Date: Sun, 14 Apr 2019 00:00:47 +0530
Subject: [PATCH 04/12] changed 1121 and 1122 to block and audit modes
Confirmed with following article. https://www.ghacks.net/2017/10/23/configure-attack-surface-reduction-in-windows-10/
---
.../evaluate-attack-surface-reduction.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md
index 307b13fd20..93e5640492 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md
@@ -53,8 +53,8 @@ To review apps that would have been blocked, open Event Viewer and filter for Ev
| Event ID | Description |
|----------|-------------|
|5007 | Event when settings are changed |
-| 1121 | Event when an attack surface reduction rule fires in audit mode |
-| 1122 | Event when an attack surface reduction rule fires in block mode |
+| 1121 | Event when an attack surface reduction rule fires in block mode |
+| 1122 | Event when an attack surface reduction rule fires in audit mode |
## Customize attack surface reduction rules
From 6550c128814761ed4965ffb1f3e6d863dd4b28d9 Mon Sep 17 00:00:00 2001
From: VLG17 <41186174+VLG17@users.noreply.github.com>
Date: Fri, 19 Apr 2019 11:18:41 +0300
Subject: [PATCH 05/12] added clarification about value 1
https://github.com/MicrosoftDocs/windows-itpro-docs/issues/3028
---
windows/client-management/mdm/bitlocker-csp.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md
index 7625ab46bb..17e70ad2c6 100644
--- a/windows/client-management/mdm/bitlocker-csp.md
+++ b/windows/client-management/mdm/bitlocker-csp.md
@@ -429,7 +429,7 @@ The following diagram shows the BitLocker configuration service provider in tree
The possible values for 'xx' are:
- 0 = Empty
-- 1 = Use default recovery message and URL.
+- 1 = Use default recovery message and URL (in this case you don't need to specify a value for "RecoveryMessage_Input" or "RecoveryUrl_Input").
- 2 = Custom recovery message is set.
- 3 = Custom recovery URL is set.
- 'yy' = string of max length 900.
From dc6c0063ab982be234f2fe9f4931158787ab33a0 Mon Sep 17 00:00:00 2001
From: illfated
Date: Fri, 19 Apr 2019 13:18:34 +0200
Subject: [PATCH 06/12] Auditing: Add an event example in event-5159.md
Description:
The page event-5159.md does not yet contain any example outputs from the
event being triggered on a running computer or server.
Changes proposed:
Add examples based on its predecessor page event-5158.md
and samples provided by audi5411 in issue ticket #3291
(windows event log 5159 xml example)
To do:
- [ ] Verify the validity of the added content
- [ ] Get precise sample images from the docs team
Closes #3291
---
.../threat-protection/auditing/event-5159.md | 129 ++++++++++++++----
.../auditing/images/event-5159.png | Bin 0 -> 24435 bytes
2 files changed, 105 insertions(+), 24 deletions(-)
create mode 100644 windows/security/threat-protection/auditing/images/event-5159.png
diff --git a/windows/security/threat-protection/auditing/event-5159.md b/windows/security/threat-protection/auditing/event-5159.md
index 74fd606119..a1cf9746d1 100644
--- a/windows/security/threat-protection/auditing/event-5159.md
+++ b/windows/security/threat-protection/auditing/event-5159.md
@@ -17,37 +17,48 @@ ms.date: 04/19/2017
- Windows Server 2016
-This event is logged if the Windows Filtering Platform has blocked a bind to a local port.
-
-There is no example of this event in this document.
+
***Subcategory:*** [Audit Filtering Platform Connection](audit-filtering-platform-connection.md)
-***Event Schema:***
+***Event Description:***
-*The Windows Filtering Platform has blocked a bind to a local port.*
+This event is logged if the Windows Filtering Platform has blocked a bind to a local port.
-*Application Information:*
+
-> *Process ID:%1*
->
-> *Application Name:%2*
+***Event XML:***
+```
+-
+-
+
+ 5159
+ 0
+ 0
+ 12810
+ 0
+ 0x8010000000000000
+
+ 44097
+
+
+ Security
+ DC01.contoso.local
+
+
+-
+ 7924
+ \device\harddiskvolume2\users\test\desktop\netcat\nc.exe
+ 0.0.0.0
+ 5555
+ 6
+ 84614
+ %%14608
+ 36
+
+
-*Network Information:*
-
-> *Source Address:%3*
->
-> *Source Port:%4*
->
-> *Protocol:%5*
-
-*Filter Information:*
-
-> *Filter Run-Time ID:%6*
->
-> *Layer Name:%7*
->
-> *Layer Run-Time ID:%8*
+```
***Required Server Roles:*** None.
@@ -55,6 +66,76 @@ There is no example of this event in this document.
***Event Versions:*** 0.
+***Field Descriptions:***
+
+**Application Information**:
+
+- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process which was permitted to bind to the local port. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
+
+ 
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+ You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+
+
+- **Application Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
+
+ Logical disk is displayed in format \\device\\harddiskvolume\#. You can get all local volume numbers by using **diskpart** utility. The command to get volume numbers using diskpart is “**list volume”**:
+
+
+
+**Network Information:**
+
+- **Source Address** \[Type = UnicodeString\]**:** the local IP address of the computer running the application.
+
+ - IPv4 Address
+
+ - IPv6 Address
+
+ - :: - all IP addresses in IPv6 format
+
+ - 0.0.0.0 - all IP addresses in IPv4 format
+
+ - 127.0.0.1 , ::1 - localhost
+
+- **Source Port** \[Type = UnicodeString\]**:** the port number used by the application.
+
+- **Protocol** \[Type = UInt32\]: the protocol number being used.
+
+| Service | Protocol Number |
+|----------------------------------------------------|-----------------|
+| Internet Control Message Protocol (ICMP) | 1 |
+| Transmission Control Protocol (TCP) | 6 |
+| User Datagram Protocol (UDP) | 17 |
+| General Routing Encapsulation (PPTP data over GRE) | 47 |
+| Authentication Header (AH) IPSec | 51 |
+| Encapsulation Security Payload (ESP) IPSec | 50 |
+| Exterior Gateway Protocol (EGP) | 8 |
+| Gateway-Gateway Protocol (GGP) | 3 |
+| Host Monitoring Protocol (HMP) | 20 |
+| Internet Group Management Protocol (IGMP) | 88 |
+| MIT Remote Virtual Disk (RVD) | 66 |
+| OSPF Open Shortest Path First | 89 |
+| PARC Universal Packet Protocol (PUP) | 12 |
+| Reliable Datagram Protocol (RDP) | 27 |
+| Reservation Protocol (RSVP) QoS | 46 |
+
+**Filter Information:**
+
+- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID which blocks the application from binding to the port. By default, Windows firewall won't prevent a port from binding by an application, and if this application doesn’t match any filters, you will get value 0 in this field.
+
+ To find specific Windows Filtering Platform filter by ID you need to execute the following command: **netsh wfp show filters**. As a result of this command, **filters.xml** file will be generated. You need to open this file and find the specific substring with the required filter ID (**<filterId>**)**,** for example:
+
+ 
+
+- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/library/windows/desktop/aa363971(v=vs.85).aspx) layer name.
+
+- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find specific Windows Filtering Platform layer ID you need to execute the following command: **netsh wfp show state**. As result of this command **wfpstate.xml** file will be generated. You need to open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
+
+
+
## Security Monitoring Recommendations
- There is no recommendation for this event in this document.
diff --git a/windows/security/threat-protection/auditing/images/event-5159.png b/windows/security/threat-protection/auditing/images/event-5159.png
new file mode 100644
index 0000000000000000000000000000000000000000..a2f9134fe87579fbb507e6941f68aee995754664
GIT binary patch
literal 24435
zcmd42cT|(z_AVL~C5jX)NDEfBANC_>80>bBq5EW@6pduh5
z1d(160VOI;1PmmEfOJA=Aqk}3H@Mq5caL%Q_}#JZIDargR@S@TwdR^@&SySr&IcE*
z&q{An+ynxFq|cu_bqNGo+XVc%gEs&z7SDcW03U0DE}cCAD(O(30=`Ii!K`2)(0i;D
z-+evsePh5mryvkWrdj;AhUow11_%TPpFah=9OlNL!oQe0p=q3n1N%rd4@$OLs=-E^
z?%k_AdS2_!aDv?Hg!PYgu3i4rfjy|U=T}%-%F((f(%$`UxsPK4-X%VN{6y_*JK0Hn
z7e(W?!-v$P8a_Q5pZ;q1t~aRLvoBOxVb{ZGoy*ga!po@6!XRtGlsUE6b#9$D+SR_m
zI?LGJRS^D`&N0=dEl%LcYk{doF1GulKj_2KPrST%aQmkFC;BZO^LZ>BCQHro?=22M
zOC5n%C*cnKE^hpW|7(VgNNMO2D|Xvf&|Sm&URja>M(%`6XE*?&ymeLC4HHYMc@;Q#t;@FAjrMMZRP>7`_7n?eBau
z_apW4)du(jgPc6yVMqFcCd+FZDi2s9W#`6P(GLP2x34+iwo?fpA{Jc43PHw-eu(%!
