From a24763ffc2e3f2c3885ddc968983243d0077752f Mon Sep 17 00:00:00 2001 From: LizRoss Date: Mon, 20 Mar 2017 13:01:05 -0700 Subject: [PATCH 01/46] Updated applies to about Azure RMS --- windows/keep-secure/create-wip-policy-using-intune.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index f0c94d6dba..fc6d4fbfea 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -14,7 +14,7 @@ localizationpriority: high **Applies to:** - Windows 10, version 1607 -- Windows 10 Mobile +- Windows 10 Mobile (except Microsoft Azure Rights Management (Azure RMS), which is only available on the desktop) Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. From 54b10176b832d8dbcb5f8381935f1c22e22fb8e3 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Mon, 20 Mar 2017 13:21:26 -0700 Subject: [PATCH 02/46] Added content --- windows/keep-secure/create-wip-policy-using-intune.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index fc6d4fbfea..6560a80e36 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -11,6 +11,7 @@ localizationpriority: high --- # Create a Windows Information Protection (WIP) policy using Microsoft Intune + **Applies to:** - Windows 10, version 1607 @@ -18,12 +19,12 @@ localizationpriority: high Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. -## Important note about the June service update for Insider Preview + ## Add a WIP policy After you’ve set up Intune for your organization, you must create a WIP-specific policy. From baafc02843c361a2071f9f3e1c00382735c2dafc Mon Sep 17 00:00:00 2001 From: LizRoss Date: Mon, 20 Mar 2017 14:25:04 -0700 Subject: [PATCH 03/46] Adding content --- windows/keep-secure/create-wip-policy-using-intune.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index 6560a80e36..2ae0e7e014 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -378,7 +378,7 @@ There are no default locations included with WIP, you must add each of your netw Enterprise Cloud Resources With proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
contoso.visualstudio.com,contoso.internalproxy2.com

Without proxy: contoso.sharepoint.com|contoso.visualstudio.com - Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the /*AppCompat*/ string to this setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/ + Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

We recommend that you use the /*AppCompat*/ string to help Windows determine whether an app should be allowed to connect to a network resource, without automatically blocking the connection. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/ Enterprise Network Domain Names (Required) From b4437638e9ea92ad1b1e1e465717a4fe8b031af2 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 21 Mar 2017 08:36:19 -0700 Subject: [PATCH 04/46] check in --- windows/keep-secure/create-wip-policy-using-intune.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index 2ae0e7e014..cc0b417bfc 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -378,7 +378,7 @@ There are no default locations included with WIP, you must add each of your netw Enterprise Cloud Resources With proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
contoso.visualstudio.com,contoso.internalproxy2.com

Without proxy: contoso.sharepoint.com|contoso.visualstudio.com - Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

We recommend that you use the /*AppCompat*/ string to help Windows determine whether an app should be allowed to connect to a network resource, without automatically blocking the connection. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/ + Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

Important
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/. When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://azure.microsoft.com/en-us/documentation/articles/active-directory-conditional-access-policy-connected-applications/), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access. Enterprise Network Domain Names (Required) From 572a75904fe5db3838f9fc8d682a3f57ba1e8393 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 21 Mar 2017 09:14:22 -0700 Subject: [PATCH 05/46] Adding content --- windows/keep-secure/create-wip-policy-using-intune.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index cc0b417bfc..f7db61c525 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -378,7 +378,7 @@ There are no default locations included with WIP, you must add each of your netw Enterprise Cloud Resources With proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
contoso.visualstudio.com,contoso.internalproxy2.com

Without proxy: contoso.sharepoint.com|contoso.visualstudio.com - Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

Important
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/. When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://azure.microsoft.com/en-us/documentation/articles/active-directory-conditional-access-policy-connected-applications/), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access. + Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

Important
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.

When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access. Enterprise Network Domain Names (Required) From 9f1fd09d560a606000580011f4090bae77b93714 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 21 Mar 2017 10:43:32 -0700 Subject: [PATCH 06/46] Fixing broken code --- windows/keep-secure/create-wip-policy-using-intune.md | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index f7db61c525..5a748154ff 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -19,13 +19,6 @@ localizationpriority: high Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. - - ## Add a WIP policy After you’ve set up Intune for your organization, you must create a WIP-specific policy. @@ -378,7 +371,7 @@ There are no default locations included with WIP, you must add each of your netw Enterprise Cloud Resources With proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
contoso.visualstudio.com,contoso.internalproxy2.com

Without proxy: contoso.sharepoint.com|contoso.visualstudio.com - Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

Important
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.

When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access. + Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

Important
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.

When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access. Enterprise Network Domain Names (Required) From 51a28ae8968c78887ae3af359af6970312b0b712 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 21 Mar 2017 10:50:54 -0700 Subject: [PATCH 07/46] Fixing broken code --- windows/keep-secure/create-wip-policy-using-intune.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index 5a748154ff..d32508207a 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -371,7 +371,7 @@ There are no default locations included with WIP, you must add each of your netw Enterprise Cloud Resources With proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
contoso.visualstudio.com,contoso.internalproxy2.com

Without proxy: contoso.sharepoint.com|contoso.visualstudio.com - Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

Important
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.

When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access. + Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

Important
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.

When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access. Enterprise Network Domain Names (Required) From dc06f2f49c8ac551826e5bbbdcbf616dbfea1d82 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 21 Mar 2017 12:01:54 -0700 Subject: [PATCH 08/46] Adding content --- windows/keep-secure/create-wip-policy-using-intune.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index d32508207a..22b83114e4 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -425,6 +425,9 @@ There are no default locations included with WIP, you must add each of your netw For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md). +### Choose to set up Azure Rights Management with WIP + + ### Choose your optional WIP-related settings After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional WIP settings. From 3c749ca9491e215d42e2f87c2b0b8714b592de70 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 21 Mar 2017 12:17:26 -0700 Subject: [PATCH 09/46] Adding content --- windows/keep-secure/create-wip-policy-using-intune.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index 22b83114e4..90a69c59bf 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -15,7 +15,7 @@ localizationpriority: high **Applies to:** - Windows 10, version 1607 -- Windows 10 Mobile (except Microsoft Azure Rights Management (Azure RMS), which is only available on the desktop) +- Windows 10 Mobile (except Microsoft Azure Rights Management, which is only available on the desktop) Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. From 1d58cd4012ec4fe42eed86648dc334877373051f Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 21 Mar 2017 12:48:52 -0700 Subject: [PATCH 10/46] Adding content --- windows/keep-secure/create-wip-policy-using-intune.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index 90a69c59bf..62bba049af 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -426,7 +426,13 @@ There are no default locations included with WIP, you must add each of your netw For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md). ### Choose to set up Azure Rights Management with WIP +WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files via removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/en-us/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up. +To configure WIP to use Azure Rights Management, you must set the **AllowAzureRMSForEDP** MDM setting to **1** in Microsoft Intune. This setting tells WIP to start encrypting files copied to removeable drives that use Azure Rights Management, so they can be shared amongst your employees on computers running at least Windows 10, version 1703. + +Optionally, if you don’t want everyone in your organization to be able to share your enterprise data, you can set the **RMSTemplateIDForEDP** MDM setting as the **TemplateID** of the Azure Rights Management template used to encrypt the data. You must make sure to mark the template with the **EditRightsData** option. + +For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-custom-templates) topic. ### Choose your optional WIP-related settings After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional WIP settings. @@ -475,4 +481,6 @@ After you've decided where your protected apps can access enterprise data on you - [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) - [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md) - [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md) -- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md) \ No newline at end of file +- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md) +- [Azure RMS Documentation Update for May 2016](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/azure-rms-documentation-update-for-may-2016/) +- [What is Azure Rights Management?]( https://docs.microsoft.com/en-us/information-protection/understand-explore/what-is-azure-rms) \ No newline at end of file From 037e6125ad0da2c8fc150859065a48379fdbf156 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 21 Mar 2017 12:59:04 -0700 Subject: [PATCH 11/46] Adding content --- windows/keep-secure/create-wip-policy-using-intune.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index 62bba049af..3b1d08495b 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -432,7 +432,8 @@ To configure WIP to use Azure Rights Management, you must set the **AllowAzureRM Optionally, if you don’t want everyone in your organization to be able to share your enterprise data, you can set the **RMSTemplateIDForEDP** MDM setting as the **TemplateID** of the Azure Rights Management template used to encrypt the data. You must make sure to mark the template with the **EditRightsData** option. -For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-custom-templates) topic. +>[!NOTE] +>For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-custom-templates) topic. ### Choose your optional WIP-related settings After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional WIP settings. From af97f15f3ea771af18102caa256da1cde16af630 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 21 Mar 2017 13:16:12 -0700 Subject: [PATCH 12/46] Adding content --- windows/keep-secure/create-wip-policy-using-intune.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index 3b1d08495b..ead8eddf33 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -428,7 +428,7 @@ There are no default locations included with WIP, you must add each of your netw ### Choose to set up Azure Rights Management with WIP WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files via removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/en-us/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up. -To configure WIP to use Azure Rights Management, you must set the **AllowAzureRMSForEDP** MDM setting to **1** in Microsoft Intune. This setting tells WIP to start encrypting files copied to removeable drives that use Azure Rights Management, so they can be shared amongst your employees on computers running at least Windows 10, version 1703. +To configure WIP to use Azure Rights Management, you must set the **AllowAzureRMSForEDP** MDM setting to **1** in Microsoft Intune. This setting tells WIP to start encrypting files copied to removable drives that use Azure Rights Management, so they can be shared amongst your employees on computers running at least Windows 10, version 1703. Optionally, if you don’t want everyone in your organization to be able to share your enterprise data, you can set the **RMSTemplateIDForEDP** MDM setting as the **TemplateID** of the Azure Rights Management template used to encrypt the data. You must make sure to mark the template with the **EditRightsData** option. From 8a133bd824f2a7a317959eb39c99c4bff675a245 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 21 Mar 2017 14:09:57 -0700 Subject: [PATCH 13/46] Adding content --- .../create-wip-policy-using-intune.md | 384 +++++++++--------- 1 file changed, 188 insertions(+), 196 deletions(-) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index ead8eddf33..b1ce416071 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -14,8 +14,8 @@ localizationpriority: high **Applies to:** -- Windows 10, version 1607 -- Windows 10 Mobile (except Microsoft Azure Rights Management, which is only available on the desktop) +- Windows 10, version 1607 +- Windows 10 Mobile (except Microsoft Azure Rights Management, which is only available on the desktop) Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. @@ -23,15 +23,15 @@ Microsoft Intune helps you create and deploy your Windows Information Protection After you’ve set up Intune for your organization, you must create a WIP-specific policy. **To add a WIP policy** -1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy** from the **Tasks** area. +1.Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy** from the **Tasks** area. -2. Go to **Windows**, click the **Windows Information Protection (Windows 10 Desktop and Mobile and later) policy**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**. +2.Go to **Windows**, click the **Windows Information Protection (Windows 10 Desktop and Mobile and later) policy**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**. - ![Microsoft Intune: Create your new policy from the New Policy screen](images/intune-createnewpolicy.png) +![Microsoft Intune: Create your new policy from the New Policy screen](images/intune-createnewpolicy.png) -3. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes. +3.Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes. - ![Microsoft Intune: Fill out the required Name and optional Description fields](images/intune-generalinfo.png) +![Microsoft Intune: Fill out the required Name and optional Description fields](images/intune-generalinfo.png) ### Add app rules to your policy During the policy-creation process in Intune, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps. @@ -50,19 +50,19 @@ For this example, we’re going to add Microsoft OneNote, a store app, to the ** **To add a store app** 1. From the **App Rules** area, click **Add**. - The **Add App Rule** box appears. +The **Add App Rule** box appears. - ![Microsoft Intune, Add a store app to your policy](images/intune-add-uwp-apps.png) +![Microsoft Intune, Add a store app to your policy](images/intune-add-uwp-apps.png) 2. Add a friendly name for your app into the **Title** box. In this example, it’s *Microsoft OneNote*. 3. Click **Allow** from the **Windows Information Protection mode** drop-down list. - Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic. +Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic. 4. Pick **Store App** from the **Rule template** drop-down list. - The box changes to show the store app rule options. +The box changes to show the store app rule options. 5. Type the name of the app and the name of its publisher, and then click **OK**. For this UWP app example, the **Publisher** is `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the **Product name** is `Microsoft.Office.OneNote`. @@ -71,40 +71,35 @@ If you don't know the publisher or product name, you can find them for both desk **To find the Publisher and Product Name values for Store apps without installing them** 1. Go to the [Windows Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Microsoft OneNote*. - >[!NOTE] - >If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic. +>**Note**
If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic. 2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`. 3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrfhvjl/applockerdata, where `9wzdncrfhvjl` is replaced with your ID value. - The API runs and opens a text editor with the app details. +The API runs and opens a text editor with the app details. - ```json - { - "packageIdentityName": "Microsoft.Office.OneNote", - "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" - } - ``` +```json +{ +"packageIdentityName": "Microsoft.Office.OneNote", +"publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" +} +``` 4. Copy the `publisherCertificateName` value into the **Publisher Name** box and copy the `packageIdentityName` value into the **Product Name** box of Intune. - >[!IMPORTANT] - >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`. - - For example: - - ```json - { - "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", - } - ``` +>**Important**
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.

For example: + +```json +{ +"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", +} +``` **To find the Publisher and Product Name values for apps installed on Windows 10 mobile phones** 1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature. - >[!NOTE] - >Your PC and phone must be on the same wireless network. +>**Note**
Your PC and phone must be on the same wireless network. 2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**. @@ -120,16 +115,13 @@ If you don't know the publisher or product name, you can find them for both desk 8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune. - >[!IMPORTANT] - >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`. - - For example: - - ``` json - { - "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", - } - ``` +>**Important**
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.

For example: + +``` json +{ + "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", + } +``` #### Add a desktop app rule to your policy For this example, we’re going to add Internet Explorer, a desktop app, to the **App Rules** list. @@ -137,70 +129,70 @@ For this example, we’re going to add Internet Explorer, a desktop app, to the **To add a desktop app** 1. From the **App Rules** area, click **Add**. - The **Add App Rule** box appears. - - ![Microsoft Intune, Add a desktop app to your policy](images/intune-add-classic-apps.png) +The **Add App Rule** box appears. + +![Microsoft Intune, Add a desktop app to your policy](images/intune-add-classic-apps.png) 2. Add a friendly name for your app into the **Title** box. In this example, it’s *Internet Explorer*. 3. Click **Allow** from the **Windows Information Protection mode** drop-down list. - Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic. +Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic. 4. Pick **Desktop App** from the **Rule template** drop-down list. - The box changes to show the store app rule options. +The box changes to show the store app rule options. 5. Pick the options you want to include for the app rule (see table), and then click **OK**. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
OptionManages
All fields left as “*”All files signed by any publisher. (Not recommended)
Publisher selectedAll files signed by the named publisher.

This might be useful if your company is the publisher and signer of internal line-of-business apps.

Publisher and Product Name selectedAll files for the specified product, signed by the named publisher.
Publisher, Product Name, and Binary name selectedAny version of the named file or package for the specified product, signed by the named publisher.
Publisher, Product Name, Binary name, and File Version, and above, selectedSpecified version or newer releases of the named file or package for the specified product, signed by the named publisher.

This option is recommended for enlightened apps that weren't previously enlightened.

Publisher, Product Name, Binary name, and File Version, And below selectedSpecified version or older releases of the named file or package for the specified product, signed by the named publisher.
Publisher, Product Name, Binary name, and File Version, Exactly selectedSpecified version of the named file or package for the specified product, signed by the named publisher.
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
OptionManages
All fields left as “*”All files signed by any publisher. (Not recommended)
Publisher selectedAll files signed by the named publisher.

This might be useful if your company is the publisher and signer of internal line-of-business apps.

Publisher and Product Name selectedAll files for the specified product, signed by the named publisher.
Publisher, Product Name, and Binary name selectedAny version of the named file or package for the specified product, signed by the named publisher.
Publisher, Product Name, Binary name, and File Version, and above, selectedSpecified version or newer releases of the named file or package for the specified product, signed by the named publisher.

This option is recommended for enlightened apps that weren't previously enlightened.

Publisher, Product Name, Binary name, and File Version, And below selectedSpecified version or older releases of the named file or package for the specified product, signed by the named publisher.
Publisher, Product Name, Binary name, and File Version, Exactly selectedSpecified version of the named file or package for the specified product, signed by the named publisher.
If you’re unsure about what to include for the publisher, you can run this PowerShell command: ```ps1 - Get-AppLockerFileInformation -Path "" +Get-AppLockerFileInformation -Path "" ``` Where `""` goes to the location of the app on the device. For example, `Get-AppLockerFileInformation -Path "C:\Program Files\Internet Explorer\iexplore.exe"`. In this example, you'd get the following info: ``` json - Path Publisher - ---- --------- - %PROGRAMFILES%\INTERNET EXPLORER\IEXPLORE.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\INTERNET EXPLOR... +Path Publisher +---- --------- +%PROGRAMFILES%\INTERNET EXPLORER\IEXPLORE.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\INTERNET EXPLOR... ``` Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter in the **Publisher Name** box. @@ -209,113 +201,113 @@ For this example, we’re going to add an AppLocker XML file to the **App Rules* **To create an app rule and xml file using the AppLocker tool** 1. Open the Local Security Policy snap-in (SecPol.msc). - + 2. In the left pane, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**. - ![Local security snap-in, showing the Packaged app Rules](images/intune-local-security-snapin.png) +![Local security snap-in, showing the Packaged app Rules](images/intune-local-security-snapin.png) 3. Right-click in the right-hand pane, and then click **Create New Rule**. - The **Create Packaged app Rules** wizard appears. +The **Create Packaged app Rules** wizard appears. 4. On the **Before You Begin** page, click **Next**. - ![Create Packaged app Rules wizard, showing the Before You Begin page](images/intune-applocker-before-begin.png) +![Create Packaged app Rules wizard, showing the Before You Begin page](images/intune-applocker-before-begin.png) 5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**. - ![Create Packaged app Rules wizard, showing the Before You Begin page](images/intune-applocker-permissions.png) +![Create Packaged app Rules wizard, showing the Before You Begin page](images/intune-applocker-permissions.png) 6. On the **Publisher** page, click **Select** from the **Use an installed packaged app as a reference** area. - ![Create Packaged app Rules wizard, showing the Publisher](images/intune-applocker-publisher.png) +![Create Packaged app Rules wizard, showing the Publisher](images/intune-applocker-publisher.png) 7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we’re using Microsoft Photos. - ![Create Packaged app Rules wizard, showing the Select applications page](images/intune-applocker-select-apps.png) +![Create Packaged app Rules wizard, showing the Select applications page](images/intune-applocker-select-apps.png) 8. On the updated **Publisher** page, click **Create**. - ![Create Packaged app Rules wizard, showing the Microsoft Photos on the Publisher page](images/intune-applocker-publisher-with-app.png) +![Create Packaged app Rules wizard, showing the Microsoft Photos on the Publisher page](images/intune-applocker-publisher-with-app.png) 9. Review the Local Security Policy snap-in to make sure your rule is correct. - ![Local security snap-in, showing the new rule](images/intune-local-security-snapin-updated.png) +![Local security snap-in, showing the new rule](images/intune-local-security-snapin-updated.png) 10. In the left pane, right-click on **AppLocker**, and then click **Export policy**. - The **Export policy** box opens, letting you export and save your new policy as XML. +The **Export policy** box opens, letting you export and save your new policy as XML. - ![Local security snap-in, showing the Export Policy option](images/intune-local-security-export.png) +![Local security snap-in, showing the Export Policy option](images/intune-local-security-export.png) 11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**. - The policy is saved and you’ll see a message that says 1 rule was exported from the policy. +The policy is saved and you’ll see a message that says 1 rule was exported from the policy. - **Example XML file**
- This is the XML file that AppLocker creates for Microsoft Photos. +**Example XML file**
+This is the XML file that AppLocker creates for Microsoft Photos. - ```xml - - - - - - - - - - - - - - +```xml + + + + + + + + + + + + + + - ``` +``` 12. After you’ve created your XML file, you need to import it by using Microsoft Intune. **To import your Applocker policy file app rule using Microsoft Intune** 1. From the **App Rules** area, click **Add**. - - The **Add App Rule** box appears. - - ![Microsoft Intune, Importing your AppLocker policy file using Intune](images/intune-add-applocker-xml-file.png) + +The **Add App Rule** box appears. + +![Microsoft Intune, Importing your AppLocker policy file using Intune](images/intune-add-applocker-xml-file.png) 2. Add a friendly name for your app into the **Title** box. In this example, it’s *Allowed app list*. 3. Click **Allow** from the **Windows Information Protection mode** drop-down list. - Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic. +Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic. 4. Pick **AppLocker policy file** from the **Rule template** drop-down list. - The box changes to let you import your AppLocker XML policy file. +The box changes to let you import your AppLocker XML policy file. 5. Click **Import**, browse to your AppLocker XML file, click **Open**, and then click **OK** to close the **Add App Rule** box. - The file is imported and the apps are added to your **App Rules** list. +The file is imported and the apps are added to your **App Rules** list. #### Exempt apps from WIP restrictions If you're running into compatibility issues where your app is incompatible with WIP, but still needs to be used with enterprise data, you can exempt the app from the WIP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak. **To exempt a store app, a desktop app, or an AppLocker policy file app rule** 1. From the **App Rules** area, click **Add**. - - The **Add App Rule** box appears. + +The **Add App Rule** box appears. 2. Add a friendly name for your app into the **Title** box. In this example, it’s *Exempt apps list*. 3. Click **Exempt** from the **Windows Information Protection mode** drop-down list. - Be aware that when you exempt apps, they’re allowed to bypass the WIP restrictions and access your corporate data. To allow apps, see the [Add app rules to your policy](#add-app-rules-to-your-policy) section of this topic. +Be aware that when you exempt apps, they’re allowed to bypass the WIP restrictions and access your corporate data. To allow apps, see the [Add app rules to your policy](#add-app-rules-to-your-policy) section of this topic. 4. Fill out the rest of the app rule info, based on the type of rule you’re adding: - - **Store app.** Follow the **Publisher** and **Product name** instructions in the [Add a store app rule to your policy](#add-a-store-app-rule-to-your-policy) section of this topic. +- **Store app.** Follow the **Publisher** and **Product name** instructions in the [Add a store app rule to your policy](#add-a-store-app-rule-to-your-policy) section of this topic. - - **Desktop app.** Follow the **Publisher**, **Product name**, **Binary name**, and **Version** instructions in the [Add a desktop app rule to your policy](#add-a-desktop-app-rule-to-your-policy) section of this topic. +- **Desktop app.** Follow the **Publisher**, **Product name**, **Binary name**, and **Version** instructions in the [Add a desktop app rule to your policy](#add-a-desktop-app-rule-to-your-policy) section of this topic. - - **AppLocker policy file.** Follow the **Import** instructions in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section of this topic, using a list of exempted apps. +- **AppLocker policy file.** Follow the **Import** instructions in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section of this topic, using a list of exempted apps. 5. Click **OK**. @@ -341,7 +333,7 @@ You can specify multiple domains owned by your enterprise by separating them wit **To add your corporate identity** - Type the name of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`. - ![Microsoft Intune, Set your primary Internet domains](images/intune-corporate-identity.png) +![Microsoft Intune, Set your primary Internet domains](images/intune-corporate-identity.png) ### Choose where apps can access enterprise data After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. @@ -356,74 +348,74 @@ There are no default locations included with WIP, you must add each of your netw 1. Add additional network locations your apps can access by clicking **Add**. - The **Add or edit corporate network definition** box appears. +The **Add or edit corporate network definition** box appears. 2. Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table. - ![Microsoft Intune, Add your corporate network definitions](images/intune-networklocation.png) +![Microsoft Intune, Add your corporate network definitions](images/intune-networklocation.png)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Network location typeFormatDescription
Enterprise Cloud ResourcesWith proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
contoso.visualstudio.com,contoso.internalproxy2.com

Without proxy: contoso.sharepoint.com|contoso.visualstudio.com

Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

Important
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.

When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.

Enterprise Network Domain Names (Required)corp.contoso.com,region.contoso.comSpecify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.

This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks.

If you have multiple resources, you must separate them using the "," delimiter.

Enterprise Proxy Serversproxy.contoso.com:80;proxy2.contoso.com:443Specify your externally-facing proxy server addresses, along with the port through which traffic accesses the Internet.

This list must not include any servers listed in the Enterprise Internal Proxy Servers list, because they’re used for WIP-protected traffic.

This setting is also required if there’s a chance you could end up behind a proxy server on another network. In this situation, if you don't have a proxy server pre-defined, you might find that enterprise resources are unavailable to your client device, such as when you’re visiting another company and not on the guest network. To make sure this doesn’t happen, the client device also needs to be able to reach the pre-defined proxy server through the VPN network.

If you have multiple resources, you must separate them using the ";" delimiter.

Enterprise Internal Proxy Serverscontoso.internalproxy1.com;contoso.internalproxy2.comSpecify the proxy servers your devices will go through to reach your cloud resources.

Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.

This list shouldn’t include any servers listed in the Enterprise Proxy Servers list, which are used for non-WIP-protected traffic.

If you have multiple resources, you must separate them using the ";" delimiter.

Enterprise IPv4 Range (Required, if not using IPv6)**Starting IPv4 Address:** 3.4.0.1
**Ending IPv4 Address:** 3.4.255.254
**Custom URI:** 3.4.0.1-3.4.255.254,
10.0.0.1-10.255.255.254		Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

If you have multiple ranges, you must separate them using the "," delimiter.

Enterprise IPv6 Range (Required, if not using IPv4)**Starting IPv6 Address:** 2a01:110::
**Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
**Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff		Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

If you have multiple ranges, you must separate them using the "," delimiter.

Neutral Resourcessts.contoso.com,sts.contoso2.comSpecify your authentication redirection endpoints for your company.

These locations are considered enterprise or personal, based on the context of the connection before the redirection.

If you have multiple resources, you must separate them using the "," delimiter.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Network location typeFormatDescription
Enterprise Cloud ResourcesWith proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
contoso.visualstudio.com,contoso.internalproxy2.com

Without proxy: contoso.sharepoint.com|contoso.visualstudio.com

Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

Important
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.

When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.

Enterprise Network Domain Names (Required)corp.contoso.com,region.contoso.comSpecify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.

This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks.

If you have multiple resources, you must separate them using the "," delimiter.

Enterprise Proxy Serversproxy.contoso.com:80;proxy2.contoso.com:443Specify your externally-facing proxy server addresses, along with the port through which traffic accesses the Internet.

This list must not include any servers listed in the Enterprise Internal Proxy Servers list, because they’re used for WIP-protected traffic.

This setting is also required if there’s a chance you could end up behind a proxy server on another network. In this situation, if you don't have a proxy server pre-defined, you might find that enterprise resources are unavailable to your client device, such as when you’re visiting another company and not on the guest network. To make sure this doesn’t happen, the client device also needs to be able to reach the pre-defined proxy server through the VPN network.

If you have multiple resources, you must separate them using the ";" delimiter.

Enterprise Internal Proxy Serverscontoso.internalproxy1.com;contoso.internalproxy2.comSpecify the proxy servers your devices will go through to reach your cloud resources.

Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.

This list shouldn’t include any servers listed in the Enterprise Proxy Servers list, which are used for non-WIP-protected traffic.

If you have multiple resources, you must separate them using the ";" delimiter.

Enterprise IPv4 Range (Required, if not using IPv6)**Starting IPv4 Address:** 3.4.0.1
**Ending IPv4 Address:** 3.4.255.254
**Custom URI:** 3.4.0.1-3.4.255.254,
10.0.0.1-10.255.255.254		Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

If you have multiple ranges, you must separate them using the "," delimiter.

Enterprise IPv6 Range (Required, if not using IPv4)**Starting IPv6 Address:** 2a01:110::
**Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
**Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff		Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

If you have multiple ranges, you must separate them using the "," delimiter.

Neutral Resourcessts.contoso.com,sts.contoso2.comSpecify your authentication redirection endpoints for your company.

These locations are considered enterprise or personal, based on the context of the connection before the redirection.

If you have multiple resources, you must separate them using the "," delimiter.

3. Add as many locations as you need, and then click **OK**. - The **Add corporate network definition** box closes. +The **Add corporate network definition** box closes. 4. Decide if you want to Windows to look for additional network settings: - ![Microsoft Intune, Choose if you want Windows to search for additinal proxy servers or IP ranges in your enterprise](images/intune-network-detection-boxes.png) +![Microsoft Intune, Choose if you want Windows to search for additinal proxy servers or IP ranges in your enterprise](images/intune-network-detection-boxes.png) - - **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network. +- **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network. - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network. 5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy. - ![Microsoft Intune, Add your Data Recovery Agent (DRA) certificate](images/intune-data-recovery.png) + ![Microsoft Intune, Add your Data Recovery Agent (DRA) certificate](images/intune-data-recovery.png) - After you create and deploy your WIP policy to your employees, Windows will begin to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data. +After you create and deploy your WIP policy to your employees, Windows will begin to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data. - For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md). +For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md). ### Choose to set up Azure Rights Management with WIP WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files via removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/en-us/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up. @@ -443,35 +435,35 @@ After you've decided where your protected apps can access enterprise data on you **To set your optional settings** 1. Choose to set any or all of the optional settings: - - **Show the Personal option in the File ownership menus of File Explorer and the Save As dialog box.** Determines whether users can see the Personal option for files within File Explorer and the **Save As** dialog box. The options are: - - - **Yes, or not configured (recommended).** Employees can choose whether a file is **Work** or **Personal** in File Explorer and the **Save As** dialog box. +- **Show the Personal option in the File ownership menus of File Explorer and the Save As dialog box.** Determines whether users can see the Personal option for files within File Explorer and the **Save As** dialog box. The options are: + +- **Yes, or not configured (recommended).** Employees can choose whether a file is **Work** or **Personal** in File Explorer and the **Save As** dialog box. - - **No.** Hides the **Personal** option from employees. Be aware that if you pick this option, apps that use the **Save As** dialog box might encrypt new files as corporate data unless a different file path is given during the original file creation. After this happens, decryption of work files becomes more difficult. +- **No.** Hides the **Personal** option from employees. Be aware that if you pick this option, apps that use the **Save As** dialog box might encrypt new files as corporate data unless a different file path is given during the original file creation. After this happens, decryption of work files becomes more difficult. - - **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile**. Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are: +- **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile**. Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are: - - **Yes (recommended).** Turns on the feature and provides the additional protection. +- **Yes (recommended).** Turns on the feature and provides the additional protection. - - **No, or not configured.** Doesn't enable this feature. +- **No, or not configured.**Doesn't enable this feature. - - **Revoke encryption keys on unenroll.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are: +- **Revoke encryption keys on unenroll.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are: - - **Yes, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment. - - - **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you’re migrating between Mobile Device Management (MDM) solutions. +- **Yes, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment. - - **Allow Windows Search to search encrypted corporate data and Store apps.** Determines whether Windows Search can search and index encrypted corporate data and Store apps. The options are: +- **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you’re migrating between Mobile Device Management (MDM) solutions. - - **Yes.** Allows Windows Search to search and index encrypted corporate data and Store apps. +- **Allow Windows Search to search encrypted corporate data and Store apps.** Determines whether Windows Search can search and index encrypted corporate data and Store apps. The options are: - - **No, or not configured (recommended).** Stops Windows Search from searching and indexing encrypted corporate data and Store apps. + - **Yes.** Allows Windows Search to search and index encrypted corporate data and Store apps. - - **Show the Windows Information Protection icon overlay.** Determines whether the Windows Information Protection icon overlay appears on corporate files in the Save As and File Explorer views. The options are: + - **No, or not configured (recommended).** Stops Windows Search from searching and indexing encrypted corporate data and Store apps. - - **Yes.** Allows the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but allowed apps, the icon overlay also appears on the app tile and with *Managed* text on the app name in the **Start** menu. +- **Show the Windows Information Protection icon overlay.** Determines whether the Windows Information Protection icon overlay appears on corporate files in the Save As and File Explorer views. The options are: - - **No, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but allowed apps. Not configured is the default option. + - **Yes.** Allows the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but allowed apps, the icon overlay also appears on the app tile and with *Managed* text on the app name in the **Start** menu. + +- **No, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but allowed apps. Not configured is the default option. 2. Click **Save Policy**. From 024cd88e44c7c649bd1e6a934872f75a5a634b68 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 21 Mar 2017 14:24:31 -0700 Subject: [PATCH 14/46] Fixing formatting and adding content --- ...ange-history-for-keep-windows-10-secure.md | 1 + .../create-wip-policy-using-intune.md | 374 +++++++++--------- 2 files changed, 187 insertions(+), 188 deletions(-) diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index 858577af50..1ac38ed7d2 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md @@ -16,6 +16,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md ## March 2017 |New or changed topic |Description | |---------------------|------------| +|[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Added new content about Azure Rights Management. | |[Protect derived domain credentials with Credential Guard](credential-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.| |[Requirements and deployment planning guidelines for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.| diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index b1ce416071..9af07a2e91 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -14,8 +14,8 @@ localizationpriority: high **Applies to:** -- Windows 10, version 1607 -- Windows 10 Mobile (except Microsoft Azure Rights Management, which is only available on the desktop) +- Windows 10, version 1607 +- Windows 10 Mobile (except Microsoft Azure Rights Management, which is only available on the desktop) Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. @@ -23,15 +23,15 @@ Microsoft Intune helps you create and deploy your Windows Information Protection After you’ve set up Intune for your organization, you must create a WIP-specific policy. **To add a WIP policy** -1.Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy** from the **Tasks** area. +1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy** from the **Tasks** area. -2.Go to **Windows**, click the **Windows Information Protection (Windows 10 Desktop and Mobile and later) policy**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**. +2. Go to **Windows**, click the **Windows Information Protection (Windows 10 Desktop and Mobile and later) policy**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**. -![Microsoft Intune: Create your new policy from the New Policy screen](images/intune-createnewpolicy.png) + ![Microsoft Intune: Create your new policy from the New Policy screen](images/intune-createnewpolicy.png) -3.Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes. +3. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes. -![Microsoft Intune: Fill out the required Name and optional Description fields](images/intune-generalinfo.png) + ![Microsoft Intune: Fill out the required Name and optional Description fields](images/intune-generalinfo.png) ### Add app rules to your policy During the policy-creation process in Intune, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps. @@ -50,19 +50,19 @@ For this example, we’re going to add Microsoft OneNote, a store app, to the ** **To add a store app** 1. From the **App Rules** area, click **Add**. -The **Add App Rule** box appears. + The **Add App Rule** box appears. -![Microsoft Intune, Add a store app to your policy](images/intune-add-uwp-apps.png) + ![Microsoft Intune, Add a store app to your policy](images/intune-add-uwp-apps.png) 2. Add a friendly name for your app into the **Title** box. In this example, it’s *Microsoft OneNote*. 3. Click **Allow** from the **Windows Information Protection mode** drop-down list. -Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic. + Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic. 4. Pick **Store App** from the **Rule template** drop-down list. -The box changes to show the store app rule options. + The box changes to show the store app rule options. 5. Type the name of the app and the name of its publisher, and then click **OK**. For this UWP app example, the **Publisher** is `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the **Product name** is `Microsoft.Office.OneNote`. @@ -71,35 +71,34 @@ If you don't know the publisher or product name, you can find them for both desk **To find the Publisher and Product Name values for Store apps without installing them** 1. Go to the [Windows Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Microsoft OneNote*. ->**Note**
If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic. + >**Note**
If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic. 2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`. 3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrfhvjl/applockerdata, where `9wzdncrfhvjl` is replaced with your ID value. -The API runs and opens a text editor with the app details. + The API runs and opens a text editor with the app details. -```json -{ -"packageIdentityName": "Microsoft.Office.OneNote", -"publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" -} -``` + ```json + { + "packageIdentityName": "Microsoft.Office.OneNote", + "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" + } + ``` 4. Copy the `publisherCertificateName` value into the **Publisher Name** box and copy the `packageIdentityName` value into the **Product Name** box of Intune. ->**Important**
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.

For example: - -```json -{ -"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", -} -``` + >**Important**
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.

For example:
+ ```json + { + "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", + } + ``` **To find the Publisher and Product Name values for apps installed on Windows 10 mobile phones** 1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature. ->**Note**
Your PC and phone must be on the same wireless network. + >**Note**
Your PC and phone must be on the same wireless network. 2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**. @@ -115,13 +114,12 @@ The API runs and opens a text editor with the app details. 8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune. ->**Important**
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.

For example: - -``` json -{ - "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", - } -``` + >**Important**
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.

For example:
+ ``` json + { + "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", + } + ``` #### Add a desktop app rule to your policy For this example, we’re going to add Internet Explorer, a desktop app, to the **App Rules** list. @@ -129,70 +127,70 @@ For this example, we’re going to add Internet Explorer, a desktop app, to the **To add a desktop app** 1. From the **App Rules** area, click **Add**. -The **Add App Rule** box appears. - -![Microsoft Intune, Add a desktop app to your policy](images/intune-add-classic-apps.png) + The **Add App Rule** box appears. + + ![Microsoft Intune, Add a desktop app to your policy](images/intune-add-classic-apps.png) 2. Add a friendly name for your app into the **Title** box. In this example, it’s *Internet Explorer*. 3. Click **Allow** from the **Windows Information Protection mode** drop-down list. -Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic. + Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic. 4. Pick **Desktop App** from the **Rule template** drop-down list. -The box changes to show the store app rule options. + The box changes to show the store app rule options. 5. Pick the options you want to include for the app rule (see table), and then click **OK**. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
OptionManages
All fields left as “*”All files signed by any publisher. (Not recommended)
Publisher selectedAll files signed by the named publisher.

This might be useful if your company is the publisher and signer of internal line-of-business apps.

Publisher and Product Name selectedAll files for the specified product, signed by the named publisher.
Publisher, Product Name, and Binary name selectedAny version of the named file or package for the specified product, signed by the named publisher.
Publisher, Product Name, Binary name, and File Version, and above, selectedSpecified version or newer releases of the named file or package for the specified product, signed by the named publisher.

This option is recommended for enlightened apps that weren't previously enlightened.

Publisher, Product Name, Binary name, and File Version, And below selectedSpecified version or older releases of the named file or package for the specified product, signed by the named publisher.
Publisher, Product Name, Binary name, and File Version, Exactly selectedSpecified version of the named file or package for the specified product, signed by the named publisher.
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
OptionManages
All fields left as “*”All files signed by any publisher. (Not recommended)
Publisher selectedAll files signed by the named publisher.

This might be useful if your company is the publisher and signer of internal line-of-business apps.

Publisher and Product Name selectedAll files for the specified product, signed by the named publisher.
Publisher, Product Name, and Binary name selectedAny version of the named file or package for the specified product, signed by the named publisher.
Publisher, Product Name, Binary name, and File Version, and above, selectedSpecified version or newer releases of the named file or package for the specified product, signed by the named publisher.

This option is recommended for enlightened apps that weren't previously enlightened.

Publisher, Product Name, Binary name, and File Version, And below selectedSpecified version or older releases of the named file or package for the specified product, signed by the named publisher.
Publisher, Product Name, Binary name, and File Version, Exactly selectedSpecified version of the named file or package for the specified product, signed by the named publisher.
If you’re unsure about what to include for the publisher, you can run this PowerShell command: ```ps1 -Get-AppLockerFileInformation -Path "" + Get-AppLockerFileInformation -Path "" ``` Where `""` goes to the location of the app on the device. For example, `Get-AppLockerFileInformation -Path "C:\Program Files\Internet Explorer\iexplore.exe"`. In this example, you'd get the following info: ``` json -Path Publisher ----- --------- -%PROGRAMFILES%\INTERNET EXPLORER\IEXPLORE.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\INTERNET EXPLOR... + Path Publisher + ---- --------- + %PROGRAMFILES%\INTERNET EXPLORER\IEXPLORE.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\INTERNET EXPLOR... ``` Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter in the **Publisher Name** box. @@ -201,113 +199,113 @@ For this example, we’re going to add an AppLocker XML file to the **App Rules* **To create an app rule and xml file using the AppLocker tool** 1. Open the Local Security Policy snap-in (SecPol.msc). - + 2. In the left pane, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**. -![Local security snap-in, showing the Packaged app Rules](images/intune-local-security-snapin.png) + ![Local security snap-in, showing the Packaged app Rules](images/intune-local-security-snapin.png) 3. Right-click in the right-hand pane, and then click **Create New Rule**. -The **Create Packaged app Rules** wizard appears. + The **Create Packaged app Rules** wizard appears. 4. On the **Before You Begin** page, click **Next**. -![Create Packaged app Rules wizard, showing the Before You Begin page](images/intune-applocker-before-begin.png) + ![Create Packaged app Rules wizard, showing the Before You Begin page](images/intune-applocker-before-begin.png) 5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**. -![Create Packaged app Rules wizard, showing the Before You Begin page](images/intune-applocker-permissions.png) + ![Create Packaged app Rules wizard, showing the Before You Begin page](images/intune-applocker-permissions.png) 6. On the **Publisher** page, click **Select** from the **Use an installed packaged app as a reference** area. -![Create Packaged app Rules wizard, showing the Publisher](images/intune-applocker-publisher.png) + ![Create Packaged app Rules wizard, showing the Publisher](images/intune-applocker-publisher.png) 7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we’re using Microsoft Photos. -![Create Packaged app Rules wizard, showing the Select applications page](images/intune-applocker-select-apps.png) + ![Create Packaged app Rules wizard, showing the Select applications page](images/intune-applocker-select-apps.png) 8. On the updated **Publisher** page, click **Create**. -![Create Packaged app Rules wizard, showing the Microsoft Photos on the Publisher page](images/intune-applocker-publisher-with-app.png) + ![Create Packaged app Rules wizard, showing the Microsoft Photos on the Publisher page](images/intune-applocker-publisher-with-app.png) 9. Review the Local Security Policy snap-in to make sure your rule is correct. -![Local security snap-in, showing the new rule](images/intune-local-security-snapin-updated.png) + ![Local security snap-in, showing the new rule](images/intune-local-security-snapin-updated.png) 10. In the left pane, right-click on **AppLocker**, and then click **Export policy**. -The **Export policy** box opens, letting you export and save your new policy as XML. + The **Export policy** box opens, letting you export and save your new policy as XML. -![Local security snap-in, showing the Export Policy option](images/intune-local-security-export.png) + ![Local security snap-in, showing the Export Policy option](images/intune-local-security-export.png) 11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**. -The policy is saved and you’ll see a message that says 1 rule was exported from the policy. + The policy is saved and you’ll see a message that says 1 rule was exported from the policy. -**Example XML file**
-This is the XML file that AppLocker creates for Microsoft Photos. + **Example XML file**
+ This is the XML file that AppLocker creates for Microsoft Photos. -```xml - - - - - - - - - - - - - - + ```xml + + + + + + + + + + + + + + -``` + ``` 12. After you’ve created your XML file, you need to import it by using Microsoft Intune. **To import your Applocker policy file app rule using Microsoft Intune** 1. From the **App Rules** area, click **Add**. - -The **Add App Rule** box appears. - -![Microsoft Intune, Importing your AppLocker policy file using Intune](images/intune-add-applocker-xml-file.png) + + The **Add App Rule** box appears. + + ![Microsoft Intune, Importing your AppLocker policy file using Intune](images/intune-add-applocker-xml-file.png) 2. Add a friendly name for your app into the **Title** box. In this example, it’s *Allowed app list*. 3. Click **Allow** from the **Windows Information Protection mode** drop-down list. -Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic. + Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic. 4. Pick **AppLocker policy file** from the **Rule template** drop-down list. -The box changes to let you import your AppLocker XML policy file. + The box changes to let you import your AppLocker XML policy file. 5. Click **Import**, browse to your AppLocker XML file, click **Open**, and then click **OK** to close the **Add App Rule** box. -The file is imported and the apps are added to your **App Rules** list. + The file is imported and the apps are added to your **App Rules** list. #### Exempt apps from WIP restrictions If you're running into compatibility issues where your app is incompatible with WIP, but still needs to be used with enterprise data, you can exempt the app from the WIP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak. **To exempt a store app, a desktop app, or an AppLocker policy file app rule** 1. From the **App Rules** area, click **Add**. - -The **Add App Rule** box appears. + + The **Add App Rule** box appears. 2. Add a friendly name for your app into the **Title** box. In this example, it’s *Exempt apps list*. 3. Click **Exempt** from the **Windows Information Protection mode** drop-down list. -Be aware that when you exempt apps, they’re allowed to bypass the WIP restrictions and access your corporate data. To allow apps, see the [Add app rules to your policy](#add-app-rules-to-your-policy) section of this topic. + Be aware that when you exempt apps, they’re allowed to bypass the WIP restrictions and access your corporate data. To allow apps, see the [Add app rules to your policy](#add-app-rules-to-your-policy) section of this topic. 4. Fill out the rest of the app rule info, based on the type of rule you’re adding: -- **Store app.** Follow the **Publisher** and **Product name** instructions in the [Add a store app rule to your policy](#add-a-store-app-rule-to-your-policy) section of this topic. + - **Store app.** Follow the **Publisher** and **Product name** instructions in the [Add a store app rule to your policy](#add-a-store-app-rule-to-your-policy) section of this topic. -- **Desktop app.** Follow the **Publisher**, **Product name**, **Binary name**, and **Version** instructions in the [Add a desktop app rule to your policy](#add-a-desktop-app-rule-to-your-policy) section of this topic. + - **Desktop app.** Follow the **Publisher**, **Product name**, **Binary name**, and **Version** instructions in the [Add a desktop app rule to your policy](#add-a-desktop-app-rule-to-your-policy) section of this topic. -- **AppLocker policy file.** Follow the **Import** instructions in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section of this topic, using a list of exempted apps. + - **AppLocker policy file.** Follow the **Import** instructions in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section of this topic, using a list of exempted apps. 5. Click **OK**. @@ -333,7 +331,7 @@ You can specify multiple domains owned by your enterprise by separating them wit **To add your corporate identity** - Type the name of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`. -![Microsoft Intune, Set your primary Internet domains](images/intune-corporate-identity.png) + ![Microsoft Intune, Set your primary Internet domains](images/intune-corporate-identity.png) ### Choose where apps can access enterprise data After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. @@ -348,74 +346,74 @@ There are no default locations included with WIP, you must add each of your netw 1. Add additional network locations your apps can access by clicking **Add**. -The **Add or edit corporate network definition** box appears. + The **Add or edit corporate network definition** box appears. 2. Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table. -![Microsoft Intune, Add your corporate network definitions](images/intune-networklocation.png) + ![Microsoft Intune, Add your corporate network definitions](images/intune-networklocation.png)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Network location typeFormatDescription
Enterprise Cloud ResourcesWith proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
contoso.visualstudio.com,contoso.internalproxy2.com

Without proxy: contoso.sharepoint.com|contoso.visualstudio.com

Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

Important
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.

When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.

Enterprise Network Domain Names (Required)corp.contoso.com,region.contoso.comSpecify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.

This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks.

If you have multiple resources, you must separate them using the "," delimiter.

Enterprise Proxy Serversproxy.contoso.com:80;proxy2.contoso.com:443Specify your externally-facing proxy server addresses, along with the port through which traffic accesses the Internet.

This list must not include any servers listed in the Enterprise Internal Proxy Servers list, because they’re used for WIP-protected traffic.

This setting is also required if there’s a chance you could end up behind a proxy server on another network. In this situation, if you don't have a proxy server pre-defined, you might find that enterprise resources are unavailable to your client device, such as when you’re visiting another company and not on the guest network. To make sure this doesn’t happen, the client device also needs to be able to reach the pre-defined proxy server through the VPN network.

If you have multiple resources, you must separate them using the ";" delimiter.

Enterprise Internal Proxy Serverscontoso.internalproxy1.com;contoso.internalproxy2.comSpecify the proxy servers your devices will go through to reach your cloud resources.

Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.

This list shouldn’t include any servers listed in the Enterprise Proxy Servers list, which are used for non-WIP-protected traffic.

If you have multiple resources, you must separate them using the ";" delimiter.

Enterprise IPv4 Range (Required, if not using IPv6)**Starting IPv4 Address:** 3.4.0.1
**Ending IPv4 Address:** 3.4.255.254
**Custom URI:** 3.4.0.1-3.4.255.254,
10.0.0.1-10.255.255.254		Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

If you have multiple ranges, you must separate them using the "," delimiter.

Enterprise IPv6 Range (Required, if not using IPv4)**Starting IPv6 Address:** 2a01:110::
**Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
**Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff		Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

If you have multiple ranges, you must separate them using the "," delimiter.

Neutral Resourcessts.contoso.com,sts.contoso2.comSpecify your authentication redirection endpoints for your company.

These locations are considered enterprise or personal, based on the context of the connection before the redirection.

If you have multiple resources, you must separate them using the "," delimiter.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Network location typeFormatDescription
Enterprise Cloud ResourcesWith proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
contoso.visualstudio.com,contoso.internalproxy2.com

Without proxy: contoso.sharepoint.com|contoso.visualstudio.com

Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

Important
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.

When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.

Enterprise Network Domain Names (Required)corp.contoso.com,region.contoso.comSpecify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.

This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks.

If you have multiple resources, you must separate them using the "," delimiter.

Enterprise Proxy Serversproxy.contoso.com:80;proxy2.contoso.com:443Specify your externally-facing proxy server addresses, along with the port through which traffic accesses the Internet.

This list must not include any servers listed in the Enterprise Internal Proxy Servers list, because they’re used for WIP-protected traffic.

This setting is also required if there’s a chance you could end up behind a proxy server on another network. In this situation, if you don't have a proxy server pre-defined, you might find that enterprise resources are unavailable to your client device, such as when you’re visiting another company and not on the guest network. To make sure this doesn’t happen, the client device also needs to be able to reach the pre-defined proxy server through the VPN network.

If you have multiple resources, you must separate them using the ";" delimiter.

Enterprise Internal Proxy Serverscontoso.internalproxy1.com;contoso.internalproxy2.comSpecify the proxy servers your devices will go through to reach your cloud resources.

Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.

This list shouldn’t include any servers listed in the Enterprise Proxy Servers list, which are used for non-WIP-protected traffic.

If you have multiple resources, you must separate them using the ";" delimiter.

Enterprise IPv4 Range (Required, if not using IPv6)**Starting IPv4 Address:** 3.4.0.1
**Ending IPv4 Address:** 3.4.255.254
**Custom URI:** 3.4.0.1-3.4.255.254,
10.0.0.1-10.255.255.254		Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

If you have multiple ranges, you must separate them using the "," delimiter.

Enterprise IPv6 Range (Required, if not using IPv4)**Starting IPv6 Address:** 2a01:110::
**Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
**Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff		Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

If you have multiple ranges, you must separate them using the "," delimiter.

Neutral Resourcessts.contoso.com,sts.contoso2.comSpecify your authentication redirection endpoints for your company.

These locations are considered enterprise or personal, based on the context of the connection before the redirection.

If you have multiple resources, you must separate them using the "," delimiter.

3. Add as many locations as you need, and then click **OK**. -The **Add corporate network definition** box closes. + The **Add corporate network definition** box closes. 4. Decide if you want to Windows to look for additional network settings: -![Microsoft Intune, Choose if you want Windows to search for additinal proxy servers or IP ranges in your enterprise](images/intune-network-detection-boxes.png) + ![Microsoft Intune, Choose if you want Windows to search for additinal proxy servers or IP ranges in your enterprise](images/intune-network-detection-boxes.png) -- **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network. + - **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network. - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network. 5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy. - ![Microsoft Intune, Add your Data Recovery Agent (DRA) certificate](images/intune-data-recovery.png) + ![Microsoft Intune, Add your Data Recovery Agent (DRA) certificate](images/intune-data-recovery.png) -After you create and deploy your WIP policy to your employees, Windows will begin to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data. + After you create and deploy your WIP policy to your employees, Windows will begin to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data. -For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md). + For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md). ### Choose to set up Azure Rights Management with WIP WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files via removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/en-us/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up. @@ -435,35 +433,35 @@ After you've decided where your protected apps can access enterprise data on you **To set your optional settings** 1. Choose to set any or all of the optional settings: -- **Show the Personal option in the File ownership menus of File Explorer and the Save As dialog box.** Determines whether users can see the Personal option for files within File Explorer and the **Save As** dialog box. The options are: - -- **Yes, or not configured (recommended).** Employees can choose whether a file is **Work** or **Personal** in File Explorer and the **Save As** dialog box. + - **Show the Personal option in the File ownership menus of File Explorer and the Save As dialog box.** Determines whether users can see the Personal option for files within File Explorer and the **Save As** dialog box. The options are: + + - **Yes, or not configured (recommended).** Employees can choose whether a file is **Work** or **Personal** in File Explorer and the **Save As** dialog box. -- **No.** Hides the **Personal** option from employees. Be aware that if you pick this option, apps that use the **Save As** dialog box might encrypt new files as corporate data unless a different file path is given during the original file creation. After this happens, decryption of work files becomes more difficult. + - **No.** Hides the **Personal** option from employees. Be aware that if you pick this option, apps that use the **Save As** dialog box might encrypt new files as corporate data unless a different file path is given during the original file creation. After this happens, decryption of work files becomes more difficult. -- **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile**. Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are: + - **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile**. Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are: -- **Yes (recommended).** Turns on the feature and provides the additional protection. + - **Yes (recommended).** Turns on the feature and provides the additional protection. -- **No, or not configured.**Doesn't enable this feature. + - **No, or not configured.** Doesn't enable this feature. -- **Revoke encryption keys on unenroll.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are: + - **Revoke encryption keys on unenroll.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are: -- **Yes, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment. + - **Yes, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment. + + - **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you’re migrating between Mobile Device Management (MDM) solutions. -- **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you’re migrating between Mobile Device Management (MDM) solutions. + - **Allow Windows Search to search encrypted corporate data and Store apps.** Determines whether Windows Search can search and index encrypted corporate data and Store apps. The options are: -- **Allow Windows Search to search encrypted corporate data and Store apps.** Determines whether Windows Search can search and index encrypted corporate data and Store apps. The options are: + - **Yes.** Allows Windows Search to search and index encrypted corporate data and Store apps. - - **Yes.** Allows Windows Search to search and index encrypted corporate data and Store apps. + - **No, or not configured (recommended).** Stops Windows Search from searching and indexing encrypted corporate data and Store apps. - - **No, or not configured (recommended).** Stops Windows Search from searching and indexing encrypted corporate data and Store apps. + - **Show the Windows Information Protection icon overlay.** Determines whether the Windows Information Protection icon overlay appears on corporate files in the Save As and File Explorer views. The options are: -- **Show the Windows Information Protection icon overlay.** Determines whether the Windows Information Protection icon overlay appears on corporate files in the Save As and File Explorer views. The options are: + - **Yes.** Allows the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but allowed apps, the icon overlay also appears on the app tile and with *Managed* text on the app name in the **Start** menu. - - **Yes.** Allows the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but allowed apps, the icon overlay also appears on the app tile and with *Managed* text on the app name in the **Start** menu. - -- **No, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but allowed apps. Not configured is the default option. + - **No, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but allowed apps. Not configured is the default option. 2. Click **Save Policy**. From b28c22277bb40c535fed8320b0fb9c4ad1447cb2 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 22 Mar 2017 07:30:38 -0700 Subject: [PATCH 15/46] Updating content from tech review --- windows/keep-secure/create-wip-policy-using-intune.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index 9af07a2e91..b3ec476d6b 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -418,9 +418,9 @@ There are no default locations included with WIP, you must add each of your netw ### Choose to set up Azure Rights Management with WIP WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files via removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/en-us/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up. -To configure WIP to use Azure Rights Management, you must set the **AllowAzureRMSForEDP** MDM setting to **1** in Microsoft Intune. This setting tells WIP to start encrypting files copied to removable drives that use Azure Rights Management, so they can be shared amongst your employees on computers running at least Windows 10, version 1703. +To configure WIP to use Azure Rights Management, you must set the **AllowAzureRMSForEDP** MDM setting to **1** in Microsoft Intune. This setting tells WIP to encrypt files copied to removable drives with Azure Rights Management, so they can be shared amongst your employees on computers running at least Windows 10, version 1703. -Optionally, if you don’t want everyone in your organization to be able to share your enterprise data, you can set the **RMSTemplateIDForEDP** MDM setting as the **TemplateID** of the Azure Rights Management template used to encrypt the data. You must make sure to mark the template with the **EditRightsData** option. +Optionally, if you don’t want everyone in your organization to be able to share your enterprise data, you can set the **RMSTemplateIDForEDP** MDM setting to the **TemplateID** of the Azure Rights Management template used to encrypt the data. You must make sure to mark the template with the **EditRightsData** option. >[!NOTE] >For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-custom-templates) topic. From 86532a8e914f88c5d274ebe87227e62ebee01922 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 22 Mar 2017 07:35:30 -0700 Subject: [PATCH 16/46] Added content --- windows/keep-secure/change-history-for-keep-windows-10-secure.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index 1ac38ed7d2..a3fedca01f 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md @@ -17,6 +17,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md |New or changed topic |Description | |---------------------|------------| |[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Added new content about Azure Rights Management. | +|[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) |Added additional limitations for Windows 10, version 1703. | |[Protect derived domain credentials with Credential Guard](credential-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.| |[Requirements and deployment planning guidelines for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.| From c9d828821706dc75d0c3e25546b9d86a71cf8df8 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 22 Mar 2017 07:38:08 -0700 Subject: [PATCH 17/46] Fixing formatting --- windows/keep-secure/create-wip-policy-using-intune.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index b3ec476d6b..44605fccd9 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -71,6 +71,9 @@ If you don't know the publisher or product name, you can find them for both desk **To find the Publisher and Product Name values for Store apps without installing them** 1. Go to the [Windows Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Microsoft OneNote*. + > [!NOTE] + > If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic. + >**Note**
If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic. 2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`. From 86a65acca2bfdcf80ba1eda8cad6c4b8aeb75800 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 22 Mar 2017 08:00:13 -0700 Subject: [PATCH 18/46] Adding content --- ...reate-and-verify-an-efs-dra-certificate.md | 28 +++++++++++++++++++ .../create-wip-policy-using-intune.md | 9 ++---- 2 files changed, 30 insertions(+), 7 deletions(-) diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md index 4bd92ff06f..b05c43ed2b 100644 --- a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md +++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md @@ -94,6 +94,34 @@ It's possible that you might revoke data from an unenrolled device only to later The Windows Credential service automatically recovers the employee’s previously revoked keys from the `Recovery\Input` location. +**To quickly recover WIP-protected desktop data after unenrollment in a cloud-based environment**
+If you use a cloud environment in your organization, you may still want to restore an employee's data after revocation. While much of the process is the same as when you're not in a cloud environment, there are a couple of differences. + +>[!IMPORTANT] +>To maintain control over your enterprise data, and to be able to revoke again in the future, you must only perform this process after the employee has re-enrolled the device. + +1. Have your employee sign in to the unenrolled device, open the Run command (Windows logo key + R), and type: + + `Robocopy “%localappdata%\Microsoft\EDP\Recovery” <“new_location”> * /EFSRAW` + + -or- + + `Robocopy “{X:\}System Volume Information\EDP\Recovery\ ” <“new_location”> * /EFSRAW` + + Where the keys are stored either within the employee's profile or, if the employee performed a clean installation over the operating system, in the System Volume folder. Also, where *<”new_location”>* is in a different directory. This can be on the employee’s device or on a Windows 8 or Windows Server 2012 or newer server file share that can be accessed while you're logged in as a data recovery agent. + +2. Sign in to a different device with administrator credentials that have access to your organization's DRA certificate, and perform the file decryption and recovery by typing: + + `cipher.exe /D <“new_location”>` + +3. Have your employee sign in to the unenrolled device, open the Run command, and type: + + `Robocopy <”new_location”> “%localappdata%\Microsoft\EDP\Recovery\Input”` + +4. Ask the employee to lock and unlock the device. + + The Windows Credential service automatically recovers the employee’s previously revoked keys from the `Recovery\Input` location. + >[!NOTE] >Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index 44605fccd9..0067c51efa 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -38,11 +38,9 @@ During the policy-creation process in Intune, you can choose the apps you want t The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file. ->[!IMPORTANT] ->WIP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.

Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App Rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation. + >**Important**
WIP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.

Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App Rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation. ->[!NOTE] ->If you want to use **File hash** or **Path** rules, instead of **Publisher** rules, you must follow the steps in the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic. +>**Note**
If you want to use **File hash** or **Path** rules, instead of **Publisher** rules, you must follow the steps in the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic. #### Add a store app rule to your policy For this example, we’re going to add Microsoft OneNote, a store app, to the **App Rules** list. @@ -71,9 +69,6 @@ If you don't know the publisher or product name, you can find them for both desk **To find the Publisher and Product Name values for Store apps without installing them** 1. Go to the [Windows Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Microsoft OneNote*. - > [!NOTE] - > If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic. - >**Note**
If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic. 2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`. From 4a4c6efe5b9961fe1a6a6078d7468427a1ad9579 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 22 Mar 2017 08:25:37 -0700 Subject: [PATCH 19/46] Adding content --- .../keep-secure/create-and-verify-an-efs-dra-certificate.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md index b05c43ed2b..5bfc60d3cc 100644 --- a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md +++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md @@ -41,8 +41,7 @@ The recovery process included in this topic only works for desktop devices. WIP 4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as Microsoft Intune or System Center Configuration Manager. - >[!NOTE] - >To add your EFS DRA certificate to your policy by using Microsoft Intune, see the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) topic. To add your EFS DRA certificate to your policy by using System Center Configuration Manager, see the [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) topic. + **Note**
To add your EFS DRA certificate to your policy by using Microsoft Intune, see the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) topic. To add your EFS DRA certificate to your policy by using System Center Configuration Manager, see the [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) topic. **To verify your data recovery certificate is correctly set up on a WIP client computer** @@ -122,8 +121,7 @@ If you use a cloud environment in your organization, you may still want to resto The Windows Credential service automatically recovers the employee’s previously revoked keys from the `Recovery\Input` location. ->[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). +

**Note**
Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). ## Related topics - [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/magazine/2007.02.securitywatch.aspx) From 3727fd8bef3d24a2e7bd0bf981b2544fdcc4ecd5 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 22 Mar 2017 08:41:06 -0700 Subject: [PATCH 20/46] Fixing formatting --- ...add-apps-to-protected-list-using-custom-uri.md | 14 +++++--------- .../keep-secure/create-wip-policy-using-sccm.md | 15 ++++----------- 2 files changed, 9 insertions(+), 20 deletions(-) diff --git a/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md b/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md index 9176b41ff8..b0396cdfd0 100644 --- a/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md +++ b/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md @@ -39,15 +39,14 @@ You can add apps to your Windows Information Protection (WIP) protected app list 5. In the **Rules Preferences** screen, keep the default settings, and then click **Next** to start generating the rules. - >[!NOTE] + >We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.

If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule. 6. In the **Review Rules** screen, look over your rules to make sure they’re right, and then click **Create** to add them to your collection of rules. 7. In the left pane, right-click **AppLocker**, click **Export Policies**, go to where you want to save the XML file and type a file name, click **Save**, and then clear your AppLocker rules. - >[!IMPORTANT] - >Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy. + >**Important**
Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy. 8. Open the Intune administration console, and go to the **Policy** node, click **Add Policy** from the **Tasks** area, go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy, click **Create and Deploy a Custom Policy**, and then click **Create Policy**. @@ -87,18 +86,15 @@ After saving the policy, you’ll need to deploy it to your employee’s devices 5. In the **Rules Preferences** screen, keep the default settings, and then click **Next** to start generating the rules. - >[!IMPORTANT] - >You can also use **Path** rules instead of the **File hash** if you have concerns about unsigned files potentially changing the hash value if they're updated in the future. + >**Important**
You can also use **Path** rules instead of the **File hash** if you have concerns about unsigned files potentially changing the hash value if they're updated in the future. - >[!NOTE] - >We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.

If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.

Finally, there's **Path** rules. **Path** rules are easier to set up and maintain, but can let apps bypass Windows Information Protection (WIP) by simply renaming and moving an unallowed file to match one of the apps on the **Protected App** list. For example, if your **Path** rule says to allow `%PROGRAMFILES%/NOTEPAD.EXE`, it becomes possible to rename DisallowedApp.exe to Notepad.exe, move it into the specified path above, and have it suddenly be allowed. + >**Note**
We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.

If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.

Finally, there's **Path** rules. **Path** rules are easier to set up and maintain, but can let apps bypass Windows Information Protection (WIP) by simply renaming and moving an unallowed file to match one of the apps on the **Protected App** list. For example, if your **Path** rule says to allow `%PROGRAMFILES%/NOTEPAD.EXE`, it becomes possible to rename DisallowedApp.exe to Notepad.exe, move it into the specified path above, and have it suddenly be allowed. 6. In the **Review Rules** screen, look over your rules to make sure they’re right, and then click **Create** to add them to your collection of rules. 7. In the left pane, right-click **AppLocker**, click **Export Policies**, go to where you want to save the XML file and type a file name, click **Save**, and then clear your AppLocker rules. - >[!IMPORTANT] - >Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy. + >**Important**
Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy. 8. Open the Intune administration console, and go to the **Policy** node, click **Add Policy** from the **Tasks** area, go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy, click **Create and Deploy a Custom Policy**, and then click **Create Policy**. diff --git a/windows/keep-secure/create-wip-policy-using-sccm.md b/windows/keep-secure/create-wip-policy-using-sccm.md index 49801ae337..5a51f50d60 100644 --- a/windows/keep-secure/create-wip-policy-using-sccm.md +++ b/windows/keep-secure/create-wip-policy-using-sccm.md @@ -94,8 +94,7 @@ If you don't know the publisher or product name, you can find them for both desk 1. Go to the [Windows Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, Microsoft OneNote. - >[!NOTE] - >If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the steps in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section. + >**Note**
If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the steps in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section. 2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`. @@ -112,10 +111,7 @@ If you don't know the publisher or product name, you can find them for both desk 4. Copy the `publisherCertificateName` value and paste them into the **Publisher Name** box, copy the `packageIdentityName` value into the **Product Name** box of Intune. - >[!IMPORTANT] - >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`. - >For example:

- + >**Important**
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.

For example:

```json { "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", @@ -125,8 +121,7 @@ If you don't know the publisher or product name, you can find them for both desk **To find the Publisher and Product Name values for apps installed on Windows 10 mobile phones** 1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature. - >[!NOTE] - >Your PC and phone must be on the same wireless network. + >**Note**
Your PC and phone must be on the same wireless network. 2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**. @@ -142,10 +137,8 @@ If you don't know the publisher or product name, you can find them for both desk 8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune. - >[!IMPORTANT] - >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`. + >**Important**
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`. >For example:

- ```json { "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", From 5ceb091f25f0a22b11bfbcd023eb9f80a1fb374f Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 22 Mar 2017 08:42:45 -0700 Subject: [PATCH 21/46] Fixing formatting --- windows/keep-secure/protect-enterprise-data-using-wip.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/protect-enterprise-data-using-wip.md b/windows/keep-secure/protect-enterprise-data-using-wip.md index a37553eb2c..7f5e04babd 100644 --- a/windows/keep-secure/protect-enterprise-data-using-wip.md +++ b/windows/keep-secure/protect-enterprise-data-using-wip.md @@ -93,8 +93,8 @@ WIP gives you a new way to manage data policy enforcement for apps and documents - **Helping prevent accidental data disclosure to removable media.** WIP helps prevent enterprise data from leaking when it's copied or transferred to removable media. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesn’t. - **Remove access to enterprise data from enterprise-protected devices.** WIP gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can use Microsoft Intune to unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable. - >[!NOTE] - >For management of Surface devices it is recommended that you use the Current Branch of System Center Configuration Manager.
System Center Configuration Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device. + + >**Note**
For management of Surface devices it is recommended that you use the Current Branch of System Center Configuration Manager.
System Center Configuration Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device. ## How WIP works WIP helps address your everyday challenges in the enterprise. Including: From 99106b6a79c9f9a212726400a5e95d94c908bbd8 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 22 Mar 2017 08:47:04 -0700 Subject: [PATCH 22/46] Fixing formatting --- .../keep-secure/create-and-verify-an-efs-dra-certificate.md | 3 +-- windows/keep-secure/wip-app-enterprise-context.md | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md index 5bfc60d3cc..58a3228aef 100644 --- a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md +++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md @@ -36,8 +36,7 @@ The recovery process included in this topic only works for desktop devices. WIP The EFSDRA.cer and EFSDRA.pfx files are created in the location you specified in Step 1. - >[!IMPORTANT] - >Because the private keys in your DRA .pfx files can be used to decrypt any WIP file, you must protect them accordingly. We highly recommend storing these files offline, keeping copies on a smart card with strong protection for normal use and master copies in a secured physical location. + >**Important**
Because the private keys in your DRA .pfx files can be used to decrypt any WIP file, you must protect them accordingly. We highly recommend storing these files offline, keeping copies on a smart card with strong protection for normal use and master copies in a secured physical location. 4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as Microsoft Intune or System Center Configuration Manager. diff --git a/windows/keep-secure/wip-app-enterprise-context.md b/windows/keep-secure/wip-app-enterprise-context.md index b4ebd4ced4..c6fa730a12 100644 --- a/windows/keep-secure/wip-app-enterprise-context.md +++ b/windows/keep-secure/wip-app-enterprise-context.md @@ -45,8 +45,7 @@ The **Enterprise Context** column shows you what each app can do with your enter - **Exempt.** Shows the text, *Exempt*. WIP policies don't apply to these apps (such as, system components). - >[!IMPORTANT] - >Enlightened apps can change between Work and Personal, depending on the data being touched. For example, Microsoft Word 2016 shows as **Personal** when an employee opens a personal letter, but changes to **Work** when that same employee opens the company financials. + >**Important**
Enlightened apps can change between Work and Personal, depending on the data being touched. For example, Microsoft Word 2016 shows as **Personal** when an employee opens a personal letter, but changes to **Work** when that same employee opens the company financials. From 3399404dd892b2008e434e56644ebc383b2dcd4b Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 22 Mar 2017 09:13:55 -0700 Subject: [PATCH 23/46] Adding content --- windows/keep-secure/change-history-for-keep-windows-10-secure.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index a3fedca01f..1cdc7573bd 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md @@ -18,6 +18,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md |---------------------|------------| |[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Added new content about Azure Rights Management. | |[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) |Added additional limitations for Windows 10, version 1703. | +|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate)|Added content about recovering data from a cloud environment.| |[Protect derived domain credentials with Credential Guard](credential-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.| |[Requirements and deployment planning guidelines for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.| From 661616568cb3250e73e1358c7c9e95ea221d1a05 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 22 Mar 2017 09:24:24 -0700 Subject: [PATCH 24/46] Fixing link --- .../keep-secure/change-history-for-keep-windows-10-secure.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index 1cdc7573bd..1cf0bcdc14 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md @@ -18,7 +18,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md |---------------------|------------| |[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Added new content about Azure Rights Management. | |[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) |Added additional limitations for Windows 10, version 1703. | -|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate)|Added content about recovering data from a cloud environment.| +|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md)|Added content about recovering data from a cloud environment.| |[Protect derived domain credentials with Credential Guard](credential-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.| |[Requirements and deployment planning guidelines for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.| From 3662fd52c24d4f140632924e4d27b1fc6fb10d45 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 22 Mar 2017 09:31:49 -0700 Subject: [PATCH 25/46] Adding content --- windows/keep-secure/create-wip-policy-using-intune.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index 0067c51efa..4a5f3873fb 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -40,7 +40,7 @@ The steps to add your app rules are based on the type of rule template being app >**Important**
WIP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.

Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App Rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation. ->**Note**
If you want to use **File hash** or **Path** rules, instead of **Publisher** rules, you must follow the steps in the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic. + >**Note**
If you want to use **File hash** or **Path** rules, instead of **Publisher** rules, you must follow the steps in the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic. #### Add a store app rule to your policy For this example, we’re going to add Microsoft OneNote, a store app, to the **App Rules** list. @@ -113,7 +113,7 @@ If you don't know the publisher or product name, you can find them for both desk 8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune. >**Important**
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.

For example:
- ``` json + ```json { "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", } From 63c502615dccdfb498758980f417b6d5289da9ba Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 22 Mar 2017 13:07:15 -0700 Subject: [PATCH 26/46] Updated content --- windows/keep-secure/limitations-with-wip.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/limitations-with-wip.md b/windows/keep-secure/limitations-with-wip.md index 39aaeb8dc5..70b4062521 100644 --- a/windows/keep-secure/limitations-with-wip.md +++ b/windows/keep-secure/limitations-with-wip.md @@ -26,7 +26,7 @@ This table provides info about the most common problems you might encounter whil Your enterprise data on USB drives might be tied to the device it was protected on, based on your Azure RMS configuration. - If you’re using Azure RMS: Authenticated users can open enterprise data on USB drives, on computers running the latest build from the Windows Insider Program.

If you’re not using Azure RMS: Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won't open or the file opens, but doesn't contain readable text. + If you’re using Azure RMS: Authenticated users can open enterprise data on USB drives, on computers running Windows 10, version 1703.

If you’re not using Azure RMS: Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won't open or the file opens, but doesn't contain readable text. Share files with fellow employees through enterprise file servers or enterprise cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will be audited.

We strongly recommend educating employees about how to limit or eliminate the need for this decryption. From c6d1289421374540d9be2bd6cc53b3c5c3a2b679 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 22 Mar 2017 14:34:39 -0700 Subject: [PATCH 27/46] Updated content --- windows/keep-secure/create-wip-policy-using-intune.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index 4a5f3873fb..f36171596d 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -14,7 +14,7 @@ localizationpriority: high **Applies to:** -- Windows 10, version 1607 +- Windows 10, version 1703 - Windows 10 Mobile (except Microsoft Azure Rights Management, which is only available on the desktop) Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. From e0f58566e150bab98bc21cb61a6dd36db683cd88 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 28 Mar 2017 10:31:10 -0700 Subject: [PATCH 28/46] Fixing formatting --- ...reate-and-verify-an-efs-dra-certificate.md | 28 +++++++++---------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md index 58a3228aef..e0d89f176c 100644 --- a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md +++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md @@ -92,35 +92,35 @@ It's possible that you might revoke data from an unenrolled device only to later The Windows Credential service automatically recovers the employee’s previously revoked keys from the `Recovery\Input` location. -**To quickly recover WIP-protected desktop data after unenrollment in a cloud-based environment**
+**To quickly recover WIP-protected desktop data in a cloud-based environment**
If you use a cloud environment in your organization, you may still want to restore an employee's data after revocation. While much of the process is the same as when you're not in a cloud environment, there are a couple of differences. >[!IMPORTANT] >To maintain control over your enterprise data, and to be able to revoke again in the future, you must only perform this process after the employee has re-enrolled the device. -1. Have your employee sign in to the unenrolled device, open the Run command (Windows logo key + R), and type: - - `Robocopy “%localappdata%\Microsoft\EDP\Recovery” <“new_location”> * /EFSRAW` +1. Have your employee sign in to the device that has revoked data for you to restore, open the **Run** command (Windows logo key + R), and type one of the following commands: + + - If the keys are still stored within the employee's profile, type: `Robocopy “%localappdata%\Microsoft\EDP\Recovery” “*new_location*” * /EFSRAW` -or- - `Robocopy “{X:\}System Volume Information\EDP\Recovery\ ” <“new_location”> * /EFSRAW` + - If the employee performed a clean installation over the operating system and you need to recover the keys from the System Volume folder, type: `Robocopy “drive_letter:\System Volume Information\EDP\Recovery\” “*new_location*” * /EFSRAW` - Where the keys are stored either within the employee's profile or, if the employee performed a clean installation over the operating system, in the System Volume folder. Also, where *<”new_location”>* is in a different directory. This can be on the employee’s device or on a Windows 8 or Windows Server 2012 or newer server file share that can be accessed while you're logged in as a data recovery agent. + >[!Important] + >The “*new_location*” must be in a different directory, either on the employee’s device or on a Windows 8 or Windows Server 2012 or newer server file share, which can be accessed while you're logged in as a data recovery agent. -2. Sign in to a different device with administrator credentials that have access to your organization's DRA certificate, and perform the file decryption and recovery by typing: - `cipher.exe /D <“new_location”>` +2. Sign in to a different device with administrator credentials that have access to your organization's DRA certificate private key, and perform the file decryption and recovery by typing: -3. Have your employee sign in to the unenrolled device, open the Run command, and type: + `cipher.exe /D “new_location”` - `Robocopy <”new_location”> “%localappdata%\Microsoft\EDP\Recovery\Input”` +3. Have your employee sign in to the device again, open the **Run** command, and type: + + `Robocopy `*“new_location”*` “%localappdata%\Microsoft\EDP\Recovery\Input”` 4. Ask the employee to lock and unlock the device. - The Windows Credential service automatically recovers the employee’s previously revoked keys from the `Recovery\Input` location. - -

**Note**
Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). + The Windows Credential service automatically recovers the employee’s previously revoked keys from the `Recovery\Input` location. All your company’s previously revoked files should be accessible to the employee again. ## Related topics - [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/magazine/2007.02.securitywatch.aspx) @@ -133,5 +133,5 @@ If you use a cloud environment in your organization, you may still want to resto - [Creating a Domain-Based Recovery Agent](https://msdn.microsoft.com/library/cc875821.aspx#EJAA) - +

**Note**
Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). From 31c62d89b892b3eca3c3d877bb002fa978f17ded Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 28 Mar 2017 11:01:08 -0700 Subject: [PATCH 29/46] Fixing formatting --- .../create-and-verify-an-efs-dra-certificate.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md index e0d89f176c..75e3394ad7 100644 --- a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md +++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md @@ -100,11 +100,11 @@ If you use a cloud environment in your organization, you may still want to resto 1. Have your employee sign in to the device that has revoked data for you to restore, open the **Run** command (Windows logo key + R), and type one of the following commands: - - If the keys are still stored within the employee's profile, type: `Robocopy “%localappdata%\Microsoft\EDP\Recovery” “*new_location*” * /EFSRAW` + - If the keys are still stored within the employee's profile, type: Robocopy “%localappdata%\Microsoft\EDP\Recovery” “new_location” * /EFSRAW -or- - - If the employee performed a clean installation over the operating system and you need to recover the keys from the System Volume folder, type: `Robocopy “drive_letter:\System Volume Information\EDP\Recovery\” “*new_location*” * /EFSRAW` + - If the employee performed a clean installation over the operating system and you need to recover the keys from the System Volume folder, type: Robocopy “drive_letter:\System Volume Information\EDP\Recovery\” "new_location” * /EFSRAW> >[!Important] >The “*new_location*” must be in a different directory, either on the employee’s device or on a Windows 8 or Windows Server 2012 or newer server file share, which can be accessed while you're logged in as a data recovery agent. @@ -112,15 +112,15 @@ If you use a cloud environment in your organization, you may still want to resto 2. Sign in to a different device with administrator credentials that have access to your organization's DRA certificate private key, and perform the file decryption and recovery by typing: - `cipher.exe /D “new_location”` + cipher.exe /D “new_location 3. Have your employee sign in to the device again, open the **Run** command, and type: - `Robocopy `*“new_location”*` “%localappdata%\Microsoft\EDP\Recovery\Input”` + Robocopy “new_location” “%localappdata%\Microsoft\EDP\Recovery\Input” 4. Ask the employee to lock and unlock the device. - The Windows Credential service automatically recovers the employee’s previously revoked keys from the `Recovery\Input` location. All your company’s previously revoked files should be accessible to the employee again. + The Windows Credential service automatically recovers the employee’s previously revoked keys from the Recovery\Input location. All your company’s previously revoked files should be accessible to the employee again. ## Related topics - [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/magazine/2007.02.securitywatch.aspx) From cf5bafb51a849a2280d2dfc55050efb155bcca1f Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 28 Mar 2017 11:16:26 -0700 Subject: [PATCH 30/46] Fixing formatting --- ...reate-and-verify-an-efs-dra-certificate.md | 31 ++++++++++--------- 1 file changed, 16 insertions(+), 15 deletions(-) diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md index 75e3394ad7..bfd0d8535f 100644 --- a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md +++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md @@ -28,19 +28,21 @@ The recovery process included in this topic only works for desktop devices. WIP 2. Run this command: - `cipher /r:` + cipher /r:EFSRA - Where *<EFSRA>* is the name of the .cer and .pfx files that you want to create. + Where *EFSRA* is the name of the .cer and .pfx files that you want to create. 3. When prompted, type and confirm a password to help protect your new Personal Information Exchange (.pfx) file. The EFSDRA.cer and EFSDRA.pfx files are created in the location you specified in Step 1. - >**Important**
Because the private keys in your DRA .pfx files can be used to decrypt any WIP file, you must protect them accordingly. We highly recommend storing these files offline, keeping copies on a smart card with strong protection for normal use and master copies in a secured physical location. + >[!Important] + >Because the private keys in your DRA .pfx files can be used to decrypt any WIP file, you must protect them accordingly. We highly recommend storing these files offline, keeping copies on a smart card with strong protection for normal use and master copies in a secured physical location. -4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as Microsoft Intune or System Center Configuration Manager. +4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as Microsoft Intune or System Center Configuration Manager. - **Note**
To add your EFS DRA certificate to your policy by using Microsoft Intune, see the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) topic. To add your EFS DRA certificate to your policy by using System Center Configuration Manager, see the [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) topic. + >[!Note] + >To add your EFS DRA certificate to your policy by using Microsoft Intune, see the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) topic. To add your EFS DRA certificate to your policy by using System Center Configuration Manager, see the [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) topic. **To verify your data recovery certificate is correctly set up on a WIP client computer** @@ -50,9 +52,9 @@ The recovery process included in this topic only works for desktop devices. WIP 3. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command: - `cipher /c ` + cipher /c file_name - Where *<filename>* is the name of the file you created in Step 1. + Where *file_name* is the name of the file you created in Step 1. 4. Make sure that your data recovery certificate is listed in the **Recovery Certificates** list. @@ -64,9 +66,9 @@ The recovery process included in this topic only works for desktop devices. WIP 3. Open a command prompt with elevated rights, navigate to the encrypted file, and then run this command: - `cipher /d ` + cipher /d encryptedfile.extension> - Where *<encryptedfile.extension>* is the name of your encrypted file. For example, corporatedata.docx. + Where *encryptedfile.extension* is the name of your encrypted file. For example, corporatedata.docx. **To quickly recover WIP-protected desktop data after unenrollment**
It's possible that you might revoke data from an unenrolled device only to later want to restore it all. This can happen in the case of a missing device being returned or if an unenrolled employee enrolls again. If the employee enrolls again using the original user profile, and the revoked key store is still on the device, all of the revoked data can be restored at once, by following these steps. @@ -76,21 +78,21 @@ It's possible that you might revoke data from an unenrolled device only to later 1. Have your employee sign in to the unenrolled device, open a command prompt, and type: - `Robocopy “%localappdata%\Microsoft\EDP\Recovery” <“new_location”> /EFSRAW` + Robocopy “%localappdata%\Microsoft\EDP\Recovery” “new_location” /EFSRAW - Where *<”new_location”>* is in a different directory. This can be on the employee’s device or on a Windows 8 or Windows Server 2012 or newer server file share that can be accessed while you're logged in as a data recovery agent. + Where ”*new_location*" is in a different directory. This can be on the employee’s device or on a Windows 8 or Windows Server 2012 or newer server file share that can be accessed while you're logged in as a data recovery agent. 2. Sign in to a different device with administrator credentials that have access to your organization's DRA certificate, and perform the file decryption and recovery by typing: - `cipher.exe /D <“new_location”>` + cipher.exe /D "new_location" 3. Have your employee sign in to the unenrolled device, and type: - `Robocopy <”new_location”> “%localappdata%\Microsoft\EDP\Recovery\Input”` + Robocopy "new_location" “%localappdata%\Microsoft\EDP\Recovery\Input” 4. Ask the employee to lock and unlock the device. - The Windows Credential service automatically recovers the employee’s previously revoked keys from the `Recovery\Input` location. + The Windows Credential service automatically recovers the employee’s previously revoked keys from the Recovery\Input location. **To quickly recover WIP-protected desktop data in a cloud-based environment**
If you use a cloud environment in your organization, you may still want to restore an employee's data after revocation. While much of the process is the same as when you're not in a cloud environment, there are a couple of differences. @@ -109,7 +111,6 @@ If you use a cloud environment in your organization, you may still want to resto >[!Important] >The “*new_location*” must be in a different directory, either on the employee’s device or on a Windows 8 or Windows Server 2012 or newer server file share, which can be accessed while you're logged in as a data recovery agent. - 2. Sign in to a different device with administrator credentials that have access to your organization's DRA certificate private key, and perform the file decryption and recovery by typing: cipher.exe /D “new_location From 5587f731050dac9adf1e4a4cf9bf7a5cb35654aa Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 29 Mar 2017 08:09:07 -0700 Subject: [PATCH 31/46] Fixing formatting --- .../create-wip-policy-using-intune.md | 109 +++++++++--------- 1 file changed, 57 insertions(+), 52 deletions(-) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index f36171596d..76ded492c6 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -38,9 +38,12 @@ During the policy-creation process in Intune, you can choose the apps you want t The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file. - >**Important**
WIP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.

Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App Rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation. +>[!Important] +>WIP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.

Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App Rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation. - >**Note**
If you want to use **File hash** or **Path** rules, instead of **Publisher** rules, you must follow the steps in the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic. + +>[!Note] +>If you want to use **File hash** or **Path** rules, instead of **Publisher** rules, you must follow the steps in the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic. #### Add a store app rule to your policy For this example, we’re going to add Microsoft OneNote, a store app, to the **App Rules** list. @@ -86,7 +89,8 @@ If you don't know the publisher or product name, you can find them for both desk 4. Copy the `publisherCertificateName` value into the **Publisher Name** box and copy the `packageIdentityName` value into the **Product Name** box of Intune. - >**Important**
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.

For example:
+ >[!Important] + >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.

For example:
```json { "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", @@ -112,11 +116,12 @@ If you don't know the publisher or product name, you can find them for both desk 8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune. - >**Important**
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.

For example:
+ >[!Important] + >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.

