From 6c12b9a2f033c8d4808438ac6c8b6fd238f5ead7 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Fri, 19 Aug 2016 13:44:01 -0700 Subject: [PATCH 01/20] testing GFM table instead of image --- ...system-components-to-microsoft-services.md | 68 ++++++++++--------- 1 file changed, 37 insertions(+), 31 deletions(-) diff --git a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 4c0fc7b9d4..67992887fe 100644 --- a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -2,7 +2,7 @@ title: Manage connections from Windows operating system components to Microsoft services (Windows 10) description: If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider. ms.assetid: ACCEB0DD-BC6F-41B1-B359-140B242183D9 -keywords: privacy, manage connections to Microsoft +keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016 ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -15,6 +15,7 @@ author: brianlic-msft **Applies to** - Windows 10 +- Windows Server 2016 If you're looking for content on what each telemetry level means and how to configure it in your organization, see [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md). 
@@ -22,13 +23,44 @@ Learn about the network connections that Windows components make to Microsoft an If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider. You can configure telemetry at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article. -Some of the network connections discussed in this article can be managed in Windows 10 Mobile, Windows 10 Mobile Enterprise, Windows 10, version 1507, and Windows 10, version 1511. However, you must use Windows 10 Enterprise, version 1607 or Windows 10 Education, version 1607 to manage them all. +You can configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. There are many reason why these communications are enabled by default, such as updating malware definitions and maintain current certificate revocation lists, which is why we strongly recommend against this. This data helps us deliver a secure, reliable, and more delightful personalized experience. -You can configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all other connections to Microsoft services as described in this article to prevent Windows from sending any data to Microsoft. We strongly recommend against this, as this data helps us deliver a secure, reliable, and more delightful personalized experience. -We are always working on improving Windows 10 for our customers. We invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows 10 work better for your organization. 
+## What's new in Windows 10, version 1607 and Windows Server 2016 -Here's what's covered in this article: +Here's a list of changes that were made to this article for Windows 10, version 1607 and Windows Server 2016: + +- Added instructions on how to turn off speech recognition and speech synthesis model updates in [14.5 Speech, inking, & typing](#bkmk-priv-speech). +- Added instructions on how to turn off flip ahead with an Internet Explorer Group Policy. +- Added a section on how to turn off automatic root updates to stop updating the certificate trust list in [1. Certificate trust lists](#certificate-trust-lists). +- Added a new setting in [25. Windows Update](#bkmk-wu). +- Changed the NCSI URL in [11. Network Connection Status Indicator](#bkmk-ncsi). +- Added a section on how to turn off features that depend on Microsoft Account cloud authentication service [10. Microsoft Account](#bkmk-microsoft-account). + +- Added the following Group Policies: + + - Turn off unsolicited network traffic on the Offline Maps settings page + - Turn off all Windows spotlight features + +## Settings by edition + + +The following sections list the components that make network connections to Microsoft services by default. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all of these connections. + +If you're running Windows 10, they will be included in the next update for the Long Term Servicing Branch. + +### Settings for Windows 10 Enterprise, version 1607 + +See the following table for a summary of the management settings for Windows 10 Enterprise, version 1607. 
+ +| Setting | UI | Group Policy | MDM policy | Registry | Command line | +| - | - | - | - | - | - | +| [Certificate trust lists](#certificate-trust-lists) | | ![Check mark](images/checkmark.png) | | | | +| [Cortana and search](#bkmk-cortana) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | + +![Windows 10 Enterprise, version 1607 settings](images/settings-table.png) + +Use the following list for more info on each section in the table above: - [Info management settings](#bkmk-othersettings) 
@@ -140,32 +172,6 @@ Here's what's covered in this article: - [26. Windows Update](#bkmk-wu) -## What's new in Windows 10, version 1607 - -Here's a list of changes that were made to this article for Windows 10, version 1607: - -- Added instructions on how to turn off speech recognition and speech synthesis model updates in [14.5 Speech, inking, & typing](#bkmk-priv-speech). -- Added instructions on how to turn off flip ahead with an Internet Explorer Group Policy. -- Added a section on how to turn off automatic root updates to stop updating the certificate trust list in [1. Certificate trust lists](#certificate-trust-lists). -- Added a new setting in [25. Windows Update](#bkmk-wu). -- Changed the NCSI URL in [11. Network Connection Status Indicator](#bkmk-ncsi). -- Added a section on how to turn off features that depend on Microsoft Account cloud authentication service [10. Microsoft Account](#bkmk-microsoft-account). - -- Added the following Group Policies: - - - Turn off unsolicited network traffic on the Offline Maps settings page - - Turn off all Windows spotlight features - -## Info management settings - - -This section lists the components that make network connections to Microsoft services automatically. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all of these connections. We strongly recommend against this, as this data helps us deliver a secure, reliable, and more delightful personalized experience. - -The settings in this section assume you are using Windows 10, version 1607. They will also be included in the next update for the Long Term Servicing Branch. - -See the following table for a summary of the management settings. For more info, see its corresponding section. - -![Management settings table](images/settings-table.png) ### 1. 
Certificate trust lists From 265507f2e015267fb70d93b68b2bcd84d778fdd7 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Fri, 19 Aug 2016 14:14:34 -0700 Subject: [PATCH 02/20] centering cells --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 67992887fe..b211ba3dba 100644 --- a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -54,7 +54,7 @@ If you're running Windows 10, they will be included in the next update for the L See the following table for a summary of the management settings for Windows 10 Enterprise, version 1607. | Setting | UI | Group Policy | MDM policy | Registry | Command line | -| - | - | - | - | - | - | +| - | :-: | :-: | :-: | :-: | :-: | | [Certificate trust lists](#certificate-trust-lists) | | ![Check mark](images/checkmark.png) | | | | | [Cortana and search](#bkmk-cortana) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | From 49f1cbfcd88035999e28ec7fa184aae975ddb890 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Fri, 19 Aug 2016 14:53:32 -0700 Subject: [PATCH 03/20] trying tab in a table --- ...g-system-components-to-microsoft-services.md | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index b211ba3dba..66d615444d 100644 
--- a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
@@ -56,7 +56,22 @@ See the following table for a summary of the management settings for Windows 10 | Setting | UI | Group Policy | MDM policy | Registry | Command line | | - | :-: | :-: | :-: | :-: | :-: | | [Certificate trust lists](#certificate-trust-lists) | | ![Check mark](images/checkmark.png) | | | | -| [Cortana and search](#bkmk-cortana) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | +| [Cortana and search](#bkmk-cortana) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | +| [Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | | | ![Check mark](images/checkmark.png) | | +| [Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | | | | +| [Font streaming](#font-streaming) | | | | ![Check mark](images/checkmark.png) | | +| [Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | +| [Internet Explorer](#bkmk-ie) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | +| [Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | | | | +| [Mail synchronization](#bkmk-mailsync) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | +| [Microsoft Edge](#bkmk-edge) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | +| [Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | | | | +| [Offline maps](#bkmk-offlinemaps) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | +| [OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | | ![Check 
mark](images/checkmark.png) | | +| [Preinstalled apps](#bkmk-preinstalledapps) | ![Check mark](images/checkmark.png) | | | | ![Check mark](images/checkmark.png) | +| [Settings > Privacy](#bkmk-settingssection) | | | | | | +| [General](#bkmk-priv-general) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | + ![Windows 10 Enterprise, version 1607 settings](images/settings-table.png) From 6bee0bd30141780ce1a633751ae9669e438f6b84 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Fri, 19 Aug 2016 15:04:10 -0700 Subject: [PATCH 04/20] trying non breaking space --- ...system-components-to-microsoft-services.md | 121 ++++++------------ 1 file changed, 42 insertions(+), 79 deletions(-) diff --git a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 66d615444d..266ecd9505 100644 --- a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
@@ -55,89 +55,52 @@ See the following table for a summary of the management settings for Windows 10 | Setting | UI | Group Policy | MDM policy | Registry | Command line | | - | :-: | :-: | :-: | :-: | :-: | -| [Certificate trust lists](#certificate-trust-lists) | | ![Check mark](images/checkmark.png) | | | | -| [Cortana and search](#bkmk-cortana) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | -| [Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | | | ![Check mark](images/checkmark.png) | | -| [Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | | | | -| [Font streaming](#font-streaming) | | | | ![Check mark](images/checkmark.png) | | -| [Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | -| [Internet Explorer](#bkmk-ie) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | -| [Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | | | | -| [Mail synchronization](#bkmk-mailsync) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | -| [Microsoft Edge](#bkmk-edge) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | -| [Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | | | | -| [Offline maps](#bkmk-offlinemaps) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | -| [OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -| [Preinstalled apps](#bkmk-preinstalledapps) | ![Check mark](images/checkmark.png) | | | | ![Check mark](images/checkmark.png) | -| [Settings > 
Privacy](#bkmk-settingssection) | | | | | | -| [General](#bkmk-priv-general) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [1. Certificate trust lists](#certificate-trust-lists) | | ![Check mark](images/checkmark.png) | | | | +| [2. Cortana and search](#bkmk-cortana) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | +| [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | | | ![Check mark](images/checkmark.png) | | +| [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | | | | +| [5. Font streaming](#font-streaming) | | | | ![Check mark](images/checkmark.png) | | +| [6. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | +| [7. Internet Explorer](#bkmk-ie) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | +| [8. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | | | | +| [9. Mail synchronization](#bkmk-mailsync) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | +| [10. Microsoft Account](#bkmk-microsoft-account) | | | | ![Check mark](images/checkmark.png) | | +| [11. Microsoft Edge](#bkmk-edge) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | +| [12. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | | | | +| [13. Offline maps](#bkmk-offlinemaps) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | +| [14. 
OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [15. Preinstalled apps](#bkmk-preinstalledapps) | ![Check mark](images/checkmark.png) | | | | ![Check mark](images/checkmark.png) | +| [16. Settings > Privacy](#bkmk-settingssection) | | | | | | +|     [16.1 General](#bkmk-priv-general) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [16.2 Location](#bkmk-priv-location) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | +|     [16.3 Camera](#bkmk-priv-camera) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | +|     [16.4 Microphone](#bkmk-priv-microphone) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | +|     [16.5 Notifications](#bkmk-priv-notifications) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | +|     [16.6 Speech, inking, & typing](#bkmk-priv-speech) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [16.7 Account info](#bkmk-priv-accounts) | | | | | | +|     [16.8 Contacts](#bkmk-priv-contacts) | | | | | | +|     [16.9 Calendar](#bkmk-priv-calendar) | | | | | | +|     [16.10 Call history](#bkmk-priv-callhistory) | | | | | | +|     [16.11 Email](#bkmk-priv-email) | | | | | | +|     [16.12 Messaging](#bkmk-priv-messaging) | | | | | | +|     [16.13 Radios](#bkmk-priv-radios) | | | | | | +|     [16.14 Other devices](#bkmk-priv-other-devices) | | | | | | +|     [16.15 Feedback & diagnostics](#bkmk-priv-feedback) | | | | | | +|     [16.16 Background apps](#bkmk-priv-background) | | | | | | +| [17. Software Protection Platform](#bkmk-spp) | | | | | | +| [18. 
Sync your settings](#bkmk-syncsettings) | | | | | | +| [19. Teredo](#bkmk-teredo) | | | | | | +| [20. Wi-Fi Sense](#bkmk-wifisense) | | | | | | +| [21. Windows Defender](#bkmk-defender) | | | | | | +| [22. Windows Media Player](#bkmk-wmp) | | | | | | +| [23. Windows spotlight](#bkmk-spotlight) | | | | | | +| [24. Windows Store](#bkmk-windowsstore) | | | | | | +| [25. Windows Update Delivery Optimization](#bkmk-updates) | | | | | | +| [26. Windows Update](#bkmk-wu) | | | | | | ![Windows 10 Enterprise, version 1607 settings](images/settings-table.png) -Use the following list for more info on each section in the table above: - -- [Info management settings](#bkmk-othersettings) - - - [1. Certificate trust lists](#certificate-trust-lists) - - - [2. Cortana](#bkmk-cortana) - - - [2.1 Cortana Group Policies](#bkmk-cortana-gp) - - - [2.2 Cortana MDM policies](#bkmk-cortana-mdm) - - - [2.3 Cortana Windows Provisioning](#bkmk-cortana-prov) - - - [3. Date & Time](#bkmk-datetime) - - - [4. Device metadata retrieval](#bkmk-devinst) - - - [5. Font streaming](#font-streaming) - - - [6. Insider Preview builds](#bkmk-previewbuilds) - - - [7. Internet Explorer](#bkmk-ie) - - - [7.1 Internet Explorer Group Policies](#bkmk-ie-gp) - - - [7.2 ActiveX control blocking](#bkmk-ie-activex) - - - [8. Live Tiles](#live-tiles) - - - [9. Mail synchronization](#bkmk-mailsync) - - - [10. Microsoft Account](#bkmk-microsoft-account) - - - [11. Microsoft Edge](#bkmk-edge) - - - [11.1 Microsoft Edge Group Policies](#bkmk-edgegp) - - - [11.2 Microsoft Edge MDM policies](#bkmk-edge-mdm) - - - [11.3 Microsoft Edge Windows Provisioning](#bkmk-edge-prov) - - - [12. Network Connection Status Indicator](#bkmk-ncsi) - - - [13. Offline maps](#bkmk-offlinemaps) - - - [14. OneDrive](#bkmk-onedrive) - - - [15. Preinstalled apps](#bkmk-preinstalledapps) - - - [16. 
Settings > Privacy](#bkmk-settingssection) - - - [16.1 General](#bkmk-priv-general) - - - [16.2 Location](#bkmk-priv-location) - - - [16.3 Camera](#bkmk-priv-camera) - - - [16.4 Microphone](#bkmk-priv-microphone) - - - [16.5 Notifications](#bkmk-priv-notifications) - - - [16.6 Speech, inking, & typing](#bkmk-priv-speech) - [16.7 Account info](#bkmk-priv-accounts) From 3004fa8129e112f5fc44d4ff7b196b0d69321a27 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Fri, 19 Aug 2016 15:19:16 -0700 Subject: [PATCH 05/20] completed first table --- ...system-components-to-microsoft-services.md | 90 +++++-------------- 1 file changed, 20 insertions(+), 70 deletions(-) diff --git a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 266ecd9505..c7460fa51d 100644 --- a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
@@ -77,81 +77,31 @@ See the following table for a summary of the management settings for Windows 10 |     [16.4 Microphone](#bkmk-priv-microphone) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | |     [16.5 Notifications](#bkmk-priv-notifications) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | |     [16.6 Speech, inking, & typing](#bkmk-priv-speech) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [16.7 Account info](#bkmk-priv-accounts) | | | | | | -|     [16.8 Contacts](#bkmk-priv-contacts) | | | | | | -|     [16.9 Calendar](#bkmk-priv-calendar) | | | | | | -|     [16.10 Call history](#bkmk-priv-callhistory) | | | | | | -|     [16.11 Email](#bkmk-priv-email) | | | | | | -|     [16.12 Messaging](#bkmk-priv-messaging) | | | | | | -|     [16.13 Radios](#bkmk-priv-radios) | | | | | | -|     [16.14 Other devices](#bkmk-priv-other-devices) | | | | | | -|     [16.15 Feedback & diagnostics](#bkmk-priv-feedback) | | | | | | -|     [16.16 Background apps](#bkmk-priv-background) | | | | | | -| [17. Software Protection Platform](#bkmk-spp) | | | | | | -| [18. Sync your settings](#bkmk-syncsettings) | | | | | | -| [19. Teredo](#bkmk-teredo) | | | | | | -| [20. Wi-Fi Sense](#bkmk-wifisense) | | | | | | -| [21. Windows Defender](#bkmk-defender) | | | | | | -| [22. Windows Media Player](#bkmk-wmp) | | | | | | -| [23. Windows spotlight](#bkmk-spotlight) | | | | | | -| [24. Windows Store](#bkmk-windowsstore) | | | | | | -| [25. Windows Update Delivery Optimization](#bkmk-updates) | | | | | | -| [26. 
Windows Update](#bkmk-wu) | | | | | | +|     [16.7 Account info](#bkmk-priv-accounts) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | +|     [16.8 Contacts](#bkmk-priv-contacts) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | +|     [16.9 Calendar](#bkmk-priv-calendar) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | +|     [16.10 Call history](#bkmk-priv-callhistory) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | +|     [16.11 Email](#bkmk-priv-email) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | +|     [16.12 Messaging](#bkmk-priv-messaging) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | +|     [16.13 Radios](#bkmk-priv-radios) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | +|     [16.14 Other devices](#bkmk-priv-other-devices) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +|     [16.15 Feedback & diagnostics](#bkmk-priv-feedback) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [16.16 Background apps](#bkmk-priv-background) | ![Check mark](images/checkmark.png) | | | | | +| [17. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | +| [18. Sync your settings](#bkmk-syncsettings) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | +| [19. Teredo](#bkmk-teredo) | | | | | ![Check mark](images/checkmark.png) | +| [20. Wi-Fi Sense](#bkmk-wifisense) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [21. 
Windows Defender](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [22. Windows Media Player](#bkmk-wmp) | ![Check mark](images/checkmark.png) | | | | ![Check mark](images/checkmark.png) | +| [23. Windows spotlight](#bkmk-spotlight) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | +| [24. Windows Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | | | | +| [25. Windows Update Delivery Optimization](#bkmk-updates) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | +| [26. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | ![Windows 10 Enterprise, version 1607 settings](images/settings-table.png) - - [16.7 Account info](#bkmk-priv-accounts) - - - [16.8 Contacts](#bkmk-priv-contacts) - - - [16.9 Calendar](#bkmk-priv-calendar) - - - [16.10 Call history](#bkmk-priv-callhistory) - - - [16.11 Email](#bkmk-priv-email) - - - [16.12 Messaging](#bkmk-priv-messaging) - - - [16.13 Radios](#bkmk-priv-radios) - - - [16.14 Other devices](#bkmk-priv-other-devices) - - - [16.15 Feedback & diagnostics](#bkmk-priv-feedback) - - - [16.16 Background apps](#bkmk-priv-background) - - - [17. Software Protection Platform](#bkmk-spp) - - - [18. Sync your settings](#bkmk-syncsettings) - - - [19. Teredo](#bkmk-teredo) - - - [20. Wi-Fi Sense](#bkmk-wifisense) - - - [21. Windows Defender](#bkmk-defender) - - - [22. Windows Media Player](#bkmk-wmp) - - - [23. Windows spotlight](#bkmk-spotlight) - - - [24. Windows Store](#bkmk-windowsstore) - - - [25. 
Windows Update Delivery Optimization](#bkmk-updates) - - - [25.1 Settings > Update & security](#bkmk-wudo-ui) - - - [25.2 Delivery Optimization Group Policies](#bkmk-wudo-gp) - - - [25.3 Delivery Optimization MDM policies](#bkmk-wudo-mdm) - - - [25.4 Delivery Optimization Windows Provisioning](#bkmk-wudo-prov) - - - [26. Windows Update](#bkmk-wu) - - - ### 1. Certificate trust lists A certificate trust list is a predefined list of items, such as a list of certificate hashes or a list of file name, that are signed by a trusted entity. Windows automatically downloads an updated certificate trust list when it is available. From 68648d8692557c581a16f14902c8af0f6e096077 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Fri, 19 Aug 2016 15:32:58 -0700 Subject: [PATCH 06/20] first draft of server content. Still need to add specific differences between client and server --- ...system-components-to-microsoft-services.md | 80 ++++++++++++++++--- 1 file changed, 67 insertions(+), 13 deletions(-) diff --git a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index c7460fa51d..00546b3e79 100644 --- a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
@@ -98,9 +98,61 @@ See the following table for a summary of the management settings for Windows 10 | [25. Windows Update Delivery Optimization](#bkmk-updates) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | [26. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | +### Settings for Windows Server 2016, with the desktop experience (Datacenter and Standard editions) -![Windows 10 Enterprise, version 1607 settings](images/settings-table.png) +See the following table for a summary of the management settings for Windows Server 2016, with the desktop experience (Datacenter and Standard editions). +| Setting | UI | Group Policy | MDM policy | Registry | Command line | +| - | :-: | :-: | :-: | :-: | :-: | +| [1. Certificate trust lists](#certificate-trust-lists) | | ![Check mark](images/checkmark.png) | | | | +| [2. Cortana and search](#bkmk-cortana) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | +| [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | | | ![Check mark](images/checkmark.png) | | +| [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | | | | +| [5. Font streaming](#font-streaming) | | | | ![Check mark](images/checkmark.png) | | +| [6. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | +| [7. Internet Explorer](#bkmk-ie) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | +| [8. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | | | | +| [10. Microsoft Account](#bkmk-microsoft-account) | | | | ![Check mark](images/checkmark.png) | | +| [12. 
Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | | | | +| [14. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [16. Settings > Privacy](#bkmk-settingssection) | | | | | | +|     [16.1 General](#bkmk-priv-general) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [17. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | +| [19. Teredo](#bkmk-teredo) | | | | | ![Check mark](images/checkmark.png) | +| [21. Windows Defender](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [22. Windows Media Player](#bkmk-wmp) | ![Check mark](images/checkmark.png) | | | | ![Check mark](images/checkmark.png) | +| [24. Windows Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | | | | +| [26. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | + +### Settings for Windows Server 2016, Server Core installation + +See the following table for a summary of the management settings for Windows Server 2016, Server Core installation. + +| Setting | UI | Group Policy | MDM policy | Registry | Command line | +| - | :-: | :-: | :-: | :-: | :-: | +| [1. Certificate trust lists](#certificate-trust-lists) | | ![Check mark](images/checkmark.png) | | | | +| [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | | | ![Check mark](images/checkmark.png) | | +| [5. Font streaming](#font-streaming) | | | | ![Check mark](images/checkmark.png) | | +| [12. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | | | | +| [17. 
Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | +| [19. Teredo](#bkmk-teredo) | | | | | ![Check mark](images/checkmark.png) | +| [21. Windows Defender](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [26. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | + +### Settings for Windows Server 2016, Nano Server installation + +See the following table for a summary of the management settings for Windows Server 2016, Server Core installation. + +| Setting | UI | Group Policy | MDM policy | Registry | Command line | +| - | :-: | :-: | :-: | :-: | :-: | +| [1. Certificate trust lists](#certificate-trust-lists) | | ![Check mark](images/checkmark.png) | | | | +| [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | | | ![Check mark](images/checkmark.png) | | +| [19. Teredo](#bkmk-teredo) | | | | | ![Check mark](images/checkmark.png) | +| [26. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | + +## Settings + +Use the following sections for more information about how to configure each setting. ### 1. Certificate trust lists 
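Review bot: The intro sentence under the new "Settings for Windows Server 2016, Nano Server installation" heading still reads "Windows Server 2016, Server Core installation", copied from the section above it. It should name the Nano Server installation so the heading, the sentence and the four-row table agree. In the same hunk, both the Server Core and Nano Server tables mark "3. Date & Time" as configurable through the UI column; confirm that is intended for installations without the desktop experience, or clear the check mark.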
@@ -112,9 +164,9 @@ To turn off the automatic download of an updated certificate trust list, you can -or- -- Create a REG\_DWORD registry setting called **DisableRootAutoUpdate** in **HKEY\_LOCAL\_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate**, with a value of 1. +- Create a REG\_DWORD registry setting called **DisableRootAutoUpdate** in **HKEY\_LOCAL\_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot**, with a value of 1. -After that, do the following in a Group Policy: + -or- 1. Navigate to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Public Key Policies**. 2. Double-click **Certificate Path Validation Settings**. 
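Review bot: Replacing "After that, do the following in a Group Policy:" with "-or-" changes the procedure, not just the wording: the Certificate Path Validation Settings steps used to be a follow-up to the DisableRootAutoUpdate registry value and are now presented as a third stand-alone alternative. Please confirm that each option alone turns off the certificate trust list download, and if the Group Policy steps are still needed after the registry change, keep the original lead-in. The added "-or-" line also carries a leading space that the existing "-or-" separator does not, which may render differently. The registry path correction itself (dropping the trailing \DisableRootAutoUpdate so the value name is not repeated as a key) looks right.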
@@ -138,10 +190,10 @@ Find the Cortana Group Policy objects under **Computer Configuration** > **Ad | Don't search the web or display web results in Search| Choose whether to search the web from Cortana. | | Set what information is shared in Search | Control what information is shared with Bing in Search. | -In Windows 10, version 1507 and Windows 10, version 1511, When you enable the **Don't search the web or display web results in Search** Group Policy, you can control the behavior of whether Cortana searches the web to display web results. However, this policy only covers whether or not web search is performed. There could still be a small amount of network traffic to Bing.com to evaluate if certain Cortana components are up-to-date or not. In order to turn off that network activity completely, you can create a Windows Firewall rule to prevent outbound traffic. +In Windows 10, version 1507 and Windows 10, version 1511, when you enable the **Don't search the web or display web results in Search** Group Policy, you can control the behavior of whether Cortana searches the web to display web results. However, this policy only covers whether or not web search is performed. There could still be a small amount of network traffic to Bing.com to evaluate if certain Cortana components are up-to-date or not. In order to turn off that network activity completely, you can create a Windows Firewall rule to prevent outbound traffic. >[!IMPORTANT] ->These steps are not required for devices running Windows 10, version 1607. +>These steps are not required for devices running Windows 10, version 1607 or Windows Server 2016. 1. Expand **Computer Configuration** > **Windows Settings** > **Security Settings** > **Windows Firewall with Advanced Security** > **Windows Firewall with Advanced Security - <LDAP name>**, and then click **Outbound Rules**. 
@@ -198,12 +250,10 @@ To prevent Windows from retrieving device metadata from the Internet, apply the ### 5. Font streaming -Starting with Windows 10, fonts that are included in Windows but that are not stored on the local device can be downloaded on demand. +Fonts that are included in Windows but that are not stored on the local device can be downloaded on demand. To turn off font streaming, create a REG\_DWORD registry setting called **DisableFontProviders** in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\FontCache\\Parameters**, with a value of 1. -> [!NOTE] -> This may change in future versions of Windows. ### 6. Insider Preview builds @@ -211,10 +261,10 @@ To turn off Insider Preview builds for a released version of Windows 10: - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Toggle user control over Insider builds**. -To turn off Insider Preview builds for an Insider Preview version of Windows 10: +To turn off Insider Preview builds: > [!NOTE] -> If you're running a preview version of Windows 10, you must roll back to a released version before you can turn off Insider Preview builds. +> If you're running a preview version of Windows 10 or Windows Server 2016, you must roll back to a released version before you can turn off Insider Preview builds. - Turn off the feature in the UI: **Settings** > **Update & security** > **Windows Insider Program** > **Stop Insider Preview builds**. 
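Review bot: In the Insider Preview hunk, the second lead-in is now just "To turn off Insider Preview builds:", which no longer says how it differs from the first one ("for a released version of Windows 10") and sits directly above a note saying preview versions must be rolled back before the feature can be turned off. Either restore a qualifier that states which case the UI step covers, or merge the two lists. The first lead-in also still names only Windows 10, while the summary table added in this patch lists Insider Preview builds for Windows Server 2016 with the desktop experience, so it needs the same scope update the note received.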
@@ -358,7 +408,7 @@ For a complete list of the Microsoft Edge policies, see [Available policies for Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftconnecttest.com/connecttest.txt to determine if the device can communicate with the Internet. For more info about NCIS, see [The Network Connection Status Icon](http://blogs.technet.com/b/networking/archive/2012/12/20/the-network-connection-status-icon.aspx). -In versions of Windows 10 prior to Windows 10, version 1607, the URL was http://www.msftncsi.com. +In versions of Windows 10 prior to Windows 10, version 1607 and Windows Server 2016, the URL was http://www.msftncsi.com. You can turn off NCSI through Group Policy: @@ -1102,7 +1152,7 @@ You can also use the registry to turn off Malicious Software Reporting Tool tele ### 22. Windows Media Player -To remove Windows Media Player: +To remove Windows Media Player on Windows 10: - From the **Programs and Features** control panel, click **Turn Windows features on or off**, under **Media Features**, clear the **Windows Media Player** check box, and then click **OK**. @@ -1110,6 +1160,10 @@ To remove Windows Media Player: - Run the following DISM command from an elevated command prompt: **dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer** +To remove Windows Media Player on Windows Server 2016: + +- Run the following DISM command from an elevated command prompt: **dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer** + ### 23. Windows spotlight Windows spotlight provides features such as different background images and text on the lock screen, suggested apps, Microsoft account notifications, and Windows tips. You can control it by using the user interface or through Group Policy. 
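Review bot: The new "To remove Windows Media Player on Windows Server 2016:" block repeats the Windows 10 DISM command verbatim and gives no UI step, yet the Server 2016 desktop-experience table added earlier in this patch marks Windows Media Player under both UI and Command line. Either add the UI procedure for Server 2016 or clear the UI check mark in the table. If the command is identical on both systems, a single DISM bullet that names both would avoid the two copies drifting apart.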
@@ -1153,7 +1207,7 @@ For more info, see [Windows Spotlight on the lock screen](../manage/windows-spot ### 24. Windows Store -You can turn off the ability to launch apps from the Windows Store that were preinstalled or downloaded. This will also turn off automatic app updates, and the Windows Store will be disabled. +You can turn off the ability to launch apps from the Windows Store that were preinstalled or downloaded. This will also turn off automatic app updates, and the Windows Store will be disabled. On Windows Server 2016, this will block Windows Store calls from Universal Windows Apps. - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Disable all apps from Windows Store**. From 47d6a02a54f3ad428d5e9685676e5d2e44e3b4c8 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Fri, 19 Aug 2016 15:48:34 -0700 Subject: [PATCH 07/20] removing old settings table image --- windows/manage/images/settings-table.png | Bin 60231 -> 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 windows/manage/images/settings-table.png 
diff --git a/windows/manage/images/settings-table.png b/windows/manage/images/settings-table.png deleted file mode 100644 index ada56513fc8365e0c23374e0223eb3c7c30e9aac..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 60231
zF3R;7-~NA{opoGP+y4FyNbKD2J?H%Hz31HXGc#v5_Ot-9!(PO&JPJh!=$4;U|!QF+pAU> zB34FG%CVk&dD8+&WEJJvRQdkG({XyRuY3M#;olrR*wtizU8b)!2^;vQi6J5z+iNXM zEed|JQA%JkJ9?j`LL(F=h7+OJX;mGua;%~6?Ms=s(ch*>o>mj`VQb4sj-$fvkz*~c zA3SJI-jEQD<_4PhY69GF8(rCK#Ae|6H`6;}Oz$H0P7&az&#aHf=?n*t_=Os!dLenx z4W8YDJrSX_U0aM;X6KCyW_VSFRm<#nY%!jtO$NV>ni#Db&DSwJf;q0-h=Oi^h#lo4 z@wA=v3k+yF1}j9`9cMFv#e{roY%SyZY{$A1392TI zQscp6h+lXpbGT#7%jV<0TsddtRPJvXMGwlL}r~0wb)2 z1zJ0Suv9rNl~FN5RzKfZd_Ct(lz%{j;o|-x-fb_>`Zmf2*)2$=-}0CCsE)GdTGTAr z!IRzT!k>i}8%cab^JE4ZlzzQ_@ZRdvbXi#Ge#>{tMT78 zQH|o9*Xv-YG#V~J3msn1Tgn!@8`!H6Jc99#zbur|LnOVo&*!a=4J((ffE|e)P`4*< z3F+m;`#v=~sE?6STu$>8atgB<2E+G=)cZO+b4giKXeG5RzR&>gQgPlpQ?)lXVzBaL zipuMDSI~8bHcVy0F!>iElQXQdiR#QbUgm@k^$);8E^f?zdUwaXPw*bNp0!O(^P)5T z?a+1&hCyu{mUN(Yq0Op{fA`MP!^vs=iH~8bXV|xUcVVxsGZoT>eGd11g{@^iONpRb z&;FmQkz(GD)A2e!9dhX%1M7Ee;4>{fl$Aqc{RgrZ%Vr=_b|bKb2iN;z{A>Y=q4&lo z+5<)~oY2xCtj^ZQM$YM`sF&fo9Jox}fp*5+3QWC^lt80NR(B7FS6ei<$3t~nzTeEN zSkWH7oiS0Wl;g2?sTQqLzjNlLXs;_p@6E{c<)#)2(yx)F%${f++3kn3t%S!%<2K?z zc#cbpf|@5F74i^>D87V*1S5})f}Y-4;%t=y>p=kker{Nn>b-A1-v3Z~;UY_!2GysDt26~$ zw90Kh(UQ_3uNXF~qG8Ap_+ug|Yl!ojeT{~s4!oL6hK9Lu)0))lcD%q0p;xYcowO?* zSW!+K1>j#(Ij)b|JxXFA|H2)VS_L-cO85bZb*Ig-5R_yxQ^Bp-sXI`=cLud<1)6 zRaYON-CI*wG`njO#F~q2qR~Rcf*8cbe%t#AFp*j$`_*o<1i%!_;D37$4DM1E1j^FNs%bDid2H&qEYt(C6X zD^=j>{?Z%grI4N%cXXFh*9_HZVO9AQZ}lF8q0woY3A!es9Z#c_w^S5(2E<}pH9Tj( z*1V}ZeUXq+>9Ylu6^q@6EE&<{Q)HqATNrq~xn zLfd@qR92BE29b8F)ZdTd!#IiB>$*!c;YzE6b3to+-_5Ew>o<407E%qCOY+x@I!K>E za3|e`ifoWkQca~%h@3l*b`<3#`OA!3B77xn51xf4rl_0jl6P|6Q%PG3C$rVO96(2p z%)GO|X}4EUx<e^+=vHM4t#pTVb_unpr>tO26*EN#3q#78jQzCC>XUvWC$GNu2=IH35uBNrW zWzW0tl=1FQpC)Hc0I$c@y4X$5Vcq9w+o#Y8nb* zrf<2@>$!P@0rs8NxUCt?R?G_T#U%M^$KrC`e#UYNmB2>)m<5F~-M?XNCnLO{)WO^vQD67rfPox~G(QsnUZw0`5p^HM>{`SXIIW+NT<% zA3l6&G#8N3V!)W^Ra_P@!+HohdIT>l!-wDx;NDyv6nXU&Gxi{bI;wYv2kgU?Xpzv- z-Ov5~mom?`C^`)5~Iw`&E;23 zlsFr!AWUtPqpqQWz8rc=wAzypNs>|F@GY5$1{;a=}LS}Pm2t|1;3GHqXU{9HP1ddb_Aicx;hi zfl~gigkfHCX1vwEv+J-8`R8Y5zNwMY{J3;RufTByumoFm=tPn?Jb}nG(kRLMj)}QV 
zNXerJ_FjlO*BIs~`hS_08y#2WuoyLqsV^b%yZ4^ zyI-|}2NmE_s64_*SGWFxGt7DK@kjnPLoq?du;z4rPsctKvwnjftk}=DnqBl?OafUPC}L&FUus z*J(>Ehdg5NXQVQ(JiFridBxuXuujr4Vc33=sa*2B7N6Tkcuv_~;j~s}X)m;lK$6%j z4nnPRorl)e8)^r99o)%q15(?0=_H%%B79rjna;LxSn3G+VTpr?eRd6Xh;r2EhEnDZ z4!dP&HN~%hyr^euR4Yb<8FF(?+xn7UAmL2QGOswZM7a9NZf?Bn%+U0G5ZU?$7TF&TO(^|y8N25w=?!Rlo#&Mom6{{=7f_j$g-f zozH!_Gj(oRXmka$`AQ&l%B)tx)gkv$WR|M<+V`q;ck_eTdD7&yZ~0jwj%SV@?o;u8 z_VNqAr8v)?j81XVHy+|9EOhjsIpr&mp9LcL!rO9%&9|CpxwQB$`0d<~Z3zDaygDNf zh~P#^B{bz-Tw0n)F!V`3$c#P($f5fA?4q!t*9?J%DXJK|G~1hb4K6N90Hy9_5Ha-9 z>;HcJ%5Axmjo~x8@CzQ?z=w3QE$Or>Qbkr<>l_ws;`)!$RAq#PiP04Rh zuBPtSsz|PnSStZVF*-03eDn@a-|T z=(Ulh7m*WRI))O*?$^yv42f7NYuQfP0m*oJGU8N#UkHp(SunsVNz?%&0c9XQugQ0( zq{8?D#J(EVL}pkS9%{PS@DYAC{&s+b`A~u!Ck;H03Y9V{z3UZUvvBZ&_H$Yds3^vB z`#dAANvWKRapx9{w{nR0bDqLV;l$pOjAV8t69;uG3UCNU=CG2wP16g_y=QysR5V}S zj;AwhEHvKNwYvJ71K!8WpMfEPz0T3M!zV)7s7frfUeU8IcXEz6^KSa%H1k%4@KoR? z2N=qhy(ALwRp>Fx@HbU)N(xB1Kn(G*;H88_LM#F{r_OK_bMzHHVJ7!CgjJLMZ-_k4&B{(|dnizG5(e!*Dct$dsrQDjDkTvdpH z#8w+JX9al}2G)sclDu_JprqmBeu^Zuyf>VHp0#w#-y?s-ik0digGf{H7h|FUl%Xo} zi0+h7lucQYuEj22gw z!hlSzh<)rL;xI#UEUS!ZO50-Ds@e-;Tgl-D3l5nD?QUgu*a)z{y2tCDDSz@Z;~5+` zJYIk-dpN?tY@DI*^ARtrSvsQaTw=J3$s8y}Kx;Tnr>zH^w?T9z&`As=NS!HNoCI5E z`?xQrC)$61PwQ@>M)y`jd7|U>>mA@torT_iIyAy>J9s<}{MII_%nDmT`zb{HWfCP9tiueXpZ2-RVMa3iL!-me zvJU(ms5uEOPgt^3p3W5u&&0EVt`It_RaDAn{jVWP7k3ud8+N?B1joLQBlqVvRQcS7 z`rQl72yUV;^MFrn)M885$}Cu2p`}+1yJN2fD@WWcIq6v|t9^OME_zscZ7ITeUvx=} zw$eEK9|0krfge-AeRd&TYf3M9WMdd*xm>q^^hiid>@5P^)^7c_#rGG~`S}u&Zhbx> zo!#`jM-Pz~V^{N=dDrAd*#-vg2Bds?JukK`lr`!|!5OQ`OaWhiI4c3Jq0wSA;2@M1 zcvPH>zs1Cy<0UL4dvDY0gnVkP?nJW3A89BFD;tff|Gip(csZcT4>Xn??Ao=Bl6cCUg`i5T_6Cn3Ni2I2tby<>PqNT}%>TpSLeLanPT@=pUl zY$d&{OgM%Wa_-#O>51*hJ5RU(&61WhCPB^Ko_#G6QD9Fh%$g-;i}_xiw@GQ2ltepc z=mHk0!#zK7Yyx(~?p70&TM5W2@z0e_xxkZ%_P~lN!Hir`u91b*w^nTaDYrSZb;WGA z+8oxZ+TB`siei70ZIAzO>ez352{CP_E+`Ql`J4j&UuvY|+%Y$5z0hNMeLc!dENg(w4trLl(X2a!+-_gZXR-@q%&e_uHp>pCGOsfYdwsD zxI%B16F-Q9(6%)vqm<2iJWQB4{Mq&bnyBHNy$NrCS$8~nQ7hEY)s?zH_0uavQxS`5 
z(!C_cC$5oQT{}FUsA_QA;7^zQ5eU+FzRR|lDCBj#ALOE z!?=DFImBWGqJ+-(>V@?3w&trVPdy5crCE*MPiaP}R&xJ(KY7iA9Qhuz^gee4sm9&A zjh*bm@mtiS1U1E<*ScI@`KeB`{yoLOJY<+uV7(jt2t!7|m${9fqU-$&3X0fdKfrvXIkxPYO{> zuZhwWfFR>Hu@n8?@YXGj z3AeDa63?I@Wu?KKj@-{MNcI}3&`?^65dXJsIPok`w24-Tk4@v5Fny&oNa~A{s7uf^olp8T=fO5pC{?KK? zIcdPWJV)>)K`5&H-yz2mGoX0D^bo{X)N<2Of0l17oDJ~uedhmRL`kxy-JcDUpGacil)GW8>t z`cq8_^lOplaIf|cGlZam(;(bV37c- zu|m__*f=xxYmnt~q-A1a^z7`c;S#0z5F*$Ct6F>BDu{wba|d=S)p>H$Wp1tWJ8uuY z_|%O4ExT!|!!J9R^f$s~bG6MS+GmYszH#84GS#~UPFtD^Ei?=tMOoU~ zjvf1t7s>|3MLgLyt`C|`j$l7kJIxjvrI57cTK8t%(p#n((ck*vJl5#`avmGkpOluD zw+PF*r3XDJ(C>^l>Rjqgj;_=13^6v8?mE+ytBs|3Cl_p$y?SkG?LU^L85!MN8@8U+ z2N(OQy{PmRvkdkF)RHVEf-PURAhsusi3pAb!Qd^qLe~~Xw?>7q5MaB#a_G8gD{vbw zK5x0V+vNjO-s3O4W=B(wcmwEzmuD0i^9{$i>S!b7%m<51PtR~v+maBaXLLjJ>+}p%Xbs{rXZ=0R>|O@6moK zOn`iAolCb4vL?6CrJS>d2`pj966-^nMJ9#H^lk>@Na6Xst4@Z}Eg$(Sf+Uof8(04} z(^7qPFSA+)Cd8~@8}+m12xb0ObNV^N=aZfKL%#I)dzv43sX;2o`1)SX^V2;wg+gid z9mhqfa|xB7sh*sxy)aIE)t{G{ZsStbm_lFnTstPwo69<dcC~PB0 zeUyTg9L?ya3st0$G7#p0QY$9O*3Xqivb~BkxAXiqUWwbBs@TDtXd}X{;|D2h9w0W> zW=;iq<=!gddrL7n^jE~4PsJlyB4)>v98cOv+s;JU{i}4a&^Xqc)znb#=WTWE6uc%O zAJq)L$IGpxsMyWfLFQ}+6ptVXgh1*g`PsrBdCc0y{yS?2M*h?|bC6*DnRS=6BKAjD zE9UK|UrY=qEph@$5J2q39N{1f1AtxB>HqHKHQN8;o~&y%K@Iq`r-wT!YW*8t!MwNf zC5hH*#P_|oNsP>+wkG%G2t4DH%hOLR@;}$7*^DH!1h#3FI`I6Z@cGH~0R#_}0;X?= z$0i?vbP0Fl%v!+7y_+SxY`FD_6<9w9PlfggY{IxLK_)7Mew*%1!Nk6FxqD?@f??-E&I2YrV$>oCjRy1{9*&&!$KE7v9a53^dxI}QpuwU)7Hwgw%4WO0p% zZrrTdS8i@@y|YGpZjMLY&T@7XO$oTc%mIGYdo0Z6dfb!Sv-jiA-0IJqLq@pU!W3X@ zl3}(oJdg^=!@T|vTLd$Q8G+&92g7tZGBFNacZVaN?dG+7l8kS68m?M*Xqg?V|2W!U zziwT-KP_rauDR7vJL=kK(}tthh&3*A?C;zC@PCzSKXFUGt)K9e@o|Vnjy$d}nHyPI zSz0ir<_!i@mP<+#y+cFiCFUAZGU}`EZA_DGb(`-2tIw0Y5s$T{%i~Uf{bC>XcwC;n z0apK@Y%`wkSur$`8bTdZ#9c+3lg#!^%?8SgG3ojD`+yvbpgJ1zhJkHeYqsueVffVj z+xeIFX19$N6v_-M8Iw*cUYba1hql&=`E&+NXh!%?8Q!lBUu9>o$&m~``o6ijdD=^T zCqDOE)PKzHLa}o++g^Vg-;w^|dt4wPSfA@+qA=TkaUrcGoLmPOoI&1M1wr56t<*xP z@svR8fy(?Pe~e$sRh&PjL-O$kK^3k7&T5^~sKB_k-GGGHdy9*U8(}U}9txm2w$ER> 
Date: Fri, 19 Aug 2016 15:57:56 -0700 Subject: [PATCH 08/20] clearing file and using redirect --- ...-devices-to-stop-data-flow-to-microsoft.md | 1255 ----------------- 1 file changed, 1255 deletions(-) diff --git a/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md b/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md index 377c8066cf..e8569856c2 100644 --- a/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md 
+++ b/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md 
@@ -2,1258 +2,3 @@ title: Configure Windows 10 devices to stop data flow to Microsoft (Windows 10) redirect_url: https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services --- - -# Configure Windows 10 devices to stop data flow to Microsoft - -**Applies to** - -- Windows 10 - -If you're looking for content on what each telemetry level means and how to configure it in your organization, see [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md). - -Learn about the network connections that Windows components make to Microsoft and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro. - -If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider. You can configure telemetry at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article. - -Some of the network connections discussed in this article can be managed in Windows 10 Mobile, Windows 10 Mobile Enterprise, and the July release of Windows 10. However, you must use Windows 10 Enterprise, version 1511 or Windows 10 Education, version 1511 to manage them all. - -In Windows 10 Enterprise, version 1511 or Windows 10 Education, version 1511, you can configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all other connections to Microsoft services as described in this article to prevent Windows from sending any data to Microsoft. We strongly recommend against this, as this data helps us deliver a secure, reliable, and more delightful personalized experience. - -We are always working on improving Windows 10 for our customers. 
We invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows 10 work better for your organization. - -Here's what's covered in this article: - -- [Info management settings](#bkmk-othersettings) - - - [1. Cortana](#bkmk-cortana) - - - [1.1 Cortana Group Policies](#bkmk-cortana-gp) - - - [1.2 Cortana MDM policies](#bkmk-cortana-mdm) - - - [1.3 Cortana Windows Provisioning](#bkmk-cortana-prov) - - - [2. Date & Time](#bkmk-datetime) - - - [3. Device metadata retrieval](#bkmk-devinst) - - - [4. Font streaming](#font-streaming) - - - [5. Insider Preview builds](#bkmk-previewbuilds) - - - [6. Internet Explorer](#bkmk-ie) - - - [6.1 Internet Explorer Group Policies](#bkmk-ie-gp) - - - [6.2 ActiveX control blocking](#bkmk-ie-activex) - - - [7. Live Tiles](#live-tiles) - - - [8. Mail synchronization](#bkmk-mailsync) - - - [9. Microsoft Edge](#bkmk-edge) - - - [9.1 Microsoft Edge Group Policies](#bkmk-edgegp) - - - [9.2 Microsoft Edge MDM policies](#bkmk-edge-mdm) - - - [9.3 Microsoft Edge Windows Provisioning](#bkmk-edge-prov) - - - [10. Network Connection Status Indicator](#bkmk-ncsi) - - - [11. Offline maps](#bkmk-offlinemaps) - - - [12. OneDrive](#bkmk-onedrive) - - - [13. Preinstalled apps](#bkmk-preinstalledapps) - - - [14. 
Settings > Privacy](#bkmk-settingssection) - - - [14.1 General](#bkmk-priv-general) - - - [14.2 Location](#bkmk-priv-location) - - - [14.3 Camera](#bkmk-priv-camera) - - - [14.4 Microphone](#bkmk-priv-microphone) - - - [14.5 Speech, inking, & typing](#bkmk-priv-speech) - - - [14.6 Account info](#bkmk-priv-accounts) - - - [14.7 Contacts](#bkmk-priv-contacts) - - - [14.8 Calendar](#bkmk-priv-calendar) - - - [14.9 Call history](#bkmk-priv-callhistory) - - - [14.10 Email](#bkmk-priv-email) - - - [14.11 Messaging](#bkmk-priv-messaging) - - - [14.12 Radios](#bkmk-priv-radios) - - - [14.13 Other devices](#bkmk-priv-other-devices) - - - [14.14 Feedback & diagnostics](#bkmk-priv-feedback) - - - [14.15 Background apps](#bkmk-priv-background) - - - [15. Software Protection Platform](#bkmk-spp) - - - [16. Sync your settings](#bkmk-syncsettings) - - - [17. Teredo](#bkmk-teredo) - - - [18. Wi-Fi Sense](#bkmk-wifisense) - - - [19. Windows Defender](#bkmk-defender) - - - [20. Windows Media Player](#bkmk-wmp) - - - [21. Windows spotlight](#bkmk-spotlight) - - - [22. Windows Store](#bkmk-windowsstore) - - - [23. Windows Update Delivery Optimization](#bkmk-updates) - - - [23.1 Settings > Update & security](#bkmk-wudo-ui) - - - [23.2 Delivery Optimization Group Policies](#bkmk-wudo-gp) - - - [23.3 Delivery Optimization MDM policies](#bkmk-wudo-mdm) - - - [23.4 Delivery Optimization Windows Provisioning](#bkmk-wudo-prov) - - - [24. 
Windows Update](#bkmk-wu) - -## What's new in Windows 10, version 1511 - - -Here's a list of changes that were made to this article for Windows 10, version 1511: - -- Added the following new sections: - - - [Mail synchronization](#bkmk-mailsync) - - - [Offline maps](#bkmk-offlinemaps) - - - [Windows spotlight](#bkmk-spotlight) - - - [Windows Store](#bkmk-windowsstore) - -- Added the following Group Policies: - - - Open a new tab with an empty tab - - - Configure corporate Home pages - - - Let Windows apps access location - - - Let Windows apps access the camera - - - Let Windows apps access the microphone - - - Let Windows apps access account information - - - Let Windows apps access contacts - - - Let Windows apps access the calendar - - - Let Windows apps access messaging - - - Let Windows apps control radios - - - Let Windows apps access trusted devices - - - Do not show feedback notifications - - - Turn off Automatic Download and Update of Map Data - - - Force a specific default lock screen image - -- Added the AllowLinguisticDataCollection MDM policy. - -- Added steps in the [Cortana](#bkmk-cortana) section on how to disable outbound traffic using Windows Firewall. - -- Changed the Windows Update section to apply system-wide settings, and not just per user. - -## Info management settings - - -This section lists the components that make network connections to Microsoft services automatically. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all of these connections. We strongly recommend against this, as this data helps us deliver a secure, reliable, and more delightful personalized experience. - -The settings in this section assume you are using Windows 10, version 1511 (currently available in the Current Branch and Current Branch for Business). 
They will also be included in the next update for the Long Term Servicing Branch. - -- [1. Cortana](#bkmk-cortana) - -- [2. Date & Time](#bkmk-datetime) - -- [3. Device metadata retrieval](#bkmk-devinst) - -- [4. Font streaming](#font-streaming) - -- [5. Insider Preview builds](#bkmk-previewbuilds) - -- [6. Internet Explorer](#bkmk-ie) - -- [7. Live Tiles](#live-tiles) - -- [8. Mail synchronization](#bkmk-mailsync) - -- [9. Microsoft Edge](#bkmk-edge) - -- [10. Network Connection Status Indicator](#bkmk-ncsi) - -- [11. Offline maps](#bkmk-offlinemaps) - -- [12. OneDrive](#bkmk-onedrive) - -- [13. Preinstalled apps](#bkmk-preinstalledapps) - -- [14. Settings > Privacy](#bkmk-settingssection) - -- [15. Software Protection Platform](#bkmk-spp) - -- [16. Sync your settings](#bkmk-syncsettings) - -- [17. Teredo](#bkmk-teredo) - -- [18. Wi-Fi Sense](#bkmk-wifisense) - -- [19. Windows Defender](#bkmk-defender) - -- [20. Windows Media Player](#bkmk-wmp) - -- [21. Windows spotlight](#bkmk-spotlight) - -- [22. Windows Store](#bkmk-windowsstore) - -- [23. Windows Update Delivery Optimization](#bkmk-updates) - -- [24. Windows Update](#bkmk-wu) - - -See the following table for a summary of the management settings. For more info, see its corresponding section. - -![Management settings table](images/settings-table.png) - -### 1. Cortana - -Use either Group Policy or MDM policies to manage settings for Cortana. For more info, see [Cortana, Search, and privacy: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730683). - -### 1.1 Cortana Group Policies - -Find the Cortana Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Search**. - -| Policy | Description | -|------------------------------------------------------|---------------------------------------------------------------------------------------| -| Allow Cortana | Choose whether to let Cortana install and run on the device. 
| -| Allow search and Cortana to use location | Choose whether Cortana and Search can provide location-aware search results. | -| Do not allow web search | Choose whether to search the web from Windows Desktop Search.
Default: Disabled| -| Don't search the web or display web results in Search| Choose whether to search the web from Cortana. | -| Set what information is shared in Search | Control what information is shared with Bing in Search. | - -When you enable the **Don't search the web or display web results in Search** Group Policy, you can control the behavior of whether Cortana searches the web to display web results. However, this policy only covers whether or not web search is performed. There could still be a small amount of network traffic to Bing.com to evaluate if certain Cortana components are up-to-date or not. In order to turn off that network activity completely, you can create a Windows Firewall rule to prevent outbound traffic. - -1. Expand **Computer Configuration** > **Windows Settings** > **Security Settings** > **Windows Firewall with Advanced Security** > **Windows Firewall with Advanced Security - <LDAP name>**, and then click **Outbound Rules**. - -2. Right-click **Outbound Rules**, and then click **New Rule**. The **New Outbound Rule Wizard** starts. - -3. On the **Rule Type** page, click **Program**, and then click **Next**. - -4. On the **Program** page, click **This program path**, type **%windir%\\systemapps\\Microsoft.Windows.Cortana\_cw5n1h2txyewy\\SearchUI.exe**, and then click **Next**. - -5. On the **Action** page, click **Block the connection**, and then click **Next**. - -6. On the **Profile** page, ensure that the **Domain**, **Private**, and **Public** check boxes are selected, and then click **Next**. - -7. On the **Name** page, type a name for the rule, such as **Cortana firewall configuration**, and then click **Finish.** - -8. Right-click the new rule, click **Properties**, and then click **Protocols and Ports**. - -9. Configure the **Protocols and Ports** page with the following info, and then click **OK**. - - - For **Protocol type**, choose **TCP**. - - - For **Local port**, choose **All Ports**. 
- - - For **Remote port**, choose **All ports**. - -> **Note:** If your organization tests network traffic, you should not use Fiddler to test Windows Firewall settings. Fiddler is a network proxy and Windows Firewall does not block proxy traffic. You should use a network traffic analyzer, such as WireShark or Message Analyzer. - -### 1.2 Cortana MDM policies - -The following Cortana MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). - -| Policy | Description | -|------------------------------------------------------|-----------------------------------------------------------------------------------------------------| -| Experience/AllowCortana | Choose whether to let Cortana install and run on the device. | -| Search/AllowSearchToUseLocation | Choose whether Cortana and Search can provide location-aware search results.
Default: Allowed| - -### 1.3 Cortana Windows Provisioning - -To use Windows Imaging and Configuration Designer (ICD) to create a provisioning package with the settings for these policies, go to **Runtime settings** > **Policies** to find **Experience** > **AllowCortana** and **Search** > **AllowSearchToUseLocation**. - -### 2. Date & Time - -You can prevent Windows from setting the time automatically. - -- To turn off the feature in the UI: **Settings** > **Time & language** > **Date & time** > **Set time automatically** - - -or- - -- Create a REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters** with a value of **NoSync**. - -### 3. Device metadata retrieval - -To prevent Windows from retrieving device metadata from the Internet, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Device Installation** > **Prevent device metadata retrieval from the Internet**. - -### 4. Font streaming - -Starting with Windows 10, fonts that are included in Windows but that are not stored on the local device can be downloaded on demand. - -To turn off font streaming, create a REG\_DWORD registry setting called **DisableFontProviders** in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\FontCache\\Parameters**, with a value of 1. - -> **Note:** This may change in future versions of Windows. - -### 5. Insider Preview builds - -To turn off Insider Preview builds if you're running a released version of Windows 10. If you're running a preview version of Windows 10, you must roll back to a released version before you can turn off Insider Preview builds. - -- Turn off the feature in the UI: **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Stop Insider builds**. 
- - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Toggle user control over Insider builds**. - - -or- - -- Apply the System/AllowBuildPreview MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where: - - - **0**. Users cannot make their devices available for downloading and installing preview software. - - - **1**. Users can make their devices available for downloading and installing preview software. - - - **2**. (default) Not configured. Users can make their devices available for download and installing preview software. - - -or- - -- Create a provisioning package: **Runtime settings** > **Policies** > **System** > **AllowBuildPreview**, where: - - - **0**. Users cannot make their devices available for downloading and installing preview software. - - - **1**. Users can make their devices available for downloading and installing preview software. - - - **2**. (default) Not configured. Users can make their devices available for download and installing preview software. - -### 6. Internet Explorer - -Use Group Policy to manage settings for Internet Explorer. - -### 6.1 Internet Explorer Group Policies - -Find the Internet Explorer Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer**. - -| Policy | Description | -|------------------------------------------------------|-----------------------------------------------------------------------------------------------------| -| Turn on Suggested Sites| Choose whether an employee can configure Suggested Sites.
Default: Enabled
You can also turn this off in the UI by clearing the **Internet Options** > **Advanced** > **Enable Suggested Sites** check box.| -| Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | Choose whether an employee can configure enhanced suggestions, which are presented to the employee as they type in the address bar.
Default: Enabled| -| Turn off the auto-complete feature for web addresses | Choose whether auto-complete suggests possible matches when employees are typing web address in the address bar.
Default: Disabled
You can also turn this off in the UI by clearing the Internet Options > **Advanced** > **Use inline AutoComplete in the Internet Explorer Address Bar and Open Dialog** check box.| -| Disable Periodic Check for Internet Explorer software updates| Choose whether Internet Explorer periodically checks for a new version.
Default: Enabled | -| Turn off browser geolocation | Choose whether websites can request location data from Internet Explorer.
Default: Disabled| - -### 6.2 ActiveX control blocking - -ActiveX control blocking periodically downloads a new list of out-of-date ActiveX controls that should be blocked. You can turn this off by changing the REG\_DWORD registry setting **HKEY\_CURRENT\_USER\\Software\\Microsoft\\Internet Explorer\\VersionManager\\DownloadVersionList** to 0 (zero). - -For more info, see [Out-of-date ActiveX control blocking](http://technet.microsoft.com/library/dn761713.aspx). - -### 7. Live Tiles - -To turn off Live Tiles: - -- Apply the Group Policy: **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Notifications** > **Turn Off notifications network usage** - -### 8. Mail synchronization - -To turn off mail synchronization for Microsoft Accounts that are configured on a device: - -- In **Settings** > **Accounts** > **Your email and accounts**, remove any connected Microsoft Accounts. - - -or- - -- Remove any Microsoft Accounts from the Mail app. - - -or- - -- Apply the Accounts/AllowMicrosoftAccountConnection MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is not allowed and 1 is allowed. This does not apply to Microsoft Accounts that have already been configured on the device. - -To turn off the Windows Mail app: - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Mail** > **Turn off Windows Mail application** - -### 9. Microsoft Edge - -Use either Group Policy or MDM policies to manage settings for Microsoft Edge. For more info, see [Microsoft Edge and privacy: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730682). - -### 9.1 Microsoft Edge Group Policies - -Find the Microsoft Edge Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge**. - -> **Note:** The Microsoft Edge Group Policy names were changed in Windows 10, version 1511. 
The table below reflects those changes. - -| Policy | Description | -|------------------------------------------------------|-----------------------------------------------------------------------------------------------------| -| Turn off autofill | Choose whether employees can use autofill on websites.
Default: Enabled | -| Allow employees to send Do Not Track headers | Choose whether employees can send Do Not Track headers.
Default: Disabled | -| Turn off password manager | Choose whether employees can save passwords locally on their devices.
Default: Enabled | -| Turn off address bar search suggestions | Choose whether the address bar shows search suggestions.
Default: Enabled | -| Turn off the SmartScreen Filter | Choose whether SmartScreen is turned on or off.
Default: Enabled | -| Open a new tab with an empty tab | Choose whether a new tab page appears.
Default: Enabled | -| Configure corporate Home pages | Choose the corporate Home page for domain-joined devices.
Set this to **about:blank** | - -### 9.2 Microsoft Edge MDM policies - -The following Microsoft Edge MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). - -| Policy | Description | -|------------------------------------------------------|-----------------------------------------------------------------------------------------------------| -| Browser/AllowAutoFill | Choose whether employees can use autofill on websites.
Default: Allowed | -| Browser/AllowDoNotTrack | Choose whether employees can send Do Not Track headers.
Default: Not allowed | -| Browser/AllowPasswordManager | Choose whether employees can save passwords locally on their devices.
Default: Allowed | -| Browser/AllowSearchSuggestionsinAddressBar | Choose whether the address bar shows search suggestions..
Default: Allowed | -| Browser/AllowSmartScreen | Choose whether SmartScreen is turned on or off.
Default: Allowed | - -### 9.3 Microsoft Edge Windows Provisioning - -Use Windows ICD to create a provisioning package with the settings for these policies, go to **Runtime settings** > **Policies**. - -For a complete list of the Microsoft Edge policies, see [Available policies for Microsoft Edge](http://technet.microsoft.com/library/mt270204.aspx). - -### 10. Network Connection Status Indicator - -Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftncsi.com to determine if the device can communicate with the Internet. For more info about NCIS, see [The Network Connection Status Icon](http://blogs.technet.com/b/networking/archive/2012/12/20/the-network-connection-status-icon.aspx). - -You can turn off NCSI through Group Policy: - -- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Windows Network Connectivity Status Indicator active tests** - -> **Note** After you apply this policy, you must restart the device for the policy setting to take effect. - -### 11. Offline maps - -You can turn off the ability to download and update offline maps. - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off Automatic Download and Update of Map Data** - -### 12. OneDrive - -To turn off OneDrive in your organization: - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **OneDrive** > **Prevent the usage of OneDrive for file storage** - -### 13. Preinstalled apps - -Some preinstalled apps get content before they are opened to ensure a great experience. You can remove these using the steps in this section. 
- -To remove the News app: - -- Right-click the app in Start, and then click **Uninstall**. - - -or- - -- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingNews"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - - -and- - - Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingNews | Remove-AppxPackage** - -To remove the Weather app: - -- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingWeather"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - - -and- - - Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingWeather | Remove-AppxPackage** - -To remove the Money app: - -- Right-click the app in Start, and then click **Uninstall**. - - -or- - -- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingFinance"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - - -and- - - Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingFinance | Remove-AppxPackage** - -To remove the Sports app: - -- Right-click the app in Start, and then click **Uninstall**. - - -or- - -- Remove the app for new user accounts. 
From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingSports"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - - -and- - - Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingSports | Remove-AppxPackage** - -To remove the Twitter app: - -- Right-click the app in Start, and then click **Uninstall**. - - -or- - -- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "\*.Twitter"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - - -and- - - Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage \*.Twitter | Remove-AppxPackage** - -To remove the XBOX app: - -- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.XboxApp"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - - -and- - - Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.XboxApp | Remove-AppxPackage** - -To remove the Sway app: - -- Right-click the app in Start, and then click **Uninstall**. - - -or- - -- Remove the app for new user accounts. 
From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.Office.Sway"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - - -and- - - Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.Office.Sway | Remove-AppxPackage** - -To remove the OneNote app: - -- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.Office.OneNote"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - - -and- - - Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.Office.OneNote | Remove-AppxPackage** - -To remove the Get Office app: - -- Right-click the app in Start, and then click **Uninstall**. - - -or- - -- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.MicrosoftOfficeHub"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - - -and- - - Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.MicrosoftOfficeHub | Remove-AppxPackage** - -To remove the Get Skype app: - -- Right-click the Sports app in Start, and then click **Uninstall**. - - -or- - -- Remove the app for new user accounts. 
From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.SkypeApp"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - - -and- - - Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.SkypeApp | Remove-AppxPackage** - -### 14. Settings > Privacy - -Use Settings > Privacy to configure some settings that may be important to your organization. Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC. - -- [14.1 General](#bkmk-general) - -- [14.2 Location](#bkmk-priv-location) - -- [14.3 Camera](#bkmk-priv-camera) - -- [14.4 Microphone](#bkmk-priv-microphone) - -- [14.5 Speech, inking, & typing](#bkmk-priv-speech) - -- [14.6 Account info](#bkmk-priv-accounts) - -- [14.7 Contacts](#bkmk-priv-contacts) - -- [14.8 Calendar](#bkmk-priv-calendar) - -- [14.9 Call history](#bkmk-priv-callhistory) - -- [14.10 Email](#bkmk-priv-email) - -- [14.11 Messaging](#bkmk-priv-messaging) - -- [14.12 Radios](#bkmk-priv-radios) - -- [14.13 Other devices](#bkmk-priv-other-devices) - -- [14.14 Feedback & diagnostics](#bkmk-priv-feedback) - -- [14.15 Background apps](#bkmk-priv-background) - -### 14.1 General - -**General** includes options that don't fall into other areas. - -To turn off **Let apps use my advertising ID for experiences across apps (turning this off will reset your ID)**: - -> **Note:** When you turn this feature off in the UI, it turns off the advertising ID, not just resets it. - -- Turn off the feature in the UI. - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles** > **Turn off the advertising ID**. 
- - -or- - -- Create a REG\_DWORD registry setting called **Enabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AdvertisingInfo**, with a value of 0 (zero). - -To turn off **Turn on SmartScreen Filter to check web content (URLs) that Windows Store apps use**: - -- Turn off the feature in the UI. - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge** > **Turn off the SmartScreen Filter**. - - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **File Explorer** > **Configure Windows SmartScreen**. - - -or- - -- Apply the Browser/AllowSmartScreen MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is turned off and 1 is turned on. - - -or- - -- Create a provisioning package, using: - - - For Internet Explorer: **Runtime settings** > **Policies** > **Browser** > **AllowSmartScreen** - - - For Microsoft Edge: **Runtime settings** > **Policies** > **MicrosoftEdge** > **AllowSmartScreen** - - -or- - -- Create a REG\_DWORD registry setting called **Enabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppHost\\EnableWebContentEvaluation**, with a value of 0 (zero). - -To turn off **Send Microsoft info about how I write to help us improve typing and writing in the future**: - -> **Note: ** If the telemetry level is set to either **Basic** or **Security**, this is turned off automatically. - - - -- Turn off the feature in the UI. - - -or- - -- Apply the TextInput/AllowLinguisticDataCollection MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where: - - - **0**. Not allowed - - - **1**. Allowed (default) - -To turn off **Let websites provide locally relevant content by accessing my language list**: - -- Turn off the feature in the UI. 
- - -or- - -- Create a new REG\_DWORD registry setting called **HttpAcceptLanguageOptOut** in **HKEY\_CURRENT\_USER\\Control Panel\\International\\User Profile**, with a value of 1. - -### 14.2 Location - -In the **Location** area, you choose whether devices have access to location-specific sensors and which apps have access to the device's location. - -To turn off **Location for this device**: - -- Click the **Change** button in the UI. - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Location and Sensors** > **Turn off location**. - - -or- - -- Apply the System/AllowLocation MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: - - - **0**. Turned off and the employee can't turn it back on. - - - **1**. Turned on, but lets the employee choose whether to use it. (default) - - - **2**. Turned on and the employee can't turn it off. - - **Note** - You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](http://msdn.microsoft.com/library/dn905224.aspx). - - -or- - -- Create a provisioning package, using **Runtime settings** > **Policies** > **System** > **AllowLocation**, where - - - **No**. Turns off location service. - - - **Yes**. Turns on location service. (default) - -To turn off **Location**: - -- Turn off the feature in the UI. - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access location** - - - Set the **Select a setting** box to **Force Deny**. - - -or- - -To turn off **Location history**: - -- Erase the history using the **Clear** button in the UI. - -To turn off **Choose apps that can use your location**: - -- Turn off each app using the UI. - -### 14.3 Camera - -In the **Camera** area, you can choose which apps can access a device's camera. 
- -To turn off **Let apps use my camera**: - -- Turn off the feature in the UI. - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the camera** - - - Set the **Select a setting** box to **Force Deny**. - - -or- - -- Apply the Camera/AllowCamera MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: - - - **0**. Apps can't use the camera. - - - **1**. Apps can use the camera. - - **Note** - You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](http://msdn.microsoft.com/library/dn905224.aspx). - - -or- - -- Create a provisioning package with use Windows ICD, using **Runtime settings** > **Policies** > **Camera** > **AllowCamera**, where: - - - **0**. Apps can't use the camera. - - - **1**. Apps can use the camera. - -To turn off **Choose apps that can use your camera**: - -- Turn off the feature in the UI for each app. - -### 14.4 Microphone - -In the **Microphone** area, you can choose which apps can access a device's microphone. - -To turn off **Let apps use my microphone**: - -- Turn off the feature in the UI. - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the microphone** - - - Set the **Select a setting** box to **Force Deny**. - -To turn off **Choose apps that can use your microphone**: - -- Turn off the feature in the UI for each app. - -### 14.5 Speech, inking, & typing - -In the **Speech, Inking, & Typing** area, you can let Windows and Cortana better understand your employee's voice and written input by sampling their voice and writing, and by comparing verbal and written input to contact names and calendar entrees. 
- -> **Note:** For more info on how to disable Cortana in your enterprise, see [Cortana](#bkmk-cortana) in this article. - - - -To turn off the functionality: - -- Click the **Stop getting to know me** button, and then click **Turn off**. - - -or- - -- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Regional and Language Options** > **Handwriting personalization** > **Turn off automatic learning** - - -or- - -- Create a REG\_DWORD registry setting called **AcceptedPrivacyPolicy** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Personalization\\Settings**, with a value of 0 (zero). - - -and- - - Create a REG\_DWORD registry setting called **HarvestContacts** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\InputPersonalization\\TrainedDataStore**, with a value of 0 (zero). - -### 14.6 Account info - -In the **Account Info** area, you can choose which apps can access your name, picture, and other account info. - -To turn off **Let apps access my name, picture, and other account info**: - -- Turn off the feature in the UI. - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access account information** - - - Set the **Select a setting** box to **Force Deny**. - -To turn off **Choose the apps that can access your account info**: - -- Turn off the feature in the UI for each app. - -### 14.7 Contacts - -In the **Contacts** area, you can choose which apps can access an employee's contacts list. - -To turn off **Choose apps that can access contacts**: - -- Turn off the feature in the UI for each app. - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access contacts** - - - Set the **Select a setting** box to **Force Deny**. 
- -### 14.8 Calendar - -In the **Calendar** area, you can choose which apps have access to an employee's calendar. - -To turn off **Let apps access my calendar**: - -- Turn off the feature in the UI. - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the calendar** - - - Set the **Select a setting** box to **Force Deny**. - -To turn off **Choose apps that can access calendar**: - -- Turn off the feature in the UI for each app. - -### 14.9 Call history - -In the **Call history** area, you can choose which apps have access to an employee's call history. - -To turn off **Let apps access my call history**: - -- Turn off the feature in the UI. - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access call history** - - - Set the **Select a setting** box to **Force Deny**. - -### 14.10 Email - -In the **Email** area, you can choose which apps have can access and send email. - -To turn off **Let apps access and send email**: - -- Turn off the feature in the UI. - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access email** - - - Set the **Select a setting** box to **Force Deny**. - -### 14.11 Messaging - -In the **Messaging** area, you can choose which apps can read or send messages. - -To turn off **Let apps read or send messages (text or MMS)**: - -- Turn off the feature in the UI. - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access messaging** - - - Set the **Select a setting** box to **Force Deny**. - -To turn off **Choose apps that can read or send messages**: - -- Turn off the feature in the UI for each app. 
- -### 14.12 Radios - -In the **Radios** area, you can choose which apps can turn a device's radio on or off. - -To turn off **Let apps control radios**: - -- Turn off the feature in the UI. - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps control radios** - - - Set the **Select a setting** box to **Force Deny**. - -To turn off **Choose apps that can control radios**: - -- Turn off the feature in the UI for each app. - -### 14.13 Other devices - -In the **Other Devices** area, you can choose whether devices that aren't paired to PCs, such as an Xbox One, can share and sync info. - -To turn off **Let apps automatically share and sync info with wireless devices that don't explicitly pair with your PC, tablet, or phone**: - -- Turn off the feature in the UI. - -To turn off **Let your apps use your trusted devices (hardware you've already connected, or comes with your PC, tablet, or phone)**: - -- Turn off the feature in the UI. - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access trusted devices** - - - Set the **Select a setting** box to **Force Deny**. - -### 14.14 Feedback & diagnostics - -In the **Feedback & Diagnostics** area, you can choose how often you're asked for feedback and how much diagnostic and usage information is sent to Microsoft. - -To change how frequently **Windows should ask for my feedback**: - -**Note** -Feedback frequency only applies to user-generated feedback, not diagnostic and usage data sent from the device. - - - -- To change from **Automatically (Recommended)**, use the drop-down list in the UI. 
- - -or- - -- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Do not show feedback notifications** - - -or- - -- Create the registry keys (REG\_DWORD type): - - - HKEY\_CURRENT\_USER\\Software\\Microsoft\\Siuf\\Rules\\PeriodInNanoSeconds - - - HKEY\_CURRENT\_USER\\Software\\Microsoft\\Siuf\\Rules\\NumberOfSIUFInPeriod - - Based on these settings: - - | Setting | PeriodInNanoSeconds | NumberOfSIUFInPeriod | - |---------------|-----------------------------|-----------------------------| - | Automatically | Delete the registry setting | Delete the registry setting | - | Never | 0 | 0 | - | Always | 100000000 | Delete the registry setting | - | Once a day | 864000000000 | 1 | - | Once a week | 6048000000000 | 1 | - - - -To change the level of diagnostic and usage data sent when you **Send your device data to Microsoft**: - -- To change from **Enhanced**, use the drop-down list in the UI. The other levels are **Basic** and **Full**. - - > **Note:** You can't use the UI to change the telemetry level to **Security**. - - - - -or- - -- Apply the Group Policy: **Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection And Preview Builds\\Allow Telemetry** - - -or- - -- Apply the System/AllowTelemetry MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: - - - **0**. Maps to the **Security** level. - - - **1**. Maps to the **Basic** level. - - - **2**. Maps to the **Enhanced** level. - - - **3**. Maps to the **Full** level. - - -or- - -- Create a provisioning package, using **Runtime settings** > **Policies** > **System** > **AllowTelemetry**, where: - - - **0**. Maps to the **Security** level. - - - **1**. Maps to the **Basic** level. - - - **2**. Maps to the **Enhanced** level. - - - **3**. Maps to the **Full** level. 
- -### 14.15 Background apps - -In the **Background Apps** area, you can choose which apps can run in the background. - -To turn off **Let apps run in the background**: - -- Turn off the feature in the UI for each app. - -### 15. Software Protection Platform - -Enterprise customers can manage their Windows activation status with volume licensing using an on-premise Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by applying the following Group Policy: - -**Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Activation** - -The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS. - -### 16. Sync your settings - -You can control if your settings are synchronized: - -- In the UI: **Settings** > **Accounts** > **Sync your settings** - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Sync your settings** > **Do not sync** - - -or- - -- Apply the Experience/AllowSyncMySettings MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is not allowed and 1 is allowed. - - -or- - -- Create a provisioning package, using **Runtime settings** > **Policies** > **Experience** > **AllowSyncMySettings**, where - - - **No**. Settings are not synchronized. - - - **Yes**. Settings are synchronized. (default) - -To turn off Messaging cloud sync: - -- Create a REG\_DWORD registry setting called **CloudServiceSyncEnabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Messaging**, with a value of 0 (zero). - -### 17. Teredo - -You can disable Teredo by using the netsh.exe command. For more info on Teredo, see [Internet Protocol Version 6, Teredo, and Related Technologies](http://technet.microsoft.com/library/cc722030.aspx). 
- -- From an elevated command prompt, run **netsh interface teredo set state disabled** - -### 18. Wi-Fi Sense - -Wi-Fi Sense automatically connects devices to known hotspots and to the wireless networks the person’s contacts have shared with them. - -To turn off **Connect to suggested open hotspots** and **Connect to networks shared by my contacts**: - -- Turn off the feature in the UI. - - -or- - -- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **WLAN Service** > **WLAN Settings** > **Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services**. - - -or- - -- Create a new REG\_DWORD registry setting called **AutoConnectAllowedOEM** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\WcmSvc\\wifinetworkmanager\\config**, with a value of 0 (zero). - - -or- - -- Change the Windows Provisioning setting, WiFISenseAllowed, to 0 (zero). For more info, see the Windows Provisioning Settings reference doc, [WiFiSenseAllowed](http://go.microsoft.com/fwlink/p/?LinkId=620909). - - -or- - -- Use the Unattended settings to set the value of WiFiSenseAllowed to 0 (zero). For more info, see the Unattended Windows Setup reference doc, [WiFiSenseAllowed](http://go.microsoft.com/fwlink/p/?LinkId=620910). - -When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but they’re non-functional and they can’t be controlled by the employee. - -### 19. Windows Defender - -You can opt out of the Microsoft Antimalware Protection Service. - -- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **MAPS** > **Join Microsoft MAPS** - - -or- - -- Apply the Defender/AllowClouldProtection MDM policy from the [Defender CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). 
- - -or- - -- Use the registry to set the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SpyNetReporting** to 0 (zero). - - -and- - - From an elevated Windows PowerShell prompt, run **set-mppreference -Mapsreporting 0** - -You can stop sending file samples back to Microsoft. - -- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **MAPS** > **Send file samples when further analysis is required** to **Always Prompt** or **Never Send**. - - -or- - -- Apply the Defender/SubmitSamplesConsent MDM policy from the [Defender CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: - - - **0**. Always prompt. - - - **1**. (default) Send safe samples automatically. - - - **2**. Never send. - - - **3**. Send all samples automatically. - - -or- - -- Use the registry to set the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SubmitSamplesConsent** to 0 (zero) to always prompt or 2 to never send. - -You can stop downloading definition updates: - -- Enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **Signature Updates** > **Define the order of sources for downloading definition updates** and set it to **FileShares**. - - -and- - -- Enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **Signature Updates** > **Define file shares for downloading definition updates** and set it to nothing. - -You can also use the registry to turn off Malicious Software Reporting Tool telemetry by setting the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\MRT\\DontReportInfectionInformation** to 1. - -### 20. 
Windows Media Player - -To remove Windows Media Player: - -- From the **Programs and Features** control panel, click **Turn Windows features on or off**, under **Media Features**, clear the **Windows Media Player** check box, and then click **OK**. - - -or- - -- Run the following DISM command from an elevated command prompt: **dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer** - -### 21. Windows spotlight - -Windows spotlight provides different background images and text on the lock screen. You can control it by using the user interface or through Group Policy. - -- Configure the following in **Settings**: - - - **Personalization** > **Lock screen** > **Background** > **Windows spotlight**, select a different background, and turn off **Show me tips, tricks, and more on the lock screen**. - - - **Personalization** > **Start** > **Occasionally show suggestions in Start**. - - - **System** > **Notifications & actions** > **Show me tips about Windows**. - - -or- - -- Apply the Group Policies: - - - **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image**. - - Add a location in the **Path to local lock screen image** box. - - - Set the **Turn off fun facts, tips, tricks, and more on lock screen** check box. - - **Note** This will only take effect if the policy is applied before the first logon. If you cannot apply the **Force a specific default lock screen image** policy before the first logon to the device, you can apply this policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Do not display the lock screen**. - - - - - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not show Windows Tips**. - - - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off Microsoft consumer experiences**. 
- -For more info, see [Windows spotlight on the lock screen](../whats-new/windows-spotlight.md). - -### 22. Windows Store - -You can turn off the ability to launch apps from the Windows Store that were preinstalled or downloaded. This will also turn off automatic app updates, and the Windows Store will be disabled. - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Disable all apps from Windows Store**. - -### 23. Windows Update Delivery Optimization - -Windows Update Delivery Optimization lets you get Windows updates and Windows Store apps from sources in addition to Microsoft, which not only helps when you have a limited or unreliable Internet connection, but can also help you reduce the amount of bandwidth needed to keep all of your organization's PCs up-to-date. If you have Delivery Optimization turned on, PCs on your network may send and receive updates and apps to other PCs on your local network, if you choose, or to PCs on the Internet. - -By default, PCs running Windows 10 Enterprise and Windows 10 Education will only use Delivery Optimization to get and receive updates for PCs and apps on your local network. - -Use the UI, Group Policy, MDM policies, or Windows Provisioning to set up Delivery Optimization. - -### 23.1 Settings > Update & security - -You can set up Delivery Optimization from the **Settings** UI. - -- Go to **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Choose how updates are delivered**. - -### 23.2 Delivery Optimization Group Policies - -You can find the Delivery Optimization Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Delivery Optimization**. 
- -| Policy | Description | -|---------------------------|-----------------------------------------------------------------------------------------------------| -| Download Mode | Lets you choose where Delivery Optimization gets or sends updates and apps, including

  • None. Turns off Delivery Optimization.

  • Group. Gets or sends updates and apps to PCs on the same local network domain.

  • Internet. Gets or sends updates and apps to PCs on the Internet.

  • LAN. Gets or sends updates and apps to PCs on the same NAT only.

| -| Group ID | Lets you provide a Group ID that limits which PCs can share apps and updates.
** Note** This ID must be a GUID.| -| Max Cache Age | Lets you specify the maximum time (in seconds) that a file is held in the Delivery Optimization cache.
The default value is 259200 seconds (3 days).| -| Max Cache Size | Lets you specify the maximum cache size as a percentage of disk size.
The default value is 20, which represents 20% of the disk.| -| Max Upload Bandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.
The default value is 0, which means unlimited possible bandwidth.| - -### 23.3 Delivery Optimization MDM policies - -The following Delivery Optimization MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). - -| Policy | Description | -|---------------------------|-----------------------------------------------------------------------------------------------------| -| DeliveryOptimization/DODownloadMode | Lets you choose where Delivery Optimization gets or sends updates and apps, including
  • 0. Turns off Delivery Optimization.

  • 1. Gets or sends updates and apps to PCs on the same NAT only.

  • 2. Gets or sends updates and apps to PCs on the same local network domain.

  • 3. Gets or sends updates and apps to PCs on the Internet.

| -| DeliveryOptimization/DOGroupID | Lets you provide a Group ID that limits which PCs can share apps and updates.
** Note** This ID must be a GUID.| -| DeliveryOptimization/DOMaxCacheAge | Lets you specify the maximum time (in seconds) that a file is held in the Delivery Optimization cache.
The default value is 259200 seconds (3 days).| -| DeliveryOptimization/DOMaxCacheSize | Lets you specify the maximum cache size as a percentage of disk size.
The default value is 20, which represents 20% of the disk.| -| DeliveryOptimization/DOMaxUploadBandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.
The default value is 0, which means unlimited possible bandwidth.| - - -### 23.4 Delivery Optimization Windows Provisioning - -If you don't have an MDM server in your enterprise, you can use Windows Provisioning to configure the Delivery Optimization policies - -Use Windows ICD, included with the [Windows Assessment and Deployment Kit (Windows ADK)](http://go.microsoft.com/fwlink/p/?LinkId=526803), to create a provisioning package for Delivery Optimization. - -1. Open Windows ICD, and then click **New provisioning package**. - -2. In the **Name** box, type a name for the provisioning package, and then click **Next.** - -3. Click the **Common to all Windows editions** option, click **Next**, and then click **Finish**. - -4. Go to **Runtime settings** > **Policies** > **DeliveryOptimization** to configure the policies. - -For more info about Delivery Optimization in general, see [Windows Update Delivery Optimization: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730684). - -### 24. Windows Update - -You can turn off Windows Update by setting the following registry entries: - -- Add a REG\_DWORD value called **DoNotConnectToWindowsUpdateInternetLocations** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1. - - -and- - -- Add a REG\_DWORD value called **DisableWindowsUpdateAccess** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1. - -You can turn off automatic updates by doing one of the following. This is not recommended. - -- Add a REG\_DWORD value called **AutoDownload** to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\WindowsStore\\WindowsUpdate** and set the value to 5. - - -or- - -- Apply the Update/AllowAutoUpdate MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: - - - **0**. Notify the user before downloading the update. - - - **1**. 
Auto install the update and then notify the user to schedule a device restart. - - - **2** (default). Auto install and restart. - - - **3**. Auto install and restart at a specified time. - - - **4**. Auto install and restart without end-user control. - - - **5**. Turn off automatic updates. - -To learn more, see [Device update management](http://msdn.microsoft.com/library/windows/hardware/dn957432.aspx) and [Configure Automatic Updates by using Group Policy](http://technet.microsoft.com/library/cc720539.aspx). From cc105203f735ee3e27fef176bcf0fb3d37958a26 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Mon, 29 Aug 2016 12:08:46 -0700 Subject: [PATCH 09/20] tech review feedback --- ...system-components-to-microsoft-services.md | 53 +++++++++++-------- 1 file changed, 31 insertions(+), 22 deletions(-) diff --git a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 96fe6801ae..83d65e2ace 100644 --- a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -42,7 +42,7 @@ Here's a list of changes that were made to this article for Windows 10, version - Turn off unsolicited network traffic on the Offline Maps settings page - Turn off all Windows spotlight features -## Settings by edition +## Settings The following sections list the components that make network connections to Microsoft services by default. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all of these connections. 
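Review bot: Renaming `## Settings by edition` to `## Settings` in the @@ -42,7 +42,7 @@ hunk leaves the file with two level-2 headings of the same name, because a `## Settings` heading already sits ahead of section 1 (it appears as unchanged context in the later "tech review feedback" patch of this series). Duplicate headings give an ambiguous anchor and a confusing outline. Keep the first heading distinct, for example by leaving it as `## Settings by edition`, or rename the second one.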
@@ -98,9 +98,9 @@ See the following table for a summary of the management settings for Windows 10 | [25. Windows Update Delivery Optimization](#bkmk-updates) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | [26. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | -### Settings for Windows Server 2016, with the desktop experience (Datacenter and Standard editions) +### Settings for Windows Server 2016 with Desktop Experience -See the following table for a summary of the management settings for Windows Server 2016, with the desktop experience (Datacenter and Standard editions). +See the following table for a summary of the management settings for Windows Server 2016 with Desktop Experience. | Setting | UI | Group Policy | MDM policy | Registry | Command line | | - | :-: | :-: | :-: | :-: | :-: | @@ -124,9 +124,9 @@ See the following table for a summary of the management settings for Windows Ser | [24. Windows Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | | | | | [26. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | -### Settings for Windows Server 2016, Server Core installation +### Settings for Windows Server 2016 Server Core -See the following table for a summary of the management settings for Windows Server 2016, Server Core installation. +See the following table for a summary of the management settings for Windows Server 2016 Server Core. | Setting | UI | Group Policy | MDM policy | Registry | Command line | | - | :-: | :-: | :-: | :-: | :-: | 
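Review bot: The Server Core table header kept as context in the @@ -124,9 +124,9 @@ hunk still has `UI` and `MDM policy` columns, and the Windows Defender and Windows Update rows under it keep their MDM check marks, while the body edits in this same patch mark the Defender and Update/AllowAutoUpdate MDM policies as "For Windows 10 only". Drop the MDM column from the Windows Server 2016 tables, or clear those check marks, so the summary and the body agree.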
@@ -139,9 +139,9 @@ See the following table for a summary of the management settings for Windows Ser | [21. Windows Defender](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [26. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | -### Settings for Windows Server 2016, Nano Server installation +### Settings for Windows Server 2016 Nano Server -See the following table for a summary of the management settings for Windows Server 2016, Server Core installation. +See the following table for a summary of the management settings for Windows Server 2016 Nano Server. | Setting | UI | Group Policy | MDM policy | Registry | Command line | | - | :-: | :-: | :-: | :-: | :-: | @@ -160,6 +160,8 @@ A certificate trust list is a predefined list of items, such as a list of certif To turn off the automatic download of an updated certificate trust list, you can turn off automatic root updates, which also includes the disallowed certificate list and the pin rules list. +For Windows 10, Windows Server 2016 with Desktop Experience, and Windows Server 2016 Server Core: + - Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Automatic Root Certificates Update** -or- 
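Review bot: Server Core ends up covered twice. The lead-in added in the @@ -160,6 +160,8 @@ hunk already names "Windows Server 2016 Server Core", and the next hunk adds a separate "On Windows Server 2016 Server Core:" block whose only step is the **DisableRootAutoUpdate** registry value. Nano Server, which has its own summary table, is named in neither place. Remove Server Core from one of the two lead-ins and state which steps apply to Nano Server.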
@@ -173,6 +175,9 @@ To turn off the automatic download of an updated certificate trust list, you can 3. On the **Network Retrieval** tab, select the **Define these policy settings** check box. 4. Clear the **Automatically update certificates in the Microsoft Root Certificate Program (recommended)** check box, and then click **OK**. +On Windows Server 2016 Server Core: + +- Create a REG\_DWORD registry setting called **DisableRootAutoUpdate** in **HKEY\_LOCAL\_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot**, with a value of 1. ### 2. Cortana @@ -184,11 +189,11 @@ Find the Cortana Group Policy objects under **Computer Configuration** > **Ad | Policy | Description | |------------------------------------------------------|---------------------------------------------------------------------------------------| -| Allow Cortana | Choose whether to let Cortana install and run on the device. | -| Allow search and Cortana to use location | Choose whether Cortana and Search can provide location-aware search results. | -| Do not allow web search | Choose whether to search the web from Windows Desktop Search.
Default: Disabled| -| Don't search the web or display web results in Search| Choose whether to search the web from Cortana. | -| Set what information is shared in Search | Control what information is shared with Bing in Search. | +| Allow Cortana | Choose whether to let Cortana install and run on the device.

Disable this policy to turn off Cortana. | +| Allow search and Cortana to use location | Choose whether Cortana and Search can provide location-aware search results.

Disable this policy to block access to location information for Cortana. | +| Do not allow web search | Choose whether to search the web from Windows Desktop Search.

Enable this policy to remove the option to search the Internet from Cortana. | +| Don't search the web or display web results in Search| Choose whether to search the web from Cortana.

Enable this policy to stop web queries and results from showing in Search. | +| Set what information is shared in Search | Control what information is shared with Bing in Search.

If you enable this policy and set it to **Anonymous info**, usage information will be shared but not search history, Microsoft Account information, or specific location. | In Windows 10, version 1507 and Windows 10, version 1511, when you enable the **Don't search the web or display web results in Search** Group Policy, you can control the behavior of whether Cortana searches the web to display web results. However, this policy only covers whether or not web search is performed. There could still be a small amount of network traffic to Bing.com to evaluate if certain Cortana components are up-to-date or not. In order to turn off that network activity completely, you can create a Windows Firewall rule to prevent outbound traffic. @@ -225,15 +230,13 @@ If your organization tests network traffic, you should not use Fiddler to test W The following Cortana MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). +> [!NOTE] This does not apply to Windows Server 2016. + | Policy | Description | |------------------------------------------------------|-----------------------------------------------------------------------------------------------------| | Experience/AllowCortana | Choose whether to let Cortana install and run on the device. | | Search/AllowSearchToUseLocation | Choose whether Cortana and Search can provide location-aware search results.
Default: Allowed| -### 2.3 Cortana Windows Provisioning - -To use Windows Imaging and Configuration Designer (ICD) to create a provisioning package with the settings for these policies, go to **Runtime settings** > **Policies** to find **Experience** > **AllowCortana** and **Search** > **AllowSearchToUseLocation**. - ### 3. Date & Time You can prevent Windows from setting the time automatically. @@ -257,11 +260,11 @@ To turn off font streaming, create a REG\_DWORD registry setting called **Disabl ### 6. Insider Preview builds -To turn off Insider Preview builds for a released version of Windows 10: +To turn off Insider Preview builds for a released version of Windows 10 or Windows Server 2016 with Desktop Experience: - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Toggle user control over Insider builds**. -To turn off Insider Preview builds: +To turn off Insider Preview builds for Windows 10: > [!NOTE] > If you're running a preview version of Windows 10 or Windows Server 2016, you must roll back to a released version before you can turn off Insider Preview builds. 
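Review bot: In the Cortana policy table (@@ -184,11 +189,11 @@), the "Do not allow web search" row now contradicts itself: the description says the policy controls web search "from Windows Desktop Search", while the added guidance says enabling it removes the option to search the Internet "from Cortana". The same row also loses "Default: Disabled" with nothing in its place. Align the guidance with the description in that row and the next one, and keep the default value in the cell.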
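Review bot: The second lead-in in the @@ -257,11 +260,11 @@ hunk, "To turn off Insider Preview builds for Windows 10:", no longer says how it differs from the first one ("for a released version of Windows 10 or Windows Server 2016 with Desktop Experience"), and the NOTE directly under it still mentions Windows Server 2016 although the lead-in is now scoped to Windows 10. State what separates the two procedures and make the scope of the NOTE match the lead-in above it.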
@@ -1032,12 +1035,18 @@ To turn off **Let apps run in the background**: Enterprise customers can manage their Windows activation status with volume licensing using an on-premise Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by doing one of the following: +For Windows 10: + - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Activation** -or- - Apply the Licensing/DisallowKMSClientOnlineAVSValidation MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is disabled (default) and 1 is enabled. +For Windows Server 2016 with Desktop Experience or Windows Server 2016 Server Core: + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Activation** + The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS. ### 18. Sync your settings @@ -1106,7 +1115,7 @@ You can disconnect from the Microsoft Antimalware Protection Service. -or- -- Apply the Defender/AllowClouldProtection MDM policy from the [Defender CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). +- For Windows 10 only, apply the Defender/AllowClouldProtection MDM policy from the [Defender CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). -or- 
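Review bot: In the @@ -1032,12 +1035,18 @@ hunk, "For Windows 10:" is inserted directly after a sentence that ends "by doing one of the following:", so two lead-ins run together, and the Windows Server 2016 block repeats the identical Group Policy path. A single list with the MDM bullet prefixed "For Windows 10 only," (the wording used in the Defender hunks of this patch) carries the same information with less repetition.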
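Review bot: The line rewritten in the @@ -1106,7 +1115,7 @@ hunk still carries the policy name "Defender/AllowClouldProtection", which looks like a misspelling of AllowCloudProtection; since the line is being touched, check the name against the CSP reference. The link text "[Defender CSP]" also points to the same dn904962.aspx URL that other lines in this file label "[Policy CSP]", so either the label or the target needs correcting.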
@@ -1122,7 +1131,7 @@ You can stop sending file samples back to Microsoft. -or- -- Apply the Defender/SubmitSamplesConsent MDM policy from the [Defender CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: +- For Windows 10 only, apply the Defender/SubmitSamplesConsent MDM policy from the [Defender CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: - **0**. Always prompt. @@ -1144,7 +1153,7 @@ You can stop downloading definition updates: - Disable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **Signature Updates** > **Define file shares for downloading definition updates** and set it to nothing. -You can stop Enhanced Notifications: +For Windows 10 only, you can stop Enhanced Notifications: - Turn off the feature in the UI. @@ -1289,7 +1298,7 @@ You can turn off automatic updates by doing one of the following. This is not re -or- -- Apply the Update/AllowAutoUpdate MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: +- For Windows 10 only, apply the Update/AllowAutoUpdate MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: - **0**. Notify the user before downloading the update. From f4ea472b7e3f10ead0390ef32669a15b13b36ef2 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Mon, 29 Aug 2016 12:11:42 -0700 Subject: [PATCH 10/20] added GP for continue experiences setting --- ...ndows-operating-system-components-to-microsoft-services.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 83d65e2ace..9faeace866 100644 --- a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
+++ b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -658,6 +658,10 @@ To turn off **Let apps on my other devices open apps and continue experiences on - Turn off the feature in the UI. + -or- + +- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Group Policy** > **Continue experiences on this device**. + To turn off **Let apps on my other devices use Bluetooth to open apps and continue experiences on this device**: - Turn off the feature in the UI. From ceb2663f8ca7dd06f2166af7edea4c32796d0f36 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Mon, 29 Aug 2016 12:27:44 -0700 Subject: [PATCH 11/20] fixed build warning --- ...-operating-system-components-to-microsoft-services.md | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 9faeace866..8bf2663621 100644 --- a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -230,7 +230,8 @@ If your organization tests network traffic, you should not use Fiddler to test W The following Cortana MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). -> [!NOTE] This does not apply to Windows Server 2016. +> [!NOTE] +> This does not apply to Windows Server 2016. | Policy | Description | |------------------------------------------------------|-----------------------------------------------------------------------------------------------------| 
@@ -297,11 +298,7 @@ To turn off Insider Preview builds for Windows 10: ### 7. Internet Explorer -Use Group Policy to manage settings for Internet Explorer. - -### 7.1 Internet Explorer Group Policies - -Find the Internet Explorer Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer**. +Use Group Policy to manage settings for Internet Explorer. You can find the Internet Explorer Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer**. | Policy | Description | |------------------------------------------------------|-----------------------------------------------------------------------------------------------------| From 06d5b37edcb473412709c127e4e7b6f426515f7a Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Tue, 30 Aug 2016 10:47:24 -0700 Subject: [PATCH 12/20] tech review feedback --- ...system-components-to-microsoft-services.md | 98 +++++++++---------- 1 file changed, 47 insertions(+), 51 deletions(-) diff --git a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 8bf2663621..bc6edfa186 100644 --- a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
@@ -56,7 +56,7 @@ See the following table for a summary of the management settings for Windows 10 | Setting | UI | Group Policy | MDM policy | Registry | Command line | | - | :-: | :-: | :-: | :-: | :-: | | [1. Certificate trust lists](#certificate-trust-lists) | | ![Check mark](images/checkmark.png) | | | | -| [2. Cortana and search](#bkmk-cortana) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | +| [2. Cortana and Search](#bkmk-cortana) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | | | ![Check mark](images/checkmark.png) | | | [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | | | | | [5. Font streaming](#font-streaming) | | | | ![Check mark](images/checkmark.png) | | 
@@ -102,53 +102,53 @@ See the following table for a summary of the management settings for Windows 10 See the following table for a summary of the management settings for Windows Server 2016 with Desktop Experience. -| Setting | UI | Group Policy | MDM policy | Registry | Command line | -| - | :-: | :-: | :-: | :-: | :-: | -| [1. Certificate trust lists](#certificate-trust-lists) | | ![Check mark](images/checkmark.png) | | | | -| [2. Cortana and search](#bkmk-cortana) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | -| [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | | | ![Check mark](images/checkmark.png) | | -| [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | | | | -| [5. Font streaming](#font-streaming) | | | | ![Check mark](images/checkmark.png) | | -| [6. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | -| [7. Internet Explorer](#bkmk-ie) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | -| [8. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | | | | -| [10. Microsoft Account](#bkmk-microsoft-account) | | | | ![Check mark](images/checkmark.png) | | -| [12. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | | | | -| [14. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -| [16. Settings > Privacy](#bkmk-settingssection) | | | | | | -|     [16.1 General](#bkmk-priv-general) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [17. 
Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | -| [19. Teredo](#bkmk-teredo) | | | | | ![Check mark](images/checkmark.png) | -| [21. Windows Defender](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [22. Windows Media Player](#bkmk-wmp) | ![Check mark](images/checkmark.png) | | | | ![Check mark](images/checkmark.png) | -| [24. Windows Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | | | | -| [26. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | +| Setting | UI | Group Policy | Registry | Command line | +| - | :-: | :-: | :-: | :-: | +| [1. Certificate trust lists](#certificate-trust-lists) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [2. Cortana and Search](#bkmk-cortana) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | +| [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | | | +| [5. Font streaming](#font-streaming) | | | ![Check mark](images/checkmark.png) | | +| [6. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | +| [7. Internet Explorer](#bkmk-ie) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | +| [8. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | | | +| [10. Microsoft Account](#bkmk-microsoft-account) | | | ![Check mark](images/checkmark.png) | | +| [12. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | | | +| [14. 
OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | | | +| [16. Settings > Privacy](#bkmk-settingssection) | | | | | +|     [16.1 General](#bkmk-priv-general) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [17. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | | | +| [19. Teredo](#bkmk-teredo) | | | | ![Check mark](images/checkmark.png) | +| [21. Windows Defender](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [22. Windows Media Player](#bkmk-wmp) | | | | ![Check mark](images/checkmark.png) | +| [24. Windows Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | | | +| [26. Windows Update](#bkmk-wu) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ### Settings for Windows Server 2016 Server Core See the following table for a summary of the management settings for Windows Server 2016 Server Core. -| Setting | UI | Group Policy | MDM policy | Registry | Command line | +| Setting | Group Policy | Registry | Command line | | - | :-: | :-: | :-: | :-: | :-: | -| [1. Certificate trust lists](#certificate-trust-lists) | | ![Check mark](images/checkmark.png) | | | | -| [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | | | ![Check mark](images/checkmark.png) | | -| [5. Font streaming](#font-streaming) | | | | ![Check mark](images/checkmark.png) | | -| [12. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | | | | -| [17. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | -| [19. Teredo](#bkmk-teredo) | | | | | ![Check mark](images/checkmark.png) | -| [21. Windows Defender](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [26. 
Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | +| [1. Certificate trust lists](#certificate-trust-lists) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [3. Date & Time](#bkmk-datetime) | | ![Check mark](images/checkmark.png) | | +| [5. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | | +| [12. Network Connection Status Indicator](#bkmk-ncsi) | ![Check mark](images/checkmark.png) | | | +| [17. Software Protection Platform](#bkmk-spp) | ![Check mark](images/checkmark.png) | | | +| [19. Teredo](#bkmk-teredo) | | | ![Check mark](images/checkmark.png) | +| [21. Windows Defender](#bkmk-defender) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [26. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ### Settings for Windows Server 2016 Nano Server See the following table for a summary of the management settings for Windows Server 2016 Nano Server. -| Setting | UI | Group Policy | MDM policy | Registry | Command line | +| Setting | Registry | Command line | | - | :-: | :-: | :-: | :-: | :-: | -| [1. Certificate trust lists](#certificate-trust-lists) | | ![Check mark](images/checkmark.png) | | | | -| [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | | | ![Check mark](images/checkmark.png) | | -| [19. Teredo](#bkmk-teredo) | | | | | ![Check mark](images/checkmark.png) | -| [26. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | +| [1. Certificate trust lists](#certificate-trust-lists) | ![Check mark](images/checkmark.png) | | +| [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | | +| [19. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | +| [26. 
Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | | ## Settings @@ -166,7 +166,7 @@ For Windows 10, Windows Server 2016 with Desktop Experience, and Windows Server -or- -- Create a REG\_DWORD registry setting called **DisableRootAutoUpdate** in **HKEY\_LOCAL\_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot**, with a value of 1. +- Create the registry path **HKEY\_LOCAL\_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot** and then add a REG\_DWORD registry setting, called **DisableRootAutoUpdate**, with a value of 1. -or- @@ -175,15 +175,15 @@ For Windows 10, Windows Server 2016 with Desktop Experience, and Windows Server 3. On the **Network Retrieval** tab, select the **Define these policy settings** check box. 4. Clear the **Automatically update certificates in the Microsoft Root Certificate Program (recommended)** check box, and then click **OK**. -On Windows Server 2016 Server Core: +On Windows Server 2016 Nano Server: -- Create a REG\_DWORD registry setting called **DisableRootAutoUpdate** in **HKEY\_LOCAL\_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot**, with a value of 1. +- Create the registry path **HKEY\_LOCAL\_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot** and then add a REG\_DWORD registry setting, called **DisableRootAutoUpdate**, with a value of 1. -### 2. Cortana +### 2. Cortana and Search Use either Group Policy or MDM policies to manage settings for Cortana. For more info, see [Cortana, Search, and privacy: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730683). -### 2.1 Cortana Group Policies +### 2.1 Cortana and Search Group Policies Find the Cortana Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Search**. 
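Review bot: The Server Core and Nano Server tables in the @@ -102,53 +102,53 @@ hunk get new header rows with four and three columns (`| Setting | Group Policy | Registry | Command line |` and `| Setting | Registry | Command line |`), but the delimiter row under each stays as unchanged context with six cells (`| - | :-: | :-: | :-: | :-: | :-: |`). GFM only recognizes a table when the delimiter row has the same number of cells as the header row, so both tables will render as plain text. Replace the delimiter rows too, as was done for the Desktop Experience table, where the new five-cell delimiter matches the new five-column header.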
@@ -226,12 +226,9 @@ In Windows 10, version 1507 and Windows 10, version 1511, when you enable the ** If your organization tests network traffic, you should not use Fiddler to test Windows Firewall settings. Fiddler is a network proxy and Windows Firewall does not block proxy traffic. You should use a network traffic analyzer, such as WireShark or Message Analyzer. -### 2.2 Cortana MDM policies +### 2.2 Cortana and Search MDM policies -The following Cortana MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). - -> [!NOTE] -> This does not apply to Windows Server 2016. +For Windows 10 only, the following Cortana MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). | Policy | Description | |------------------------------------------------------|-----------------------------------------------------------------------------------------------------| 
@@ -261,14 +258,16 @@ To turn off font streaming, create a REG\_DWORD registry setting called **Disabl ### 6. Insider Preview builds -To turn off Insider Preview builds for a released version of Windows 10 or Windows Server 2016 with Desktop Experience: +The Windows Insider Preview program lets you help shape the future of Windows, be part of the community, and get early access to releases of Windows 10. + +To turn off Insider Preview builds for a released version of Windows 10: - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Toggle user control over Insider builds**. To turn off Insider Preview builds for Windows 10: > [!NOTE] -> If you're running a preview version of Windows 10 or Windows Server 2016, you must roll back to a released version before you can turn off Insider Preview builds. +> If you're running a preview version of Windows 10, you must roll back to a released version before you can turn off Insider Preview builds. - Turn off the feature in the UI: **Settings** > **Update & security** > **Windows Insider Program** > **Stop Insider Preview builds**. @@ -398,9 +397,6 @@ The following Microsoft Edge MDM policies are available in the [Policy CSP](http | Browser/AllowSearchSuggestionsinAddressBar | Choose whether the address bar shows search suggestions..
Default: Allowed | | Browser/AllowSmartScreen | Choose whether SmartScreen is turned on or off.
Default: Allowed | -### 11.3 Microsoft Edge Windows Provisioning - -Use Windows ICD to create a provisioning package with the settings for these policies, go to **Runtime settings** > **Policies**. For a complete list of the Microsoft Edge policies, see [Available policies for Microsoft Edge](http://technet.microsoft.com/library/mt270204.aspx). From 8c8be0ede6a530ee87bce91f7b020dc86a1d8d87 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Tue, 30 Aug 2016 11:07:43 -0700 Subject: [PATCH 13/20] tech review feedback --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index bc6edfa186..1b405ee8a3 100644 --- a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -314,7 +314,7 @@ There are two more Group Policy objects that are used by Internet Explorer: | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Internet Control Panel** > **Advanced Page** | Turn off the flip ahead with page prediction feature | Choose whether an employee can swipe across a screen or click forward to go to the next pre-loaded page of a website.
Default: Enabled | | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **RSS Feeds** | Turn off background synchronization for feeds and Web Slices | Choose whether to have background synchronization for feeds and Web Slices.
Default: Enabled | -### 7.2 ActiveX control blocking +### 7.1 ActiveX control blocking ActiveX control blocking periodically downloads a new list of out-of-date ActiveX controls that should be blocked. You can turn this off by changing the REG\_DWORD registry setting **HKEY\_CURRENT\_USER\\Software\\Microsoft\\Internet Explorer\\VersionManager\\DownloadVersionList** to 0 (zero). From ef6a057e63025b3b5cc0d2042228198d55f1a8ae Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 31 Aug 2016 10:00:38 -0700 Subject: [PATCH 14/20] adding telmhelp alias --- ...windows-operating-system-components-to-microsoft-services.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 1b405ee8a3..4244f3e342 100644 --- a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -25,6 +25,8 @@ If you want to minimize connections from Windows to Microsoft services, or confi You can configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. There are many reason why these communications are enabled by default, such as updating malware definitions and maintain current certificate revocation lists, which is why we strongly recommend against this. This data helps us deliver a secure, reliable, and more delightful personalized experience. +We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com. + ## What's new in Windows 10, version 1607 and Windows Server 2016 
From ea72becdd11cf428d3fe158697354c99cd6e56ba Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 1 Sep 2016 16:24:37 -0700 Subject: [PATCH 15/20] tech review feedback --- ...indows-operating-system-components-to-microsoft-services.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 36a5f810c1..4cfb9640d5 100644 --- a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -262,6 +262,9 @@ To turn off font streaming, create a REG\_DWORD registry setting called **Disabl The Windows Insider Preview program lets you help shape the future of Windows, be part of the community, and get early access to releases of Windows 10. +> [!NOTE] +> This setting stops communication with the Windows Insider Preview service that checks for new builds. Windows Insider Preview builds only apply to Windows 10 and will not work with Windows Server 2016. + To turn off Insider Preview builds for a released version of Windows 10: - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Toggle user control over Insider builds**. From adb86af426c2cfca0ff7b647bc15b5ce0e8d349b Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Fri, 2 Sep 2016 08:52:54 -0700 Subject: [PATCH 16/20] tech review feedback --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 4cfb9640d5..0f1c19b062 100644 --- a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -263,7 +263,7 @@ To turn off font streaming, create a REG\_DWORD registry setting called **Disabl The Windows Insider Preview program lets you help shape the future of Windows, be part of the community, and get early access to releases of Windows 10. > [!NOTE] -> This setting stops communication with the Windows Insider Preview service that checks for new builds. Windows Insider Preview builds only apply to Windows 10 and will not work with Windows Server 2016. +> This setting stops communication with the Windows Insider Preview service that checks for new builds. Windows Insider Preview builds only apply to Windows 10 and are not available for Windows Server 2016. To turn off Insider Preview builds for a released version of Windows 10: From 88aa33bc2a8eddc3b1951a6a85100ac407a7bf64 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Fri, 2 Sep 2016 10:23:14 -0700 Subject: [PATCH 17/20] added September table --- .../change-history-for-manage-and-update-windows-10.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/windows/manage/change-history-for-manage-and-update-windows-10.md b/windows/manage/change-history-for-manage-and-update-windows-10.md index 55b7e2866d..001afc958e 100644 --- a/windows/manage/change-history-for-manage-and-update-windows-10.md +++ b/windows/manage/change-history-for-manage-and-update-windows-10.md 
@@ -12,6 +12,11 @@ author: jdeckerMS This topic lists new and updated topics in the [Manage and update Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md). +## September 2016 + +| New or changed topic | Description | +| --- | --- | +| [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Added content for Windows Server 2016 | ## August 2016 From 0820b34173f5870a4be8793aac5cc457fb975907 Mon Sep 17 00:00:00 2001 From: GITMichiko Date: Fri, 2 Sep 2016 14:35:50 -0700 Subject: [PATCH 18/20] Update credential-guard.md --- windows/keep-secure/credential-guard.md | 121 ++++++++++++++---------- 1 file changed, 71 insertions(+), 50 deletions(-) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 16ffd75334..7966cb3e2a 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md 
@@ -290,8 +290,8 @@ DG_Readiness_Tool_v2.0.ps1 -Ready ### NTLM & CHAP Considerations -When you enable Credential Guard, you can no longer use NTLM v1 authetnication. If you are using Wi-Fi and VPN end points that are based on MS-CHAPv2, they are subject to similar attacks as NTLMv1. We recommend that organizations use certificated-based authentication for Wi-Fi and VPN connections. -- +When you enable Credential Guard, you can no longer use NTLM v1 authentication. If you are using Wi-Fi and VPN end points that are based on MS-CHAPv2, they are subject to similar attacks as NTLMv1. We recommend that organizations use certificated-based authentication for Wi-Fi and VPN connections. + ### Kerberos Considerations When you enable Credential Guard, you can no longer use Kerberos unconstrained delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process. You must use constrained or resource-based Kerberos delegation instead. 
@@ -315,34 +315,39 @@ Some ways to store credentials are not protected by Credential Guard, including: Credential Guard can provide mitigations against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, reusing previously stolen credentials prior to Device Guard, and abuse of management tools and weak application configurations. Because of this, additional mitigations also need to be deployed to make the domain environment more robust. -Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. By deploying authentication policies with compound authentication in Windows Server 2012 R2 or later domains, users can be restricted to only sign on from specific domain-joined devices. However, since devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Credential Guard, authentication policies can require that the device authenticates with its private key. This prevents shared secrets on stolen devices to be used with stolen user passwords or Kerberos secret keys to sign on as the user. +### Restricting domain users to specific domain-joined devices -Device certificate authentication has the following requirements: +Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. If a user can sign on multiple devices then any device could be used to steal credentials. How do you ensure that users only sign on with devices with Credential Guard? By deploying authentication policies which restrict them to specific domain-joined device that have been configured with Credential Guard. 
For the domain controller to know what device a user is signing on from, Kerberos armoring must be used. -- Device domains are Windows Server 2012 or higher and all domain controllers have certificates, which satisfy strict KDC validation (KDC EKU present and the DNS domain name matches the DNSName field of the SubjectAltName (SAN) extension). +#### Kerberos armoring + +Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring, its TGT is used to protect the user's proof of possession which can mitigate offline dictionary attacks. Kerberos armoring also provides the additional benefit of signed KDC errors this mitigates tampering which can result in things such as downgrade attacks. + +**To enable Kerberos armoring for restricting domain users to specific domain-joined devices** + +- Users need to be in domains which are Windows Server 2012 R2 or higher +- All the domain controllers in these domains must be configured to support Kerberos armoring. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**. +- All the devices with Credential Guard which the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**. + +#### Protecting domain-joined device secrets + +Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Credential Guard, the private key can be protected. Then authentication policies can require that users sign on devices which authenticate using those certificates. This prevents shared secrets on stolen from the device to be used with stolen user credentials to sign on as the user. 
+ +Domain-joined device certificate authentication has the following requirements: +- Devices' accounts are in Windows Server 2012 DFL or higher domains. +- All domain controllers in those domains have KDC certificates which satisfy strict KDC validation certificate requirements: + - KDC EKU present + - DNS domain name matches the DNSName field of the SubjectAltName (SAN) extension - Windows 10 devices have the CA issuing the domain controller certificates in the enterprise store. - A process is established to ensure the identity and trustworthiness of the device in a similar manner as you would establish the identity and trustworthiness of a user before issuing them a smartcard. -### Additional Group Policy settings +###### Deploying domain-joined device certificates -There are a few Group Policy settings that you can enable that provide more protection against credential attacks: +To guarantee that certificates with the issuance policy required are only on the devices these users must use, they must be deployed manually on each device. The same security procedures used for issuing smart cards to users should be applied to device certificates. -- On the domain controllers, configure the KDC support for claims, compound authentication, and Kerberos armoring system by using Group Policy. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**. -- On devices running Windows 10, you can turn it on by using Group Policy as well. To do this, enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** & **Always send compound authentication first system** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**. +For example, let's say you wanted to use the High Assurance policy only on these devices. Using a Windows Server enterprise CA, you would create a new template. 
-### Compound authentication - -Compound authentication adds the device identity to the user’s during authentication to the domain and resources. Without compound authentication, only the user’s secrets are validated. With compound authentication, the Kerberos client has to have both the user’s and device’s secrets. -Enabling compound authentication also enables Kerberos armoring, which provides two additional benefits: - -- User authentication on domain-joined devices will be armored. This means that network captures will contain encrypted Kerberos initial authentication. Without the appropriate device key, Kerberos AS-REQs are protected against offline dictionary attacks. -- KDC errors are signed, which provides protection against error spoofing attacks. - -### Deploying machine certificates - -If the domain controllers in your organization are running Windows Server 2016, devices running Windows 10 will automatically enroll a machine certificate when Credential Guard is enabled and the PC is joined to the domain. -If the domain controllers are running Windows Server 2012 R2, the machine certificates must be provisioned manually on each device. You can do this by creating a certificate template on the domain controller or certificate authority and deploying the machine certificates to each device. -The same security procedures used for issuing smart cards to users should be applied to machine certificates. +**Creating a new certificate template** 1. From the Certificate Manager console, right-click **Certificate Templates**, and then click **Manage.** 2. Right-click **Workstation Authentication**, and then click **Duplicate Template**. 
@@ -356,7 +361,11 @@ The same security procedures used for issuing smart cards to users should be app 8. Under **Issuance Policies**, click**High Assurance**. 9. On the **Subject name** tab, clear the **DNS name** check box, and then select the **User Principal Name (UPN)** check box. -On devices that are running Credential Guard, enroll the devices using the machine authentication certificate by running the following command: +Then on the devices that are running Credential Guard, enroll the devices using the certificate you just created. + +**Enrolling devices in a certificate** + +Run the following command: ``` syntax CertReq -EnrollCredGuardCert MachineAuthentication ``` 
@@ -364,53 +373,65 @@ CertReq -EnrollCredGuardCert MachineAuthentication > [!NOTE] > You must restart the device after enrolling the machine authentication certificate.   -### Link the issuance policies to a group +#### How a certificate issuance policy can be used for access control + +Beginning with Windows Server 2008 R2 DFL, domain controllers support for authentication mechanism assurance provides a way to map certificate issuance policy OIDs to universal security groups. Windows Server 2012 domain controllers with claim support can map them to claims. To learn more about authentication mechanism assurance, see [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](https://technet.microsoft.com/en-us/library/dd378897(v=ws.10).aspx) on TechNet. + +**To see the issuance policies available** -By using an authentication policy, you can ensure that users only sign into devices that are running Credential Guard. Before you deploy the authentication policy though, you must first run a couple of scripts that set up your environment. - The [get-IssuancePolicy.ps1](#bkmk-getscript) shows all of the issuance policies that are available on the certificate authority. From a Windows PowerShell command prompt, run the following command: ``` syntax .\get-IssuancePolicy.ps1 –LinkedToGroup:All ``` +**To link a issuance policy to a universal security group** + - The [set-IssuancePolicyToGroupLink.ps1](#bkmk-setscript) creates a Universal security group, creates an organizational unit, and links the issuance policy to that Universal security group. From a Windows PowerShell command prompt, run the following command: ``` syntax .\set-IssuancePolicyToGroupLink.ps1 –IssuancePolicyName:”” –groupOU:”” –groupName:”” ``` -### Deploy the authentication policy +#### Restricting user sign on -Before setting up the authentication policy, you should log any failed attempt to apply an authentication policy on the KDC. 
To do this in Event Viewer, navigate to **Applications and Services Logs\\Microsoft\\Windows\\Authentication, right-click AuthenticationPolicyFailures-DomainController**, and then click **Enable Log**. +So we now have: +- Created a special certificate issuance policy to identify devices which meet the deployment criteria required for the user to be able to sign on +- Mapped that policy to a universal security group or claim +- Provided a way for domain controllers to get the device authorization data during user sign on using Kerberos armoring- +so what is left to do is configuring the access check on the domain controllers. This is done with authentication policies. -Now you can set up an authentication policy to use Credential Guard. +Authentication policies have the following requirements: +- Users' accounts are in Windows Server 2012 R2 DFL or higher domains. -**To add an authentication policy for Credential Guard** - -1. Ensure that your domain controllers are running at least the Windows Server 2012 R2 domain functional level. -2. Create a security group that will be used to identify the PCs that will have this authentication policy applied to them. -3. Add the computer account to this security group. -4. Open Active Directory Administrative Center. -5. Click **Authentication**, click **New**, and then click **Authentication Policy**. -6. In the **Display name** box, enter a name for this authentication policy. -7. Under the **Accounts** heading, click **Add**. -8. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the user account, and then click **OK**. -9. Under the **User** heading, click the **Edit** button that applies to user account. -10. Click **Add a condition**. -11. In the **Edit Access Control Conditions** box, ensure that it reads **User** > **Group** > **Member of each** > **Value**, and then click **Add items**. -12. 
In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the security group that you created with the set-IssuancePolicyToGroupLink script, and then click **OK**. -13. Click **OK** to close the **Edit Access Control Conditions** box. -14. Click **OK** to create the authentication policy. -15. Close Active Directory Administrative Center. +**Creating an authentication policy restricting to the specific universal security group** +1. Open Active Directory Administrative Center. +2. Click **Authentication**, click **New**, and then click **Authentication Policy**. +3. In the **Display name** box, enter a name for this authentication policy. +4. Under the **Accounts** heading, click **Add**. +5. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the user account you with to restrict, and then click **OK**. +6. Under the **User Sign On** heading, click the **Edit** button. +7. Click **Add a condition**. +8. In the **Edit Access Control Conditions** box, ensure that it reads **User** > **Group** > **Member of each** > **Value**, and then click **Add items**. +9. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the universal security group that you created with the set-IssuancePolicyToGroupLink script, and then click **OK**. +10. Click **OK** to close the **Edit Access Control Conditions** box. +11. Click **OK** to create the authentication policy. +12. Close Active Directory Administrative Center. > [!NOTE] -> When authentication policies in enforcement mode are deployed with Credential Guard, users will not be able to sign in using devices that do not have the machine authentication certificate provisioned. This applies to both local and remote sign in scenarios. 
-  -### Appendix: Scripts +> When the authentication policy enforces policy restrictions, users will not be able to sign on using devices that do not have a certificate with the appropriate issuance policy deployed. This applies to both local and remote sign on scenarios. Therefore, it is strongly recommended to first only audit policy restrictions to ensure you don't have unexpected failures. + +##### Discovering authentication failures due to authentication policies + +To make tracking authentication failures due to authentication policies easier, an operational log exists with just those events. To enable the logs on the domain controllers, in Event Viewer, navigate to **Applications and Services Logs\\Microsoft\\Windows\\Authentication, right-click AuthenticationPolicyFailures-DomainController**, and then click **Enable Log**. + +To learn more about authentication policy events, see [Authentication Policies and Authentication Policy Silos](https://technet.microsoft.com/en-us/library/dn486813(v=ws.11).aspx) on TechNet. + +## Appendix: Scripts Here is a list of scripts that are mentioned in this topic. -#### Get the available issuance policies on the certificate authority +### Get the available issuance policies on the certificate authority Save this script file as get-IssuancePolicy.ps1. @@ -601,7 +622,7 @@ write-host "There are no issuance policies which are not mapped to groups" > [!NOTE] > If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.   -#### Link an issuance policy to a group +### Link an issuance policy to a group Save the script file as set-IssuancePolicyToGroupLink.ps1. From 859e4760444796e2757fc7818e87320e86f8b87a Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Tue, 6 Sep 2016 10:24:53 -0700 Subject: [PATCH 19/20] copy edit --- windows/keep-secure/credential-guard.md | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) 
diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 7966cb3e2a..4150359f7e 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -36,10 +36,6 @@ Here's a high-level overview on how the LSA is isolated by using virtualization- ![Credential Guard overview](images/credguard.png) -## New and changed functionality - -To see what was added or changed in Credential Guard, see [What's new in Credential Guard?](../whats-new/credential-guard.md). - ## Hardware and software requirements The PC must meet the following hardware and software requirements to use Credential Guard: @@ -290,7 +286,7 @@ DG_Readiness_Tool_v2.0.ps1 -Ready ### NTLM & CHAP Considerations -When you enable Credential Guard, you can no longer use NTLM v1 authentication. If you are using Wi-Fi and VPN end points that are based on MS-CHAPv2, they are subject to similar attacks as NTLMv1. We recommend that organizations use certificated-based authentication for Wi-Fi and VPN connections. +When you enable Credential Guard, you can no longer use NTLM v1 authentication. If you are using WiFi and VPN endpoints that are based on MS-CHAPv2, they are subject to similar attacks as NTLMv1. We recommend that organizations use certificated-based authentication for WiFi and VPN connections. ### Kerberos Considerations 
@@ -325,7 +321,7 @@ Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring, **To enable Kerberos armoring for restricting domain users to specific domain-joined devices** -- Users need to be in domains which are Windows Server 2012 R2 or higher +- Users need to be in domains which are running Windows Server 2012 R2 or higher - All the domain controllers in these domains must be configured to support Kerberos armoring. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**. - All the devices with Credential Guard which the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**. 
@@ -341,11 +337,11 @@ Domain-joined device certificate authentication has the following requirements: - Windows 10 devices have the CA issuing the domain controller certificates in the enterprise store. - A process is established to ensure the identity and trustworthiness of the device in a similar manner as you would establish the identity and trustworthiness of a user before issuing them a smartcard. -###### Deploying domain-joined device certificates +##### Deploying domain-joined device certificates To guarantee that certificates with the issuance policy required are only on the devices these users must use, they must be deployed manually on each device. The same security procedures used for issuing smart cards to users should be applied to device certificates. -For example, let's say you wanted to use the High Assurance policy only on these devices. Using a Windows Server enterprise CA, you would create a new template. +For example, let's say you wanted to use the High Assurance policy only on these devices. Using a Windows Server Enterprise certificate authority, you would create a new template. **Creating a new certificate template** 
@@ -375,7 +371,7 @@ CertReq -EnrollCredGuardCert MachineAuthentication   #### How a certificate issuance policy can be used for access control -Beginning with Windows Server 2008 R2 DFL, domain controllers support for authentication mechanism assurance provides a way to map certificate issuance policy OIDs to universal security groups. Windows Server 2012 domain controllers with claim support can map them to claims. To learn more about authentication mechanism assurance, see [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](https://technet.microsoft.com/en-us/library/dd378897(v=ws.10).aspx) on TechNet. +Beginning with the Windows Server 2008 R2 domain functional level, domain controllers support for authentication mechanism assurance provides a way to map certificate issuance policy OIDs to universal security groups. Windows Server 2012 domain controllers with claim support can map them to claims. To learn more about authentication mechanism assurance, see [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](https://technet.microsoft.com/en-us/library/dd378897(v=ws.10).aspx) on TechNet. **To see the issuance policies available** From e7c3ead8eb3839c4a0ef3246f019e33cf6fe46c9 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Tue, 6 Sep 2016 10:28:34 -0700 Subject: [PATCH 20/20] fixed formatting --- windows/keep-secure/credential-guard.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 4150359f7e..e27819e571 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md 
@@ -217,14 +217,23 @@ If you have to remove Credential Guard on a PC, you need to do the following: 1. From an elevated command prompt, type the following commands: ``` syntax + mountvol X: /s + copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y + bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader + bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi" + bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215} + bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO + bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X: + mountvol X: /d + ``` 2. Restart the PC. 3. Accept the prompt to disable Credential Guard.
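Review bot: in the hunk that rewrites the "Settings for Windows Server 2016 Nano Server" table, the header row is cut to three cells (`| Setting | Registry | Command line |`) but the delimiter row under it stays as unchanged context with six cells (`| - | :-: | :-: | :-: | :-: | :-: |`). GFM only recognizes a table when the header and delimiter rows have the same number of cells, so this table will fall back to plain text. Trim the delimiter row to `| - | :-: | :-: |` in the same hunk.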
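Review bot: in the hunk at @@ -175,15 +175,15, the headings become "2. Cortana and Search" and "2.1 Cortana and Search Group Policies", but the sentences directly under them are left as "Use either Group Policy or MDM policies to manage settings for Cortana" and "Find the Cortana Group Policy objects under ...". Either widen those sentences to cover Search as well or keep the original headings. The summary tables link to sections with heading-derived anchors such as `#certificate-trust-lists`, so also check that nothing points at the anchor generated from the old "2. Cortana" heading.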
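Review bot: in the credential-guard.md hunk at @@ -315,34 +315,39 (PATCH 18), two of the added sentences do not parse, and both describe the security property the section exists to explain. "This prevents shared secrets on stolen from the device to be used with stolen user credentials to sign on as the user" should read along the lines of "This prevents shared secrets stolen from the device from being used with stolen user credentials to sign on as the user." "Kerberos armoring also provides the additional benefit of signed KDC errors this mitigates tampering which can result in things such as downgrade attacks" needs a sentence break after "signed KDC errors". Smaller items in the same hunk: "If a user can sign on multiple devices" is missing "to", and "specific domain-joined device that have been configured" should be "devices". PATCH 19 copy-edits this section but leaves all of these in place.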
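Review bot: in the credential-guard.md hunk at @@ -364,53 +373,65 (PATCH 18), the new note says it is "strongly recommended to first only audit policy restrictions", but the 12-step "Creating an authentication policy" procedure above it has no step that says where to choose auditing instead of enforcement, so a reader following the steps has no way to act on the recommendation. Add that step. The instruction to enable the AuthenticationPolicyFailures-DomainController log has also moved from before the procedure (the removed "Before setting up the authentication policy, you should log any failed attempt ...") to after it; it is more useful ahead of the steps so failures are captured from the first sign-on. Formatting and typos in the same hunk: the last bullet of the "So we now have:" list ends in a stray hyphen ("Kerberos armoring-") and the next line ("so what is left to do ...") has no blank line before it, so Markdown will fold it into that bullet; "To link a issuance policy" should be "an issuance policy"; and step 5 reads "the user account you with to restrict" where "wish" is meant.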
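Review bot: in the PATCH 19 hunk at @@ -290,7 +286,7, the rewritten NTLM and CHAP paragraph still says "certificated-based authentication", which should be "certificate-based authentication"; PATCH 18 fixed "authetnication" on the same line and missed it too. The same hunk changes "Wi-Fi" to "WiFi" in both places, but "Wi-Fi" is the spelling used by the Wi-Fi Alliance, so the original form should be kept.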
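Review bot: in PATCH 20, all nine added lines are blank lines placed between the `mountvol`, `copy` and `bcdedit` commands inside the syntax code fence, and the commit message ("fixed formatting") does not say what rendering problem they address. Inside a fence the blank lines are rendered literally, so the block will display double-spaced. If the commands were running together because the fence under step 1 was not being recognized as a code block, the fix belongs in how the fence is placed or indented under the list item, not in the spacing between commands. Please state the symptom in the commit message and confirm the rendered result.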