z47k8~Vvr_i!~8&xSrV;n;0>s
zx@Kf>gr=!--|!Hm+`mB!#CZZDM&zc2nLFuc(}t13u6o3bnNw*z^lEuh;r}4?YL>*aFV|QESqK87{!&
z0sFR$X>+Ae9y@tQIjX#}AS$(9!E=_8
z7VwlxZF&nV%mpfgTv)2^GjEtCEB5NSUs}5?p46ui2L+pr_-V;wyW$=ELzvuv!_aFk
zweYc#71J>{UIt~>ttAW4k^BT1JeTzYm{kL3&>4Ald6_iGnA;$lfs62LQIv>w3p0@*
zy2&#Wtq{n7Gk(nZDnJyzCr2Dv)uDW3y}F)Er;daYM%*B&W<}6dCPHLZB|$D
zr!Zaw8J}9(9wINedcnI5krh61!5fv4^;Vl9!*rWF!B`68;-^tv
z#6!k6BOqsqojZCBDU$lC8G_Ao19U{l>7Tk%dLCVA$2?M?P+!3<$^(IFQYQR>NQO~g
zAJJN_v}8k2zx-IB`je^gl>0qpW_g^umoaTHK-VW?0pX~YFN5k0BrKeiWA{s7_#+TQ
zK&@tMWJJ4X=Lj4QSzCz3lnD43Q4B*H#UBZc=N;`Y+jq4OhKwUR;lQPuqh@v_@ZsL0l+>g5nBJErta+89r{62~hn&_kRW
zDX;G{AModgobOEz$7fZ);Wn~;6%;+g(WR(E
z3&D=j9%CIup;kmGf|>;E*0MB8Z|?D}h8qM{Wi4q@;V(#zP%>rI@y!#L5}szVQ2DTm
zl07uNQXq@Xbld57mb2f;|4H8WpSPTDM@>|{=P%m=Hf|)9Gq)vHpyIx6BK(;Z2AVfbXIfl%J5bT*RQ6al!*XGM2l4_cWjLE41gV$e<
zP_t!RyCQBlbtPB)kwkz`kYthk0q?&;gIV6sCy$
zr2nj4Pq`w*`ITp$pad4}DPt1kA+d6UWm3HNJHe%rj4b3rD*k*4DW}!0Q
ztLR%-PS)0tF5T49sI&p>C)OznoQh%5^E`W1+(i%PIie~IaX=c)>EvJInLro!GDvt%
zBn1~W!;_o!xtZxioUZ&wHXe}rQM#5WuGdU?w<#+#wmTqFN6~5)k^+NnEK|>@9=V2GgEw4O}
z6q~<`ku|G3tfG+Xi8^1Ali5+B`*bEg==~?k<*@@JxW9INsLp;@RE4`xhISZDa@k(q
zvVS_cF2Qidp+v-%d>+orF>#1HqWs~K;4&q`SgR5{Orli^_=c)^h`taM?RDpHRtF#b
zOh9jX0nyGtv%W#U$)y%D4ONQ*sRQrdGkNCEJj{>;R$0jxVFu^aQJOqzcKyV}Wypn*
z%m_`-uVu#=fF1tEZspzo=zKL*L%im0%z}SL9Ue0Q6>MXWYQy2jR4LjR5vK|xfbvJA
z=D~5_DdOpP}oA9CKZTDQ-Qe--`?FvJJu;q0<
ztuRm(o2xZzwwM0t-Z4sifD;$mnsL<@vsAW-ZbRe%_N&ru)cDG#+A>SPkBe7}hl&X0
zm~m|pgB_0-;mR=#nrMX4De|HH5RO6wm264Eoc6O7w_{+a#qc`MgwxR{4L)2vsPU~i
z$8J3S&rh-{0I(=)E}Kp&6%}ux@%Caos+pO3;b)hfHo?LoPbY1JEI-xQx$$u_mg-xV
zUiVEFFAF?zr?|`r%-b^@`d~sEfJ9^A37FC0Ewqv8Kr}h2=1)T^VJt3F>
z8-Bff0Z!1AK%&P}>Xw
z-F4jqUI+Y?_V0eWx;>V_uE3d9^q2#EhK^~)g*f?i{0A_0Hkdy
zYU0OcT3Ior8ynr{qb7Qbw2}skR-e=f9aH1Oct7ddj3Qp%;HjE@;2iQ9TK}wa(!{BT
zlnx?${?09|S4Jvgh19(|v$PsNIRj*j`mAsR)@r#{>m8o;R`xlLK6=#=7?{KhpQ~RC
zF-9p8j)Lg{)6s!JmqIS3-oKh47Dj*tNw#S^d`Nci$)i6SdnCIKKE*S?t#`}7HTf7~
zwm;FMOWdo`j>x(tu*{H;H5u3P>&}jj&=rgG<4@{PQt75wjajb5Senth5~l)<1IKw0
z=>C+L`S=NTSlI2%_bD*Q^`=kMBHr6x!;yV%vQP5hZHZ#5+8Kbi8+BW+6Y6g9O6AsNFYYK>_
ztF!kkQH{0QsA_vqK&D&Aeu
zr5Y=0?`BV_N5929e2Lp8nlREU7BVR>Z)X;oG&Oo`pQ2ra$pO(-^=4RK%2}yY33oud
zTIFJ0cdzP*6s&K@>U{D4zUeUv(4>!!f5@A!i`MxaqHNml3~sVkjwOp*q
z>Imp_yTK-_!wVh(%KTfaci&f=`K_@hH^KUTzcYS&bm>X)ocd%BNw~+07g7qj1a6X9
z)p6+m*8wMB0>9$???|Jqb*A!n|y&1h}y8xEUI%^{DEeOK+A3e7)9X+Pg-QI7N`
zr;YcZ!^|t=?J2eIu&rMzw~lOI5^NGUne99lNC=^5@HB{4WMgGYkoQV&uTe*yfi`u}
zjHLaJCpV{u`)M%uUK^CX23B2SLfc}EGICkIH+-@r#{kk~euEM|F|s?|Z8jC+9aNb|
zA1L$R?+(4u77wZm&fy31Pg*1NTgrOI^C)!_+$!ZFMarUgh3kjTSD`%6?0q#C5_7#f
zfZdZ`N|cWGwbPpyYRpu%1Rtx%;ya!rri`m*oX-zn^H7J2F&g@nPTtHP3~G?TImtc|
z5ne$q>G!g&LxDIaDQp|b@a@)Q
zdZbdJkI6}Ha5rS@UlYfTpqRr!ytnOCZB7KMW{llxF$?z|DDLOI=PHa=ZmFOIF}+;p
zme`C4wlXAD>8oJv{2Opn2;wLhDIbJ!AeqWP+f)+jH2-q=i=-`Nvx`Z=?7HT6@}|Zw
zDM1ug>luoQd93fMVq9|->t*1O88|x(@I3Fmu#6?MQA4O!Pr=ru%`$FRv
z5-5&(JFix|+W9Yb{aGzrYwc~UH|ytA?N1d-Ogz1+I+K%nRokHx;XK`TEF0f$OK3)&
zo6C{D)+`K1qw4D6hPSG^S++Urx`~$($eYGHX*i#3=Y@#j%Aj8cmzWle@uYh@t5PU#
zw+HS}s#=?ZOnc4mo;@qxC1flw+?yOF7YtFn`bY4x&Z`p-WV3~EX9s_u>vh7IKPnDy
zI*XEXpl7IQAyIARQGZUeEFfa1#{AyyA!{;Y>?e$mEtk^$Z9
z=@z8C_Dx|?mHvC`fMoDO^S6J&qkJl^CmuO~>){X3tzThASR+$SWj`F3m=~D2o-k35
zEI7~nOK{+T`p>NA9qkU?{b*+fg`JQ^Yw#PSqA_c-<*_p?o)
z*lX7v#M{+GSrtIvIQ(yM5)?<
zE@XqyhnR$C=B3Npitde`GXm4;mFkrmkO03-01p;W=39T&PKB!HK-)WH>FI)}Y(D+~
z@m)C~&oc{<=`Vvjt$bO{tdrda(^{_8kO%Ct5%Vq)pa4;3SyP<0kwQ_j9VGY{Bc(&b
zj-<^*?BmMEmc2w{{Mw9DS3HiU*TK8YTe?4R^+J*gNKR!C0sk{mttv5$U}gd}^ULa=
zSboTnx*LB=u7utJQ;_Y9x>&Fla`(2x6_BUIa4op0`p+7v9n^419eJ3-@m;Idc;_X!