For example:
```json { - "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", - } + "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", + } ``` #### Add a desktop app rule to your policy @@ -349,49 +354,49 @@ There are no default locations included with WIP, you must add each of your netw 2. Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table. ![Microsoft Intune, Add your corporate network definitions](images/intune-networklocation.png) -

+

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Network location typeFormatDescription
Enterprise Cloud ResourcesWith proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
contoso.visualstudio.com,contoso.internalproxy2.com

Without proxy: contoso.sharepoint.com|contoso.visualstudio.com

Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

Important
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.

When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.

Enterprise Network Domain Names (Required)corp.contoso.com,region.contoso.comSpecify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.

This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks.

If you have multiple resources, you must separate them using the "," delimiter.

Enterprise Proxy Serversproxy.contoso.com:80;proxy2.contoso.com:443Specify your externally-facing proxy server addresses, along with the port through which traffic accesses the Internet.

This list must not include any servers listed in the Enterprise Internal Proxy Servers list, because they’re used for WIP-protected traffic.

This setting is also required if there’s a chance you could end up behind a proxy server on another network. In this situation, if you don't have a proxy server pre-defined, you might find that enterprise resources are unavailable to your client device, such as when you’re visiting another company and not on the guest network. To make sure this doesn’t happen, the client device also needs to be able to reach the pre-defined proxy server through the VPN network.

If you have multiple resources, you must separate them using the ";" delimiter.

Enterprise Internal Proxy Serverscontoso.internalproxy1.com;contoso.internalproxy2.comSpecify the proxy servers your devices will go through to reach your cloud resources.

Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.

This list shouldn’t include any servers listed in the Enterprise Proxy Servers list, which are used for non-WIP-protected traffic.

If you have multiple resources, you must separate them using the ";" delimiter.

Enterprise IPv4 Range (Required, if not using IPv6)**Starting IPv4 Address:** 3.4.0.1
**Ending IPv4 Address:** 3.4.255.254
**Custom URI:** 3.4.0.1-3.4.255.254,
10.0.0.1-10.255.255.254		Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

If you have multiple ranges, you must separate them using the "," delimiter.

Enterprise IPv6 Range (Required, if not using IPv4)**Starting IPv6 Address:** 2a01:110::
**Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
**Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff		Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

If you have multiple ranges, you must separate them using the "," delimiter.

Neutral Resourcessts.contoso.com,sts.contoso2.comSpecify your authentication redirection endpoints for your company.

These locations are considered enterprise or personal, based on the context of the connection before the redirection.

If you have multiple resources, you must separate them using the "," delimiter.

+ + Network location type + Format + Description + + + Enterprise Cloud Resources + With proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
contoso.visualstudio.com,contoso.internalproxy2.com

Without proxy: contoso.sharepoint.com|contoso.visualstudio.com + Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

Important
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.

When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access. + + + Enterprise Network Domain Names (Required) + corp.contoso.com,region.contoso.com + Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.

This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks.

If you have multiple resources, you must separate them using the "," delimiter. + + + Enterprise Proxy Servers + proxy.contoso.com:80;proxy2.contoso.com:443 + Specify your externally-facing proxy server addresses, along with the port through which traffic accesses the Internet.

This list must not include any servers listed in the Enterprise Internal Proxy Servers list, because they’re used for WIP-protected traffic.

This setting is also required if there’s a chance you could end up behind a proxy server on another network. In this situation, if you don't have a proxy server pre-defined, you might find that enterprise resources are unavailable to your client device, such as when you’re visiting another company and not on the guest network. To make sure this doesn’t happen, the client device also needs to be able to reach the pre-defined proxy server through the VPN network.

If you have multiple resources, you must separate them using the ";" delimiter. + + + Enterprise Internal Proxy Servers + contoso.internalproxy1.com;contoso.internalproxy2.com + Specify the proxy servers your devices will go through to reach your cloud resources.

Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.

This list shouldn’t include any servers listed in the Enterprise Proxy Servers list, which are used for non-WIP-protected traffic.

If you have multiple resources, you must separate them using the ";" delimiter. + + + Enterprise IPv4 Range (Required, if not using IPv6) + **Starting IPv4 Address:** 3.4.0.1
**Ending IPv4 Address:** 3.4.255.254
**Custom URI:** 3.4.0.1-3.4.255.254,
10.0.0.1-10.255.255.254 + Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

If you have multiple ranges, you must separate them using the "," delimiter. + + + Enterprise IPv6 Range (Required, if not using IPv4) + **Starting IPv6 Address:** 2a01:110::
**Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
**Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff + Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

If you have multiple ranges, you must separate them using the "," delimiter. + + + Neutral Resources + sts.contoso.com,sts.contoso2.com + Specify your authentication redirection endpoints for your company.

These locations are considered enterprise or personal, based on the context of the connection before the redirection.

If you have multiple resources, you must separate them using the "," delimiter. + + 3. Add as many locations as you need, and then click **OK**. @@ -463,13 +468,13 @@ After you've decided where your protected apps can access enterprise data on you 2. Click **Save Policy**. ->[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). - ## Related topics - [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) - [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md) - [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md) - [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md) - [Azure RMS Documentation Update for May 2016](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/azure-rms-documentation-update-for-may-2016/) -- [What is Azure Rights Management?]( https://docs.microsoft.com/en-us/information-protection/understand-explore/what-is-azure-rms) \ No newline at end of file +- [What is Azure Rights Management?]( https://docs.microsoft.com/en-us/information-protection/understand-explore/what-is-azure-rms) + +>[!NOTE] +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file From bed4d7c02bca53dd51f1bcedf512ffd764080a13 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 29 Mar 2017 08:59:07 -0700 Subject: [PATCH 32/46] Updated content --- .../keep-secure/change-history-for-keep-windows-10-secure.md | 1 + windows/keep-secure/create-and-verify-an-efs-dra-certificate.md | 2 +- windows/keep-secure/limitations-with-wip.md | 2 +- windows/keep-secure/mandatory-settings-for-wip.md | 2 +- 4 files changed, 4 insertions(+), 3 deletions(-) diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index 1cf0bcdc14..10f723df74 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md @@ -16,6 +16,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md ## March 2017 |New or changed topic |Description | |---------------------|------------| +|[Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](mandatory-settings-for-wip.md) |Updated based on Windows 10, version 1703. | |[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Added new content about Azure Rights Management. | |[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) |Added additional limitations for Windows 10, version 1703. | |[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md)|Added content about recovering data from a cloud environment.| diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md index bfd0d8535f..a872b455ba 100644 --- a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md +++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md @@ -12,7 +12,7 @@ localizationpriority: high # Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate **Applies to:** -- Windows 10, version 1607 +- Windows 10, version 1703 - Windows 10 Mobile If you don’t already have an EFS DRA certificate, you’ll need to create and extract one from your system before you can use Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your organization. For the purposes of this section, we’ll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you. diff --git a/windows/keep-secure/limitations-with-wip.md b/windows/keep-secure/limitations-with-wip.md index 70b4062521..9d6d1d1907 100644 --- a/windows/keep-secure/limitations-with-wip.md +++ b/windows/keep-secure/limitations-with-wip.md @@ -13,7 +13,7 @@ localizationpriority: high # Limitations while using Windows Information Protection (WIP) **Applies to:** -- Windows 10, version 1607 +- Windows 10, version 1703 - Windows 10 Mobile This table provides info about the most common problems you might encounter while running WIP in your organization. diff --git a/windows/keep-secure/mandatory-settings-for-wip.md b/windows/keep-secure/mandatory-settings-for-wip.md index 1c7ea0a9ff..8582716a30 100644 --- a/windows/keep-secure/mandatory-settings-for-wip.md +++ b/windows/keep-secure/mandatory-settings-for-wip.md @@ -12,7 +12,7 @@ localizationpriority: high # Mandatory tasks and settings required to turn on Windows Information Protection (WIP) **Applies to:** -- Windows 10, version 1607 +- Windows 10, version 1703 - Windows 10 Mobile This list provides all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your enterprise. From 4c9c10af99947f0b4b4ea2a877c2b63116eacf5b Mon Sep 17 00:00:00 2001 From: jcaparas Date: Wed, 29 Mar 2017 15:46:30 -0700 Subject: [PATCH 33/46] update image remove beta --- .../keep-secure/images/atp-users-at-risk.png | Bin 36823 -> 39706 bytes 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/windows/keep-secure/images/atp-users-at-risk.png b/windows/keep-secure/images/atp-users-at-risk.png index 4e86dbb2f542b7c3b73cdc01e23fa94fc0558aa3..cd43cdf60711309408e22a5bc72c5196a2408fd9 100644 GIT binary patch literal 39706 zcmc$`g;$hc)HXbTA|N0lCEX!NcT0DJG$P&It#nFDcMT;ijdXV?NSAbX%y;-b-}4{5 z>wRY}mNRGWIp@C5*>UZ?uWgu;f+QLWJ_-Z^L6epeQ-MI>|3Dycq)6~!gR= zFQw%KfuMIk{lO*DqZ5F^7tYf1;xASah;SIO9xM`r{~Hq5bpGJtY;NZWDXAEi0z;_I zU`Wiw$;i>d-r2&=7V-v}i~@|KJdKOm*?Txzn3+36%3clgf>HGUMjcHIpDrbJwy-gQ za9q7Y2Hzk*eWPk;>g;CdXado*hdo{X^1sO~oQ$ju!KIFnhK|}8FpTsx{L#?S*22~d z(m}8l0>)na&+lCvjZ7dHu&;andzq-6jg5(|GvsnOsU3_VK3%3};cRUJDL$N}fj~$h z(qbRf+|&0L-MrP*FCoWHNAy!{@hOz?DAND*#FamUhlh9IEB)Zoy(nsKD$T7Zwpwuc zXkA)S@qB1-o?bkhR9;#5S)i0W60(JH+|EPY-Q9W+hNv(`T$pED*28{?$JwBVU2hB9 zRi+n-VWfDTa^>7hB(gvZk&J%ZhJ^#yPQ1Iz1-th+FUcrp$ezakHGE;gK}8ICMKX%u zPbu9Mj3(U9 z2xP2t_kM57w_)tWdl}M29Ur#6&=!Otf<)%bfF+I`BtjiO@VTm%!J1}ug?n_>9uGBG zArkGsNqq+%hE1J@Ixh)?@Qk?2{#%LY!&L1olLd55_~};QhsB>}O3?luK?-hzHjx?k z0~l9&XUO;ke37Hpsr&3{s*=D)Bye4z3bNB{@DZs1bBp}x_cB!f{{%As?m)O1sTdfLMD)-W;6#|LbOe0VbqIQ_SU!T??p4|~ZsLe5Z;hlS%TX68WTejfzy9yg znv@vHr6-4&+FQJDPESuABYNUuV{>Q+ms-8t_J8MWlY8b#xw>AC=ZFdrkFE7YG`sB8 z``o!o$8kr~GcY(eFO~=*Kb-+lMnzl%C1w~+miKAAqM!qBM#G}(0{B_EMromi%YUz1 z-T>iG7rQflw^LcP1z=mC6%`7Um}7!>WpjH17t^XoEoYl@4%8_~UflC1B! zGo>g*#OwU;pkaBb+08D~4!z9nXeo~J*P}#iZf-7E?JWfH74iMFs^X1zTT!OxI{|@* zI9bLjO@uI0-|F=FIb%YJ?y9ydg8e^27W zq}0`Cp57fcAJuE=YiPLcl{YYI{#dzAmkxJtUBcCOUybHF)NHU_%$W_7$g`TO&};Q{ zVaD4Z{{5fqOj9|=MiFq~U}4FnbDt>fDapKi`O>cSLPLNkh1+3mIEC%%V8IRcaD|JD z3)>+3@@r+XKo-n4Z`wGveRqF0HZ(XGeL)yqT4yz&70%A|B~MpBcVPcMjjg`qFEZX}5fj;oqBd~$poBc_k80P-y>t1_AD-@UINDaN=N9uqAs#Q$9xmown=@2A!BG<%lAjKdBYmNic5Qy> zmvulx6m9o?;AMXYq=JYH0|`S!ml3z1wxpy4Jg`oK?JbjW`||Sm_=+TprV?A-x*pgo}^(oVv0OxpA|Ibk32mzA>{^mc7hjO&%JuLg&PBqQ-0wlmyZ#mLuA z+)YQ*cP>2N8d+FayrGuE~4McI4;1DSCY?+qN?fJm)u=jctmjd@{ z;6OZ0a#E5nkdBY~9-G-8zOu{Tfrk*h+hV%1bu}wy7#=F3R#K~e<*!fnjk<(=DRPCt!xa`% zH!M7q?prGQFn(rDxxGBN13Jv8RlV`oX-r_+(zNCVT3V6HY9gbdp&{ukp{AzBf82qP zFj-pB^e$GaOux0Mw$}OYPY3UvS zFK9NJ4)#kMs|OANQP=+0^YGk+q@-v<9>?+Q4==JxmX8d;Qn}(0jEx&{dlk)$Y;04j z_SV3rZw@BDp;15$>8ddu(Qfm;>5rudK__Z59Z3a7RFh#gj)DL+*qr?qSl+P|HnX+v zu&;<{yoVn#$pXh;Tk25?BTe{q!wWOusA5sk)60(Wiz(M?GEA7Osn2|MitX*~wdWqj zTjw7A#QbkjplNf6W6iaB#MB8$B_-y-(2&*6iG`(Qc+Y1Z9-hE&O-;O7Nyucm zw5Dce4a1ca6DnB|n&q?L)SPFa>PPLcN4lc)xXjF@L(5!RbYlLW>z&8${5tj4DJ(|8 z`o%1tyF<;{p|pdin?uP=2EKnxlI7Dl(IB^1N3b4T18*R9c@j~W&wd%R78Dg_IZsNj z_r<*MpPZcJu$qm;=h#iPs(|yK$djC#nkPYsV<{vv zokn?p<)5!I>H|m03zq%bF!RQ^Xv$+3eD=Bg0|9C;u3W2KE|E8}efD0j$+^QH&TZL; zi);hfQ*(23DOp)7bMx^^Ls8ML79g0w)Vb_V3q9;8n$|R~GtvRiO0j)*gJ>A5-CxP;i)4@f6B-Y-Z>*YkY|(F&gK%`C%Zwl|6Z zc2Vi~96sRd+@D6LZ6M~p3pNeqS~Z1VJI7yg01cd)o_+>VD5}ZMCdEK1)2@S>jb(Bz zI>)zZD=3V9XEEB{+uPgS<&Ku6j(@nlm}+)BcLENqpr8O4N<@e$uBVw*g& zDhVbOY0kcT;c3IEBOwvIXgk*5Kkm1-OOPs8*wVsZG-c7SuxQ&rDLr96ZO*P;K5Nfi zw#-K!8%il{+n}R9BSi_M?$Dll-_>g`I9}n~t?O$DGaf3}l6zj?dJ3PLEjUJ?J;2kJ zk8!AIYd1Lp-J<_^_`AvoXieWFpOgLjm`u~%EG^)rh`o=0nPqxx0kr~-;OEMhm!rUe zNKvkx-GDu@1sF#w3C^FT-t9b*;0Pfw5AlE?N-rWX4#fh*^u zC7=82llO`jRyM%3j`5$#85tQlIGi+YXEu9X9SV3|*5+dgg|QSie5uu9lvXh{-2y^< zaXzKE>~pm!;CYV6VL4qlr*FlY0_pg~Y&~CVu{T>zMMVYh!W=F+*v$74J-M*Yz(k;- zp)n@Yzkh##)DR^`o?6I57@b5#9Z!c7u><48LyeWn2QWxoy;WY^Zuf^K13(#2=qW!5 zN|1Xd7k-o{o1Cg@ykPYOO@whwB>+VjBHGeQ?yWT1H8c4zAK+mSyfe4 zQxh;}3wG^K2#9C+=W^Eycl7#C&i80gXi{?W%P-kxm>Q)Q)kBPXi_O5bH81<#9nfUD zlM}~exz1bgkC~a78F*|azHj_Oilk9mmz^z~#Z~4)pEO{M&*y3legUKufX%CZikR-t zRRp#_b1ob%$p1cBm|z0i@BALsU90^A10KNCU$`yUeBsk<4vTo~!Dlt@7kWI2sjjY8 zFV$#0pOgj9`6L8Ot{>IZj9F7ODs*`~&;PN3qxi>24wM-E6Kl#jNeF-qg@wJ_XDK75 zncEBO;k64Axfb|iXXW%#+OXZF20H_0yy5=-6%YNS&E8%KpTW-K?93u}^mL(6On~M*!-2); zO&)UDN-?WffW&+oFm~i7+}zv*mH`;r+fH-#CoBKu3w-OeD3|j;fN(i~v;qJ=LgDX~QdV2av z7CQrxZyTR|{ZKhq>K70xVPt5S1BLdTqV*3wz4#7lr;y0bwnhlpOo#p95U|8q(nf%w z!H&CLfs?-MBk{XuPV58_jW^}jC*~A6&j9FBNTw8}_WTbjX;wT`n{a8KXjQBNmsE1; zxFtHKAxBaSU`MC6@d37cZ-Fv)2IP?teNS3WTU&bwtsf{ng$_c1KX5LmIH^Vnx1O&d zwDk08fkdl26W@Ndqg#oep43tZ< z8J3=&4vb7=ZSA=b>?Wp7OnoLs@b=%6`PnP0VP#{ZlGgrdZ#YDGa&vQ&T9_h7oj1X4 zF-aNIcNXJ!-?ewKdo-HHbySe74-b*Ckj0I$UGI&uYdMh^BEvIcOfIFmo6urN0*fp* zyH)Bn<3QfMd#CSvv+2%X;fKu~?bN6Xl#D7sKr`)YJp)UM95`~n&BTw;($b5d0prP4 zdv2hTo%_IR0mW%m%n}6Kd<`&i%%u#_WZvi&eY+vT60oxvNSfsuA21>%@_v0f_H6a^ z@NY}i51RKpJ3n`pvCz}Y$fbo~pahBJd|Uci0sCV&Aat%**HXK109M&P3(GB@3kvL7 z1!DTJWX77pF26VYtE++8#Yw?|V`|5be1(w~p`v+(t)7=K*lr)>zij zh37@{PArKCR?pce9}|9*;Mp)+Vq#*#q&Yi&L{G)fweS+vqRvN!bRc7l+O<+s08;>^ zF4FURxCs2V+7+_wv7O;bBn=Lk0q4!L4lAfL(nG6bTTC^>l znJ+w6#s~yf?4!E+!BT75wueaQ(n0PklPBROS(c!i>AS6;hJZs;#>$&8H#9VqWowz+ zLwg3FpyIi4RseZT}YIdNB7AqD#UaA9UUc8&&-VaNvT4;S1?G0GkB@ zUs*J?wRf-XE;_S@hlc^u{P&y|#1+7>fiU(q^_Jn{mfthA5P*LY=x^7frB-!y^*Bl% zLUfSGIlBQ63k0li!s;`rsi{!tJ8@<3abb8D2R#H>1|oFHp-gpkAoq66cnpk;z@GqH z1x%}_thB4ED{z?rQBYz6AqmgL!p7dYVBz540E+|R0*eDjU|vZHY^_ldEPE!c37O2M z8cjMbZXjRKq2G{t9UzO_S8AEt9+@Ap#4E+sv8ZCD{@sKCn2IHi5tuabG}(lC?a!Z@ z2Duj6{KR$^^1v_=O*6(xQR3s{GvGuFZK|ld9L(35r8`KxbBfhuxCG+jbNuT?JdI)- zK-B2Oc#c27gSEpRjsO_F=^}Zw2b$^X90-irc;zHGT7Wyiq0lJeE!#524SL4vHM>5^ z8@PP{pQd6d$)7?*zb-T`=H4U*tx1)RfTsZY2?DCA+mvX_HzsV7pSXMfsWt(z6v(l# zv7PmE?JqPO6)Wexqo;2NW-I#TtEWWD#mU_RHa51WxY3-4oX?9web_$Y- zXM#;@JO&f!sx++uKqJB;0N&!f)VN9$%m}g~vo84Jq(STE##)y*-s0loA(bBm@W?3n z_;ma_6kqfNKcykwh2{PpaDoztCDcXGhUdPzx_-L=j#T=8@>k=P!h`eTe{HXTsk}Mc zavlO+6zm1>S(O0T42)e;x*>5?#4c%?jPsfXB7XPdlc*P9T!e0dYRg~pX}|1n{@*9U z{Eo?cHCa>k@0Gw4lb!ETOJf>EVoZ7(F6ahgbm9T%{;#{^zpv6d@ZN}5jda#GA{j-h z?7B9;(#L*!o`0HBaac&t@QliF>!&0UARwjqiP>33?P(Kk%U3)E@lflve)}Fk3oVF9 zUV%jdeRbyLne7SDp5FgoObVWqphKRd6v+tHzqVx(Cf{#ZFZCR8zwc#}ZXm=)G*Dyi zVy>`s17JQ6{><=jl$gFQ&9fKav7hCDWWy821SzU03^0e{JFm@=qpaHyxXFuT)<92P z=bP*oM_ZA>(}=UF_cL+@=RTin_n5R;88Z3e_gFaVlZnM zhC76K_*NE;(h}ooUhdb=*pNn$-xOmiF&4nph2Z&r5BT>1DjeCqhB>CTMJ_KdAA!qM z0fokyq^Jy@9Xu1gyjrzLot>Vp1yKUnzjVLHo40S@W)Ltu9X+p@WgJ7Vrk2*9I4W5H z0kFhD;CHXKh*6NR{?nMX5ky=jLrF6Ly(knv3Dd4p$$+@G;4;XJfovEgTfS&`^@P9D zV!qyHA?dvi4oVO&Ek9zmrQBZGqkM04*D9VrGyn=W1sf5b`91b8cd^}u@A=<$thm8A znQb5MgUR!~tU(MQz_=988$tX7;@nere$RmZ30noE3HI`)CQpFjh+Y#z_RpovTGU(~ z`YwoSVVp@xk`XX{*D><3s(s_drR!r{`Z4z^M?II8PI`HFqoWnG%i#rLo_mez!8nxo zX#}@J0l}MUH_N^jl?xk}d$Sj3XOr1^xio~;w|QO6h_8GmxL3j!zrwWY-M3dq^^8dA zMz$*~ZI;zJlGHR+3}w9D$`94wq8w!Yb27N|5^D5XT&kZ_GO|Bj1^3QXQL_hfrCyi& zf0|tA3G2lJS$gsKrcwCEXyOL|e%;#M#>K`ax*~mpvM@oL5~LtAof}u*pllgR+gBa` zefaX)1O+2GCBGW#-_l1D5+Blhr!ipNg;VUwnwBk&(;rFuY9o;F-bG@^ch+Epvom zW~Q)jMJFX>+?YPNvZc89(fXw-MNtXE0wcdyz+Jv>-s9o!;BSLu_E}G=PF0zei;~77 zH?F#+%ifs1w!hc~@Xw?41g9MqLY>Oi#GVp4ZK&XuVt#$J{>fBmJ>|HV^ zHP%5;oOO+GBtHxChB;f+b3XD{?`_T{r+o~2%=1@`L)ask{Uwt*1gdg(emT|jUQ`L5 zC0-S}?fHMBL$HDTa4}%b`C+&iiQp6&@@L?$&8kfM{kZ$pH{JF5){__Q<}J4m^KOho z1nD;S8zILAI9}-zw|_U%y+iEJ(tVO!bojP+y#-WnEETPL*Lqvwc6P!J+q4iN_NhEp zUL@)LuQ6yFUOiWHDDI5`1SO5Bp+5LD0 zL_Dpq$GgZX*Ek);s)8#kl>`P%pCco4Lwb}Ut?S@8{;7)vWSEh zvLwP$k=h4BXz^9mNS{569@n^wyC8;xeZlqqOXB z5VCB`Z)&OAiu~N~rz)`_N+|GDfgNsjVdZE8^a?*<Rp zP+?I!2F7h=AV8=_9N;^&dbU;<<^FIILl8{~X4U%)9%kE_%FsuHgZL=aeQyjtZbt1{ zJ@;>x;3@Lagbg-z2=$rp%KhD2e%@9Z*6t^+FYUMR>!Z36X=x;!(q#R-sg?(O`ZOc{ zrw3!J??pm+W+1ufJHpF>tBh4pU9F;=Ao{?f@swV)+MO;z523(AC2srYuYw=bS6W&c zBgRSGvVF53J%5Qtj_zEbxts&R#{1@HZrz7)UkxNgEXy z>?WINR`ImrQF$P$P6noB7dj0?j(>cwT4=1&Qo?OVnXlVou;wMNH{Tntpc zTj$E!;%1pcg78y;sS8EqmA1m(LMBnqqtF6`hD$zjC>iaJ80or2yVhAhE+4_iR2*Z@ zddK^1qz}u6TI0o4Y^3E@ysqG+T=11|NI2ZDMq}nGg1f59Hv=Sbko9 zZL)KfED`2G5zs{}btfhAa*;u2{;fm+Gq>Wd6R$&Z@kuRY>E*82lfQ<8K*Dp2p)yFT z9*@Pn`p(qSap%kTUr6(LlPD%jo}3q`*oAn0R8BZQKVN=0bo(zGyOUTRA`OsccrM|c zIX>dCyovYV-b`2cdld`~&HgDTRu%&kA1Y5q+50|^V`DV)MWg9efiMQdG#o8ke zV<}7Sqn*)@5Y=hb5XFXI68(J#okpEtJ__mb;rOyw^bm~1+R59E+1+k5iu5c6dd)^Y z*C9z464ST6m$m))R-v>*vRw;{lO&363izM&n%F#-I}v+Vs?KUKQ5Fso=>qaQv9O`{ zr=t>d=~6;M7Fk5IUg|h zQGK0qWv4#U{?}-gL(?@JMaw?6gm-_|5)5bCRg=7NXdZW{w|_H4J{A#QebvwNHa1<@xDg5RXHc!`~QfjWY7&Z-2rXdxg*x+mFtA6@8I}m^q!C zs~UBh?8ii6ruqdu+7@iqN%WS^*XG)4ytJt=YvBFMShb8G%wD4ACl&uT9xYng#39*` z*nAur=yVo_pn-I(%r~=(_QAK*a?1 zcqLRhH-tw30+|u6<-aqg2xgJ3x4WgXNer=+(&{tP@zi>*e@ygXWbZOkBg|7lz?(CJ zYFh3>WtMFUxGzWvHGCPODQw1SSM=`;t}2TcJ=rzai3|@%P(Uj-Q9d zeUJt?BnR!5jA!p0#b8{;*7w3`OLX6C z*S2iye3bB0$LBbq{oShYh@M@{eR_Er_}<7aTewj)+XRZkZ1^4`$V%{m{sA=9 z0rnyPUP?*fL-1}8-nOc5Jj?8*l7L|KQfA%*)gVz&+@@>1+K&tlJw4uz5aJ)KDfJKD2LOaC2JIEgPJVW>0Wy^43!1bU*4B(5<)r{i^Zy zE2I|WGwjSSYeQs*t4{-kE9I1#w%k8iQ%jO9cEfe_e4WBMifn18a@XcE3J&sHlRffl zfBB^s6MvX6i=(Z9V`>ntgYJ3Zn5!7E!RAo)@pJUYOz|j#gYc#dcruJgE6&)qpPa{6 zCi1_2LW`|GRRGwbC7`#KHB|M4+sbYpwte#JXkRB+$ne>B!JA-=+Ka?i}{O| z%XuphU2loL5>V6Cy$97&P@`@R&((Dr;h>J+DdJMdP#6L5*RxBxxiNHUbmI5#fA-wG zHIj?Cs-@nO&mVNrjm}ydi@=7Q-DXgHQ;M(VtnQzj+*smLCDby$&E>xp*P3R))X(lw zQ1;_m6eFTOoQ7ZjooNcepu^$~TGaROk@waNpc@)2uMArTHV#)E6Qz4C)my1Frq_Sn zB35?%?sc`z{Sl&Oa+2g%?IVG;IVPsNAK*1b)D zEW(tew1RX)>_6)}355nw_$&s0&*$iwZiV}Us~qggR)@-39V#>-W`R?pmCsc9lK;fy z%?k`UW^qG^b%^AWQrb_e1Sc^!RbA5r;oua6AS$f-Qo6=I8X-Zl(lpV~0enU2;2>G* zT450i$VMN<#6`{ci{)KdmRf41WpI#AJC~r5v{51rof9R7y44q`P>zY_%2g3J^{XFn z9Sh4L#0EP)7do(Z*=ogpmL*nx0qPpux!ch+b*j^RQoa35y6OiDG4=}EvWRwex*~(5 z>t9L7QwAP(kIu_!Po^+o7}56l@rzc3)C*GrA?&W-C||~3qac1AN_r3KbWhc{`*x7OJ*zyUoP`YK5K6_FYR(;$Ju7|@t=pO!?e^hJ)5;xS+n#9n-776 z?kcrQM)1#mYVcWSh?+;jxlO|ch+Ena+bE{KITbL@4`91YbgM-podR-O=E(6P0AR%GRkL$N6S=Jk2z2AFR{)8RAd@&DM z$zu}Y>7o`4Q;xPO>ej6UW1j1>M zDCPFPJ_bqN9a&IT76P?*VbX8&9olz5X+d3y&*#=z;EWkR3KUDUTihKOaDc)J<)|Lr zdJ@Th9CAhW&$n3Z4p{z?AUtILS%fr)*-y@Q*10^&-|7o)SEDKoW-x zNn&sX@2^K|>H0+}ia3cKvP#iCBIt{{vj(5!UlaPuMJag+>^-EWZ&HpFw{Aw zy{-6ezjtbqiTE$SLumh-Sc?~C=VVS*Z?3DT$Q_9fOsc!Ce_qslK!(ve`1!sv?DLw$FIdw=I zjgaogSv8_`kTSfXwADkSksGRrWYGH0;bFPoLTM(@E(=Ledl=g$;I{uHiy#Whv?Hbq zO)h&t)B%mfvTI6RLqkPoYI0IL$=K9XCXP~C1tpIcGea9ej&6qDyh&}8-tifp+HHQ) zT?h@--Mc!|Li0HaD(5Vvwn)V*`aR3FuTGKM=hc+hz0sfQokd8g+2jpdYfwE~rEH{- zL$D8NnS><6n4pKYaTm!hWSjAmKZXX;hB*mm60jEuMGTvM)G{>HRNcJPCQ2AVoaYl& zWAAlR!i_7vACdfXkhpCZu~GC=K<{&K5JHr?`z!DAw_japXl!1~m?H+D4s#+UFe7rn zJ&%JztCmtk6qA2ISsCr~6$^jUs4}>sc)0%RkB1LgskYa-q*~Na@GGU&>z7?e;wzd9e=4FB9Swr(cu_8YkpJjA9#-A5{nvi8L1J>$!w zYJ>q2qvPA)PkK^~x0KD|lsyUoaMMATB>35Mg~(X$GS(8KB&yygTMg`pLi@79A_DVc zxMb4>hv?-yQ=hfUXOpP3w6p;42gJLv{ffi(ix!=$KPJqr1)6B+>18njCnr_Jc?x&f z`Lv53t2R6Y>FM{RX7dvsH#F&d#^=_Ey@m^s*aZN<$T=7;Gcbqh;wmzdd%uAAZrUnFu&@`ge@XZaUm?(>VK~4D*;R zx0H9qB9WC7H_F}4$%WYy-9969m=@r$NClv3lHbsl!`Vja!4`i z#zV+q23eE!{h7g?E2qrfW$*GmBi_q*3H~#}M_L;biu~jj1_|N@FvgX72Ol=^=ngM{ z@-y4*oP5aRriry?uP=i;5&|q}wo@Q0r*9^y&+8tSX)X*j#3-Z>2AF)D>VqV))10jD z0|jUKn~(2ecIW20!B>w|Q4y{ZE7@9>=aqdqg;A17E+#L8YQ;#VN@Ii-)YWWi2`I_( z_ZlLcElHwCkpTBZr`@+zko%6=YOwk~zA?1W0@R5L_72U48eS?Y4!4023s!dNbL}IA zRlLw^bweFn1Q{P8Yw`0~%FT$?5iIjFQG)z9BO&QdI34cV)%SEjRo-PkI?C# z?d}1X%rB=I#*53)=$S{FnD6R&&}cMzXeIY0w7;8e(9JYdAO0sC&(Kj3p+_nznlb!F zw)lQiAr~5NaKlSrT$305jVa`kNN_d6X?+tAyyw7r+J^?P!%Nx<3g~InfjoI@0Yi)9mY4*ovJVMTJ&0o+GrWw6BR-F%uHQnt?dD^{N%0&~BW%!0yPf)KkI}Dr)_BGHwaF>z zg2CA6aQ%sv#$id=VKa_9qi0_4r)+q|-t!-23j}skpYr_#hDAPR#6rlN&2I%tU0|_L z=xw^Do>_O9;A@G!h0&4MD`z$~8qv%j4B%l5)a zhO4#kPZ>~|{xsa}!FRH3lTy_g#8?Q5k^GG|`BuB1nsZsAgqZ4CAi8;(8`X99BR5bcWw>srj2753b0c?LOsbVJyk*Mjrr#f!Wyxo>EB%XXp5G_x>e)Mwl9WE*v4^b zOuR-%$Bp*3R&-FjNCaut4<|-ZU%rA!WCHG8(<)X-J~O1h`cyj6BGTmh&4L6klh8y3 zmw__8>zm{%q4|gx3%!@@G{(IUcNvtapjiXqkgzl#2U}IO8N6dGR)&@lVK{$GR+DTS zwOF3i>GMg`2q`00t3Tz3`nEsyr8i}oeJvdn6a>Jom0pRqzCJoc&!#ZxtBY%{ah*1x9D=&?`pLE7Y2*`4jZcoa z2nt=a6Lu1FA#*xeFoRk`O7EhA2Zxvm*byjY4qTU7J_^6JJpjeG?Gta!m*B{~2yVmVCoeWAf5B4KCt`ufm^-e%m9Ig3lZ;u2Xvf-Sm z1HK0`K1@9$bEXB6oFm{IfJzn@ApG6mdqaNL+oa7{jtmU!@FK7(@Sli9^i3bajT1>b^9-tZjJZ#!)Qm8_L*b}+|GDj(t*Qgg2f)vul zW;RO5>uiqO^4%uCu!oz5W_y@z?C%dlQ6HZN<&nxFT;%QT?HEFy$pcq6^KW|c6;XZ{ zxrEXt(V|yWpg74i4~m9>2Z8nhqv=z_mkINhtyC+(FfJBao!NAB$&iV~0Zf7=uOq-r zPAzmGOpcF_-wlnHvUGeMy{^E!Lzz5O_vsfr;5J#z$40Kq@MMevn%7f!mhr}N?w9gf zcd8^PqozI)759qfWM6;4i1z6aldREX(1X@(N#&Qt0SX(S`a7)mmK(IUwY2CS5m`3` z7{e$DhpjoEi0)v=0l`nNy$AWJf-Fg%sQwW64HO|ZH#Pt@Z|Cl){na!0$STen7^Vnq z0byU`;vwLpUK}iZ#9AQH`HwMRkUJg240xwqpht$^-5%sW)zuT{_G~<4v$OyWF8k+C zZVHM#D-E`%75-`F3*y2-qSpbf5wK|h&jOuzkP4}DjKKEm6aAo~Qg(x!S0t1aslCLo z3Dm*qyVT?n#1YdRj`K?6B@~!3QI-4o|xPumhK{l zuo8avN`$Yv*CvskQg@6MBcB)_S5j7fjUF=ac=Y0lMBvN|$lbb($+WIjOekPCNa($G zqAvWJ$B=ezWs$%5Ft$H-(~umh#N@}e-G?+;aI$a;b;MAKt{v&Gcq&TSsM!?93Nhc5 zK8*FMBF|-LXVU1#V1>-E05)}hwXTLnJs|P{lC0~3I11=3?U-+<0O|@vcX!@2&rZ5pTkIL2c{*a(Q%%QAh4rDAn%w7{8QJy z@ydley#`b_kOj3~Yy#AuUOciu!s+Nfym*sFAocb2^>)i`z`RH+Dk@6Xf&{*6c!oP%* z60+4Q>gpW8(gCiHLKxPQ3J}ph2gHrC+}zKAup1z}B31ou_B=Abq{IRc&H+Fn!pg~I zF_1%}u0@~sBZwPJ&9&tAkPC@d--;+{`~I#}ZsxmCg{P6FinI@jjf$bXG6%KWeov%~ zwyK&uv_!}NEFlS&kYd2O+e)(o<>)C}mwv_E1lC^AYyn7*I`Vtp`2H%yINwGjw!@0s zC|rGijJb)QlFWN-!#`EhN0zP!#y+BZwK>|jwEU&XxSL;UQ#^chwz^i@qsKoJOGwSu zeWSK3D%0%dpk)%J%t1ynh35NfRO*Pvt-YGjz8ISw@$siNu8QTCYMNYgAwg}q+1)QP z@=6v+4L+rHH0|e?-nrfb73M>6#rZSOH&e4GF>aJ43N2TnN?bk^P}6crEYLlBNtMP` zhTI?4MeU?4J=Il#{O%TZ8I;&t4B+F1CU%quxuuN~7+v~ZS^p1}EHGNxY%YSi7o6D> zJ+UGstKp4EXf7?FQvhP+zvXt=NfZVI3(cE_BVj*3?FChL$D7sPh*5idIS^0L`2N=j zirn+Q&?58w){&f$B+h_d|2T8C#>4aT_UIAzQ%?(YG0OLG)B4L8?w<>;04!b3TD$%e zK!v>(Q^Hd6kk(XIHC8YA*p$zLr-6nTH~rga+eDryj@t1Vu;Qw$MUD{oUhR?Htn>fx5Nebcs*B!0E-bT@f(42~`NHt%zMBDq4ly2MkG#Xju;)81a z%^0YFgtV^p9!CDkQOMyf9$qGHbN_J=9m@#$-pXPR`->PI2NLNRJg1_fr}Z9p^>fse z@V|b#MiL1mK>A`u3o<|uS>(3`=bsE}BO0HYoD91zK+u8eJPFa!HEkGPN$V%#X-TB(bLwD8}ro5PpUB$&X##hjB-q(0n;oCgRUjFH` z!5)oJpc%uZvF0^b;l||!1#YtnczcqzD_NrGbZi-AOT8-u-I+%Tfv=M2e00 zP?hfOCxV5cNmh;6BKw8=V6OI;f4x&F#zuvjT6RvzAgIEM`0lY75G|8;2+<zXbVcLJo(TAuFv?`SX1D>bgBa4Y%~D>0=k(o=YN?s00Gvgu>K2U+d! zPj?g2&+fG0R^onH$hwJxyo9@H?9E+MciXpnP~oG9kb{7vkIU+;l#kSN|DVHx3}|p2 zPPji6k4$;5bA#fwnR8eX;U%kW_#t>6pEq9Rk5&)5dKAPrr`(yn<$*7K_t}-=Vg2}A zqzD4x%G~|=P!n8TXl&TzFHZsNy>`(Sd3Y{hp@WvYCMwY}9yw~&4g=Q3KY2I$>&Lm~4;8T;2~_rbUR z>5(Nxm-Y8e=L$NAE^=kRyI(X0Z2rJv&$ug$~X zE+lgo0~mUyw(Cn`BC`ypwp%w^@rb{7MNbdT1We=ye6@n>W*nlwX-W}ubwA!yHfUuR z++o751_WhR+EtzQsSja-OARCO-VTnJzcZ7*DkkNP$B_Ys2q}`-#P?h{h%Wm$XHF%@ zh;Y{Z;GC(bmWdr`I=>&3RSTu6BP=@ZzAj_w!I2>?`QgW4=jjo(Y`NA6cN1gQc*w&h zswl|~pE{U%KY2HwtiRM5vbHO_ZT#0>yGa;%>@_4#DRs~HJRIXeqqRnP5)z(1@&=MV zx8SLvxL18DC9gzhk3{d*SIA_3d~K2!n<|E4zYzi05mFC^nrYLomud!!6(_Bmg8NcV|3k7Te z%g3&CJIg zWS`rRT-sQvZfnkl6g1r__N=iYS`-j%Y}<3Iu<`&#J1XK=Pa#ol?bKi6L8dJN2?`Hs z#Zc(-5lvuirfwn&Xh7leI5jSvNtL2JcT^Ks-gmw04toh8(zA3cE}jTbK6dEFUg+jo4{m)gV%72Y8cQ;B07FE9=& zaA0OjJ!L)WB7M>ptDgJ0b(Oa>LAV7m}T}P!M1LbGp>oUVmjJqN( z*P|px{(JGM1CqIy{Ee=~>n%%LCJ$v}l_zF8H>xOdLxXvL&<*_;NJ|+oKH89TAm6Df z!lP4!QKytuP2P5AZ68@h7S}M2^0YSJq|CGxwVhKNM-^q8GkjAzkg%Lze%Gb^gFu=) z=jQYL23&oC$%N!b_bF7}Wd?_vL-R2P(O1CIG^bL6DhDVJD693V{=nyMj)fQIF44Q! z7zv*5e(`YwZIor{TKd7{XnM4f8dgS(Gyl%;p_v`a__uM@{`(Wh71ntA`n;pT=o0e?*3ijEqIrnv|&>=SE!;pYzzvHYFL4OrgU9GKdn$ zKwow>sREKgO2T{ljq}4oKY8b@2blt2ilt5IwiCTir;vr^v7rq*hm^*YbygHRo$D^Migz##}ge{qc<|#*NGl5vdxXz3_FCH$j9YZ%h6xyhUqZ9lc}7#jr_r3{DaR^)bQ3HgUxO4_% z0RuiccZ2W9$kX-mKFu3S>%~g5 zA(www_Ob0GT6y%%StNwn!r$d^b{vpQL$*=?=S@E|{b8;ks=-IouGU_ckUL&_t*wu@r(w|kA0 zw%vENI(rqOIHOD-hr{@EqrdzxOpF8h2`HF=A_c}{K;{;tKa1o|7-g4d`_>YY4>oqVy|gdJ-M>%a4Z@HCEQ;M z7h^|Wh88(rfqFoWddiM(`>IdA69Yb1ih3_|Y<)exkLswd-(>Qu z(k_3B3SG@5K__1O<3%OtK+H?HeRxFQt_DIsn#!?P>G!Y)dO^?Cb4|}2=$933E z{K~dl%dt#>?a>TCe>hT+IcmGJjVOp`IX%pimFz$wyS>)=jBLq{p8=);ws}4Tv>~mz1{agpf-N_&-CB%G|ZnS;jH3DBvaQvy^LuC*aPruXg3!l@iRBolvQs;rkV;wzRl*ga!4pV(+Y!^Rh4*BRP)bdDr!~fJS1TX_L;$pQH%xEYHL18mQ!)| zLmCr{$KuNvb@@u~O`qenb1%ulbZ)m2OAU0cAtNtsLWzoMtrB$FIGGP*$|>$&pb{lL z{-rtzgQf*d;uExJ;?ho$_DDe{jy`^Oq4kY16XHp-o(umUWp5QwRrf}FZ#qQ~l7(iE zAjiN&rh^iLK_gb9`UYX~oAwi&$K~_vHKa|!N^9hG|_1({Xw)2>YLO2o#sLNq6)uMhpzJB1#^(-VF)8($95F=v=lMfwq}4ePT2@hdp^A_(m0)hGiHc-#hgC zhlbdahwGLcQ2Oi%`rKPqfInI~+KDGfT$Z2~Khnz_(f`UqTDpUVBz~*E1xsj6Xxdzx z(t~x@$6;J0wEF`MJdgs1p|R7e?9ABkVzrnA94KJtloW+6-zb%Mr1+YI#7C{ahkU(a zfXa$6)4Gw0{fXzlg+Lz3V4GhUDd^*T1+&xS^JN(wjsO9tC>2Q5M{%gVoF>Aw?~v97>|VrN zG}m`|A&`^Ko3Q0q6XbgAsKf7*;86KIY_)sc15F`rCtkC03v->7U%VyRPib(Jj#D(s zsK4U~v&oNqA(qlzUB#Qz#!u&)i!$Lqf7nKh*m$CG}c8Fr|=bqLPDY$3?@-gzJRHLdIcC!n*l z@}!!X4`SZior08F63zck99?af-;9?SKebR$d+n$HN1Uv-GD~P!-)5S_?GCiZDXX>j z!Tujl=1bAx5eG%dW2~$;#^21c7B7{0SOila)t=(c%#4yoDg}j?St!X=bw|PFYP4P6 zFD^vU;*}s3GJQB^F_7*cCXJ5PbcPiYR=1E!;-cu|@>QT2o8i!yF}IN%wnuE*o` z9i`3I`lKhnsn{6%S&tA!s@t;t9eKRv_QI-lQeY@OMJWdITKQ>}Z9g~p;8|V<~(5^du`MEWD^{5U|&Nc4#!2weCgk~TJsBHwpz!@|N!BgZyQ5x@SXCTj$) zR57K@ar0S(^DL)5f>*tBmNg=a3yGLQh!`SZzYZihIN{XVCG_@*>UMEpZj4}ZF74gkX73UPv{cUT2~_+%-^7(w zir}yNk%zRMMw=)FtDY46gka_sSXzkQKo8nX*d$iLa4(ngF{l}(SkvNcq(NDo~ z>sq+g)pyOFZUZGB3Heoe_TS}j%z11bC5Tu){uuTvAscZ;wofE7kG^br7Z->f8<>|K zue|<-8&!_<(y#2Y^rz^R2PNJt3v}3T7BR#gDfh*ebRXhRJ}j({%`wTrTxSHGe@%NZ zRTtAWu@$wc81z+>EPlttvDXUF7mgL0_J9Q#-+&`x2bV>J6`IjO(=VhRn{R5B;@2FK zv{XxJeY;=ZSUeBGQl6b&#c3m?Z*ZBi1RFf*zqx=bXTm9pgY?#_C)NeJ=6G{-lkrhM5njNjFV6sKmX;xzfH#MWyp zCv@JfR)fAA>>4*)T8p1&h`%p!ce=~_(=uR6ZxGx=e5UJ zVWV-OoTaN z!q~fkAGz4-w--8c_nA+Z&OZD;$mQ3HPNz?jfeO0yoEM#z>4O2mn|NYqsgqsZq;606 z&)|z919ObXab+qabNDE*hY)D#WVek{`pTffgE1T>?H)2qle|Hcz*?>-)VaXLen@K+&Non81K zm%=k!^~Fxo*A-K+SVwE+j(_9e@o$NT&}so90gDRgOGcyVQ%7 zOYWA5h)+=cEU1tdTO}crg3H&?I#+7KN#;Di2bm(Gc zZ2a=}5KOi^K6yYcp%ss{!3LA}AIIH;$}!F@j8K34D6>LG#65K)hyy{VC+0H!U{>30 zzRP?EjZ#6+P>X}ucDBC@gawIal(Jf(9>;x(T&&+3KLDF+v-X@%967^mD`}-=#e3B3 z61z>y1k2tc_kCAqUXq(P^(}1)?|UQ~L4#n3{s#x!czt$#X<=oHjKw*@!IPor+#U7X zw}E^f7I(zrdHaNO4uoC@(FCyb9Ice{#fCf2(PBhfO#x~Mtv}gcTaD|5%F@EL-&1qYacx> z94w^kT&_$n>UMWFye)m_FKmk8U%`4(Gsy@fh>xrM52^Mt?}N6#U7rG!WG7bcom*E- zU!f=67Fk0sP98i)+NG2ZAMqV}uPRS)Qg!q_E(eDC-f=#;lp=%@m{*$xkqYKGx5&z* zWPhsfu+3WjGBxgkQ?K9xiya?`A&%44NqcLym1?;%#L_02NdwyIT5*dAZ(b~2z)$K; z(~^t{>#q#pY-3=A>=l^-%v>B`aJ?9`LC*?2wshVhjh-jvQf_~#WKfZok&$U~=b4!9 z03}5LDmuXKm06Of1yq#7npVD1Prft-!ABxUhBxLvN-6w#k#}!&?Z610qzjXG^l8A|n5$M)eivSx+6-w#2#hr{6ezU(6riMVC{ZAo?`q!Uysdod4v61)-{@I?K11pf4w?3B zrOdX14mN$FqvsGfpOfs3(NteGnQ=u#V$_7J1^HiDjh63)=3_>#9FNL1>{#bLiSWS> z+MkI8831X@d-Jj1z&NX>p>g1N3Ou>M8wy&H#{-zR3USHF$pt=kk!N7mUE+?ZsPd|7DcvF`g<{t8W z=U!kDa!}S*s+Ry zP0sl+KHvSuD-H)R_8$~??KbDyxx!@YFKs978{Z|uq4qV<@e2xJZ*ng9*Pw&ik0h4}Ue z8ZqPH;o%iNhpL*|Uc*!xzb8Nx0bs^dj}Ctj5bikf>&0DsJb;{oj#Pd3JnOo-6^TC|Vdy|w&$rk>oSs1gB-zL34W{cK>Gwa2BD zcFus*s9*#gTUm!2Sy+A`1q@-@I+nyPvCIXN!ET>i}g zZsMrGy{sKso}P3LuS_RwbdO;J;IcjX_yRPUVTE#@iFBVWMS!9-Aho?f@fM5@<=xO4 z4!xpe%F~>_Arp}oW$-@9nBoLUy?8JH!=~-D7a!dDY@_F3mFxSkL41F)_v>Fh&yEuh zI0h!Q0QkM`!0Sd+xX;HWh~L6?>^ZdpgwP9B0vjO+-DAxk0kQ@-Wm9Z&YSRFd*#PJe zIt0B6KT{0f0el0{%6NlKE5PGPT%wEm|oK2>0kYArtRx$&%Bg9Ou%PkB00tBIa}D27u!>5kErp-X~%sS0UX8KnC~W zUWc@ZH&$i8ow)+6!02qo&$X%=8pKUW2by=8%-=f3z(x$HO(=81WgSTMwGg{l+Kdl} zyBoP%@NX&>K@}X07OS`Z9=pipXSH^~Mt#RO1n`(;&}(fjEoCB#EGk?`i>lTmRX~97 zjeahf0V7Elu4#cjg%0XESKssv!}z}gYO6MxhEXw?cx&aw4YHKrS3P}!%5?*A{LxU1NyQr+-zAGP=ZN?>O#!vdooA|(I z<{k$O@TIoRjAUJNu-@VQzNAZLg_S$9-Zh0;=}!uoxF<1MjFzQ^h5xKfzK;gvHz}+6jfa4%S%vy$u8#~)8(i} zQ)tDp11*Mrn0wj|mpnSGFnTm0A$Y-g7lp55a|Kk*C2Ee4Xz*l0;z~(rhdlW!ww137 zcdaUgq@Ow7l>7-VgpuC&6JHEMr6GaJU=V5>l9_M{)fSE0lB7@u>T~c1fMAgWDWu+r zjqf?}q{_z+#)6qTKHiKC&;HtuaR{7B@ZZ{y>+JJiAM)&dP7}n7$4h>*#{=S&KW^*P zE|ez2j{Do3QM6)hQX7mxRx5w+bW@k|c}V`QDx1KOJZ5_1ts_@l+H_yaI%wueL_1=< zY(Z@RdI8K>U}w2dry~7UEJTzH2ti_$m9T&+M_O7MfXj54G~U2~Ti-z5?~ODRjd=;D za8>{XXSTc|v?$C39tHX<8vehS(O)6vV;&TXzBeY)rc7jmXD^7KVoeNG_{HGk3*rSk zWoZl%0BZzXo7h+YywUMG?Ez~BDU_Fi$}JFp0d1b1CEV`ZC$mM0ngFxpa>_jl{Ks2*z%EjdaD$+0>^)I6(EU!yeRM^S?oab5V9HM$kSAm19-|;OkIq7l zV*B(reh_af&h1Ph@~eGiov`JPl$FGhpz_8%VPvU4zHQ)x4MoNVcmUNy zkBz<6{w=(=df%SMxnn$kL%&+WbWM9K`(>49YJ6|Q2$}JEP$?1O=clNYw9Dc$gwn+d zw)K^VUO)EoMpc*=h+Frv8qJube4U&u^Ij{meZp1zWGI?7MX|QBm)TEvtIsB0ZP``~ zjpH`O+4a*+BQt*HF8%Y~y|u#;dydC2_f+uIf?p;S4%`y+$4&bK%niB{WSWk8aT?86 z^>&RJU47-bVg;`YVIedZBj|*^8?D#9-_<8GY3KrL`ElGR^t%nf-ht(WhU{0@u(T=_ zR=dHbN8U3l_QrcK!DWKw29_A0G3NDcaM$t#C>Iu5deUP&<_chBjgC|c5*ZcK41l>5 z;CsMR>a+?$3JOsuei)LIP%m(s+Zm&>pJDjn%eTsKoOaW-Fg_mg!8JCAg1C{7<4NI$g^YxxI_HUI#s*h^cAr z>hWxyepppiRk(Q83e51%Ipw?WUkI?#g2CfXz(orQ)^;63+^=ar#@?X9Td#{>GBm?u^LmX!KE*Jtf&Zh_?j*m~xst`9jnL!=m=^tcI_c^%lFzgD#pG_nB z78%aT;QdtiP!XYAA3ip?`EI@r#jpAYp4-N$iDq}p4|n%F?v;lRprGcf+T>VjW@Y1b zMR-e&BKz8F&-;sROIP=*OYS#8(_m4t2+Yl#wTm2|c%9F>UhgI{J*|1R zm9`x&Jk^pPW37!eTt2VNJ)F>JqSLzaMyA*V4J*XJBcn3ptDZW*<<2JLbq8L3O zE&*nWh>4sAMAFTZzg++`WiJ|l{uNzXL1A=slo)^|!*D;Ss!;|2EHV-%70r)M`;-oS z&1Sb#;A>4!=+F=A`g;OanlC`z58dJho;KPOG{G69#YhtAhioEsv%MzJi2h>TaPl3t z-4OIRDQBVgXI!PxLSZ;=F~?XF3`?!z^Tg9!ekoX_eJdV6DPxbUV#rwGAVeQu$0ykS zU2u&yT(7kDk|djE{2|sIAmlB%h0ZmsU7E@nsyS|Mqo{_&j#4j>Elsxtg*?%Xih=;K zkDaNd@gtdK`hsKmtuR};F15~ufUA}9wrKhilVVeB11t5m&twu)zOKVuhV|sN{9O2 zMA6^4PjP;n3MO;mlzb(;wMEZ5GVlSa{kzw>l}HtJHl%&%mA}}1=dt{kbQOJQzakkM zN7rCe8@q<`IqeuaODwc|6Ft#MFvD=+P>U?$KkfjE zt;&_SmRHI$vYz{y)dG8Dkd(zPR?pA*v?7pp?CEVUVg~uQdTn$?8fL#}YZxu%LPcnB z;MiCe^V{~i6{J)|K`po?zk8yK7P>t*DPeJBm1D|+T_19D$W5zazcw-a|7!tuJY1%F zJShm?2N}F^2LR<+8Cv#4S-=-X@3Bp)mmtF^n+0okiweyP#+V5p3KSyo13Vrx6B9s& zrKE2bB2oPOxoGr5{jzP|WMZ+Tye_EK|Hyo)+cVzXNJvTjQPa?&L=>R_Y>?gIVZciU zLdq()Q^TTZkDj+0V4RtP4Z@F13Kud!4Jjztn}V4{d@wUQx7+cMW({Y}sFX&xA;iwW z!Xw+y}f5?=SExIVuxU7?Z`A;b$ zZL*G^pQ4Q(PJ#&PQsdcqJk3s?;8tW&5d0o6E}O~D!}Lt@wCbndj?=G{v^u&CgcVh( z6aQFYDXN{L+~f-E3U?sM{ez|3zv@j;Gj*=TF=^=nu58ANns98&MAwZ^B~gS$n@+VScQ z4<9Q<)Xa4i-(3Y%f5p1%NjrH&*=G;oDNYgfLuaWm(Fsm^3lpimJ#$+CiWuUXi8E?F zdt5JgV_ zwL>G|`WYSlCR`lAGC6?7Fq3lP{FjsXuBpWQO1)f*@-02TA(*2}bN z{@@Y~m(>^`Z(lU`tMttc4Yz^Vx^q=#uSN2K{&y;0$#vN|e(~@~o&P3sIwx3avU+=a zySw0>$oC#YTt2t*Spc7PEfWy`icS{rV$|N70GfONgal~Vkjw3GMiCnK{cCM$?{d125S3%8(E5?S^7zv{1MkomM`^pw3 zpV99z%afttI7#k0S7wXfzyllsA~d#Qia`ET_0v)82s7KUPyWp^zN5(d!(XW#Lb4ky z-}wr!B!giFiZo1*({wL7%Fa26B33RF^SE>EanP%uW?j7GU3_u`G6}7JBI}5xZR97# zqJ`#WA>Z!QJyB!3<)x-p-gm6OwjF`;Yh$omm?R0NINQw(QmCsQs^{Ua?o8gfccn z%O@jVHmi4(`TxHT}WFv|^e~4m!3)bwdo6$1cpq2fCbWiiJ1hd-n-E12Gem4p9 z|9^B|(4b7`bv?S+n*`SM`%mA89me#t<(!aFgM0%XSN^i1_kC!e}d&e0BG0liakjs@;5VRu7WWoB52^g?J&dMC%D2 z5eKm~PbD?>$=|bB3FjB@`gf=JfWiyt-|n`PO>GhX6~-^QJY^`AR-Mb1m0BmASuEE! z-lUpwBQ%C@37ELHq!?_yp;rrsjzfa-W4;ce^FBk_U=4b4(z@={+v03OVv%tOFaF#o zZOYP{y-{4p+`tQ=p;+z|bXWRhUwHCwHe5xZqzEnF^|k9h9D!2cC)kI)obX?Q1f63t0&2$SUZXTtZK>Y4U9p5$v#LwJVVa6G>l`qtlDY;u(d)R&! za5WK37GK-jlG8g5_44Gp8<~ld6lMSN-GmI)u^40o5D9qQfZ=ht+{6iaiDmilL4_Da z0qAVJKxD$-FE_w(l>|W7B#22a*=ijv*DIc&MudwB4|ySyi$@T=kOsR^lAXeZNXkKB z4OBG+n3-QgN*nhJK^ewwzLF9h(aD}dP(424t%|gX*34um+9D~b@c3R9c~Wj{T%4}M zAIkgdu8$FrL%tIjFV-WcSC(-2xcGx@rcVp=!w_A1tb|f*P-c=ePg(*Z zoNl|k$^jDBaA&HX`JKL1=o6Pn{@~CScjUv2H5ojVM0P~*g)utvmcZ>ad+Y1gOF?g& zD;qPH*1Nh?>TD14{aEjkR|X{l1Y&+@Y=208C5RZuLI>k@?KckK!2N)z!DDHW35R?^ z6npDnqGx4cdVnFoyUN$tfA%!rZqTcZ|5s|>wfh9dqDn&} zBQtdXsS7-0uHf1D0%HewVTUfO7s`Ap_zMDbS3#J9m0dlu;4(Eh;^X1*@$tLy=MDitGe#U)8KJd)jcnC~*st(h@G5njdca(q^hgC1PMcVGFcSm7bQO$-}x9fXca3NG;6uyRUr$_4%s5cDW1 z9Z5z9BsC}#-(NA7y;lJoRvhFzq4_YC;p~h9f~_Gpi+Hu-#tviD*OC~QT`TAl6qo%K zr0X z$S^hpYLG4#2@cW}`)uf7dp{&*X$>x|B+KRhgf_pDouer{j1DFV!90f0Wk@f|U!-GVqKIXYV2EXT z)C3^uk6a5^`7zPd4lTdsSqphS+#kx|?v<-K{VvM_-C{~s__JI#qC{f+Fh9Olt+$le z@>&9b8?s8;ULgk-h}eo?1T9@n+zn^gZggcSA1CWvPvEWEjW|HJQ}cc`kvm&u8m=!) zKisR>Q}EhjH*`|-#fLQ4_X;wM-UOpesESaAtFsTBUk9KER*LU!)jVaQ+A9K4fH-#Y z&LJ9qQ>E0TdBitg=Mpf?|?MLQPAKZ?5ohn~#OvLDG+1 zmBHlBH$c%Y$Yf)E@`rdSO)r`%E;|IjFhzmEViO8}2k*I|S8s)4)w8y!omP8(w9(Di zZ2|i-TI9|c2eLNa^U9atmyZ-P3dE~Mu(^T5Mc%*RBhy(Yp0Be|8sFSsHv33s3+oVb zy`?C-j+09h4?^$6(`(@Q-#zrD~FE&FtN z{|NpSv=H4rIb1=y2iOMh{bIjkPykRRT}CfD*5U^}W+~1Px7*f}YImZhkaVv0zeokQ zw9pVxK%XreXmmDzh={bz^VWSGkh>VzrnleN9QhWKLUmLu;y79>pX5SLq@_QBf(B`) z_}yV^l=g809n}F}u(`wgcC{ z2aSMhK84T2D3FZnNa@GRM2W`rP2ND#p6!1DrZ~Ug=P|zS#Bs_Ml^{Sw{{qcR&=wxl zTC1ZrPDk?UO}wh8pJHC(EOtZo=bI0XVcrOf$z%)F4MYJM{ge+|>lcom)f{A1xFLc2BPn_Bj52!(TGn28Y+k;Xum(tMe7@ zRaq$bt)#rPjfIU^Z7P7rHOAL%Ap;S0Nl$hq=?-fyKZsX;&I=AALR5md55h?DhPY?sR?f}HB;cy!{02|;zi*K1-uC@_&LD?3#og35q# zkUhkX??8O@=Y2RG>*6bkN0sALs#0D8Z!dco5@YuDvSUL+4cuHuFf>4$_Y(le$;pMU zkPRJNf*3WBs!3g8G#3e)t0y-bk)ACpAmvU*4><-4h^uv*-701e7-?w66jDLFf=An! zaiCK)dX5vwJ^)6PF|%kk@avYyDJXCz%I0lcs;Vu6>?$CBFwr_N|=Kkn0**|P&Y(otaCiSnY z%8H-69>vW|7UD?9u4k`PKor%NTuhzf4UnAp()b3}77h@n0?`D$;nkl|81d}hYoDXdUhn_%x&w8=6_5)Ag1=5d3w712nBM#2e>8acs zVIM%(P{F8pd0Oh-5OjOQ-3@U(8yuPC{fnR@Z2Vi6awH?G3D6S6fqawK_#FSvM+NIN z89?hAfJA9&XmD7KB`Y`fQy2z8224xaOPC2r)B|UKO~f|``sCQ8=prCk1PF{8D>rlM z>)n8z=q1z*5a?`ekH9aGQMkYCy1MNBCTc^fGv26aSpeuK^jS1Ne;%~gHdMIo4kl#A z9`BO@fsilqro(Auc?1#C+@Iy5F~8)+nP@7D8;U%g6+zFFTU}Ro1?0TE>@8b>?*cIc zs6GU5H-73Y*pGBevh4pmrfLg|3=ErUIP*Z!2p}Z&jlSj(33{_xjF6w z1REgD1N3%Zgk(GCz+nvXo7AS+UKue|gGe;+V}YATe}`C|+E0J! z-U9uHE!+R(0CnWi#gH%P6LxgJEh=uLv_-0|3he0u{j6F9uwq4ocyvA4Z_TmH^ACgI z*`UWN2ydC;|LgWAq=(n!lkEJf5-UI8R72z)+5J|3#10=h;o;b0^fTkq5Kk4ETt?jC zBhR~a1SoUA3z-7UfT~5GC%FF!3C^o%Q}`;roOK&ZoWcZPTqBVm$+%z%LO!R-xghG~ zd2SWHeB!Q$GK2po-NFBjfMF`!quna$9RNdABxKSApof7V8|$YYj=yF=WI`FDIt@#Y zW@z5@k05{hAHnBQvVf*>4ZU^dJkr;lC1yg>swpc7iIdUzY6z;!uc{jk+2o*bF=i2d z(*7|>C0ZuK21!$Z5&;M|fY}O?DgJ)ZjHXb+B18k%=L=6Nh-m~nF_7E2(iiW`hy`Yqqqlv~uW1!q#~5O4i;p-C z!S(GhdHaX&4g~#z7&eg97a^X7V1?jVonfMrt2GID&AbIlNTm>LoP8=J8 zfz}v5BRF#Cn~CAnCpe3!D5AgoUIZd!^DNx?x=mI}rcxwh>?MeiNe95%-P8K0Q=~-^ z?Fpz6zs??{3i>{QGAGD8s#L^%xzV`2qkn~ha8Xb@w^^#kfXJr=I<=pB$;b=>VMCqG zqBt$T4b*?*d{Qi$MIy^$0nC5kLC|Txq>x~V0ZaNO1Voqd07sXg;Ioq`PF%l>!V=xO z@KGsEt!0=wuhoVv^(trA$uHLlf=L%o6WB3k6)f)RLHZu71!|q4O6NAIvGmU}DgRET z34$hMzlr@zSn%kw)XMtDYTq&;3gf#pnk-m&X!A21dOzNP1u4&pp}JV<3N|)_o2uy) zoA-DS-1tV$mmxotKk4YSxSyL!?(eADvNxi}&O!FyoqSoO7ivbsD! zV}m@x;A?SPublOLl*#So==)!;l@&Zb^NZ62?VXF~m4{1e$7-I*F`U#}OZIV9lYN|` z)h)WTIJ4_`a1cd{bZet$1{laxb^fBIk$o(*Uz9`_$`J0mqd9)nIvNvaW#T&0(bKL# zi)qGzxWWXH4!^N^vF(chLUs5Un`z)n!N`c}*;aKt(0OHG^I3-hhup8@`&a|zHkJ{! z0i^w!$YNcB9gRHATjdBhk?_1B2Z5~4cfX-J{_1C5m!@0@YSr_EWub)1kAyo#Lya7)4~PFld3YvCV%B3qahwGC%fk=p9IY?wg2m z{-QSd`ag|Bg^>iv2yE4)I%Rrcg}`?y?Yxl&k+v_&n?+8t0I=F<^YsN0h9L6D=ZfS# zSR;n#9S+(f+{!;?8jLui$QJ}l$AyEXYy_mzx_R<@*}m0zz!X`$TXP>XKYGLM#)1>3 zMhX)&q`QC9QTal9bD7b9N1Y?q6c_4uvlP*4-`y1Dp8H6a{Ag?b)mmrJJbjXGE93F? zPNO`*VutBf+9-ch(FS*cp_VhCW#7wanC|UK2I?j9)E)UrI5c&)s8v`6@uU%_7vzzb zm7M$5w@^-YLj}8N^irkn-7Ib;GC5LHyPZXF)81XUU6MqMV?`DiOHUaaOxfUVA z<{t$^l#cToeN9&d|E~7Lz>TBL?xW;mohs&~wsvET_vl}=8U*$X^BTVQlM8n*F*m@5 zgJ+<`!M=7jn0bneQ5RkP|iAk&ibLxCz?D{*5!f8RiN>--*P8$);RstB)HHwEpLL%XWFzn0&~str19PIn_={p88|3|ha8xQX zk8LI3F#}Rcu68*7k$4F!gQ2pgM($9+3*v%fC z<;++Jswjhs3mjJHaeo%N#^Z3HAQ)Nx+`VM+5QrRxO%rvR)y};!4j%c!^`(7$q6#~W zT{Ijju1hQ1u=*ux2@^U9YCroPCbDn{=v|<<`&q+8jx&{E#YtMk zk(N~X!$QUo-?DV3%Kh5Y`p&dUd*UKM_NyDgx-`74t)z#B49X~4QFw`9c7`w_kdjP4 zW@8h$MPBjUIhmQCu8g%&8^8YZ9=d({(fadjuHd1v z5+&E)9-9+THxdbv0{xvu@&c?OzQ+2<>2}h`S!^})A4o;n=Z5>k?5ACFl|cae*!c!y zE+4UrpbsedK!_5g-LmE-FL=>q>FWLw;WZHhEvGgri1NKXxNXOLn;Lw85+{zP#PWEFRtO7u_lvQpLfTkjJ z*t4!bTG`qPT(%pB3)E%q6;OtEc_fe{m!QzW!`@;0h-55Lx3$%5^}LmXIhTv#qCFqP z94Y7bw)X%vEM@$*O+mFp^%a{PI6vUT7^jR2`Sy>w?DDhw)LgOV;X^ULk#VH7?{ zr^&SA5hOzx7*Kq@N%#!>T3Ey&5ZHE7#DE%!*0VF5c~rN-jNLBmTz(F!VFp9U+*T~r zaAAlH+wh1T50>|O^o4|Y9?-4={*pZ2<)dIX*nG@11>$7LGJ6KZ4)EFtqP&Nm7)6XE^90ZZaqA=C} zegtt}g}VNg3v=Otm@Gbkc3Ud?*Ud|VLvSQv&rETX?u`#Ttc4p?dJ9Ex0T zPcBPNeT=ShXvc__%PvK1Rq&>)Hw8#E$yV!axQQN8WiwhVVp(>!mQU6i<}m3>T{Cy+5>`4mWd~fqqW-bj9MfTbkB58`-Gp?i)9>)}ja<-gaAzFDjyo+W0Dl zg_+~l$?Zm(8n{i3Q?~0$A2k<0;j64Cc?^{~O=s-ZA!M0dvosxgsfc?1JLny)L)cl> z`XZ)x@YmF2Ut7UBYl3{4L_hy^!K6UhsuS1Mv=09WJzGgxgj}+Q-Xcv%3y=IJBQH(} z-9_o&k*geW0`X*eqhCSXdaYz1x;k4bGH$Qa-BIBm+8dbcG@C5c8FR|rEPbM6ydImj zfrBb9>6SN$dxH+CyE@5qE9H0#Ul5%&lYi?FWnQX#iDu45)k{#4e)5;nDrj_9xM&%@)JokFGn} z5TT%0PY>(Hj)A=c88nVRMQEb7MEfax-B1v93_(7+%OS7H+@yNWVnb1kKzr|E;FE+} zt6X_k6-XRy*63ai1Nld$5zRCMr{=3FQ}xA{DB0y$a&`hHDzdH)bl2u&=ZLKi=Vo+| zgrKkjwfXzsJ11a5JaTYt3HCLWh#ozByBR=RYP|R5hEWnTh2SI^d7VXv*$s%Cy95`* zhehl=-M|1KctK~5w@vKufYrf+>+tCkds8jz?_F0yTlJNdH*Pj1&yU0Y+6cabkk6%A zm)4IuYX2HyTV*`8fHCP|oE(#LmEcEf6Xln!#0V?tLkJ7QDBIz`7}m1tQaYa6ysbC` z+7Gh`L@CFQ=AMHWfh)J3UE-M7YW;AO+fruS&o!mD8E`9+wRK?a*JQ5OZNAIZ_~qug z&h>a)N$r}b-S?hvdkE-$6aQ>JvLZ>j1q;D8i~p2xpHcte&|+v;lf&$>IK5bO*kXA2 zQA5W&f4Zjp`pUziLWk}hy?Ll~1qm}83aKA5X^4M7Gu1grv`=X{CZ!)K0`~wIB@)ION># zm>t{)%?vv*71ul(n;qk}-F3GYCv~46gG5^!2y?(9TZw;*8dq! zqV&K4g4?*K-kz;j=H(H-cAIt@rqXWN$_4gZATi^`C)9u)2q2&#K%Nrb#S~2TAM+88 z(?I+=KV_olJ<&KP-J~;})ypk)%l(3DZtUy% zz#g?3@Fu5S6DdWvCUTe6+H;$hfkzp~eH1y!7_M};TBBuViM~0ry?xwT%?X}Kz|Yq2 zRAG6aIxkCr;?(U`;qv@abQg>qw57Z zgOf+;+aZX}t3?6Ej1-gZTXF7N-+nRmHE#NPKP|=U?Vf!KG?|`}{2JTPGgTwO^nn?X zKpZ1Lnet7@%#1onfnF7c`kkGf-Pm|{Shsq#yZeG5X60?p4tn_m4*?jtzI=u0nHd34 z0EU!<`r%X@(J|$3>Tey)GNoF^0P`o~E{XdE*80u0PkQBDVuTRO=~`uqb5%<4NUz;fdM!#- z|C*p|gNBZ^ShoBoBFk?L7sq7Z)UD5odx*a8WmuP@2w7Pvu_){)f8Ol3~&!e~6!8?&GQC?!E8c$lE{1$8@qB znNGJV_m+De<%8bckR+zasOs<8^ zfKsc^k}zMPQ#!-}3!W%cliydwbj#wE7bgEtb65Tk)&BpFCB~A*wZ_O;vJU7*mn)G4aVO0-Tf=R^UKWR{g`tebKd97 z`@GKUxeeMnIccq9nxs2a5;t`!MhD&%^pm9=PH~b@fc;dbxo3Pe$mz9pj+WW5@Zjl`K(_Vu@@+Hd{UUmE{8DzsC6&{qkp>pBSQFZs z!fdE&n4vdg;KC+jS7D>nk(Y{EIp=`NP3W|#Si@dA28(9mpNKc_IIA#>$b!nhJ6T8{ z)k`x_y+}BYUNU8QL#p^|lXn+y_LpW(dM^w^AKjaB*_Sh))HP-KsWyLM#F;Dpu8OVz1QZ{UtR(9B3H`tz;G?DW(>Y)z{0L=e|C{r zRigPQUnVzB=~DrBGi0#Q#qzJu+OF-aw^U2fw12oYy(N82yYGgHsLYvYS~wo(zc+eV zpn0)y|H~43fJJuaZSp>O=KApp>&1}lC+S#rRkxC!igjOMzdBaPKe#<7N)kPfzh+sZ zUpG;EvOYJuAwAak4oj<>I}(^|o(ZQ;65J@x&dbHSrj{EtVJ&U+#Lsx|`aV>+C=29G zaX8EqfZDm%z-{G{5X%Fv!oYj)K*y0Leae3(y14T}Llq70*;3)YQQngZu7gaDGq?CM z-RsKk+QBnk-RcfbAWW|MQzap!_~7&}G3+}NC00~F+BK#hGv|)sxMI%)Ew{z-i_-MI=hZl-zGabH{l2+6WyHqZK>C{?H??