version 1511, such devices will be visible in the Configuration Manager console, however they will appear with a detection state of “Unknown”. ![figure 1](images/wuforbusiness-fig10-sccmconsole.png) -## WSUS standalone +## WSUS standalone -For Windows 10, Version 1511, you cannot configure devices for both Windows Update for Business *and* to receive updates from WSUS. If both group policies are set (for both deferrals as well as WSUS scanning), Windows Update for Business settings will NOT be respected and devices will continue to scan against WSUS. 
+For Windows 10, version 1511, you cannot configure devices for both Windows Update for Business *and* to receive updates from WSUS. If both group policies are set (for both deferrals as well as WSUS scanning), Windows Update for Business settings will NOT be respected and devices will continue to scan against WSUS. ## Enterprise Mobility Suite: Intune diff --git a/windows/plan/operatingsystem---application-report.md b/windows/plan/operatingsystem---application-report.md index b784962421..b23b7523f7 100644 --- a/windows/plan/operatingsystem---application-report.md +++ b/windows/plan/operatingsystem---application-report.md @@ -46,7 +46,7 @@ The **<OperatingSystem> - Application Report** screen shows the following 2. In the **Quick Reports** pane, under an operating system heading, click **Applications**. -## Using the <OperatingSystem> - Application Report Screen +## Using the <OperatingSystem> - Application Report Screen On the **<OperatingSystem> - Application Report** screen, you can perform the following actions: diff --git a/windows/plan/operatingsystem---computer-report.md b/windows/plan/operatingsystem---computer-report.md index d54c6212c6..3bfea9a20a 100644 --- a/windows/plan/operatingsystem---computer-report.md +++ b/windows/plan/operatingsystem---computer-report.md @@ -34,7 +34,7 @@ The **<OperatingSystem> - Computer Report** screen shows the following inf 2. In the **Quick Reports** pane, under an operating system heading, click **Computers**. -## Using the <OperatingSystem> - Computer Report Screen +## Using the <OperatingSystem> - Computer Report Screen On the **<OperatingSystem> - Computer Report** screen, you can perform the following actions: diff --git a/windows/plan/operatingsystem---device-report.md b/windows/plan/operatingsystem---device-report.md index 434b34487b..93ddd7cec8 100644 --- a/windows/plan/operatingsystem---device-report.md +++ b/windows/plan/operatingsystem---device-report.md 
@@ -36,7 +36,7 @@ The **<OperatingSystem> - Device Report** screen shows the following infor 2. In the **Quick Reports** pane, under an operating system heading, click **Devices**. -## Using the <OperatingSystem> - Device Report Screen +## Using the <OperatingSystem> - Device Report Screen On the **<OperatingSystem> - Device Report** screen, you can: diff --git a/windows/plan/prepare-your-organization-for-windows-to-go.md b/windows/plan/prepare-your-organization-for-windows-to-go.md index 49b177a81d..d0eb68f7b9 100644 --- a/windows/plan/prepare-your-organization-for-windows-to-go.md +++ b/windows/plan/prepare-your-organization-for-windows-to-go.md 
@@ -18,15 +18,15 @@ author: TrudyHa **In this article** -- [What is Windows To Go?](#what_is_windows_to_go_) -- [Usage scenarios](#usage_scenarios) -- [Infrastructure considerations](#infrastructure_considerations) -- [Activation considerations](#activation_considerations) -- [Organizational unit structure and use of Group Policy Objects](#organizational_unit_structure_and_use_of_group_policy_objects) -- [Computer account management](#computer_account_management) -- [User account and data management](#user_account_and_data_management) -- [Remote connectivity](#remote_connectivity) -- [Related topics](#related_topics) +- [What is Windows To Go?](#what-is-windows-to-go-) +- [Usage scenarios](#usage-scenarios) +- [Infrastructure considerations](#infrastructure-considerations) +- [Activation considerations](#activation-considerations) +- [Organizational unit structure and use of Group Policy Objects](#organizational-unit-structure-and-use-of-group-policy-objects) +- [Computer account management](#computer-account-management) +- [User account and data management](#user-account-and-data-management) +- [Remote connectivity](#remote-connectivity) +- [Related topics](#related-topics) The following information is provided to help you plan and design a new deployment of a Windows To Go in your production environment. It provides answers to the “what”, “why”, and “when” questions an IT professional might have when planning to deploy Windows To Go. diff --git a/windows/plan/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md b/windows/plan/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md index 88498f566b..2ae7930a08 100644 --- a/windows/plan/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md +++ b/windows/plan/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md 
@@ -22,12 +22,12 @@ author: TrudyHa **In this article** -- [Querying by Using the Program Properties Tab](#querying_by_using_the_program_properties_tab) -- [Querying by Using the Fix Properties Tab](#querying_by_using_the_fix_properties_tab) -- [Querying by Using the Fix Description Tab](#querying_by_using_the_fix_description_tab) -- [Querying by Using the Fix Description Tab](#querying_by_using_the_fix_description_tab) -- [Exporting Your Search Results](#exporting_your_search_results) -- [Related topics](#related_topics) +- [Querying by Using the Program Properties Tab](#querying-by-using-the-program-properties-tab) +- [Querying by Using the Fix Properties Tab](#querying-by-using-the-fix-properties-tab) +- [Querying by Using the Fix Description Tab](#querying-by-using-the-fix-description-tab) +- [Querying by Using the Fix Description Tab](#querying-by-using-the-fix-description-tab) +- [Exporting Your Search Results](#exporting-your-search-results) +- [Related topics](#related-topics) You can access the Query tool from within Compatibility Administrator. The Query tool provides the same functionality as using the Search feature. diff --git a/windows/plan/security-and-data-protection-considerations-for-windows-to-go.md b/windows/plan/security-and-data-protection-considerations-for-windows-to-go.md index 0541523ece..bb0891ee24 100644 --- a/windows/plan/security-and-data-protection-considerations-for-windows-to-go.md +++ b/windows/plan/security-and-data-protection-considerations-for-windows-to-go.md 
@@ -18,11 +18,11 @@ author: TrudyHa **In this article** -- [Backup and restore](#backup_and_restore) +- [Backup and restore](#backup-and-restore) - [BitLocker](#bitlocker) -- [Disk discovery and data leakage](#disk_discovery_and_data_leakage) -- [Security certifications for Windows To Go](#security_certifications_for_windows_to_go) -- [Related topics](#related_topics) +- [Disk discovery and data leakage](#disk-discovery-and-data-leakage) +- [Security certifications for Windows To Go](#security-certifications-for-windows-to-go) +- [Related topics](#related-topics) One of the most important requirements to consider when you plan your Windows To Go deployment is to ensure that the data, content, and resources you work with in the Windows To Go workspace is protected and secure. @@ -41,7 +41,7 @@ We recommend that you use BitLocker with your Windows To Go drives to protect th You can enable BitLocker while using the Windows To Go Creator wizard as part of the drive provisioning process before first use; or it can be enabled afterward by the user from within the Windows To Go workspace. **Tip**   -If the Windows To Go Creator wizard is not able to enable BitLocker, see [Why can't I enable BitLocker from Windows To Go Creator?](windows-to-go-frequently-asked-questions.md#wtg_faq_blfail) +If the Windows To Go Creator wizard is not able to enable BitLocker, see [Why can't I enable BitLocker from Windows To Go Creator?](windows-to-go-frequently-asked-questions.md#wtg-faq-blfail)   diff --git a/windows/plan/settings-dialog-box---preferences-tab.md b/windows/plan/settings-dialog-box---preferences-tab.md index f0849a0e99..faf33d73e4 100644 --- a/windows/plan/settings-dialog-box---preferences-tab.md +++ b/windows/plan/settings-dialog-box---preferences-tab.md 
@@ -24,14 +24,14 @@ To display the **Settings** dialog box, in Application Compatibility Manager (AC In the **Settings** dialog box, on the **Preferences** tab, use the following controls to join or leave the ACT Community, send ACT usage data to Microsoft, or be notified when there are updates available for ACT. -**Yes, I want to join the ACT Community** +**Yes, I want to join the ACT Community** If this check box is selected, you are a member of the ACT Community and can share application compatibility data with other ACT users. If this check box is cleared, you still receive compatibility data from the Microsoft compatibility database, but not from other ACT users. For more information about the ACT Community, see [ACT Community Ratings and Process](act-community-ratings-and-process.md). -**Send ACT usage data to Microsoft** +**Send ACT usage data to Microsoft** If this check box is selected, the following ACT usage data is sent to Microsoft: - The version of SQL Server being used by the ACT database. @@ -46,7 +46,7 @@ If this check box is selected, the following ACT usage data is sent to Microsoft If this check box is cleared, your ACT usage data is not sent to Microsoft. -**Notify me when a newer version of ACT is available (recommended)** +**Notify me when a newer version of ACT is available (recommended)** If this check box is selected, ACM notifies you when an update is available for ACT. ## Related topics diff --git a/windows/plan/settings-dialog-box---settings-tab.md b/windows/plan/settings-dialog-box---settings-tab.md index 4d9773ed8c..28bde93086 100644 --- a/windows/plan/settings-dialog-box---settings-tab.md +++ b/windows/plan/settings-dialog-box---settings-tab.md 
@@ -24,28 +24,28 @@ To display the **Settings** dialog box, in Application Compatibility Manager (AC In the **Settings** dialog box, on the **Settings** tab, use the following controls to modify the settings for your ACT database and ACT Log Processing Service. -**SQL Server** +**SQL Server** Lists the database server name for the SQL Server database server that contains your ACT database. Click **Browse** to search for available database servers. A **Select Server** dialog box appears from which you can select the database server that contains your ACT database. -**Database** +**Database** Lists the database name of your ACT database. -**Change** +**Change** Opens the user interface where you can create, open, or migrate an ACT database. -**This computer is configured as a Log Processing Service** +**This computer is configured as a Log Processing Service** If selected, indicates that this computer is used for the ACT Log Processing Service. Clear this check box to use a different computer to process the logs. If there is no designated ACT Log Processing Service, log processing defaults to the local computer. -**Log Processing Service Account** +**Log Processing Service Account** Specifies the account information, including the account type and account credentials, to be used to start the ACT Log Processing Service. The account must have read and write access to the ACT database. For information about setting up database permissions for the ACT Log Processing Service, see [Troubleshooting ACT Database Issues](troubleshooting-act-database-issues.md). -**Log Share** +**Log Share** Specifies the absolute path to the ACT Log Processing Service share where log files are processed. Click **Browse** to search for a location. The **Share as** box automatically updates to show the directory name. For information about ensuring that all computers can access the share, see [Troubleshooting the ACT Log Processing Service](troubleshooting-the-act-log-processing-service.md). 
diff --git a/windows/plan/setup-and-deployment.md b/windows/plan/setup-and-deployment.md index 2bd004159d..415fa85dee 100644 --- a/windows/plan/setup-and-deployment.md +++ b/windows/plan/setup-and-deployment.md 
@@ -18,13 +18,13 @@ author: TrudyHa **In this article** -- [Configure your systems to receive updates on CBB](#configure_your_systems_to_receive_updates_on_cbb) -- [Defer OS upgrade and update deployments](#defer_OS_upgrade) -- [Pause upgrades and updates](#pause_upgrades_and_updates) -- [Create validation groups for deployments](#create_validation_groups_for_deployments) -- [Peer-to-peer networking for deployments](#peer-to-peer_networking_for_deployments_) -- [Use Group Policy to configure Windows Update Delivery Optimization](#use_group_policy_to_configure_windows_update_delivery_optimization_) -- [Related topics](#related_topics) +- [Configure your systems to receive updates on CBB](#configure-your-systems-to-receive-updates-on-cbb) +- [Defer OS upgrade and update deployments](#defer-os-upgrade) +- [Pause upgrades and updates](#pause-upgrades-and-updates) +- [Create validation groups for deployments](#create-validation-groups-for-deployments) +- [Peer-to-peer networking for deployments](#peer-to-peer-networking-for-deployments-) +- [Use Group Policy to configure Windows Update Delivery Optimization](#use-group-policy-to-configure-windows-update-delivery-optimization-) +- [Related topics](#related-topics) This article describes the basic features of a Windows Update for Business deployment. Use this information to familiarize yourself with a simple deployment with a single group of machines connected to Windows Update, in addition to more complex scenarios such as the creation of Windows Update for Business validation groups that receive updates from Windows Update at different time intervals, as well as Windows Update for Business deployments integrated with existing management tools such as Windows Server Update Services (WSUS), System Center Configuration Manager, or Microsoft Intune. 
@@ -39,7 +39,7 @@ To use Windows Update for Business, Windows 10-based devices must first be conf ![figure 3](images/wuforbusiness-fig3-mdm.png) -## Defer OS upgrade and update deployments +## Defer OS upgrade and update deployments Windows Update for Business allows administrators to control when upgrades and updates are deployed to their Windows 10 clients by specifying deferral windows from when they are initially made available on the Windows Update service. As mentioned, there are restrictions as to how long you can delay upgrades and updates. The following table details these restrictions, per deployment category type: @@ -135,7 +135,7 @@ Administrators can establish validation groups to maintain a level of control ov ![figure 7](images/wuforbusiness-fig7-validationgroup.png) -## Peer-to-peer networking for deployments +## Peer-to-peer networking for deployments Windows Update Delivery Optimization enables Windows Update for Business enrolled devices to download Windows updates and Windows Store apps from sources other than Microsoft. With multiple devices, Delivery Optimization can reduce the amount of Internet bandwidth that is required to keep all of your Windows Update for Business enrolled systems up to date. It can also help ensure that devices get updates and apps more quickly if they have a limited or unreliable Internet connection. @@ -156,7 +156,7 @@ Delivery Optimization configuration settings can be viewed by going to: Settings ![figure 8](images/wuforbusiness-fig8a-chooseupdates.png) -## Use Group Policy to configure Windows Update Delivery Optimization +## Use Group Policy to configure Windows Update Delivery Optimization You can use Group Policy to configure Windows Update Delivery Optimization. To do this, use the following steps: diff --git a/windows/plan/troubleshooting-act-database-issues.md b/windows/plan/troubleshooting-act-database-issues.md index 7e2111d90f..031d5e3122 100644 --- a/windows/plan/troubleshooting-act-database-issues.md 
+++ b/windows/plan/troubleshooting-act-database-issues.md @@ -22,11 +22,11 @@ author: TrudyHa **In this article** -- [Connecting to a SQL Server Database](#connecting_to_a_sql_server_database) -- [Verifying SQL Server Version](#verifying_sql_server_version) -- [Creating an ACT Database](#creating_an_act_database) -- [Granting ACT Database Permissions for the ACT Log Processing Service](#granting_act_database_permissions_for_the_act_log_processing_service) -- [Related topics](#related_topics) +- [Connecting to a SQL Server Database](#connecting-to-a-sql-server-database) +- [Verifying SQL Server Version](#verifying-sql-server-version) +- [Creating an ACT Database](#creating-an-act-database) +- [Granting ACT Database Permissions for the ACT Log Processing Service](#granting-act-database-permissions-for-the-act-log-processing-service) +- [Related topics](#related-topics) The following solutions may help you resolve issues that are related to your Microsoft® SQL Server® database for the Application Compatibility Toolkit (ACT). diff --git a/windows/plan/troubleshooting-the-act-log-processing-service.md b/windows/plan/troubleshooting-the-act-log-processing-service.md index f4a138dc96..8b23e635e9 100644 --- a/windows/plan/troubleshooting-the-act-log-processing-service.md +++ b/windows/plan/troubleshooting-the-act-log-processing-service.md 
@@ -22,12 +22,12 @@ author: TrudyHa **In this article** -- [Reviewing Files in ACT Log File Format](#reviewing_files_in_act_log_file_format) -- [Uploading Files to the ACT Log Processing Service Share After Setting Permissions](#uploading_files_to_the_act_log_processing_service_share_after_setting_permissions) -- [Working Around Windows Firewall on the Computer That Hosts the ACT Log Processing Service Share](#working_around_windows_firewall_on_the_computer_that_hosts_the_act_log_processing_service_share) -- [Viewing and Assigning "Log on as a service" Permissions](#viewing_and_assigning__log_on_as_a_service__permissions) -- [Starting the ACT Log Processing Service](#starting_the_act_log_processing_service) -- [Related topics](#related_topics) +- [Reviewing Files in ACT Log File Format](#reviewing-files-in-act-log-file-format) +- [Uploading Files to the ACT Log Processing Service Share After Setting Permissions](#uploading-files-to-the-act-log-processing-service-share-after-setting-permissions) +- [Working Around Windows Firewall on the Computer That Hosts the ACT Log Processing Service Share](#working-around-windows-firewall-on-the-computer-that-hosts-the-act-log-processing-service-share) +- [Viewing and Assigning "Log on as a service" Permissions](#viewing-and-assigning--log-on-as-a-service--permissions) +- [Starting the ACT Log Processing Service](#starting-the-act-log-processing-service) +- [Related topics](#related-topics) The following solutions may help you resolve issues that are related to the Application Compatibility Toolkit (ACT) Log Processing Service. diff --git a/windows/plan/websiteurl-dialog-box.md b/windows/plan/websiteurl-dialog-box.md index b57ec7ab74..330b5b6aa3 100644 --- a/windows/plan/websiteurl-dialog-box.md +++ b/windows/plan/websiteurl-dialog-box.md 
@@ -30,7 +30,7 @@ In Application Compatibility Manager (ACM), the *<websiteURL>* dialog box 3. Double-click the URL for a website. -## Using the <WebsiteURL> Dialog Box +## Using the <WebsiteURL> Dialog Box In the *<websiteURL>* dialog box, you can perform the following actions: diff --git a/windows/plan/windows-10-compatibility.md b/windows/plan/windows-10-compatibility.md index bd313c0ef8..86f1c43f4b 100644 --- a/windows/plan/windows-10-compatibility.md +++ b/windows/plan/windows-10-compatibility.md @@ -18,8 +18,8 @@ author: TrudyHa **In this article** -- [Recommended application testing process](#recommended_application_testing_process) -- [Related topics](#related_topics) +- [Recommended application testing process](#recommended-application-testing-process) +- [Related topics](#related-topics) Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10. diff --git a/windows/plan/windows-10-deployment-considerations.md b/windows/plan/windows-10-deployment-considerations.md index d6002441ce..c09e9413bc 100644 --- a/windows/plan/windows-10-deployment-considerations.md +++ b/windows/plan/windows-10-deployment-considerations.md @@ -18,10 +18,10 @@ author: TrudyHa **In this article** -- [Migration from previous Windows versions](#migration_from_previous_windows_versions) -- [Setup of new computers](#setup_of_new_computers) -- [Stay up to date](#stay_up_to_date) -- [Related topics](#related_topics) +- [Migration from previous Windows versions](#migration-from-previous-windows-versions) +- [Setup of new computers](#setup-of-new-computers) +- [Stay up to date](#stay-up-to-date) +- [Related topics](#related-topics) There are new deployment options in Windows 10 that help you simplify the deployment process and automate migration of existing settings and applications. 
diff --git a/windows/plan/windows-10-infrastructure-requirements.md b/windows/plan/windows-10-infrastructure-requirements.md index d9398f8658..f2d31ce529 100644 --- a/windows/plan/windows-10-infrastructure-requirements.md +++ b/windows/plan/windows-10-infrastructure-requirements.md @@ -18,11 +18,11 @@ author: TrudyHa **In this article** -- [High-level requirements](#high-level_requirements) -- [Deployment tools](#deployment_tools) -- [Management tools](#management_tools) +- [High-level requirements](#high-level-requirements) +- [Deployment tools](#deployment-tools) +- [Management tools](#management-tools) - [Activation](#activation) -- [Related topics](#related_topics) +- [Related topics](#related-topics) There are specific infrastructure requirements to deploy and manage Windows 10 that should be in place prior to significant Windows 10 deployments within your organization. diff --git a/windows/plan/windows-10-servicing-model.md b/windows/plan/windows-10-servicing-model.md index 14a2df977f..e8eebd62bf 100644 --- a/windows/plan/windows-10-servicing-model.md +++ b/windows/plan/windows-10-servicing-model.md 
@@ -19,13 +19,13 @@ author: TrudyHa **In this article** -- [Key terminology](#key_terminology) -- [Windows 10 branch overview](#windows_10_branch_overview) -- [Current Branch versus Current Branch for Business](#current_branch_versus_current_branch_for_business) -- [Long-Term Servicing Branch](#long-term_servicing_branch) -- [Windows Insider Program](#windows_insider_program) -- [Switching between branches](#switching_between_branches) -- [Related topics](#related_topics) +- [Key terminology](#key-terminology) +- [Windows 10 branch overview](#windows-10-branch-overview) +- [Current Branch versus Current Branch for Business](#current-branch-versus-current-branch-for-business) +- [Long-Term Servicing Branch](#long-term-servicing-branch) +- [Windows Insider Program](#windows-insider-program) +- [Switching between branches](#switching-between-branches) +- [Related topics](#related-topics) Windows 10 provides a new model for organizations to deploy and upgrade Windows by providing updates to features and capabilities through a continual process. diff --git a/windows/plan/windows-to-go-feature-overview-scenario.md b/windows/plan/windows-to-go-feature-overview-scenario.md index 4c02107052..56a9a7a9f0 100644 --- a/windows/plan/windows-to-go-feature-overview-scenario.md +++ b/windows/plan/windows-to-go-feature-overview-scenario.md 
@@ -20,20 +20,20 @@ Windows To Go is a feature in Windows 10 Enterprise and Windows 10 Education t PCs that meet the Windows 7 or later [certification requirements](http://go.microsoft.com/fwlink/p/?LinkId=618711) can run Windows 10 in a Windows To Go workspace, regardless of the operating system running on the PC. Windows To Go workspaces can use the same image enterprises use for their desktops and laptops and can be managed the same way. Windows To Go is not intended to replace desktops, laptops or supplant other mobility offerings. Rather, it provides support for efficient use of resources for alternative workplace scenarios. There are some additional considerations that you should keep in mind before you start to use Windows To Go: -- [Differences between Windows To Go and a typical installation of Windows](#BKMK_wtgdif) +- [Differences between Windows To Go and a typical installation of Windows](#bkmk-wtgdif) -- [Roaming with Windows To Go](#BKMK_wtgroam) +- [Roaming with Windows To Go](#bkmk-wtgroam) -- [Prepare for Windows To Go](#wtg_prep_intro) +- [Prepare for Windows To Go](#wtg-prep-intro) -- [Hardware considerations for Windows To Go](#wtg_hardware) +- [Hardware considerations for Windows To Go](#wtg-hardware) **Note**   Windows To Go is not supported on Windows RT.   -## Differences between Windows To Go and a typical installation of Windows +## Differences between Windows To Go and a typical installation of Windows Windows To Go workspace operates just like any other installation of Windows with a few exceptions. These exceptions are: 
@@ -50,14 +50,14 @@ Windows To Go workspace operates just like any other installation of Windows wit - **Upgrading a Windows To Go workspace is not supported.** Older Windows 8 or Windows 8.1 Windows To Go workspaces cannot be upgraded to Windows 10 workspaces, nor can Windows 10 Windows To Go workspaces be upgraded to future versions of Windows 10. For new versions, the workspace needs to be re-imaged with a fresh image of Windows. -## Roaming with Windows To Go +## Roaming with Windows To Go Windows To Go drives can be booted on multiple computers. When a Windows To Go workspace is first booted on a host computer it will detect all hardware on the computer and install any needed drivers. When the Windows To Go workspace is subsequently booted on that host computer it will be able to identify the host computer and load the correct set of drivers automatically. The applications that you want to use from the Windows To Go workspace should be tested to make sure they also support roaming. Some applications bind to the computer hardware which will cause difficulties if the workspace is being used with multiple host computers. -## Prepare for Windows To Go +## Prepare for Windows To Go Enterprises install Windows on a large group of computers either by using configuration management software (such as System Center Configuration Manager), or by using standard Windows deployment tools such as DiskPart and the Deployment Image Servicing and Management (DISM) tool. @@ -83,7 +83,7 @@ What remote connectivity solution should be supported in the image if Windows To For more information about designing and planning your Windows To Go deployment, see [Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md). -## Hardware considerations for Windows To Go +## Hardware considerations for Windows To Go **For USB drives** 
diff --git a/windows/plan/windows-to-go-frequently-asked-questions.md b/windows/plan/windows-to-go-frequently-asked-questions.md index f4066d339f..0d59e94106 100644 --- a/windows/plan/windows-to-go-frequently-asked-questions.md +++ b/windows/plan/windows-to-go-frequently-asked-questions.md 
@@ -18,109 +18,109 @@ author: TrudyHa The following list identifies some commonly asked questions about Windows To Go. -- [What is Windows To Go?](#wtg_faq_whatis) +- [What is Windows To Go?](#wtg-faq-whatis) -- [Does Windows To Go rely on virtualization?](#wtg_faq_virt) +- [Does Windows To Go rely on virtualization?](#wtg-faq-virt) -- [Who should use Windows To Go?](#wtg_faq_who) +- [Who should use Windows To Go?](#wtg-faq-who) -- [How can Windows To Go be deployed in an organization?](#wtg_faq_deploy) +- [How can Windows To Go be deployed in an organization?](#wtg-faq-deploy) -- [Is Windows To Go supported on both USB 2.0 and USB 3.0 drives?](#wtg_faq_usbvs) +- [Is Windows To Go supported on both USB 2.0 and USB 3.0 drives?](#wtg-faq-usbvs) -- [Is Windows To Go supported on USB 2.0 and USB 3.0 ports?](#wtg_faq_usbports) +- [Is Windows To Go supported on USB 2.0 and USB 3.0 ports?](#wtg-faq-usbports) -- [How do I identify a USB 3.0 port?](#wtg_faq_usb3port) +- [How do I identify a USB 3.0 port?](#wtg-faq-usb3port) -- [Does Windows To Go run faster on a USB 3.0 port?](#wtg_faq_usb3speed) +- [Does Windows To Go run faster on a USB 3.0 port?](#wtg-faq-usb3speed) -- [Can the user self-provision Windows To Go?](#wtg_faq_selfpro) +- [Can the user self-provision Windows To Go?](#wtg-faq-selfpro) -- [How can Windows To Go be managed in an organization?](#wtg_faq_mng) +- [How can Windows To Go be managed in an organization?](#wtg-faq-mng) -- [How do I make my computer boot from USB?](#wtf_faq_startup) +- [How do I make my computer boot from USB?](#wtf-faq-startup) -- [Why isn’t my computer booting from USB?](#wtg_faq_noboot) +- [Why isn’t my computer booting from USB?](#wtg-faq-noboot) -- [What happens if I remove my Windows To Go drive while it is running?](#wtg_faq_surprise) +- [What happens if I remove my Windows To Go drive while it is running?](#wtg-faq-surprise) -- [Can I use BitLocker to protect my Windows To Go drive?](#wtg_faq_bitlocker) +- [Can I use BitLocker to 
protect my Windows To Go drive?](#wtg-faq-bitlocker) -- [Why can’t I enable BitLocker from Windows To Go Creator?](#wtg_faq_blfail) +- [Why can’t I enable BitLocker from Windows To Go Creator?](#wtg-faq-blfail) -- [What power states does Windows To Go support?](#wtg_faq_power) +- [What power states does Windows To Go support?](#wtg-faq-power) -- [Why is hibernation disabled in Windows To Go?](#wtg_faq_hibernate) +- [Why is hibernation disabled in Windows To Go?](#wtg-faq-hibernate) -- [Does Windows To Go support crash dump analysis?](#wtg_faq_crashdump) +- [Does Windows To Go support crash dump analysis?](#wtg-faq-crashdump) -- [Do “Windows To Go Startup Options” work with dual boot computers?](#wtg_faq_dualboot) +- [Do “Windows To Go Startup Options” work with dual boot computers?](#wtg-faq-dualboot) -- [I plugged my Windows To Go drive into a running computer and I can’t see the partitions on the drive. Why not?](#wtg_faq_diskpart) +- [I plugged my Windows To Go drive into a running computer and I can’t see the partitions on the drive. Why not?](#wtg-faq-diskpart) -- [I’m booted into Windows To Go, but I can’t browse to the internal hard drive of the host computer. Why not?](#wtg_faq_san4) +- [I’m booted into Windows To Go, but I can’t browse to the internal hard drive of the host computer. 
Why not?](#wtg-faq-san4) -- [Why does my Windows To Go drive have an MBR disk format with a FAT32 system partition?](#wtg_faq_fatmbr) +- [Why does my Windows To Go drive have an MBR disk format with a FAT32 system partition?](#wtg-faq-fatmbr) -- [Is Windows To Go secure if I use it on an untrusted machine?](#wtg_faq_malhost) +- [Is Windows To Go secure if I use it on an untrusted machine?](#wtg-faq-malhost) -- [Does Windows To Go work with ARM processors?](#wtg_faq_arm) +- [Does Windows To Go work with ARM processors?](#wtg-faq-arm) -- [Can I synchronize data from Windows To Go with my other computer?](#wtg_faq_datasync) +- [Can I synchronize data from Windows To Go with my other computer?](#wtg-faq-datasync) -- [What size USB Flash Drive do I need to make a Windows To Go drive?](#wtg_faq_usbsz) +- [What size USB Flash Drive do I need to make a Windows To Go drive?](#wtg-faq-usbsz) -- [Do I need to activate Windows To Go every time I roam?](#wtg_faq_roamact) +- [Do I need to activate Windows To Go every time I roam?](#wtg-faq-roamact) -- [Can I use all Windows features on Windows To Go?](#wtg_faq_features) +- [Can I use all Windows features on Windows To Go?](#wtg-faq-features) -- [Can I use all my applications on Windows To Go?](#wtg_faq_approam) +- [Can I use all my applications on Windows To Go?](#wtg-faq-approam) -- [Does Windows To Go work slower than standard Windows?](#wtg_faq_slow) +- [Does Windows To Go work slower than standard Windows?](#wtg-faq-slow) -- [If I lose my Windows To Go drive, will my data be safe?](#wtg_faq_safeloss) +- [If I lose my Windows To Go drive, will my data be safe?](#wtg-faq-safeloss) -- [Can I boot Windows To Go on a Mac?](#wtg_faq_mac) +- [Can I boot Windows To Go on a Mac?](#wtg-faq-mac) -- [Are there any APIs that allow applications to identify a Windows To Go workspace?](#wtg_faq_api) +- [Are there any APIs that allow applications to identify a Windows To Go workspace?](#wtg-faq-api) -- [How is Windows To Go 
licensed?](#wtg_faq_lic) +- [How is Windows To Go licensed?](#wtg-faq-lic) -- [Does Windows Recovery Environment work with Windows To Go? What’s the guidance for recovering a Windows To Go drive?](#wtg_faq_recovery) +- [Does Windows Recovery Environment work with Windows To Go? What’s the guidance for recovering a Windows To Go drive?](#wtg-faq-recovery) -- [Why won’t Windows To Go work on a computer running Windows XP or Windows Vista?](#wtg_faq_oldos) +- [Why won’t Windows To Go work on a computer running Windows XP or Windows Vista?](#wtg-faq-oldos) -- [Why does the operating system on the host computer matter?](#wtg_faq_oldos2) +- [Why does the operating system on the host computer matter?](#wtg-faq-oldos2) -- [My host computer running Windows 7 is protected by BitLocker Drive Encryption. Why did I need to use the recovery key to unlock and reboot my host computer after using Windows To Go?](#wtg_faq_blreckey) +- [My host computer running Windows 7 is protected by BitLocker Drive Encryption. Why did I need to use the recovery key to unlock and reboot my host computer after using Windows To Go?](#wtg-faq-blreckey) -- [I decided to stop using a drive for Windows To Go and reformatted it – why doesn’t it have a drive letter assigned and how can I fix it?](#wtg_faq_reformat) +- [I decided to stop using a drive for Windows To Go and reformatted it – why doesn’t it have a drive letter assigned and how can I fix it?](#wtg-faq-reformat) -- [Why do I keep on getting the message “Installing devices…” when I boot Windows To Go?](#BKMK_roamconflict) +- [Why do I keep on getting the message “Installing devices…” when I boot Windows To Go?](#bkmk-roamconflict) -- [How do I upgrade the operating system on my Windows To Go drive?](#BKMK_upgradewtg) +- [How do I upgrade the operating system on my Windows To Go drive?](#bkmk-upgradewtg) -## What is Windows To Go? +## What is Windows To Go? 
Windows To Go is a feature for users of Windows 10 Enterprise and Windows 10 Education that enables users to boot a full version of Windows from external USB drives on host PCs. -## Does Windows To Go rely on virtualization? +## Does Windows To Go rely on virtualization? No. Windows To Go is a native instance of Windows 10 that runs from a USB device. It is just like a laptop hard drive with Windows 8 that has been put into a USB enclosure. -## Who should use Windows To Go? +## Who should use Windows To Go? Windows To Go was designed for enterprise usage and targets scenarios such as continuance of operations, contractors, managed free seating, traveling workers, and work from home. -## How can Windows To Go be deployed in an organization? +## How can Windows To Go be deployed in an organization? Windows To Go can be deployed using standard Windows deployment tools like Diskpart and DISM. The prerequisites for deploying Windows To Go are: -- A Windows To Go recommended USB drive to provision; See the list of currently available USB drives at [Hardware considerations for Windows To Go](windows-to-go-feature-overview-scenario.md#wtg_hardware) +- A Windows To Go recommended USB drive to provision; See the list of currently available USB drives at [Hardware considerations for Windows To Go](windows-to-go-feature-overview-scenario.md#wtg-hardware) - A Windows 10 Enterprise or Windows 10 Education image 
@@ -128,37 +128,37 @@ Windows To Go can be deployed using standard Windows deployment tools like Diskp You can use a Windows PowerShell script to target several drives and scale your deployment for a large number of Windows To Go drives. You can also use a USB duplicator to duplicate a Windows To Go drive after it has been provisioned if you are creating a large number of drives. See the [Windows To Go Step by Step](http://go.microsoft.com/fwlink/p/?LinkId=618950) article on the TechNet wiki for a walkthrough of the drive creation process. -## Is Windows To Go supported on both USB 2.0 and USB 3.0 drives? +## Is Windows To Go supported on both USB 2.0 and USB 3.0 drives? No. Windows To Go is supported on USB 3.0 drives that are certified for Windows To Go. -## Is Windows To Go supported on USB 2.0 and USB 3.0 ports? +## Is Windows To Go supported on USB 2.0 and USB 3.0 ports? Yes. Windows To Go is fully supported on either USB 2.0 ports or USB 3.0 ports on PCs certified for Windows 7 or later. -## How do I identify a USB 3.0 port? +## How do I identify a USB 3.0 port? USB 3.0 ports are usually marked blue or carry a SS marking on the side. -## Does Windows To Go run faster on a USB 3.0 port? +## Does Windows To Go run faster on a USB 3.0 port? Yes. Because USB 3.0 offers significantly faster speeds than USB 2.0, a Windows To Go drive running on a USB 3.0 port will operate considerably faster. This speed increase applies to both drive provisioning and when the drive is being used as a workspace. -## Can the user self-provision Windows To Go? +## Can the user self-provision Windows To Go? Yes, if the user has administrator permissions they can self-provision a Windows To Go drive using the Windows To Go Creator wizard which is included in Windows 10 Enterprise and Windows 10 Education. Additionally, System Center 2012 Configuration Manager SP1 and later releases includes support for user self-provisioning of Windows To Go drives. 
Configuration Manager can be downloaded for evaluation from the [Microsoft TechNet Evaluation Center](http://go.microsoft.com/fwlink/p/?LinkID=618746). -## How can Windows To Go be managed in an organization? +## How can Windows To Go be managed in an organization? Windows To Go can be deployed and managed like a traditional desktop PC using standard Windows enterprise software distribution tools like System Center Configuration Manager. Computer and user settings for Windows To Go workspaces can be managed using Group Policy setting also in the same manner that you manage Group Policy settings for other PCs in your organization. Windows To Go workspaces can be configured to connect to the organizational resources remotely using DirectAccess or a virtual private network connection so that they can connect securely to your network. -## How do I make my computer boot from USB? +## How do I make my computer boot from USB? For host computers running Windows 10 @@ -192,7 +192,7 @@ Configuring a computer to boot from USB will cause your computer to attempt to b   -## Why isn’t my computer booting from USB? +## Why isn’t my computer booting from USB? Computers certified for Windows 7 and later are required to have support for USB boot. Check to see if any of the following items apply to your situation: 
@@ -205,7 +205,7 @@ Computers certified for Windows 7 and later are required to have support for US If none of these items enable the computer to boot from USB, contact the hardware manufacturer for additional support. -## What happens if I remove my Windows To Go drive while it is running? +## What happens if I remove my Windows To Go drive while it is running? If the Windows To Go drive is removed, the computer will freeze and the user will have 60 seconds to reinsert the Windows To Go drive. If the Windows To Go drive is reinserted into the same port it was removed from, Windows will resume at the point where the drive was removed. If the USB drive is not reinserted, or is reinserted into a different port, the host computer will turn off after 60 seconds. @@ -215,12 +215,12 @@ You should never remove your Windows To Go drive when your workspace is running.   -## Can I use BitLocker to protect my Windows To Go drive? +## Can I use BitLocker to protect my Windows To Go drive? Yes. In Windows 8 and later, BitLocker has added support for using a password to protect operating system drives. This means that you can use a password to secure your Windows To Go workspace and you will be prompted to enter this password every time you use the Windows To Go workspace. -## Why can’t I enable BitLocker from Windows To Go Creator? +## Why can’t I enable BitLocker from Windows To Go Creator? Several different Group Policies control the use of BitLocker on your organizations computers. These policies are located in the **Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption** folder of the local Group Policy editor. The folder contains three sub-folders for fixed, operating system and removable data drive types. 
@@ -241,29 +241,29 @@ When you are using Windows To Go Creator, the Windows To Go drive is considered Additionally, the Windows To Go Creator will disable the BitLocker option if the drive does not have any volumes. In this situation, you should initialize the drive and create a volume using the Disk Management console before provisioning the drive with Windows To Go. -## What power states does Windows To Go support? +## What power states does Windows To Go support? Windows To Go supports all power states except the hibernate class of power states, which include hybrid boot, hybrid sleep, and hibernate. This default behavior can be modified by using Group Policy settings to enable hibernation of the Windows To Go workspace. -## Why is hibernation disabled in Windows To Go? +## Why is hibernation disabled in Windows To Go? When a Windows To Go workspace is hibernated, it will only successfully resume on the exact same hardware. Therefore, if a Windows To Go workspace is hibernated on one computer and roamed to another, the hibernation state (and therefore user state) will be lost. To prevent this from happening, the default settings for a Windows To Go workspace disable hibernation. If you are confident that you will only attempt to resume on the same computer, you can enable hibernation using the Windows To Go Group Policy setting, **Allow hibernate (S4) when started from a Windows To Go workspace** that is located at **\\\\Computer Configuration\\Administrative Templates\\Windows Components\\Portable Operating System\\** in the Local Group Policy Editor (gpedit.msc). -## Does Windows To Go support crash dump analysis? +## Does Windows To Go support crash dump analysis? Yes. Windows 8 and later support crash dump stack analysis for both USB 2.0 and 3.0. -## Do “Windows To Go Startup Options” work with dual boot computers? +## Do “Windows To Go Startup Options” work with dual boot computers? Yes, if both operating systems are running the Windows 8 operating system. 
Enabling “Windows To Go Startup Options” should cause the computer to boot from the Windows To Go workspace when the drive is plugged in before the computer is turned on. If you have configured a dual boot computer with a Windows operating system and another operating system it might work occasionally and fail occasionally. Using this configuration is unsupported. -## I plugged my Windows To Go drive into a running computer and I can’t see the partitions on the drive. Why not? +## I plugged my Windows To Go drive into a running computer and I can’t see the partitions on the drive. Why not? Windows To Go Creator and the recommended deployment steps for Windows To Go set the NO\_DEFAULT\_DRIVE\_LETTER flag on the Windows To Go drive. This flag prevents Windows from automatically assigning drive letters to the partitions on the Windows To Go drive. That’s why you can’t see the partitions on the drive when you plug your Windows To Go drive into a running computer. This helps prevent accidental data leakage between the Windows To Go drive and the host computer. If you really need to access the files on the Windows To Go drive from a running computer, you can use diskmgmt.msc or diskpart to assign a drive letter. 
@@ -273,7 +273,7 @@ It is strongly recommended that you do not plug your Windows To Go drive into a   -## I’m booted into Windows To Go, but I can’t browse to the internal hard drive of the host computer. Why not? +## I’m booted into Windows To Go, but I can’t browse to the internal hard drive of the host computer. Why not? Windows To Go Creator and the recommended deployment steps for Windows To Go set SAN Policy 4 on Windows To Go drive. This policy prevents Windows from automatically mounting internal disk drives. That’s why you can’t see the internal hard drives of the host computer when you are booted into Windows To Go. This is done to prevent accidental data leakage between Windows To Go and the host system. This policy also prevents potential corruption on the host drives or data loss if the host operating system is in a hibernation state. If you really need to access the files on the internal hard drive, you can use diskmgmt.msc to mount the internal drive. 
@@ -283,62 +283,62 @@ It is strongly recommended that you do not mount internal hard drives when boote   -## Why does my Windows To Go drive have an MBR disk format with a FAT32 system partition? +## Why does my Windows To Go drive have an MBR disk format with a FAT32 system partition? This is done to allow Windows To Go to boot from UEFI and legacy systems. -## Is Windows To Go secure if I use it on an untrusted computer? +## Is Windows To Go secure if I use it on an untrusted computer? While you are more secure than if you use a completely untrusted operating system, you are still vulnerable to attacks from the firmware or anything that runs before Windows To Go starts. If you plug your Windows To Go drive into a running untrusted computer, your Windows To Go drive can be compromised because any malicious software that might be active on the computer can access the drive. -## Does Windows To Go work with ARM processors? +## Does Windows To Go work with ARM processors? No. Windows RT is a specialized version of Windows designed for ARM processors. Windows To Go is currently only supported on PCs with x86 or x64-based processors. -## Can I synchronize data from Windows To Go with my other computer? +## Can I synchronize data from Windows To Go with my other computer? To get your data across all your computers, we recommend using folder redirection and client side caching to store copies of your data on a server while giving you offline access to the files you need. -## What size USB flash drive do I need to make a Windows To Go drive? +## What size USB flash drive do I need to make a Windows To Go drive? The size constraints are the same as full Windows. To ensure that you have enough space for Windows, your data, and your applications, we recommend USB drives that are a minimum of 20 GB in size. -## Do I need to activate Windows To Go every time I roam? +## Do I need to activate Windows To Go every time I roam? 
No, Windows To Go requires volume activation; either using the [Key Management Service](http://go.microsoft.com/fwlink/p/?LinkId=619051) (KMS) server in your organization or using [Active Directory](http://go.microsoft.com/fwlink/p/?LinkId=619053) based volume activation. The Windows To Go workspace will not need to be reactivated every time you roam. KMS activates Windows on a local network, eliminating the need for individual computers to connect to Microsoft. To remain activated, KMS client computers must renew their activation by connecting to the KMS host on periodic basis. This typically occurs as soon as the user has access to the corporate network (either through a direct connection on-premises or a through remote connection using DirectAccess or a virtual private network connection), once activated the machine will not need to be activated again until the activation validity interval has passed. In a KMS configuration the activation validity interval is 180 days. -## Can I use all Windows features on Windows To Go? +## Can I use all Windows features on Windows To Go? Yes, with some minor exceptions, you can use all Windows features with your Windows To Go workspace. The only currently unsupported features are using the Windows Recovery Environment and PC Reset & Refresh. -## Can I use all my applications on Windows To Go? +## Can I use all my applications on Windows To Go? Yes. Because your Windows To Go workspace is a full Windows 10 environment, all applications that work with Windows 10 should work in your Windows To Go workspace. However, any applications that use hardware binding (usually for licensing and/or digital rights management reasons) may not run when you roam your Windows To Go drive between different host computers, and you may have to use those applications on the same host computer every time. -## Does Windows To Go work slower than standard Windows? +## Does Windows To Go work slower than standard Windows? 
If you are using a USB 3.0 port and a Windows To Go certified device, there should be no perceivable difference between standard Windows and Windows To Go. However, if you are booting from a USB 2.0 port, you may notice some slowdown since USB 2.0 transfer speeds are slower than SATA speeds. -## If I lose my Windows To Go drive, will my data be safe? +## If I lose my Windows To Go drive, will my data be safe? Yes! If you enable BitLocker on your Windows To Go drive, all your data will be encrypted and protected and a malicious user will not be able to access your data without your password. If you don’t enable BitLocker, your data will be vulnerable if you lose your Windows To Go drive. -## Can I boot Windows To Go on a Mac? +## Can I boot Windows To Go on a Mac? We are committed to give customers a consistent and quality Windows 10 experience with Windows To Go. Windows To Go supports host devices certified for use with Windows 7 or later. Because Mac computers are not certified for use with Windows 7 or later, using Windows To Go is not supported on a Mac. -## Are there any APIs that allow applications to identify a Windows To Go workspace? +## Are there any APIs that allow applications to identify a Windows To Go workspace? Yes. You can use a combination of identifiers to determine if the currently running operating system is a Windows To Go workspace. First, check if the **PortableOperatingSystem** property is true. When that value is true it means that the operating system was booted from an external USB device. 
@@ -347,27 +347,27 @@ Next, check if the **OperatingSystemSKU** property is equal to **4** (for Window For more information, see the MSDN article on the [Win32\_OperatingSystem class](http://go.microsoft.com/fwlink/p/?LinkId=619059). -## How is Windows To Go licensed? +## How is Windows To Go licensed? Windows To Go allows organization to support the use of privately owned PCs at the home or office with more secure access to their organizational resources. With Windows To Go use rights under [Software Assurance](http://go.microsoft.com/fwlink/p/?LinkId=619062), an employee will be able to use Windows To Go on any company PC licensed with Software Assurance as well as from their home PC. -## Does Windows Recovery Environment work with Windows To Go? What’s the guidance for recovering a Windows To Go drive? +## Does Windows Recovery Environment work with Windows To Go? What’s the guidance for recovering a Windows To Go drive? No, use of Windows Recovery Environment is not supported on Windows To Go. It is recommended that you implement user state virtualization technologies like Folder Redirection to centralize and back up user data in the data center. If any corruption occurs on a Windows To Go drive, you should re-provision the workspace. -## Why won’t Windows To Go work on a computer running Windows XP or Windows Vista? +## Why won’t Windows To Go work on a computer running Windows XP or Windows Vista? Actually it might. If you have purchased a computer certified for Windows 7 or later and then installed an older operating system, Windows To Go will boot and run as expected as long as you have configured the firmware to boot from USB. However, if the computer was certified for Windows XP or Windows Vista, it might not meet the hardware requirements for Windows To Go to run. Typically computers certified for Windows Vista and earlier operating systems have less memory, less processing power, reduced video rendering, and slower USB ports. 
-## Why does the operating system on the host computer matter? +## Why does the operating system on the host computer matter? It doesn’t other than to help visually identify if the PC has compatible hardware. For a PC to be certified for Windows 7 or later it had to support booting from USB. If a computer cannot boot from USB there is no way that it can be used with Windows To Go. The Windows To Go workspace is a full Windows 10 environment, so all of the hardware requirements of Windows 10 with respect to processing speed, memory usage, and graphics rendering need to be supported to be assured that it will work as expected. -## My host computer running Windows 7 is protected by BitLocker Drive Encryption. Why did I need to use the recovery key to unlock and reboot my host computer after using Windows To Go? +## My host computer running Windows 7 is protected by BitLocker Drive Encryption. Why did I need to use the recovery key to unlock and reboot my host computer after using Windows To Go? The default BitLocker protection profile in Windows 7 monitors the host computer for changes to the boot order as part of protecting the computer from tampering. When you change the boot order of the host computer to enable it to boot from the Windows To Go drive, the BitLocker system measurements will reflect that change and boot into recovery mode so that the computer can be inspected if necessary. 
@@ -397,7 +397,7 @@ The default BitLocker protection profile in Windows 8 or later does not monitor   -## I decided to stop using a drive for Windows To Go and reformatted it – why doesn’t it have a drive letter assigned and how can I fix it? +## I decided to stop using a drive for Windows To Go and reformatted it – why doesn’t it have a drive letter assigned and how can I fix it? Reformatting the drive erases the data on the drive, but doesn’t reconfigure the volume attributes. When a drive is provisioned for use as a Windows To Go drive the NODEFAULTDRIVELETTER attribute is set on the volume. To remove this attribute, use the following steps: @@ -415,7 +415,7 @@ Reformatting the drive erases the data on the drive, but doesn’t reconfigure t 4. After selecting the disk, run the `clean` command to remove all data, formatting, and initialization information from the drive. -## Why do I keep on getting the message “Installing devices…” when I boot Windows To Go? +## Why do I keep on getting the message “Installing devices…” when I boot Windows To Go? One of the challenges involved in moving the Windows To Go drive between PCs while seamlessly booting Windows with access to all of their applications and data is that for Windows to be fully functional, specific drivers need to be installed for the hardware in each machine that runs Windows. Windows 8 or later has a process called respecialize which will identify new drivers that need to be loaded for the new PC and disable drivers which are not present on the new configuration. In general this feature is reliable and efficient when roaming between PCs of widely varying hardware configurations. 
@@ -424,7 +424,7 @@ In certain cases, third party drivers for different hardware models or versions This process will occur on any boot that a new driver is found and a driver conflict is detected. In some cases that will result in a respecialize progress message “Installing devices…” displaying every time that a Windows to Go drive is roamed between two PCs which require conflicting drivers. -## How do I upgrade the operating system on my Windows To Go drive? +## How do I upgrade the operating system on my Windows To Go drive? There is no support in Windows for upgrading a Windows To Go drive. Deployed Windows To Go drives with older versions of Windows will need to be re-imaged with a new version of Windows in order to transition to the new operating system version. diff --git a/windows/plan/windows-update-for-business.md b/windows/plan/windows-update-for-business.md index b1b949c1be..13b46e9498 100644 --- a/windows/plan/windows-update-for-business.md +++ b/windows/plan/windows-update-for-business.md @@ -19,10 +19,10 @@ author: TrudyHa **In this article** - [Introduction](#introduction) -- [Deploy Windows Update for Business in your organization](#deploy_windows_update_for_business_in_your_organization) -- [Eligible devices](#eligible_devices) -- [OS upgrades and updates](#os_upgrades_and_updates) -- [Related topics](#related_topics) +- [Deploy Windows Update for Business in your organization](#deploy-windows-update-for-business-in-your-organization) +- [Eligible devices](#eligible-devices) +- [OS upgrades and updates](#os-upgrades-and-updates) +- [Related topics](#related-topics) Get an overview of how you can implement and deploy a Windows Update for Business solution and how to maintain enrolled systems. 
@@ -42,7 +42,7 @@ Together, these Windows Update for Business features help reduce device manageme ## Deploy Windows Update for Business in your organization -For Windows 10, Version 1511, Windows Update for Business is enabled using a set of client-side configurations, allowing you to manage how and when Windows-based devices receive updates and upgrades. These capabilities use the Windows Update service like any other Windows 10 clients, but provides controls to help businesses validate update quality as well as time their update deployments to machines through the use of Group Policy Objects. Windows Update for Business also incorporates smart peer-to-peer networking for distribution of Windows updates, which will help maintain bandwidth efficiency in the absence of a WSUS solution. +For Windows 10, version 1511, Windows Update for Business is enabled using a set of client-side configurations, allowing you to manage how and when Windows-based devices receive updates and upgrades. These capabilities use the Windows Update service like any other Windows 10 clients, but provides controls to help businesses validate update quality as well as time their update deployments to machines through the use of Group Policy Objects. Windows Update for Business also incorporates smart peer-to-peer networking for distribution of Windows updates, which will help maintain bandwidth efficiency in the absence of a WSUS solution. ## Eligible devices @@ -56,7 +56,7 @@ In Windows 10, Windows Update for Business recognizes three deployment categori - **Upgrades** - - Examples: Windows 10 (Build 10240) to Windows 10, Version 1511; CBB 1 to CBB 2 + - Examples: Windows 10 (Build 10240) to Windows 10, version 1511; CBB 1 to CBB 2 **Note**   In the Windows 10 servicing model, new CBBs will be declared 2-3 times per year. diff --git a/windows/whats-new/TOC.md b/windows/whats-new/TOC.md index c880033513..3f368f2155 100644 --- a/windows/whats-new/TOC.md +++ b/windows/whats-new/TOC.md 
@@ -1,4 +1,4 @@ -# [What's new in Windows 10](index.md) +# [What's new in Windows 10] ## [Change history for What's new in Windows 10](change-history-for-what-s-new-in-windows-10.md) ## [AppLocker](applocker.md) ## [BitLocker](bitlocker.md) diff --git a/windows/whats-new/bitlocker.md b/windows/whats-new/bitlocker.md index 48a670fb52..e319a3db06 100644 --- a/windows/whats-new/bitlocker.md +++ b/windows/whats-new/bitlocker.md @@ -18,7 +18,7 @@ author: TrudyHa BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. -## New features in Windows 10, Version 1511 +## New features in Windows 10, version 1511 - **XTS-AES encryption algorithm**. BitLocker now supports the XTS-AES encryption algorithm. XTS-AES provides additional protection from a class of attacks on encryption that rely on manipulating cipher text to cause predictable changes in plain text. BitLocker supports both 128-bit and 256-bit XTS-AES keys. 
@@ -37,7 +37,7 @@ BitLocker Drive Encryption is a data protection feature that integrates with the ## New features in Windows 10 -- **Encrypt and recover your device with Azure Active Directory**. In addition to using a Microsoft Account, automatic [Device Encryption](http://technet.microsoft.com/library/dn306081.aspx#BKMK_Encryption) can now encrypt your devices that are joined to an Azure Active Directory domain. When the device is encrypted, the BitLocker recovery key is automatically escrowed to Azure Active Directory. This will make it easier to recover your BitLocker key online. +- **Encrypt and recover your device with Azure Active Directory**. In addition to using a Microsoft Account, automatic [Device Encryption](http://technet.microsoft.com/library/dn306081.aspx#bkmk-encryption) can now encrypt your devices that are joined to an Azure Active Directory domain. When the device is encrypted, the BitLocker recovery key is automatically escrowed to Azure Active Directory. This will make it easier to recover your BitLocker key online. - **DMA port protection**. You can use the [DataProtection/AllowDirectMemoryAccess](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) MDM policy to block DMA ports when the device is starting up. Also, when a device is locked, all unused DMA ports are turned off, but any devices that are already plugged into a DMA port will continue to work. When the device is unlocked, all DMA ports are turned back on. diff --git a/windows/whats-new/business-store-for-windows-10.md b/windows/whats-new/business-store-for-windows-10.md index 06133f7f07..f68e1e67af 100644 --- a/windows/whats-new/business-store-for-windows-10.md +++ b/windows/whats-new/business-store-for-windows-10.md 
@@ -52,7 +52,7 @@ You'll need this software to work with the Store for Business. - IT Pros that are administering Store for Business need a browser compatible with Store for Business running on a PC or mobile device. Supported browsers include: Internet Explorer 10 or later, Microsoft Edge, or current versions of Chrome or Firefox. -- Employees using apps from Store for Business need Windows 10, Version 1511 running on a PC or mobile device. +- Employees using apps from Store for Business need Windows 10, version 1511 running on a PC or mobile device. Microsoft Azure Active Directory (AD) accounts for your employees: @@ -153,7 +153,7 @@ Line-of-business (LOB) apps are also supported via the Business store. You can i The Business store supports two options to license apps: online and offline. **Online** licensing is the default licensing model and is similar to the Windows Store. Online licensed apps require users and devices to connect to the Store for Business service to acquire an app and its license. **Offline** licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. ISVs or devs can opt-in their apps for offline licensing when they submit them to the developer center. -For more information, see [Apps in the Store for Business](../manage/apps-in-the-windows-store-for-business.md#licensing_model). +For more information, see [Apps in the Store for Business](../manage/apps-in-the-windows-store-for-business.md#licensing-model). ### Distribute apps and content @@ -302,7 +302,7 @@ Store for Business is currently available in these markets. - Vietnam -## ISVs and the Store for Business +## ISVs and the Store for Business Developers in your organization, or ISVs can create content specific to your organization. In the Store for Business, we call these app line-of-business (LOB) apps, and the devs that create them are LOB publishers. The process looks like this: 
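Review bot: the top-level entry in windows/whats-new/TOC.md loses its link target: `-# [What's new in Windows 10](index.md)` becomes `+# [What's new in Windows 10]`, which Markdown renders as literal bracketed text (or an undefined reference-style link), so the TOC no longer points at index.md. Unless the index page is being removed on purpose, keep `(index.md)` on that heading.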
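Review bot: the Device Encryption link in bitlocker.md changes the fragment of an external URL, `dn306081.aspx#BKMK_Encryption` to `dn306081.aspx#bkmk-encryption`. The underscore-to-hyphen slug rewrite applied to this repo's own headings does not govern anchors on technet.microsoft.com; that page defines its own anchor names, so the edited link is likely to land at the top of the page instead of the Encryption section. Suggest keeping the original fragment for this external URL, or verifying that the new anchor resolves before merging.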
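Review bot: while this hunk in windows-update-for-business.md touches the sentence only to lowercase "version 1511", the `+` line keeps an agreement error: "These capabilities use the Windows Update service like any other Windows 10 clients, but provides controls" should read "like any other Windows 10 client, but provide controls". Worth fixing in the same edit since the line is already being rewritten.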
diff --git a/windows/whats-new/change-history-for-what-s-new-in-windows-10.md b/windows/whats-new/change-history-for-what-s-new-in-windows-10.md index 5cc7b5634a..26c3211564 100644 --- a/windows/whats-new/change-history-for-what-s-new-in-windows-10.md +++ b/windows/whats-new/change-history-for-what-s-new-in-windows-10.md @@ -11,7 +11,7 @@ author: TrudyHa # Change history for What's new in Windows 10 -This topic lists new and updated topics in the [What's new in Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md). +This topic lists new and updated topics in the [What's new in Windows 10] documentation for [Windows 10 and Windows 10 Mobile](../index.md). ## February 2016 diff --git a/windows/whats-new/credential-guard.md b/windows/whats-new/credential-guard.md index d293ee989d..8ffb2e5965 100644 --- a/windows/whats-new/credential-guard.md +++ b/windows/whats-new/credential-guard.md @@ -17,7 +17,7 @@ author: TrudyHa Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. -## New features in Windows 10, Version 1511 +## New features in Windows 10, version 1511 - **Credential Manager support**. Credentials that are stored with Credential Manager, including domain credentials, are protected with Credential Guard with the following considerations: diff --git a/windows/whats-new/device-guard-overview.md b/windows/whats-new/device-guard-overview.md index 50626e7b3f..f3732a26b0 100644 --- a/windows/whats-new/device-guard-overview.md +++ b/windows/whats-new/device-guard-overview.md @@ -86,7 +86,7 @@ The following table shows the hardware and software you need to install and conf - + @@ -110,14 +110,14 @@ The following table shows the hardware and software you need to install and conf - +
[Customize and export Start layout](customize-and-export-start-layout.md)Added a note to clarify that partial Start layout is only supported in Windows 10, Version 1511 and laterAdded a note to clarify that partial Start layout is only supported in Windows 10, version 1511 and later
[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management--mdm-.md)

Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. The result is similar to [a kiosk device](set-up-a-device-for-anyone-to-use.md), but with multiple apps available. For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings.

[Configure telemetry and other settings in your organization](manage-privacy-for-windows-10-in-your-company.md)

Learn about the telemetry that Microsoft gathers, the network connections that Windows components make to Microsoft, and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro.

[Configure telemetry in your organization](configure-telemetry-in-your-organization.md)

Use this article to make informed decisions about how you can configure telemetry in your organization. We discuss telemetry as system data that is uploaded by the Connected User Experience and Telemetry component.

[Disconnect from Microsoft and configure privacy settings in your organization](manage-privacy-for-windows-10-in-your-company.md)

If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider.

+

If you’re looking for content on what each telemetry level means and how to configure it in your organization, see [Configure telemetry in your organization](configure-telemetry-in-your-organization.md).

[Configure access to Windows Store](stop-employees-from-using-the-windows-store.md)

IT Pros can configure access to Windows Store for client computers in their organization. For some organizations, business policies require blocking access to Windows Store.

[Manage Wi-Fi Sense in your company](manage-wi-fi-sense-in-your-company.md)

Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places. It can connect you to open Wi-Fi hotspots it knows about through crowdsourcing, or to Wi-Fi networks your contacts have shared with you by using Wi-Fi Sense.

The initial settings for Wi-Fi Sense are determined by the options you chose when you first set up your PC with Windows 10.

[Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md)

Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device.

[Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md)

There are two methods for resetting a Windows 10 Mobile device: factory reset and "wipe and persist" reset.

UEFI firmware version 2.3.1 or higher and Secure Boot

To verify that the firmware is using UEFI version 2.3.1 or higher and Secure Boot, you can validate it against the [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](http://msdn.microsoft.com/library/windows/hardware/dn932807.aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby) Windows Hardware Compatibility Program requirement.

To verify that the firmware is using UEFI version 2.3.1 or higher and Secure Boot, you can validate it against the [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](http://msdn.microsoft.com/library/windows/hardware/dn932807.aspx#system-fundamentals-firmware-cs-uefisecureboot-connectedstandby) Windows Hardware Compatibility Program requirement.

Virtualization extensions

Secure firmware update process

To verify that the firmware complies with the secure firmware update process, you can validate it against the [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system_fundamentals_firmware_uefisecureboot) Windows Hardware Compatibility Program requirement.

To verify that the firmware complies with the secure firmware update process, you can validate it against the [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot) Windows Hardware Compatibility Program requirement.

  -## Before using Device Guard in your company +## Before using Device Guard in your company Before you can successfully use Device Guard, you must set up your environment and your policies. @@ -146,7 +146,7 @@ For the Device Guard feature, devices should only have Code Integrity pre-config   -### Virtualization-based security using Windows 10 Enterprise Hypervisor +### Virtualization-based security using Windows 10 Enterprise Hypervisor Windows 10 Enterprise Hypervisor introduces new capabilities around virtual trust levels, which helps Windows 10 Enterprise services to run in a protected environment, in isolation from the running operating system. Windows 10 Enterprise virtualization-based security helps protect kernel code integrity and helps to provide credential isolation for the local security authority (LSA). Letting the Kernel Code Integrity service run as a hypervisor-hosted service increases the level of protection around the root operating system, adding additional protections against any malware that compromises the kernel layer. diff --git a/windows/whats-new/enterprise-data-protection-overview.md b/windows/whats-new/enterprise-data-protection-overview.md index ba25a51b27..d56f40ee4e 100644 --- a/windows/whats-new/enterprise-data-protection-overview.md +++ b/windows/whats-new/enterprise-data-protection-overview.md 
@@ -142,15 +142,15 @@ Privileged apps are allowed to access your enterprise data and will react differ EDP lets you decide to block, allow overrides, or audit your employee's data sharing actions. Blocking the action stops it immediately, while allowing overrides let the employee know there's a problem, but lets the employee continue to share the info, and audit just logs the action without stopping it, letting you start to see patterns of inappropriate sharing so you can take educative action. -### Persistent data encryption +### Persistent data encryption EDP helps keep your enterprise data protected, even when it roams. Apps like Office and OneNote work with EDP to persist your data encryption across locations and services. For example, if an employee opens EDP-encrypted content from Outlook, edits it, and then tries to save the edited version with a different name to remove the encryption, it won’t work. Outlook automatically applies EDP to the new document, keeping the data encryption in place. -### Helping prevent accidental data disclosure to public spaces +### Helping prevent accidental data disclosure to public spaces EDP helps protect your enterprise data from being shared to public spaces, like the public cloud, accidentally. For example, if an employee stores content in the **Documents** folder, which is automatically synched with OneDrive (an app on your privileged list), then the document is encrypted locally and not synched it to the user’s personal cloud. Likewise, if other synching apps, like Dropbox™, aren’t on the privileged list, they also won’t be able to sync encrypted files to the user’s personal cloud. -### Helping prevent accidental data disclosure to other devices +### Helping prevent accidental data disclosure to other devices EDP helps protect your enterprise data from leaking to other devices while transferring or moving between them. 
For example, if an employee puts corporate data on a USB key that also includes personal data, the corporate data remains encrypted even though the personal information remains open. Additionally, the encryption continues when the employee copies the encrypted content back to another corporate-managed device. @@ -158,7 +158,7 @@ EDP helps protect your enterprise data from leaking to other devices while trans   -### Turn off EDP +### Turn off EDP You can turn off all enterprise data protection and restrictions, reverting to where you were pre-EDP, with no data loss. However, turning off EDP isn't recommended. If you choose to turn it off, you can always turn it back on, but EDP won't retain your decryption and policies info. diff --git a/windows/whats-new/index.md b/windows/whats-new/index.md index ec93bfe783..bf51d2d3b9 100644 --- a/windows/whats-new/index.md +++ b/windows/whats-new/index.md @@ -29,7 +29,7 @@ Learn about new features in Windows 10 for IT professionals, such as Enterprise

[Change history for What's new in Windows 10](change-history-for-what-s-new-in-windows-10.md)

-

**This topic lists new and updated topics in the What's new in Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md).**

+

This topic lists new and updated topics in the What's new in Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md).

[AppLocker](applocker.md)
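Review bot: in change-history-for-what-s-new-in-windows-10.md the `+` line drops `(index.md)` from `[What's new in Windows 10]`, leaving a bracketed phrase with no link target, so the sentence renders as literal text (or an undefined reference link) rather than linking to the What's new index. If the intent is to unlink it, remove the brackets too; otherwise restore `(index.md)`.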
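Review bot: in the device-guard-overview.md requirements table, the two Windows Hardware Compatibility Program links change fragments on external msdn.microsoft.com URLs: `dn932807.aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby` to `...#system-fundamentals-firmware-cs-uefisecureboot-connectedstandby`, and `dn932805.aspx#system_fundamentals_firmware_uefisecureboot` to `...#system-fundamentals-firmware-uefisecureboot`. The local heading-slug convention does not apply to anchors defined by another site, so either confirm the hyphenated anchors exist on the target pages or keep the original fragments so the UEFI 2.3.1/Secure Boot and secure firmware update requirements still deep-link correctly.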

diff --git a/windows/whats-new/lockdown-features-from-windows-embedded-industry-8-1.md b/windows/whats-new/lockdown-features-from-windows-embedded-industry-8-1.md index 788a239d0b..460a0a1dde 100644 --- a/windows/whats-new/lockdown-features-from-windows-embedded-industry-8-1.md +++ b/windows/whats-new/lockdown-features-from-windows-embedded-industry-8-1.md @@ -46,7 +46,7 @@ Many of the lockdown features available in Windows Embedded 8.1 Industry have be

[Keyboard Filter]( http://go.microsoft.com/fwlink/p/?LinkId=626761): block hotkeys and other key combinations

[Keyboard Filter](http://go.microsoft.com/fwlink/p/?LinkId=708391) -

Keyboard filter is added in Windows 10, Version 1511. As in Windows Embedded Industry 8.1, Keyboard Filter is an optional component that can be turned on via Turn Windows Features On/Off. Keyboard Filter (in addition to the WMI configuration previously available) will be configurable through Windows Imaging and Configuration Designer (ICD) in the SMISettings path.

+

Keyboard filter is added in Windows 10, version 1511. As in Windows Embedded Industry 8.1, Keyboard Filter is an optional component that can be turned on via Turn Windows Features On/Off. Keyboard Filter (in addition to the WMI configuration previously available) will be configurable through Windows Imaging and Configuration Designer (ICD) in the SMISettings path.

[Shell Launcher](http://go.microsoft.com/fwlink/p/?LinkId=626676): launch a Classic Windows application on sign-on

diff --git a/windows/whats-new/security-auditing.md b/windows/whats-new/security-auditing.md index 3368032ca3..aba4ed1510 100644 --- a/windows/whats-new/security-auditing.md +++ b/windows/whats-new/security-auditing.md @@ -18,7 +18,7 @@ author: TrudyHa Security auditing is one of the most powerful tools that you can use to maintain the integrity of your system. As part of your overall security strategy, you should determine the level of auditing that is appropriate for your environment. Auditing should identify attacks (successful or not) that pose a threat to your network, and attacks against resources that you have determined to be valuable in your risk assessment. -## New features in Windows 10, Version 1511 +## New features in Windows 10, version 1511 - The [WindowsSecurityAuditing](http://go.microsoft.com/fwlink/p/?LinkId=690517) and [Reporting](http://go.microsoft.com/fwlink/p/?LinkId=690525) configuration service providers allow you to add security audit policies to mobile devices. @@ -28,10 +28,10 @@ Security auditing is one of the most powerful tools that you can use to maintain In Windows 10, security auditing has added some improvements: -- [New audit subcategories](#BKMK_AuditSubCat) -- [More info added to existing audit events](#BKMK_MoreInfo) +- [New audit subcategories](#bkmk-auditsubcat) +- [More info added to existing audit events](#bkmk-moreinfo) -### New audit subcategories +### New audit subcategories In Windows 10, two new audit subcategories were added to the Advanced Audit Policy Configuration to provide greater granularity in audit events: 
@@ -45,35 +45,35 @@ In Windows 10, two new audit subcategories were added to the Advanced Audit Pol A PnP audit event can be used to track down changes in system hardware and will be logged on the PC where the change took place. A list of hardware vendor IDs are included in the event. -### More info added to existing audit events +### More info added to existing audit events With Windows 10, we've added more info to existing audit events to make it easier for you to put together a full audit trail and come away with the information you need to protect your enterprise. Improvements were made to the following audit events: -- [Changed the kernel default audit policy](#BKMK_KDAL) +- [Changed the kernel default audit policy](#bkmk-kdal) -- [Added a default process SACL to LSASS.exe](#BKMK_LSASS) +- [Added a default process SACL to LSASS.exe](#bkmk-lsass) -- [Added new fields in the logon event](#BKMK_LOGON) +- [Added new fields in the logon event](#bkmk-logon) -- [Added new fields in the process creation event](#BKMK_LOGON) +- [Added new fields in the process creation event](#bkmk-logon) -- [Added new Security Account Manager events](#BKMK_SAM) +- [Added new Security Account Manager events](#bkmk-sam) -- [Added new BCD events](#BKMK_BCD) +- [Added new BCD events](#bkmk-bcd) -- [Added new PNP events](#BKMK_PNP) +- [Added new PNP events](#bkmk-pnp) -### Changed the kernel default audit policy +### Changed the kernel default audit policy In previous releases, the kernel depended on the Local Security Authority (LSA) to retrieve info in some of its events. In Windows 10, the process creation events audit policy is automatically enabled until an actual audit policy is received from LSA. This results in better auditing of services that may start before LSA starts. -### Added a default process SACL to LSASS.exe +### Added a default process SACL to LSASS.exe In Windows 10, a default process SACL was added to LSASS.exe to log processes attempting to access LSASS.exe. 
The SACL is L"S:(AU;SAFA;0x0010;;;WD)". You can enable this under **Advanced Audit Policy Configuration\\Object Access\\Audit Kernel Object**. This can help identify attacks that steal credentials from the memory of a process. -### New fields in the logon event +### New fields in the logon event The logon event ID 4624 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4624: @@ -105,7 +105,7 @@ The logon event ID 4624 has been updated to include more verbose information to For more info on restricted admin mode, see [Restricted Admin mode for RDP](http://blogs.technet.com/b/kfalde/archive/2013/08/14/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2.aspx). -### New fields in the process creation event +### New fields in the process creation event The logon event ID 4688 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4688: @@ -133,7 +133,7 @@ The logon event ID 4688 has been updated to include more verbose information to A pointer to the actual parent process if it's different from the creator process. -### New Security Account Manager events +### New Security Account Manager events In Windows 10, new SAM events were added to cover SAM APIs that perform read/query operations. In previous versions of Windows, only write operations were audited. The new events are event ID 4798 and event ID 4799. The following APIs are now audited: @@ -150,7 +150,7 @@ In Windows 10, new SAM events were added to cover SAM APIs that perform read/qu - SamrGetMembersInAlias - SamrGetUserDomainPasswordInformation -### New BCD events +### New BCD events Event ID 4826 has been added to track the following changes to the Boot Configuration Database (BCD): 
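Review bot: in security-auditing.md the list item `+- [Added new fields in the process creation event](#bkmk-logon)` points at the same anchor as the logon item directly above it, so the slug rename carries a wrong target forward. It should link to the anchor of the "New fields in the process creation event" section, not the logon section.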
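Review bot: the context line "The logon event ID 4688 has been updated to include more verbose information..." sits under the heading "### New fields in the process creation event" and contradicts it; on this same page 4624 is the logon event and 4688 is the process creation event. Since this hunk already rewrites the heading, change the sentence to "The process creation event ID 4688 has been updated..." in the same commit.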
@@ -162,7 +162,7 @@ Event ID 4826 has been added to track the following changes to the Boot Configur - Integrity Services - Disable Winload debugging menu -### New PNP events +### New PNP events Event ID 6416 has been added to track when an external device is detected through Plug and Play. One important scenario is if an external device that contains malware is inserted into a high-value machine that doesn’t expect this type of action, such as a domain controller. diff --git a/windows/whats-new/security.md b/windows/whats-new/security.md index 8250797922..1af9749c28 100644 --- a/windows/whats-new/security.md +++ b/windows/whats-new/security.md @@ -14,11 +14,11 @@ author: TrudyHa **In this article** -- [Threat resistance](#threat_resistance) -- [Information protection](#information_protection) -- [Identity protection and access control](#identity_protection_and_access_control) +- [Threat resistance](#threat-resistance) +- [Information protection](#information-protection) +- [Identity protection and access control](#identity-protection-and-access-control) - [Windows 10 hardware considerations](#hardware) -- [Related topics](#related_topics) +- [Related topics](#related-topics) There are several key client security improvements Microsoft has made in Windows 10. These improvements focus on three key areas — threat resistance, information protection, and identity protection and access control. In addition to an overview of the features themselves, this article discusses the hardware requirements for each new feature and offers configuration recommendations and links to more detailed resources. 
@@ -35,15 +35,15 @@ Today’s security threat landscape is one of aggressive and tenacious threats. Windows 10 introduces several new security features that help mitigate modern threats and protect organizations against cyber attackers, regardless of their motive. Microsoft has made significant investments in Windows 10 to make it the most malware-resistant Windows operating system to date. Rather than simply adding defenses to the operating system, as was the case in previous Windows releases, Microsoft introduces architectural changes in Windows 10 that address entire classes of threats. By fundamentally changing the way the operating system works, Microsoft seeks to make Windows 10 much more difficult for modern attackers to exploit. New features in Windows 10 include Device Guard, configurable code integrity, virtualization-based security (VBS), and improvements to Windows Defender, to name just a few. By enabling all these new features together, organizations can immediately protect themselves against the types of malware responsible for approximately 95 percent of modern attacks. -### Virtualization-based security +### Virtualization-based security In the server world, virtualization technologies like Microsoft Hyper-V have proven extremely effective in isolating and protecting virtual machines (VMs) in the data center. Now, with those virtualization capabilities becoming more pervasive in modern client devices, there is an incredible opportunity for new Windows client security scenarios. Windows 10 can use virtualization technology to isolate core operating system services in a segregated, virtualized environment, similar to a VM. This additional level of protection, called virtualization-based security, ensures that no one can manipulate those services, even if the kernel mode of the host operating system is compromised. 
Just like with client Hyper-V, Windows itself can now take advantage of processors equipped with second-level address translation (SLAT) technology and virtualization extensions, such as Intel Virtualization Technology (VT) x and AMD V, to create a secure execution environment for sensitive Windows functions and data. This VBS environment protects the following services: -- **Hypervisor Code Integrity (HVCI).** The HVCI service in Windows 10 determines whether code executing in kernel mode is securely designed and trustworthy. It offers Zero Day and vulnerability exploit protection capabilities by ensuring that all software running in kernel mode, including drivers, securely allocate memory and operate as they are intended. In Windows 10, kernel mode code integrity is configurable, which allows organizations to scope preboot code execution to their desired configuration. For more information about configurable code integrity in Windows 10, see the [Configurable code integrity](#config_code) section. +- **Hypervisor Code Integrity (HVCI).** The HVCI service in Windows 10 determines whether code executing in kernel mode is securely designed and trustworthy. It offers Zero Day and vulnerability exploit protection capabilities by ensuring that all software running in kernel mode, including drivers, securely allocate memory and operate as they are intended. In Windows 10, kernel mode code integrity is configurable, which allows organizations to scope preboot code execution to their desired configuration. For more information about configurable code integrity in Windows 10, see the [Configurable code integrity](#config-code) section. -- **Local Security Authority (LSA).** The LSA service in Windows manages authentication operations, including NT LAN Manager (NTLM) and Kerberos mechanisms. In Windows 10, the Credential Guard feature isolates a portion of this service and helps mitigate the pass-the-hash and pass-the-ticket techniques by protecting domain credentials. 
In addition to logon credentials, this protection is extended to credentials stored within Credential Manager. For more information about Credential Guard, see the [Credential Guard](#credential_guard) section. +- **Local Security Authority (LSA).** The LSA service in Windows manages authentication operations, including NT LAN Manager (NTLM) and Kerberos mechanisms. In Windows 10, the Credential Guard feature isolates a portion of this service and helps mitigate the pass-the-hash and pass-the-ticket techniques by protecting domain credentials. In addition to logon credentials, this protection is extended to credentials stored within Credential Manager. For more information about Credential Guard, see the [Credential Guard](#credential-guard) section. **Note**   To determine whether virtualization is supported for a client machine model, simply run **systeminfo** from a command prompt window. 
@@ -54,11 +54,11 @@ VBS provides the core framework for some of the most impactful mitigations Windo ### Device Guard -Microsoft Device Guard is a feature set that combines system integrity–hardening features that revolutionize Windows security by taking advantage of new VBS options to protect the system core and a trust-nothing model often seen in mobile operating systems. This feature set takes advantage of the best preexisting Windows hardening features (for example, Unified Extensible Firmware Interface \[UEFI\] Secure Boot, Windows Trusted Boot), and then combines them with powerful new app control features like the VBS-powered HVCI service and configurable code integrity, which together help prevent vulnerability exploits and unauthorized apps from running on the device in both user and kernel modes. For more information about VBS in Windows 10 and the additional features that use it, see the [Virtualization-based security](#virtualization_security) section. For more information about configurable code integrity, see the [Configurable code integrity](#config_code) section. +Microsoft Device Guard is a feature set that combines system integrity–hardening features that revolutionize Windows security by taking advantage of new VBS options to protect the system core and a trust-nothing model often seen in mobile operating systems. This feature set takes advantage of the best preexisting Windows hardening features (for example, Unified Extensible Firmware Interface \[UEFI\] Secure Boot, Windows Trusted Boot), and then combines them with powerful new app control features like the VBS-powered HVCI service and configurable code integrity, which together help prevent vulnerability exploits and unauthorized apps from running on the device in both user and kernel modes. For more information about VBS in Windows 10 and the additional features that use it, see the [Virtualization-based security](#virtualization-security) section. 
For more information about configurable code integrity, see the [Configurable code integrity](#config-code) section. -Although Microsoft intends the Device Guard feature set to run alongside new Windows security features such as Credential Guard, it can run independently. Depending on your organization’s client resources, you can selectively choose which features make sense for your environment and device compatibility. For information about the hardware requirements for Device Guard and other Windows 10 security features, see the [Windows 10 hardware considerations](#hardware) section. For more information about Credential Guard, see the [Credential Guard](#credential_guard) section. +Although Microsoft intends the Device Guard feature set to run alongside new Windows security features such as Credential Guard, it can run independently. Depending on your organization’s client resources, you can selectively choose which features make sense for your environment and device compatibility. For information about the hardware requirements for Device Guard and other Windows 10 security features, see the [Windows 10 hardware considerations](#hardware) section. For more information about Credential Guard, see the [Credential Guard](#credential-guard) section. -For most organizations, implementing specific Device Guard functionality will depend on the role of the device and its primary user, employing more features on single-workload devices, such as kiosks, and fewer features on administrative machines over which users are allowed full control. By using this model, IT organizations can categorize users into groups that align with Device Guard security policies relating to device security and code integrity restrictions. For more information about configurable code integrity, see the [Configurable code integrity](#config_code) section. 
+For most organizations, implementing specific Device Guard functionality will depend on the role of the device and its primary user, employing more features on single-workload devices, such as kiosks, and fewer features on administrative machines over which users are allowed full control. By using this model, IT organizations can categorize users into groups that align with Device Guard security policies relating to device security and code integrity restrictions. For more information about configurable code integrity, see the [Configurable code integrity](#config-code) section. New desktops and laptops will be available to expedite your Device Guard implementation efforts. Device Guard-ready devices will require the least amount of physical interaction with the actual device before it’s ready for use. Going forward, all devices will fall into one of the following three categories: 
@@ -70,7 +70,7 @@ New desktops and laptops will be available to expedite your Device Guard impleme For more information about how to prepare for, manage, and deploy Device Guard, see the [Device Guard deployment guide](../keep-secure/device-guard-deployment-guide.md). -### Configurable code integrity +### Configurable code integrity *Code integrity* is the Windows component that verifies that the code Windows is running is trusted and safe. Like the operating modes found in Windows itself, Windows code integrity contains two primary components: kernel mode code integrity (KMCI) and user mode code integrity (UMCI). Microsoft has used KMCI in recent versions of Windows to prevent the Windows kernel from executing unsigned drivers. Although this approach is effective, drivers aren’t the only route malware can take to penetrate the operating system’s kernel mode space. So, for Windows 10, Microsoft has raised the standard for kernel mode code out of the box by requiring the use of security best practices regarding memory management and has provided enterprises with a way to set their own UMCI and KMCI standards. 
@@ -109,7 +109,7 @@ Configurable code integrity is available in Windows 10 Enterprise and Windows  You can enable configurable code integrity as part of a Device Guard deployment or as a stand-alone component. In addition, you can run configurable code integrity on hardware that is compatible with the Windows 7 operating system, even if such hardware is not Device Guard ready. Code integrity policies can align with an existing application catalog, existing corporate imaging strategy, or with any other method that provides the organization’s desired levels of restriction. For more information about configurable code integrity with Device Guard, see the [Device Guard deployment guide](../keep-secure/device-guard-deployment-guide.md). -### Measured Boot and remote attestation +### Measured Boot and remote attestation Although software-based antimalware and antivirus solutions are effective, they have no way to detect pre–operating system resource modification or infection such as by bootkits and rootkits—malicious software that can manipulate a client before the operating system and antimalware solutions load. Bootkits and rootkits and similar software are nearly impossible to detect using software-based solutions alone, so Windows 10 uses the client’s Trusted Platform Module (TPM) and the Windows Measured Boot feature to analyze the overall boot integrity. When requested, Windows 10 reports integrity information to the Windows cloud-based device health attestation service, which can then be used in coordination with management solutions such as Intune to analyze the data and provide conditional access to resources based on the device’s health state. 
@@ -140,7 +140,7 @@ Unlike some current DLP solutions, EDP does not require users to switch modes or In addition to EDP, Microsoft has made substantial improvements to BitLocker, including simplified manageability through Microsoft BitLocker Administration and Monitoring (MBAM), used-space-only encryption, and single sign-on (SSO) capability. For more information about BitLocker improvements in Windows 10, see the [Improvements to BitLocker](#bitlocker) section. -### Enterprise Data Protection +### Enterprise Data Protection DLP systems are intended to protect sensitive corporate data through encryption and managed use while the data is in use, in motion, or at rest. Traditional DLP software is typically invasive and frustrating for users and can be complicated for administrators to configure and deploy. Windows 10 now includes an EDP feature that offers DLP capabilities and is built in and simple to use. This solution gives you the flexibility to define policies that will help determine what kind of data to protect as business data and what should be considered personal. Based on these policies, you can also choose what to do, either automatically or manually, whenever you suspect that data is about to be or has been compromised. For example, if an employee has a personal but managed device that contains business data, an IT organization could block that user from copying and pasting business data to nonbusiness documents and locations or could even selectively wipe the business data from the device at any time without affecting the personal data on the device. 
@@ -148,7 +148,7 @@ You can configure EDP policies to encrypt and protect files automatically based To manage EDP, you use the same system management tools you probably already use to manage your Windows client computers, such as Configuration Manager and Intune. For more information about EDP, see [Enterprise data protection (EDP) overview](enterprise-data-protection-overview.md). -### Improvements in BitLocker +### Improvements in BitLocker With so many laptops stolen annually, protecting data at rest should be a top priority for any IT organization. Microsoft has provided an encryption solution called BitLocker directly in Windows since 2004. If your last encounter with BitLocker was in Windows 7, you’ll find that the manageability and SSO capabilities that were previously lacking are now included in Windows 10. These and other improvements make BitLocker one of the best choices on the marketplace for protecting data on Windows devices. Windows 10 builds on the BitLocker improvements made in the Windows 8.1 and Windows 8 operating systems to make BitLocker more manageable and to simplify its deployment even further. 
@@ -158,7 +158,7 @@ Microsoft has made the following key improvements to BitLocker: - **MBAM improvements.** MBAM provides a simplified management console for BitLocker administration. It also simplifies recovery requests by providing a self-service portal in which users can recover their drives without calling the help desk. -- **SSO.** BitLocker for Windows 7 often required the use of a pre-boot PIN to access the protected drive’s encryption key and allow Windows to start. In Windows 10, user input-based preboot authentication (in other words, a PIN) is not required because the TPM maintains the keys. In addition, modern hardware often mitigates the cold boot attacks (for example, port-based direct memory access attacks) that have previously necessitated PIN protection. For more information to determine which cases and device types require the use of PIN protection, refer to [BitLocker Countermeasures](1f015738-3bf6-4abb-a1cd-21c04e9ef24f). +- **SSO.** BitLocker for Windows 7 often required the use of a pre-boot PIN to access the protected drive’s encryption key and allow Windows to start. In Windows 10, user input-based preboot authentication (in other words, a PIN) is not required because the TPM maintains the keys. In addition, modern hardware often mitigates the cold boot attacks (for example, port-based direct memory access attacks) that have previously necessitated PIN protection. For more information to determine which cases and device types require the use of PIN protection, refer to [BitLocker Countermeasures](../keep-secure/bitlocker-countermeasures.md). - **Used-space-only encryption.** Rather than encrypting an entire hard drive, you can configure BitLocker to encrypt only the used space on a drive. This option drastically reduces the overall encryption time required. 
@@ -171,9 +171,9 @@ Windows 10 also includes a feature called Microsoft Passport, a new 2FA mechani The biometrics factor available for Microsoft Passport is driven by another new feature in Windows 10 called Windows Hello. Windows Hello uses a variety of biometric sensors to accept different points of biometric measurement, such as the face, iris, and fingerprints, which allows organizations to choose from various options when they consider what makes the most sense for their users and devices. By combining Windows Hello with Microsoft Passport, users no longer need to remember a password to access corporate resources. For more information about Windows Hello, see the [Windows Hello](#hello) section. -Finally, Windows 10 uses VBS to isolate the Windows service responsible for maintaining and brokering a user’s derived credentials (for example, Kerberos ticket, NTLM hash) through a feature called Credential Guard. In addition to service isolation, the TPM protects credential data while the machine is running and while it’s off. Credential Guard provides a comprehensive strategy to protect user-derived credentials at runtime as well as at rest, thus preventing them from being accessed and used in pass-the-hash–type attacks. For more information about Credential Guard, see the [Credential Guard](#credential_guard) section. +Finally, Windows 10 uses VBS to isolate the Windows service responsible for maintaining and brokering a user’s derived credentials (for example, Kerberos ticket, NTLM hash) through a feature called Credential Guard. In addition to service isolation, the TPM protects credential data while the machine is running and while it’s off. Credential Guard provides a comprehensive strategy to protect user-derived credentials at runtime as well as at rest, thus preventing them from being accessed and used in pass-the-hash–type attacks. For more information about Credential Guard, see the [Credential Guard](#credential-guard) section. 
-### Microsoft Passport +### Microsoft Passport Historically, companies have mitigated the risk of credential theft by implementing 2FA. In this method, a combination of something you know (for example, a PIN), something you have (traditionally a smart card or token), or possibly something about the user (for example, biometrics) strengthens the logon process. The additional factor beyond something you know requires that a credential thief acquire a physical device or, in the case of biometrics, the actual user. @@ -183,7 +183,7 @@ Microsoft Passport can use the biometric information from Windows Hello or a uni In Windows 10, the physical factor of authentication is the user’s device—either his or her PC or mobile phone. By using the new phone sign-in capability which will available to Windows Insiders as a preview in early 2016, users can unlock their PC without ever touching it. Users simply enroll their phone with Microsoft Passport by pairing it with the PC via Wi-Fi or Bluetooth and install a simple-to-use application on their phone that allows them to select which PC to unlock. When selected, users can enter a PIN or their biometric login from their phone to unlock their PC. -### Windows Hello +### Windows Hello Passwords represent a losing identity and access control mechanism. When an organization relies on password-driven Windows authentication, attackers only have to determine a single string of text to access anything on a corporate network that those credentials protect. Unfortunately, attackers can use several methods to retrieve a user’s password, making credential theft relatively easy for determined attackers. By moving to an MFA mechanism to verify user identities, organizations can remove the threats that single-factor options like passwords represent. 
@@ -203,7 +203,7 @@ Pass the hash is the most commonly used derived credential attack today. This at Credential Guard is another new feature in Windows 10 Enterprise that employs VBS to protect domain credentials against theft, even when the host operating system is compromised. To achieve such protection, Credential Guard isolates a portion of the LSA service, which is responsible for managing authentication, inside a virtualized container. This container is similar to a VM running on a hypervisor but is extremely lightweight and contains only those files and components required to operate the LSA and other isolated services. By isolating a portion of the LSA service within this virtualized environment, credentials are protected even if the system kernel is compromised, removing the attack vector for pass the hash. -For more information about the hardware requirements for Credential Guard, see the [Windows 10 hardware considerations](#hardware) section. For more information about VBS in Windows 10, see the [Virtualization-based security](#virtualization_security) section. +For more information about the hardware requirements for Credential Guard, see the [Windows 10 hardware considerations](#hardware) section. For more information about VBS in Windows 10, see the [Virtualization-based security](#virtualization-security) section. **Note**   Because it requires isolated user mode and a Hyper-V hypervisor, you cannot configure Credential Guard on a VM, only on a physical computer. 
@@ -212,7 +212,7 @@ Because it requires isolated user mode and a Hyper-V hypervisor, you cannot conf The Credential Guard feature is targeted at resisting the use of pass-the-hash and pass-the-ticket techniques. By employing a MFA option such as Microsoft Passport with Credential Guard, you can gain additional protection against such threats. For more in-depth information about how Credential Guard works and the specific mitigations it provides, see [Protect derived domain credentials with Credential Guard](../keep-secure/credential-guard.md). -## Windows 10 hardware considerations +## Windows 10 hardware considerations Most of the features this article describes rely on specific hardware to maximize their capabilities. By purchasing hardware that includes these features during your next purchase cycle, you will be able to take advantage of the most comprehensive client security package Windows 10 has to offer. Careful consideration about which hardware vendor and specific models to purchase is vital to the success of your organization’s client security portfolio. Table 1 contains a list of each new Windows 10 security feature and its hardware requirements. diff --git a/windows/whats-new/trusted-platform-module.md b/windows/whats-new/trusted-platform-module.md index 1cde0948c8..9edee75813 100644 --- a/windows/whats-new/trusted-platform-module.md +++ b/windows/whats-new/trusted-platform-module.md @@ -18,7 +18,7 @@ author: TrudyHa This topic for the IT professional describes new features for the Trusted Platform Module (TPM) in Windows 10. -## New features in Windows 10, Version 1511 +## New features in Windows 10, version 1511 - Key Storage Providers (KSPs) and srvcrypt support elliptical curve cryptography (ECC). 
@@ -28,12 +28,12 @@ This topic for the IT professional describes new features for the Trusted Platfo The following sections describe the new and changed functionality in the TPM for Windows 10: -- [Device health attestation](#BKMK_DHA) +- [Device health attestation](#bkmk-dha) - [Microsoft Passport](microsoft-passport.md) support - [Device Guard](device-guard-overview.md) support - [Credential Guard](credential-guard.md) support -## Device health attestation +## Device health attestation Device health attestation enables enterprises to establish trust based on hardware and software components of a managed device. With device heath attestation, you can configure an MDM server to query a health attestation service that will allow or deny a managed device access to a secure resource. diff --git a/windows/whats-new/windows-spotlight.md b/windows/whats-new/windows-spotlight.md index 304f847ce9..cf91b05b60 100644 --- a/windows/whats-new/windows-spotlight.md +++ b/windows/whats-new/windows-spotlight.md 
@@ -18,10 +18,10 @@ author: TrudyHa **In this article** -- [What does Windows spotlight include?](#what_does_windows_spotlight_include_) -- [How do you turn off Windows spotlight?](#how_do_you_turn_off_windows_spotlight_) -- [How do you disable Windows spotlight for managed devices?](#how_do_you_disable_windows_spotlight_for_managed_devices_) -- [Related topics](#related_topics) +- [What does Windows spotlight include?](#what-does-windows-spotlight-include-) +- [How do you turn off Windows spotlight?](#how-do-you-turn-off-windows-spotlight-) +- [How do you disable Windows spotlight for managed devices?](#how-do-you-disable-windows-spotlight-for-managed-devices-) +- [Related topics](#related-topics) Windows spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen. Windows spotlight is now available in Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. For managed devices running Windows 10 Enterprise and Windows 10 Education, enterprise administrators can configure a mobile device management (MDM) or Group Policy setting to prevent users from using the Windows spotlight background.
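Review bot: In the `@@ -54,11 +54,11 @@`, `@@ -171,9 +171,9 @@`, `@@ -203,7 +203,7 @@` and `@@ -212,7 +212,7 @@` hunks of the first file, `#credential_guard`, `#virtualization_security` and `#config_code` are renamed to hyphenated anchors, but the neighbouring anchors `#hardware`, `#hello` and `#bitlocker` in the same lines are left untouched. If the rename is needed because the build now derives anchors from the heading text, those three would need the same treatment (the visible headings are `## Windows 10 hardware considerations`, `### Windows Hello` and `### Improvements in BitLocker`, which would not produce `#hardware`, `#hello` or `#bitlocker`); if they are explicit anchor IDs defined elsewhere in the file, say so in the commit message, and either way please confirm on a rendered build that `#credential-guard`, `#virtualization-security` and `#config-code` resolve.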
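Review bot: In the `@@ -158,7 +158,7 @@` hunk, replacing the bare GUID link `1f015738-3bf6-4abb-a1cd-21c04e9ef24f` with `../keep-secure/bitlocker-countermeasures.md` is the right fix; please confirm that file exists in this tree, since the other cross-references in this patch (`../keep-secure/device-guard-deployment-guide.md`, `../keep-secure/credential-guard.md`) rely on the same directory. While that bullet is being edited, it spells the term both "pre-boot PIN" and "preboot authentication" in consecutive sentences; pick one spelling.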
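Review bot: The `@@ -183,7 +183,7 @@` hunk only strips trailing whitespace from `### Windows Hello`, but the unchanged context line directly above it reads "the new phone sign-in capability which will available to Windows Insiders", which is missing "be" ("which will be available"). Since that line is already inside the hunk's context, it is worth fixing in this same pass rather than in a later one.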
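Review bot: In the `@@ -212,7 +212,7 @@` hunk the context line "By employing a MFA option such as Microsoft Passport" should read "an MFA option"; as with the Windows Hello hunk, the line is already in the hunk's context, so the fix costs nothing here.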
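Review bot: In the `windows/whats-new/trusted-platform-module.md` `@@ -28,12 +28,12 @@` hunk, `#BKMK_DHA` becomes `#bkmk-dha`, but the heading it points at is `## Device health attestation`; a heading-derived slug would be `#device-health-attestation`, so `#bkmk-dha` only works if an explicit anchor with that id exists in the file. Please verify it does, or point the link at the heading slug. The same hunk's context line "With device heath attestation, you can configure an MDM server" has a typo ("health") that could be fixed at the same time.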
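Review bot: In the `windows/whats-new/windows-spotlight.md` `@@ -18,10 +18,10 @@` hunk, the three renamed anchors keep a trailing hyphen (`#what-does-windows-spotlight-include-`, `#how-do-you-turn-off-windows-spotlight-`, `#how-do-you-disable-windows-spotlight-for-managed-devices-`) where the old anchors had a trailing underscore standing in for the heading's `?`. Many slug generators drop trailing punctuation rather than emitting a separator, which would make the correct targets `#what-does-windows-spotlight-include` and so on; please check a rendered build of this page before merging, because a wrong guess breaks all three in-page links at once.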