zKyg5N!_U3obqDu?NvBuc$U#7lRvk~`p8tEBLO5zs-fn=KIQopxQHXGpVJr+Zm_sNr
zn5=hoAN46mUguavUeHQ-{)|1Ar<4o0`+`*3k6t2x_MXbc(rf+YQm=*FB98|Y2joQu
z+*xrUd8>Q*$)!eUBZ4ky*4-zM0N(8aV9}`h;2dl`JHV79n)aldddT6ua0R+C!>qD(Eu68au8|V%^EFQmS^7jDEHLsuwJ94OkkOrGkm%3-FVk#!%p*8yXkr3
zg_Ui4*PhH8PAV=!24nStf2@H|uc$qDR-ZXb>-bceIsUypt#}ENPy~
zAkguRVowYB#WUu?w`&4!%}wT?yyBM;ktNmC7=>~$9z0W195361R07s;5%7I3mGqHfdMnFya83p+){xSON)M9F=J2!RYktrJl
zQWMYAHM(@*nDYG}9rIza($;J!y1(u-YUtVf!;oKbb)BIqN{`y>CrQ=kA?;DUIe5)&
z+=0a|gA3ge!e?p&P7RD7OVY%908aYoE8fDOvtgH%Uyo}6xFt+=^`rnhuXI|jWEFCk
z+5$}misC5Y_`f!-;<4Yo>i;q=n86?%`9;l@XSi=M_L;LtE~#%gv<;rxF=P$4|-gm=*Lfno+=zUKs?twC3+g-htJ#qGBp>U
z-C_F+us(bxX2p8_E)J^#+8$M2Zi2iD%U;oE!{*eO4URNn3WkwquV8KW!p
zeBmb^7jBEqb$43n+Mx32Rj73IJfje#wB9{P>#MB(g04MOVLfzabbK8sdo5saz7lc-
zGhQ2;TKfX%b4@ZxU%`>=P9}DzMUmjNwB4p
zN#|nSG1(H007_VMhsnDQ`q&KExcw^}dGs(4X|^5)H)$;|t3xkQTR9^4kN?1AJ~BW+B4h
zA=f0v{hI1{rU`0m6gOOJAb))QYm`bX%5@9tzFJhIG59Reg+}Ed`O+aILqiAv^a0bd
zMXXf@f2p|u78!ujxj@r-A&S{e{BO2h&d1%(N75l3-@UF`5fDIhLxhpZMrZGB@bpra#1uccvUZM%9N|9L6
zlYiBqMw>L_oG571Bgt@z=4R$Fsf^BJhTeq@f*J*r;=m
zXO%VNoP+qE_v^j
zjASWUNWY#S!3dUe?4B6C;X#mf7KE^*m=ZQeuiF=JVJ(k
zm0in~4d@x1O@0JbA
zJa>V}@+OY|5Wd@GXL@AyH1xib#a&i=`a&U!bu1{O=Hq913*JP!z@bnmb9X>`o;j1d
zsm#qg+uMR$G`$(Q&81;vo;3Yq4d#|jWzH<-t^eC3GNvCdl)Bw$5QDG9fgnQdp~9fE
zoesPRBULG)WlLkWY-837w9BiJtYgS09+@+g<@70!%f=m6dx^ajW-pjOB
zpQ+~eItEnwH9|;3wPr7&r_7>b_-?tO2R|9*bjOzw(X4yESjiv$bJz3|(Xbyq;O0&3
z5#DE5p|98
z)2!KMW7sVvfVq^1g=vP5aNG~$z1++6M0jgzi*|WtSdr}1Rh8|^bYtgd<
zU(0t9X6Y?N-;VH?RXznwo}mXVSD->p84HE-n6*X*ZwKFT;NJcBCrX`eo~K2J=NjL~
zpWXztC8!gCR^j{=c|PN_Rn<$owM?B*2b@&rWTUMug_>3
zZwb0b*9tpx-PH~^a0Tzb5PTEA)HoA)UHAn5xjP?+MtLm_bKcYndfeUE`e05_3vBw0
zY%W?5M*UP{r%ZX{U)#{L^nAp$0@Kep&8kH_gw8XV(<3Vn-k*O+9OZRZ>H0Vwbyc2d
zl06hegz6vYN1S2oBidQ|LP_YdhUz)LY(MzVR)qiO${!Oa21GTa;|*<^@G##qsGP2x
z!FN7yGOOOeGZ^9hcx00l+n<4tG3)^ac<5gL{3k=!@8v;y%*&X(OWHtC3X*K!j}D1tmZADTJBI%Sl7C6L$8
zE?!vJ<9IP9suXsK!8I^#<@`8_ZgYH3m!GIG04uyp!ed3I{LKlw3a!vNnN
zl~6Fo`hTG(J3_qG6{s}_M`!qX
zz473gA5K$~o3RP?9e*ye1w9e8u?vqPstgsqZsUSUhZRJZ;2Vb1N0U~<%yi$;$E{RF
zO*P%;RdQZ*yb&zcybpFBu94&H9vEC!zDVEDdRcI6F0s1Ut-d3Vg!Bp}Tp&p_B)X{V
zk`?(EYW?jf-S3ht@z5F?KXF6*ARC(3SNB$w<%<1eS2F1Ix%yptIa_$
zML8mGUlmoJ_#-$Ry}TxsPU$gtHT43g(hm`=S@?eAVGsV|rT
zJ5>j?nb~X*OuIn5H5)kll&xK7S&=*ant%#KO?4*r^aYP+iy|V&p|1P6Pp@icTR;4O
z!o3O4nt%3+NJyqz+_5zN>fzi+Fq%0{k;SP~>o4;%*k|a9D}v0BS@o(sj<%`%H-Q7?
z4&pVgGkcb|=%LLddhDS~vr=7Y)XLN)jhco+JVg{c-DwvjBMEaQ^$MEuR`<2&Pi^C%
zG{9#S`TjdJ_R!!6Jd&4bO1SBkQ^g$|GUGk{-4o#bK8_4?A2N1}@k>cGfVQyl
zbiK;>e|2{M#{d0iP5+yh{HG_}Ct6(P{5Jf1+UeggQU6&}t(}~CMSH6S@5l3K<51yC
zvuswqb7r?>VRw1KXxW#-+wdE3St9%SRkX!~M`Sf`c`fK}4Il}sE*L^?9?nBp*A5QI
zUDa!I)dO2JghBiZ*^X;Kcb|#7=z}3PM6Jzqlf0mllY7?>M{ekf^oIaEHGsfKsF(ox
z@7C=Wkw)2PneF8(e~3PtU%eJxaG2AbHGbnKWVZUiPYxC?fk-6XeilQH^KV9IuYdup
zT_Wr4No1
zw)>Gyw<+JhL340GqM@~+sL7*@Gxy4AN%>V7WOQ}ICHNEGKAafQ3`hV`g0#eNQf$$3
zl4o$$k1y2T;KrGrU?z{Kx$nz#Wz%<~f%8e^pzcNfqTB_KO9iW8hVNb-vWg)3{_$C;4BVjM*gb8mZL)gIAKQHFXU4x#lW;Szfy_Px5z&)tqzfh-!szz-=(
z`TG^}=Qden?SS=JYR?fz%h4{4056w9enisXHi<#lz-C}M3}86|>@{yRBuNDse`W34
zY?)^G^@yHSw<}=OtToGM`Fxf>top-Sh+TI{&W~|`NERjqm|n3}^5LEUqV1uZVih@b?v
zRolwv=q)!~NtHEv%J)NiTZY3n^HN+>Cq2rv3(@N1W*=p@RXl9Ewf%~}D=;JwwbTMh
zH~dbKDJ-mJ_rQI3Lz!atM>Fdt4ua{|5EPlUZMU+l<-J=%jA6_6FZ(RxQBPkS<%f?=
zc{a0;pw6!^9x#nAO;N~k{<#L^E58~e%r$USVPX16ho0E8OyhbB4Uv2MhSq~d8@jv7
zPMI|GhdbUr2I~hdKc2$7$vwGG4!!MEhJApqUV$xNXs5h)jvF`zkn$A3epxJPW6!v}
zk$rYxzE`H{!OEK38k^q4Iopt{ugZ0BK0iEP<%&TbGxSe;rDMFQsH$WgsPFJ9_SCl~
z?v~qt)$NlbOE#z-CPxU4Y&=-=$SLaR^|{`Wy@=5<${7k@j6hL#OenAzvA3~
z32Mc+2;$K9-!}Oa!q4}LE|gkQg=vnAabzA%;wz
zQ!{P1PxOzsG?J1)>#9rdyu2j6O%h}(`CCAve)Bg)3a6B>kv3e74zMaXU{?7r!xWu6
z*TxSYp2QVPBk32`^y2+$FX}}#AVh~3-(V~YLxYMo4KNURq|ZU;CPs`#IWM4
zKs+}J^l|Sh5r%(S*X-St7p^jxr;cOOwj=-vyZ++@(9LF6hfPrf!)?d=
z+zfZYeMBCf3s}!e*}JXQ8L=t#OqO!7aDB@UE8p#0jp$%-?NjvU!thMCDPCg