= zG-zi*(M#0reg#LucfsK)4K6%S-KS2`ZE<2pXdG8Xwm?K{p+cCyvr4YAOMQZsOe5ZI zCCv~*#=;&VVWX$gybh_SdQo;%Ht1__Z%3p`8_F6y?UF(7Z0sIzC+A}V_bPGI+rF-c zP1CaaX@weBkH>c3<@{>g*t?}Q(ic*_Kb+Ip&m0@e%?e#qXlul+FDE}<$1bfo+|t&5 z6i=ibBv!UZWvoLGz7q9UV(FvMVn#0pC3&48++|OA+HItT7^{46yltYn^V5H1CLho1 zZqJ9GG$TcAAuH8F4qej~qLyY0vXJtY1f$E02|s95eB*~H2|J44G|<@U`trG2bD$*| zt!SZ1FW{AK_`gDifICAEdkR7bhr{~8b>f&ik-Uo7J@ls4)dh#z#U2GU-AM15Q-^R& zNllNOGTo!)r~j1e98`pnxpeZE8R!F8mE_??kkvf?lqx|RJ;koKID|JTe&K-n)c^62 zIU)a1K@`>5yBSra|G^{er-Abt*)!Liv z(g|1jbcFT(=`!j*jbpdevwrD%(+zziY-VX~;|}GR;;T!Qk*{~k3m?xz7$7Y!SJvc> z)!ay>P4Q`S33N-V6R@HUwen1iM#|=TJsA&pR3wtK7|pDBQ>49jTC#P87<^t|#(FzU zFCf}zn4odo@vD;L(D3xL6?^SoZ`DR&><^A>r`+ZH9PMsLVjVVKk9;2$%=#R1!#D89 zux;vik>-xM=`S7CRqvwX>bI_qv#3CH5BC|n2z1ff zT3UZQK2E3C7eQI41M;XP;kB7%R2V=e4-OnO#9w6mYB48=#E&05z|PYV+QcK4nMM!Z zKlkMWgyHUK{prAQZle0@)d}qNXiqP>L_tHH*M*IYdL%eYsXX5RY`k z#D#aA<8^QZF8@9=J`Dqf!(qQpZD<_~59;IH)w{@i!#ir;2OL{fmo1g|16uC3R49+X z_p8evx>%Y{Vp*aJ@Yj+fZf3aj+XqE4>c9Wzm+DM zY7S6;GJw%10!JeV+M%Y!$=&*UFZK^I9B(lXNz#s(H^$iw^4;RBR=5c|gQS3kbIi2mDa?+1au^?9MflVMYb+Tu9(WXcwY;LmK=$Rq%^B$-E zv0mBxhOv-rXFox!+8mg*kp!0g>D$eVs~W&^Y8JMp#W_VaL`Y@YdW`fb`^i=9m{4lC zM9iMh%}jNyMP<&bBp@KU(vPr+UVjeuHLQ9$r%jH(3;ISR!6D>T$FA_1*bX#+gBM88 zKJMwzgFOa<8eWX>B#qP0i8?vw_EMxn%d_f_YQL zOF(sATdNLQu~mY^fYQ=+a+QgG=*^+z>9@|c^ad*ym=69oL(A0R(NTB2wIln&lrgOl zmtUVNX@65NB%*r1b=CGB&Ur)bFTL_@{@0)HXb3Kn|1o)veRfXrASvpzWRIMMYm-u# z%v2Kne9k%|z-VetW_3|D<0U-G2cgDRx!1T_BH38#&AhG)VIc$h^H|_-n zx`!?D03^ImmzG2|zNNV5$Ox5R^L2G~MZz@#my(dM7xlTu?!Go|Zf>@=)Dou=)cII1 zEqMJ8nH07jc_sgP->eHiqTxoSfK>pDRHnhff*w5Gzo1m_)!t}85B^L71OulUKgY4d z)G1lDM`G@c_f?4jKp-*Hmmju}YLce?hFHZu(ZwPHCgQgRf(BxJV|I|&mTKP8#bTXb7oD6}V02+eo z9rNeCKtuqb1az+PD>!s4@yN)^vWWNt-wa?VxEs4Q8;=@PvA5sV!~@vH@&;$WC+GUF z;&maAeDF=uLc$jT%}@ z5s~A+w2qa|&HHS%sC_S@hI*q{ekh~rfK5mamMwNU@r9n=GrY$ zlWe~?dx3E&Kam4cDOp+S(TR|dkgl%oeS{J}dr18xrdAulk<)ieZC>Cn@YNpzDhicP zdVg!}Z#$WT@D4Dd_D*m}?DwZv>d8xha0ZJUxc%W1yFqh>zFoA0sP(5ghT#fj)lLr) z{;>v!iF#FuDz^N8_eH_Wl`!gF0_7c*%bwI3-1)~{(tf=^3&c3=INId2aX<=>nkX- z(3*I=5`>|}7#P3@h}>XSVYyG^Y)WsB6({C1FpB^KRH+2fu6tvfzqb(C`CyvXPK{W> z_d5bV4X~&JcTMxQ-*XAeElX7D2ypS~;O`bK;W?i?pJY6bK6m!_`Oc9bt%*PYwlA^- zVd4|E|0TI7rA=HEgABmM?(gq!O#E-mG8?SO(0AU~-GX#?HypZ=4yC)hyQE9Hq`T{G{Jr{B`>hL%-n@yjkQ5PA za?v?Thu6Z~ed(WSy;*U8ZgQ@5R4#U`F|(}guA6#kqZt98fFMH5kWUZ|Mi8y% zr)c?Hw=gFzm(!t|l~q|ZDS{sYyPTz1VmyWi#w<-U-X8DE{8V73I$31O9G`duwFbo2zr2Y485jv<&IobrV zT=XGZFz(>^czJQL`M_2;`$0~v9#}y~M+PkPdb`bD}EBAF5kBiJa2DrU0q#%{`Q(0R=%izFTl9NY>TdRl4{+iUT3jTXSo!F zO0rUKz1r0!^uOP*vx(W?-{-R52`A#gxnN^sYkzru@PkEG!?FEN&9PuNOdo4koFv=D zY+l>wTh97AheVGYS`-`{&XakPhJE38n^F8?;dtwto7E0`3Vh=eH0R6Ct3QAK%7q?pLX09kePPmn7^osd1M@#i5QjD#a z$IU0#`!mJvH^+=Er%(#>NMkbS&C5DkTAy7`^}M}bHv6MUxE=ofoyeu6q_kkmk)FWc zzuBE5n)uP`!5wW~#uW3q*e0Q4)Di22s-M6U=z5&>)~|X!3{qvnz{4xT5B~K17YjB7CywZcR=^8ex19CK z@;^~vA*CnitI^{;mX?*tNJt|Fc}7k_FL*MSMbn zbjD{cW@d%rnRChG|KhPBBB@D2T6*;MY;)E9q;-2Z=|VE!S0nwiD>EzWbbo)ocoZ>0 z@%+&Exb;9Z*_WTOx_gIf6)$(YnN!0_gGSxKsH-*KG20(k^Kx%m6ZpSR9TOWH%jbCyObzbL%#6q6_pCm**0!P|q!lKMd8R-ibTqV6 zAO9j&aa1mfa;wp8;j&l@^5L?p+sKQbX9;Y>2$woqHd zP=>C`Sc&zU3Tst6)ewFZjs~jvNIz03)zF2R&kw3mD>4L5gHy!V_~)0OUE3U0B`S28ZZc>H0Yd9P-)-QA-84zu94~u6 z9B}|opZD|U)yb+iuwJ+npf&z2kW(`+2$Tba-N51 z-@ol;@1nfn(sl4bX8(|yL30)FljnLp|5IWOBTsIc6jx^G>#Co?lYJ0G8_S+MSSMso zd6$$#j~sg22WDV!{FW|j4UZHrK@oEESaq}BdSmK#bIfbACg62PucWLTLCkxfpsM3r zs}&vMbK!uVb{<16?)3t!f#=Qg>3VlMFD8)84@ij~A1}to&M2c7&NlmHQ<#nC%Cr$K zHv1yF`(dRyEEiehPrFh1-w}UKMycjakE4?Hdb*lBrH#LPIBC!S^$R3VfuY|{;(0m2 zbJ8+ZZ>?)os?++T^aQ54BXVavv)y)6ELq*u)Ko@h?0kE;KawalJv{2mW)E5AkFY7PUBSY*_5 zg>Zi8MQo2_1f5g*-^r`Z6YnQ`o%6^&I(BKz#3}}<=IdzF#j1#j>LjPX)5d>KY;~^1iOc zGqg#=%Cy*i%sBdFx7R_n6}|QX;Ej)P{%>O^vW0_z6nP=){WTg4hcNek7)8a!mHOp6trZ99JkDK8 z&(9CmJIf=Yzun~M@-{pC{rtew`yH;0A!WAvlkqYnj;U1?TNNc!R;`S2O&fHLpiz9MNEjxigSHWU6Hsxi(r@ZUe*zl**bdvtC z{hNWI_D3fKjC}fqQ`>Pq``N>QbWUf7$k%ib@`4k>2#N`5t;ZDeD^@W{e$$X=5!2-p zvet!{O?2>2yfm$1DTlHTHv211JgLY13820%I^qLD;AaO7f^m0cOU?rLD@ zT?gRc7(hZm@X^SoIhEhM07qXq#C#v-aNM7~%8laxaJhU##N&LG$#i5Yh%&hj0^)AE z@^*BDj$kPhFYcLd3(f7foA6O|)NLxkB;)p6ZU()CiWGD6gdGd4Cckxl2W^?rF~ zY`XVShLHAM3`>)i0jJ&p%eRq^&tpA6eq43kO&{lbu(&;42j)p2N2Bz4 zzqp+5@l+Tg*suYCBOWHEO}p7i?Jdeou_|N9A$2(P5nS-!rF!d!>my(&^Eursd)Ul; z05(~6_`K!JnVy~o;G|yr*92gbL=)iS4>2}3An-&{$!3U90^d3U(yd_ie4&W4_sf%W z2yULq72K$u0xW_mw=uzeckSPhV*`1mnn6P98Z zE+Udyvqcw1{6~B|4B~5k&D{D+q+V+_0|f12sb>Aw))ug*JN@Ck0aOJ5-Q}5{=cflU z7*p{y_67ul&+WFDz{z_co6NMnV3H{XRtMVd?jLBz>WcM?UK@tlNT4&q!!YghErQ>k#?(I%* zNSqEI7mLeBb*iUm=ysD|53pP7w_E~hzTBiBVcaa(vPwMN!~AB1wxyWAhmG(S!gcs< zkDsEjoF2p|Fh1c5-i0WZAj7ze*<$jL8z`I!JtbME8ed_ihX0nWS4bIHh0)h~}1sMjv{=3Hpg>qtN; zBFLkc?)7xvce+HyqF4&BphLh4$clMG-*kRlfbQ27r;5ht(IgdXz=) zvyEORDhbqK%g(z71n6A?kl!yLxJmfzg@fMtssgYYL*^RT5gG1zr(6xBxS{E(@!B)g ztn7WGnhUKanT><)ij!C*-jh6>d}Q@aX9dINzh#`!v6#v9MU$+SJ##-Y&exdi6j@5u zli;0R-LyY$S8HlGwcP58Rm1{?%2_6KC0yd0dVxz{%!bHpr9!0;<1xKa0YbqLTWqWV zuGwARf_=A#pyg40Fcfgc=E0L;gEyMEI?5IXu;*f`OG9p&5Po>|grJA~2&syRi9x7u zlm_C9@Ux4}p9b4#j9cH#OpnU%_6?FED!G!&E?(tG=r7FQr!k~IrTPtrS#|~v=-&zmTL98{0Z@IikRLFXdi6JbxE+KU8&8%Y0A&LpYkX&&P}l2@l3;sC z0S_n(Iy*Z#3FG}me=6JoaF73PD-InU-2!%ct9DLDv(b)H)8Z|DzHspSu~h^Z8+1a| z-Ldp2BAy^w)cDBd^)5*fdjQRetE;QuwseV->f9!82*_1(thg91)mfGVAa6Ws=NTrI zogvTB97QZuBg1)dIQ&NCw;l&;xl2p~NTK5Ug)xrRnwglZ;SZ_yf&5HVyC#Hp-vVT9 zPTHW^iB&_*8)dK>YbW^KhQycM=vSOB^Nw|!#QuX|r-6rrlK|Q!!zmGlnt(6!q3$Mj z=`@qW3_zXrT@OHn-#|d#C{cwD><~pekJ)a45;qzj8*}O-#|mVtB-?<60!ejJvK}D& zR*^n)2Mg7Kb@oA~^Z{a8g%9`lIk4lLzc3Q`JZ?|N`ClFZ!0>W^P;M&7x7pHZ3)HW* z=5xnO*6mL~(TkSwI&TZrCM=R7U?`UTH;%7x_5SMMW=_|;G9)rlz1@qKqR@J^ZQcgR zw7Q;G*aXs0bV7MRHB4O(4PRgcltXe*vxh6KJQUC-KgP|WOz=q%l%UPnOn+wq@a+k> zyLIbTq9UW-w*t7LFgrPu#J?20yie)QD}tJ5!;z?HS|~p|MNjwkR@?dCqhS99&eiw! zQ@^Bd}^@llOychI$IV2hGqvG(N+_xbkP3Agjn^Ho%P z*}NmDI!Ax|ctrO8()^|~Sl8o1`$cf|`tOwU&QK{89l;tXmF1joZ;Ib#GVPC<=@;RR z`)O1j2c)p{6df}z4L#9Ho214AXUD(uu10dxZ)?~8kgE;;gUo2AXkTpJzB`3|Phb;d z=;0_Vj)tyBaXVR7RAfd5de>tfAYbBxfo5BQ*tUy)f^Lq4jEt@<4^;(ho*`!)rCjQS zFM-9LTBB74=wIaCYkr`NkB?8Yb;gb2XhNWfM5+1u^{YeO#Dc)l)6)~WAi7&Rku+`( z5cW{-R__<-=;+K(R$2$7rKNj6S4-4j>}WrH*NdUX zp{!uD{dE^UB|vV-s0MH48-*~`2_IsdZ9}-%=J_Buwnyt9B_$>nWIm`y0!c|pG5zY{ zboPCz+60vc%>zkYIfZo7aQ9N{5bGeT?v}JF{$k5RYfCN0QC#M1lIT0)fz#-hMLxRk zn&+QfHDVY_8@!^vCe?7z>1)$Ynw0P8IM;pBc5Ingiqv5=;#vihRR z_{V`sS?Pz4fnjf##PwitV*amkF6z(8CJrmBT$>^Q@fC36&uHmUytzc6_e=D)UX7mq z=8rZOf>;R*46}t_dx<-A4AJT-J>+M#4h~$-n|FOFe$o}Vb<9pf2I87)j$l8h(6BH! zAms`R3v1V|5oR5|=HHuDZ|}iaN)HU%?_4Cfwk?c3iG`b1C3-_e4v)mrzS|X>H>S+A zw+`UqqBG7L85S$L5}%SyN|Zl2ec_jJ+}C~8JF!vNvnJeL%R9Q>v{A41>INaTmRPCI zmzFV68=BQJ?PgzS_zXU`OTxVT{C0o{^@m4&p7X-WVc=xMJ@fll;%->{b>QAhSxIw3 zJO$%+f;TocUa|Y$RQ`qJZt#RDApnJfNxTO7yfBjRUaR_$7x3ZF^}|moQmZsjEyJQi zLqmMP@dHpnmqN`Pat}2%H5{uRQ+IOjY-#?ng|{bNeOYPlZ@#2%XoD317OK&H7eKNx zx@~Bz_@ltsoB(;^mC_LKA2VsSsSWmPZMmG30#2RvBu1E8jn|a$9*@aK_am4L-}7mu zrAZjSI!X57d}R9{cc~NP+!(T8!DqV>@L03j!%tFSsiK18t_)`z`e_OO-8c8zIoX1| znPXqgY=G(P;R0Ut9~rvwLhyek_ZfTPh+YEF2(U!|p3~1%^wO0jzii*DeBXZG7kzj;NRWj#X(5n|la1j5Ix*EukULix(e;-cq zE(uZoe`a_^2>cPIe*3grZ0xp1?%jS)cAYe3JwHGPUQs99;@U6IBtz0`hlst@b?5GDrkrMa%J}vBl80O~lNJ?@a`IF& zlQwx-JIL%R#x*`tC`}dKBt)*^q{?ennPf2GAxW0h^)kP_l*wfo93Z$O2F91`b zq%>XgeTv=c55U#lTD}tG*h%RSbQ z`~JvQ_lM0RV@_}Criih*%Kf`V_~zV-F> z-IRshlMqp{u{n*WQIu0om+80u`byS*XpA|thxPmE*F4XvYcmr=Mh@)ex=7Z*Wd(v8 z>eR36^$Q{gcc05Uzx_ppEu7=sNG7h?TjH2E@>ucyP;QT|WIT~0nw_2fRZx#$*GEzk z*l-)YkV-P$*VtH>j)v6WY=JC~K?S~FKWf%ld^osUbKLxl0Q^BjRByEVsZzW>3<6%f z1?;KtQQkg@1hJU*^&hgb5=M57 zWA+#$HcFTaf+vH(ex6bku>h-)*(|=LD-Fx-C!|D+t!q^rt8UuHtF}l<29Ujmv)d}j zLAxIHMbWxW5N)I>Uj3?vE~DmzkMf0gccEbikG)dNV>6C5ADi#*ID4xxw`2o{`E(UX zX{t%(mCRi2i|#Yz)Qh@$RCv5e;iCPcr_Wz{>28X_E*BS6MkWi2G3O?RSh8?ZswNyH zo8jaM9Ji2MC)F*inZ1KC{0sT<%sCuhqK}^JDrXKggd2`I6?c$xpT+6#GAk@G%<(TC zB^x#?G%q+6M^VMdnUQODnGuQbC-if3i?^R~J?aw?#deP4FCyOP`qpOI-qTNCYGh69 z-+5cX*xmtipaFzWHY95cn@&Z5ZEPJhA|xa%ys+`1lUr}}2fHg0UH$x{K)_+#UD99l z4UJ;n_DKzWZea-?@BMuOq|2*hCjVqrCGGMF&4|S6zRg;$8E3dJK_%c38utFU9(tFS{oA8ki96_w=zQayT|10^^hOIry{2>bel+Z+#}awgLrrV8uY zZ5uOOGxRq%SG}s?m`4ha!)0?jD$c2??Uw<>loZ6pZcIYg?UG?72FJ}9qvsAK8|mMR zN;mMggcONGV|k=u{Q~=3DHQ6shkdlZ1_rq;rQFN(olxTfV_BUy&U-fPZp5DwcjB$5 zDk{^aC;Y_h*@pkW10qME5D464%e0t|j*ipQ)A)F-O11D_dum8~`^$8pqU~po3EYU@ zSviw!?iCiK(GXb%tsaF{AEt2-Z{}75jn9GhEQt?&e8+k8K$sbNe#1=3pC1F*K$2Lb@(WCBwDU%W4&nuU16{%V zCW$E5AMoT`M@ zxoP>J?YB$AYO};Y_fphEe@8M~>FB!|SJ|yG|Jy2|vHaL%;>K#p^vu&Q4NV17LMtQ$ zVL%2FAOm(|zZH#R{6w;%!Ly5wSCs4BIg(Ui4EPCWTXLG8u~I9x$q_;OkgzQ|Rn!xbbiUU=k4RbHapwf8WJB?i5c$6(38!60aU zdAZ=x6Qu7>=!c+ZpW{J^Pk-_FCBKC#NvN{I%pwsknz=gehrP*s0u-Ek23bW0D@6Icil~1QG zSpLb>$|4-tB`=xwqh0Zfjl<(Nut$5*DYy5T4&|JRC$9O)yO<36jaBr}p_}CKh!%Mj z4URDL=&PCYF8qrRZmAVJYYBm}q60R`ru90=H5~9?(!dIOYfUA3?5H9GD;Z+IqK|2{ zyrLKpkXN>410Jp*DNE`o4g~gUD{e6e0_e1;2{jt6XT^ONU<2lqM6k9Sd$&)>*ECM~ zQWaHYWo#TAvsw*`jBZgsKR*x%1Tdh(Nyp$22>eX#4eXbD`rkW=$#c6Z{OAnr-;}H} z1JfW%GYe=ZCnzz`6-8)`4PbARp!-CDK^SotnFIpZ+(6a4FmWqdNydVsY5{xy^1m?> z3%J8b73U@0O~w789(8v93R3144bR8T5_B}x62tTp?zC2TR6m?T+^v_yL9cFp>v@I40kyzlX7@v9{1Vid`gvy zac{{wrnwa?f!YfUx<@tHUS`*6lC;}7OGTFbi$2lq%;ro}I>fBCO^&pxUBEe}M96rFY{|B3Izz+<>TxvE$FFNkW`h-0G7~IubVSFScW0T- zF5KocgV{7OZ2Us3WH0D8f%tT^`O_u|npV+3V}>_-64hik`|F|cKG`yZq3CZm`k+Jl zb~1s-(J-jEUOp?SJ>|9>Bl!#4J1e^8N%0y|?ec<(cUmeo5#=t|F<)#87mRA7=H=dT zEtNA%4l}F@a`uJ(p0=PXE`3X<_ro!7zl~`j%Q#RpG9&gGQag7adc#xH|CgQPmE98|tt??QWY*RMt zAf(J>PGP+p0EddQdNea*a_nP){l^}Cnu(3=3XsN50EQ3HT|7KJmo6>WjvEnZQ=+4p z^g4WiDg`S6sA@0kNaW92AOJx-@`LTb!p--xqJrr!!mK=P!f*7%0Xy0JS}ltFo=3Hs z$JV`~qF)n{gI)M|a8Ud^Q9E-wyHv+~9PPipANFRqEW&qhlThxEV;rgA!R7{Jj_lgk z4~K_9Zi0vFxIwm7h1)A~AG*kLI5%({dbqOe^8dI<`P}ZZrFmP#OlxgYiM{E5RFNFT z&JDErLE9f9p(a`%@Tl1@HM=|8fx)MlC)(@h6t7Om!LWZ6;kz_kMnoPUIY3MQlA7ni zr9(r@Mqc71J>smiIRf@GMZpbSntOy>8a3FwdW-R5X`Jv;GoQ;9$kn&d+&Jc=bwRpw zILm+Of?S9O%eRl!OK60cz7gOvIL*oDaP{su%Q&JV!0dO^T9jFzE^9bNkT|nQ5|c{634n_4zd zBh1HjLPiCv8fA7A`ell;Mh>O>qai;#@*DZ6dF|(S(+nEV5_yE*R8+dlacc9SC@*ye zXvj@i1}W#Fu-7-=rhcd`yi6pOym9?e|Enk?h146QFl&;nqSJXb+mTpCNUr4}G>#;g zdZ}50{g}RFFoL2Kt`*R5Xge;7mdI|s^5?a7&~E0t`C|{L*}bAPnR9RryCC=L!@Y%S zDxoMXu&ktH=OaJ~tINrCnAEcaQL>fm`EU(@QW3le2;^Y$C$f;)Qbe;2^msGEXXl}K znq544sEgCHv(U&$l|rSY5m7WIG&gj|+wDFv{m|_dCK>|9D(N9djerxgw##75wR-|V zhvsP)0n4Vv;5mfoU!|=qBKHd*6v#%E-7wG8Oo(g$kBq2ZB!rF-qbQMqa(v21eYTs! z@M4Gs&RkXpzv3;F{K&L0ch6$ro?F0-&IKDazxuRCW5wsGHy?g9=;jyIWVAy@92y4l zo<_k{$_6c;1U7bUVy;;(h{NL>S5`y$3%YewzJ1ssDffFvnU{XWv*CcNKfpN$mtQC)^lV=lW@3oF!8|5P zN_Z0>Ik%%^*u9p%T@NSudn|C~N|%ALg-c+gr5aie!EC!lyc_T|J@c<+Ksr8)0TQIk z>Du?HU!IR={eXTxb>P})jr_+39YzKw9ngM+K%XhrqsR0$WGQoZ1f3KYz4v02duaY^o5Oy-zsi6VGbv!08AaDY15A zqG{6_jSqaL>$xpjIvL&H>exno14`B1-^ez5 z+AxAQw7L@m(xc`0!wl@?(JZ)voZ@n}L>RuNPe)-wTA1WDOt`k!5GLFY6*UW@E1B6| zpdS#0=B+0_+NjjtfgRA}qWDwZ9t#xU^(AxZr znzz=xAR~ViM&G!;FjOT8jcvY$^cKBV*HuTCkyN zHUhOt+~(-FGH?~Cc9crQvf`N4R90tZSWG*QFaz(5XvcY6P^v!#uuJGIn-n)Gq!p1F z2x?k7OuwHlt2p_$&tGBN%GqTaA&;O+7INYk}Rs9ntLM#>!% z18kC!p>9gHcbjIq6YWhBPL(MHS=<_Um8s77T2H#4m~S5PknLk+am~sJ`%~bDX<4Ve z>*OH3$MFQ{2IH%ua^pZ1u#)jhDA|Mty?NOBU3^}MSy=G_&)A@UTBn^_Voukhty)>1&^i53?HfCH!P3%eaiG{&**6+|ZOR}>| z#>4}NzWy069FKj+8@tdWu->hO^!4lJeZVXmc1UfTEN#=6Y?_W72dGhmN#!qLzTdS# zsZBDgPQb1AfN0aeM6P)2lxQM@CLHcUt2;;gpZNkMTKIQ(Om3Hd!@_nTGb%kOxPm<* z2iXR%3-C)imD_Q@#%zYxB>sjo!xe)RNSz^R85fN=WgrXEvQ-Rf#6|faEtnHo-0#-!qD8n% z41!0f@u)<4?Bb_gILoi=&SJeFT%m6f+(T}nM22j7Jp?TMY&=^1+(8cILzi75ft%XJ zf3m16@By4M`3$|G}muYAl@AS|w$u z*3;}H;X+6$v?I66rkQ(=BWP=e8k0A->^Qa}pcE;M4x}-Y?H&2Z@}{DU<5$6N1Wig0 zy*_XmA!Pus-gaRytu<0S!t+>ql1iWtQC;z4QM*0Wak-u-S>n;6W{P?NakuS`$J)>+iQ* z>vDG(^k<((xM4R!c?;CDJ-odSl1ilizS`DW3?WqkT!Be|=}<&%J5B?eLkmW~5>VNJ zBx1Q#H+eSVWH8FA$F9uDfhg`qT_a;sK78E$U38wGIu%C#@aS+Gcz$vZpvoQ}IUtji4yR#r_qfOvgoBS|j4Wx~6zM59jwF)oX z(E5i>hZ$f6=mRW6qCdMC4lbJ(BZlSYZZXOzG_8E{1$!{DphmorGNhUL_Hc3#c6_n9 zi1Wh_Iv6zK{AXKG{;j6e2}%M8`R6hwb&7+4iJcNO{8fL`#sgt+DB}62T{Uc_Q0&{$ zp)Pp8h99fM^nuZp&HQ>Ic8Jq3N1?8SdL5BfOa7Emq65T;3C~S+x21zck@n|d=KI|W z!z7XM_B;{tpYdp)s6V|(crhH%t4EgwD}2WP*ezp?8cRPqO|bvti*pOb(Uj?^dZ;JS()4RlGI~~^=a7#y+@^nn6{6R;|gN*?c4dVj?b<(4BopSz|NA^E&9fYa`tVz z$Hz75io{+B?xx;t4&!?fx7smUy7~f#KL_(tX8YQ!kihf;2b`^;VFnG)*6KKtx3b0c zRp^Lsx_pa`c9;I3=X^2WhZHsXzE`VZW94*~|F)&`gg7kNWKQO&VzqL$0+UlEW-S`f zx0-Rm22{=}Mz$xD0$f8#$e0K|+PMN>Lm~=@hQy^S7{F8LEt+4|QY`&`RM=&~mJq6# zSVVTK#@oAhau<*d8&A)2=wTWS4$&82^Kipyz)1&dH(U9cQ4@)-|CY1x&0bNrEa}_t zC|YmAo?XA$D1a_zfev0PNj;#Op9q={tVSbL@=CzYe}@?l1s~Y7a2R>ddW6NGetdrI zY2k-a!AJLaiJH_l)`w4$2@h~;y@R#(C(9-TRn>!V4W|q5*X&I{O#5DKp!FCJ0$Wo& zl5lUO^&w9(4(*Hj(Dl(0|LvMTgJxZg3Z9uS0k}&nc`D;;8&UG`q%z*TyhSLsiD?!dzlW=yS}0{|V~cP<`#bds$t!F} zM`);t5+L$5(uZe6(I|saN%#PNYH1<~IvxqhD&TakJFv6q7M1%@qx1FaI|3Pq-V0DV zqkdq{%gbvlU*2>HguKCOvs&hE7-)3dB7}j34GanbREz~4U7IDbEoF87j8yLjm%;n$ zN8+J9JO(GNKlVh>*rS->gW~-k?oh9{j)6D;#@9%Py-DNg0{N94klx#2{dcTl|X?yW|oB z(PO;r82!OUM@{|L&rN*(9`KFgAO(7;zgSl+5IB6aikE~;5CFo;O1EfJNUuR*L4i+5 z&EC%zcQ90miaFpm1Lq?nA)zVWP1kku;=UEjt^9qKYNd14q)er=1$x7yK$`$KM*}s} z+^OmOOL6eDoV z#^8SnPUAFSDyjvn+-3_QC>21GTG?a;>?UfV~`bg8H;4EzKt)NJTd*C>PA zAC?caj4pJ4tsR(CeeU?EI1s_UuE95MUh#piw7j8E$GP3GssEREedot*Ks5VL47P+& zTixfRTI;x8_^0w+&0RGG@6%=4e;uEH zr%hm?b4lx5|6jk#Vxn7aVO?HcSzfqway@=ge!^0#yR)60 z-51Q{)dt(wO%)avMvrsykoDT>lMl*ZwLc?rrdU3sNKIU^ojc?2Ti99kTF6Vi1yn^9-Ugi;7td{}$UWH9Z1^X39Rh<|jXVVHxO9 zd3kvV4nyphpK2+q;jc^2XV+9=)L<;Dmw>;0RYB=9O zx9{9^DC9owzdH|?>_4Hr8F#y`z5&8Yk*?5icTNFpS77J z+r9D|!Jd}YCP6Tv;x7`#FS)3a``GxrcebZ5=4t^6^qeR}iG^ zOu&|JWKx#KZOF%{klz7BIp|(FN+eX=U$8z868}A{;dA}EqJEX<7tCR9aynW3H4j-)JIjGz@Lk6BFd_Wf zd86e;<+bb`9T{m^E+D7}h0g@VoN2o5@6$mc!_fc50m{EP&~Ca6PX|dLzI(TY`$GV! z2D%1M-OqJ?Bn+F*hRI{1G`L{;{6GEGG=P31uCZ<1LjL-5=PW`^GE?`C{I4VWWwD|! z00mXkrYU6$8})tTIgCII5xPF<6XF1v-8m)hMj(2t>BMux)9*S%d zJ*Oe3sDuriD^MXXiK2?Igsh3#A#~~J6reLw4TbWJ2Z}&b+GK<0v69P4N!?sH#Y4Hc zWXu+Cpp<>-lfL%flnDcIGLs7eP9!AT9RL@f$g1+=GprV~8rZ7;TF*e+DVb+!{_dyj~WE+_Xn{HY&T^a_raZ>g3p3i&u0!Km~+LJ$yTgOP9rurM7 z+74jZeR>Ds8wt2?-Tm8L#^k+DDiVPLl6Tkqy!h58vK9AlBb2R}m?drFP_Q$)3o5%- zVxdWK>1bh_VT(gYEL83Sp!5{#mHc+4gRjL1$M|S`wm)T(4Y&Jb^PIx}XsVg!dH6nf zoGLwRX7=>?E1S~C_At$CfVTBVuS&ys#+J2@R9?ZOUinzcHOxg8G7R%y;FfB^xG%JO z^T)l@q5hEu>~#acW-KcDYEckpv1Xs`;wUIPPdjk{9qoa|dF ztH)Gcv>IndH5=Y>@j!v-{wnvLc{$dtgT2pyBnOmEXnI15!znO_%0GxB{q=v@BD4?sU}kV$%wrHDEL z>TWxSFar$>?%cF@liY(txIuoJJ;Ym7UVo2?>ZDUby~xnho_AL)Iy~8vK^tb>X)I=l z%5aOb3EuCg^;hL11w3_|UKPQm;bY{)9D|$tFkz?jR(hKl^T!@rce>xEQLtQAKVYOx z2q)EvQf-^@7y!|cM7oM8-9Dx;vUhbBS9h0DY_o#CgwMuxeK~tl*tK@vuD=uo!y47c`{Ihb$!*d4j zpc;u;$~Uad5JH6H${E1Jos43!bNSpLpZcZz96K9D9Y>}g5*Lrp`@)EP1klWsFgF&o z!e~kGxSJpV-OdXFE1UX!-!IyPV4$w7JhNvFEuM~Uus{YhaB6Q2b1gdoo-{2DjiG%X zSH2nZ(-ugUd~94?HhS5Yw--J}S%VddobXbJ2nZn&5z2*16_^O(HPEI=O98$!dQ1Ru zu`T6{tCdS$^Jjzn{=2k%;Gh%0NC7fG9U!$TGusVI*JT$&tWdBvWAPi+MR$lV*yirT zpzD&zoRhjJ@W@+MbTQhR3FrQ=BSu_C?ljZf)@N@ZqZ&!_iSv5 zKHXzlInJZwIBKe2vpLrL(KbRa&2+vAG-8c2r*%Z$W)*JpN5#q+$mV5ul#gbvg4&+Y zWdr=$1?ca_U0J_m*pwhO4zs+gzYDEo+{&OX@vr?%l8=^{j0`Z7ql3+KB2DU(pA#<# z31_GI@M*jOKZKIoP(HhzY+x~@gZLN8tTqqrT)%uhHWkWEz!!i*!c5S}A_B6uH35~M z7%82TZf|MZ#@|+Kn(+^j?25>Ga!mt zrRTJz{;D`DBw+tlQe<&Y=a6YvXxPW5vcGWNgE|Q`#RbRPF56G~RS`L6SRwYd{_VF& zW!?S+YxjGgQDO8d2g?iR)wKjzK#hs|zF!3y{VkHVYKcMa1kd7AX^dlMF63EujZKMc z4)E3kT?-C;63Ui!&Y7uELx(DOmCesmH5{-KYp!LygiKxa`Nb<~MMLKMb-uVco-#OR zGis@Z4IE0>J4&@pu~t)PNi0^)2w+a}2>h8s#e6^pxY?UB=?+4%yvebw*M_l0`ou>@ zmTf*)2K4T2DH4(Pl&Mu3{LT_=b-NOJ^1k1rYSbFrZ47h=`{DQX^jsb-;f~J#luBx7 z;7mU*iF)q>Gu|9BXrxhP6q-vC;0(BT1UQ40Xans5hkuqGz=TD=1G=kSFLpk>gL}L> zJ3G6&5)CWv^qIAb3D0Tb5zYfBB(xVbq_Rfzc{i?m(f5VY4O-70m9wszZ++2l`$IY# zCYN)WHoBU06^{Ww2|oWBCIHBkwO~dWD%b2DHyiH|W(NAW=S7W6O9$jK{zI*kmp@Uj4atKwgRl`TL zU4$6t)So#dLlICisf)@^ek4a_wJG19fc=PIE$N!A@|d1|#@HJCaKKQAE_Qw!y`f)B zJhoNv=)MfGQ$UK!@yU@E2Jb#>0{*Fb7|BR8Gg}8BVYG3pyXNh!z$m#z2Ri_~eP{?l>tx>izR^+uihikvU0tv}1ZIDvuEjse|fWgl}v*bDJW}tp$UB zwU8`;h&lVBFfPjRX)O3zWJLj=$t+Ow1C0gbV&S(yn{5;!m!GwlmS5Z5PHJIcp@)G4Bbi{9!}V#%CkD>6kypS za(?)mO|i9YtV>6A5Kc|6V1s%cS&${F?2y5cnQ5fER&=a3sLmD`%I!?@p>j8J4ew(1 zg7bt*cJ@K3y=;J>7{6m;_Kmnu1QsWqNx;BubnXuktu#8vs<_&Z!R6`X2HjwU-5|)C zT9?AG)e~L6w`PiBU0RJzOfS`?>V3%b7n;rlUOzg}*=_nZlMjG_tD{tM@NFOHSlz@E zSMCp*K%J%&DuuRy#+^{kX`sqQ2cyT&U(V1*DTjnBi9Yig4eal}jg?9#UALBQd~+Ly zo2ROOcE?HiZpX;>LKSapVx}zz+H9)AvG*omD6;v|$wI|;&eU69;lYup2E9au7GZlM)O9D?VJ4`APiCEZgFk` z^0gmDD~~YBhmASXkYV&2EhB*W0s8%x^z#ATfxJl18F^q|4Cjo(wn$&Es&tEcr z6)NuA7^gYsli&`c@3V)RTOr1JG@p-vnL&*Uq8O3NNPVG+MyFsq>tu&q2!!4r5{})t z4r1rwVBfB#DdO=I#k^KZ1B0>xA*9g&;BI3Sxz|eD*u%4OqyOUN9pd0=#kLE|4Y&y& zRO9|7PHr^bPjg-PRg}V#&PlBQ3MBV8rQx#+6;O{@#1`@fod%cv~3sQp(Fkd}Tx zKuSeE1 zYz9GZ%v#=8Gill?&3%2N|nDCTLai7+OJJ z1VyVQMdT2R&GjK6>E}jxdo&MCtu=}Ac~=+wYtWFa%1cqHDb;qE1`eZ{O&4iia2}iH za=emOAVAiBDH+l*cR*;{x@*^Dy4Xt_GaCNjE&Hfu&FxUDUjZr_0R^6I)OoAh*pxR| z_Gj~(J2Gn&*eKRlgb)RfHAc3vy{(v=4tCX&+N~Mo7@VsFKTp& zn{kP4r-wS^`e8(0;{are+L4~q$C#Klwkk$|_Beu50JsO$XOKF>CglW>OI3P$dTA-H z+930m0kp;q3=Q?~acUfyL$AwR|G~WuxP}I5MVhOd1fg&lg@wOmWg(BYB?=1*o9b3* z_7SH{SH^~9nVFZI5O{L3QAWmOQ)QuF_V4tyhpZ$NALE@Qm*__nyv;nTfCUI|8&6AV zwY|VINmt2<2O*j}{V*Rd6hDA_HeWsYQwQrekshJMFEyPem=$Pei*?-^guMk{ol;Xy z<^9gz)~YHx-CUN)GL8k;pb$Y%LspEO00E2Eio6#KkE=znw9X)Tj{=juXG{6Z3&+cI z7adeFZg*){zW=N=P!^?^)rfxG2HQ(pN*vg?S zCJe>vvvjLNm+i*B`7tlh0ULXUN)=Z8!`J_OnZfUfPl@Nv?o7?mQ1*)yg}G&yIf)6KPk6Fvda&)ieS3o$*aC#Ur1$O#1JkKGNHS9) zPZ{o!qKwQ;NNKi%&(t4v>$@=u8jnaZtKudz8vh;1PGnlU+JR*(?Sgf?J&f4P+Ss1i z&zzp@Ond#f8(dPMD{g}AXx=<&U=^r+HAC^Mn>;o zRFGZSJ%kR9xbtEtPYzLwp zP`JJcxSLb4nRSy47Hk{u_|Ov}X5mkbaLfmHzm+U^c|Z}{H}kLZ?26U>2M(;E`zLw% zuuhQK6)4c3-Wz>5Y1`qMP<>IGbl#T6G9>mSvMpt@OpFA}DNvlGJdq4F+HZD)8Mf_j z7WFFwEBN9m6rYJ4y{N)$_}cIn{j^LIs8+O6m6-oVf*xC=GNRq);#`> zkdKyHn7t8`s8%sJTJYbmz-=YP%uDhc6YH(ZJS^Z>ej!x9yiZ2ez&y6JJ^95^KpR4h z5T>cy`xfHj%(1KuH`P1`@m<464z3aj-EM zB(p6EAx1&n<%UycSV*&mj*x%k7USy;9dGK&*Ik8X5gBobnWAW`B(vPzd2+$8fJ z`s%1na75YR`u<}hkB0yLz?;zoduQj`3~>$o|b0&D@rW0!}{8I<=18Y*Kb?q0UIy1FO+ zd2hoYD3C1toPWNh?7sMwL!rS)4*o?RJ>rYnZ9yYJF~JtE-&nrYg|;mcHYsP|7mOg` z$SD7~cUvO5dHkBa;dZ$4Ja(w|YjMbeqAL`kkg{yYdLdc}q1dZ<4nrHCKE;{u;Mp8_9d~YIr(#eHANKOn{eV;-N3VCzU zC|lN^?ryNThcJH*(xb2(4c>bzMV`+wed0J%@PeAs@nlAD1;~GjqCI_EM>;Ua0j(9kZTxAiP^MHW>kFzw;T)FYhj6Xv-Ur-1jAhJ9!xUVo`94UtZ#&Hy)5ubr zO_rB;XZA;C^~FcR=4bPakvy>aRS8Vsb@yfnrfzdL1)SRvJhR>Hbp0Da#p*soR(F?x z;0TV^f>MDCf>%IsxCbaT)t>o7Yi&)yeq3FXG$2v#P)kU{V>tnA8h4Hp=N5@rW{n|m z0QdF+=8D5N%YMC|%c+9yp@@)>5Es{1iE%VEOiau>ch(VFa~*eyh)|Sli2&e*%WgJw zzr=jLGN7hY=+o!NQufx0MD0~Md8yWJH~f+^R;wj-C%70vEy{3&JK{TVL-3x0Le)Wx zw+6*waOae!S`v$?HsWTG61a&Se=VW;H$wx1R<>rU%YP{#1Tu$!rdZOXIJg%=9J1O$ z=?&MLZzjBG0sC5U&m0VrQx7S|dmH_Q4oM9UI{kiqUuP|B>Z9tVEyi2VU-{nOBB$jV zxUE&b{O8-BuU!@M{_tLi!1rvU&kxv^Yjyp{C-ETB-_4ZldQY~5X|}q-Rt6zM9k2qy z^0N=61T|fYSO#p7NjT z%d$5|u}BbiI5|0Kg%D*Mk|1W$^pl2dHd@!|*>}*|y}+?62cRGD-(ClOS-pY+$XJnZ zTPFn<{vL0<>wb10U%16$p9XPL>=V0yz+F~5QGw>MG(l(Ug2xRP^GH_@i+HRFd-9ff zuTzU?&>m7RQjK~y?Cn(SSn~`an*J19&RY`oeUZBNDG2BWXiK@MbxO-tE^#4xQlzA$ zp#O=6E9738-!Bxr&&+HIRbPKu_qEEW2Kv2SSM@VQ4OjIJjZV084O(V;x*p^!LI1SD z%S9zaEFI(bvMb$$mJtUB$JTg>vnMIewW6-_pQ7F`@pja_ud7P~$S2Cs{BE8^LAv_x zp{`DX|3D@&`s2rpQS<4a&L82e2dVn}tE^|SHh=dD2@aNz0w)GEp=8p8J^PdS3sj4y z$_%C4+}yxdz}QzJeJvU@{iAmT-PZE+Nt~oezkB0R78ShpE9!rx_=tZlu#i7Nucs>`V zp_Ui-3=5w>=@{S4%9i2V+?nNGdXu_&$p`MA(UwbVEZ4E$A9`$-rCnr}(j8f*rR%&r z>c8u+IOn!#Ak?%LnUGKe#0h{|bhNhz1O|4rw%&&iI=bwf9O?V`&)(1OdWx7ofmf^k zKt?K}My1YJ9U^mtqDDc=*}UcT*?H@k(gX_#^yOWIUP&@vQwNUjS_WL65LJzD-Lrjp zXXOIycyrwSWU%2)OiXNVTau&dl3)Kw zivQw)TYv$)0P+NgM%F=SEx>I9cQ{B59`B1}v_0Q_o%yKi_&#+$k7wGyZB6W!H^xkh zX<1J42d`H~l=$C5qarN^ftY1PQHOB;;{*SlUdVH#0}xaYAKC&6M~lPrp> z?bE*5&d4vE8A5})<=Q$?mY-q{pLqN-8_^`QlkV-{s)*S*#c_HKx_x4*s*0^_9Co5w=i_liQ>Eo!r4?I@v8k#k1 zdw#3%q4{ZocB@g@fXsDV_tGYJyN$06r< z*WXRLMg%@9TMSV+yp?a?wY#~!`RmIFTe}VD@nDqj9c%{QGxwiA7*T!R?vo&Gu4k;W zwKGtn#aZExKdJv6hQ7q<|9|WY;P(QZ%F5OmHTCA=_jx$d2`Gt)iRH+p2|Mr3w6;F& z)r&OdZ=(P5y02N`K%(m25NFQ?Ub)hnL6#dJ!!@R-f5YDcv z4eFcwP@E^R8|kqt?E7gWTr$kR?xX5P;qQ;A$_NN8JDvBh#1?Nh!-B}%@DN*VV*@RtMVK5uq~n4 zS;a(V0qM`aU(4aD0;#$drkm4mL$o$%Q=M}0gKdVHR`j2pZzOw+F#+nM1A;ZKg3&jxFXPJbevMs z_%vEi(XFEH+M0rrkL6f72qqLm|2pzO^qhP7grUSm-AmXxpjd;QerD*=mYC1C%UnZe zQh!I2p-+;@f7Ixi>gd-DWtg3kqfXVoYN__e#YS6I3#pgWPuobwfx!eKx7T1>AlAYX zEuF0xl8xPVL33?4VT_SJUyZZn9{Q24S^!2Jg)697kTr#uX>6t?05@W1Z$B6+_6hgM zBYzy)+8jxJWW3gXl6=~Jeazamgq1#8DYAiWAg+--S5&-ayit=64i1{iyF7PssV-UGd*%?j1e#MOUbzk?AHvLZVVCfwh_dT2AD&%W@W*-l z`)7}8vU)o!)bnRtl+srw)mM{-l?OUH-|XYv(af2p$#XT#-)vKFYZ3h@YkxSAt{hUN ze}I0WO+AEICVaSliMxS#@%5z^xLBYecTxF`dDO%qR^^8JU!jH|_Gq!={=ax?DVP)EgCk;UZOfoL)<8j;7+qCH)ImEqy7EqzzOQh%d#5c+{0&E8RZzYXde{ zZBt;p`DoXJOg>0L{i}J1)+x@=*|K1NR*SgR-?)ORvHQ;@)=B0ktqW=a`v^4+Ii+C8 zcWE!u`WBV9RejD&ceooEcf;d`PEtnmdXtJA`qE*G6#`->!1S^QGY8mf$3d?J>u4?N z-?26;L{o*WlM_$I5HwDJPpKnZQFhQ7Nee~t?&O#Cw>NJAV6g@0i7)7*v{&jLKwrI8 z8ra<+s$`HV5VZaPg78yM;b}~;3dFz60lRt2gJkKOX|V44n?EGPAfaPK;NvfCU+G!= z`Te^$p5qp!v~Gnya!4H!J#y)*_7|@yiV6#=>`(C|(W!~Ovu$bwSKA>l z>HTa8H9K}}LeiSKiB51$w7m3Bw}Mz@wT7a7c1e5<+V;l8mwLFwG0X(a$|D_1k-wG~1joVgAz}=&a_$UH?wERWk+^9R7)|ej`o>~&B zC2f)ESw={9$q{mSpL$l6FN{$!R6;{kmzCu$4fC^t=3PBhcC4=?V`ni;TJ>BlHwwhZ zY-Nfh2SlFvM_v9>9$g*`-ZrrAqf|p^bI2l-+EJVoUfiSI8feRs0`?p*Q?!xKO8Gqh90MxR6`YaGRijV`!^#wZ zO*RIlWrXmbpQCEJZKIrNgA;s!Q`S;m4!(N?x8d$!=52?pEI&+SYbaG0GA`cT5r#-x z{CuhYtr?uf^4i3@r9*tsbxp&e1yl0}`Q3?4GM_C{_l5&rV4w{f6<7kaYwV1HJ`ToM zttu-P#Pi`X?RB=@9rioz95S<`-)P3z%H@ooe)wyxawN`*Ho+#N_)So}sN~C@!rc-Q z7VwPR>=B4pbN77vyY0Dj>m%m1Saq9*IXdcr6P@SQ@6Vp;?1Z+&RG~_Y6zVmLfVN6hY&=MP{6+^%a zxwM%aJF>wuZQbXVs0znp;hQ`Bltj#0F8G;jm68TiI!1gdTerS*O@(o zfTrKZR)ZCnOUnLux093%0;Yw?=v#JE6Vug`b=sm0_Vb(Te6yeVlxYc-l})kWFkx1W^?!wDHJsh&=L$lm95QfrXY+f8jj>7XKI z$h#PaxwDpgoY^7&rVw;0Z3_(zh31fK>f@R)FS1b~1X$Frpmh`?Utv0!Q8njgG5^ie zqutCeAi!yBj0FThT_;Qsk}5}FY5<(`IGK>Hp=VH;r@L7WlELBx=@-yw_t3W~q;Csu^t;EnzcrNs%faoVmw|`ofe+%)F1xiq=y2bb=8{}#EFyf*Y_U*| z)bx-V$Le3fzkRT8d8O*44K~k5n0@>4TjzB9H%3S|hH*BmDIWw+t3?(Uy$h)aCrNqr z8Phhzf#J~eV~zceIv#;=0Nb`vGFn|rjrjC8L2Wu#3n#phv-TStV`;Wo_=>)3MRt$5 z2v07!(rt>GaUtYvoc3$I_I1yoU8B|N%D1~15Yn5(TLPv4gR*$Y z=!8Z@>`jzqihWv$Yq&8`*SXI<)3#$4di0rdSllmz9(sgRL=e9~hIyhp>m;kUHf5H z!i&56ME*NVP7Z(*U{OEZ>3&q#8AM-mQ!AeGf#%1iy3Pju&()p5FK^wyk?#PPxcH5F zs+kKH$nG2_joVc@PEZh_jw>zEPTen7P*s<2P+N}qfG=E9cCgMZfg9qg zDS(l35&_tzvmkjo;mk6;c31JYd|yhf_q&@d+R@U275E}{W8QazJd&R@7r?ukzT5t! ztC}Ty)Wmx-vB}b#;od8vQc*Ev+ZyPr0=n}2787n>k!7#+f6AE3qwR*iFQ(hf^no3Qp!=YmY zF&p_{VpZGPkQ?{Ko?@Zi$`5qS+PC2KA*}9%7Vht%Srlq%cG;kxoou{3!O|?wfzR9p zw2bP$O0r9me4MgmwDBE?BZMb#wupUKEhR3*h$sQC6va?N_|@+N8g&BO3lB(@=ds#J zl{$zIH=w@~Uk+{2DnY;0`49r(fmoxT3WPk93?f@hT$se2z*j#?&@j@`i`NI*wHoe(Le7S9L^E~~9!R6mahc=xh zGOFK%WOm%*j1~@kw{Erai3-1ZK`p??<{@dgyhp|-$e#mFmW8hZdmJhKVB`UNV0f*i zyTG736P&LXtA88&R=luMn_Wr@_TT&be;dLt7Q$ z`mPHeN_F72)?JIWWMsf`#Sj!VPX1S_WhTa)Lb+>ejnH2!GwQ-mk-hCq%4?k*5fPD= zru*c{jYgkag#@Ieu0MZJe{*n#j>;Sf)h?glz?sMP`Lc?yh&?E=AynU=;0Pzjs97)B zJ9maU2ky&FW_5=F{^D{}!iM^rg4Vn0{$$iLk3ae;P)C26&E!uC@u+;pM8fcN#`q1D z#Mztng49rjEX2tB9#*~jXR>8yCtdmDpYuzJ(j4eDtDm{)&w^?;AhR$MoE=~2^nO|9 z=tt&s`-@9;-Ci9ARGX85d;2~iPuw6Z+jOR`dVZ6l)i{5-_{Vh`{TI;#<0B^({c^{& zsH-Q{SS&p2rbJv!ZgMC}l&{6?hpTZI)sdvXV_2HZ9MG>UM$-v0hmq+Cs&ZYh>+Zlp ziA1TO7<=>R0%7rnjIB+>P-9}h&t>(9fauV!Coy>w$^rV_@v@NHBgm=9%Y?Cs@0?@B zrS)XP!}t!tsva0?(d*>#I5nBdnc@=?v{m|9KR|PT>!6!AC!dhW;axy=FI>y}_|LB{ zFTk9+D$r`T)|+rWfTGR2B`uQ2F0#Cw6Pdo%3z@U`C~p@YODgGKKL=YzC9Y@g{3+D< zg4&cKcgO`f^=-Od4rLC89SC8F}~(vu1`UAs}uk2HX`I zMoVrol50zxvkHpKqK-R`msXk#wF<53LmwlLy|i`zrOIcpE)3 z(*vu-%qr8RmkRYX^5KDk!6k>(RcrLS+E?xGCF$ZynN5{it!3+DUvC1=K~MZN$+KT3;7I z6d2ulHomGV!Y^w3*M;HkZH-%T2rUljhrb^<%iug9m(T7;cXbZzdQDOMlrBrpg)C!>6a1$Jtd?6q1=sYAZy%!F;7UVCh(eB?$Yfes1URpBv`OJ(!D&k&SVz1#o z0;$^NU@64oZIVxj-qUb3dPd#UTvL%pcg%g|1)2}ESZ{G2NQW*Ncd!Tbqn{-u&J~6K z`2CBEsCaggrg#kxrNeTOw{`Rgj1&zB(}|<(+oL(-88hVCJ;ZcsxYXn~nAMNq z1U0+XjNk8Z50;~eWs8GuwWXS3LTfwnsq^K}^+YCKwU=SfgGVQ|-a40`XDzCbql`IY zC8@9ee53arOXq#GeYTA9_geMS7N>-=mhF1oaiS(Yop6`}5<6JvSwK4fSDLr+d=kV+$%0jm1pu_neu28`uYL3F~GU zlR2e*?s6i%QO8+Odr|l}%g~t*cRYzxZ)Qxqi1i9G~yM{{C*S9=t9w=|#EgA^xHxi6it5Y+xO94-!|8XsgFVz$( z*g8)(N6|81B9~zZu%5POYU~vi@qq^fT5_T476d5&{My+P`1NZERyslq2{_^dUFf|_ zL>o*8gXtW19fvpi_p`D-gKmFQMMcGgylINYpQZAxvFKB<0V*mfO&`-W%>@igC_Y`^ zqN$5%zw>&vf$*~ngHD$m0Z~aS(*R#*G_abNpi~6_@;q>Dz}I9sQMw3otggq1Ee29f z?LHrY==AU3zY#hv`Y;v2Qh}NH^ylC*OfUm=VgTI5Llls31{R*q%Yg>aOJNxvhNlCX zFPWskwEqTt^$^OgAGM&{F3dc;{}HO#PYKCxwwK8K_sTTBnkv}Z9^DwYx&uvUXyDH- zu<0bZcgqlfKD2k8R7OET`5mwaj~p!Yp4S+)%4Uh$XVAr4XnOaElXJpARdp;^A(Kk+ zoz{1sLY;;`2CVV3_IMvYeAtJA8=HjvdLqO=^>xI97;!UK)XB*SuxlZLY*)dV_C_8C z1~iOaaVJ*+OPhZh6{TzG*91E>@j=fdv##sRUimNf?7|Nr>F?H6Ep(99CLCCpr)2o_>gezFWKHY@|<+irTcHisxh|o~KJjj^a z19=~DmJ|qb;L}&)|KvWk6cM(HT3Q~*KL;T(0LGraG!aUta-B zWu$X?7l}(Yi!=8>nye6LvP%wrN!Dd54P$y16^LGU+<$&#hLr+~X2Rj+-|4x%{v4UT zssZ#gQ(pIR!SW)hoDr7ao%Qu>Nt?tD6$P&@e-?L?k$GDFvF2$p3D1jYSc^jyylN@9 zGW-83?)*Qq1>aZIp*dNxlSoTT1BHI`Z6jy_@D$NU{hthZ=-E_;kh}CRawDaK)CSb| z^-b36KwGYp)$bA18zPrE(8B+kL;aV7TgmFHeeGHLC!u_PehvtEdAV<`V>#`XaQHDM*2(aGY%KXIf8-$} z_fe0vf`)})da+P$aa-u1fk=MdY$g|x+EwFEp`r1~JL{wOhDVmZpWR1Dn{S@xzXUo+NeZblPKZPF za!#2j-?>M9u;jVF07A)j)kbG$xD3P8Z~vv|3;BlWju%kp=9W!l{)%oyl&suw4fq2o z$0pNAy~3Y1sT)s4XK5o3e|GG3fVFc=OK9o^O(L-k$I%M<}_YHFYCY9!GFVb59^ z;~8QtL`XFDm)0mvixF{vb~Jnf@aeYgf`vHkC;RQKYu7?ez`9>n>LD@J3(s2~DAeb{ zgUx1vF7NosPy+tkJK};cE8cb)K=?f6J{Uc7rH%)3@MA}PLw#$3pY|rTO=4_Cxkciex~9Ct6h%Ri z;_@u@&>JUi>BswC8cmCNmb32x5LlwP*su)XK$-(fgOG)tF28>-D=kFg+ zWG)s;OUrU_#QVB4W%(^d{{wa~Dud z=d37a_DyzU*(N0H;7}5M2^(nMaQ6((R}!0>v{qYGF798cY<{o~X*yn1=}w8Do_Ihc zC%mleYl0nN`Z#PFu|WgVf6K7E&x{c;ad05k@e{b!z#IcIhvcKB62!OY9w77aBt>24 zY-J0+W33nhXhXGt=%gSw_X&*_vY)@d)nqx!t54F5F&GvCRR-Ucuer)Q(;XO%B+Qio zKPZgV!ic|#XkSRzV~ls-@t1aISi&NlfcCT2V_Q!e=ZGXFa z*l~_2QJ;%fG7zmu)TCvxNeETlMOrsz#W8p;F7omp(5yh57xznKjGEcSL+Y#WCkNBR z%Al$$bkaVwO4L+s8eNI6Bz`X^`=P}P+7~;o^WWe^gIYzq75Y*{%QgFs?jb+gvtVf)3=g_CO za!-5a6ARshVYJPCy2=Kpuk3m+^770cTgn1l?s>3DMs;kX+gElM6VgXSY-Y$&2m zusnG>FgJIxqrUx|*qoE!00IT?FxXBXn+;`k zcYAL*Ig){AQj{>R4=|hVt1)W08)wS5(NX}FE4t#g=#PMs=4>PcIGuy$6_8}>`0jIS zFcc7wzhRuPo{Q5Px7&??O9e`aR`rij#sva!LV~Rl{B+;~$tB-HT&KAsA`tJN0!F(FU8%Nb{_Zl18hRCEt!e5W%=#?xAn@Nws8v3**rj0GX?RkQ|1|^I^ut1lmNLG^evP&L5sLSk7oVV< zrgeb2Lt32ou=*gly-C{{TnvLTh{)Z5ja#?336nB7 z8U{CXU?h8fJq!nch&r__`70kPRuNG2YqYL8yVs86Z2_;#^Ru9z3=9nainV|$(t9ym z>$o*qFb?;V*ZzX&wG@CDg6ThI`Wi_>dc#ceeMZLj}jt5*^gp$6)8}(A}j-eiIR+fJ8V$_`5gvM%_22IV^HUr{v zl!jf5oB&SP-1vzAXc~qjrnh#-d!$=VhhtnPTT03^Eg90wK;)i(aFC)WA4qnK4p0s6 zrE7xdn9Cj$6#Qgo8gTrvij#mhejzH@ZHkkQW))wCQXUbw_RZR$OpTVNzAk*7;mCRZ$sy=Jzr1N>w zb;l%s4?Fr;wztRPZo1pUlFE5}tG{NOYKBC)qdKIg@#sBMpE+j4h~^86psZ+ z7=iDEMB~HTq+5}6){8Woj27dQn`DxhRf0Gs3bmI3H@e;$qfF(v(>$LXb@qEUpHM8> zt-S4AXu6W4xNiT2J;1_)j~4d2hbYn3KMsAD?h50vHajx6J-lx`Q)BpDs^k$j=X9K=6UgFepUF+YE-YHT~9l7^C4;91=_Nv{Wc zB~u4Ro~~bYC|vn#$9V3>_IiI;7mS6IqkkFywi*OF#HrQ_I7z%O&mMd=1F`0MpqoXB zhqX1U*d=UU2xj$tm>LHzlRzMnL0V@*@jA6@M~rzT6rg#sJxQRS!s2!dTG8*C*p0gh zbM6)+qoPVmNL1M1eRq?Znv(d%C%Sk$?QC9Ln?@%ggf?x|`@PeRIJ$RMRG6SW zMXZcFB?1ol>0NNBh9$k9Q@ZKd6h0xa5FbF+c(|sl;`7Ptyx)#1eapwN5747!1;wm~ zCerB2W}oX_7am0~4L)=YoOCsPE}U0(kQ9T${<+ZLXyBh9cVKqx@{fs|!W5a+bkCYm zR|L8kcp8Od9NYM8%S+qmeoWADTurL`Z$09^28zoJxq!9sTB*I!%n_(U) zzugK)PdJhELt)Qo=MSW zMibkk4VSc!_^=WkpB5fDPe7IG7(JW_Tg0^Z{rSSjUqbj+QGu-Pii6N_9ik$k1^pZ1 z14v6aKasuH%WG?VQ@p-?y|MESBR#-ZUqgJHShN{8qDIX)l*qFx0~b%oT<#3`EG8MN zV5+p>RSL^HO0K_We^m9ne?MAj#*5+@hkHFvJ7`MVwxYzviYLxr8~n45e_b{(7dgif zb}uJh*%q-qEv>;D;&L3QtL_Z*!RKN~TmQ*zwn&5erD1yJyd!hvK}cdFWkQI<<57v~ zPdPW2q9oR!U92sndMsW4k%A(p7~NH#YdnUO;B-rmY`%!O@C(mze2J^^Ap;xpSqjuk zGtd;Z;TD16!ho5p#rc}dWu^!kooq5+6NG9(%>!cKaeBy8DJf^@@{UTV7OEe>&~0)^ zRr;j;EBp}Fd7K>%7cCiRtt`o%3CBDK3i2^J%s-mp*BKgKq!BdY1{d!4otfWvPz_c- zV^#qC6K8$&9|iS^H5F+!?j38+RM7f)|AgGuO%FLvEdeOHkv1!3Kv5;?Q{iI!CDRy1 zX9ZTy)lyk@X_r5BgMeETQ3`%T!GrZ z7Ls~zW;U82OAVTQ`UT`PX2c!6pXOHkBGzd6%Q=z;nyZdpOLt!9wSE3paEsOV5$8sF z@m&Aa@D#%%VG;)M1Q_CxPGJl-(c;_RsI$rfbLXIsshWzv27@VzqqIY zhJTpXe-t`GvXStzPhUBrOSbt}B!x-FJWUdpT@qPO1u~Q;iaDFo_(cl8u_HEMILdE9 z#Q2ycd2VUzxn(pthVKFkGk02J$cXy3*_6P#iwg3F*LC6Bb7yrF20bl4?>Et~eR?Or zCL%XTTT+3&I!Ve{H?jl8J~Xq_E|G?JIG1nXmB$$nVn})43SIo0Me~)V5M}+L zhO%ctqf2Wo4PnsC$3(Z{LCF=5El#HxvU3huKf4KdlMc(Sj_EUe&1xp&Jho}5Asle`Sv2! zji0V+kpS>I?#$VJxn+>KI1`w;xQ;_rBcq~}l$3^>CFtc+3&*!0yC&z12Z0HY0*DE1 zEtH*}Z9=Uz}X}Ce+yA#c=CgmqMrZGHd~lP0-Jvv1c@?7|P&HKV22JUKBOtLZpnoC6$A74rr=FhM3l?!%o|ul%|_Dhd~Lyg8ch zs|w~6dEQqHXZo9LAj>(IQv6N$NivQ3W#A6R{k6Wld~5qdd9=-=YtqmqjPugM()pls z@+^9L0K1JD)8~BBh7{|))lZCZx<@o7%{rG>W_-bcNOWneKWxZe+ki-wG$0@XxROh| zNaFXjV+i1cv?#1_q3pqN-@75}hDKuvOD)^WKW9To)r3P2C>AhGBF;*YY8bQ!cHj5% ztGZ6BFGet7M*bd7%z%c9+GR__FRp2hN0y{Jx1{sE!Yi8c9# zH)_OBmiL>U{CP{K>9V8Nb7osHoz<@PfC+Sesa-~?-MU930N`5GT0UBM_>qcL98N7B zEmzmJ7BJU7e~$h_^uCxpOdMxhLIMT_s~X~cP|!~pR6--v7#gxZS^x*+hcVJ;z~X1p zYBl1dyMO-)r^_ds@4J*b459 zwR9_5#?1{Z=)m}A&|`%sPU|uS-0q6 z&{WHtpaotx`;8x?63oXmicWH!9jtCFKSC$9{w#0OJeA4%j2Jo5E;RNhA0ML*9f@H-Pk!B_m&pb$cD4v9W8uVQXX((=M5*<-UYEC{oiOOqv-PE&e zTfxcVx}wLa!J<8wn#adal3=D?@Pu}FjBV^>WxmqaZ`*rE#35e|>_-}#Xtw62h zwRF?Wl9*2rD7DM>3x&U~Zrc#yAg+bkDI!~ISZ5lDO@$qfDffq8I>I@z_)aT`e_v^U zu>?0ctGvkH?Jpp6e$L9mq7*)d5Gi=+zPw5TMHJ*?A^0XNo=b7s@jzUPk`sn`va()h zGyv@Q-W|hK=dkhd!-rDa<@Rf372?@;b7zP6^)MFRJw}?_c~=W8nY<3jG)QpY`_L}F zIKT3#9h%Zto#XzN!5!{H0m6n(5b&FU-UN!_;k$RhfFVTi-dTL(2re?7H*=5eRyt>9 zw7e!!(7JWKFGd+#0DO%Ho&_$@aAB}5o_9gMrZB~ZExaa)Vx9ve)o>Rvhwut1@$t*S zhQMVzV9LMtTZtqLe9nIH;jIt zHsvCKWSni}e*x1@i6_wNv$Hz{(hP`0F!JhPd{W7`G2SF+X?^`R=JS^?XJ8oCWUmO$ zKY>x0cng5cYtb`6F>j_+UtCPA8G?0y^-a;iCnhE)Ah@M;9ad%B@IP(17BSWSZ4bZL zp$UaizuVi};C{@`%DT4lc!MyV6d8F_i6cSQm4)a!u$S`h+e)>CNx^_z!1+fZ5`!Vi z5O2Ko|NKN;Rc{2#M=y0jnx_vR4ab9j{3yuowQ*T)3$&2NmO26gp%G}^9Hh!-6v ztG*CKBp(i|%#S0pG=Q)p)_>7a(=jV)3U Date: Wed, 29 Mar 2017 17:42:29 -0700 Subject: [PATCH 34/46] seo updates --- ...ed-features-windows-defender-advanced-threat-protection.md | 2 +- ...nsor-status-windows-defender-advanced-threat-protection.md | 4 ++-- ...integration-windows-defender-advanced-threat-protection.md | 2 +- ...t-custom-ti-windows-defender-advanced-threat-protection.md | 2 +- ...hty-sensors-windows-defender-advanced-threat-protection.md | 2 +- ...al-settings-windows-defender-advanced-threat-protection.md | 2 +- ...tigate-user-windows-defender-advanced-threat-protection.md | 4 ++-- ...ew-overview-windows-defender-advanced-threat-protection.md | 2 +- ...ences-setup-windows-defender-advanced-threat-protection.md | 2 +- ...ew-settings-windows-defender-advanced-threat-protection.md | 2 +- ...file-alerts-windows-defender-advanced-threat-protection.md | 4 ++-- ...hine-alerts-windows-defender-advanced-threat-protection.md | 2 +- ...nse-actions-windows-defender-advanced-threat-protection.md | 2 +- ...e-custom-ti-windows-defender-advanced-threat-protection.md | 2 +- 14 files changed, 17 insertions(+), 17 deletions(-) diff --git a/windows/keep-secure/advanced-features-windows-defender-advanced-threat-protection.md b/windows/keep-secure/advanced-features-windows-defender-advanced-threat-protection.md index d7678c4832..1bcbb15c46 100644 --- a/windows/keep-secure/advanced-features-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/advanced-features-windows-defender-advanced-threat-protection.md @@ -1,5 +1,5 @@ --- -title: Turn on advanced features in Windows Defender Advanced Threat Protection +title: Turn on advanced features in Windows Defender ATP description: Turn on advanced features such as block file in Windows Defender Advanced Threat Protection. keywords: advanced features, preferences setup, block file search.product: eADQiWindows 10XVcnh diff --git a/windows/keep-secure/check-sensor-status-windows-defender-advanced-threat-protection.md b/windows/keep-secure/check-sensor-status-windows-defender-advanced-threat-protection.md index f00f86053f..22861fbaa2 100644 --- a/windows/keep-secure/check-sensor-status-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/check-sensor-status-windows-defender-advanced-threat-protection.md @@ -1,6 +1,6 @@ --- -title: Check sensor health state in Windows Defender ATP -description: Check sensor health on machines to see if they are misconfigured or inactive. +title: Check the health state of the sensor in Windows Defender ATP +description: Check the sensor health on machines to identify which ones are misconfigured, inactive, or are not reporting sensor data. keywords: sensor, sensor health, misconfigured, inactive, no sensor data, sensor data, impaired communication, communication search.product: eADQiWindows 10XVcnh ms.prod: w10 diff --git a/windows/keep-secure/enable-siem-integration-windows-defender-advanced-threat-protection.md b/windows/keep-secure/enable-siem-integration-windows-defender-advanced-threat-protection.md index a645f8ccad..07d789ce14 100644 --- a/windows/keep-secure/enable-siem-integration-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/enable-siem-integration-windows-defender-advanced-threat-protection.md @@ -1,5 +1,5 @@ --- -title: Enable SIEM integration in Windows Defender Advanced Threat Protection +title: Enable SIEM integration in Windows Defender ATP description: Enable SIEM integration to receive alerts in your security information and event management (SIEM) solution. keywords: enable siem connector, siem, connector, security information and events search.product: eADQiWindows 10XVcnh diff --git a/windows/keep-secure/experiment-custom-ti-windows-defender-advanced-threat-protection.md b/windows/keep-secure/experiment-custom-ti-windows-defender-advanced-threat-protection.md index 670b72a6d5..188403ee49 100644 --- a/windows/keep-secure/experiment-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/experiment-custom-ti-windows-defender-advanced-threat-protection.md @@ -1,5 +1,5 @@ --- -title: Experiment with custom threat intelligence alerts +title: Experiment with custom threat intelligence alerts description: Use this end-to-end guide to start using the Windows Defender ATP threat intelligence API. keywords: alert definitions, indicators of compromise, threat intelligence, custom threat intelligence, rest api, api search.product: eADQiWindows 10XVcnh diff --git a/windows/keep-secure/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md b/windows/keep-secure/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md index 0e7e6fa111..a301137ca4 100644 --- a/windows/keep-secure/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md @@ -1,6 +1,6 @@ --- title: Fix unhealthy sensors in Windows Defender ATP -description: Fix machine sensors that are reporting as misconfigured or inactive. +description: Fix machine sensors that are reporting as misconfigured or inactive so that the service receives data from the machine. keywords: misconfigured, inactive, fix sensor, sensor health, no sensor data, sensor data, impaired communication, communication search.product: eADQiWindows 10XVcnh ms.prod: w10 diff --git a/windows/keep-secure/general-settings-windows-defender-advanced-threat-protection.md b/windows/keep-secure/general-settings-windows-defender-advanced-threat-protection.md index d53c76fc27..aca26a9b12 100644 --- a/windows/keep-secure/general-settings-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/general-settings-windows-defender-advanced-threat-protection.md @@ -1,6 +1,6 @@ --- title: Update general Windows Defender Advanced Threat Protection settings -description: Update your general Windows Defender Advanced Threat Protection settings after onboarding. +description: Update your general Windows Defender Advanced Threat Protection settings such as data retention or industry after onboarding. keywords: general settings, settings, update settings search.product: eADQiWindows 10XVcnh ms.prod: w10 diff --git a/windows/keep-secure/investigate-user-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-user-windows-defender-advanced-threat-protection.md index 276cb49632..e0b1346b9e 100644 --- a/windows/keep-secure/investigate-user-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/investigate-user-windows-defender-advanced-threat-protection.md @@ -1,6 +1,6 @@ --- -title: Investigate user account in Windows Defender Advanced Threat Protection -description: Investigate a user account in Windows Defender Advanced Threat Protection for potential compromised credentials or pivot on the associated user account during an investigation. +title: Investigate a user account in Windows Defender ATP +description: Investigate a user account for potential compromised credentials or pivot on the associated user account during an investigation. keywords: investigate, account, user, user entity, alert, windows defender atp search.product: eADQiWindows 10XVcnh ms.prod: w10 diff --git a/windows/keep-secure/machines-view-overview-windows-defender-advanced-threat-protection.md b/windows/keep-secure/machines-view-overview-windows-defender-advanced-threat-protection.md index 73f0e86007..4537784b7b 100644 --- a/windows/keep-secure/machines-view-overview-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/machines-view-overview-windows-defender-advanced-threat-protection.md @@ -1,6 +1,6 @@ --- title: View and organize the Windows Defender ATP machines list -description: Learn about the available features that you can use from the Machines list such as sorting, filtering, and exporting the machine list which can enhance investigations. +description: Learn about the available features that you can use from the Machines list such as sorting, filtering, and exporting the list to enhance investigations. keywords: sort, filter, export, csv, machine name, domain, last seen, internal IP, health state, active alerts, active malware detections, threat category, review alerts, network, connection, malware, type, password stealer, ransomware, exploit, threat, general malware, unwanted software search.product: eADQiWindows 10XVcnh ms.prod: w10 diff --git a/windows/keep-secure/preferences-setup-windows-defender-advanced-threat-protection.md b/windows/keep-secure/preferences-setup-windows-defender-advanced-threat-protection.md index 1523930b5c..dab6725222 100644 --- a/windows/keep-secure/preferences-setup-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/preferences-setup-windows-defender-advanced-threat-protection.md @@ -1,5 +1,5 @@ --- -title: Configure Windows Defender Advanced Threat Protection preferences settings +title: Configure Windows Defender ATP preferences settings description: Use the preferences setup to configure and update your preferences settings such as enabling advanced features, preview experience, email notifications, or custom threat intelligence. keywords: preferences settings, settings, advanced features, preview experience, email notifications, custom threat intelligence search.product: eADQiWindows 10XVcnh diff --git a/windows/keep-secure/preview-settings-windows-defender-advanced-threat-protection.md b/windows/keep-secure/preview-settings-windows-defender-advanced-threat-protection.md index f1e4b41964..8ae02a81bb 100644 --- a/windows/keep-secure/preview-settings-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/preview-settings-windows-defender-advanced-threat-protection.md @@ -1,5 +1,5 @@ --- -title: Turn on the preview experience in Windows Defender Advanced Threat Protection +title: Turn on the preview experience in Windows Defender ATP description: Turn on the preview experience in Windows Defender Advanced Threat Protection to try upcoming features. keywords: advanced features, preferences setup, block file search.product: eADQiWindows 10XVcnh diff --git a/windows/keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md index b7812a0ba4..e9d223c9d6 100644 --- a/windows/keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md @@ -1,5 +1,5 @@ --- -title: Take response actions on a file in Windows Defender Advanced Threat Protection +title: Take response actions on a file in Windows Defender ATP description: Take response actions on file related alerts by stopping and quarantining a file or blocking a file and checking activity details. keywords: respond, stop and quarantine, block file, deep analysis search.product: eADQiWindows 10XVcnh @@ -85,7 +85,7 @@ You can roll back and remove a file from quarantine if you’ve determined that ``` “%ProgramFiles%\Windows Defender\MpCmdRun.exe” –Restore –Name EUS:Win32/CustomEnterpriseBlock –All ``` - + > [!NOTE] > Windows Defender ATP will remove all files that were quarantined on this machine in the last 30 days. diff --git a/windows/keep-secure/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/respond-machine-alerts-windows-defender-advanced-threat-protection.md index 0e2b10168f..d0c899983f 100644 --- a/windows/keep-secure/respond-machine-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/respond-machine-alerts-windows-defender-advanced-threat-protection.md @@ -1,5 +1,5 @@ --- -title: Take response actions on a machine in Windows Defender Advanced Threat Protection +title: Take response actions on a machine in Windows Defender ATP description: Take response actions on a machine by isolating machines, collecting an investigation package, and checking activity details. keywords: respond, isolate, isolate machine, collect investigation package, action center search.product: eADQiWindows 10XVcnh diff --git a/windows/keep-secure/response-actions-windows-defender-advanced-threat-protection.md b/windows/keep-secure/response-actions-windows-defender-advanced-threat-protection.md index 22b507a210..a22e882c62 100644 --- a/windows/keep-secure/response-actions-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/response-actions-windows-defender-advanced-threat-protection.md @@ -1,5 +1,5 @@ --- -title: Take response actions on files and machines in Windows Defender Advanced Threat Protection +title: Take response actions on files and machines in Windows Defender ATP description: Take response actions on files and machines by stopping and quarantining files, blocking a file, isolating machines, or collecting an investigation package. keywords: respond, stop and quarantine, block file, deep analysis, isolate machine, collect investigation package, action center search.product: eADQiWindows 10XVcnh diff --git a/windows/keep-secure/use-custom-ti-windows-defender-advanced-threat-protection.md b/windows/keep-secure/use-custom-ti-windows-defender-advanced-threat-protection.md index c155873b90..ba2be9225a 100644 --- a/windows/keep-secure/use-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/use-custom-ti-windows-defender-advanced-threat-protection.md @@ -1,5 +1,5 @@ --- -title: Use the custom threat intelligence API to create custom alerts for your organization +title: Use the custom threat intelligence API to create custom alerts description: Use the threat intelligence API in Windows Defender Advanced Threat Protection to create custom alerts keywords: threat intelligence, alert definitions, indicators of compromise search.product: eADQiWindows 10XVcnh From 122b40ba2c5dc4f204cb5776d46c722f4941f436 Mon Sep 17 00:00:00 2001 From: jcaparas Date: Wed, 29 Mar 2017 18:15:14 -0700 Subject: [PATCH 35/46] fix related topics --- ...ing-windows-defender-advanced-threat-protection.md | 4 ++-- ...ght-windows-defender-advanced-threat-protection.md | 3 +-- ...unk-windows-defender-advanced-threat-protection.md | 2 +- ...api-windows-defender-advanced-threat-protection.md | 9 +++++---- ...-ti-windows-defender-advanced-threat-protection.md | 7 ++++--- ...ion-windows-defender-advanced-threat-protection.md | 4 ++-- ...-ti-windows-defender-advanced-threat-protection.md | 10 +++++++++- ...nts-windows-defender-advanced-threat-protection.md | 5 +---- ...ode-windows-defender-advanced-threat-protection.md | 7 ++++--- ...api-windows-defender-advanced-threat-protection.md | 4 ++-- ...ode-windows-defender-advanced-threat-protection.md | 9 +++++---- ...pts-windows-defender-advanced-threat-protection.md | 9 +++++---- ...-ti-windows-defender-advanced-threat-protection.md | 11 ++++++----- 13 files changed, 47 insertions(+), 37 deletions(-) diff --git a/windows/keep-secure/api-portal-mapping-windows-defender-advanced-threat-protection.md b/windows/keep-secure/api-portal-mapping-windows-defender-advanced-threat-protection.md index d551629b2e..48a38a9acc 100644 --- a/windows/keep-secure/api-portal-mapping-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/api-portal-mapping-windows-defender-advanced-threat-protection.md @@ -75,6 +75,6 @@ Portal label | SIEM field name | Description ## Related topics - [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) -- [Configure Splunk](configure-splunk-windows-defender-advanced-threat-protection.md) -- [Configure ArcSight](configure-arcsight-windows-defender-advanced-threat-protection.md) +- [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md) +- [Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) - [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md index 21b8b172ec..636c697802 100644 --- a/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md @@ -180,6 +180,5 @@ Windows Defender ATP alerts will appear as discrete events, with "Microsoft” a ## Related topics - [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) -- [Configure Splunk](configure-splunk-windows-defender-advanced-threat-protection.md) -- [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) +- [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md) - [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md index f40c7d579d..708ddc8854 100644 --- a/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md @@ -135,6 +135,6 @@ Use the solution explorer to view alerts in Splunk. ## Related topics - [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) -- [Configure ArcSight](configure-arcsight-windows-defender-advanced-threat-protection.md) +- [Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) - [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) - [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/custom-ti-api-windows-defender-advanced-threat-protection.md b/windows/keep-secure/custom-ti-api-windows-defender-advanced-threat-protection.md index 18a8804998..3f71267756 100644 --- a/windows/keep-secure/custom-ti-api-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/custom-ti-api-windows-defender-advanced-threat-protection.md @@ -1,5 +1,5 @@ --- -title: Create threat intelligence using REST API in Windows Defender ATP +title: Create custom alerts using the threat intelligence API description: Create your custom alert definitions and indicators of compromise in Windows Defender ATP using the available APIs in Windows Enterprise, Education, and Pro editions. keywords: alert definitions, indicators of compromise, threat intelligence, custom threat intelligence, rest api, api search.product: eADQiWindows 10XVcnh @@ -389,7 +389,8 @@ The following articles provide detailed code examples that demonstrate how to us ## Related topics - [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) -- [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md) -- [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md) -- [Python code examples](python-example-code-windows-defender-advanced-threat-protection.md) +- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md) +- [PowerShell code examples for the custom threat intelligence API](powershell-example-code-windows-defender-advanced-threat-protection.md) +- [Python code examples for the custom threat intelligence API](python-example-code-windows-defender-advanced-threat-protection.md) +- [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md) - [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/enable-custom-ti-windows-defender-advanced-threat-protection.md b/windows/keep-secure/enable-custom-ti-windows-defender-advanced-threat-protection.md index dd97cca65e..da53066333 100644 --- a/windows/keep-secure/enable-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/enable-custom-ti-windows-defender-advanced-threat-protection.md @@ -41,7 +41,8 @@ You’ll need to use the access token in the Authorization header when doing RES ## Related topics - [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) -- [Create custom threat intelligence alerts](custom-ti-api-windows-defender-advanced-threat-protection.md) -- [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md) -- [Python code examples](python-example-code-windows-defender-advanced-threat-protection.md) +- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md) +- [PowerShell code examples for the custom threat intelligence API](powershell-example-code-windows-defender-advanced-threat-protection.md) +- [Python code examples for the custom threat intelligence API](python-example-code-windows-defender-advanced-threat-protection.md) +- [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md) - [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/enable-siem-integration-windows-defender-advanced-threat-protection.md b/windows/keep-secure/enable-siem-integration-windows-defender-advanced-threat-protection.md index 07d789ce14..9c83ea0f99 100644 --- a/windows/keep-secure/enable-siem-integration-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/enable-siem-integration-windows-defender-advanced-threat-protection.md @@ -49,7 +49,7 @@ Enable security information and event management (SIEM) integration so you can p You can now proceed with configuring your SIEM solution or connecting to the alerts REST API through programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive alerts from the Windows Defender ATP portal. ## Related topics -- [Configure Splunk](configure-splunk-windows-defender-advanced-threat-protection.md) -- [Configure ArcSight](configure-arcsight-windows-defender-advanced-threat-protection.md) +- [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md) +- [Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) - [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) - [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/experiment-custom-ti-windows-defender-advanced-threat-protection.md b/windows/keep-secure/experiment-custom-ti-windows-defender-advanced-threat-protection.md index 188403ee49..b7f9bce85f 100644 --- a/windows/keep-secure/experiment-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/experiment-custom-ti-windows-defender-advanced-threat-protection.md @@ -1,5 +1,5 @@ --- -title: Experiment with custom threat intelligence alerts +title: Experiment with custom threat intelligence alerts description: Use this end-to-end guide to start using the Windows Defender ATP threat intelligence API. keywords: alert definitions, indicators of compromise, threat intelligence, custom threat intelligence, rest api, api search.product: eADQiWindows 10XVcnh @@ -82,3 +82,11 @@ This step will guide you in exploring the custom alert in the portal. > [!NOTE] > It can take up to 15 minutes for the alert to appear in the portal. + +## Related topics +- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) +- [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md) +- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md) +- [PowerShell code examples for the custom threat intelligence API](powershell-example-code-windows-defender-advanced-threat-protection.md) +- [Python code examples for the custom threat intelligence API](python-example-code-windows-defender-advanced-threat-protection.md) +- [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md index b8c5694f12..5498802fbb 100644 --- a/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md @@ -53,10 +53,7 @@ The hardware requirements for Windows Defender ATP on endpoints is the same as t #### Internet connectivity Internet connectivity on endpoints is required. -SENSE can utilize up to 5MB daily of bandwidth to communicate with the Windows Defender ATP cloud service and report cyber data. - -> [!NOTE] -> SENSE is the internal name used to refer to the behavioral sensor that powers Windows Defender ATP. +The Windows Defender ATP sensor can utilize up to 5MB daily of bandwidth to communicate with the Windows Defender ATP cloud service and report cyber data. For more information on additional proxy configuration settings see, [Configure Windows Defender ATP endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) . diff --git a/windows/keep-secure/powershell-example-code-windows-defender-advanced-threat-protection.md b/windows/keep-secure/powershell-example-code-windows-defender-advanced-threat-protection.md index 1e062c51a0..b41b8bdaae 100644 --- a/windows/keep-secure/powershell-example-code-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/powershell-example-code-windows-defender-advanced-threat-protection.md @@ -71,7 +71,8 @@ You can use the complete code to create calls to the API. ## Related topics - [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) -- [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md) -- [Create custom threat intelligence alerts](custom-ti-api-windows-defender-advanced-threat-protection.md) -- [Python code examples](python-example-code-windows-defender-advanced-threat-protection.md) +- [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md) +- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md) +- [Python code examples for the custom threat intelligence API](python-example-code-windows-defender-advanced-threat-protection.md) +- [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md) - [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md b/windows/keep-secure/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md index 670143cd10..5e04c5302d 100644 --- a/windows/keep-secure/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md @@ -190,6 +190,6 @@ HTTP error code | Description ## Related topics - [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) -- [Configure Splunk](configure-splunk-windows-defender-advanced-threat-protection.md) -- [Configure ArcSight](configure-arcsight-windows-defender-advanced-threat-protection.md) +- [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md) +- [Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) - [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md b/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md index fb4e54687b..a67b250923 100644 --- a/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md @@ -73,8 +73,9 @@ You can use the complete code to create calls to the API. [!code[CustomTIAPI](./code/example.py#L1-L53)] ## Related topics -- [Understand threat intelligence](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) -- [Create custom threat intelligence alerts](custom-ti-api-windows-defender-advanced-threat-protection.md) -- [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md) -- [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md) +- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) +- [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md) +- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md) +- [PowerShell code examples for the custom threat intelligence API](powershell-example-code-windows-defender-advanced-threat-protection.md) +- [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md) - [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/threat-indicator-concepts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/threat-indicator-concepts-windows-defender-advanced-threat-protection.md index 96e53b49bd..d1968d5761 100644 --- a/windows/keep-secure/threat-indicator-concepts-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/threat-indicator-concepts-windows-defender-advanced-threat-protection.md @@ -46,8 +46,9 @@ Here is an example of an IOC: IOCs have a many-to-one relationship with alert definitions such that an alert definition can have many IOCs that correspond to it. ## Related topics -- [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md) -- [Create custom threat intelligence alerts](custom-ti-api-windows-defender-advanced-threat-protection.md) -- [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md) -- [Python code examples](python-example-code-windows-defender-advanced-threat-protection.md) +- [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md) +- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md) +- [PowerShell code examples for the custom threat intelligence API](powershell-example-code-windows-defender-advanced-threat-protection.md) +- [Python code examples for the custom threat intelligence API](python-example-code-windows-defender-advanced-threat-protection.md) +- [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md) - [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md index d1a50e1df1..40fc971abf 100644 --- a/windows/keep-secure/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md @@ -46,8 +46,9 @@ If your client secret expires or if you've misplaced the copy provided when you ## Related topics -- [Understand threat intelligence](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) -- [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md) -- [Create custom threat intelligence](custom-ti-api-windows-defender-advanced-threat-protection.md) -- [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md) -- [Python code examples](python-example-code-windows-defender-advanced-threat-protection.md) +- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) +- [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md) +- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md) +- [PowerShell code examples for the custom threat intelligence API](powershell-example-code-windows-defender-advanced-threat-protection.md) +- [Python code examples for the custom threat intelligence API](python-example-code-windows-defender-advanced-threat-protection.md) +- [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md) From 1cc3d260a12f8a9ae184209a4159d765653e2d50 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 30 Mar 2017 10:48:57 -0700 Subject: [PATCH 36/46] added info about ProcessMitigations module --- ...iew-of-threat-mitigations-in-windows-10.md | 28 +++++++++++++++---- 1 file changed, 22 insertions(+), 6 deletions(-) diff --git a/windows/keep-secure/overview-of-threat-mitigations-in-windows-10.md b/windows/keep-secure/overview-of-threat-mitigations-in-windows-10.md index 2e7af88cf4..718ca488fb 100644 --- a/windows/keep-secure/overview-of-threat-mitigations-in-windows-10.md +++ b/windows/keep-secure/overview-of-threat-mitigations-in-windows-10.md @@ -365,17 +365,33 @@ to Windows 10 features ### Converting an EMET XML settings file into Windows 10 mitigation policies -One of EMET’s strengths is that it allows you to import and export configuration settings for EMET mitigations as an XML settings file, thus enabling a straightforward deployment workflow. To aid with security configuration and deployment of Windows 10 devices, you can download a set of EMET Policy Converter cmdlets. With these cmdlets, you can use an EMET XML settings file to generate mitigation policies for Windows 10. +One of EMET’s strengths is that it allows you to import and export configuration settings for EMET mitigations as an XML settings file for straightforward deployment. To generate mitigation policies for Windows 10 from an EMET XML settings file, you can install the ProcessMitigations PowerShell module. In an elevated PowerShell session, run this cmdlet: -The Converter feature is currently available as a Windows PowerShell cmdlet, **Set-ProcessMitigations -c** (instead of **-c**, you can also type **-Convert**). This cmdlet, and the Process Mitigation Management Tool collection of cmdlets, provides the following capabilities: +```powershell +Install-Module -Name ProcessMitigations +``` -- **Converting EMET settings to Windows 10 settings**: You can run **Set-ProcessMitigations -Convert** and provide an EMET XML settings file as input, which will generate an output file of Windows 10 mitigation settings. +The ConvertTo-ProcessMitigationPolicy cmdlet can: -- **Auditing and modifying the converted settings (the output file)**: After you create the output file, you can apply and manually audit the mitigation settings by running cmdlets, through which you can Apply, Enumerate, Enable, Disable, and Save settings (see the Process Mitigation Management Tool documentation). +- **Convert EMET settings to Windows 10 settings**: You can run ConvertTo-ProcessMitigationPolicy and provide an EMET XML settings file as input, which will generate an output file of Windows 10 mitigation settings. For example: + + ```powershell + ConvertTo-ProcessMitigationPolicy -EMETfile emetpolicy.xml -output newconfiguration.xml + ``` -- **Converting Attack Surface Reduction (ASR) settings to a Code Integrity policy file**: If the input file contains any settings for EMET’s Attack Surface Reduction (ASR) mitigation, the converter will also create a Code Integrity policy file. In this case, you can complete the merging, auditing, and deployment process for the Code Integrity policy, as described in [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md). This will enable protections on Windows 10 equivalent to EMET’s ASR protections. +- **Audit and modify the converted settings (the output file)**: Additional cmdlets let you apply, enumerate, enable, disable, and save settings in the output file. For example, this cmdlet enables SEHOP and disables MandatoryASLR and DEPATL registry settings for Notepad: -- **Converting Certificate Trust settings to enterprise certificate pinning rules**: If you have an EMET “Certificate Trust” XML file (pinning rules file), you can also use **Set-ProcessMitigations -Convert** to convert the pinning rules file into an enterprise certificate pinning rules file. Then you can finish enabling that file as described in [Enterprise Certificate Pinning](enterprise-certificate-pinning.md). + ```powershell + Set-ProcessMitigation -Name notepad.exe -Enable SEHOP -Disable MandatoryASLR,DEPATL + ``` + +- **Convert Attack Surface Reduction (ASR) settings to a Code Integrity policy file**: If the input file contains any settings for EMET’s Attack Surface Reduction (ASR) mitigation, the converter will also create a Code Integrity policy file. In this case, you can complete the merging, auditing, and deployment process for the Code Integrity policy, as described in [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md). This will enable protections on Windows 10 equivalent to EMET’s ASR protections. + +- **Convert Certificate Trust settings to enterprise certificate pinning rules**: If you have an EMET “Certificate Trust” XML file (pinning rules file), you can also use ConvertTo-ProcessMitigationPolicy to convert the pinning rules file into an enterprise certificate pinning rules file. Then you can finish enabling that file as described in [Enterprise Certificate Pinning](enterprise-certificate-pinning.md). For example: + + ```powershell + ConvertTo-ProcessMitigationPolicy -EMETfile certtrustrules.xml -output enterprisecertpinningrules.xml + ``` #### EMET-related products From 7db0606499a8d90758ebf969ee8cdb78279de95d Mon Sep 17 00:00:00 2001 From: jcaparas Date: Thu, 30 Mar 2017 10:59:17 -0700 Subject: [PATCH 37/46] fix heading2 --- ...ortal-mapping-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/api-portal-mapping-windows-defender-advanced-threat-protection.md b/windows/keep-secure/api-portal-mapping-windows-defender-advanced-threat-protection.md index 48a38a9acc..580f3684c9 100644 --- a/windows/keep-secure/api-portal-mapping-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/api-portal-mapping-windows-defender-advanced-threat-protection.md @@ -24,7 +24,7 @@ localizationpriority: high Understand what data fields are exposed as part of the alerts API and how they map to the Windows Defender ATP portal. -# Alert API fields and portal mapping +## Alert API fields and portal mapping Field numbers match the numbers in the images below. Portal label | SIEM field name | Description From 1f331db181fb63d70afc988460707314f0377ec5 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 30 Mar 2017 11:15:06 -0700 Subject: [PATCH 38/46] Squashed commit of the following: commit e7f5087d8dd9448e1214456cec3f4f3c5ca10b40 Author: jdeckerMS Date: Thu Mar 30 11:02:52 2017 -0700 Michael Niehaus feedbak commit dc4a2f61d474098ef74a5ebf74c1d7a792176f2b Merge: e3cd98e2 7db06064 Author: jdeckerMS Date: Thu Mar 30 11:02:33 2017 -0700 Merge remote-tracking branch 'refs/remotes/origin/rs2' into jdrs2 commit e3cd98e2a3f6fb596891ac952fc40f8fa41678b6 Merge: 28663d90 600440b3 Author: jdeckerMS Date: Thu Mar 30 10:11:12 2017 -0700 Merge remote-tracking branch 'refs/remotes/origin/rs2' into jdrs2 commit 28663d90febeb5c8eecbd45f43442422cf1fa0d0 Merge: 3af7ccf9 4a716999 Author: jdeckerMS Date: Thu Mar 30 07:25:11 2017 -0700 Merge remote-tracking branch 'refs/remotes/origin/rs2' into jdrs2 commit 3af7ccf9c2c7ce216a4a1974fed71dc2436ad25f Merge: 2b6a9d39 ba79b4bf Author: jdeckerMS Date: Tue Mar 28 09:48:45 2017 -0700 Merge remote-tracking branch 'refs/remotes/origin/rs2' into jdrs2 commit 2b6a9d39d54331662b9cca5d236dde7486834d9f Author: jdeckerMS Date: Tue Mar 28 09:40:40 2017 -0700 tweak lnk commit bac2d1bbae5127c1f2db3f803de3b11b69ff299f Author: jdeckerMS Date: Tue Mar 28 09:14:28 2017 -0700 two mor elinks commit cc20dca6163209b3ac1c3ed2129e48d9742b008c Author: jdeckerMS Date: Tue Mar 28 09:06:32 2017 -0700 update links in table commit fb0b999debce51fa600909dbfe38aaed8622a5d4 Author: jdeckerMS Date: Tue Mar 28 08:43:01 2017 -0700 start screen size commit 837f33b4bdf74507b00bc4fc3fada9daa67efc7d Merge: 9d11aca3 e0cd4034 Author: jdeckerMS Date: Tue Mar 28 08:23:48 2017 -0700 Merge remote-tracking branch 'refs/remotes/origin/rs2' into jdrs2 commit 9d11aca3d8b9e922c57b0303825d3b0d6febb31b Merge: 8713854e fbd1e32c Author: jdeckerMS Date: Mon Mar 27 14:56:24 2017 -0700 Merge remote-tracking branch 'refs/remotes/origin/rs2' into jdrs2 commit 8713854e6dce2df5d976fa2585d0a775a784d682 Author: jdeckerMS Date: Mon Mar 27 14:53:02 2017 -0700 Andy Fu: apps feedback commit 047779a8f2a66f647a74219c2a22c9015f909df7 Merge: 4a1bb976 ebaa19a0 Author: jdeckerMS Date: Mon Mar 27 14:09:11 2017 -0700 Merge remote-tracking branch 'refs/remotes/origin/rs2' into jdrs2 --- windows/whats-new/images/wcd-cleanpc.PNG | Bin 0 -> 5841 bytes .../whats-new-windows-10-version-1703.md | 22 ++++++++++++++---- 2 files changed, 18 insertions(+), 4 deletions(-) create mode 100644 windows/whats-new/images/wcd-cleanpc.PNG diff --git a/windows/whats-new/images/wcd-cleanpc.PNG b/windows/whats-new/images/wcd-cleanpc.PNG new file mode 100644 index 0000000000000000000000000000000000000000..434eb55cb08c92edf57413f1fc7b2da0538c44cd GIT binary patch literal 5841 zcmc&&XHZjJw7n=uQ&1747g36$d;~!$p$Q@=grZUcgepY>BE2OP3o1=1p(Y>*0zwES zNR5g#DWL=@p(sctXF2HhNrlMxc~q- zWpqd10svU@nC~!-6U?*XIiD2s!QyXWs0UQ^i7qh#tGlj=E&$+?xam%8Ow9S@j*UM6 z@U;HBSvq__x&nZ}BO`s?`ymdL+-YAigY=I5;~~GI4aN74hv;zeT1%Zx?~gk7%<O=wFOZ_71vGJzH7NV@l^H-!zTm>+sV%+ax8F z;+-L+cqOJ?UmaSE2*8w9tde)zgF4n2chU+Q%gRi1Egwu*G(`IPEK#Yl7yn&_A53kd zm_(yKupVOtfV{JkI!tt#<-dab93VG4PepOHnEyh#t+o!O_Nb^#mD>ZYOk?+WKm#HJ z`q0*1-Vq}KutbR)t$L~Eoq<_G!UeEkQUKDfk@_0U3s_&feo-gMTf?;Wt7oZLPTr0Q z*z4EG;u6{yF4M2zf?WQPjz^5+B##BW-3j99S5$@c3xyY5>o$+N1{oYGrKcxghE~7I zA0(My(m@di=Yx68S6+UA@&F%`U$Ay&-&$dWT+4`hD(m=ZsuD9Omc7V-gkjC4|0pMl%i1@H;c6H||-#^b@6k8Q9>KGp; zka-6;!PVD~D4}61<;O|yE9wGH4yMmekA-I-`%%YTwn$+Pe(PY&pd}eHxGu3bKJ7_t zv>S0Jfs2(N&!2elz(ys^=~sB9CerN%p0O@jK0_n(^v@!5@>=V;Z@4dbW-a4_O7WWW zlP;Uy8n?r}>&2ua4%K@RO1eaXk2iejram!vWV%RmXtH=?cR;oA*wYSZhw0FX71RSP z?+{wK4^@gLCJic!^r}!&v|;yT9pB#TX(=uM7i^KrR0$hjvBBt~%uq{PnU=R9Fq)S- z&R|5AYGo&8wKE#@82U2NjTY~UNIYnKvFO+MydBy=g^WFZt`vM|ME)2#0v67(R9ez7 zSRqYcHBQbcK`sfAM$oJKjbQ&wd~^N=LBj}XZg~E7`%T86M!xp=EAs<04dG4@z-9!0u zL@f$U$$D=~@ej*sTM35s``H&YJcbd3Nh-F@bKD2k!wg(jjrje!nva~bF%3R4saaVZ zgI)E(FH7s-8Cp)}SsHh-AHzb*idMe!XNf9pH_)oBHDHIS=m;XIKHMFH_O`{FrVOZM zFSH%6S^eVHP(&;#y{&D9A6{JNg$xd4-VHD#+aj|;*L2uF1{Q40>CRF66^mQ)V5J8V z6Y9FHLsp9(R6%gPC3u_IJNV_-nFCoorS{BtiMPbwI|J*sN8OUm4>TYt)jujG{|+&> zva@Q-&_Ky-ZRsI5VI)7-NWQ!&vvc1pv_qqQt65L zm042`Qhojzu=S0l0bh3PX;gg+F~DXCAee&5pXrEkr2?J>;?RoN@*agxPoZLHpjk6? zdr%`~x!+W>>lp~UY#uwE7Mib`x53kYtybsBJ%%h~Ew)Bh{f4^6aA8`H`1Fu0bl+&Q zyvAGHH+uy-z8&PTq5z*P>>Ddy(VRJ!TJh_wd7x@iMlr)Zd?;;(9#J`{FdoBQ2jOO0 zR6i9N5cM!1e!y&oSEQI{`^nqUdD@;AH5so2i3$t;NP~&Kuh7rNmZ^Ru{P>>334dg# z%@2Ljj>2mXSk;uw0$`d0^0KiZZyDmskL}9!yAeX0aPScTY+H%BT3W&QKe9OgN z!*5Na9_5wko;P}w{f);#N$vBi0DDZfhrL=5DA5EI-%L!Ufdhj}pHduopZDJjz@?h* zX`RvFZ@Ke*W7Hq#D*LHlpe}M2l?#5<^_*hSQw+#PLAK-Kmh|@ zXmi_$bKqanYCrO^RFzopzn!|(8h85jV_2jS`7kmAZGo_b*Rd-f`_tBpMglpfV4He0+tIrYTCJcJM4)zuj>@AA-Ax^dt0dahYd zq4qrqc2)bV+=3$$wDl#NQG0ooF-QN;l05OW!-Xt|1bbQ;a%%6AhyS09t{mEL?3N8Y z9znYddB+^h%})fd9IJ-|cy7~`2-TNJa>(l%dk$&T2ANRaqKMc zWVz6w4-Mfbson_>`PEw{YceHZ0jW9~R555Z?8~Nd!?n@c|MC}}u$)}yEtI%FSLllx zBYNz$x~Ul{?UV!=giF9b<~|6@{a_2vLC}h;Rd2=B4mB%$Rg{Vd>Et8t=@-h_t3>;? zJjibM*j)@27Jsn2DpXi!2!A0eERc5wvGj}e6yzvDCh1;3_upODcQtyWKOxyXS=5e< z@W(YlyVti9Ob3d3!Q*}35A|3q@@uciZN7{48ac!Na@E{x+P8vOaudH1*!=XDVC3zj z+RefoMIE}+(FvNx_cg6eCqfq#G>_9-`o1#fG_G}17jrLTXui7rIBERt!F}wD0Hl#N zcL1+B{i)&fqRn_q8Ub@DQY0z--vOPOhyp(FLCS=an;6Q-Ifdp980#P1vOcWsv>}m7 z8=n?_7h6{WC`}Li9{1Qt2u9TIXI4~S7x@I5_#=g(i;bA(7Vh+}4v!1hwy5if++Hpx znGW`g(~Q*!4;u}C3Sr{*wtvqy7c8x`!r48x=arVrH(e(x0TZ#!jbriU!9#7L>Gm4zXm6o&`Eh!aj*iToqD|>`M>VB5XgPg?>U4EPqOe~)*0drZ4&{6<_D&LQ;!OgTqZgGgK8=Gee0ly6za;UR zK}gdCN5}7(gu4Q(5x=2cEXR7ygEUo!l8m{M8QPCxbUXM}2creB1q&=Jr8$^5pbNpx za+#ZTu~=tpopew8@+F=9<9(Q42`ujM)=LlGtwcQh@@_aKGg&V-5Nsqq=4TIHdKfqD z*A|*K2>KAo7WQ)n>`d z^qKwoKKoYaBNFcQPy_zP@(Qx&yqvx>eJ z@iO>RgvJGzqJBIFZEqCcb>;4a%Xs+#CNaOUPM>Zt7Jp4v&Zg95Q)WllL`JZCIt&%cGV-=6PYH*dnSb%M&1&K|M*sVvMgE~7_^p8*Ck z#?jmtU1EgPW#O)i0o0qFkK=mgN-y|KR>^S*kOF#Q~mKY2ITh1`!9oLL37P) zUszHh@UjMaNbK!=kR$sa__vEkde2Hy9_`&+&yHG2-{+didPgnrhH-Or*TC;Et}mmY z{n*zV>c(7V(O;kpv771fzrTVjkx0-^&adnOo zpJ_QqApIFtiT!BOi5AGIhKmHX#9I6GOix(5=`{MB5M-DqkQX~Mhr1>nr@L4k&uhR? zIx;3Jw+O70R9z#kRBkWkvX33!!T4>vMtoSQ43%C_+joP4=Hk?=12g>dCEj=Lxc_~7 zcsl3`2oX?e?;upA_?-d$Q(#TLhznU57x28*l0a%u@2myl=c`IxF#+`C7 zyfKo}rOauJqi{MI4&<7ryT8L-IvMuWuW0k1s`8m>r;Y@Y#A8Do@fKN6dn^^F)V5NY z$#RMO{?1kq;z zIt|ByXy0cj7#FBp{XU~q4qNaH;1`0+Tz9wo8TF}kZhLD~vE!|(=2P&J^=}m$_oj)H zPKI5q_GfuYV_YWH^olpPw{liSJ)!*0{iK4?g?#vity#g42(}nod2--qQ$tRY z^LH{#d*0JNKS_{a@5Dgo3X52}RhQfV2kk!J?F1>$abieqJHrljlW#?LKWK3{pFU8S zy#+l1P2R@(YQT0QC}ZNA!hT;xxxlRgshiT~UXW-Tm+8V=CKmsLE+GmYP0chVS{!rrdB`;{NNWY*LUUAIiBrYN23^l>-VP@65r&=#s#J3@Sx<27jLc<++*(-yJuoI z_3#wR9C_C5btD?@FPIV*vh!2Kj7LaAF;O>^3r+y{m3P1K1Qt>lwY^ zh4L;^$~$&5_Gk#G0)sp)_U0+#*VFNPckczN%z<6z33UAlK!Z=zs-qEPs1FF5F~t zD(cUPE}cf&mg{PcBK3;k$q2%TxnLjF`|ZxNIg$nsJ)N_qSsV?CaI!)idx!nYoXAkd?c9X}XZQ~)EE;kQwi$_l z1xHH5i?3<8_zH4cy|m4()ENUc2Wc3$V+Qaq50m#>yYl*Ol1BU^C3a-Tu00T6NNAJs zmY8iD-R5>LRNXFOKoLYE)}296Vh%bDJlyp{6m69VO=`YY^^r@}AkH zP5k?-(u>lW`{s83s&3?5gP$Ftb0HhplKO`S3X4|HL$99VFpC6<2`Q+rsR8Ld&j?RC zjY6b;8yzfYBBXS>MfXI3ZfDM92NPG!ly8pX@U}ARv6`M}B1@%0D!>MXt`qHiPKwvr z?KpobP3PmjtizNGIyV17D4g1iT5Y6i*%A=Ut6A{SaG4clxGi?&SHtH% z8kK-qZK3(72mQ@xX1aEcY6Ho@`fHcj_Jja3yl!B=H=8oHy!iJo313rJH$CdL*zX_q ze0xGFJm*Oqx^YfzTb5~sJui}CabB-qsc78diu--_v!O&}>gwlNp4`1@1+KeYJv}EU z{fS`PXIU@UJm!pTGtY={oCW{|fe&nP1~08d=({(jBX03(uIbDx3!}sldrrCTC5~sF z;#JtVlWh-kR_scSOgY&WMFT6&!R^ON`k00CcwuquI~hvPOdTA1HqnL(Ws zmN_HYR&R>qmu2nLpnee$1AyyyJ?SFYjE5GoJHMGupp!A@Y2xB*ogB$}+&p!yobiz?QVkYN9osK= ziu*LO?<`-owXGM6v&i{-QRi$OoA^!F1Vq2H13*?$D$_%{iNNW+zGrT`Ol8F-n83d> z>u>#($>(S%E1WYL=0AU9#yLis@92KtDTcZ(UuA+x^E2jObnKG9q(g7TD9G^~zLP)V zf!+(biPO0{civpgTbdBZjQBNQoC>TPzhE;&U|$lO_vf=~f+)6%>-8TT_W$t~AzK?v zGNXiU^lf{#2OWPe3u=kuBWj0{ZmEA$*={sTHkJiPz_ literal 0 HcmV?d00001 diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md index 48bd0d1e22..1467a5bff1 100644 --- a/windows/whats-new/whats-new-windows-10-version-1703.md +++ b/windows/whats-new/whats-new-windows-10-version-1703.md @@ -27,7 +27,11 @@ Previously known as *Windows Imaging and Configuration Designer (ICD)*, the tool Windows Configuration Designer in Windows 10, version 1703, includes several new wizards to make it easier to create provisioning packages. -![wizards for desktop, mobile, kiosk, HoloLens, Surface Hub](images/wcd-options.png) +![wizards for desktop, mobile, kiosk, Surface Hub](images/wcd-options.png) + +Both the desktop and kiosk wizards include an option to remove pre-installed software, based on the new [CleanPC configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/cleanpc-csp). + +![remove pre-installed software option](images/wcd-cleanpc.png) [Learn more about Windows Configuration Designer.](../configure/provisioning-packages.md) @@ -54,10 +58,16 @@ The following new Group Policy and mobile device management (MDM) settings are a Enterprises have been able to apply customized Start and taskbar layouts to devices running Windows 10 Enterprise and Education. In Windows 10, version 1703, customized Start and taskbar layout can also be applied to Windows 10 Pro. -Additional MDM policy settings are available for Start and taskbar layout. For details, see [Manage Windows 10 Start and taskbar layout](../configure/windows-10-start-layout-options-and-policies.md). - Previously, the customized taskbar could only be deployed using Group Policy or provisioning packages. Windows 10, version 1703, adds support for customized taskbars to [MDM](../configure/customize-windows-10-start-screens-by-using-mobile-device-management.md). +[Additional MDM policy settings are available for Start and taskbar layout](../configure/windows-10-start-layout-options-and-policies.md). New MDM policy settings include: + +- Settings for the User tile: [**Start/HideUserTile**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideusertile), [**Start/HideSwitchAccount**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideswitchaccount), [**Start/HideSignOut**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesignout), [**Start/HideLock**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidelock), and [**Start/HideChangeAccountSettings**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidechangeaccountsettings) +- Settings for Power: [**Start/HidePowerButton**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidepowerbutton), [**Start/HideHibernate**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidehibernate), [**Start/HideRestart**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderestart), [**Start/HideShutDown**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideshutdown), and [**Start/HideSleep**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesleep) +- Additional new settings: [**Start/HideFrequentlyUsedApps**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps), [**Start/HideRecentlyAddedApps**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps), **AllowPinnedFolder**, **ImportEdgeAssets**, [**Start/HideRecentJumplists**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentjumplists), [**Start/NoPinningToTaskbar**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-nopinningtotaskbar), [**Settings/PageVisibilityList**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-pagevisibilitylist), and [**Start/HideAppsList**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideapplist). + + + ### Cortana at work @@ -177,7 +187,7 @@ When upgrading to Windows 10, version 1703, in-box apps that were uninstalled by ### New MDM capabilities -Windows 10, version 1703 adds several new [configuration service providers (CSPs)](../configure/how-it-pros-can-use-configuration-service-providers.md) that provide new capabilities for managing Windows 10 devices using MDM. Some of the new CSPs are: +Windows 10, version 1703 adds several new [configuration service providers (CSPs)](../configure/how-it-pros-can-use-configuration-service-providers.md) that provide new capabilities for managing Windows 10 devices using MDM or provisioning packages. Some of the new CSPs are: - The [DynamicManagement CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dynamicmanagement-csp) allows you to manage devices differently depending on location, network, or time. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device is not within the corporate building or campus. Once configured, these settings will be enforced even if the device can’t reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs. @@ -187,6 +197,10 @@ Windows 10, version 1703 adds several new [configuration service providers (CSPs - The [NetworkProxy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkproxy-csp) is used to configure a proxy server for ethernet and Wi-Fi connections. +- The [Office CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/office-csp) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool. For more information, see [Configuration options for the Office Deployment Tool](https://technet.microsoft.com/library/jj219426.aspx). + +- The [EnterpriseAppVManagement CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterpriseappvmanagement-csp) is used to manage virtual applications in Windows 10 PCs (Enterprise and Education editions) and enables App-V sequenced apps to be streamed to PCs even when managed by MDM. + [Learn more about new MDM capabilities.](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/new-in-windows-mdm-enrollment-management#whatsnew10) ### Mobile application management support for Windows 10 From 2b0d3f5bbe895c7871ea737d631835d600ccd9eb Mon Sep 17 00:00:00 2001 From: jamiejdt Date: Thu, 30 Mar 2017 12:09:17 -0700 Subject: [PATCH 39/46] Add MBAM support for SQL Server 2016 --- .../mbam-25-supported-configurations.md | 26 +++++++++++-------- 1 file changed, 15 insertions(+), 11 deletions(-) diff --git a/mdop/mbam-v25/mbam-25-supported-configurations.md b/mdop/mbam-v25/mbam-25-supported-configurations.md index 888cd863a1..99a8d735a8 100644 --- a/mdop/mbam-v25/mbam-25-supported-configurations.md +++ b/mdop/mbam-v25/mbam-25-supported-configurations.md @@ -283,7 +283,12 @@ MBAM supports the following versions of Configuration Manager. -

Microsoft System Center Configuration Manager (Current Branch), version 1606

+

Microsoft System Center Configuration Manager (Current Branch), version 1610

+

+

64-bit

+ + +

Microsoft System Center Configuration Manager (LTSB - version 1606)

64-bit

@@ -294,7 +299,7 @@ MBAM supports the following versions of Configuration Manager.

Microsoft System Center Configuration Manager 2007 R2 or later

-

SP1 or later

+

64-bit

>**Note** Although Configuration Manager 2007 R2 is 32 bit, you must install it and SQL Server on a 64-bit operating system in order to match the 64-bit MBAM software. @@ -330,22 +335,21 @@ You must install SQL Server with the **SQL\_Latin1\_General\_CP1\_CI\_AS** coll -

Microsoft SQL Server 2014

-

Standard, Enterprise, or Datacenter

-

SP2

-

64-bit

- - -

Microsoft SQL Server 2014

+

Microsoft SQL Server 2016

Standard, Enterprise, or Datacenter

SP1

64-bit

- + +

Microsoft SQL Server 2014

+

Standard, Enterprise, or Datacenter

+

SP1, SP2

+

64-bit

+

Microsoft SQL Server 2012

Standard, Enterprise, or Datacenter

SP3

64-bit

- +

Microsoft SQL Server 2008 R2

Standard or Enterprise

SP3