z9F!cdXj7fzqFeX@yb%nwDnZok!ld=2q5Y$u?`z!0+w&ZN>?|N
z21AWE7rWn*Sr<}LBHcKG>-MU&ksFj@7F5QMba-q9-BtemHs9qXB#cGOPWwuA)`PC(jQv9N
zeWyddf}8!lRifu_PIk$%LCQ67*ueKIfcBCd<$f{+J}VApXS$yIx-!4q&6!(QBEJ9f&Q@=2iXi4jO1$z=
zZP#Iv$B6@MWo`i1(j)=dKM9C-TpnFiVNU1o9bWLhT1h}S7oWn>TB{)
z1^n<9Kv9sJn@*-Ht<91_)sP-cX-!V46*Z3^Pn}X5K#=0SnU(?DpTr;vKOT!nasmdX
zpDc*{X#{?qdsl18z>XqY=-wu0xl+0?qBH^y50!`8>$a-*FP#t}{o1{^(8|Sce|Lk6X%{&JjO4WVfB9Y^G
z&OQCz-=SBACML)`%6zQ=8j||Hop{S3XYXL)+X@Eus04MPgOI$b4918WZAtqaH&#z$?HsxL)VwhNz}A*GX
zbWLXxPI8B*1XA#vCz!*Z*N^7gdfcEFP&S^|LDxd|fv%}%9|B{BrQmP=sAxX~@S=+^
zJ#@5Rx5-xpCK_0HS3!~)W6=TX;5b=p_G!Vr+zoG)
zq@16{9bnuak@KSr?$C#6_i@hdZ+Dub4`WO^Q)+m}K{(pR`!OP|1w?i9a+!9DIxwnxcUZmUSy>~%@q
zjuw`$Hed@?n5?T7$Zq{gJierGEF<)=%F{I<>|{pFydhzwJz=s^ypm1c3*y_p0A!DD
zqdKYNVrv`MSne}@N2QrJk+WNdxDc^Wf1++7I240&g=78z6Pc<{9};`^N{>rE2*a=x
zLh{Lv$G#qy77Iu<7P>qXV-IdZ{%zQ#jd6kV+iOCJtxY1(4xB?@XrR*7w}VeYdx7!v
z3xR~259F}TxuW_5FAcXi64y9kyMj&1qN36iK=bF=im{j>N%RZBCw243E(gS;ip4Iz
z@?(Kdl~8+*m=&ukJ@Ra%e)D0#;&~rh;Fl)FJ{@`t3X0c5
zUsfZPC}`_-CUezpG~xU$(Ct@hA!CSJzu(psd`B!5xTL$i;Vdy%ayaQ&=z`-ZkE8g^
zBI1_|mC1!tpfJ-&sU~v?(Ii%Qi&toadMkL4v;5$O!T~YHH?1*S?+%IH50a|cdl=?8
z{@Hys@nn9Ky)~AVb#3EEbBRbOQxCc=)_s-pO{ScbWAE;x33}H!b|Zla14q)vPZriE
zDloE{6;6ZrU08IvddTVzCZ$!P!)a1Yfo8v--3#6pYj}{`d(ChRUE#P$!cvQD99vXQ
zj_nf8-(T5rFPC}e0JCVs2(w1*jNAdR|M!NN`Ilys&=)Vqx9wAf1;1;XyNjNut!Tj5
z-^<(WL|bGBJwSf`SeRq{wdnZ+R45R*ZZ%zkqzs+p27V$=FJQAoL7hU{xw2E$QPB7Um_G&irg2nn%pVFIX%+6
zqqFgE_wFWZCZnea);nXWD3r5qtg@ed0!Q!M@z}J;51YDf?T!Fm{`gj6R+y)l|Q{nE><*VE^|+d`giy_5_Qx|#`IDn;GmEE(63uDTTPO*}cY~fOU}@n|xM}qy6&nU#M05yyk5PXgYFSEy_w_IP+VS+A~=P$iXHP5A(wkFL%GerI-hd
zc(VQ6f-W&X2>v8#T6*!~TJMjT&pj`-{4#SQb7S3uS|I1lZsKnFj`bJzx@b=#?_^IW
z`*IGzj4J#s$dY%t;3lSAtp6X(dk2y3F?9`ZlU4$-B8P@@y%CM6LeHDdTg?afzR+JG
z7Tt@+U4~SHD_3=AzsWsEP|aO740nj`j;3b#gO?1J*a+%UxZ|t^H|ozyhQvM0QGe47
zXp~ZV5DH6b)wJl%Vh$#dx>`Xm%%kT`fyIHCFC<;l_a
z5wd%Kv^JGKqMxmw{S^GxUt(B80dg{k9}RKaIx^U4hddHf>z>(YY=u-^YPFkq)W&3d
z8jeVZ}XoIi86F!
zW9JqCQ<47WWs93%rf!PY=iQ;BQpA37VhUa0TTb9V)Ax~2fqdQgK=?z-!-*PF0gzn9=1Lr?pe7>xr5^B6P6`_+vo|^9eevlai
z>(yfJ){C-Kn@!6OrB8iN+5GB#b$eL04=LWDyJR}DH0w<<8bb|+PprfQh+?A6(Kp}4
z3C46cfFg`X_bog_)VTI$o)_P{PS~YLqM4
zcyUN17ONmSz;y23)Vv061oSa`6$;^=Y`T@DmL7M{Y8Ld3Y9^Yi#;4wfzCV1+
zzdSozOH<=~uk(+RXB~j&XGy`rt|(#iL~(b4=;6=5Jq^BfBHALL%Axo16p#thNVUAJ
z&SD|+1*1pIRLro41ygA$KY>BInfc^Ix;2Wb9dZZOR|1)#?KM{nG%i$wV6hk#6${Wu
zt>3K9^>rD-zi4qLN^WiSwv!>E$6EMiueHqYNv^7r#}V~yrv8d%xjvL9qOg=rPK8s?
zFPoY9zop(Xt|8z{aJZP#w@RE5+n9i(8(@9Ct<_4vE^sVi%X&F0miC1Rv4#9TpED{3
zf@aQg!WKik?Rr=ky)Ac(Y#3)Nz=27xVwamM#Qm>uEC9|QFb$H!my1oC*i()7$IQ=(
zgmbt(r>jw`
z=5^lL8n+*80kWoUWWWCV;%@rG9G6Ag)1(?t{N=YwLC@dFHUraN#gxPjyMTB8b7dqo
z)6@Ux!rmU6wv)P3eB(RxRV=LozrFQtaOY|kXV?*mVIW=kxA*`;WOWzBL0gaB`eDug
zG)n)kMtT3`Nz~q!ON{}}?cJ5sn!49E{io^Dq;C(@4!c5u)%QO0H%#8uiP_LyMDTgwmA3A1yM+<=gMr|LY*
z1k8o+Bo#7U0u_R^np0KAS+(pV`)gN-T7WcHeiUZ&h(}2QgP#95Fg28aqz*yrun0QJ
z*f8;_JJArJN)G_}$u5Rq%22nY%C_=gN5$0sfM-5?H#?4q(Ug>nxnqr&2T$%+K58g|
zOi#^-u-VlXcg-aBdz-MXc4SByD+(Kk5BcRe9J<7$Ev~bYd$4ujJ(49Xf0>B3Loh9`)Ko%u0!FFPiolV-cBIt2^o7?@uQSM%Px)>;a5ngD_Y
zlJw&)1SrBMC
zSu8fi*!C!vJyPy%lP6O(F~HK~4(Ufb39Fs%iAUG_-6pfWwtotybPfey=HVcbUuH1u
zF0g3bgG>YD=)}Xw`gePYGvCXtMC$-DwR#7Tob82@lObH0i?M@TwGUv?3yHhN`CiA&
zpqo1ko@P`=AGhCh@B21!j1cB3|>V<>CF8^UR%8Vr{H=i;KUGG7i~GDg}5e9Xr#0
z=>1GHJIXYeI0xi{QG%yVfi_pbAvo%!aKuU01%J*APM2iZD-@
zCPpN9aH5Fa^%%Rk9hh1A)Ut7L$#DEgcseev&R|rK`p((gqurpPr#5fJ?G-9AQHkrH
zNcl3Go2=sVxm>sQr&jd__0)CxVyP8Hm#)a!%RlksD#UK}jTg*Al`qL(Mcx~1JKe|j
z0$1N3+5-vW#(aLBJS>?W^>I7YSA9pN=(6|B#7^RDe^SAW4M(VQ|3gsZ3~g@l>Iuj0
zUTIu^v%aam*4xA(ZVCMx{j!oz)uAKwn-e}Y!q_LI`!nX#;f3$7+z`pQiq4R(QU*O-
zV&2P(_5H2d;oUcWseAa|ZvY!w{rctK^g624cWjR`2K2f6ua)n+I$$dSK1tMibLAr0
zJA{tw_ZiR>MPAM4_mL$d{W;8q3dcdEuXRsO-hJ3SbWr&KMQ$3kL!e_UlP*=Y3rxz&
zre(}v55A)*!A)Klk2-3gBS#qD3?O5Q4;#eg23OX*Gg~^MD)!4?WNs@-A=DKV#7lji
zPf4j;Cnvtyncmta#W!jtaMyi=&k%|3MrR5=9vNNf_b{JOm=28(kDonx)&@(s(gV2?
z0q2{y;Brx>p%az_%@EZhe82gdg)cK+%jt20sm{bDGrgS+$2@jG2-WCv#wWBav0XbE
z6CdjKEcdqIB<(H7VL*PrUeZF@kL5IMqGG{-F&5qaNbrPt0Vok}j;-uk*-!LPNHcnu
zmrq3e`7+CPC?R_C2O_R1*>@Sd9#RrtPK1O92vNLY;O2end`Jbl?{nUv@8
zVuCU?s%wLiOPQ9W*jUBK38toNMljRSgJG0fl{x`BqlXTCK68X-xN=PeU$!~Tlk*``
z6Mm1oFa>>{?D2A68XZkBuB2wnVXu+dP*cAMr)m{yn$BeB4$kRLZ52`Y2-IySn>Op^
zuF_A8Z@9S(>TQ^%5z!el%r;QJ4ROM*L^@JyIRZ%4N;^BzUWRDdITKG2O$pxwGF!Jz
z+#Mt?I%+hQ-7?AV42|F_ZXSpOszg4RgH6U`+8S!w>GQvK#HI|jmlWiBJ_wCl5td->
zHpx%EdC$X>8vo86fQvZas6?Pq|F}-a^)zm(2w&GbJi9xsGu%UHL2sa$7
zZd5gbni-Uu3bJIIDI;$alhOqFFW}n!Ek@PWlAY@*%DZsR+0b0*kt;CK^=&*OCa$vHAR@(lH1Mvfse_P96OxqX4pX)!EzxmwSOP_JHffNm=
zJCE}x&H3EY57Wx$A63>0j6xV3N^M_p1f}%>=s5dY8QBP!U6Fi>cvoG-uQobd!9!8*`o;CgygnFd(20w8f
zkJFCWI>Uwe{1n4V(IK*%95=ygevK!c)jImBm#{J-b%9{f$
zh3PSF$dtmQhbQ(tH(fSPHt%<3=1rc_^RrEr5L0!`5gg@_P#;$o
zjzDUyxU&N~JBOpRf7fO@EvhDPoVDrcav5C6e9(UK%tTs}sD8mlQwe+4Jdu*cj#xBBX}>~-nqm#m=tO5KwzDMghwH#}bRsi@ox4LAr~rTjjISDgvmdoqTkF(y-)&4$apje0TH?
zY_ZD=mgGY>Rg#rTOtrN-vW>Oy6XMn%bYq}$K>rBq2;|a%fm6i6ciVb$$i(2BR?%*a
znF80HB&#Z=xTObUjRqzH^m#)3ihy^r$}S3fzgt|3IkMGVbV}3+S0w&e?ld=0q0J2#
z9}(>;*;PjKgN`|*F^`vl3wOwQGQN)Jx=X!Tgr?vSIvvGQZWp%qm{*N-(
z>875~jY35PaPRuNF6-mD@mZ2)hRKf%^QWn6K;M4XXx+VsstjEE(qy%ah~y^u-`)kf
zw(-AF(e;0Ts`TjjLIjtv;;&zDx#8*!o>k;DJRWsSxzkpFGJ(i?NAatV72G_k?M&2)S#PSTiGf>vJGELIH`teUMo^&+&9)=YCQtWL$FA{J0iX9g3o7>SWnZP&5%^
zVIHmG7feVsWvP`9_dHEXQMJ&phntr#QR~AL&()1y)%9}at)njL1fM6&BCKg4S;aFx
ze=p$j>8x_DB~}l0iO~T`s_B7LY!qS)^9u<*O~E~RB^UXSa3^gA@8=babVyB`wSJ4A
zG@p4=$5eWVb1NYpf#;|_3~8C`9D4si*r1Y)WE;OCrI2dzdL!|J3v3tX#`+S!Ma3N*
zP-X0}P=Y>5&tXJ%3oahQf|T!&TI@*$3+YJ{Jdy?5p5rvWpRD9sYd4xDZ;Xj}D?6ooSTljrL&4Gv7mQZkE475W
zispTP%R4M=FU#Mu<_%8@;kEpiS;XE@){IhH#R%y!i)R>KZhbs8WqM0&_a%=!;*tDm
zNn%Tqw)}ZZi>#mro?R7tT}lQ!8yAzJ-gKfdbo?j5U-`K{Pid9X7iy(@wYTXsc?u%;
zkqJU_^)&YeMYV*0myLkj!ENjA!pqFjs}p}z7#p4u7jxlgoB*eYtZHlTi1CGhZUMVp
zc#5bI;`-c_me0GW*zA;ZpL&GSIS^v>7GgU
z*Z2PlT?+P7LOYG`asRS@Pt`2`t7JgfaF55ae7Y>sVkRqPVZFki`v-Hz*ZqV`4IDux
zD&%Cc{k+*OdUUHO$AU_Ejs`OE$qH=VmcG9-OE65cR4+*^`h+MLpKwFo;Td~ZeUHo5
zO0UT`7ZC6Gx)4ku;M0J5G#nG&>lKyiN9iDUR~L2D@)QpZ
zXzuK1q;T`T@QWmd+bRN60x2WFO-R-NK8gIhpsc4;qaB;NUZA1;AuOV6!O@tZd5rch
z9Ch$;s|s#_e;?5f*=xEDupbj-SYLgYj1?s~&M>pbhT40mVc~-R38!(2O~p&C%Xhqn
zU)5>bd~%T((e3rvb^hm^PJX&(1ZFx&JqRrg3v_fafA?Xyi)yyH={%`&1A5HSGabgXKP1OGktQO5vCiS-ika5<&bUQ5oSqgV=dqN&a5XG?yKC?vyZu;gjK^Srch*#QtYUu7*b=&hhsZ!o)BE4j?P?hTXh*L>d<$coqGXlU@iN^Ob{tih{l&3^PZ1U5qr$^)!)5-F!#JcIc5NYYc|cW`TGRXd
za#nHJ0KL7iCfKqU--+)0YD^7HXFs`w0jT@}o*m%7I>Loh9
zj%kF6SiCp*9$N;z))CfnM3J>Lp+haSQBOgkfpWk_rVewZ%$n+eM>8{Q;O(5ple<>37unmL1&~HvjEodC$uyQJrNtOp%UphiNh;hW_rM(KEBZjK
z--57aOCABZoD1XD5)yeDV|h
z$X>;mO%~6t{~emtnCz3jlc>ra)e6k7)C`T@R;Doqz|?-w^`Tp4ijV8Eu4%P=gJv(i
z({zGWH^0NFL4HpfOOk&7Rd=5VM*0tX6WRVXP6PsShJ?@$_mrNy(Z><-TH;Ra`(6=yvK|wE)Zxug`D2tr!BjuIGFmn
z`VN(G@iAtDml`EANBLM3!|q(vvg*d@t$BcJ$fPCmxBF<__IKG_N^6{a*wkZ9c9Lr?