From 92a7674f2624eaad793441a62c5c06609a71508d Mon Sep 17 00:00:00 2001 From: jamiejdt Date: Thu, 30 Mar 2017 12:19:00 -0700 Subject: [PATCH 40/46] Added a configurable timeout value for UE-V Logoff --- ...ence-virtualization--ue-v--21-sp1-release-notes.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/mdop/uev-v2/microsoft-user-experience-virtualization--ue-v--21-sp1-release-notes.md b/mdop/uev-v2/microsoft-user-experience-virtualization--ue-v--21-sp1-release-notes.md index b4759fe68c..061e95a56a 100644 --- a/mdop/uev-v2/microsoft-user-experience-virtualization--ue-v--21-sp1-release-notes.md +++ b/mdop/uev-v2/microsoft-user-experience-virtualization--ue-v--21-sp1-release-notes.md @@ -130,6 +130,17 @@ If a UE-V 2 settings location template is distributed to a computer installed wi WORKAROUND: When migrating from UE-V 1 to UE-V 2 and it is likely you’ll have computers running the previous version of the agent, create a separate UE-V 2.x catalog to support the UE-V 2.x Agent and templates. +### UE-V logoff delay + +Occassionally on logoff, UE-V takes a long time to sync settings. Typically, this is due to a high latency network or incorrect use of Distrubuted File System (DFS). +For DFS support, see [Microsoft’s Support Statement Around Replicated User Profile Data](https://support.microsoft.com/en-us/kb/2533009) for further details. + +WORKAROUND: Starting with HF03, a new registry key has been introduced +The following registry key provides a mechanism by which the maximum logoff delay can be specified +\\Software\\Microsoft\\UEV\\Agent\\Configuration\\LogOffWaitInterval + +See [UE-V registry settings](https://support.microsoft.com/en-us/kb/2770042) for further details + ## Hotfixes and Knowledge Base articles for UE-V 2.1 SP1 From 6ffa56b5f105c13a69782a885b7fa2f94790bf14 Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Thu, 30 Mar 2017 12:28:26 -0700 Subject: [PATCH 41/46] sec center --- .../windows-defender-security-center-antivirus.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/windows/keep-secure/windows-defender-security-center-antivirus.md b/windows/keep-secure/windows-defender-security-center-antivirus.md index 335bce95e7..f4f2ceb8e7 100644 --- a/windows/keep-secure/windows-defender-security-center-antivirus.md +++ b/windows/keep-secure/windows-defender-security-center-antivirus.md @@ -109,12 +109,11 @@ This section describes how to perform some of the most common tasks when reviewi 3. Click **Virus & threat protection settings**. -4. Toggle the switches to **On** for the following settings: - 1. **Real-time protection** - 2. **Cloud-based protection** - 3. **Automatic sample submission** - +4. Toggle the **Real-time protection** switch to **On**. +>[!NOTE] +>If you switch **Real-time protection** off, it will automatically turn back on after a short delay. This is to ensure you are protected from malware and threats. +>If you install another antivirus product, Windows Defender AV will automatically disable itself and will indicate this in the Windows Defender Security Center app. A setting will appear that will allow you to enable limited periodic scanning. From 0d0225ae408015a8ab6b382a91ab345ed81fdcd1 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 30 Mar 2017 12:54:05 -0700 Subject: [PATCH 42/46] Squashed commit of the following: commit 7ed211f57c2b9150eade4671bba70163b1ff2260 Merge: e46251bc 10e43562 Author: jdeckerMS Date: Thu Mar 30 12:53:09 2017 -0700 Merge remote-tracking branch 'refs/remotes/origin/rs2' into jdrs2 commit e46251bca2a9c4a389f1cef8e75345424b22099f Author: jdeckerMS Date: Thu Mar 30 12:40:48 2017 -0700 add note commit 271173005c78cabccf0ee86a9b54f28499dd913e Author: jdeckerMS Date: Thu Mar 30 12:34:00 2017 -0700 revise commit f602de6420baf4b64c1d3f18edead0a3bb72daa6 Author: jdeckerMS Date: Thu Mar 30 12:27:00 2017 -0700 sync commit 8a384f4b6fbafa76531ccc03e81726ee956647be Author: jdeckerMS Date: Thu Mar 30 12:16:40 2017 -0700 fix format commit a7184175dfbc5c3720e816c532196e0a263e03b7 Author: jdeckerMS Date: Thu Mar 30 12:09:47 2017 -0700 SH improvements commit e7f5087d8dd9448e1214456cec3f4f3c5ca10b40 Author: jdeckerMS Date: Thu Mar 30 11:02:52 2017 -0700 Michael Niehaus feedbak commit dc4a2f61d474098ef74a5ebf74c1d7a792176f2b Merge: e3cd98e2 7db06064 Author: jdeckerMS Date: Thu Mar 30 11:02:33 2017 -0700 Merge remote-tracking branch 'refs/remotes/origin/rs2' into jdrs2 commit e3cd98e2a3f6fb596891ac952fc40f8fa41678b6 Merge: 28663d90 600440b3 Author: jdeckerMS Date: Thu Mar 30 10:11:12 2017 -0700 Merge remote-tracking branch 'refs/remotes/origin/rs2' into jdrs2 commit 28663d90febeb5c8eecbd45f43442422cf1fa0d0 Merge: 3af7ccf9 4a716999 Author: jdeckerMS Date: Thu Mar 30 07:25:11 2017 -0700 Merge remote-tracking branch 'refs/remotes/origin/rs2' into jdrs2 commit 3af7ccf9c2c7ce216a4a1974fed71dc2436ad25f Merge: 2b6a9d39 ba79b4bf Author: jdeckerMS Date: Tue Mar 28 09:48:45 2017 -0700 Merge remote-tracking branch 'refs/remotes/origin/rs2' into jdrs2 commit 2b6a9d39d54331662b9cca5d236dde7486834d9f Author: jdeckerMS Date: Tue Mar 28 09:40:40 2017 -0700 tweak lnk commit bac2d1bbae5127c1f2db3f803de3b11b69ff299f Author: jdeckerMS Date: Tue Mar 28 09:14:28 2017 -0700 two mor elinks commit cc20dca6163209b3ac1c3ed2129e48d9742b008c Author: jdeckerMS Date: Tue Mar 28 09:06:32 2017 -0700 update links in table commit fb0b999debce51fa600909dbfe38aaed8622a5d4 Author: jdeckerMS Date: Tue Mar 28 08:43:01 2017 -0700 start screen size commit 837f33b4bdf74507b00bc4fc3fada9daa67efc7d Merge: 9d11aca3 e0cd4034 Author: jdeckerMS Date: Tue Mar 28 08:23:48 2017 -0700 Merge remote-tracking branch 'refs/remotes/origin/rs2' into jdrs2 commit 9d11aca3d8b9e922c57b0303825d3b0d6febb31b Merge: 8713854e fbd1e32c Author: jdeckerMS Date: Mon Mar 27 14:56:24 2017 -0700 Merge remote-tracking branch 'refs/remotes/origin/rs2' into jdrs2 commit 8713854e6dce2df5d976fa2585d0a775a784d682 Author: jdeckerMS Date: Mon Mar 27 14:53:02 2017 -0700 Andy Fu: apps feedback commit 047779a8f2a66f647a74219c2a22c9015f909df7 Merge: 4a1bb976 ebaa19a0 Author: jdeckerMS Date: Mon Mar 27 14:09:11 2017 -0700 Merge remote-tracking branch 'refs/remotes/origin/rs2' into jdrs2 --- devices/surface-hub/images/end-session.png | Bin 0 -> 78949 bytes devices/surface-hub/images/wcd-wizard.PNG | Bin 0 -> 12354 bytes .../surface-hub/surfacehub-whats-new-1703.md | 38 +++++++++++++++--- windows/manage/new-policies-for-windows-10.md | 2 + 4 files changed, 34 insertions(+), 6 deletions(-) create mode 100644 devices/surface-hub/images/end-session.png create mode 100644 devices/surface-hub/images/wcd-wizard.PNG diff --git a/devices/surface-hub/images/end-session.png b/devices/surface-hub/images/end-session.png new file mode 100644 index 0000000000000000000000000000000000000000..4b28583af4e05b6d8f20e9bbf6d219f54e41d73a GIT binary patch literal 78949 zcmW)nc|26__rPbtSjG$?+nBLbMr0dhFc=1-$dW#l(jbJ0u_PnLFxKo#N!gcZQ%R!i z`xZkAEsTB1GKTES&-eGoeck6i_c?btujkz7ocB35*2;p&&nv+T008*Un;KmL0Dwnr zAeNi!sHc!p>wUE2a5cDS006vC4BoX)J35wjGQD&W0EmVI0P#oL{*h1^9smfT008rG z003?p01)r-!$sZ)0C-j02?VS21cJ1culH?tPZt2dv_1Rr{mYk!jz{;^-Ve(EstURk zHTtCiFz_IaWbF7v+yM=SVKm;$6o3Scjh@PyTD8#ntxjAqdM_Y+`5oj0H(E{1__C6> z$&a|Q*EO4L_U`0s@1+l$)w_$eeb+?+sU<2I8C+(-49x;^m|J8!9~?IK1R(hAgO<3GplA&C zq*=0ZW#7Xm5*bRj#ZKO?LmLQo$7(sI@ayd=l@~r4d4a2pY1JzEU^8-SS!A`+T!z>Z z^EQSLQ=O$GICkv4$wSpgiW8a>!0MnGm-sksK zC8jf9ONQ@xv%YaZp<|r>QjeAY4E}s-usP*iOy&SJ15PPscDjDMIdJJ)W(@*xd}Ys8 zed6bUv2mrw$I1!~4UGE!ORK|sYu*=r|1u5|->P;Mcyk!H^mcDR0^raSd*{Pi+?g_7 zTJIS^$DiF>->?8$QK`4oQ2l54MVv}3$l!Crd!H*;9t&nPs~;0xhwocP*XO^jb3LKA zoWy3_)LJ!nd`MF+lTx ztbK;J${nYjv6=gH3*LNC)LMN!c3?};$|;^Uc<(fxx&%S<3QG6yw%$A}^sd`dm8Me0 zPp8HC9j<8ZyEYb2oTNWvY4x5&NAwbMItOSI4S`B#w;KvLpjN7GRr|B>AgG$AB zklH-i(Pel#H~yTWH+4$=VUM)8wU{uc zF;Tq0(>kZrN|^5>*GJ@k;V(_3Oz!0cS!-H5mD&yxHN@Y<{2>0yt7QnzarhtqEO0Z- z%kWd7N`ZHwJmamJ7?i&-;eAu!Em^hmPd+|5)}v=GIfJ+@fJw}3zV)7cE#$S-4^(#x z@4Lw1(~H)Nwu=G*pj|Fv%L`@?dASOWfM+DVYLIHoZsZ?7<--@KP;+XOYbD8b(vMZV zWfH7;piKqUUE)+E?0 zRc1cL&b0r8j5}mrU>-5AJbyCN{D-VgYGDV64fDlpgSG{?6F7{UOqFT1+Z3^7R*%OA2*5_;_js%4+L;riWV0^LQxJ`W_%*xfp z#W|xhs`GaDkB*$jQpGYFXP%0liM(<_$3pUX?Tvzp7Iz-k&W)3A%%UFmbf0tbWGB$e6{Zp8%! zE`_rHaHYdw9 z7>e_?>$d+H|7ZDM{+-$d+Cuo#%Il@q>#jfhNw^oTP0%IP+SL+6t`LlyE#)i=jVE(X zk<#)rORKMbu=FFD-B7gicy*=ZM|x#eWkx_*K->mcsyvb2E0N8WedDv(%_y((WxYR= zLGN-RNd=^Y(R(4+#xCW)s<#Yf0PZ^6ZNRvxim9Ct*A~AmQ7M)v-X9;Fz)sLk$dU9A zBZ{x6FJlheZaJpj8gTO+yWBSTOJl6!*ZO^oF6Oaq!pIrF^6D?!Tx-f}qTTBmK985| z1KPuHjk~`8UeG>4FMf1#to*z0&kN0`f4uy0C&IvmL-m4K#+&{hy+0&hTiVutd|x3r zjQF(u^#|kJ$VSZ4pzqRj)^tL5`_kazlYoB#g&Y36*LJ}hg|L?}^JuQ<_QZum&-PR8 z=jCsfoG2-@=*zyCwcWeayQX|j`LA7XwQL!(%(x8frS6sQ_1!D!_xImIzi<3@)m6g% z2+CSBdax6?%towUV&9^ieegBt2IcMA@;{kvj@`?S;rQKkPm zl`r~471sy7&SejlKY3Vt*m^u*UtT*mo$$u*`qg^mb=0RiSNcv=IKPmj?m6VB(Qtar zd`WQHUiseDXU&@TMbRRjN@8OZ?~9AA3X<)y<=+E5{+t^;w_F*vH1q3KWvJ3E(VJ(^ zDU_k9_D!d&cM|3`AB_e76s&j38!Y!fwCJ%I?H#`f`vS{2pE3P7VP)gjA8QL0mD8ag zrdgvl@?*Y$)$OlBl5XCPqHC_f>seNnly6)zr-M1^Ru6?NuprRg(F{thPZ|+^V z*LrUSMuz`>v01v}#<)|8jnR5SVV!rn<}~&x-uu}z;inIu=^-YhByO z0`E=v_XL~@NDMFz;Llmt8~Jwk*PnyJ{-kJ&7dbDr&OG?M4jngd%(Qg%>+8)n)7SLV z8{Z4GH1FHz6BPCO$F%{oTdxk>PTei$3$X}sRrz&O?_TRnSLdtvSJ^{KZ||+&SpRhB zylS&co5r`_d-eCG=4)?%xH1ZdnNsyXc>edR*{2$>n_p@tHkjl&R(8rxoMq<4?56>_b*ui<-(p?o`;On{4SjU*aih9-4Mp|adlP!@R=@=3VQa~l8L6ut zw|-~jRZcann)uenUZqF0HYL<=>&)ccu`jIqX?(UT?^hJ{=cscBb8D-OC4-i^2b|z1 zYkS_OejmA&03NcbtsejYYx&;>e544IJnB^SH@@a?<9*xzzN4=Tz`)u2mW#BNo43EW zpPM&X+St?Ou8WtypR}5WvZ^%ts=Jr7_kBMF>7Ez5N3szA^B0XF<6vQaPPiweK{Uv|Ii0#H{~)6`bQXsfGAtEp+9#cFG4oW8XB4FFj0J8xugIgqqi z%aeC<$a?JN=IHX5+IyqVLNtCV*_yJwoIIslp0sjs?;igkmX?gCDdC~PEzA?ioJ~km zZnKyrPjv?{@Rw4XB#E2(=dqG)`H%j^waPCWwfp;_-#?93mFvv}2g7f@|2)I8cCeRoGin8lNc(SSC~Ej7vMifYZWvpP$o*-!W4hvzNe~s!4YGP&;lMc<$dlKF=g{8|54V+#%x_jG!(RYwt ze4sR1_Lc7+!1{?HsU-k~FJ3oG)6(CNa}J{o??tZ@B~1$M>I`4F+5!F?P_T`QxpCF> zQ3|d7QdYKEvPzLn*0$n*gJa!kjnnL=?bNA7XGcV2W0Eyz=sOW)FCQ&)b;?&-R7Iz{ zYiSFpe9_hDDoHWWdgHyP>z7NTKb8fU^njs{zpl5Yp760vn#P`nz@<7B&wm|>bW8r8 zz8zj<63xyd|9LHJ&AQUiNKh~TIb~0EnBx3z0Dcpx z9ju{`D(;9Y9YllYDY7Uop%cJ}iNIo6@<^g!aYg~)VdD22?f+VVLA|bsqz|3nivd07 zrCzxZ{|lE2T=h8IwURFB{-*M2@idNNB zI*wAd!5m%lzRDe3;n;tC8n;c*PL69XW=#xf<4%9}BpJr*(puv^7fK1GC;6CpqaUqSui-dlUaStdzUF?BO-S z{}fISPZf83@zX6z+r-s{=N9}9uv(Tvf_}M%4jTM6FGIqhnT%-F;|}ueR{($HaKuqb7m zpq0$jp0bSjsa<26Qw zAX3#=a+VKnCc4 z{=$QNA7A{fXy{>S{3I(y(O0>YzRH_m=_JZsDHnS|uC{9Q_2M}0q61r+^@#m~ebG}i zI(&NKZcD(UNAsXwr`t8#tfz<@K3dh(7-r?GCP%gdpMFMrH%Gwh$$n0w%14#izpA7? zc6> z>iZM3{Zp+8_IO>p&OP0ojUcnNpvXc7=fNpNYoxWMBd<-MdiXAIf0ZIA3*pxV;gF4I z%uUYPJZTbs&Qc{4!{jsD1papv5dKv>@kQbP`riq8YClvkKaw5hd7gNS_vo~-;{y7* zYNUdl@Hr_?p{M^Z{!YqV?*E60MqVVUh5S{EJd%-jkU9PryFcSA^Ei|Ql^rXdsTWIM zwd3t2z8WQhm5sWm+4o)uR3R1jYy#PYM=OJx^#XBkdzC>-t5fKJHia^9B`IUARg0N| zR&?nKtQx%onAR>BZKpeW7S}=zHdES4u<`O1t zBGpL_9=iDI9AaUw0#0k(CO~){|10vn3sY~PLlQP&V{P7LQX8h@)+kU##huoxXcbiF z-T@BKqlrQwZ+u6IQuCY5q;vc>ffG$~0mA6ZBLX8opH)~@DJh<7n5JrMX9E(0YM0${ zV;17~FZG(jU6hCV?hQhWwB4tJ!<_zZ-y-J+PrLpa|D*iIT)!NMm4i=-QRvIr4vNd{ z%tECxx9A4T{jA9xSI?IcE(O0WW)&8d(RaU79E+jDFVXo-A6*3OX5;xu{I=Bv+U}d7 zsRRwO_t^!&!1*{_dQt@%oQ&L74etP_uVwVP3@_JZCHZZ~?9kLn(q)r9f;eJOdTUr} z)LsKm3&!E^St1ji`^k_&)B!LpzYVVWuJ7)DJy)<#Q@8Y~{aAK%>#D^VkgpF$}pwQamd=g9a?+f))v$3(2Xs~Ne&SYNA}_%p>}B&&&Yr7e8go3 zD+0Yi@0eBegZ-l>y!@SU@>vrAj6lL5=Wwcff01pMgD()th! zM-RRK2j%dhVIa8lc_xynHwTf;_G26$nwm!Rs!xeDziVwZF3EfVeG+V7lg`h~q5E35 zU(u_~k-N?Vc^`U6eVgXt9R0hY`5vQA$Zl>#IH$(y*)#jV|5k-u*1cx=edUK=CZomN z(IfNUO5S{%AHFwq)0LQr@NvNfZ@rULi`q>u!L^E{;J)7eCZZYt=Jl4#?=1RrY(}n+ zfZkZ>;r<4b4iBpJ4&D9rhr3j>3o@!YTq-2rP#rJH%<*8io^@URqzAta0@Hb&>So-Pl_9Gnv z|Jh$i+!uF|wFkK48GRvxx{>lIM)|Y5c0a3k_r9Mrlpe>s1BHcK2|U(y_v_ZOHy(eg zX(erb9vb;;e;A~Hu$6Q;e6V?VFt#z0yFaoltqOxmr|SUr`svZuMnToffHKL1sINUe z!<}jJOM@?L$`-M*LGCnP<~X8_Sgo#?bM&%(nH8#a9o@i)FwnHGUHkqOWC6?>&rw-d z=cN)n&bMTFFlD)TQiT%xjnpRT0vzb_2W54y1E*qZu!U^hs#r92K7-nMFrjkLbTE6k zm%CAaFm&iUyR%z=xI3y>agx$_^|^SA_VagNnB`K&fQLem3o-B2v+$i_L3`_#hZP}> zqQPPN+4XDp7d`4`JQiD3sP99*Uk!OwyZzOBgFOY0rd z>}36*_EK<`3+JpYGv6*Vv4J4YPD!-R_{&w5R5PXc?Wxgi9CUOTeoxP%XpOJV(!7W&^w_k zEBm^;sVdvYcE5yfuKbkO-#)+lW^Cuo{mMp3fpv4o%_hp-DkJV<9+y8a)5R2Ko!S#e z+VwWnzWn=fV`&m~ST#0A-CY`Oc07^p$ZaSb?q@LK1f%2BfDmPbz$RLy&GIHzE?B&(#&ZHp&f$+X@x(AG9{WvI3Do7T!c8<|-cFQd~qkeCC zr&9CMiX&)tt@cMG4TqND zIyU6UK%cm+bHZtf+9-{NtadFOT~7=g4rqm`pCww(h-do7|nteUMx+#d(GS((Se~AUJo! zJ$GiFC7KAKHY7|IP`fx*n77Lyl$(_4M|z@0T2tIfjGFr^Bpv^`WFq*%#^S1s^qv8{ z{LAL(15GJ0Nbf_}bh>w-v6uc9UEeK~1qpSKx5y$NFlDl2aK_Kf$2)l{l!E5&+T|2t z$A~RN#|$nsjJul%;EggImww`4)M!l-mMorWkmkOx&kBQA$<+OO`b)?gwQ3KcP) zZD5A(4~70Y*y}s|eK1|Wm$4CgxN`XMe$AxRMn#G4SN<3<{dUKC-DYhc^uTMAl&0VLqDg#U8xWOV;#vKs z8wXjA5U ztu^#uY;#O0m{hm?x32da8HCkygz8UpT1^hih}g_{kcE36qQIYK91FLi;fnpVRCNh)UWAmxQ1@H>eUne zFn0fp?f*IWDH`1U@Uo z{Vn%veE2St#N#q?rX^(a z&#W~kWD{W|wmuA82|e8XGpx@}NviVcUpp8&+_A5XZhh}y8Zmg(JoM01j%QZ>@>&}Q z3vyyM*URxn+Kg~N$JbK5ykPvi{d$4uNa(Kj;n#%Zxo|CEXat7hU9)Pkd;f5GYy`g7 z0LOYkMdc2d5dArmU9H?Ttz|4(2`k>T^S`NekH`~hBy1!w2-h7H^`@%!*6+NkXOABC z>a48q-0B6(uQq_;RcqTvQ$}1fC`%+Q9;%5A)LHF2+}6Ke(lABF8V7P|3Z)OW3P2(F zn`8fOj!h>#8vqX<<0H3Cl79gT{_(Kd3($=<>^Oh^!t|M``w;Z~?O#aSk{^Jvw=akD{A zB8aJE=!o?*T8Rzwyw`x8V{5u&lU1s>;}em{lBVPsoS1w3$_r7j(_9$zV5xrp6A1-_(7X_Q z_fk<*EvFV1a7@P1jV=!r)yuSLShYHrB^0QI(P-}IOrqy2l}~6*cM>F0c=z4``1Cr> z>d4HgFyvMd%q_ENIbz`Gt2v92eaMWz1oSZx6ql%3y6e3b`|*D5-MI?Sf^5y2asI?-Y(}F2Dd_L4?g~Y3g+`zF z3KO)#Vpx~%8;N&B?a1!Xj_3GEB?^!NVF?{E{;(_}3y{+Qw~DF(xFST~zHbzr25Xkb zQ{-96x&F%~|8r#O{{gH{KIf%##J?^2aR+~QQQ#6J?ECtYS-vr8N z2?AY5aqkLJ97X;TmB*WkA2 z*3I%bGG3>gMsnu-$}|ixXSYcroWs)a=VUO>hT=JNx_|F@GN8*E-i#=KMx9{hBj&^8 zX}fH-$Ul%`)ro;4*X)8=Tc64tcgK7j}2Y|xx;^&@NNj6=yp+hS$f!CoY zqDxFnS6Pr3o4fmacIP)Jup!#fhYLk{kv5t!8}VCA#bT-%b?|QUCDY|t+BQdg)}vJD z{e~o;Tk+|QZsNZPa(jXY&EUZN$*a`qtGI%|Rz=ddw_~0lN$k1|__&UmePbBmR!kV8 z86Qg}BVIqt!>u71NuC|;&I&Hq?hEn_mp;=Dgc;q4uxtDZ3>h@2OV(G!P%fJJb6QT# zLKDkBJZV~v>dq;|Q>-+EVUeJ!5@J(n73?G--x{|(U;PBtz)e$)w=!WfovpmeD7~0v zVAPqKds|Cm2X|MjGi~yy!bn^XJUK&M%*f7(ITbr9zC*so==Ov1e->Y(!|5kbDP5Yu z&6-<#oEmHKn5g(L3=wF_IB&ZJ4X(-OA#!>xOdt`CRaiyZgDgv&lUJCQEnVIZ-erW zB38hrqtZGfcaxGkTl>#7xV&B2*Av(q}^*Egq-p}cQ7AtU=!=4LtNZ_{Sx|fz@ zd=;yMfZ}tQsGmNiQ!)k2X6-1Go_v83*5~yjx8-oc+nKtuN$s0A9&MEKVrgzD z*h0jC_im;4+ST{WQ@;6B_K~CI$cvw5r4&-WK8hnB4xD;vr6HYu%&CPDBRvPCxKs(L zdNR}QbQKiEANp{iPX|_WS-x&Kk(~qIL!WDoGle_+Cs(z_gibobfP{u8J{JT}GMt)G ze>En~@HV7+MoF008H#SByRY+{LUuOTGq<1Tl@Vz;6VC$}1)CT5) z&-|-pE5_VDQ26wKDy*&FE{)5gmw7S)EGM6Bm4l|`3u>665HNWn-h0f%8)*d4ceIDJGZkBo-Y`&4+Vr#5X(YCCvb7q?GW$lxD-=>6p{ZE1kk ztV+uzKVmBM#33->;KQ; zrs#ZH57*xR75*P$TLjn;|A*4X3smn3{|~e&^Ck^jx3q`~3{6+i-t<*=e-N_cwr{Z5 z6z#gNhPW|q=+gb}+Xuc!WAh`CUFqY7TeKyXol;+bi!!9ZeA`a1@_ESVcOql0d0C-f z{2C&2yub1#U+KM3S7%psE%Qwu>bz72pSi6$bFZbf70?uD(^Ld$xTkf7dscg(%QYus z%@Y!q1f0hC^!=@U^Uo;AE~7hrtt|v^w^kD@MbRP#9fj2H_`$1niL*XO?B#XV z|AJ*&hv=TkbuAUEI+gAyKg4ga&sX4b9(}!3vllS$!n9?gCtbpEtjD>n)@>98fpxNH z>s2ap$OS!{#CE~qw<&WMe`mavQ^8+n#{7Ll0aqpY;*~IfiT{GPDd|UGi82UG@5cSK z+CeYk-iy-NuPSKl5L?q5;z<~6m9nI&6&2|+c@f%&ozNq>x05s>Ssq;?g&v1rfl?Cd{Vj({`B|PKqmGm|py#6hQX~3V>6*JxBviwH%P? zYoUVJaIdmSyYOmnE^uC54+7nOxupqY4 zffb3IEI&|)5ODw1Xwla-ANB>hn&k>?gb<7Tq+Gz3h!jyIsB60#7NgNSeJ-}*&2(2^ zmoGbuP98!LAc9H?c>G%%mbq*PwP)glt^we zhhY=jSI{Ls{Cd*8_^DVw2I;xxR?J^@so!aDdpwv)i7=*Juh2GHk~qa5qtWG)tdBTd zRfy{|oz(7HRa%ItDAn(Ztoig~*R6^0k#!6>5zYf>s%}?cWdjWHfTN-k+6vzU1%1MN z^$cN(^J@He?8MXAskrj-Ktt0MNbulSO~IlJ8Hvw!w>@;3GYA|oeUe^Y1uLX;Eu7HD zYX^=$V&mX@b~c(rOhEXU+i+=yKTBGrOo5MlF$5R)IXq)2C%UFXXb3NUpV4d}LFwW` zY5=peI=VAI7kK`*iDD0;_DpP@+de56sBCviZg)|%Iz%CxQ;K86+D7meR@PhmYSGc8 zYP9|#m(vPdD)Qqe<$$e^+pS7LDHFdWSw49We%mPLr05Tz+ktvH5Yj>cKjGljlqsN|)fw5AbyMi5fvOp32!bJ6)o6SZFcds!OpQ;$Ikx!pVc4A1 z0Z>DGNbpFPphco~UL0nAiqnv*h%*V#gil9!^~%WSr0LWCmRoaJ^oG5H;`pi!?5nd4 zHyS0Y8qKu(w9t~i(1Q-}XtHhax`~8bana^3-JgIt~{hF%Dx}vhmxm zL&YvGaTo!O{y1PdCrX1JhuMB1DPv>F;G@!1)WG^x05gL?#m&~^2N1>cllPm4z#FE6Oe)6^r%tMrYh?R8}Q`RpddGInn9 z>uM%2Pk47A_E;vFc_Pv(6?n|nd3pOq2`(#?{R?)cPH+m$vOh}1pk!NyiUFZzLJeEF0y)ms0a4^=5|J!pME zk%s30S=-48#OGf07%7V6w>2f6-@eHc@OB1yTM)2|WXYX%+$!>MKycGhpT<8a4u1-( zRTyDK)t(x;f(*OWvZ`pOVTV@Rvc3`_#!Dz+Hr-_Tg(S}I+p;IY^iNSg zmBEPw9ORz~pb+aDB5NpZXI-{NAXF#LY&>aB;a^0s0)%u<7E}rk%6k?(*e*^@1}+)b zj=xJ0uga6Dya=UYZMf_h9I&o|bBkBFbQ#^c({7M1X%sEwBDrPpZ}?&ZPc2hMe=~{G zF2G1I0fIrOhLsy?@HTl}K?5lQ(!bi?V}zlFzqwP!m`06FVjV;$8C8jB``?D+fo)#j z9UB&J7=UFpB;vSQ3gu2L3p#i%ad`>Hm3yj#v$-`E!UNcjTe!j_8;KoXjrRp4s%&wh zu!go;Xh?lN6a7HUMhtO*XNCD3%72j>bg7FA&XDpo&JRRBG@^9L66YG`@*?+`(s0OT zM@FSXi5hj61CefQkRqhcO&UHM_ovG3#yLKdI#%KYK?lE$W%Ae>LMWXRPkIL9gh4r}cM)v@)9V^dwmPTyjflTUBv3uxSE zT6NN7GG})V>JL{A{eX}&MIVGjzTAG_eK!2WEyrCfRZ20)G(BQzZTRBDKUu@6FoU$* zTsdb~bh@0dSjl?QLBBqGX-*XjmE7rwyX9a7_+q)b7P?mn(RlYklY}ZZ_DL3DhjA^O zR4?ey&nD&O8by%UjBl$1Lk4JNu_iLykhoZCtQXK{D5G{MkZ4<)p>3_SV3?8udu5{Hz(5Kpw(CfS2c%Fpty3(>LD*m}d4n1JN2M%pIX( zfZ89g?Dy}$A6PpeI=bx-e6RXPNr`b*0fWRixTH(xcuMKG#oz?l0dQKz8y5MJ5s1-H z=~q-(vG}%gHo1n{l6 zP>H0d>1b-~^EqIONZ^QN+SpcJyTNhvvHH|D47DpM_kiFtVv(FHgbz!Wy74=|1wc^% zU&KmmY)nN*CX1F6EyPZ6an|q6pmkwwoECuuN3~;aCXc61!iOqke(@MeMnS#zR53WC z3W6SNA)NG6*feD3Ct>-vB1l;( z+8uo!1$?aYuA;uP=C*S@6y4hmZD)x|q~ghkb`i7etPKAcnMYbryUBi9VRqwI%7m`5 ztv1aWUP3Jl6Mf2m0xfM9jdtbt*V{oaJA4(TjSKZ8AUC&uo=)9z=p z>|WB?ud#!Gz7o^MwZ?8m`|U0}l72@1tomoW+B?ehzV9BhW9&0ysjpURz0MY7^fOK$ zem#01JDBs4)gEr=_Koe$XwE|5$e!=bGwK%gFx(WS`^IQ${l>?)_x5N(Z|yG3Z;!6! zY+@7h>`lh8c@V1;GygziEdH@%Gp+1^$PHzou1+;9l2yA|yYjCxg+Lx1H@NWEzqH+d zr~2_^r;A%PqIxLW94KDioyBI!P5Rl=C4<##>{2Y1qsQ;=Ki917T&-QpUhx+<>%Te5 zF#n9m{+375&iLj-I-il|Uo*(5!Yuh(_-6X|o;c|1rJ?YUyk~H@8Qixy^)UF{ujra0MOohw zX*tgb4RT{)!4tb)wTurxiv+D88Hx`_(t(im7ed|N-%mZn-dr9|ii#yg;W{{_j7&PB zCVf2v|N0oU_seOcw6pBT1IvEnko`o*{%0+jBq5b9T}N~+MqgX0Aml+v5G+Wj<_t22 z^n{e4nwBhDHzK0bgbqTm2FzN+hB)RrSD&vx%_=O(kItjkD3cy@(;koowNsqfz0xYG?MrVJZar?{qy3_i*R@!3twgS7HAQ4 z!%cdys9i>>xJ1tAWV#ELM$Y69m)nc*DiCVA6gZoM3Fd6j><8l4n}$(8QxqvFm~y7M zc7qW{S8tvLy9@9&-~!YLSxd_eBx^P+1$jC{LRdik3PIoErB1V(6+(R=O-d|M%hXAk zuD+Ly5tLrCME6-r$~rBCA<5woTLM^{OF76b$Z_FTw6Cm8RNP?FV!oibw4W?blmU)V zcN7lUzoBn1bbpHFDbe;y(_&IQ*lK-*FS2H2^-c?o9!C1OsvuX5!POpJ7GWsgqX_e< z0e(?Xt-#F4-zcC$-yLetaB}YOiz;F@MRjz5ZS(Y*hUcc_^n=0@agSLsdc1@VZW@M{ zPslM(m5$%O2sJz}Ar{4*FYeKdrUA&Z8X8zPC61(Ht*=$LfaGLI-Z+4q8g(o=X)nFl zKoIHVF<@;)m8IoJ)I8@CcFC8inn7IP$LlxeT6xX2ajOX|5Gc2Ngk!5{htF_Y*65K=-Gwg`KYy+m?UT*DAR4d5b z04@-JkpUb6&|@{ZG9&GOf^d#S42ZH@qm^1j1JGh&22ZIjQG(EL4d=zl(wH*$P`9Rj z_JeZhx4^X~m6sTf2I&`Z^qmy7rH4+lIpxr#0@y;yK5#0WYDlO+ZC6KMU8n6;=u{*} zZx|d!A2})R*jr_dJbe`&(CioB95OcpZaJsv$AeYVh8xT0Sm@4i>b(6HraEOzq+nXD zgsasKBcbnky3`_`BY%P^c+4gX^p;`s<7STj6)U%P7Z8Y7#sI-_RM0sW=v||%D`fbb zcng%obD~DeWiB#vu1FL3B;KiqNMNART=xKI&;@=g$fkzUy;P(Hohx=!vT!=yYIQ3g z%{&5g?gC}j@npQ+WMeG1swz1R(vEjZNgCU6IQBSZ?(q#TpXMpZ!>tj6^f;3UQDGzn z5BXQ{P68D8C;q?KiiVJOsry?k%DvznABmnf(u!T+!ANjhKS1mv1K}GUK#p!6m)MzC zaDQbLumzLOW;;6fh_Y;W5DdT5^v6iPUk4yd@=D~|QbJthMY~n&+GX=GH0Y};o zFIJO2PB>X~@-+wdJ!_7Lm%iSP_r_hC6`2ZVCbE*-N_^bV@w~tR z8lvW79#kk$Otw!;Km*iT=wUbeFDy-4l>{)3!Q`LmhxNvjvXO8X=2!j;poGCVFjT%d zLROdaUn3+fo*7PZ3nz8?v>C9VktOfdB2ascD1SNQ%&OTpg0(Oc+JI{Q`J4IZ^@oC- z5h;^^Diggyo&*-;D;CvsBOL=xv=Vb@iud@*`&3N!lD>%%yn{>|MNShb`CvpxlANp% zEYDoB{8RxU(VRoQA|KNJwh14`-rtl%FvSDx=WeqB)-;AIQAR*Nln^VYb+Uri{x5fg!lUKc##QAdyU`^*v?2 z-o&|W`~6p;)4^&zMM!^Te<^%DIgi0*$@r@KdFOwb`{+B4wAK_XHjwVY`(p3j$K8V%_! zTFc@xR&&$Hg8wtLG=k#@DNL0>y6Aw~?I2+&+=birR$$E`q?AuwfZ7E1=hR1ZgpG?& zW62;q7Mg`ei`1+lewWZPJtiptjBZNv%tEo6i!}Svar^W9k!UWuDl6hWpu^V|_1G2J4y>mR< zgoE*SFNAa>G+E8y=|Gzf-6g_40Be}!CiF9E$IX?tmn2NqOp` z$XiyY+_*%i8!zg)Jy*`LJ_=32q$8~&kfxIo#tp+(rf$WEJ_3(viDuo*Q;$U=b&7bD zC05BI=>NO)*nrY-(a+P9#0K}k0xX{Rj4%2lGsufRh~oZeMbR63e(k5T2 z$)*3^a%bzL2Lq7ywtn zB#r>1*K~%-tc1iQa;HOR4-`>ugn{;PTdSRuW^;P=qPe0P&sH1}<*?+d3{LXbFm=wm z9jB&v^m3d!94qkEdp|sm${*9=NCiI9z8A5hYxg ztz`|*G+pCJ^o=ObXQ4T_-8s_J)z>ctKFCQqo&x+Ak@|@9vlK^mziNK6i?k*Bq`v`5 z!%?{Z8;y>0L{G(nPx5AR^x?BQEw$IvMC*9eoMg{-wP>;M9t`9rBT_KcgtVLw{Fy95 z0Tn2@GdZx3oMf48kiIKy>$%e2EhRDCzD~1R+$4b5LF*8zsgT)ruTOS8N(qY+%)7vj zfd<|T;~Rb#wac3w6f6(&&d$vu%6~2Q7*J_{X@R{Tl5H|!2z|mix7gmhNAPeGn&VrW z^~q2xq{PGFs5Ti){+w2bJ~RH@n$OYhv=OP-z^z&a5OHiMrM~BKmO^v^IcXxl1I^>E z5gfsE0Y*<`JPL0E2KHhWAVk2tb=_|(ME{ecGmutLl9kR(T{yee~1B27NrK7$O~#TXjbLr?o9zLkMtUZ&1nGg z<7NS(6l{aYbhp6Pgm&O$kM6qH#aVp7V5@ite^By`bcLa-%H2m9oEtLi$7`IPU+Zsf z6G0BKLEUCmD!Vt5vT44T1wi9^12h3&?lTpwvHKsefG51w|d69EerU?6^6T zXSB&6&0-`^4k}K>Up7F_;Ym0-6+!fh9?z79%rGiw?2fqOUUD8?s*6L)>20uRC(DhM_yaJxTiE}(UDT}Dig!Y~bTS}( z(_Gf0(10p@$a1q;4R5W)9r2^+-xNSOWbUVnb|yfO! zN+IfW=f@bGXpk~tl$XR;d^9P@?w5fhKlELq5ir3VUmfK$8Pp zc5?pFIJIv==GsDgj^yf{x^khw{gxa07v#~Zt?X-9nINl?{ zaF*u~@Odq^12AqMxL{xYCWeVSWkiTvHp~{#1vW}m#ofnT>E{lh%5eFkLZcoJgS6C< zxHRukfk9a%UpLQ%(8<@qMM}bq{uwOn%xe`fU3oDKm{5~=x-AeyqR)_QZr>-0b3!z5 z1+zbuSuQ$ic-jw|4ta_W|!6xy$DB^v)PPxAOZ5BcEF%dJ6Q188i1<1pzHKaYAiA9)R?8* z65?v2OBd8{ZI$-UCWBK@*Q=l*$u52)!BHEyU9^_?W|}MwxRk7f2?yBQl7{x*SR!;X zFUv^_vJa!ClmXdkX6!!qbFb$^62rt1!h$HnL_`|F{*EN;7^Q$mb-5IyDGZZJ?`Z@v z2lVM>#Y81c7%OZt8bmd`wiY@3nXL{jjH!;_thw;33NxT|#$q`YtH5fX z9VK9+hfp@lou;`J_*fvE1vvt-!BD|PMAl6Lmu(RTyrJ?A82yd`o41YxLUI$G9{27B zc8bR_(#8^3B@IAP)fctX&h2L(k-50C29AF)4@o7M$a|RoPW@U4s?bJ@^;g$^AmqhW zX>e*UrfWcGgKB;R1;0I7dGa0^rG?LEn`IOAaD;>uq6IL99AQr`%oAB*Bz7-DA{YrH zXB>%(^%^M!P6zp7Lg~wO((V3lepi@}T_zLNP@1&V@+k&vOn1HFX5AHn(4nKiI-2)~ z4oL=Z1~>#k5+2(s)^5IyD;Rel^4)7oH4Hy9ef0P4cS~I~D#g(b$wZ;#?w#)7Pp62dQuV{rcCh^f@3%6PFui2lhM`%yvp8 zS*rv8(8k6LrgaEh7ZKpDjW4eL7AZz8sDlA>0|0x9kND-HBFGk*0Tn35wvm@=PD~Bd zHjA;>|DNzO%WHccp`+^KFVjU9k^|l&CN|(KlFvFgE_W>aPD#tOCpaM*#R+3t8 zmPbH0Kw-vr38t}s>7ah;mZgc~2K<-y+gEf{xZebRkDROp|2S|G|d zNNXj?dx>PG2NTqubaBe~J8(&N#HjDZlJH~0%7OR4u3T`W3$!`ep&fvOy^El;0mw>6 z>(@fve4$FFx9l!QO<2uEu{85b-odk6EwDU3Z1fDIC=I@T&yn&%k;xx4ppg=OrDnz( zp|Q2dqs!7Vi#^BG)52A~k&91fZnRmG$7mhA>`Di>=RH-WGtPttrVP?~`t4Fck2<#b|!PDOQs=I^I`z}|{yu^aa z4c0P%A3IkE+d-Rjnamp12zTM#hy^L*;dl*v&zN^7w{7M*Czt%tUEw!0jyL23N$0r- zB$nA!PX=x7BP<^IU69*r?D`qC3QPrKuE5JjmHtdC-O}}1$1~j0J z!VW=SLQpY!%4owRBy=$@BfF;laig51!JSIA-YGDVLkGnx%2&xq`Z1eWQ!jPhB}pG& zNE-P1+WmI-J5ia>C`k}ZwC$Z@K3m5s8eQ^6rK|i8;;YWeR`^w^-vj!rVSw%!#(zIN zSt>7Q+%sT5D$h6k6B{d(wtGnU3vxiLgcvV7ojzEnL&z(SpWWTx+C7`t9siiMI&=p2 zz(N;hz;NV-x(6ME?>7LRtYw6=eS9+o^1IOg3i#{XoxhpRy@NqTgm58z!m1MR!$-q@ zXW*fH_V~w*lgYo^lQDYR9{>gp;1vS~&&Egh&fk8$^U|ZQYF9?wbYFKt0UM^8tL&U^~1UHCq@3uW&5B#}2hzbBMQHEsfEeuRI#nzo-zo{djNiFPQQ6$scJP*s!7H;W4o^)7!>NbO0|yi;%r)i~{wUG zuayCnGDrMw8Bm}>DI-xPF}INC`{b%bJO%P>L$2r#ucTa6h3~r3CJ2|7e}W;uOnZM> zrQ{y$#fcad8UBgdPd~q53BZ`9{ux$U?6yiWOfNOD~~)ok*z#aMoF8(kRzf1nvFrDR*km9ITw z8*V?CHbI&Aa&94pz!nGN#0Q@DNe_0lk0nd;D)Pn7ra3}!w#P||iyXbPC~1OTAOB7Y z=K$M>S##IHJCZ;@E-}FSXO?MRlIDx|x#6xxAbaC+US(<$$WKNpeDUFH?`l3Fo(f*4 z&?j0?=w>?^zKB-R*Yry_?O+lkC&IxSGB^Bf(s%6}N+e`%p`te>+<;Pp~7ENKun_vPO9L18M!6IEmDZ# zP}Z7S9s+Ydu8sS8a-rn~<6FZ=f=(o?a^oZ9lGIHokIyuD_FX%k?;Wb3k>gAd#$u_< zZYzwfQeHCj0aUz8IS;a8@Qjib^+a0$l0iyANDe&bkZ=)hA+(> zN-l2LNWX|P&DtV|@j8C(^|j(gb%3{U|;O%U&Bu9mglC zY3IumG_ZS;;ph<+@k{A3R4^M@ z8!CgSM3;l-AK4Kyw;e!Nsg>&|t2c8xuJ zY*qQwWTK@Py54hd2#CW;yp>zl<{aLzUVZ^WOu_c9=cX>}QiWNDY6B7Sy(E4?>9FcA zg5fit3-iv1Fjw+1UP@AbEE!Zvx$xaCy(nMEH})HQ18)xlOmAn9dchtcHcdfiED@7) zQOb%-*Zr?+zrlsjq$sNV!!B%gs}pT!h8ql)&P>>aCN*&;>ezD=$mlg z;3)Yl-<0;j$aN7WD)DtteriD?;oI)R7PtQ}zL%20x<}WRf0{9)(>ES)^Jf|k zO>w6LY71|^B`GuZ>T@NLd6d;vs74Y&$^q;0LmJV<$+zO_zUhMCNo6qh4s9k1pj{;c zgV-e96Tx^3GIUgLBe;h6Vsg`O+gVVPREB^j8BOS8=QpPxDT&7*$$Z=!QMN zFq@N*r}qUx5DWWlKkSqdL|fU7CgD!yx<;&M$h8yuyRd@INmT|fa@40ZJwzsdQ<}4 znT(C1EkSl}(DHn48H!Gqy<*CHwI3>O*%`X&>|L_DRj)X9ZEP(?)g`SagiO=zN?7VB z1ktfU%(u9UjSb9 zShqoBfy`+aGxk>dK^TppZ`Lx8BOX&IR#qSu-ED4$OxEOt>NXVa(K3<-fx}n6khpUh zb?o83(p(D^ynNbB-M!Fp5=j3TPwxmsS6$2(h^`X3hgV}5EH#7}KC)Bd;k7p>R>TZk ziKTcDj69F)?~OWZ>iezLj zg^)Mrz?21YRanB830cEAn2xKN;)Y}KT~Felqr8iNb^zLx9V=HL_u&*?Ju=FDtUye- z;gKpUyoX?`Q!y1KcwXBMjZXHQPWGHAO8&MXk4P@0YmwE*Dk^Ntc2DwoK=YxHTL`Ua z1n>=!F^>GM+YZuU#}Zd{Mw(1yWX_>+R+2_abqOPCV*{}?6Wz1>pm<9ZrND<~;kk!@ zNJ3o`)KpE21drMAmkoaUN>@%Tu6dy7!sd|1nS((`7$m1dh&#Fwh>~R-wCDbipIap^ zmYo)97)XXh+Z!0VRyaa}XpDNZK=2p=61G+riRT0hiYIx00DadMAHxD4r+!15(*}G! zfNMt?x{bgS<4bMEPe`0C1p+X#sVCVach>YIYPhtw;NJ@@9jd;#65~X%LG;$gK^&FcpeQ<%g!|5^W(CfAd`hxdZp|O9IIN zfhbE3QOgl{4KJauJGm)&J!Ji(PNU? z2}!6Tl!eGUQQk{t)nOz}zLnV*Cl>Vjd?Et{_9R8gaL-lYvsqK&Jq7~g4+*Y{ji*EQ zN}vuvIcmPzgUXE8*o^BK&@&>hoYb^lmczzTA!aCVR`$ecZUCnwB0KfY!+HjbnhRDI z3&i(4UC}u2ngVVlXv`e`yymAJoXJ`j6m6_SV7^vcvoQ;?!HjU@VyAzesdIM8^KuXK zst&p!fc+SLz$C+uXfPOKCWN8Kn*dcEONEttq$~FTJWxI9jwFs=Dpv)nzsR&vTd-d| z1hZeRx?BiYN?#n3?Rd=3s)$eMB4xY1Pyv>LT!QyS@>BVPF#P1#Xu!V zqNY*F7k}G(EZM)^CyI=dlo4Xq;W>spZmjp!vr}H&$nFFP^B`HF_!m6<^n4J_{t0b! z_T7NSvE7ADBdmRbkk|o3?UZ-Q^YWU|DrR3cVR`e%K5<3soSqxTuEddh2+hMGC9729 zB%mAOa*UudMV$qTy@`$+OBU%TCkIEFosd0od$ES#I3)1!IA zXhy>7iFskvEKNeX;BPe^&=qo;^EB#v0q+_bvQc*-PQsb~C@ywztz#I8xG*w@PJx&k zJ}=CNM5oII?qLHeP*TT9VikpAJ@~xSe2zfceVcm>G;94u7FTg4j3W!{(3;NPh)|Un z$@WrV-l+~jtcL|dfAn^6cWya%8+Be zJP1MO@r4d&q9_j;3CRuxHu@WeiFA$;xeDv*!f9?KEn|?#G?rS{ZLEPDo{ z9Vl>&DZyU`Bt~erdrB?|M_l3#OR=HTvgN||oQF(aMQqEB0{X@QWF|YeibMz!X5>4| zb&CY-BWDKsG)WYOozPbgDc~OY6FHG?+c@#3<%vxd=$JPp|?ra7oToa z@*C5ep9NOn73d*|k}Z()$=OEIcKkWivDXxb=)~^epyZaB*r4^27w603jA4#MQde!N zGL|@0%KbnsC$YMQ2IxZM?d8L{a$3=bjxuY&O}!nC>Y}b0fjPAv_Wk z^b-c4!@Qvb=ECznc2%FKH9rVBJRq*}A^Sbf#UaVd>PA;l##rPel+0Qnask)y}7@N*DHD$gHzn ztIoOZI|$x!4db_kQkWQI3e4B&2SduaDlIO;rMP|;>Ia4~9>%ZPNlb9s3{9Q!Sm@Gq zb#?A&gvhW}^z#~6#BjUCYL@A6f0K;3sEqe5fRBErP5g$efuSA`n-BFMpJeN~XC$DG z6_Fxyg3(|pX|59!b!?%ZV&WcoFcAwZC-F|PPr4%C=6)elhg3a%hMgaJ3`v0w3o4U? zF%ss30hpo5{}Fmx()?O46q7ahIJI1Y2N(IjiI7XeI^=znwwTdco5`{OI385$jik_` zY;<=_bU`SI#ne5Yd_Y^hnz%s_$-Gac9MB*To#sJFj%g@~rP<4UCqqPmTG|D4F&P+- z;J`qxjGJQ9Vv^(ex!Q`E@o?(9QV0cYK)t+>FTW#vAbzQ0^(M)211q}+EQwiWQ#?9* zk(5!>g)|gr70(7pq%pRlSqDsO@`rnwSj=>?3xb)(OG4vhb0lXBS)np)?~IHZlF#V- zxfI4JmpGl#L76=Vfn#N)Fe?(lHHlBf0mY1EAAigeBo>jB?O*Sr!0@1=2^uqNqabZ;kPGHWRdw>hs5SU>ZGFi&(KYRC{we z!6+S%2gT=W1wtR3=1aBFC-Ho(k-{O(Uncq_Af@8|2^jDCRo6aj7pxYUPnbkP~^^ zdZv7EOObg(zEH0?3LESvZ1zDzl~F+581g+XCre*~19QLfV~xj1Il}?ZEeYTlfX1qb z?UbR$su~96evK>QUe98P)<%0{Syn~WJ`TH=o@iF?sxxoRozDi6`zEo87#-YoOdEYh&OPP*Bu;d7+c*8Zcq(GBsacKD{lsL8j{YlVJ(0%EoWIG#OGU<78;>MF)ZTaZUp+Ckhw%I$imbc;Zc zZTxQ0Ix*?q`Fw#`OzYtN)GNr+y?QYPXD6hQA3M??+tWxu}33jWx6q8V?=|HG3jB|DNweTx>b6)dO~l`6Nh>R2X!$Ut_qH z8&9#zS2=rOz;Y-huqlzmM3@YRDTQbcwpL|*d`&i<%-2)UO~ibQOUmP1K6?2o8ct>A znzj5r#U>eC?Wk+MnAk>&Y1BN_;?g&la1)h&g#Xan+pF)z>O@Vw(=M=};F4sJ&Z_mkPo2el*weN*}k z55`qShr`i$xwl=P92uhx_igFj3%C9b%h+(6*28v^Z{pR&7rAv(!|Uqbp(zYceyl9-IL{OypxOQL>` z(x_fhP$kOPt*jdwo9lKPQ_ntx#J77r(>mIv)fvXOc)qP{&tszfFI@U&C~$=(bv_rx zvKg&I9lbZn@H~Mc5I^wCf?U=o1eN{faQ#hS3qa^U#dS(7D^ca7pRv3y+cPbj5Q<2m z>2ZEq#r81+ra-a+NWQ9^mNqrPs@c&(F9*qLN=psrtX+o?Z}O z!h&fpUS;4s``@I(3ilO!Bl~=9L0qDJHio&k+7;=Nulm-l51x=(1$J5wU2?4u2oqKe zUbHR9c>gGlXoTXbPt?tqKdqT~_v<)+|L}AnIJwV^Y(M3sn6~EMT5$PAtnQ9L4U3Jd*Q4>$Z82Sg1m(gzSea=LHd6m%>W3-7Me|tEc25kO;Y${90q&wSrSa@q#0~p#r?e7 z_(UDnjjv@DSa^Cx4muhBsN#Nz(y>)xMdG!JPl@T*DqRZ9A*M=$f)(8WG!q1%7*!`% z3#Ks~463vM3`GvYTNQX?161D-lsUSY{vbgHU1VTfc4D*{#76f3BZl412cD6(erCsH z;5H;q-0oA@3V?l@VTLwwIIbO%p?;J+@DRljMJb8tHs|l)*~7!8_``goP=Ane)#Ufq ziy1HU2x>7-n^I#wKLEOvJc{(40gxBO5$7X(Rt-{t82SOOA$`GY_YBSRC3xv23wo3s zjF=v|@b)*}W49s+0UoJnd?}l|AAaKfdY3jKt-=AKu9h&Q(N&el%Ghsw7adFmUK!63 zPoOho_$|(@>yTXZx*Q8SMOo1kz=W?Pl6koF3{8^5atMQD9iY1EcUC@%gnChm6^|~K z5hLoOA@ZJknCFKY&fj``nN^!#f6`Rt6A?%;*Hf3}V)Ya*&|xk*hb%93H_Q3Fua zfmS=K=kkzi*dk!J7!tz$mirVsa0e+4s5^J70-U-Ym>(1WZ?P zmF27LpoB1ArR9@(t86ep?c39oyehbMzE)h?fa(QrRyM^bpY+Rmv?}<@)@p^098GE{ zpAWQS=;_BeSx(8*1jl{-#ZN~I{yg3?)0;jJcpoo=JaY1wC0)Z-KZ>Tz$ebVGV zYw4+ElHq^3)A+Znm1a&2JM05ZNVw?guzh~o24lH(acTicTpf(dV)T|CPXr(|ew$YN zW$Tr`PVWR5DX|-V(dK?WVA;ZW?I2Q{3z~tzq0=%{_f+CdT_1Ka(X-$buILnRh9Xws z(hGhDKv{LmQ16^BgzX*_bzK_{|%wHpY_Yfs&$I z?V=y@ndzK_ky;5sZO>4omr0Mv&`-A(WF06n@xu(F-g!KdmW!p9CNYuU*rG1c1E&@y z1=`Zso~pzcwDUI%!IEjv0~8U4Z}HilVu49WiKCMvbxpn@jkld^GiQPV5jSGwIGLN=n5zeV#Mww%@*@Su42X#)6i?O1{bvnTWujNR04CUa@O(NFcRAG;3s^56N%>5&W*1o+ zVJNloX>o|O34CBteKR4^(>vQbU{6-M{M=(koAZ)-nhcEjYG;z5#dGys_j>!P>Dx@C z$u&|IN`{d|>5zU}biBKv6J{3J$k79+FcL9j%GgKM4eCC-6S}$kyB5ra#S?U=zt#OK_JyP6iU!jO@wbsm63JJ6(W4CktiJsM>#P! z7%k2?xS_Mp`8QvTKCENZ6y5j2Cm`J}9mF!s& zj`NH%Z;1k5E2>$xFps2nHi6ynC2<{Wx-1uq)(iu?<&+MLfQLTEMX6eTx!XZnXhVa1 zv91QlhzOGL^TNz38^-@!XvMHMWZfU^*G&`nGBqMX%p;EI|>!BHGm*^FjxB#s<1dtA9CUC4tV3t7MuB*wnPulpS>26K~S=b2u$Im zD4@Tx)~t?)`z7*XJ;jS)i_y3$^LT9BEQd`LT^aRAOQKJ8#>ZrQ4uQ=MtYfCLnH4F) z)lcDy1H|o@hr#Fq4xJTRj*~FR z?nWRIgb+C_7}hwc?u(u%z2leEM81SU&9Cy|ZJ8=o@)+HoW%IKyf3a6yBG^-PxL6%i z89i7HvjN<~(cL4K+~3r;-oqIY&?H&0Xk)T_=%s=rLiV&>^AQnlKl(Mz0BV zpNUK&y7wzqCO;v|Qyrg#1iN*6<{~CFq5(hNYhw}4&kK?C@<}X0P2}|fZ{YHvRKHSuIzN><) zV&9uLBnTpUZt9HODLYJS>z}WAH6SOkVf~jczH+R%EHBo2&GUKU-aVbkx!%up%x~NG z4pS%GtI8)d?E2q8Vg8>KC+9l${zTHt0wTv=9SVOc6Z`aIVGhY~X)Q}C5|B0!Ct^6RsrLRoDY?`W2C|Dp{I46N;vwFM6_qynMb-n!PGETZnE__j z%Qz%YmQGiV8g5Nq*Dj{t0()Md}uai~x-!o3w4VTLC$ z;rIQ*4F1IO|HkC&Pzjj}+r;{WpBTn>Ytk=@JpB$h z{=GUGpXBujeI4C-NFS__)vne=LY7MEh?Muu4`j9!ytt^y;1~EAW*J0rz{P-IXZK*&843eCi*@?`xIg=%h1u&peuC_-bZn@9oY4 znnGI1$`KwXkF>8km|HzN!Z=1D85JLEId<^QheCh-{qJ_d@8q<1!8i4x-ztJ3(BX{C z`twTW_+CC8u4iPx@lo2J|9GA6mz{5T`dnqg$K_S+;#IiB^iV-Q_?({amE444&MWQ^ zMEM{uU+)TiAZ#0lSwwR0Pk%Tcv`;h09rE}5A~}RPP#kvthu9w~(pkp)nMpMzsyh+9Pi>Br6Ds7H9HY4P_}6X)sv-C#?%ua_v&fs1dxa zjPyq5tBFy-rv53_lAwX5!H1#~Fo6@^Jn^U0caWf^s>IZPoccpKnUbt`9ZtRY&VkEI zF4c${mA=w@LNmcO)?!{vu7cp{tiI>jh4?Qevhm_N#tNn_Pqg#Hz+_m)lBpfCyH7zC4r--e|| zCuNbeI9k3P?T6ASc#y-jC39`-aBhut++cf46S9cT|GYeOF<9fZruN;rqgN$2eQzyK z+_`$|JE7_E&eE;@EAM21l0s7ssdGuUqv4M+oXmBmWj`{IFm3Z$_0$oLW6*WDF)5Py zKk$3|*(Lkd_EzEOO$1yHvuuxPjQ5N;2H9g_%(trtE9y2+coSk16LXuN!1X5Q9=Q8c zxv!c>Y}H3Ry5*lKJFE%&_2)sL!nM{1j$4u6mMmYN^oZ;{>R+on>J>l^J&)b&40v26 z>h*o$h1>Nv`=8$gzWEt$5Y+xhc*@T^}fn`TpWf4n3*mdQi*D(Lja8rQ_A+Z{JrB zd#dnK?7t3@^`jeWOA~8b-fB4tH?QR4uV49{ZTrvtX!YNw)6vrUvJ2Aj;yW)Pq`;@2 zCeHC&5&wqbH%sD|^)bJj=Wd9-uyVGsa@qV?b!Oy@%FFx+HEN9wuQJlkAl1?5yyXA> zSU%#Mm(yU(JWTd+&tDF3@{0WynAg$!CEYg`!&3a8^u_n-nm0;2?^kfWepWoof5EZ) ziDXi2p6Dw&Ho*UTTIsh#aATBat$K*+siuQo@SL5={l!7umaEJfAGJyrM{joV5Q8|Eft$&aER~PE`;AzJYpYJ^Y*L2-Gs^4P5LmGVybTDN{gMf%2XvuA}W1rbU{?)dwh*lg)QYL<8twG?)u|n z`n_3kKZSHLNf~KboBiOF2;pqzG~sHBZrHMaksWgmwb2mco4b%E^X^Gwm-r>;S<@n>3T8Uvj8=dhn3*%65>_DeU#`TfL*)U;ST-LESsS9~AfpJ{w-c)NZkTc(hdG zPC-Nse=dts*8$nRv_Sr=?W*3Ez7@s}V@4i4$9`>|f+}*ojDYTkK?^oGLeFB@OMuU3 z+ISbf2Lz4=a_g7W*T*%P3a0hwQ!BHdSoz`GoURGHsUhsifsLbJf6FQ#^={weUH=paddHOKLAz7r<1FYari9aU-Y1J{H{U!n}0bgV))vj9xBgL?_ciO(%Gl=f>L_B3$n!&1p+b&r$1ZJ>rUmqb zxk!>drbTiFstCy!%-q7ad)fZrkU~HgJ73;`>OF-%#7!CT=!LG5>*RLskLKHjev=t? z;y1V$tUcAH9^$TQle5M#_r7Uy@>Zlvr(S2z2j|$i?H0EP?T$mM&lA}qM?uajHw_M? zTH5Y`etkxhoQhQP_Y2O`e3d#A4_(mjHjG(Mj61G=cdN615xy6{(B&`ES=IMbRIH=a z?K-IVThqm--=?4bncIq=DQmxcEFkCkeB>nbwk#)K%NI)bMtY{6E9E~`?=Do&uj?k4 zsX(5>PTlUCnCjHHs2?bm(N2qfXu{W3xi@cp->MY6xL=R?Zn#w>`tIbJJW>^L(AQO@ zIs6lop1ltFCueSV;oenYp2xPdspPQc4I`g{^w9t=1GAwemT^s4E8jZ*^LOu`*KN?c z^-z7=#Nn0ge-5u-_l(%g<}KdXiV;yle!QPt8Q^um=XKrrTI>Uyg5EQ()46l~cV?Ya zrs*F-Y&W}Q#$$PHc=U#~4#HH@IxOJJ?3~F^OW(fY?<%jpcb-SSZ*C;VUYc_kS`@hV zeSWcXGPd|Jyv40f{*+IB7P&Z}{O+>_h?jb5p67K&zK9gqSD-yA$o0kk8#QvBTyL8# zgdlmF^+ogHqt*(}m@6zqg%4GAAGvgLt2m>*lacK?W2CDe!=FE07puP*{AB;- z-4m({?|qnjIi$68bF%wH=jd$m@AcrHgGRo&z1?Wh;#dV^p;>6%Y)q!doVtho zpBR1F%tpCPVTVi8WiS5yt$=*8Jv$QFF2`w&*ye4I$C%rv;N+7YdD4uZZGVx26u2dO z{kEYZFgH1C1jCdM2%*rXF-tNM1MRun&j2&>IpY(1a!daqu>~UvK6fM3S(osgGD6kQ z@jm0W0B|ID@apTxg! z#y|+QBeKMT-RB-U z7k<-BIL+33X5a4h7qWtOZYXo*Qn}!+66}SJNs`ZSfZcze~tUUt% zhUQ|s9(K%pL4hOF#)|TM%o2-!9&}avqz)gVxYW+Cz6}_@_eiAqlf@8j)k!Gm4}LAS z@<#Z)-pJ7s4fg2uUsuh9nRfc7h3jg|PN)5=+w5vhFQ2}+r`4WVonKFkyrJqLE2;b8 z#h1FCgiVNnk5cT1*E@P6!dF`YHFf7zM8-cW?|d3Ie!m>L8UOp0!I3au?)DQ4W$EJgPS8yWQFpI9yIu|MUiMdt$K<`=PB(iTI8)hfWGbHH%Db;y*vyslP*`8R z@r6+CCF7FflW*F$&uX16@~&9FyuPTNZz7;?-xMpB|Kj;uIrUJBcgi_zwkwU7OEaCC zB1D_`Q{fV{m!*R?hPCVK&GYefk=jcAjgwt4f(k~NXI)Qz=8u(loMO?V_G~P(+5L;W zVN3Nr>ljp{Q2Z$l>)&D8EN1!EW9yoTmz^OE=a< z{B!y(&9mDB4{jI~28)b!Bfd7A-)P8lpj>Gl40avGQ7V6w;rosvQzK&_fdJ@>D9`N8_$%g zzPVLb2TJ`XJ8JOO;o*4j2))RLc6bwUQcct5k1@kBX$XOSTYnQ~Jcxip!rWVXI-LUS zb{6cwz9|1muv_s(SjX7kXU(0zgszspnRwbRC31Ch&hgH`*5ub_EFz!5X%_e0MepqG z!zQiPN55We?--mufEQeN@y0*Gdt{dC^-rOt{cc>;)bo7ZxPLjnw_m?mRr9+Y@aEF^ zjzGd!=N+XG_g6m_U4I{i{9*q+rIe6+F(kXm-dXy;SUa!;4_ElyQ_YKy@0E#mTir?j zrD6jKwDcR;w39FWeEjxa>-7$YXA0M+b+#P*LlMi<-R@--Bf*y+_>jhnkw&$fx-24DCqe_jaQ zF}RsC+*D5R5t_g6pR6Mi*gmKucO44O4w&6gMP{e|{DWxkiMbgu_(T0^=aY!E9(&tM zS7-Oc-uwyPDgC_|xw07a`-@gZ>-@hdxx?}8w1l&f9i`iPbrjQ~{-b>_Zv#a+dr^pA zFyGx9C#TifP&t*h!a)DlLst>2Qq^VEh97o{vXW+s3Z?Dk$zeCBQppdJpUF?7=iD{D zT3p=2to%1VHU+!h9eVnwV0y9ou2Hne+yl&E>4mojzisDR7E8`@!@TOBjx{wsjZ2Ro#iOo`2m?IKu1wVGNJG}bo&~bE*KLP?DQmtw zIzQciYgSc6{o|?2JkCHWJU6z9PLC;_GnTND0Jnvg5275h2 z_*PcqbVRt$i5#hlX3DA$V?c(p1e%rhM@n=NWeWK7TE($~)5#5kC$vVCe6?Z5$ELz9 z`E5>Kr;_V?0&+%Z1u5||lG>aOzUrVX!c-*l?ADWMQpEEr>=@C$RqQPy$So$|3(nco zKe+POxma?$=k-AF8`3GnBWUzHO0}PPYjXZx`t%PUuErdHK)Xm7@F~*iF<_T@tN%?&Kycxp3jH>A_L+=aR&^%{g@aQA@%>{f_8v^lRc+ z({olFH=lrOuhhjQW+mk;xFyd69EeZfa4Pvfvt?Mwr{qKb&)Ua#++UxzZ&R19L_Up7 zJ^WU2qaAd+)#Og)kEYLyS3i^6AJZR)LxYRYa14e@*Y z$78Qdd4IEC*mAPIRn!Af4X_eR<>S(gfC{kGIyUr8@O@)q<+d|(7}m6gvS0QJl}#=%Lmk`Y*nm(7U#E@x8_!;#TjRh`g{6JFqZ9 z)o59g(_GVnuajuxcf$^+0}z>aX_iQCcxLNFZYBnlvyW_+?byeJ_o8!i2I`FOM3I#_HNvVD@RZra6fP3$Hh5k+X-D(>)b1Gk8*^zGLIl% zj#Pe+R{l2KdTxNu*~~`!fQ^PP=wQUb;}0ID=(INBP#-(1;l)VWRouzL8?lu#^T;oI zC(mvnZ=Sr8Tks~!1a3wIE6(0~O`dRbo|FlB`Q`G$h}z7Q^Ya&-=a$17Qp(ZQ=%j{; z@AzB)8Hn{?5q+0RG0sg2tV=iUOEh@IzJHzj++GN@_Dqmz_wkvz}JkI)wO z?fo(T=}U=?68(iVCChzWl;>#Gy3c6WRvC0;jd!P_Y=Stdn*(C0e!?Q_H}!5U{Q0-5 z7y0}1a)8%uiHjbUNkF9*zzU1@2T#(Exu5$2`^bksYO}L7>zzw%p^a1O+9)HEkddNDe7vUrK8GWDv_>m7 zPGq>Ey{-skqtddq1J_ye%9|~3?z4U;kz-XvB$)CWvn7L&d#xKel_84l_GT=DVgwAB>0hpD4@tiZ+O+NU00 z1|$RJhjKFBM#yj(BcsDfRqC8I6gKB}M!oa!$dWBS{gAZ|KFhk*LpJWu3rEw}733<= zli_FTb@`x*g+zLwv%>IEuA#(8#+&&o*-ENjG?jsl+tyT-vz-kMEl%30`|h;iy&ttq zNB{V3);)E%?U}FJ^6;1)sW02<UrnXJI{-s zo@hy1EV<^xuZp6Ex((I`_U7OJWBaNv`zpKjz6Zo&-4+!Ee;)4u20xH`%*M^ z@viX-7e~X!yR(bdAF2{X1TAG6%*|T&`e$0QaFz838ivWCTD|SxhG-1tPEz9vIULEB zw=DHJ+pDPP+H}@V4bNKE@5)gO6|nT>jO4^@P7YR4n$R#$;%`Gl7wwWN(%=V>&a3?t zw!+06#dICTBLxYPISM8wYkcL2qo|G)QV)Fva`Hw3K$;0ki9#Wp+f- zz_~B6>baNL+TxvRnROXOPsc!UvKnR3w)#*GM)*eRsja?Yqq>GO!&w^*7Zs(DHfM

6N8a-xd*koD(SGMo-e3bc zsw8b&BVCr0Xj-pxhb=GGt(VOgy*Fzb2=iSY%unF-F9oT3_!!-?yMoKriuRKfa$jZ=eTcmz;*Tgi&ER6mhJ z;5&{HyHU%aSrb99(PG|UkXm06!T9<^R=MH%)|tQF#sftHqd6(FB8kz^U!RW0tSL}2 z87~n;Wq@N4o}^+!c8{v2mJStJth17F!-gBDY;fWeRylW<)z==d@%kyN4m;}2`5M83i4qtY=w0RWy{z*mF5DCM_#E zO962j$fz}EBMqxolCGtP_RCp*mK{I*)m9m;TDq|&888v7K~FNHAzH^qE%6{jA4wK9 z(Vg~YtS!Z@r+TKL(BcDfj30fQjZS~q@^;7i)vnFR!M1x18#XfQwFiofG*rV;3^b%+ zI3l(8UURDB4}t9*1=lPJ+;kM@e*j1kpOkef#0!J^Jvjx%#OgVD6M+8Jc|FRTJC-@O zb6c;UaKp~m57=yF!4mbjCqHvZWAYc-Xz(0cIB~U&TW4%-?`<}BVxP*T3MAAxGG1P1 z_J#`W8#Rr#6ZO5Unb7b=VRv25W9hWU?%faD`iVO&d+?*y*tp9U$166Ij6~Ofp}TK= z=eUT&71{6_)qNWDi(p!txd2}wsyjM}Y}jLwCt(CW&htna6g`Lv_Lx8|90z}xj${o3 z&az133s@Z8kTixK$VJ4o#&UZ7kqs14b>&q~$)PMf`-oMKyu?lpzDADpPOB>llMk_6 z2sSn{OP6PDU@Ho1Rz1k7cV@)LlA;;)bd8Q#XU?u)@7i^D{gpj%>@9ZpnGacKNxr8) zXZsWmjRzw;J-1@V7tUC#+tQFq5d{pC3?htU3W%j}p5=4lAsG7=FpVfK7hH&VTqe&n zmXo-O$f9EX_Np9#LioY83V-jnd(*pYc=OY(dev9iV)i2Ce^6ols)i@(QRN)!{hAGC zs9+20!|#@W~V5+r@Fog;UoZLBW2aqc}Fpw%zOlZ z5fPL{f27fcdQ(E%x-})_tee}QuAcPJqSdc_o;8+llq)!DgFZWB*DY(Q$7PaE6yh>oYAOk*v#rDt#aS3wtDYv);oEhdg>LMQv^X2QL7BqZVD5b z^pu73LE3;HC+78pFsKg}UO6ETBPVUElV9=2+k2AWC;sr41k#EJn|h&hvFcQ3Ph(-3 zc;QO-8ga-+6q8}hH~1P76tB`2Yjq7T`nKK~+WLxy9KDXUTeH?o_t~f~=cXY?y{@QC zkw|6Ol8h>fa#|{kU}Cp4)+J*7nsFZP;0{mC>1EFAHL^WZvfT z1<})0RFfG$L9i93x_%zYvIwVvhLg%MbrhEilFvwjDt^WfV^Qzrj$&lJQNxz1%hv9m zwb5*9)u(^9ZCv$2>r{>^w3pN9%vvK`ujg>QG(vt9i`)n~oH&K>w78|K$q(os*_yi1Y9P|Dr3%0OdsMH5WAu^=hWWLR<> zye0(}TNT@L_I}%Y>-)_<^fnuud!N-?E7nd1maeU-jk<~wRF()rp?IFQWPa+ARW_EB z>q(pK*Cz;4m;1JR^A&}zcGm1`H8rn%-siLXcvMrozSx3%f zU3t$Pn9)dWWX&@@tFG`RYSVh6Buj^uD#}n? zyZ$4<0M0rO8Ht+=EnUeZS7;XTknqBZEoX)jT)zH(Abbc%26b&e-zGy-Jn>YB%1hS zT;cVI569HDe9m6aHOx^?Vw4<1h4fO>1}8DUQrz%I`8O}i=>k1KJrE6#I2i6Qap}&2 zj2ikdDe6vyB5YKnLaF%oAy6jX^EL6!m#*wfv2JVq)7BlYT31dc%V(|C-fsgr1b*Gj zfA>T~kt*{yERRoCtUA+@L#|t=s~S~#)*i^|uG>oI|e^1IGR`F&VH?<`p{VW%6(h9Fz%x^40O!!Wnu zxMyivw|ua!;m2{S-+ZI3T>DLSymF140+VR!`4wvOh9qwsR|tL5(v?rsSx>-bSbVofHa}jMd`HT%U}qbLCC;PvY4;`8J$u|b zvuCW*kOR-g&I8UJ(xC}}yF%aniliwBF5)Pp44WBtC(s+azPJeR5cEJO5eGmISChiY zF#Buj8P!Y4K8J%uihI^Z*F4QSSHIYLv(Jz$TQ;NdbYg3kRWNC0+1cr;q27_b9J}g? z`G!J0u*sol665p4UkF>JkWpA!S66hM@BfCVtzsg z&Zod8dEsPv35&Br21Aw65MbQ!58YBZ$f|W!Ro@cHYdBc5Zg*(y_OjK|19HIZ!;xyZ za#DD^8cL+r+)zXz^ck}-_&PC?DJjiZ?K8Nm6gT?Mc`Vck2{$suWJNTE=d8GETJUp0=$11Xn6Virxv z1vC^2r)^e1tlGYM-DVCy&qnh%=-Hg{B_k^lN9_NYu1mo+{OH%Ly)kEfjhp#CqtzKI z>Ja{BZvB<}ZS~_Hw95VWTDv=tpipg4Bj{-3bEBZF7Z%p>iZ2Bg`O%{ud z6m_lLW}W*!Wc|)rtMTK=iDcowJHosSU$UnD79+`7FwZMh@v)|JH??kU-tKwIUfXl! zHMX3|q4bn5sjC>9?aEOrIH@vM;q4knNMs5-!S0@;K*3>GhjTq)-FrzXHT@$YIIsUO zF=SJbYt4u1>07gwvI29^u+`RHJMo<7*x5s0DFt4ZL+J`JpL);QpssMYF|^k3v^6`| zD*qKWSh~l<-?>WLW;HgSyZ3g>Klpa5-t*_Sw|>gz)3ZX`v(wG0+>D|UMGt$1>Pa>D z=eIX-TF}O)<;;!njRm_~5u1?CC)^`B5sb-y%ty~Lb{|g35pedm2@VC9#a3~JVIv0j z6~aM2q7LNb=`IP64~hdB>cT&@mmw1|6pl)HTy8isJ(E)$b1lAWVMpzxD(9Q= zy~?sJD#~C7&~f*Sbx(fMlGU@eUq;@VV{Rw0o}#pIf6+3w;j3*ZVk5#(6vAe`inMBV z5uymB*WR#|16SICv&(j>bIj7A9Fm?Tijat{d~Z)()o5dAq+OLhg#xx6dhGVeOz#NA zGMz1)`!TU0Cgc(sr7YjggH?(HDZ4sTb-3&%HMVxAXU*k<)_?vNStDPR7GgA#Wvbyw zDq|T9tlH259gWXx z%CjT`nh`O?C;f(c-XZafq8Y`}iBeO=+}vZ9vQHa`=DzC3S+JDajTuLv|F{J;vO5HC za~ZBXOFaz!8FC;NzJ~Q%=bpb+MFkozuw-3#r1(EM3G!CP8Yb}Fi*oz^7{Ws|;Zcg7 z^F0i;P=?Ri$Nb_Mldvj>TORWHJx^1~rmCo+w`%8xJ}z?XlKTI?94|#VGH-&W7iBGw1wKe zwlRCc?pqqz$)*gYGONg=?GXe!b62u{u_>+^k|6_81aCWdn?OI!`w&=Q*imQl5U-&I zr^n>0?=c<$V}o5Wi{aLUhiL==$H+&V3=tUr!!zGtXw)R9R7426vOX&?EA=Z>jPGNFSBSf5%kpeSxLf|_DXW~ZeD+Q|G923cxu)HE z@Oqm&aJ?-gMO4N{LeyO6%Ug{>d}S>JPT`_3jVPR5sW`l&==#qb*H}hTWf`#y5hIi) zvh9KLr?xlI(4yP1jvT{-FMO%3KjU-M+vPU9(vl(1+E_z`Ov>ro&@sa>TD3&c!Z=;B zVTL*FwJXp3xgGexYc0F~Bi2Y(t=7``x|doyn78@ftj)*@6ZM)2-;c-``wFiIRla#x zP+Ct$>n5o`szV1mYz<|+@X?erYYY<~GL4lm;0H&XHT}~)YaTFp^7?O)=$;8i<}5}^ zVCOCJHRT|9?a5MXhEnm7&}vg;5H%H|6QbgIP4e*GUQrYC9Aga?jOE#*Wfhp$vkj}& zjw#YQ=M#(hXi@T#;q!TTO-`e}AwF~4NV|%N`l@5zYU>Saoc)j;%s*`D;+l2#EZW!| zF%EQ5&l=XQwyak@D>??&=+D@xM%`9tL|DFN8}m2WspHSGrPV(X&&=n@X|!kkSJ2PAe@A4 z*)*1B$zWc$N@GDo0vUo7t8(~S%l6FJdUc#W)D+Ps9hsxh7aq1r)CrQ_wP+S62TG5jh8pnSC;O zA{02r5bxhV&_(Y?ef)Aw%=Kx;R033Sg*9=!0S;NwiWS}v9R}luidp}`E-!&QS ziY*O$w%i}szKxnKcN$h7$bm{`;9&{5&qGK~EHvZCjtA_|DTB`mUzm^_&1wjjO7`qe z0Uat)gm$if{9`{4+Mtm(ToOV9UOvOFWa{9r-F>UB2tmDAFlM{zZAB`3`f z9HnBrGR$qyo&~F~e9}5=rzKZKETW5rS_7Zl)Nly7LW5{_x+iatc4Jfl$392lI^o9Q zu$GHHFm8yl3qP@3a2L{?e-J_gK5RR@A8~i>>FSxH3+9 zWZHuU@eSX6f)E!bqu02;pjGOv#$+{Srs0tKPPv1^V0mqd(GyPNSom-()ZFlgiR~9xw1-fQ3f924yF1Hm$_~d1b1zh8E0MusfFL zR}blthz{0D@D{|s2a$2$C>X{#=ble=E9$A|>oO}QBQyUze63lrm1fn}9RznHVSsOR3!sOy$PBNMGW!K3_Jv(bps(sbPiV)@nsGsHQl8KxIe!_j1 z0EOg|D2@r#5pP9g@JX|&dzC--FD;=-STU{^;Ju<8qibap49 z!++|J<bd6m*QG=TdUKxs(_u zMY=mOITwtd-kmv$p`P(Z!*`R?kOF5_9}TST+t~Mf?LtqXI71(dlSBQnjDtCjV%UPi zQ9|K1e5j;|NKS)|aIuv{y>(L&Mr$ZT9k3#DM)}q)Q{>d;2ZI}Ha!zOD4A^ag1!+<$ z(NrDbG;koZ@||;%vxW^qU#)FeC0Q50azrxFf^X_q85e>6i7p&CU+DT^O2o1`&|;R^ z!A{SPjqkT)M)~*5YDia1^!CIe3&7y8GC+QEN#du%+oRFY&Qz|n#_S&Jubj62nfF`T z=I0sZjO5rVl3#nIp^c)s4OV`t9Fy4|8Ht|V1aLczC>{p%rEZ0;#L`>|iRD1*#bhwP z&`1h1mLf6P$?j2O^{UO~1D3Y-Sw5JRK>4Zvu8ms7>r=vGW(f$ndm1zMn5dIOXg+w{ z#&_JQo~&QiAlv+i$Ju)s?1_#CK<@5UYi+w zIf$xy&$_M4usSkmjp9YqkjYv(JBAzNF4SN6RE{6@p$C;`P+jWf#ZR}E6idcsnCT!> z^uzCjcC0--s|e|&W$8fPU|>mA&NRb$)@?AJw;r3=GIYW@f|Jf!G-jfs$~Q5p+yCW? zpsMQ8S!p?;CZK2szbbfFd(>(TH{veNWu{}Tb=7^(ajUPdSPjRVt-E8VU}aGCjdB?J zWNB4&4J}RNRE4fGvutw*ud!O1=svZ9_$43FRjRtElHW=}GEV#yHbK5SU>EufSsLR~ zX_^k^1w25Pkt_66*gW5p63HNjQc?^nQwUt0o3qybtK}G$lwGQ?9w;9+WZ(@CMQD1&+0i7m>Nn*Nm;xF@Y8#M{F6rwSdOo( zBprvQXEoL-$jCBTA*I;NmPyKa(K#=p7%0piRyM5F;B{loI!RMKE8ELy;F2js7u`O2 z?IAXF3gj4YMC?)7R|G-`&UDM7dgCK<2J`EutvxtxbCq*4uw&L4-)rN6jMYxq9?{dO zHLcfZ*qR)|I9FuTl%cXHO-5Uni{KOS+L*Z>h8`UqJ=IGTi<2%)6JCgLkby^dL?$^7 zjQIvRtxR$f?!Ci~CC5)#Uq_D9;iu31vvfru!dJ`cE)(8ZF&E+Mw$nLV*Lk#W!Rm`g zHFUu%=ouADmegIyUV>+`LlKETn}WlZp@$mCuXhWe2^bCioPgd0k7F49H2+;i-5I9FL5>%aBG7h$PzTG21dC zh91oH=c0*Cd$Xivr?a80?0KfO58h<^6n1y}9X;l(XWssT>8IRJi9gsp|CT1{sKFTt?WZUriz>U-KY3cyry7 zqi78@wCD~kn~}5Lx1{#b<6+HOeZDghE=6;rRIW&Zstn{P#LrNjLPJiWy)m-Ev2!+C zYg;PWWf~4?tYrO!Rh}v@AHk|oUtm@=!>$3?-EQbnaukH!dgj-=15ij_mtmL{54|NA z84+Xqri{FXlh9Z@(fGW>PE@mdZT_auw$+6zZJ6<9L}i9DxRi(jm%|UvDEuC&=fc?3 zqb+ykU~c=MRqnmh=JQo+COxdt$Iyei42iWFu8=fJamdx^A9D{lZ=9DN>kknIZ#JrR z98|#pKTO=zfx>H`qm+>iWz^l-hONvuZ1#$0*>z8OhRtY9zIJ-m#+?lx`wwJzV|I-i z59AQ#Tx4mv93m5piN^d*-M2);+1{EZb8S0v?M=4#y60JPs0oDB99q4l54HL zyvLrR(yjTHEnl&0d3#{T&ORt7(NOQsCNeU1{E_v&=dQ4wox*;&!Be=CfE)PaO81C_ zw>qToR)pc#P>!O@FfNm0Pz1NaM|Crj^A%TEK58oBX!z?;M8l5&QJ#s`5fjQywf0y; zvId{k^=$Q?JFUUnpyZtB=-URvrD{|Df@SDT8mlekq@Z9ofw#kj9R*5B8|^01NC_*f zm5{Pp9_W_ZbR}}m7{1`yMIK{#5w;J?G1&o!<%ll+RRN-prZl~| zSZ7hnBx9J#`mU(smWC4z;grTMtG8}_=)G1yeXG@~XRO~E+nGc?ouY!eV(7v_&}$*{ z^9TQU#mW8-%%Au^7HS_>Q)rMQV}@=TQ)zNY#V6%5#GVX6PNH(n4c53$J^#{PIh!l2 zFJs9!&f4hIiZwP?Y$olBPaIs)OZ$gma)@jOlTc;tjGWnurH79yczC`Ik37fLs&iH! zB(`vNWaGO(Z0TL^wz&u1Vtej;jkV8y)HV*wdE{+d?J@LPvgP*GiX>)i*kwNm4a>$W zVwE`;_TrF1OEwIBif9791!BuDb#TeqUkmFfmY0i1;b@8<%BCYlPkr80%v)>UemQU{ zc8%c!U$62ZUR8OjGJl4XD{|y@t2O7XcCKni)^bZv-EOt?lyxQJvyG;;vbrrQ;2YG` z)*8CRdWziyuseP0u>}wcLj?}HFnq6S!K34 zDy-Wmf^{`ssv%9omo|@7*H{*vCH&}d&ALK5R4+T%ZrIUl589PCTyM352W(9Y_B4nZ zW0>kA+4!Y0#u8+#>>B0Mn@rrQ4jJFb+QOIGMrGY*mgML(_P2#)J3U_TkJ>ut+IH%W zuJ!Ktqz&)i&Y-{xc??-QaK=FJ!~u8IXisS)2+F@S7Uz-bF!X| zHR1bLNuUX!G zrZp>nAmwXWFKt<^KW~je#kz7Tz9O=JR%7O-J?j%)JMzxk><>pjX;lqdD(la%L+euB z(T4Tr&!{dLXeQ&-IG;8tOPzbh9zhjOAd6cadysfes!$Zvi#Pcwb=*XYV+f^a5d#5a=UL~*6PD` z+t*vOhWKBtw(ag&4ZWW8r8c_yADEpP*^R@#H9qkNwsPC=iO>gZhR92fj0x9Mt*2N= zk;b!*owko(eZQS}uAI;{uN1{!WJ_oE*o`NT+u3)&)=ss5Njx3#^%eD0Zeq}tVK&4+ z5f)AnhXD5z5bLgrw2@94d?_lZif;`)dh6C19kRZnhnd>#io8~=^}H{z6W4v6ovuH{ ztRtr&r<7Eiid-~I<89E|vSrN&<(^h7n>%VV=SFtb@BWFMt^7BuCVYH1Z~UI?0Ozl^ zVOW;otRK=cPi`pmPV6(`#{3ZaJOQ6BDq!~rB)|p3z**tDuWB@n`Ky^P@L}iXmY!7= zJC;Ld-NiL$y`?q%S<{OPQHCKE2+vZpPaS3i6YRL||Nd%U6}I=UwAADEtTDX9n%%#$^@Hk>pZ#n*^%*a&MQ(rz-sQh+GgkW zi#$2Y!N4{ixZ66Xj>~}(MWjBA8T0;F+9Yg3Iks*~yvSKrgg>?3i;_nBB%dh76& zR&N|q^fi=I8E6;->blRXxWI$wV1IJ^P*D3ovho)bmAnlZ$}ccSWVW$#&bn)BY9HN@ z1`>uHqA$~#nAwLga&C+AIIK*NjiiVa&B>di`5k5fCRv9Wq&jg<=wEG$w?FqBfNC*r-mb?P?m zoRW+AxO#6nk9W)1|a#6>VCvK@FBo(wIkYYffGME2iQ&)Jz*hkd~8?EH?Y&8K?z5{_y7rWh-D)#``oC@dFMeCYrTc8A$_mh`ol~znRxj?~cqmfBsJvHI zgh2$w{9+TsOH

gO$dNZ5(}po#-vtjGSV6;^S6deV^^Aov`M(5mm9WbHo?3`d2v2 zoq?VWVB(gDgroRMR#0WrV#!o|W#?8cmt(fJq!&mXp~djB*@?aW;t zxBi(2t=(qHvm%6s9B8$rVFN=4B8s6x_e^y%jHp<9ywB3L70WbSsbrZOeuhp8$4>qww_<&@Z{v)d<~GaSWf7S2`M%;e6!)GYxl6KVY+2 zM+Nv&RZfLBOf2nAi7Yhqt4ZcK3g)2H6svm|tvP?S+Ee@xov^>DoR0ry%MMO_x5Dmr z6et4`00+8A4~Il>2APae|3>O%MsxFuAfBxUGKSSiNiJusU+4<6ys_sdQC==D7wK}%^bCbwI!SX=z})% z<~Q1bx4q5|-S%6yxAS(}x94M)FWqIwtE+adIcL_`ZwcGjk2l0BleE++D&#Tzw>NNL zBZdM48)S(MW)9f+(6x4EbfqQfVVhl9wZ*k#HaEW8ns&k(%+IJR_mv|uUOv-iZ;Y0_ zSSp<9a7K<|!S*JnY_{`0OEmPcR&HwxGq%3xX32xswQR4aAzCJyB!9ST_auTc7dhiq0x$AwFt=_53rz{s~Su?e>mA0L!?y+if!)n7bmJaTh zRm)^rxICO9EWxv!A4V#pV_&DW!N3wZqCAd0jo?k8}tuEI5L#&aUjp8PpZQku^$gTfqH!S0n5=tv; zqZx(yeH*GL?^k9eE%ok|zIvXfLSGsGs3ja4UNE&T>qv%u%N3fRJ0~N}Pg|?9W^Kj! zYl=2p@1&erjo-LX_^uwYh%C;xzMh5>BQ%Mgg^epNY4g+sjh)_N*4D;iT)cZ!|W_5lS* zZAomcuY6glrhQ~BCV7Khl zI_%+*%&BJ=dy@HxHzqjFg5fRT0|!4CpfE4tAOoh?uV@&-8>dPxdCO_D&t{^iVXiBu zdggwAbCV3^N(OQZID188zFwvx+4~oxLY2$;iSA+ZfMmmPs`vq-MEI-O$lvIA#$5<> znp-*dVQT?}ciw$~s)iJb-WH!R%vYs^=PaL@u}WRNjtr-23g`K(oF(3}hSrFs!HOEH z3TuUi#aQFooE^CRUQ23yTT?{QQSUylXv5gZ1%+n=7xjp2v|kv>!%c-|Vuqea-izv< z^&KoWN`~{cV7FO4x!pGA?zGjpdt~gVWZbH!H)~58mh3y*vc*-=*YB%LM?((`T~&+b zTFy>bJ_X1~NoU?62F3kfV^l>dn;b_|l?vYm2tDp4vjEs^JIo3*(04rkZQ6bUqDuhZUb(ZS^FRL2fgHQ#L&PZuxx;^B8CFIsAB0 z4O6#X`>ap8jztTTynIS;He;Oy@mrsm(wcoTHbQm8B}Gd4!C)!6_gKm&$KmrE(&*Wmdgj%;6}l7Z z@?lXi*I}at87Z&xI!yn`80BQ#IiGjcWng^lfjvvOWi0fqrU<5*Ehs`+w0@P(w#`~H zHn!$ZH8e`b>MhlKkE(S=5q$U1Q2pu|HGE+uDNDUQYLXFQd=)t?CLB{m5ItT6Hq6t>GT)s@^q!y9)1ck^>VBzDcg~`_CHs7)bINE99cd<=iCzv)M)Qy+=c}k=jf$V1hys3Qm2e zcxN}lu67gw?jXGLLTRNQl8SU$JyTD%IV;_gR@c_`oJ@L9VY_@L$q0jS5$ZJ=O4PuE z!aitCxq}`bTUA|+VnG5D=b&!g5nDYhQ=f;Zz6CMd>zRyaI*KS18}R!XqJdA=d#aCJvFrNBhiEuGVGu7k3ttHCa!C|rv_?xx*U)9yHGY(* z)?2lDb=4N+MEQ2}TvJ0HnA@DA*dCB=!9Qnl%dkLUP)|dNQB6Y`IXp@;!P$_rtjmWt z6ne>ad9Wo}qweU!y=;?@`D@^|nX6@t}pJ%Tdo3@~K zbyEb9oKYT@ACG;Gf?0Zg#HTQlsCz4%S5yp}H48nyo@^*Y9w}62>3DZZk;FdLwcj?X zOLn|jw^PlUjG8wcO_5CVviD`-Pdku<8uD$4{F@J<6h$%gz~Nx+b#d%7OExD)D~c*AibQzjDxWX>QwZ4g zj>4ma$(c13zRn$s8p((lWwf4Zy}`1=SQLj|ls6iz4jj1A=7jU=<=CmJ$t$=!j#*pA zRPR+}95d?u88oQps|>7@RMf)@rxcO>BV77B7)qh0I^<)B1oD#zDi1DesgN-BIGE(jHGf_fVBpSCp_|K<-Dt7mTY$2N2J z9E(*|>#R=7Yx6eOnU@Qp$L75S&$ffYNpN7(?70Em{9cFuz_VnXGRZ3k$ImQ|lA)ZF z9Nw^HO_6P*d*#GVtId>$4Rn%omUj=REfSTNGZ^(X5@F)GYb&*(4fid{2}>rbi+y$& z&M@!0Q_DOVVbcz_Ui+2W;Jh$)lUN=O#qeVy7WKOPbYL|j96w@X8KW=VR-{nLR}{{& z+L2%NmYTcmF^s6%m4mTeecx%j{pdM6-BwsX+GFkBg4O%X6Y#x(>`M}7<6YJOp^V#$ zy%?Xf-k|{DQZG(`-;lFlQgWD#Z9~;|gqoeB=G1#1S|8XU^``R}0-sazc0mzPrNY83 zdUkLTNeqQU_&uR5<5n-*T7d-_HU=n`=A|b;WHcOVSg|1tZOLYzrGtGk zE;*Ct3Gvpq`Y^GD4Gk{jNcYL$_HSg?SRKl_G(=~^PHPx9s5ER}S2Xr9c;^@PgE`6;T((sQD3%_^O}8fmnx z-;#suY3MXum7iNz8}@8CGjFSM@*~NsK9rnP<@OHj$qDFv=)cd0>6%Cn)#M<(Xo1}d zZm1IhP0mCW1iM&EO-ejeIL@`dTPLi*c_>^Zp57#jy;|Ge&-qf~N@)%nIl#+VA{ z0G$2-6x+d9tjUl-WoU$*frct_6mKU;Qb?=|9FA{jBSZEmLG&>x%L+y|ZSfg@N~_n- znc%E4*(&~sr->xs6UPS+LtaxVi=vSVi^eD~XXHP9n2l_xUYQT&YNN572SYACFq4tW z+3;JQ6!r;IMLw)$NJZ07-Ev0nt)ba?tZU|N#V@}>iUS%;KJdf!_I?7+onrlCc*hV$ za?l@s?y$z&B{`WM6PEDf9+w4b{5UboyF2b%7(!JUW{niXxV)7wk+Zi{a#ECn%oLp@ zwFNzaKiq?ytJq>c3mnF7f%C&}>4JnO@i}-Z`f|RVwr#N|J)jKR>jUlr3zgDNdNi&> zN`(L?g*i)EeY<-Zmk$e+jNVn0R+Ryl%aQ$ZrA@hq{sqoomBDeVafu=v;6bTG3J!%8 z>7r(R-f*xnZLQ@88^16)%iEevLye5ZVr&?r@)#!*zFsT%L8U+7#({AlE22ToI%p-D7SU-7eyneK5o6Pk&il@X)xHuZZs zkjXW4e>$$@?H%8_`)mtylaq$(%D+yi_mf*7ecX3-ZL z^7w256Nwle-VY{97;zTv9Cc79e?}a-^v~o0)xn!0c;}l7em$*lHJ<{2n<7CFXK6;0J!+35P&#zcn_?zcQ4#? z<~ixQK;h##sY>Fp+YlcSOnO}m11LL+fXO3WOwNx2JQNjXh}us`_iKg;To*jC;xkE7 z>yL;O=w*2*`hBRRD1q0zGNK`~lX58jbAKg>`iK*75)>cF$lOWj7z&4f(B<{f%NN5V z%n;f>Ym8>C@gc_J_n))%CQN>wddAJEiK0d?Y`vz$vWT_ zhcSf$T-3W8$|@vq3oZ_K7Jk+}=^PWsF;UARtH6gDXgtb=Zu(`RXec1C=^TIwy2lcH z8#vXm`MV&KN};{@DZ#`IH<2?Kvucrb6W&ADjNkGshD)0@{`0`Ss5|#uNgugk28wZ9phSoF_`<3R5@-w6Rd2$>CZiU|vjNu&1JEx+wb0 z!pw?|Vt`40o!o98bpU^1K%2*8qR%&Y@g8;(^6TuqyLjM-k-NPO8}|7`yD;X2pHd_W z5MRtQWJKzGjO9ZKFbj)LzI(Us{ig+ZA~E@=K`d)+|qVY{ms!}Qz4Ka_QQvA|) zh2JbqS~jDSENF7!DtzZv=!n^R)j@~N?%KTiWUmU8x=`9}0HvKY5K{+SqR?Ek9*iS^ z-kkaVTw`L)_+FEJ|}|JW>Dm=_($NDil#_!p&2 zFb;UdEBWDMiZ>10K}dz?Fbend^+Y17-}jtgXu}e2IVFWLEjhQkXs-4f)>8VQDk%&_ zyYlBOwY5}&@z#-agddb@htXP3j)8^sYF9ayns{U5UUx>j3EV>#mu0{{B&L9p*6kuF zo2f?uuD7g&>{&PONoiQOz;AdGLNm^m0?E1fa%k5y8E1uKX#GSz@~lZg$1)y0Ly389 zC`0rerV7;huR8TVB8>~_BaUM0b4bioJt4lEk*;w(K5wGjyxL=NGpm$+YkwIk!-l@B zeIt>XGyeA6GVqZc+@PiiLj3i`YrZ0cERL!x8d#KLYFY;z8baV8`C^mLwTrF#fHCMk*xd8}TO^$@&|=keGr7iC4W$Xh5XAuW+>J)N<> zoC80qJLHXl91RP&eA5`$JVwmLkiU*9(PEsKUGkYZAsX8ipPGI1amp6OHhDs*EuvY^w@I zNW)_N!O*|dV!8Ud*P`}DiKM?@$ zI@pqMBu6H~aYKb~fT$`%DskrR#SjtaB_yQjKa;LxttcAFvP|Tw&3Vmwxr9B5!S!Ma z1u(zhKUpBDG_sZq1Cv(R>JxH&vDlPWu1jjXc4OiX=OKl2=fQ_w3ch7T{OC+dCz{E5 zBy2rbC?yd9J({nrP+l*0si5oth(LG0I0*~`Gz>f9b)=tlfG&nL3_|!}AGWy1u-W`3 z6}dA*MK*Xes+J=u_S1aO+Ty!9JgNMID)Vw84e{M@rm!>XA6GGqDI%gw z4zcfhJ}ANvzkIk=lS8Rg_A6!1KkKe^<&YGy)Uuwj*t1jV+FIIkItyYh6`)^37={zb z-tQId@X5afTpl7=pHk||AlP45&61jRI3;=(CpBU?Yl&?v-WHci_o0jmr3`Qp_<*UnN zU`b2kdl_m^Wtb~yD7;Q(Sj-jp$6ZRpNw{Hqef+sFc(1K|J1H)YdCqD}-Y3wBVh_IW zgp8Jt!}u)TBa4K+8oa+%K1B)jj>w-=njAt$PJ^i!RamRd*xtrITddC7f;FuzFO=XI zaFMH^hHWfyIo59%87b;gm1H5=ajGQhnjv z`9Mw%tC88+v4&KQy7h3F&|i!}r!awC?430~04oCqN zv}0&CQ}k3L<(IPhmqZGwPc|F2v2aj%n>MR)|E!cRtDLi5lLF7!(%qaZ{=YqNOlkUIkWV5XaknjpY?y%doOa(?8A5 zlcufn3Hazv8Q1SCvRJnDR^Lt@?AgZR$W~dQ$#e0=w?9-Ke@pQAe>T?V^EIGz*7>P*b!w zmIEFs%EKX6#dllIdLUZX8jALsH^`aq*Rykqy!Oda$zfDiB@;Ofm!YB^7MEGemItZT z?m1=il2>n($#F8TQ7?piF}j|_u$6T+ZNTpI8O4%hW+xbzNG+%hU732;)ke)W_9WKs?A6d^pm093ZoMm`QLn8qn9t06 zb&bulda;)UmQVQ$fM-Exp-lwxvPHVB2!|mDYZWlGq7|WsUm+jVavyi|^($M)CGsRv zed{S-r`}YVfue~-JhpA1E;yH?JD2Z~6S!CW{*H|7fUVRLyZ4H|tsPoZgwVC__?*=S zd##-{Y`K?Pb0Fs@Cs<_zV9D-yy`o5JWJd=TYoC)rR*%~8<_m1YmW}N++xI+R_0>~~ zX!^F2Eo(^DU^@s&T5{M{2=Jt1!oR2JnxR5%G%ML9k}W^h#8}cQQnTY<`n63{ez#wVcSp-M8C(x?mLzjp}N1ma11Z%-T&0t~Pm< ztXWM(LSCEZC=s1JFjZxV3P@3s9YP%STzF z9P)j^6N$Vg^|vk}kdMNKgy#yeN6CirbmTDjdbF!D#V?}Qv&frb|yMIM8cPtUt@I8|%+=Pen`h=_*G zCBi+ZD?*X4yy}RxW^Ys^bI9iThUD1&mY=*|b(~dJ_57kSQ)I&LjF%K}2XHC7v%oRC zBTRZ?dZZyC!>*BSh$f~_hP2Ppk_=rDpqDG8LX*04@koJoVUt2YE@U8j_%1}vQAz5) zT%Bd>{42};$qt2+I1k*FkBhg{E&xJj{`x=Zm45)HXoBAn%{v3jH14h`%;wc2<6U}a zN=UjBMdEHiDwyO`=sm2fckfs_maz_J)Vs5|2_+U3c5qR^P#}vp zCp0Scvqr*4J$i^EqsMg8b?|u;2N_09IW>NhBOk~?^hMKT)7>h&c=IdlY$;P$WYM%% zSH{wPv%;0TXn<}p&5qi@K zZ?K3^E=bqzf~lhrY}zWuCZiuo;cL>c6bHaA()}|E!xfSbWl`g1p?D6Aucb^Vp~Bp8 z*0rRr@!i5<>n4jfPL;RUFn)fYJt3GYXbjux1=(gE8KVgleE854t-l4%pxK5{Tblws4JlOEaX>uN0uhd(!U~#_)wY|T)BpeN zy$Q5s=~dsi?-}m+=2ul+T~*y(J<*z5qa_(JNH!RI8J3Mrz(7cxtd%${+lpCUjz!`X zhJ--8WNZw}Cd3dUuXx#l*oF|v23a5kvV;aSbxYmqxq7Ja4R=0c{=a?hsk-&*z3Qo? zu2$Xs-gnRRo$q|Z-v4j!Z(NYm0w}~rf(P+Ql@)HQNnjcQ>pO~P#;N7QGs>u4BvDm5 z495e1)q%w?R0~m)u_#NvvSE|vij8Sqmo^c3uL!lcM3JTIBy3f~+ARCw>4V%Hx#Gf6 zOzmSabWu(Cs=YIkLD-<0k%3h%VFD8RKL9dDP;!MI7H+{bLFFzPmYzz46^INdvs0@5 z&pvHQGPRvzV3W1NmX7`@nG?7A(t8`brLU>kYV0V)zGdYZ8|by+p$%Jq?K@=}Y+BNo z*s`>!$;08#RG-;xGE;zS%gt@>jD9khaGN=XTz zsXvlhn!3Ke!zR15Q<7rKV# zUtSP2<5cKI#7|UFF_gH_*#c%n2;~^^Olx{1NgD4yErHs$P&O<;QELOVj`C zgeJ1Vpl{LY5sO!DmH>66O>``u(9kAkmGClw3T9++-bxUvu=aB_e>k@~#}ZfF)BT!w zOgyP&c}VLCGcx(}XA(%ae;BGqRLpy!6*^t0`&XXpkfn)#( zl@sitcIY{T@KRQQBlAP5MqxppG`~=wK9mNKcb2WWe8{KHvu`SzRAqY;axABE;=Do~ znNO(=E<9zE$%~?*OJ_F{RSY3zRZJMdRN|OWwM!$F2H?AZ zi6O^g>g1FdQ?;%HpS>!izxzZlNv4Dl21MXvE2PQ~1Ss*w9kQQ$QhIm1k*rXS#^kD4 z;b-{MHzI2NtK>UEQ9q_}l7>7cn1!sOHG43nD@Lb9Q}Ix^EIw0CMyhS6wyfH_n{P{4 z*dTeJ@Fq5ukg`ixCV}vw%M9@ZWOSayi4D8b6b1s7GtxZHT(IfcFIq7CjIUT-v__U4 z+p_h$|E%5iwm)n4eB+<9*SzI>?2fztoU{!FqD_>2%7@);8$No!gz!E~8)v)?q)=LO znLkOqt~3ngRI@AZ4wgq6ma9LIghpC4Ddx_UHu8N?3xQrlAFF7@_t#k8bV=z_9_P6Q zN`JL`JmW@~_@=KF(jH>PQ=A_^y=~3uIcs$=L{?QEihIt2H!5=nm<843l~F}-<&8zu zX3nbqkK(Rh*{2MHW+yN9=;+X=EM_Xw$0X=tzC>@x#+BkO^;Jr}p0l|QTTnF;32?h@ zgJxpgLwBkUyPH-;RaLB99jOK@ttGX17)vO{|J2}DWyiUP0GX@dx(7&5aBdpuns$q^ zE=q4}kRV7~X-UIjZO&y0WoNo$8(H6$LJ3E6S^kyg zXvMOJw`}s*Z(2G09SKipgSE^~Z#-q6U;i`qz}l{k%}{9cvQ));U!I(iD{o zj8;`N+$3NwL@dW9J(wZPML7M0>i7G_w5&MYwI*7H zGWmRW;2YM^c<2(Me6I!Ol0#T@B$6<-$Fq9Iw*TlNk?e5!l7KdRss2ENsuW|F^PzGC#e$VN!Jf4BVGJ>Z?m+3%KT&egYGMSZc^b#A+Y#w7B1Q9c-i8# zulFL`I(d)fx8EzT>mG1abd{&lU>LrwkQ(Wl1G%o!zh`QKR;tHq|-f6VN9bnIJ$WMJ&PFkP2Ho z^LdL#s=2WD!@f`cqQdj(-QHl<7Q=S*ek>JR01~(C(B_}ey@8mHjdiMZ9=ykd+JB~Y z*TXP4UUCSGx82JJ1%`iK*F)VyGifrilK=#4sM=Gxls!7cBuG6Zd_eSU++0LrxrLt4A4D4KEYDq5?bDp*K+ILvmIw7y;>$gSB8;GS2OKX@i z;xbXKJhGky_^_~Na`xABPeN-)BrupPh4q)1_AFC`*{QR<-;Z32&~u)mVN}=pBDhrf z@HroB8!(nIH1(BOYIh{_BWO1r)7Hv!wlW=9R{~o$p0vK=K1N6dGzi&hI&#f~=FCjs z$Gnk3rc%ISHpwC1y!UXL*m2dwH&36owe8Pa_ZgW`XYRAk@DYXkd)6D>ZyUqRZf=~h zL%}Ht-P4NML>kJnz9CZ}V^9`tJ{US|-jnG&f@5%x^vTtKq={kY9KC}QkWj(oAOlYE zD&jM~H%cgTVsj|a6d0WOliwhax!v+<&%#zJ;b#`v1mVy;)VtaQp)-go_^J&FbAtp#bS_A z5Zi@t(;96F+BmaTUs4yZTX;-nNRyWPBNDI`g~3kZQpvN9WwDsQDXDEWE!Q<*(HM+u zv@M}4reZwW6I2M%*lSjgfom4HN?-s52M@Ul7`UUFmcsEj#QI`rpFS=>^nx_$3e@u@ zx*pSxGz+3rMiEb**D2XLVk<2J*0lXi2??O+|pzxKCOdhjv#U>f*ytFfBnJRwL2jovC zn&N~|GEokuBNXR5C6NVz@JsH{>w)G)8fm^Q>EV#()}0E0GnsbsbZ#TGox5LUqdVVf zS$fm~xRA*K;>idUD2=R1`^xITrcG&xgN7YL%ee24tat7YtsOn1GGPwPvcNM_p2%hs zh|=!kN)GY5!Kl*WNcSb6pc0)CVse9#^266(kZ{n|Mza~K9L1^5WG;+jF{RYkmPBA> zM|#8HepTI1tEQHKN)U?dsO;^rEr}U>(t{D2yrs+)>>q z-{YV_J=UxH)!v zCUD52o`9ySSkv&yOiY zMNSu~KFoa|mQL2AIp_`k3Y80OFyL9Pc#fq-tV}z0Xwnuq4{dkV?EGtQ@g5b-E|wUJ z#*B4gSFxdMNS#dDRhKx+MaQjoI(3ZXALY zDTj-W>zSL=C{&~H@J7oVF(KRaQI}RVx>Q;*Y#wjP?TG1aQl@Rn-^g~`Q%hG@Eo;9; zOvYZFTT*eGs&Nn7xGlSzY0C7$ODoAy?;8@5j%ro9uPySolK|(2@6QzkaS;_}8(zHw&ab@}rw5RRL4YbAG;BBmcC8WC9h;3B4zvU|a+n zNSD$?I!n^79{x{OKJfdtsxmx}@}ci-04@T}VJ!1V8U@|hzLOczy@AM!Q-5C8lrQ(> z;FKGf0EtRa9VC<^Fz<*OlrnC267yqjNi#{&@^=FleJbc%3TcP^7pD|v*X2c9Xy=+ z9)6X_V1Tn6nJSG3lZlk+679(wag|;Mq$zXdk2a0MlvUPIKD7nbo$#Ergu?ovG@SKg z*1Gu>Hc14(%)M9Gp+EwFaZ^p7%A_ugI*Bc%%QDfVG8BCq4dQlflK57#6r@IXuPKjjBD2<8I< z92Wx543lW0ntt0?Ngp?565eu;g&TL;H0cTeVh7xY1HViR2PzRgOg({ewjncd#d>GX zT4U!cHtB9z5=%?LL=%8aq)9N^(^p1U9GFAHaX}T`&_DqjVE$IMoR}BpkbtL=?CDgD zH8|ok9@AEzehirkj49X>AAU%Dd`^{O({ic7)2MG{t79p(9E=&Vs4o2*4QVD#+itAb zSWqb2b!pd%r1VbC`v7nRyiWMKBn@c_8s=xv`M#><&Vk{oG5sdW=ddCnjA z&>>o_NuAHCh;6K}HJ;8uCskiWKGW|#KaJep81699q6 z(%{0eZDwQZe)-cDU--P)a%RIo<&d_lo5r@)$-JSto1(+eJ3`~BP8Q?@``y4KhVp*< zss{o7qP@a5=naO}lpWj<EhMp?j@yJBmlb#@JNmFOkf!)-PI;VJfmS#0INL2AI-M)4w8Fl4i%i70m z<>V`Eva~9*Lna!->StY=As{1@E_W?O<_P&UNu=$iw!D*B|EVW!T%NZg+O@Pfl-4Lv zm}wNi)lx#4F}$1@E~uutUXL3uTL1=U+}XLfO(4Nlpc+LgDP3|hFRB%$dsgITtGeF# z%4co- zw4`OD&`0zGaWU!A<+U8SC9 z45A}K3v!x?$&E^4Rxt?;kZ2N+tW+^uR{}h>NpwaxWdCLzAJWTu1+0CwWb4*><_TLJ zeabq^GB1*WwRnc+0e8vVV5O{(0aem6sOnIrr*YRhcfa0()z{h9bV-c5Y>oD+C92UF z=MXm;(?Bewm9VNeLhtcIO-HnJ%WK%Z1V{UeF9FSj-`#$ah53XoR6VbR(9Z;>9Hm9+ zCi6O&pB4+C(c~;wP8YG#+f}|vbCdSgZ`@>)o8D^SO~& zoHP_zgTB$EwDoe$)}DF9cKaWEvNnsvfK`xWxnJ5h7dc@Fnh%uH`aoV8SojV~;G8DiL)}?e>0!xG-8Z zR=i^gCcQ$lwK4<@kWwcc)=>o?1rUBIh-qXG<1PgEk*5ss^hhBGn?z_?Uq0u1?KnLHmWr28#t9l4l#CvDj?n|D~NE%4cX(uV!9 zMKNn91eRo~#i$|m-BPMCML~O9#j{e05hg_p?St>sMTM#2nvDD5uS(jyySBu)p!tw> zPTDVfM%xZTiwVc$Dt4H6n0#eO%xOoE#uO+INE;>wTLE-rZU_(04>JL9)5=cI;yb_5 zo;mS$nH(#YwU+go3Pd2mNZKIJEJHJ-7XxsRxzQ7-o*dp{OAiW=pZEo9$B$XFdBH~P zAJjZ-W5p#bCe{`pt&JPDEsgF%H?Y+y)yJ$c)zfj~ke8rqvO0s$W_0Q71|?UCXS@yb z(jL!%D;c(K51S2jk72!H%(7>BengenkY!&iNMum#p0#wmV65q=gX zKBRiwVpL>T03-0|uG;FcTkOdCVe7SZU#3bCG%b;^OiH%g9qAfPLTm~k;1rWekce)j zJ%H>)omv_{#QtkTRV*s1zdLJVaaU_KiYIZ^*k zve??WOueLKMb;LtN_*>cZR6-MJG60=^%~1QlC%&QcsoKiQQoHli_9VxEe@m!qHqal zrg3VM!5JGo^_Xz}g01PhErEcQhpi}AeJ;q7OqSJ&G!_9hveDA@G$M|qX+bsJ&_IEm z?7L=(DX5*OM|{y+R$pSqCsU(a+g5~3D~~N@bYG(-rrcI-HL>pauuPCss=Xexd`Via zIIT4m5U>(0OZ_W%v&KkY+Lda%YhkMTva_n%kVRmccJr~Dt$p)x8^}kRrsC~TU(vhS zs^YMu+7`12RXvc>BjHlqQfzO56sA%|N`*@$1CBT%2!8u=cg+bwB4AjE@1oPpg9RXg zSs{>>5SJlCqB99~)gHwBD_b?kqDjz8j^QgUI}dNmJ^mP9kF3~ zNcM>UL}4(#!ZoY}ZB7~??K(}BnLs8;r`BQA=h6UOsqV=ZTao5wq`gGlL}O*;n@j1=qX!Oa|O$)v9=}b18WCU z%cK^Mr%QHW_0_hya?-Y+*|K1G-c}oZ)pC6s`_5bvoRB?1Xvp*!Dm;OO;t@F*0CPN$ zkkKAOxlvnts}twdp;Gz%QFZSc5PFOUMZn}32Ym?Pa_z^zCqU!cwGU}uddC|piLzY8 z+!7rJNyoy@nuNcpbdPM>7+SNJ+IVu>_a_M%p8eLpAam{2b|KibtSMn0PAwYCF&kH4 zo;JIdcG)>hA4qqsHyYTw?uXl@jlc3Qty})Owb>p(=HOWBbjS{Ax$;~PU54~(p^;(w z&=^e%2V-fJtBzbG^u{5|gcA0I&zT}MN8I<*KH{ESc)*Yt87)x$};t; zS$&L#3}5fc3%fSTyLvpao7da6TG&7C^$+;uLv119?U-MXizf2sW8d$|G7{ z0WR{dA;9xt+ImdIr07{o=2lYxF_bx`nv#Lc6n#%xM<~r8MU#+*h9($hL)$+4*v8{6D|)g&*6vcRcg#xcZWBNh&&Umxx66`{o&=~RLB^JzsCrE; zRV~)ldjSjGPGz?bCl-$dLt^F@8{LG7jT#f5!k#lL6$X|-vi@{6su6+JuYiq52r_Ld z-mQvi?}d#Zb06O?jtGHCVO2=fzWO6<1We$7u+5~c2jbvKULaGcuC_8DtSnA-B2%5S3DIBax<$v0TI_6^G4Rm&4GEX*k&@tzX^L)WgE*u>d+TC^>S zm#ihUES`G6!iPU)M=yLzrkV^!*3PJy+vB#NtJB3^59gqYE}bptITHIq(6XUgidmrg zYwP@YcEMUt?}$myT2^kmwopg|XiI?F(~)X9X&V591h&caXqhc6smCo$l|K7;uH0=K zCtqvFkKZaVNNj5;Q>5(MrnHtQpGZ&0Y}{cB0hvFpO`swopi=cEJ-(cr&H=Mfu38UN z_=3i94GEdkzrI8FVs*oJPeXzM3;!+}4 zp|moA$i~Tg?C@Q0wsh@Q8%ppKy-zx0F>c9(E%^-rTP2bof4uHqEAM!-^;w0xIHp{dU{Cro9T+DOS~FxdrNnZn%!Q+OWlCT=#Gy2S@hM9m zz0b;r@3)n~d4bT_qGY1?rLja)n+Ej0(2F2*BLE~QGXaMy4T>MLTs>UWbcHJufExUo zNQ=@9AXO8(bgAzV54u0G`*opj(@hLKC|#h6z>-N>p)?F%F2|PQUnR>VC$XtazIHIQiEB3tdM?DABeZ1Ycy&XxFg>0pkvnJ#m7QKl7-(XXfTXca z;<1EC^<1IrR@b7H;}Re=2?<6Z^|xT}3#r_Zv<+zjQ5sq-M#qlVl{6G)m74Xk%vP4W z*6p>d7*A|^VMk9@So+DNuCwrOAnk$)P)HENp8*`EtGjI};0Xc&SRm6zv82iFvT}9d zt;j2XPt~P+kl(Iv&Akfo4*Cq51NlH3344V2lx=+%i15vh1SGUh5KpFUGi6*EU~v=S zZ&)HzV^}DSYbR~(6@SuNH{ETMuxBH>EERWvh3|M*D>HJ1&dl}zY#J&9+KCGJ1BjPL z7c77DbC#X@qLjHaw%Ts^dLQgBn$em|Pt=}tENFk)&-9q<^-zJ(5Vgq7s}QwkL&B^K zB(LZ)m9P|zuBEc2JLQ(|pHWB)7)>+FqYZ0p+#w zl0W83C}_%4;nSm23BIl+*z}qdsxiFIfHA}rF8sPv38w%+?|PenBSXa_&OA)GLh!lL zyO(-1B-lD(SVWBG1Yi`^)Nejswn901oJuQ7QlFYXz5VqTeZ$)3oHT>6P21}VZ6bjf+fq8VRw9AQW6SalX((L@NZVS6j##$d6L2(b zB5*3QhV>;Zh182iQ-VSRsf3fwgrcd0TIZ#-7dFsJq`gEEvPgoPt86cAYU5B)365(Q z^JUJpoP?jd{$%bk?=fQ30YtSr%f-w$7cP$ot^|XSUqXM%1!b+wsbPE*5tGp zx@SpKf>91k(BR>qLg#V?;}noP7FL*RDd1n_-qta@?M_ca!cv&k zIuhI=vb5DG?fNJaygckoW|@F0kOnkWSUb|7!lgrY)19xk%~!p_?8vRQ6|LHUW&O() z#Y173@-5mC;7$dA%IC79G>@f`ty$3Cv9wg$hipr@WF4hFzwi}1|CtY1xbviSTT=^~ zfY*wp0;s4IU@K!Y<*=JQ3*LUtRF&+$KmkuJfa2Ln0^-6%KB1ngwhm-D#|WJSw`}`D zH*En&N18=3J|_V>Yat6iE_W>xGiUi!3>@j5iE9wN!wADfHDD$HVxUshFbDvIHk9BG zq><#U6>F?+T7L5#mgst-+L;}}BpVV6X%7s0l=cwhW0^IH$@=%vqr^2-oM}^mXyl}a zzz1QW)9V|aoXQZXn8f)&j-#9pz~QJ%((J2HF_l&EgrR7>^yT~M(O`#jm-8xz9{8s0)|`k`!ZnIj56((@z@B?N6t^?pOO@bbzLTj{M^L#9X}o1cw~ z3)%g7lDUkT;zHX+BJiR;B4SH_-6rY?Js?N>iZ7w>We#Xm_u0=wSNL{ta8-gUKj$5N z0~JU>M#~0KW}+?Mh)Oo!No6J_HpctXiuE>++u9xPu=Y)N%c43VtKpDL0~P}6TG;F< zNI5W627ods7CcU0E(z*rD|Yn(tWt?VBvimgQ@KP zj<4cWhO0JZ^dX}*_2Jb{Y$rClc5}~cwH(@XByB~;IYZ2SYJ4UDkx+-Kv$L?PI8_6d z=%qo}V;Tw3TolJ@H7NwP0uML^xBw5_%+eqCN|_s7nGk_AA)kn*8Xp{CioHbN;yknQ zWNNK$$JUP?v17O0VTX>Lw9)Dj+i9-Yw#;-!;369Nnm>5OvP1j}&XhHN;qvP8j|Iwbe~29mlq_=es^pqG zd8MPTbt%sFaRX$uYU5B$i(L)hTNJ6bV;mLCGBv2h{i7~YOtqGue57wnc-EI~hYS=JW$LlGX$;L;}cAeq;J$^&!PnX^<%K*#R4dvg^+$412GIx*Cl}PxwEzy zT(v((x97=V3P8_B-VVV?LWEPo)?2gqmbns2DSPPZ*?s3w#^ z=iZwk;hh$~cgRG3G6ajkMu5EDl+7VoL~D?+v?TCpX>l^JH(oevckP_B3(_uY&P3c?^U~ZR;-Zr&=kcf7;$BX6=%v|$4lxM5uj$q`%p`w88KsDToSNVPJJr>O8uxB_`7 z&;S#GH7Qlw=2Ev!8UfuQ?PNyi=*^jNa6%(j0t%l_!Q- zpO_ugFjcz+?O1`dh-MsH8p(tp?efdcX9#H4SP@7G00amVcu3k4T1mkoFwA;GgP^-o z>84keHVO*_14^qgZJc=3zg zJd+3Zj>x1&_f^~Gt*(`^m^$0Gok3u`67Hb{tRcHQP)(glP<)6&AVJQgV&|biMnWMK zzF<8DJt9~i6)A@q$ZbnCO~Y^ zrXa8^651su0uV7;KDJok88N9VZ%eZfu#%8`pnOUcW+}ie1V*8?Sgfbtx7|mdu+hVx zv+|h-?Qp(jd9Q7|N@Fzb3y@MNU%9j{F|;%fFA3M)$QzDTO>>lqpjrdP#azKS-Dv^u6i*FtG3)b@(3fK8^2Oq^+BQ$D3xBmw}N z*jjkj?3s^S^7tQFc;*pn6=Pe;I@X;wZ9DGUxSLp8@yv5p+*GbBN~Q9`>q3(3-(F}G z&xf9iMzH{j=S}+o1yJDCW5v7<6cQ4tvkCmUPL0Q0shR6bKgK-qi zHQVhSvh>zhS$xwS7Oo!knm?0Z`ZQ}P=xHf?UYdr)T!IcTF#?ehjP$%n05J!owl`GR zK6y=AjJF!%U4SE)*r6s#hTXya~0mUC#JQ7Gq zBVirVHjCDjGM$>+!p%(K=^HSw-mk(|$ci^}P8LA%{OP#>#lrM>F(e+W1|gBbvzpf# zQ}?Oq97^<<{6q+KhwDtWaX~MGgrqGVZZV3pl&u{mHW?3X(x;16A}v#d2Eih1i{k|t z5{N=IeiTUiC_?KsR0~Ubnd=d&HqXLT!XyES1yuT8$#CeRBL|30gaNwe2%)$TA8rd= zhNOQJw<{Y^`#7@N_*2*q&YRFxeZUBx8Y+CTl(aE)|@^hqvnG3%D!@tL1W8u z%}R4)Nx>pj#36FqGuN-GF(NRx5~lp~mA5>{0o01e7qmaQ=|SbDbMOExfN`sw)#*Z` zcp-$)E0c5}yOj71Snv2r&#bA?+02u) z_=gBrrk1Y5A%nhnjtgvg+Op0WX(Z?V(9+W%vG&=I*=l;)yFCYun{5;vwsF*vM$wlx z^^}6{E5Br@Wh=e_&VJ;d^s|{61=x8k(I_e&U(l8GY#If$0E!n&;>8Lmgua(Jb;h*( zN|2PN2r$<^8B4WdBtd43#6;QwYkjlgHUq0V(gxb$z(&)F^>dc>KVjv{Yb{+qVd;_M zW^1d~=`2gZ=vpRqKUFPI$X-V)ppC#agG^?C?nDilGZHihj)ub0A2D*IfOJtUT~{?E zLYPd9J#h16jt{E3#ordV=$Ql$aEpZ!h4;k3JCOycn5@B2^h)(75T>9sqlvMDdpT{` zcrdiQ|Fq>>4_ox~L)IRiw$;X2TM33TZ|Dz-Z4xcnSm|j>+iKEV!dMZ-K}L>iCUsoq zsY(|20nwVS^tYhPX#o^pBl4lo%CuVkE;6S}TIFDH{_%@Jg6)h@j>E3bWnv(w(g2zg zme96jhDgPZ7y-Fv+u5e=vXayKrrF^Qiw_^QX!VF?@rFWPvpiL3DpW=}vZ^0jItpnJP32KD?dn-uag+%oZ6{+Q+dkwA`#SJl9`6NRofbgxH6TRCYjgcp=lp^Q z`kz&7m?HE{U}O6tFW!JCV39`9Du#jyso>PMs)Z*Ci{;@0)!I=uF&0*6OW0OgQuTw0 zu>sJeShwBwx=mJYv)--uTCsV%ZAl|3<0S_NMsAiY7Be#^%w!hu@tW%L^{6s_ffLBl zN+uJ)#<}iaLcdGrN{cUqixRE4}ZXN%*bS&sHS^&jYnczj&*l7e1aav^^`3WE(oM;*V1@eW}PwkBjjj6)) zY(4WK&M9w5p6NPm3lLOWN2#q!=$53ahm(<|0*@qa*tRr@zCdLdu36BzS?0(smLEQ5 zq0EwI>yRZ3MrtX1g;5NTSs{(Y!gCU0+6-t@;7bxJU2|m54PQA55R>p{O*ZEQ-YVF; zjJP55C{6(`F_hvMif=ai^vDD@K~Q(Mt(b0GIXQ3Xxu+~RD{vS+X5C=h)`DG&7#WHd z({5NoFHLhr@msYd)3r>lrsB|&Mipk5Z8EWxUzswHy*U_A)yk^;-b>`OM^JfIWjMS{ z8DOeZV7{O$X#o^pW%5ePf2tbJPyGz$L{aCex`P_e+K&~Sa7`iT8Q`H8y?c-L0d7%K zOMuEU7O13Nk+Yvg7O`eUWSi5zcds(2i!RAY#v-+5{kFpD9JTn+vNbnPm>oK7qu`BF z=Wp`{L?(E-i870W2b@i1K2(!dF^A~toyPQngaUxrfrPXWM@)&ZAtvhN7D@|f6iv&r zzz*%6wG(8@d4uUBj1N>I?yHDXb+EWNF2U-nwe@Wj$`$ zq}@@7U5goAsdo#3$yizepA2OlG}6Sn#YjLhl7=9FnvAVE7)Zu<_2Ge!id5h>?n{6L zI&{M}iydnRV{0p(mZt*1%lVZvn}#<@GneWg2}FV= zxtNdY`_`E3*mTslrCQCQjh1RWlFBW()g?%V3 zWgydm)u_;jm`N*ukS39vv?SMRfIMJsQPW>91f0^N>?R1R?VRSe0E+9K%AB@C6(R$) zXb`2_Qvyc!DyE8_GrCfBf$aXkf;_Qi$^flcpwTuqR%dH~JRhj=6;L5n-rwbDwr&H3 zkvSOgEf-<^U?nAtZq)Y@F-)o&CXZtAPAE`f(V3>q5PCPHScD@RX3{SF4MvJqJCd`! zU6Co?GL3?eH8ANBskRWHA(S~D)yEbLcRkPoC|=Ga;YF4tew9#p;h?T#x6{fm6G3O# z_iO=BracL=u5*TQ4{a>r9ybeX(JSKqC8j=x13~4E$~>iKMW7>aU_8Z?we1vcz2B4T{L(ZDCkPZ21{2EiU@X6-b;KKtS@6-Cl3ibtU-nEjbEUeL z9pL~GCejRaO?RcYCzO4Qqw{V^F#Vln@_om1p9=zS5pQ6L#!{sR2GjQerukZHK`$-M z1BLe>(K|<}(b%~FitCstv{~1y_Y?>yq8tHLSw#}KF!OFhx;yDbC`(3Uq}DDl00bfu z&X$C@EfJnHm>w?kL_Q`09lB_%#dTJFQWf(!=zc_~{XUh7xF%paw`%@anhjbAyOcGW z7Zi`s*T;-xLa=9O+E^C;%m4^*&~t`w({M?!C2M>>lyebe2@u^0NSn>xR5kRPHop z`Z~HH=B}zF0SCJ5g05>qkfZ{tb`OwV5gY6<6uh9u2OtCh8Qy$!Whp>l0+xiEK}}`H zhGkEsPZ)Gd#@2K|X{u5{GY|{NtSC5ALm=$bD11w%hhvF=hGp~_9&StolgWYMFb!iH z(oP{L2?Yee6XE+@59WCYXc~<~eiH{FG!;_8;4_AadjrRUt|L-;shk*7QB&P@y3i=D zXL1mjok+k!X%mhI1$%1HEy`4Nj0ruLKSpVz4fq|Ga22>}b$^Rt+2|7`b0=7DB9Vqt zNaGk*pdg~6NA+~=L>Gi7(U-Q+*0-8E3JL&}yyv4MbN_ZVjGMJQUE?4S2LU3kb7G@= zMX2x42wNE_BI1SvRPei?mzv-sLAZ*Ha#gV~AdhpvVgVG_IZ>i=k%-Ddxvi;K7=m_>J?@H$vvfZdtqqEBMRufFCApRYI@w*CR9v z2%q8*J))O_o0T8#_oI#grId!lwLpm84DWgcH1MT}fi@fidNw!{m^dKd2v0|a@0Sa@ zE@%N1FH>@H;>QV9pQ1F&=+)4PZ%j_Jh<+x$BPS~xGu;Q0itC&%id%hBlgemT zoK9Y3emN_=OE;V{nNGN%>y?lrm!vH*$&Eoec{N(-P^(1I3p1!0EF8Hq0*C}{Xt(94)+#aB0A@q6i5 zpI6t_S$(+VgTG5u`@0ryAG&yZ{_B_iE)sls8EKe~F z)d6;_pI7c8gSwG>t=t~|nZ?)Rpy%`7zbqc^PvBinS%Ft!^bus(Q?BMUi8_ydk>KAJes8MG>s-M+<7j%6R zrQ=1V6Cb?gEJ7D(EXRu4ENsL02iB8d)F&OPjGbU-uu$*8Mug%aT_ble)q9cD#8?uX zxKdX<+mH79#tU^?E-B`R5nh_3<*l`BHFG+-eC@&WI;4{dAbO!w!;l~m{Hv(fVg3WUD~0_bWWumFhb zo1D=E5RAqHBv@tJkN!-Wgs*^I)m^n;KXETGZN<2kn637GiFs>RZIZOt;deh*KfCxb z|3#6&3@RlgERf?PJ*`?K#{t6Gc{adIk*Z7)h~K^6zPe*-J!^XI=c+LGqdM+iO~?3J z(x#L$)LLMP#!xcXM)z2L0F8ihVK+KP>!!%7-h46iq6S>;1q@t0mz@TXn&#)XFX;Lq z7~XeXR~a%qoD%br(n+YAIw+)3=nm_3`g)sU47L#n*m+FEpztb`OC$L9Be8{eK=1mu zW;aFkJc9j+`+O7bFBBIpb*{j2*1FJr)(iy-+@~Hf2PO|Nhf==}@swr!s+#v|vAmM1 z5U!->7fMCs!G3gL@(&<_@irrsk59DoaGANoq`N|CM~i5x+?X4b>bGI6dgj|c?2WnJ zW%RA*tsd3#>kHR#@8VpKswAE_)tW+mtP8sag!+TrKbR2~^wN{cPvw*O&sQVb15axW`cGsJ`b;VfmaFj?dBUdvoUC@BQ5sUMr`c zN)~4Ex#$!pJ$pWmJYYG&%BTP^*uXN4M3qPAW!Q;i`wkP!dn>jbb*!hl zsh#&F=mTfIGU{0{l^Ck_av_Bg0S>ArxOl&;5NPgmnA;Pd3OZo3d;x0Yoml}_W zW&~4(k-5piCs{LtxJZ-Gk?jd0Uz{hCOZ~frue&ufNBphJX+FC1&$;iD?XDme=wYqW zy$?O6%7QD?!;>nt&x7_x2GTulCkXFs9S{~DVsS(EWCc+3&P{fPEhy8})~6%S_kMTD z;+*{069}Ck?Ada+1exh>fO90|f&VAcM0PX-lLXCHcL2sIiyU(ok?*cJsT9rS3 zSu@OB3#kS7CBe<<}$}ONLw4n)WOSC)S9jw$wPM z@>#aDdAmK+RGGA5d+pXK+fn+*EOxAX(Z@XOi!=-0lg%TpXXYIj4HnlW{lxu+0EHK@ zgnvGf8*|%C`f6qALE12l%$H%}5-Gi{G6mgbrN=5v)YicT7WcO^|rkkwW?fNsq>?4D(`XG zu`(`g=gh;lGfwSPcDvcD{wy%>Dz3q+d&*m;3)>Z4A zd-5?Gj)qca*KPaQy_UY^FNqnk-Nh(UcN3}lL9lMcm@d+h6|J$f3tAIm_D~kvz&rah zPyKy;7?0ek@|S!2y+Rf%t`)JY9v{HLtGb^jlK(_!Dia!2Ne^Lqm!6)()5Ha#_Z`o4 z+^^WU&x6^5IzCPVf%J2}&vWIO?)dA~1KrjMK*qON_7AT!?PotCts)1f;% zi&z<~Wzl%U3IPQJtwL!OVJ6vA*(BZ2;^cAL{I~zaqRv!U*;iIp4Zv3=MeQJ<2$xq@ zehlV;NJLfGez`As;o@(W@S5>5)w)YdOMXpbCW2QB7W9HL=o(TT-@U|r;)%&b8tV24 z8Zc|1qmhT{0av_akE?FBoNiS3S5j=2QCw`tj( zud}Gp5ePI@*&--1CuQrlrT(&dcP@iD&^gL|AVI@^_BOtK9Q%@#x$*$pK#mrA)Og;n zhhSfFp|`}tIlh`#UTsZ?(n1XKbfrlg^|N6LBlg|t!ZWq!_Sw7m7!TV1HQUptr)!Q=Q+QVm)hA>sxY za82Ba_e6ry>-GE|jkDYvjYhV%w&vHQvvzeDHO=4Syna@n*Uw)nnvW|)d^}F+$Rc() zSGjLpIB&Z97?QV(UR481j`L2Cn7Dbq3$_vnmxi59v=BZBS zo^rSNAdJk z*j?Z9U=Jjse}G2uf~0qz`8{K2#QD4+*7Q7UP+`q@iK#An{sampL2m8gNGA(S)@N<|H_K*mI>S~wB& zA*f=qaw0iEh6sm>*(xoWXY0IXU&l+=c$Dw;y}@_{a$bF+JTZ(o;j)OS;9a=P~T zq!a7X1Sg- z)#=*r**=cZrD4HdvP!Sg;e%lvIQ0$X1%u+EQlP2wpd3PWjF)j3HpVs$6@U3_>Y8Eq z83WV+n-@VZSc2yT;d&>80s+Sn?^<)nWKN(})NX5Q%fSFM1kgBj>XcvO7vf#Cu3FGI z)^0BtaPQ?rFjBplPeHGNRA{UOA6SIii)_#>DHXSsOAsY&4L}j0BB?qu_aIjOTnp#I zA$W+W)g&yr00ZV9O~=+5Pb`*zOau^Vj4={htI@VV+Fw&(vZnH5tm3eoS`tVTj07?& z9{>jxop(7#Hn5mDqv|v2l+mX)Qu_Pec&o1~y#kU@!q}Kf!vsfmZFB)4E|e9CCA%YA zUS(VfnoUP>7fl?|VVDqyHc*7B$fQll znnEwoyMQ}kcrm|VdcobJdx={3w%cxV!9qytn)Q0nCLjcv^Z^LO5s<(E0sz9XW5?Xg zsLhR)l@*UW;K4o8gH};%6m=TwYmQvcgU0m?7ImD-le#PW{P_#k-mz$&q)37Z;)blX4?#?Id(Es}nWtIrQl!gj+o`v+8 zYu1=~5D^%*JYik0!ZP0`LA(GA8eSPFcKhwO+dJOz4*TOj{$mG^ot+&Y7xHc2_H7cN z^X`v#YCx#-tQNL9&GUH))#>-Vy^it%B0lsMgp`@MWQ5r@6=O;`lg;Bcx#jhsfqY7J zHL1C}&wP(1+5T)UL}R9vG#(NdTNcs|K<&lxMLLD=n=$Jg&83tH5XCJU?@B{hmT*sZ z?O3m{KmRTF*jrzD%+KR|Gy`@_!)&VKN)1fe z=~_6T?Gi?xTyxd4bYYJ!znL4Qe>f68VHL`e8+di`^^P_7?A%M|$%WIW> zoW71mQ8}FxK>;@qO8Uip#JOW>97If?W=#T!Wz3W}?vcW(FArSeV@A)44yMOoZ+HfcvSbnK_ zUF({GL#>(A0L1+oAb2)^ef<(Opx4(rN>s@6FWVbeckH&| zLv~N_i2e0%e~rCnb=BJy^L$BZk;y2=FB=1eDS=^kc9j>6d%hEz;vVD!c|lw1%kMxr zFjiSAO%gr^bTyNqHK*IQr2AodPNvX#TM9z^JKy&v`^ML=S!a6Qg7H~t8UQJ6H~XaJ z1v%oTZ;}rlh>|$5ikqZ3>O>MbZre6bS9S zFeAul761fo5+DBXhwY;u{iyx$5C5>8J9p0Sf7f??m;K-m{-8bm^wW0s>{&n7?HFhn z{eIt`c;X2^Zf|dUxBv*?Q8#|p;B>ud6PJj10Ta|-#8ow`fI=drnu_fP(I`}>Ne#`o z4m-Lpzzkz|rTft{YFpj+F%{RuwJeh2e;3;i{=x_BW0S|N*F0l(;iFcLKP!#stl3uI8cPzM?6j4mN3BdA z6J|VYd8X&P%hn#;F1cD4R!GPOj|-UYvn+km^5lp`t;ojxM{RfaK^yhYS`xMF=mV+A zsIhT(U^|;Tw!68iT%#T9TBcuNN!!UhZ`;ay<+q@Lxfpq)YpFnR618m-DvyGWCAwG8 zhJo^gR#C`rp?srFL+-`0-wgp207MNA5a-;Z?V;8vXp{JfpZE#8^Ugc%o4)Cr?63Tl zzv6)LxzByhzV~~-*B*ZOVf*42zi40j(wA&1l@`GHsh|2Od-BOA?Ngunl>PQ^|F#b} z0~qKjp}~|M6aWK|xL!322M2m9yz6kbjGEM5R#38BHgB*khx#vuGu;ciVo<5O_%D{_ zZ=~9HAiuG~QU1b_*TT7mqwiwg&`uExpeB-noeTDjx7}jL)&};zfA^bahhAk91|Kc0 z+v%N=OhmeAk@&ju-4`Wj&mF!@PQ9} zz~1wo_t-n%`A&Q9d*5p}-+Z(EXe_?Nb z#ikS@)y&z=c6Oy}pFe-UO`l%2t+TQH&V3KqUGI98*(-0g{u^(#U;X&UY-c;R!O^FYtPuX|BBeib{kJ*k)8fpA?A-lzF+OifSB2~swh6Zp+ zU|$lN@fp9)bESCu8kFG;0Th72yjDR5(#F6&%n=$ZF+&h;dN}AFz3;yJ?DXl=_J%jS z!9MxPPueg3;xF3I|NPI}KmX_d+_jD0`@P?@@BjYqw@-ii)Aq~1{LA*^KmOz1Q-VXI zfa;!-mnBGCq?d^Cm1ku=>{vB8U7BgLw6s&&px?BpyJAHo5K$gC>tVIe}g^RG<*2aj^)j}#Ww<;q-|MK z5uWka*Mjzz3}2@C!bun8AC5UFFE&;$Y8*u^WDx50^*WBCj?a8t=Fe;MfHnxUiFd#I z-L5GxrsB+*GxoN(z0JP+yT9B0(S3?W0RYfm0Vr_IyJ!{w4&S0N6aN6t^=f)l`9k`= z)O{SqRNzPLovod;>4`Us!6x#kymP=%%^t`;Py3cjC1)YqDpd-E;=XDcD}K0=_J79* z{y|Mu-7-TWCT_JDygabwNy~ogKYZ4H=m);f?m4z;uROGDZ+p!#d*?UbBQSr|-udcp zw0FMg)z-N=w7+o2t8BBoYCruO57@i@^hrB$qG`YKp~tLyp=m#K^oVVL<4OCC4}Zv3 z&KVBhfiP5XgweY>qBef!@3>|NG59@+yR`GS4- zfB9B>@S#)orH|Y%4dbYVikGjVMTYL14+o_mIw0TXU-2@i%87MLnP)<7lnoZnr6HN_ zQM6Z~g06$fwsju*kdLFFD;Q1VfUjIemG)76czztk3kHh4g2y%X`8-f?oIiglX+9nt ziD!L;sQuA0I5JWbpa3)wa(XoALWR&2-v9phyIH~<5P$%4<5zy=SL}fY9&oTk`@odp z8Fak?1?h%}6LTF{@{C1tM@S>@7Oa#60wZ(E5%b1lG<5mIicLa!+2A zK0i4yjryJg4bS&D4p$ImL`}%h>X1$ug+RA$YSt<&k=ZafzibzNXJp^fe!%Wb{=gc^ zr|qL3|CrtPrNmZt9<%o2AGTMFzi5B>Yky#0`C`L9Fy6I1*|LW|^PoMbayxRy?5$61 z*!w46wg+}od;H@~>wn=3cGuDcJD;4g-+K5_`^-~aTl)Nm>~)WR%I8CvWT+erFa?LZ$68vFqY;JD)HQlFZ6!_sj-J|%a+dMed>vO!+>F4{z6Pi!E zWn*i^Jxd#rZJm9_hW%X$W@f{a@3ft_{kQT(7ogOCF=0^3rninQPfyu2V!g(y@y_>> zP|`{a^@EZKU+qUe0&$;b9!33-XA(jdxeN0pE2eE*k#@1NUfTGnf%Qw(=;FCiXJp;* zW^3msE#Ez3<5H&KddH&VoOPBvHVlsndCpsrp0#$fZH==sEz5gstMQP`8|g}oZ?&-X z`&NdZuw+Y`;E}r|hM5$a3FE!2dEwPot`s)zowvK5TDP6(F+1CNPy%$fmB}HQK1xR- zIjTfy4=Ei74ej=%SLLxk$pd*LFUkhT4zxKMPs5_GVp*1ECxFsX_KO5!}y#9;f5`*AGc`jsAbWT|_G2Y$@kG32hi`km1&O}jiY5Pgw|j?;jvlq~(h0Nf8-2(K zjj8eRd#xOItt}u46u*{t>F!5YNk0;~Uw&P5dhVLSEU%rYbY^lzUO@$8U>E?WTLNqr zAI30bY)8n{``X_Nq~{G3Fd4#MGuvJPm9`*QOL-t}FGsia+OQ z1++OpyhHjJpvC!9Pd(*n1SEJD(}eKwk3WD0jqRn(1HMgK>hp_n(UG-esuBbwRCAQf zS5OTuW@F(Lrkpctk!AgvY{V=|y{LbcF;3?m9#x$OOKAHzYSicI5Q;qX&$;Xo^+=l8 zvf{IG&hne@wc(M&*572FiGbwnRN96#!y~&kJ@S}s9c^1V+OcB~{jr@4GnLJwX163( ztPQLgJ!7^pwodVcbsJAuzjem8dQV!i@==SLecARWr746qU0;$ma>O==ud&VT6V{G? zO^Vg;DNmlTv%Ov0764^~d(4L7gSaUyTehiZ$DXuYbV%?%&J(vMujU={#VO>bfE*?n z8lFF|9x)`7fmnbzw|rVT{#`!3U|tmQD=JX7`Ax*)YtqvP+s7<$1#flys!G@TzAXTu_ebY6sE%Z^uxM}j zMN9R*6#^_(Bq{l`Cmk1^QGx8|$cH+gE_c;_t&|a!P1UIEYmA~j2o&;?-N94_Xe^Dk zthGq_5Gb7kYumuaDo5WX43qIi(u-P!8{!-xA&jH4<7z>n*5w||_i~}V!bE=5*Yy!U zIG)#F36a)XBf;G8yqpOn=e57-SCSo@1}#gd@u~U96N(w$*_SF{*_Wt2_a((lG6egSVWB*fP^mU= z$hrLZh9dYAfT0Qaz7-ebM@JT$;o7IcBfL6#t(#bPC^K#nN8V!c8;Ib3ONYFz^rGc|L@YU#-6O@RYB!V10q1 zfSIJqpE9v5SW{frq@1W6WF{8*wjIl#vZ()zJ^qn@Wj6_kd&!nfBf$SzNZ+6_voa~k z`>Nf}`Q-R5C(2rwpA9Jdg&D(h4%GsMaBOUBxGG*#?Y9=H>z($dZSQqW+^_TExjfs? z-`AS176%%?3Q1poXUop*PV8K;YQ5w4*zq@fi=CF*KIohf0H$KniC81Co=Mvhld?#D zA~iQ{bj3GxWfIu_%ya4c6(8u*Rcm(h63qC$c_I`5NIH?u00NyWZ03gnZvM*bQ`KpG zqdF44pU$W{)lI)&ABhVmTvz8F4#LP4k7nV`AFFKS9gcN+h+!$SZGS#zLuF5m5?#OV zU#r8~kB}K60oW;X5#mhWX)$KP*VG_P85u!WWw0v1FRhvH*rtGd{rs2g{*V5qt%d_@ zu~tPxfLeumFexs~PAypekA_{JD5!gs!wUflguZ?U%2bO&wDJQO`+)-QE$F48y4-4@ z;Jk8yYE%ioGy_U-GD)mInOfOBVoB$)bx*$8b{ZR&^-frx(pE6BI7}_fr0OH$(xOV) z_k~=Lx2TQ?-M?`K)qGV8(kw1snI7;8Kylea4@2qLUluQ?I{X<`yRlzMo+r4ApP8K; z5GN<%fmFGl*>@BMXEZzPM^~i9&q>SP`!x~1G#BJ(keFL4y#zmC@e{dLGq!1(S=L^&bD3;k0Y@Y|Ao3MqQtK3F zUDeKDP-zozK%0ej#c2wq`q*ADAZKhTfH$8_`aI|&80<&zD0wn_ zUgy#Ly=Nm2-;cD_?2lseX@Pj9`qlwRDLJhC5FRJqC*=*zECO6z2}q>TKK64rAGc`~Uw~+Nl6p0rE6p$A%894(A9QU$WTLt0q z4B~p;?}A<$qI_zGrW`0Egu!IHdc&(2Jd!Qn5~BpNX&YhNcA{0AsHQ^r%jv*60S$^Y ztmXP`%Is+S2+hb?9h-(mhA16e#&!AE@u-$(+h4HuqrLC%C7vJj?Ad5OZ)$fC&HIJ8 zuH5ra&q47eXf!<+UYxZATrHJFOQy%Jn;tUyT~lEh;4$4(DoY@LSz6!PaL0Oz&$*zm zvz^G=iL`@*lT;DkxfZ4e-@L0^5U%b+fg+QlmRBAr^Q z@+&0tVcfQIBD_Nm94|tzp6Lz!R9~xt zzglYM<5l^q+cox5^#$c43kKz^GERJyyUPDOEUYa#^WEKnWyP5l$0jN(-)ltIK`ejc zU5g{2Tj#N4lBxDrX3OQIsLTTeZ9{ebG)~-lOIcsIU|%hzSE0QbJ%4YZOOf6qS~WL@#5p=zbDbS_RFKs?%KUK8SrN z{_6Vx1#D04OT*q(816Ejp=%Joa?ip_wJ2Zq`T?IgSWpk9Y7B{=DS-MTvj*4M)xLBw zLbNaF-_5Sstt*IFAl&kcf903p!B-aR2$X$YP44J@fMSZa(U3W)Jc{GUQkjSVMIddF zh4tuAeJ%u0&;<)`uzf=X7>dSCHy?G4qSgxHuv)r(A=oztu_j|EhGl{g%n3Mf4`O}= zjbO|^#5AcIB1?;8dX!?!%mflt3SwFs+SnTthTcou#YVq^D)g9L>?K~f@+Evn#N{O< z_RM(xw12*kw+F$J_wx7(;-nY3Wb|7s!B6xKi~p(uc9;%*AXv4&CK?7kQIXzArRgQs zlA|m8xkQ`pZZryt1t13#91k!(IH|`02KzR-O)7*;#kk zXa-PVNI|9Q0v6Ib3zql;SO^0qr8cV=RUZ8QUUE(33i23Kr9pQo)inI`p4QFaGci9FWEGif+$d+}gTxfU`Ra(X61S`30?@RdKkJohnfZI7MR$cj- zuMO$bjN>|(4oJ^_Hob1qQ{i~H=dp`lp)#4h2RLEcp+zvCgLaEtp8TnRgQ?_vwkQP_ zXaxwm0`@r{qF6w`=MxucUe*hR&zKsDF=Tcy_f+;5M`mJrWSMFWd8kpOJ}&6%mw*B9 z8l9=IldxrzpzX}Y-VxZz=$SQR!hpGWg{||NIlUmP1fBYd(7CS_zrR^aQn zDe3AletzjWI4uY|Z4?N&@>%CW&h&EKlSY>bm>F)5qQaPpuz|)g^>T9)L}e7|e!Cc3 zGfM;{mCzqVwXB0L4S`psT`&@M1{AgFQBw$7=^BppSR6w`x=Uz32*&t6L2_{dxkG!4u{_EoKx03aq<2Ox1$`*C@~~b5#(+2Hmf)z|8Fb2do#;jy1l!j{pDw07*qoM6N<$f;H7;h5!Hn literal 0 HcmV?d00001 diff --git a/devices/surface-hub/images/wcd-wizard.PNG b/devices/surface-hub/images/wcd-wizard.PNG new file mode 100644 index 0000000000000000000000000000000000000000..706771f756961ea08238c57a5e14aa7ab234b12a GIT binary patch literal 12354 zcmdVBXFObeyY{~b5)qL^M3Cq$YDf^hlY|(eGl(9Y(V~k^qPHMgqLmWhHsyo0K;J03d$#QsylH z;An!6z#9bM%B#*&5%33&<6C(t0N(#-4LrazmwY1$0A-Ox=Z5&;F`@lSZASpO-Fo%F z>9or;0RV2)D;Y_(5BiwY`ABv3v{mdi&%EoTXPGqnRg3=J6Ba_FjEB-kBJXTrb}-Ve zgO9-ok{scrbyf@2VU1fExAKntg)z#CKU~iFI_OC$Q{L7E+{0^6P?6&dGrBEHr-Lg+ zCd&C}bbEHb3MFQaX++JLr_=ZxuaHoBc z54t>`cVPhlRxT6~3p)BBT6x4_dy5+r(St8odnS6awCr$#jnl&i2Bq)EZTKM5d?u;F zoUp>>d#kc1g|qbY(CEeMbFrD?bueNX>#VctO&K^a=zsOxZqmpA(NXnF?|wM)8Uk0s zPE{Fh(9_Q%jks_+7GHvn!4FHfkA8dSA7csYgL%1Wwml#h7efL|xn^g1=L?fZ=oMZpg?;`s&%A04o zg(03+M~>*z8N+9DXCv}6m91DSk0;d?G>?kA&ThQ{Pi7wpYGwu(5QKk}2NJeTjK?;v`1r0Qll(m?DCpvDnK~GuDcE>gXEGR0r&F z{AC4J)NS9uYbUe8#@tyJ7Cw+!^+?P}ma<#@M5EtpH@!cwg!bNIEdUTnrof!N(>fUw znNW_q+>n4_k6)M$SEsQcd>5sx4rlSHgIxRRkxRNV4*DiRcJA|7vP<#Di31o*z&9`> z0}AOGzjRe|@$%GPeuTsxY-Wj+P3mXP?`L|NpioP70#U0CdgO0o7fz+i+4{@LuT}v9>54uA~M~kLp%Qt2>yrcSj-m@ zGLLErFa4q7Q#w^yYLvFJy^8CcnS1 zq^-Rad|RfA`!*KKSA31P(&H_2bJ-c*DEjn_P|y`Uu#5DmJlhZ%Cl~*OVOLG>QC4m; zxHW0)eU?-7;jpw}GnI`1Q0Bs4ayQOHjy2X30q=JF|E>sp(t!hj0@;5SgeZ1Ef{<1d z@VzGi{)Wl-@BWArd2s4Fk3`b+A{z(NW2dRbm;~mfGt+X<~AGzOoX1cxlYPccRSh3RHNoMWEkXt>g zPUgg)pg0){wY0(dm_%LCU5@+G*z&FSD>?D>n!qY<0q;&QS@9>nuuQUYtco z(Jj17nuj&h85>E$ysYB8-R1EgoRklR4T?1+;f(<|-+Rdtj2HTD);)R<2~|&UGres( zZIQ%ZB+hZWpcCEQNBye$E>d57{7?}WJtdvTQCXv@MyVhV53jBvfay{8KCUfk|LsfD zweGKLT4g8KGU!#F+c(D!!%$SZn&X>zOKF;L%qYv7Qh25rs+qiak~jsiJKOWfiiWmQ zn{vJ}H(-G4=qPCyl?FQ>(@*d}U09|Fcq1Jw&|4}|q&VaPf$(e8oK}AjT;J&X6Kd|o zD=rY(D9e0>O-08tyjms6OiM5oj)Ts|@lcDVKoH22k7!K_@WL z$lr*Tp+_W}*0?^5urfpP^|n4He@rBke@00t*xBwLqTyFo?&hAuhoFp^COz02wVALc zI-E{mmDfPTnNWQ(O@W{Jn0h`yaN&)qQ2Ytu5nnfI^mO@jK2Z<3BP>5nNhtvrm4eDy zI55_*Z;3q_Vy#YGi?>?lkDLg9RQ#o(vx-5}z?*^*FR7@agt+n%GbZbUq2Y@vJ?|~j z#h~dWm-*9gMq?i=>lLT0b#M@ecx>sbD+N^1x6W~4rVFulY0ySq{^zU;olD7L{6Wj) z?DEx6zJcQ=!_gi?JSsRlqvQK@S5#K^@r0epIX6mV*IKHGdAv(3T8-6Zwam_%7p4ZzlBA!L?(r-kN_4) zaNK5Lk2aE7h@g;bEPcsUXQ%isQ-XKNvZnsTEF96XS_{QGkML-wi|o0>5#m^X7|Jx6 z!D*F4yA_uw$u_XB4w`M13F|gT5q}JN?qz-cd<*6v;SiKTB%qv zQNzj5r!%=(ZH6vrTi2Kt&~I9rW-Ci8tZz)vC?bBoc`-!8K-KPEJIIe9ucU8bdlRPa zPox73);~`U%k~rHBu^%@x}(^R>zkHyka7d&mvRHhSowVjRyx?P7ES=j{=sk^?2`O~ zO~HzfSK@{PuoCMl-vE@E$J~-qUu?Qn9U7iEC1_e*12_by5;ppdAU!AS^HWR!pv*G2 zn{kxpC{2f$JN)xx((61-4;KKO7eohAtFFp~^HRhBSor$i7yy9QdLAiiOUy2D_kTCafKMq&3aGxoqVFT~6MWt`k?Isvj`~|uPLwUU5|D33n0a1KlFic|cz4c| zt4fGpC^}(I;%S4z1)Ri%?q`TxZXPCbN{d|8XbTLw1}$o#7` z?=Qqhl<`yEw6}N#4@=g4HlBY&2&E7XcV)kWC+Q@eH!^Co{vwr3Ijd%UxE!PfE!E$_ z*u0v0{CXc8Zz8RF9r1nP9RdUD zG}n~la?l0Ka}C?{uJ3Uq26(O*kUp2KlSMuq2URa}wa)vJ1_G-jb3lD)r7-Uum5LUe zO|6RG2;Wy<4qvw|5WHr3?;abQvI2m_XQHuCx7KUmQU&h*0vP}VfFO_<@}dJ`nO9(qnmsDG^Faa4Q0D<~LNMiONg3dkuJJ+qxYYVEDe-Z=CgW z#OJs@r_1(KVp6xCOpDndM+k3lAbqSKx>G9YJ>28NrA(|y}|JD4|=JD?w^>T;v zfZoJ++Tdlr@RR5}&;I~T5i0yq$5l3@kGWl9Wi1lp6`lpRA)b5TdgR0~-lL=*)%e$;==>>)w z1VWrvT{7(mk;BQpD_&4Mtofu&J!ZU%Hj8AO4lymEvGQQXfi>Rckl`NQ4_nLUy5Dus z!Q=X?=|S){Z`wi<+xW323Vi9K?lk^0!L9>>D6zZPFX_>eXL5IiRn!MJ%uRateKBG~ zkp3xq--1&bkf~@muwL-EV&WkWD)7aVc-fHhw z{>D6L8P-29ktZ%m*G%<6id=bPAOALF|7ofYbvN(WZp8Z6iTNT_H4GJqp&pyO<3(+o z+J?V)?7A1&uqzz-h)Rxj9Abt}h9)Yo_+TdISlH*!e=ZMEo+3;>LKQN# zBAM?=V*+?slJ}m?r^WGEOpul(*uKpPUCM&eTktVy)`;MAKOeCe4c#rYgLDmz57^}X zd6=t|qqrreL@|5HoE0Zva*y=gkBM4r^OMNf8hNLkx*YKpt*OJkf)%py?1Z4ntpuJK zedM#~OEu+wcdUEJdfu%MZC_}d%k;(SWxY3NSwd33+Yl3@5qA*@Qg;!jkc$bzulMAP zJm65TwN7Mwg6#R1tbhg!%d}8lxvWSM`;EAQ^yb-^wE(1HWL=Zpf)-?2_RFH^^!aWP zs)i3y=fk=%9ecpbIL+eV34vMGpU<##5Z53vO$V~=1v{fINtKh8xUfc?EJzz(8Yv_+ z)t*`sY^emW{7aU@x7;=I{}BCPCwbEvFJI(+A^u_w`_r9q#AR=!j)@6lbQm5#o0C+a ztM5_8qPgwLsIAGM#TlHd=N|Y!VaGfcAI3=(`Ec=A_8W@V+}QdRLtas3^TbZcV@JGVS7<6f>*e_E^M~u<>O~tOasXi?{e0-{`P9i9v^^tXiOw1@*Mq=}g8snKGZT z`XCQl5rl8VJIm((<`dtIAp8WbOb#_2l{QGV@_Q9VrL<~v!9?ts9IRRbOCs^`+TsrB z3uZsc9pj%)SbCz!NHeMrhXZ92E-F{JYo7q2!Eh=Oo-}ANDCPrYH z+GPYSY8)1|NKsK$uN&;Q&8CNOogo4PL@g&1d>sGg{GqaSQmKNZeH&lr1*5;F`To zul@Q@aDmkaqZaG@&R_K#hIz*2q;a@7yVX@3tvZCrBv;(?hYoD<{b)mMZ#XB{y?LBl zfg853p{J9;4ge;9tG+mq>Lp(r&s!R1&dvq*MmfAVGPlF1B=5Any>+z%4K#Z|Q#)!B z7t~MTZlHb`J6=Yt8v|j(anP}ulp{U#ZBAfSFo;Bte`};(?bE(dN=#wcK?E_`h$B9* z%D0bTJM|Cm zB{%920E5N*s`Si&g5ovGS)` zb~Y~O_9JYQFTACe6-qfkz;b`cKFJT65Y}gTR}Qsg>nmo|RLtI;FApOsPv^ z5UI4B8B-9?UXTL$*pcA9ugP9 zh5L<^bJps0gsdD(vEDu*vb{o-Q?qY+va^eUz0dwq=Ynr&>`1`bAxkyU?As;|TzU2~ zc*(`|IeV)TWfCU(on_Wr2t%~ldSr6E87HO<_NGl`HpX#~vXlA*ep#j9qs&Tejnz(L6-G5xHq_O}aSwx%ghi!W`8E0#Y+ zLjtZqc+~dnQu8-6y-=uExx?k|^ zzBh3ncaz;0TbIUXOX~@Z!N}i&0&)V<)iZ;JBa2Rm}4QKo&5`+7iG*tMBy{0u!H{!WvNcbb)bIqLA$QabIu%FtgEI{|H$ zKa1s|L55y2eu@Vgv#{$bC63-6wWCvV#$L4h0e_69{rN-VGi4BFDB=dR{$Lnh;qxaN z#9Z$s1+@^vR(`T?{vA!Mgy@?J{^NG^U4*vuzPl3eQknm&*zt(@@E?loV2G?94*=>T z4Wd2LgsuM4UOkV~k=N>*%E4MzYP*fEU4Pb~_geKOoV!7s#nnd02E@^?t=s|h#W!w7 z)W*CQx2tVYSH<g~w_kM0b` zK^Y>_>)DXh>HGvJb~7O+$rVo=z=>%6xpRt;61V=^L#ywZKw<*AAP>Q3oEnzl*f_ch ziW12?G6DfYZ)S5MMznEc-3z%mk)XmUm;4(O?_dJ zea>sZs)icey@mag6l`owqd}So$cPXd%*MFBUxSvQBKoF5tv$$MT7^9X&A39yF9N_f zYSo!r`+iK}Trn8QIPA`ZKylt#sHP^aMIIsNhRo5KiPYsgpBs+*y-)u1HpHEDh+k1c z-uWV+VP}f%q?^HOxQ1WYyVfG!`jI%@9+TDsFpeNsiC^>g9~MU^T4>Ciwq<-)avd+d z!c_nfY<0{VF~%?;#WTvi5usmdQAKjasSGw!AFZJ}t?v(Y=%yh~IoCfyr;RiS{7$W? zM!(Y=yI8FZo#&WL^#8ds=RoHC48#L<7i{E|BB>mSF&dr*^_dPD{h7nHhh*@{a>T8k zNY8R>ChEs=*o%>ZCs9_qZKj%H?MqV@LiCzi&z;6rv_+XAwudjv!?g}i%c{-q(W0us z@6YqKoB_wJA6}fdub)e3(9EzEdOf=tv=u9Alcv*E#kq^NtO?(M7!E{zJPCzH8)9Rw zPg}-3-$*qKnt+@!qlNSxB5af&(6~2LlsqxtG#P#V9diIXR+>7kbMi>CsdD;i6YBEt zVaRbI<%-FNMy~qK4kVRbqRClsr~LF!r``3G3$f3FYbh`UChF00 zxApgP_thh2A!hHHx9I;JN0l}e5^!RN<_3OCqq1pBmH^S6ZXi0^b}0@7^d+lk;kJO6Cf!lQk{I(2Q5j zDYfiYyQl5&PPjPi@?y5*9IR7RBeaB>_CgsG^b9J#9*d18Fm#U}LMq*CsrcaX9NXE7 z&T0fAM!k`BTHNWg^x}tGq;35})j=D%WSH(AmBy@PF(tC!i;Ocm`5=}nq%=2&ohf%4=AXv! z^i1D6qw1K;q>z#3=4?~MDdQb+ioQ$#0a3D{?gESH%g*f8I0ktg_s`s3K6)e0pH|lHh9+<) zxTrk z!7;CQN(^NPio+u62W?P zC0hM;qW>=7Y#DzOX4@!}9GNJ1o=|nG^K7KBkIYxft41lI9AW466Vv0_VESp%ufLJH@d61zJph_~~> z1Tb~p>AW)NtV;-{X0)p@gN#ta;%yNnbP!i7D=UB?HFrpjgKX0RF<7MK|Bmg!k8f>< zu=?M*NA$V>bSobah0tBt_rH^_BlVIi5syXs2n)RBy3PVujbLp}5{HfI-JnfH0%wax5UPNc*YLZY z1A6hMkq|2X4YFscF&U0c08oej57|Xt;`F&{NZD6G0j54WlU$}GJBZM?bZXT72&Pk1 zSLu{$=US03eWQ9}!V(w_P5xcnC4q#Ev72-IJmo$T^XV7iQ=m~;tzVG4gI9K68r)&z zy5`!R`U8{dALa)7#-Io3#Mk5oKYi%??KzVs-_f!cIReC&d&F<)#PG9yt}*(?3Gj4` z8jYpf_d%1?o!AQ=CT1XuKMjV(>X`*qciDk`UbYE(E)GUb4DQB5c4<&X8A0>@6OrU4 z06;6VR6yQvC9_g(vo(9K7HC$74}~k8;F@Wfe{K6#W7^JVth=(;7$3+ZZQNqIf@wY2 z3eYO0QGwEl!=_-57rWyOzJS-uUimcmoVPDbH~nGU&{{v`6*Uv>C2u!Qao4z` zwONBsO=pMt->}Pqq7`4wbb*9jhurGEG`q=JX#f7ZXsg6$)izSLI^qnfE`pKy(N7Q- z(?xo_PxYUC)yNHv$ABQb9E-bUKHy|Q7~4r)KvUT{6D@fX4M`|&`|e-v)6YCZ&{dV9 zLRehV_2bltUWXTkx#7s$;4MYafuZNn`){gjsy#0%A+ne30VymnyKCm-na-oz#~+Kt zYSlH)%y(}Luaw(evc%Jx zo+r~}EdMjVe`tR!b$RED;jMbTM1}=eYW&BxQVEgmQ+|QQQ+LrhJ-cb2 z(@(xz==f8fJ{-?1K~GyN)TD>6%UIVd<*ow#;t%LhNs4oe)URc`dq-gWLOZzMf zqB%3k@Z%S#2tAQKauDhUMRdrfC={I&qt}ZIQxaD`)b!_zD=FX1tws)b8O_+&&ur-$ zs1;E{Y!Y9AaS|;G&baBkW=dq}9iO&IX z3vC|CnSi=wrc=i~zgzh4YYLwm?Y=TvvNArY4jcJY0i!6x6}Zc7%=$A)ixU2M7hMnl zi}<-rg>4BLChED*?o;gTOxLkNUZUy=;+=W-@S@EBu=`(F;nxmXOw%n-Bvk$^r&^{~ zn!6-bVMOeguT_dC0avCjo|lOtosj_)uAy%-{ltI;W9f&#E&#m#D1RHA{lOza5&*1( z`g^#5GG#-?9UwyytOddj6ML4J*4;IZl5qk+3s%XAO4&}2+tX~Sx^j7x8kQutMOTCV z!@mQQ`zv^?xBZ)ps%uP50Sj>Hs0s`G-w2T|W(>+GiPYMS@0$kufoOMZ{q|CSIN78F zx?JxX7|!K^nap|z2biP_@;j=Zjw`-iGD;$)0;gyMz??mWNLxO)xy)K2@`SM0AK%yZKOoS~{@B>&`TbwRF;FtT8nYtRyH4;#O1*6j+8chWLCU%L z)1wYT>=`fZ#=sT}7m(opYi8=dj7SWYLl1f;|6>^98KiHx^WG`E_AZ_zNBh+d`z`9H zp7HoeoPQ=0QD0U-^$~8DRwzc0!3v7NzDBos*{wk^lr%mbG+h*HRH%B%UHt@6ptU`r z%p(ehlls!>h2I7=Ra*GJl|t3?EN$9u0*#+<6jvi%j0^uQf0qI`Qb?`Ep zsoV&OQ+>uX@8#|mfaOUOQ)4~DPWlB7{ zzePbo^AZ3;VprrqiKLLS-k|8yU~m{A#z4}z9~EwnZg)LI2AeNu_X=Flffx`f*keJ5 zqcpl9)N8R#Rg*idZwgHoj|r2wTgtDrQb>U!&7-&rx@N_Sg>e=FQ>VI$per0OL8GKg z4w1#wZV$pTy|rB{9YHHO-`*(&eW$h>C)7MUd3X`}ib8 z0;OR6*~-QK*zVYob1+xTTAN9R>FvYEjz^(Aj|w4`VzaT&q?ugO!8|PIk&5=nZYT}S z1x|9Asq1u2nwhuTPxsELj{0<_)6E&L@*uaHqvGn#6FfUE>v~O5n%*nX#;rHnPP;!t zV>e)H=n~QCGn1thg9#BGY4Kc+s12!17E=skuTbV=6*<4W)QL>3jZPWf-WaP=(I_Rw zs3hY?L!GTxVh=)ekBHmXm!nyO<0Ua#x?59+FXdc@SjaW?qr1K@5_R*@W#&i!B2lfh z-gT|c?TJ0+Q1qJFzh@J>gJ?spDra0&8OP4!==GoX{*R#+ElO76?LEWDLaz8qnR{o) zN|mFbDbjOINh}UhA_;O!VPj01Tn2yuaXpF+^8FllM#z1Nr{)&oAaW(K zUl*BRolcD&bvZ#mK2zByPJ3;93R7Rq$M9N!$UwWd4w1h0Na_wz`r2`CFYSlhPc^lh zW#{K-X2=$nW11hq144UJJ*h0zkFoW`Jrcq0ukg^Z>kjEsOjeVMkg#1E7x%e z>th&TZnHEB->jId^z#Ma)ILDmJr9Eb5KF zb-U;6Dpczhh!CDwdWpdL;gPwwxDW@B%J^>KG=98)hZTq6RWMe><)9*K#B=vXJM<$Y zwAB{%ymN%bJ@qMuwGkYx5Ikes!Fv7t^o^N5n-jqn3S%}S8odmWaqEmc3gx_CO8l(k zh5quCiz8GD9u^H1B|eH&%7+oZtadK9@raor(usZ-&)i>k%9L}Sm;N(}$)u6^f;L!>iH2o$(y`#*s zb;^21?nQ^tzufXbI2y~kJVIEbt}>@}Dd%r>JYZ+79?=JlZ{mx6i_ltb1MR5xJ}~%N zmKq;gv)iN;2mP;G7(s5(ObmaAlfj}=c4(KBaFukSOh)3aA{f6h>dn6#MI4}x=6}nc zaQDCsQvLxX_np_BT2#dNwUvyTvVFxA8)|r|8`*NGdNOdFqK@t#`BeW+)?r;|3vJN; ziz5CnGrxcFtCB;r5q7wHeGj(1x6-Rxv0oO@#BPfxc}IcgY6ma-crgQ0Ni!nP!zI3D zu)Eh>Oj#+2#9@7{3R8Eqn{$m8t_0_29*Q|l)1FCiO4& zpL_c)aAE%=mrb+urfuf@& zr_841vZgQSjL)dy-XmR*C9CF2K`2Pqk6Jyv)u&x#4@l(T;aL+;qS)hzV1ez|V1Zn? zh@T5|@^H|%J23qCUVLv)T+H*`%PixF@WaC5NVE|9wJIA`-mhMg8ju53i;n?wq# zFk%xeDt}^pgr^A?)M?~Z4n@~!e4#MERfn_Qt80}w;NH@VZ&>IJ-96yHW9S^~Pnt{Q z*C`(S$s!tLyLuafFe`0%nD%W`y~HQ5K$s-F^aHB`obTsvf91R`vL1Z!O=aFfL}>E5 z7yjpA@?~zPeKdRA-`@GZ)b4v-cmtLUpp6hJ!_+kYuTx7zSAp&Sm9I$Em2)2X|H{Zx jUU&Re8)&kbcu8_u&o9lQ(+`Hq;6De*D#^g5-ueB1uhbA7 literal 0 HcmV?d00001 diff --git a/devices/surface-hub/surfacehub-whats-new-1703.md b/devices/surface-hub/surfacehub-whats-new-1703.md index 537d6c55a9..d05ed24b2a 100644 --- a/devices/surface-hub/surfacehub-whats-new-1703.md +++ b/devices/surface-hub/surfacehub-whats-new-1703.md @@ -13,16 +13,42 @@ localizationpriority: medium Windows 10, version 1703 (also called the Creators Update), introduces the following changes for Microsoft Surface Hub: +## New settings -- Settings have been added to mobile device management (MDM) and configuration service providers (CSPs) to expand the Surface Hub management capabilities. [Learn more about the new settings.](manage-settings-with-mdm-for-surface-hub.md) +Settings have been added to mobile device management (MDM) and configuration service providers (CSPs) to expand the Surface Hub management capabilities. [New settings include](manage-settings-with-mdm-for-surface-hub.md): -- An easy-to-use wizard helps you quickly create provisioning packages that you can apply to multiple Surface Hub devices. [Learn how to create a provisioning package for Surface Hub.](provisioning-packages-for-certificates-surface-hub.md) +- InBoxApps/SkypeForBusiness/DomainName +- InBoxApps/Connect/AutoLaunch +- Properties/DefaultVolume +- Properties/ScreenTimeout +- Properties/SessionTimeout +- Properties/SleepTimeout +- Properties/AllowSessionResume +- Properties/AllowAutoProxyAuth +- Properties/DisableSigninSuggestions +- Properties/DoNotShowMyMeetingsAndFiles +