zM~j;&D|7+WQd#A!5tL04ElM@;>>aB)h8k(x4etnGTr8GnaXs53o-?TjqLSdBE3E?>a8N
z0#cqe>vv7*E?l%l*B*elonrL1gQg#W$aFOkkQ;VOf1pw!jFJ+38}$6=t(cX;-=IwQ
zQJA3HFaI`N>A$%+p{jrbCnPq^O;9PC`ZU+jqsaF%cc6eQHf~r$v_$aV8yyk&yt0JV
z^u{6<7niwAv;;z3+P9I2Xb&p6ieI=FX9Q5Xd(rcxpK9C-jY?MU@>7Y2-R35?rCj*a
z>D_XZa+iMv*~Q#gK%W2Y{&;6X58&yL<~r|orZXDY*In_S*qY)7PoxFHU7uSW(rR2VCU}R(Kq+2?KCkfMUBDw3lx!ZSI?f0FVGPILM
z5Q6k0R^6tP_Kt5eScVSrX6GRoZoIjuYo0zJ|Fy&CJe9Ma@gx{Ao&9Wby^Mch>3HaC
z5b_t`)?tfPRgM7Ry6vHlaol^->5IoxrE?Z6&$@sA
z=&qQ&+gEo!VpD}AULj`8sD(RV9=NJc6yZ#aQygg{xajyw0JfCuiI*j1CX=V8Kkt6h?Ifpx
zSxB1-B{eSh_w6)aQMHHsS}*nJiG;^9G(7=&m<@luJ3j_pr~a0bs9IcFpC9=J9^F&b
z^8$CNj+eOX^^K=AI6tup5xoYd<_rM~N@&&P#XSy!ah-Ax!Pgz;yyXk-5Y+%w`tlEL
ze=g?uduorkW_!ZrB*pQ0C%Vp_KC>0WOPnb3UYcIuvF
z$KuI6J+O8b)%MLyUd1K5T;2JpDQ>VoJ#3v&Fss1Z-EqrM`uACN(oc=$QD~CK4u^I8E0#b|R0x@&g+37(~I&$DqE4l>oI#F#b@4)u+t!C}Lf?FMiuX0HrFu$2nO!^8mt-TtnU8bHj)dCFU)qAqzmM(c_?R)Z@>wk<
zPD-Ig#3-SjqiG1MhkxWtN8d7=%-Ct6XYOaykH_-s_q>tC;$A>ejkO=G>dfDv=ikmx
zxy;i~n{-C?ZFJ)OzH2*EGW+~)!PVr({l3#kUCSDFPHSl^H+QIH3ScIE@%7!8HysE~
zw>$5)lPGfK{4cD6rW|VziB}$L?X5A-Kd*j6t%SV!DwZ`sx$SFazE{U-BZo3S>zQe8
z#e(DY0%6q6ZeQxI9v}2E|7Xv^oOVLye9uGzFc_BC6!&`rH@FlVPDSyb5f(UcVk%dRfn4S{;2{{JbDIdHBySh~
zn+AZ3|9$E!ZhN<|@J}Ynq$!jOaDA31#~KOl&mNsyb?w=%q9*3TV)hkQ-LxTq)LQ{n
z&@*LHZR&bcAb-o*8J%cADMc&%WKqbd-6hf~8Lcd(_(G3xQ(z+fg8UBvN+_YM@;c+G
zMtMhH^M4j$R;gJ$4HW?~h6Il0B_>3F!MbJ1>%-2M|7heWnHnG0&>@&~@L%0u=~?U@
zKQ0l{iV9K+ZvPI@!ir$22Q3U0G?%a*auv~L
zvZZdGA1mgEBGws&l!xiqlmxAUDW9MBBDQ^wH^x-%YNH*$VH=ql)u6VkGiK(GP^lCk
zwTrwg@KsADZ9f}g73IpR*d_p?Q*Tl1NIlM$MCeFD)*@{>fVz+q#Fya`1Hc5gw%E}E
zNj}jQI{Arxoy^tR)y70US`;1zHh{|kQY0p=l<8BLRDSu7ec{Sw-D`H0)6<{nie8l2
zjGgRzT^%WBC(R9kl44VF!mA4qAbGk_yfq!?S{?RX#O}aKf5jh4OUA&m754xcC`HZw
zZRPp+t9()zI7$zr+Hg=DVNC>5wx)*#7p^~4-BQJ`0L|K?TW8__P~^d)1o>ak)kDBO
z{w;bw!jOM_tPp*}_P!4UKf%gFM;W~#a*#t~*QtLBB~(D%q5oOLRIINK=W&8&hJ!AM
ze*DQ1w||J=Tx=p*1eI8x583dWLLDj%o`6m!4_2>bQYVbOL*o{=gJzPqU}m7`>A=1j
zw{uOmWbnM&z~25D`M{%ZM-Dot;q9W<)kWCLn=Vw|1^p8el(5;8
z#s0fYmXVt}!Yivo6UW)sbXc5zB5_ZA#xX*wWMe)gx|>FWW`{Nn{MpwC=-c>bUm{%D
zn&d9O$Z-_cOWFC}{aS$dQGAZbv>e^`SA%`XC4E|C^4yP!$&%x`v7bF4WIt}ZkQeN}
z{@!Z9cVa*yaF}?e4XBM8Pw7PF*86<3>^PGWRe*6k_{#_EU_0dV>{Hb#$jOB}pQ_=?
zDwdT9cOU+ObDIr^l%T(aD)E%NsWF}68fnP4sDF5qk;daJ!FgA@!W%myj5`c8*h-55N`$sCHPFRnkVsTzgdzOnP$)9_#-hyoZnmk)I6vj
z$0C}f4|{0HPZUF1rH}Z7K_Fk@(n_{jt_+K*A;7LByM-of!!s1rFjxX+G@dOSn64?%%Nm@(_q4)T?>|eFRk{_
z2ri3_n2XTEf*~-2(%dX)KsIq!0$K?I>EsGvo=}U5J2!2Oi-%rd6;>=_cLls>OzRcHt%t<6j$!lTc@oLCtVn{?yFMZ;Na9S6_D+
z1!=r)27xXJAX+WyHZa0UkCzzNuzUa~8{cwyvVXSVoS@XJ+N>FJqR5BNlLo!G2*VBB
zYw+lkYbzklX*U(%Aok
zOA9GL|G!#j|89g>!@p#sa|pt~;y)h~XGH%J25Z6NZ&fQyI3gXIMiDLX@cc2;Io
zN5E@xeo%ID_I}&~VO9fn>jumtn_@oHlvP$E6d0-`^Qy?yStV^;b#AmlMY9=6A)d~=
zzV3?nWfWJjW0-{klo*j8zDN0~n2<{rK+_KRF~tyw)IAWnKA61gwWBWL%#eRWMY(sd
z^|UdClWkG^z2EZMs*HbrE94l59f3Pam)tMd&`L6`D!s>{aKtBlHJDBdGa%8`^v`;&
zqH?swFPYU;9T86mY+Uc8bhm!nTw4kd1S-JL(yPZsy$p`kmB#8Fv}=B$A<+h|8=Mmx
zAhAUwS8|j5U33`0_`+Cm2l{c1eNBt5NJ{N~;Tp4>T)O-U?dKFF3>5M;uMELOy}U$S
zX;&yIx*}cS#nobS4-IB6spsz)d7OLAfAkN^UyBNkXQBL?cK2TiXT8d$Gy4*+-j{Ma
z6>ZWiB&9hAWVr+Y>V$Xht7<~?Mi|h}DB<+>TObuJ3?J=o<8w#S=J&&twsu`6=U;dI
zp=yKI*4r)tiWbOr;Wv*}k>3zRy)M{11kRO~)XNnu&i*qm+?0i;VfA1C|4(9}+&a>h
zodD9L|6(VHS2O&C<|EWc1kF78N{4N{g9!;?o-m+_^piGk%cRx;?d;vKmF+_N5;QVm
zS2KiU`Ok8l&9IFxa(^|N*IqXJ#|dg)Dm4HN@QmS2$eY9fvr~5sOMz#g^Ji>NSDf<1
F{1ZTYZh8O!
literal 0
HcmV?d00001
From 33cb1fc48603821b47e28278503420c57e3ea3df Mon Sep 17 00:00:00 2001
From: illfated
Date: Fri, 19 Apr 2019 16:00:19 +0200
Subject: [PATCH 07/12] Windows/Privacy: change formatting code to text
Asterisks need to be escaped in Github source text pages to avoid being
treated as formatting code for italics. Here is an initial attempt to
resolve the unwanted formatting by escaping the asterisks by preceding
the asterisks with a backslash character.
Extra detail: typo correction, "micorosoft" => microsoft
Closes #3304
---
...-endpoints-1809-non-enterprise-editions.md | 88 +++++++++----------
1 file changed, 44 insertions(+), 44 deletions(-)
diff --git a/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md
index 370860330f..b6be3b5acd 100644
--- a/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md
+++ b/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md
@@ -40,52 +40,52 @@ We used the following methodology to derive these network endpoints:
| **Destination** | **Protocol** | **Description** |
| --- | --- | --- |
-|*.aria.microsoft.com* | HTTPS | Office Telemetry
-|*.dl.delivery.mp.microsoft.com* | HTTP | Enables connections to Windows Update.
-|*.download.windowsupdate.com* | HTTP | Used to download operating system patches and updates.
-|*.g.akamai.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use.
-|*.msn.com* |TLSv1.2/HTTPS | Windows Spotlight related traffic
-|*.Skype.com | HTTP/HTTPS | Skype related traffic
-|*.smartscreen.microsoft.com* | HTTPS | Windows Defender Smartscreen related traffic
-|*.telecommand.telemetry.microsoft.com* | HTTPS | Used by Windows Error Reporting.
-|*cdn.onenote.net* | HTTP | OneNote related traffic
-|*displaycatalog.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store.
-|*emdl.ws.microsoft.com* | HTTP | Windows Update related traffic
-|*geo-prod.do.dsp.mp.microsoft.com* |TLSv1.2/HTTPS | Enables connections to Windows Update.
-|*hwcdn.net* | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates.
-|*img-prod-cms-rt-microsoft-com.akamaized.net* | HTTPS | Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps).
-|*maps.windows.com* | HTTPS | Related to Maps application.
-|*msedge.net* | HTTPS | Used by OfficeHub to get the metadata of Office apps.
-|*nexusrules.officeapps.live.com* | HTTPS | Office Telemetry
-|*photos.microsoft.com* | HTTPS | Photos App related traffic
-|*prod.do.dsp.mp.microsoft.com* |TLSv1.2/HTTPS | Used for Windows Update downloads of apps and OS updates.
-|*wac.phicdn.net* | HTTP | Windows Update related traffic
-|*windowsupdate.com* | HTTP | Windows Update related traffic
-|*wns.windows.com* | HTTPS, TLSv1.2 | Used for the Windows Push Notification Services (WNS).
-|*wpc.v0cdn.net* | | Windows Telemetry related traffic
+|\*.aria.microsoft.com\* | HTTPS | Office Telemetry
+|\*.dl.delivery.mp.microsoft.com\* | HTTP | Enables connections to Windows Update.
+|\*.download.windowsupdate.com\* | HTTP | Used to download operating system patches and updates.
+|\*.g.akamai.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use.
+|\*.msn.com\* |TLSv1.2/HTTPS | Windows Spotlight related traffic
+|\*.Skype.com | HTTP/HTTPS | Skype related traffic
+|\*.smartscreen.microsoft.com\* | HTTPS | Windows Defender Smartscreen related traffic
+|\*.telecommand.telemetry.microsoft.com\* | HTTPS | Used by Windows Error Reporting.
+|\*cdn.onenote.net* | HTTP | OneNote related traffic
+|\*displaycatalog.mp.microsoft.com\* | HTTPS | Used to communicate with Microsoft Store.
+|\*emdl.ws.microsoft.com\* | HTTP | Windows Update related traffic
+|\*geo-prod.do.dsp.mp.microsoft.com\* |TLSv1.2/HTTPS | Enables connections to Windows Update.
+|\*hwcdn.net* | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates.
+|\*img-prod-cms-rt-microsoft-com.akamaized.net* | HTTPS | Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps).
+|\*maps.windows.com\* | HTTPS | Related to Maps application.
+|\*msedge.net* | HTTPS | Used by OfficeHub to get the metadata of Office apps.
+|\*nexusrules.officeapps.live.com\* | HTTPS | Office Telemetry
+|\*photos.microsoft.com\* | HTTPS | Photos App related traffic
+|\*prod.do.dsp.mp.microsoft.com\* |TLSv1.2/HTTPS | Used for Windows Update downloads of apps and OS updates.
+|\*wac.phicdn.net* | HTTP | Windows Update related traffic
+|\*windowsupdate.com\* | HTTP | Windows Update related traffic
+|\*wns.windows.com\* | HTTPS, TLSv1.2 | Used for the Windows Push Notification Services (WNS).
+|\*wpc.v0cdn.net* | | Windows Telemetry related traffic
|auth.gfx.ms/16.000.27934.1/OldConvergedLogin_PCore.js | | MSA related
|evoke-windowsservices-tas.msedge* | HTTPS | The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
-|fe2.update.microsoft.com* |TLSv1.2/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store.
-|fe3.*.mp.microsoft.com.* |TLSv1.2/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store.
+|fe2.update.microsoft.com\* |TLSv1.2/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store.
+|fe3.\*.mp.microsoft.com.\* |TLSv1.2/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store.
|fs.microsoft.com | | Font Streaming (in ENT traffic)
-|g.live.com* | HTTPS | Used by OneDrive
+|g.live.com\* | HTTPS | Used by OneDrive
|iriscoremetadataprod.blob.core.windows.net | HTTPS | Windows Telemetry
-|mscrl.micorosoft.com | | Certificate Revocation List related traffic.
-|ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities.
+|mscrl.microsoft.com | | Certificate Revocation List related traffic.
+|ocsp.digicert.com\* | HTTP | CRL and OCSP checks to the issuing certificate authorities.
|officeclient.microsoft.com | HTTPS | Office related traffic.
|oneclient.sfx.ms* | HTTPS | Used by OneDrive for Business to download and verify app updates.
-|purchase.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store.
-|query.prod.cms.rt.microsoft.com* | HTTPS | Used to retrieve Windows Spotlight metadata.
-|ris.api.iris.microsoft.com* |TLSv1.2/HTTPS | Used to retrieve Windows Spotlight metadata.
+|purchase.mp.microsoft.com\* | HTTPS | Used to communicate with Microsoft Store.
+|query.prod.cms.rt.microsoft.com\* | HTTPS | Used to retrieve Windows Spotlight metadata.
+|ris.api.iris.microsoft.com\* |TLSv1.2/HTTPS | Used to retrieve Windows Spotlight metadata.
|ris-prod-atm.trafficmanager.net | HTTPS | Azure traffic manager
-|settings.data.microsoft.com* | HTTPS | Used for Windows apps to dynamically update their configuration.
-|settings-win.data.microsoft.com* | HTTPS | Used for Windows apps to dynamically update their configuration.
-|sls.update.microsoft.com* |TLSv1.2/HTTPS | Enables connections to Windows Update.
-|store*.dsx.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store.
-|storecatalogrevocation.storequality.microsoft.com* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store.
-|store-images.s-microsoft.com* | HTTP | Used to get images that are used for Microsoft Store suggestions.
-|tile-service.weather.microsoft.com* | HTTP | Used to download updates to the Weather app Live Tile.
-|tsfe.trafficshaping.dsp.mp.microsoft.com* |TLSv1.2 | Used for content regulation.
+|settings.data.microsoft.com\* | HTTPS | Used for Windows apps to dynamically update their configuration.
+|settings-win.data.microsoft.com\* | HTTPS | Used for Windows apps to dynamically update their configuration.
+|sls.update.microsoft.com\* |TLSv1.2/HTTPS | Enables connections to Windows Update.
+|store*.dsx.mp.microsoft.com\* | HTTPS | Used to communicate with Microsoft Store.
+|storecatalogrevocation.storequality.microsoft.com\* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store.
+|store-images.s-microsoft.com\* | HTTP | Used to get images that are used for Microsoft Store suggestions.
+|tile-service.weather.microsoft.com\* | HTTP | Used to download updates to the Weather app Live Tile.
+|tsfe.trafficshaping.dsp.mp.microsoft.com\* |TLSv1.2 | Used for content regulation.
|v10.events.data.microsoft.com | HTTPS | Diagnostic Data
|wdcp.microsoft.* |TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled.
|wd-prod-cp-us-west-1-fe.westus.cloudapp.azure.com | HTTPS | Windows Defender related traffic.
@@ -111,7 +111,7 @@ We used the following methodology to derive these network endpoints:
| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. |
| location-inference-westus.cloudapp.net | HTTPS | Used for location data. |
| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. |
-| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. |
+| ocsp.digicert.com\* | HTTP | CRL and OCSP checks to the issuing certificate authorities. |
| ris.api.iris.microsoft.com.akadns.net | HTTPS | Used to retrieve Windows Spotlight metadata. |
| tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. |
| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. |
@@ -127,10 +127,10 @@ We used the following methodology to derive these network endpoints:
| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. |
| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| *.telecommand.telemetry.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. |
-| *.tlu.dl.delivery.mp.microsoft.com* | HTTP | Enables connections to Windows Update. |
-| *.windowsupdate.com* | HTTP | Enables connections to Windows Update. |
+| *.tlu.dl.delivery.mp.microsoft.com\* | HTTP | Enables connections to Windows Update. |
+| *.windowsupdate.com\* | HTTP | Enables connections to Windows Update. |
| *geo-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
-| au.download.windowsupdate.com* | HTTP | Enables connections to Windows Update. |
+| au.download.windowsupdate.com\* | HTTP | Enables connections to Windows Update. |
| cdn.onenote.net/livetile/* | HTTPS | Used for OneNote Live Tile. |
| client-office365-tas.msedge.net/* | HTTPS | Used to connect to the Office 365 portal’s shared infrastructure, including Office Online. |
| config.edge.skype.com/* | HTTPS | Used to retrieve Skype configuration values. |
@@ -151,7 +151,7 @@ We used the following methodology to derive these network endpoints:
| maps.windows.com/windows-app-web-link | HTTPS | Link to Maps application |
| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. |
| ocos-office365-s2s.msedge.net/* | HTTPS | Used to connect to the Office 365 portal's shared infrastructure. |
-| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. |
+| ocsp.digicert.com\* | HTTP | CRL and OCSP checks to the issuing certificate authorities. |
| oneclient.sfx.ms/* | HTTPS | Used by OneDrive for Business to download and verify app updates. |
| settings-win.data.microsoft.com/settings/* | HTTPS | Used as a way for apps to dynamically update their configuration. |
| sls.update.microsoft.com/* | HTTPS | Enables connections to Windows Update. |
From 1159f22a0d8aba1cbb33044e1706728627b9a5b9 Mon Sep 17 00:00:00 2001
From: ImranHabib <47118050+joinimran@users.noreply.github.com>
Date: Fri, 19 Apr 2019 22:08:32 +0500
Subject: [PATCH 08/12] Spelling update
There was hypen in semicolon which has been removed.
---
windows/client-management/mdm/vpnv2-csp.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md
index de1463fa2b..3d8006f882 100644
--- a/windows/client-management/mdm/vpnv2-csp.md
+++ b/windows/client-management/mdm/vpnv2-csp.md
@@ -401,7 +401,7 @@ Value type is chr. Supported operations include Get, Add, Replace, and Delete.
Nodes under the PluginProfile are required when using a Microsoft Store based VPN plugin.
**VPNv2/***ProfileName***/PluginProfile/ServerUrlList**
-Required for plug-in profiles. semi-colon separated list of servers in URL, hostname, or IP format.
+Required for plug-in profiles. semicolon separated list of servers in URL, hostname, or IP format.
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
From c96e4a6aae583758f9ea1ef87c9bbf8eb6d66112 Mon Sep 17 00:00:00 2001
From: Joey Caparas
Date: Fri, 19 Apr 2019 16:20:22 -0700
Subject: [PATCH 09/12] update topic with links
---
windows/security/threat-protection/TOC.md | 1 +
.../windows-defender-atp/TOC.md | 1 +
.../onboard-offline-machines.md | 55 ++++++++-----------
3 files changed, 24 insertions(+), 33 deletions(-)
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index 3feed9a1fa..e65fbfe36a 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -228,6 +228,7 @@
####### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
###### [Onboard servers](windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md)
###### [Onboard non-Windows machines](windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md)
+###### [Onboard machines without Internet access](windows-defender-atp/onboard-offline-machines.md)
###### [Run a detection test on a newly onboarded machine](windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md)
###### [Run simulated attacks on machines](windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md)
###### [Configure proxy and Internet connectivity settings](windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md
index 3a56abbd31..bf7a2585b8 100644
--- a/windows/security/threat-protection/windows-defender-atp/TOC.md
+++ b/windows/security/threat-protection/windows-defender-atp/TOC.md
@@ -227,6 +227,7 @@
###### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
##### [Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md)
##### [Onboard non-Windows machines](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md)
+##### [Onboard machines without Internet access](onboard-offline-machines.md)
##### [Run a detection test on a newly onboarded machine](run-detection-test-windows-defender-advanced-threat-protection.md)
##### [Run simulated attacks on machines](attack-simulations-windows-defender-advanced-threat-protection.md)
##### [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/onboard-offline-machines.md b/windows/security/threat-protection/windows-defender-atp/onboard-offline-machines.md
index b6f6a6cfa8..bb3ca24f03 100644
--- a/windows/security/threat-protection/windows-defender-atp/onboard-offline-machines.md
+++ b/windows/security/threat-protection/windows-defender-atp/onboard-offline-machines.md
@@ -17,49 +17,38 @@ ms.collection: M365-security-compliance
ms.topic: article
---
-# Onboard machines without internet access the Windows Defender ATP service
+# Onboard machines without Internet access to Windows Defender ATP
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+To onboard machines without Internet access, you'll need to take the following general steps:
-- *On-Premise Machines:*
+## On-premise machines
- - Setup OMS Gateway Server to act as proxy / hub
+- Setup Azure Log Analytics (formerly known as OMS Gateway) to act as proxy or hub:
+ - [Azure Log Analytics Agent](https://docs.microsoft.com/azure/azure-monitor/platform/gateway#download-the-log-analytics-gateway)
+ - [Install and configure Microsoft Monitoring Agent (MMA)](configure-server-endpoints-windows-defender-advanced-threat-protection#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-windows-defender-atp) point to Microsoft Defender ATP Workspace key & ID
- - OMS Gateway Agent
+- Offline machines in the same network of Azure Log Analytics
+ - Configure MMA to point to:
+ - Azure Log Analytics IP as a proxy
+ - Microsoft Defender ATP workspace key & ID
- - MMA (Microsoft Monitoring Agent) point to MDATP Workspace key & ID
+## Azure virtual machines
+- Configure and enable [Azure Log Analytics workspace](https://docs.microsoft.com/azure/azure-monitor/platform/gateway)
- - Offline Machines in the Same Network of OMS Gateway
+ - Setup Azure Log Analytics (formerly known as OMS Gateway) to act as proxy or hub:
+ - [Azure Log Analytics Agent](https://docs.microsoft.com/azure/azure-monitor/platform/gateway#download-the-log-analytics-gateway)
+ - [Install and configure Microsoft Monitoring Agent (MMA)](configure-server-endpoints-windows-defender-advanced-threat-protection#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-windows-defender-atp) point to Microsoft Defender ATP Workspace key & ID
+ - Offline Azure VMs in the same network of OMS Gateway
+ - Configure Azure Log Analytics IP as a proxy
+ - Azure Log Analytics Workspace Key & ID
- - MMA point to
+ - Azure Security Center (ASC)
+ - [Security Policy \> Log Analytics Workspace](https://docs.microsoft.com/azure/security-center/security-center-wdatp#enable-windows-defender-atp-integration)
+ - [Threat Detection \> Allow Windows Defender ATP to access my data](https://docs.microsoft.com/azure/security-center/security-center-wdatp#enable-windows-defender-atp-integration)
- - OMS Gateway IP as a proxy
-
- - MDATP Workspace Key & ID
-
-- *Azure VMs Machines:*
-
- - Configure and Enable Azure Log Analytics Workspace
-
- - Setup OMS Gateway Server to act as a proxy / hub
-
- - OMS Gateway Agent
-
- - MMA (Microsoft Monitoring Agent) point to Log Analytics Workspace
- Key & ID
-
- - Offline Azure VMs in the same network of OMS Gateway
-
- - OMS Gateway IP as a proxy
-
- - Log Analytics Workspace Key & ID
-
- - Azure Security Center (ASC)
-
- - Security Policy \> Log Analytics Workspace
-
- - Threat Detection \> Allow Windows Defender ATP to access my data
\ No newline at end of file
+ For more information, see [Working with security policies](https://docs.microsoft.com/azure/security-center/tutorial-security-policy).
\ No newline at end of file
From 77e38a31db7f02c8cb9a3d028af55a1052212484 Mon Sep 17 00:00:00 2001
From: Joey Caparas
Date: Fri, 19 Apr 2019 16:29:01 -0700
Subject: [PATCH 10/12] Update onboard-offline-machines.md
---
.../windows-defender-atp/onboard-offline-machines.md | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-atp/onboard-offline-machines.md b/windows/security/threat-protection/windows-defender-atp/onboard-offline-machines.md
index bb3ca24f03..fa757a9964 100644
--- a/windows/security/threat-protection/windows-defender-atp/onboard-offline-machines.md
+++ b/windows/security/threat-protection/windows-defender-atp/onboard-offline-machines.md
@@ -1,7 +1,7 @@
---
-title: Onboard machines without internet access to the Windows on Windows Defender ATP service
-description: Onboard machines without internet access so that they can send sensor data to the Windows Defender ATP sensor
-keywords: onboard, servers, vm, on-premise, oms gateway, log analytics,
+title: Onboard machines without Internet access to Windows Defender ATP
+description: Onboard machines without Internet access so that they can send sensor data to the Windows Defender ATP sensor
+keywords: onboard, servers, vm, on-premise, oms gateway, log analytics, azure log analytics, mma
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
From 4069f16ca288464e663b67b7cb81d2830482bbd6 Mon Sep 17 00:00:00 2001
From: Liza Poggemeyer
Date: Fri, 19 Apr 2019 16:32:32 -0700
Subject: [PATCH 11/12] Corrected casing and punctuation
---
windows/client-management/mdm/vpnv2-csp.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md
index 3d8006f882..2d985ec8b6 100644
--- a/windows/client-management/mdm/vpnv2-csp.md
+++ b/windows/client-management/mdm/vpnv2-csp.md
@@ -401,7 +401,7 @@ Value type is chr. Supported operations include Get, Add, Replace, and Delete.
Nodes under the PluginProfile are required when using a Microsoft Store based VPN plugin.
**VPNv2/***ProfileName***/PluginProfile/ServerUrlList**
-Required for plug-in profiles. semicolon separated list of servers in URL, hostname, or IP format.
+Required for plug-in profiles. Semicolon-separated list of servers in URL, hostname, or IP format.
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
From 6b6115bbf7292077bdd75050c84ba47c391d8349 Mon Sep 17 00:00:00 2001
From: Joey Caparas
Date: Fri, 19 Apr 2019 16:44:25 -0700
Subject: [PATCH 12/12] fix broken link
---
.../windows-defender-atp/onboard-offline-machines.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-atp/onboard-offline-machines.md b/windows/security/threat-protection/windows-defender-atp/onboard-offline-machines.md
index fa757a9964..0cda2cfeab 100644
--- a/windows/security/threat-protection/windows-defender-atp/onboard-offline-machines.md
+++ b/windows/security/threat-protection/windows-defender-atp/onboard-offline-machines.md
@@ -30,7 +30,7 @@ To onboard machines without Internet access, you'll need to take the following g
- Setup Azure Log Analytics (formerly known as OMS Gateway) to act as proxy or hub:
- [Azure Log Analytics Agent](https://docs.microsoft.com/azure/azure-monitor/platform/gateway#download-the-log-analytics-gateway)
- - [Install and configure Microsoft Monitoring Agent (MMA)](configure-server-endpoints-windows-defender-advanced-threat-protection#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-windows-defender-atp) point to Microsoft Defender ATP Workspace key & ID
+ - [Install and configure Microsoft Monitoring Agent (MMA)](configure-server-endpoints-windows-defender-advanced-threat-protection.md#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-windows-defender-atp) point to Microsoft Defender ATP Workspace key & ID
- Offline machines in the same network of Azure Log Analytics
- Configure MMA to point to:
@@ -42,7 +42,7 @@ To onboard machines without Internet access, you'll need to take the following g
- Setup Azure Log Analytics (formerly known as OMS Gateway) to act as proxy or hub:
- [Azure Log Analytics Agent](https://docs.microsoft.com/azure/azure-monitor/platform/gateway#download-the-log-analytics-gateway)
- - [Install and configure Microsoft Monitoring Agent (MMA)](configure-server-endpoints-windows-defender-advanced-threat-protection#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-windows-defender-atp) point to Microsoft Defender ATP Workspace key & ID
+ - [Install and configure Microsoft Monitoring Agent (MMA)](configure-server-endpoints-windows-defender-advanced-threat-protection.md#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-windows-defender-atp) point to Microsoft Defender ATP Workspace key & ID
- Offline Azure VMs in the same network of OMS Gateway
- Configure Azure Log Analytics IP as a proxy
- Azure Log Analytics Workspace Key & ID