-- When you reset a Surface Hub device, you now have the ability to download and install a factory build of the operating system from the cloud. [Learn more about cloud recovery.](device-reset-surface-hub.md#cloud-recovery) - >[!NOTE] - >Cloud recovery doesn't work if you use proxy servers. +## Provizioning wizard + +An easy-to-use wizard helps you quickly create provisioning packages that you can apply to multiple Surface Hub devices, and includes bulk join to Azure Active Directory. [Learn how to create a provisioning package for Surface Hub.](provisioning-packages-for-certificates-surface-hub.md) + +![steps in the provision Surface Hub devices wizard](images/wcd-wizard.png) -- **I'm done** is now **End session**. [Learn how to use End session.](i-am-done-finishing-your-surface-hub-meeting.md) +## Cloud recovery + +When you reset a Surface Hub device, you now have the ability to download and install a factory build of the operating system from the cloud. [Learn more about cloud recovery.](device-reset-surface-hub.md#cloud-recovery) + +>[!NOTE] +>Cloud recovery doesn't work if you use proxy servers. + +![Reinstall](images/reinstall.png) + +## End session + +**I'm done** is now **End session**. [Learn how to use End session.](i-am-done-finishing-your-surface-hub-meeting.md) + +![end session](images/end-session.png) diff --git a/windows/manage/new-policies-for-windows-10.md b/windows/manage/new-policies-for-windows-10.md index 873c393efd..311f3f125f 100644 --- a/windows/manage/new-policies-for-windows-10.md +++ b/windows/manage/new-policies-for-windows-10.md @@ -74,6 +74,8 @@ Mobile device management (MDM) for Windows 10 Pro, Windows 10 Enterprise, Wind - Consumer experiences, such as suggested apps in Start and app tiles from Microsoft dynamically inserted in the default Start menu +Windows 10, version 1703, adds a number of [ADMX-backed policies to MDM](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-admx-backed). + If you use Microsoft Intune for MDM, you can [configure custom policies](https://go.microsoft.com/fwlink/p/?LinkId=616316) to deploy Open Mobile Alliance Uniform Resource Identifier (OMA-URI) settings that can be used to control features on Windows 10. For a list of OMA-URI settings, see [Custom URI settings for Windows 10 devices](https://go.microsoft.com/fwlink/p/?LinkId=616317). No new [Exchange ActiveSync policies](https://go.microsoft.com/fwlink/p/?LinkId=613264). For more information, see the [ActiveSync configuration service provider](https://go.microsoft.com/fwlink/p/?LinkId=618944) technical reference. From 1224d5ed0d108a93f71a7444f5e081cf282addf4 Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Thu, 30 Mar 2017 13:34:34 -0700 Subject: [PATCH 43/46] update vdi in prep for feedback --- ...e-exclusions-windows-defender-antivirus.md | 14 +++---- ...e-exclusions-windows-defender-antivirus.md | 21 ---------- ...ployment-vdi-windows-defender-antivirus.md | 38 ++++++++++++------- ...hell-cmdlets-windows-defender-antivirus.md | 4 ++ .../use-wmi-windows-defender-antivirus.md | 2 + 5 files changed, 38 insertions(+), 41 deletions(-) diff --git a/windows/keep-secure/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/keep-secure/configure-extension-file-exclusions-windows-defender-antivirus.md index ebc0cbd396..3010dbe37d 100644 --- a/windows/keep-secure/configure-extension-file-exclusions-windows-defender-antivirus.md +++ b/windows/keep-secure/configure-extension-file-exclusions-windows-defender-antivirus.md @@ -12,7 +12,7 @@ localizationpriority: medium author: iaanw --- -# Configure and validate exclusions based on file name, extension, and folder location +# Configure and validate exclusions based on file extension and folder location **Applies to:** @@ -41,12 +41,10 @@ Exclusion | Examples | Exclusion list ---|---|--- Any file with a specific extension | All files with the .test extension, anywhere on the machine | Extension exclusions Any file under a specific folder | All files under the c:\test\sample folder | File and folder exclusions -Any file with a specific file name | The file "sample.test", anywhere on the machine | File and folder exclusions A specific file in a specific folder | The file c:\sample\sample.test only | File and folder exclusions A specific process | The executable file c:\test\process.exe | File and folder exclusions list This means the exclusion lists have the following characteristics: -- If you exclude a file, the exclusion will apply to all versions of that file, regardless of where the file is located. - Folder exclusions will apply to all files and folders under that folder. - File extensions will apply to any file name with the defined extension, regardless of where the file is located. @@ -63,20 +61,22 @@ You can add, remove, and review the lists for exclusions in [Group Policy](#gp), You can also [use PowerShell cmdlets and WMI to configure the exclusion lists](#ps), including [reviewing](#review) and [validating](#validate) your lists. -By default, local changes made to the lists (by users with administrator privileges) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, Intune, PowerShell, or WMI. The Group Policy lists will take precedence in the case of conflicts. You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-windows-defender-antivirus.md#merge-lists) to disable this setting. +By default, local changes made to the lists (by users with administrator privileges; this includes changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts. + +You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-windows-defender-antivirus.md#merge-lists) to allow local changes to override managed deployment settings. -## Configure the list of exclusions based on file or folder name or file extension +## Configure the list of exclusions based on folder name or file extension -**Use Group Policy to configure file name, folder, or file extension exclusions:** +**Use Group Policy to configure folder or file extension exclusions:** >[!NOTE] ->The exclusion will apply to any file with the defined file name - regardless of its location. If a folder is defined in the exclusion, then all files and subdirectories under that folder will be excluded. +>If you include a fully qualified path to a file, then only that file will be excluded. If a folder is defined in the exclusion, then all files and subdirectories under that folder will be excluded. 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. diff --git a/windows/keep-secure/configure-process-opened-file-exclusions-windows-defender-antivirus.md b/windows/keep-secure/configure-process-opened-file-exclusions-windows-defender-antivirus.md index 4e972c4578..86d980313c 100644 --- a/windows/keep-secure/configure-process-opened-file-exclusions-windows-defender-antivirus.md +++ b/windows/keep-secure/configure-process-opened-file-exclusions-windows-defender-antivirus.md @@ -201,28 +201,7 @@ See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use - - ## Related topics diff --git a/windows/keep-secure/deployment-vdi-windows-defender-antivirus.md b/windows/keep-secure/deployment-vdi-windows-defender-antivirus.md index 11bd032d6e..54535d3ef1 100644 --- a/windows/keep-secure/deployment-vdi-windows-defender-antivirus.md +++ b/windows/keep-secure/deployment-vdi-windows-defender-antivirus.md @@ -31,7 +31,20 @@ author: iaanw In addition to standard on-premises or hardware configurations, you can also use Windows Defender Antivirus (Windows Defender AV) in a remote desktop (RDS) or virtual desktop infrastructure (VDI) environment. -Boot storms can be a problem in large-scale VDIs; this guide will help reduce the overall network bandwidth and performance impact on your hardware. For more details on the best configuration options to ensure a good balance between performance and protection, see the [Configure endpoints for optimal performance](#configure-endpoints-for-optimal-performance) section. +Boot storms can be a problem in large-scale VDIs; this guide will help reduce the overall network bandwidth and performance impact on your hardware. + +We recommend setting the following when deploying Windows Defender AV in a VDI environment: + +Location | Setting | Suggested configuration +---|---|--- +Client interface | Enable headless UI mode | Enabled +Client interface | Suppress all notifications | Enabled +Scan | Specify the scan type to use for a scheduled scan | Enabled - Quick +Root | Randomize scheduled task times | Enabled +Signature updates | Turn on scan after signature update | Enabled +Scan | Turn on catch up quick scan | Enabled + +For more details on the best configuration options to ensure a good balance between performance and protection, including detailed instructions for Group Policy and System Center Configuration Manager, see the [Configure endpoints for optimal performance](#configure-endpoints-for-optimal-performance) section. See the [Microsoft Desktop virtualization site](https://www.microsoft.com/en-us/server-cloud/products/virtual-desktop-infrastructure/) for more details on Microsoft Remote Desktop Services and VDI support. @@ -54,8 +67,6 @@ There are three main steps in this guide to help roll out Windows Defender AV pr >[!NOTE] >When you manage Windows with System Center Configuration Manager, Windows Defender AV protection will be referred to as Endpoint Protection or System Center Endpoint Protection. See the [Endpoint Protection section at the Configuration Manager library]( https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-protection) for more information. -The following table lists the configuration settings that we recommend when deploying Windows Defender AV in a VDI environment: - ## Create and deploy the base image @@ -75,7 +86,9 @@ After creating the image, you should ensure it is fully updated. See [Configure ### Seal the base image When the base image is fully updated, you should run a quick scan on the image. This “sealing” or “locking” of the image helps Windows Defender AV build a cache of known-good files and avoid scanning them again on your VMs. In turn, this can help ensure performance on the VM is not impacted. + >[!NOTE] >Quick scan versus full scan @@ -102,7 +115,7 @@ The following references provide ways you can create and deploy the base image a ## Manage your VMs and base image How you manage your VDI will affect the performance impact of Windows Defender AV on your VMs and infrastructure. -Because Windows Defender AV downloads protection updates every day, [or based on your protection update settings](manage-protection-updates-windows-defender-antivirus.md), network bandwidth can be a problem if multiple VMs attempt to download updates at the same time. +Because Windows Defender AV downloads protection updates every day, or based on your protection update settings, network bandwidth can be a problem if multiple VMs attempt to download updates at the same time. Following the guidelines in this means the VMs will only need to download “delta” updates, which are the differences between an existing definition set and the next one. Delta updates are typically much smaller (a few kilobytes) than a full definition download (which can average around 150 mb). @@ -112,9 +125,9 @@ Following the guidelines in this means the VMs will only need to download “del If you are using a persistent VDI, you should update the base image monthly, and set up protection updates to be delivered daily via a file share, as follows: 1. Create a dedicated file share location on your network that can be accessed by your VMs and your VM host (or other, persistent machine, such as a dedicated admin console that you use to manage your VMs). 2. Set up a scheduled task on your VM host to automatically download updates from the MMPC website or Microsoft Update and save them to the file share (the [SignatureDownloadCustomTask PowerShell script](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4/DisplayScript) can help with this). -3. [Configure the VMs to pull protection updates from the file share](manage-protection-updates-windows-defender-antivirus.md). +3. Configure the VMs to pull protection updates from the file share. 4. Disable or delay automatic Microsoft updates on your VMs. See [Update Windows 10 in the enterprise](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-update-windows-10) for information on managing operating system updates with WSUS, SCCM, and others. -5. On or just after each Patch Tuesday (the second Tuesday of each month), update your base image with [the latest protection updates from the MMPC website, WSUS, or Microsoft Update](manage-protection-updates-windows-defender-antivirus.md). Also apply all other Windows patches and fixes that were delivered on the Patch Tuesday. You can automate this by following the instructions in [Orchestrated offline VM Patching using Service Management Automation](https://blogs.technet.microsoft.com/privatecloud/2013/12/06/orchestrated-offline-vm-patching-using-service-management-automation/). +5. On or just after each Patch Tuesday (the second Tuesday of each month), update your base image with the latest protection updates from the MMPC website, WSUS, or Microsoft Update. Also apply all other Windows patches and fixes that were delivered on the Patch Tuesday. You can automate this by following the instructions in [Orchestrated offline VM Patching using Service Management Automation](https://blogs.technet.microsoft.com/privatecloud/2013/12/06/orchestrated-offline-vm-patching-using-service-management-automation/). 5. [Run a quick scan](run-scan-windows-defender-antivirus.md) on your base image before deploying it to your VMs. A benefit to aligning your image update to the monthly Microsoft Update is that you ensure your VMs will have the latest Windows security patches and other important Microsoft updates without each VM needing to individually download them. @@ -125,8 +138,8 @@ A benefit to aligning your image update to the monthly Microsoft Update is that If you are using a non-persistent VDI, you can update the base image daily (or nightly) and directly apply the latest updates to the image. An example: -1. Every night or other time when you can safely take your VMs offline, update your base image with t[the latest protection updates from the MMPC website, WSUS, or Microsoft Update](manage-protection-updates-windows-defender-antivirus.md). -2. [Run a quick scan](run-scan-windows-defender-antivirus.md) on your base image before deploying it to your VMs. +1. Every night or other time when you can safely take your VMs offline, update your base image with the latest protection updates from the MMPC website, WSUS, or Microsoft Update. +2. Run a quick scan on your base image before deploying it to your VMs. @@ -148,7 +161,7 @@ These settings can be configured as part of creating your base image, or as a da Windows Defender AV supports the randomization of scheduled scans and signature updates. This can be extremely helpful in reducing boot storms (especially when used in conjuction with [Disable scans from occuring after every update](#disable-scans-after-an-update) and [Scan out-of-date machines or machines that have been offline for a while](#scan-vms-that-have-been-offline). -Scheduled scans run in addition to [real-time protection and scanning](configure-real-time-protection-windows-defender-antivirus.md). +Scheduled scans run in addition to real-time protection and scanning. The start time of the scan itself is still based on the scheduled scan policy – ScheduleDay, ScheduleTime, ScheduleQuickScanTime. @@ -170,7 +183,7 @@ The start time of the scan itself is still based on the scheduled scan policy See [How to create and deploy antimalware policies: Advanced settings]( https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#advanced-settings) for details on configuring System Center Configuration Manager (current branch). -See [Schedule scans](scheduled-catch-up-scans-windows-defender-antivirus.md) for other configuration options available for scheduled scans. + ### Use quick scans @@ -267,9 +280,6 @@ This setting will prevent a scan from occurring after receiving an update. You c This setting will help ensure protection for a VM that has been offline for some time or has otherwise missed a scheduled scan. -DisableCatchupQuickScan, is the setting that I use (set to OFF) to ensure that a quick scan is performed on a VM which has been offline and has missed a schedule scan. - - **Use Group Policy to enable a catch-up scan:** 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. @@ -283,6 +293,8 @@ DisableCatchupQuickScan, is the setting that I use (set to OFF) to ensure that a 1. Double-click the **Turn on catch-up quick scan** setting and set the option to **Enabled**. Click **OK**. This forces a scan if the VM has missed two or more consecutive scheduled scans. + + **Use Configuration Manager to disable scans after an update:** 1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) diff --git a/windows/keep-secure/use-powershell-cmdlets-windows-defender-antivirus.md b/windows/keep-secure/use-powershell-cmdlets-windows-defender-antivirus.md index 4fde6f96c2..d3d65aa3ad 100644 --- a/windows/keep-secure/use-powershell-cmdlets-windows-defender-antivirus.md +++ b/windows/keep-secure/use-powershell-cmdlets-windows-defender-antivirus.md @@ -27,6 +27,10 @@ PowerShell cmdlets are most useful in Windows Server environments that don't rel > [!NOTE] > PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [System Center Configuration Manager](https://technet.microsoft.com/en-us/library/gg682129.aspx), [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), or [Windows Defender Group Policy ADMX templates](https://support.microsoft.com/en-us/kb/927367). +Changes made with PowerShell will affect local settings on the endpoint where the changes are deployed or made. This means that dployments of policy with Group Policy, System Center Configuration Manager, or Microsoft Intune can overwrite changes made with PowerShell. + +You can [configure which settings can be overriden locally with local policy overrides](configure-local-policy-overrides-windows-defender-antivirus.md). + PowerShell is typically installed under the folder _%SystemRoot%\system32\WindowsPowerShell_. diff --git a/windows/keep-secure/use-wmi-windows-defender-antivirus.md b/windows/keep-secure/use-wmi-windows-defender-antivirus.md index 83c19a8f4f..cc74e07307 100644 --- a/windows/keep-secure/use-wmi-windows-defender-antivirus.md +++ b/windows/keep-secure/use-wmi-windows-defender-antivirus.md @@ -26,7 +26,9 @@ Windows Defender AV has a number of specific WMI classes that can be used to per The [MSDN Windows Defender WMIv2 Provider reference library](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) lists the available WMI classes for Windows Defender AV, and includes example scripts. +Changes made with WMI will affect local settings on the endpoint where the changes are deployed or made. This means that dployments of policy with Group Policy, System Center Configuration Manager, or Microsoft Intune can overwrite changes made with WMI. +You can [configure which settings can be overriden locally with local policy overrides](configure-local-policy-overrides-windows-defender-antivirus.md). ## Related topics From b3efd97c7ba111a0243fc8f6589577ed41c61ce3 Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Thu, 30 Mar 2017 14:12:15 -0700 Subject: [PATCH 44/46] extension updates --- ...e-exclusions-windows-defender-antivirus.md | 21 ++++++----- ...e-exclusions-windows-defender-antivirus.md | 36 +++++++++++-------- 2 files changed, 33 insertions(+), 24 deletions(-) diff --git a/windows/keep-secure/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/keep-secure/configure-extension-file-exclusions-windows-defender-antivirus.md index 3010dbe37d..d4baacf3ec 100644 --- a/windows/keep-secure/configure-extension-file-exclusions-windows-defender-antivirus.md +++ b/windows/keep-secure/configure-extension-file-exclusions-windows-defender-antivirus.md @@ -91,7 +91,7 @@ You can [configure how locally and globally defined exclusions lists are merged] 1. Set the option to **Enabled**. 2. Under the **Options** section, click **Show...** - 3. Enter each path or file on its own line under the **Value name** column. If you are entering a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column for all processes. + 3. Enter each folder on its own line under the **Value name** column. If you are entering a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column for all processes. 7. Click **OK**. @@ -117,7 +117,7 @@ Using PowerShell to add or remove exclusions for files based on the extension, l The format for the cmdlets is: ```PowerShell - - ", , " + - "" ``` The following are allowed as the \: @@ -126,24 +126,24 @@ Configuration action | PowerShell cmdlet ---|--- Create or overwrite the list | `Set-MpPreference` Add to the list | `Add-MpPreference` -Remove items from the list | `Remove-MpPreference` +Remove item from the list | `Remove-MpPreference` The following are allowed as the \: Exclusion type | PowerShell parameter ---|--- All files with a specified file extension | `-ExclusionExtension` -All files under a folder (including files in subdirectories) | `-ExclusionPath` +All files under a folder (including files in subdirectories), or a specific file | `-ExclusionPath` >[!IMPORTANT] >If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list. -For example, the following code snippet would cause Windows Defender AV scans to exclude any file with the **.test**, **.sample**, or **.ignore** file extension: +For example, the following code snippet would cause Windows Defender AV scans to exclude any file with the **.test** file extension: ```PowerShell -Add-MpPreference -ExclusionExtension ".test, .sample, .ignore" +Add-MpPreference -ExclusionExtension ".test" ``` See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. @@ -184,7 +184,10 @@ See [Add exclusions in the Windows Defender Security Center app](windows-defende ## Use wildcards in the file name and folder path or extension exclusion lists -You can use the asterisk **\***, question mark **?**, or environment variables (such as %APPDATA%) as wildcards when defining items in the file name or folder path exclusion list. +You can use the asterisk **\***, question mark **?**, or environment variables (such as %ALLUSERSPROFILE%) as wildcards when defining items in the file name or folder path exclusion list. + +>[!IMPORTANT] +>Environment variable usage is limited to machine variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account. You cannot use a wildcard in place of a drive letter. @@ -193,9 +196,9 @@ The following table describes how the wildcards can be used and provides some ex Wildcard | Use | Example use | Example matches ---|---|---|--- -**\*** (asterisk) | Replaces any number of chararacters |

  • C:\MyData\my\*.zip
  • C:\somepath\\\*\Data
|
  • C:\MyData\my-archived-files-43.zip
  • Any file in C:\somepath\folder1\folder2\Data
+***** (asterisk) | Replaces any number of chararacters |
  • C:\MyData\my\*.zip
  • C:\somepath\\\*\Data
|
  • C:\MyData\my-archived-files-43.zip
  • Any file in C:\somepath\folder1\folder2\Data
**?** (question mark) | Replaces a single character |
  • C:\MyData\my\?.zip
  • C:\somepath\\\?\Data
|
  • C:\MyData\my1.zip
  • Any file in C:\somepath\P\Data
-Environment variables | The defined variable will be populated as a path when the exclusion is evaluated |
  • %ALLUSERSPROFILE%\CustomLogFiles
  • %APPDATA%\Data\file.png
|
  • C:\ProgramData\CustomLogFiles\Folder1\file1.txt
  • C:\Users\username\AppData\Roaming\Data\file.png
+Environment variables | The defined variable will be populated as a path when the exclusion is evaluated |
  • %ALLUSERSPROFILE%\CustomLogFiles
|
  • C:\ProgramData\CustomLogFiles\Folder1\file1.txt
diff --git a/windows/keep-secure/configure-process-opened-file-exclusions-windows-defender-antivirus.md b/windows/keep-secure/configure-process-opened-file-exclusions-windows-defender-antivirus.md index 86d980313c..d9be336928 100644 --- a/windows/keep-secure/configure-process-opened-file-exclusions-windows-defender-antivirus.md +++ b/windows/keep-secure/configure-process-opened-file-exclusions-windows-defender-antivirus.md @@ -34,11 +34,19 @@ author: iaanw You can exclude files that have been opened by specific processes from being scanned by Windows Defender AV. -For example, you may need to exclude any file that is opened by the process *c:\internal\test.exe*. -You achieve this by adding the location and name of the process to the process exclusion list. When you add a process to the process exclusion list, Windows Defender AV will not scan files opened by that process, no matter where the files are located. The process itself, however, will be scanned unless it has also been added to the [file exclusion list](configure-extension-file-exclusions-windows-defender-antivirus.md). +This topic describes how to configure exclusion lists for the following: -The exclusions apply to [scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md), [on-demand scans](run-scan-windows-defender-antivirus.md), and [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md). + **Use Group Policy to exclude files that have been used or modified by specified processes from scans:** ->[!NOTE] ->You can exclude files that are opened by specified processes from being scanned. The specified process won't be excluded - but any files that are opened by that process (regardless of where they are or what they are named) will be excluded. If you need to exclude the process itself, [exclude it as a file](#exclude-paths-files). ->You can only exclude files modified by processes if the process is an executable. - - 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. 3. In the **Group Policy Management Editor** go to **Computer configuration**. @@ -73,7 +79,7 @@ By default, local changes made to the lists (by users with administrator privile 1. Set the option to **Enabled**. 2. Under the **Options** section, click **Show...** - 3. Enter each process on its own line under the **Value name** column. Ensure you enter a fully qualified path to the process, including the drive letter, folder path, filename, and extension. The process must be an executable. Enter **0** in the **Value** column for all processes. + 3. Enter each process on its own line under the **Value name** column. See the [example table](#examples) for the different types of process exclusions. Enter **0** in the **Value** column for all processes. 7. Click **OK**. @@ -104,10 +110,10 @@ Remove items from the list | `Remove-MpPreference` >If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list. -For example, the following code snippet would cause Windows Defender AV scans to exclude any file that is opened by the defined processes. This exclusion will apply to any file that is opened by the processes that are in the specified folder: +For example, the following code snippet would cause Windows Defender AV scans to exclude any file that is opened by the defined process: ```PowerShell -Add-MpPreference -ExclusionProcess "c:\internal\test.exe, d:\org\ui\compile43-h.exe" +Add-MpPreference -ExclusionProcess "c:\internal\test.exe" ``` For example, files opened by the process *c:\outside\test.exe* will not be excluded. This is the because the opening process is located in a different folder ("outside" instead of "internal"), even though the process's file name is the same. @@ -151,15 +157,15 @@ See [Add exclusions in the Windows Defender Security Center app](windows-defende The use of wildcards in the process exclusion list is different from their use in other exclusion lists. -In particular, you cannot use the question mark **?** wilcard, and the asterisk **\*** wildcard can only be used at the end of a complete path. You can still use environment variables (such as %APPDATA%) as wildcards when defining items in the process exclusion list. +In particular, you cannot use the question mark **?** wilcard, and the asterisk **\*** wildcard can only be used at the end of a complete path. You can still use environment variables (such as %ALLUSERSPROFILE%) as wildcards when defining items in the process exclusion list. The following table describes how the wildcards can be used in the process exclusion list: Wildcard | Use | Example use | Example matches ---|---|---|--- -**\*** (asterisk) | Replaces any number of chararacters |
  • C:\MyData\*
|
  • Any file opened by C:\MyData\file.exe
+**\*** (asterisk) | Replaces any number of chararacters |
  • C:\MyData\\*
|
  • Any file opened by *C:\MyData\file.exe*
**?** (question mark) | Not available | \- | \- -Environment variables | The defined variable will be populated as a path when the exclusion is evaluated |
  • %ALLUSERSPROFILE%\CustomLogFiles\file.exe
  • %APPDATA%\Data\file.exe
|
  • Any file opened by C:\ProgramData\CustomLogFiles\file.exe
  • Any file opened by C:\Users\username\AppData\Roaming\Data\file.exe
+Environment variables | The defined variable will be populated as a path when the exclusion is evaluated |
  • %ALLUSERSPROFILE%\CustomLogFiles\file.exe
|
  • Any file opened by C:\ProgramData\CustomLogFiles\file.exe
From 59dfd0f092d8997636047c6cd4777ff523fbb892 Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Thu, 30 Mar 2017 14:43:51 -0700 Subject: [PATCH 45/46] exclusion fixes --- ...e-exclusions-windows-defender-antivirus.md | 33 +++++++++---------- 1 file changed, 16 insertions(+), 17 deletions(-) diff --git a/windows/keep-secure/configure-process-opened-file-exclusions-windows-defender-antivirus.md b/windows/keep-secure/configure-process-opened-file-exclusions-windows-defender-antivirus.md index d9be336928..c8456fa9cf 100644 --- a/windows/keep-secure/configure-process-opened-file-exclusions-windows-defender-antivirus.md +++ b/windows/keep-secure/configure-process-opened-file-exclusions-windows-defender-antivirus.md @@ -34,15 +34,15 @@ author: iaanw You can exclude files that have been opened by specific processes from being scanned by Windows Defender AV. - This topic describes how to configure exclusion lists for the following: - + +Exclusion | Example +---|--- +Any file on the machine that is opened by any process with a specific file name | Specifying "*test.exe*" would excude files opened by:
  • *c:\sample\test.exe*
  • *d:\internal\files\test.exe*
+Any file on the machine that is opened by any process under a specific folder | Specifying "*c:\test\sample\\*" would exclude files opened by:
  • *c:\test\sample\test.exe*
  • *c:\test\sample\test2.exe*
  • *c:\test\sample\utility.exe*
+Any file on the machine that is opened by a specific process in a specific folder | Specifying "*c:\test\process.exe*" would exclude files only opened by *c:\test\process.exe* When you add a process to the process exclusion list, Windows Defender AV will not scan files opened by that process, no matter where the files are located. The process itself, however, will be scanned unless it has also been added to the [file exclusion list](configure-extension-file-exclusions-windows-defender-antivirus.md). @@ -64,7 +64,7 @@ You can [configure how locally and globally defined exclusions lists are merged] -**Use Group Policy to exclude files that have been used or modified by specified processes from scans:** +**Use Group Policy to exclude files that have been opened by specified processes from scans:** 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. @@ -87,14 +87,14 @@ You can [configure how locally and globally defined exclusions lists are merged] -**Use PowerShell cmdlets to configure file name, folder, or file extension exclusions:** +**Use PowerShell cmdlets to exclude files that have been opened by specified processes from scans:** Using PowerShell to add or remove exclusions for files based on the extension, location, or file name requires using a combination of three cmdlets with the `-ExclusionProcess' parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/defender). The format for the cmdlets is: ```PowerShell - -ExclusionProcess ", , " + -ExclusionProcess "" ``` The following are allowed as the \: @@ -110,18 +110,17 @@ Remove items from the list | `Remove-MpPreference` >If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list. -For example, the following code snippet would cause Windows Defender AV scans to exclude any file that is opened by the defined process: +For example, the following code snippet would cause Windows Defender AV scans to exclude any file that is opened by process: ```PowerShell Add-MpPreference -ExclusionProcess "c:\internal\test.exe" ``` -For example, files opened by the process *c:\outside\test.exe* will not be excluded. This is the because the opening process is located in a different folder ("outside" instead of "internal"), even though the process's file name is the same. See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. -**Use Windows Management Instruction (WMI) to configure file name, folder, or file extension exclusions:** +**Use Windows Management Instruction (WMI) to exclude files that have been opened by specified processes from scans:** Use the [ **Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties: @@ -135,25 +134,25 @@ See the following for more information and allowed parameters: - [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) -**Use Configuration Manager to configure file name, folder, or file extension exclusions:** +**Use Configuration Manager to exclude files that have been opened by specified processes from scans:** See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring System Center Configuration Manager (current branch). -**Use Microsoft Intune to configure file name, folder, or file extension exclusions:** +**Use Microsoft Intune to exclude files that have been opened by specified processes from scans:** See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune) and [Windows Defender policy settings in Windows 10](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune#windows-defender-1) for more details. -**Use the Windows Defender Security Center app to configure file name, folder, or file extension exclusions:** +**Use the Windows Defender Security Center app to exclude files that have been opened by specified processes from scans:** See [Add exclusions in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions) for instructions. -## Use wildcards in the file name and folder path or extension exclusion lists +## Use wildcards in the process exclusion list The use of wildcards in the process exclusion list is different from their use in other exclusion lists. From 7711df8eabf2a2261d993124923dd915a984a2d9 Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Thu, 30 Mar 2017 15:32:45 -0700 Subject: [PATCH 46/46] exclusion fixes --- ...e-exclusions-windows-defender-antivirus.md | 8 +++---- ...e-exclusions-windows-defender-antivirus.md | 14 ++++++------ ...e-exclusions-windows-defender-antivirus.md | 20 +++++++++--------- ...dav-powershell-get-exclusions-variable.png | Bin 9714 -> 9323 bytes ...troubleshoot-windows-defender-antivirus.md | 3 ++- ...indows-defender-antivirus-in-windows-10.md | 3 ++- 6 files changed, 25 insertions(+), 23 deletions(-) diff --git a/windows/keep-secure/configure-exclusions-windows-defender-antivirus.md b/windows/keep-secure/configure-exclusions-windows-defender-antivirus.md index bed4fbf9c1..874d94951f 100644 --- a/windows/keep-secure/configure-exclusions-windows-defender-antivirus.md +++ b/windows/keep-secure/configure-exclusions-windows-defender-antivirus.md @@ -12,7 +12,7 @@ localizationpriority: medium author: iaanw --- -# Configure and validate file and folder exclusions in Windows Defender AV scans +# Configure and validate file, folder, and process-opened file exclusions in Windows Defender AV scans **Applies to:** @@ -33,9 +33,9 @@ author: iaanw - Microsoft Intune - Windows Defender Security Center -You can exclude certain files, folders, processes, and process-modified files from being scanned by Windows Defender Antivirus. +You can exclude certain files, folders, processes, and process-opened files from being scanned by Windows Defender Antivirus. -The exclusions apply to [scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md), [on-demand scans](run-scan-windows-defender-antivirus.md), and [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md). +The exclusions apply to [scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md), [on-demand scans](run-scan-windows-defender-antivirus.md), and [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md). Exclusions for process-opened files only aply to real-time protection. Exclusions can be useful to avoid incorrect detections on files or software that are unique or customized to your organization. @@ -48,5 +48,5 @@ Topic | Description ---|--- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md) | Exclude files from Windows Defender AV scans based on their file extension, file name, or location [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md) | You can exclude files from scans that have been opened by a specific process -[Configure exclusions in Windows Defender AV on Windows Servery](configure-server-exclusions-windows-defender-antivirus.md) | Windows Server 2016 includes automatic exclusions, based on the defined Server Role. You can also add custom exclusions +[Configure exclusions in Windows Defender AV on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) | Windows Server 2016 includes automatic exclusions, based on the defined Server Role. You can also add custom exclusions diff --git a/windows/keep-secure/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/keep-secure/configure-extension-file-exclusions-windows-defender-antivirus.md index d4baacf3ec..3d78deccde 100644 --- a/windows/keep-secure/configure-extension-file-exclusions-windows-defender-antivirus.md +++ b/windows/keep-secure/configure-extension-file-exclusions-windows-defender-antivirus.md @@ -42,7 +42,7 @@ Exclusion | Examples | Exclusion list Any file with a specific extension | All files with the .test extension, anywhere on the machine | Extension exclusions Any file under a specific folder | All files under the c:\test\sample folder | File and folder exclusions A specific file in a specific folder | The file c:\sample\sample.test only | File and folder exclusions -A specific process | The executable file c:\test\process.exe | File and folder exclusions list +A specific process | The executable file c:\test\process.exe | File and folder exclusions This means the exclusion lists have the following characteristics: - Folder exclusions will apply to all files and folders under that folder. @@ -95,7 +95,7 @@ You can [configure how locally and globally defined exclusions lists are merged] 7. Click **OK**. -![The Group Policy setting for file and folder exclusions](images/defender/wdav-extension-exclusions.png) +![The Group Policy setting for file and folder exclusions](images/defender/wdav-path-exclusions.png) 8. Double-click the **Extension Exclusions** setting and add the exclusions: @@ -106,7 +106,7 @@ You can [configure how locally and globally defined exclusions lists are merged] 9. Click **OK**. -![The Group Policy setting for extension exclusions](images/defender/wdav-path-exclusions.png) +![The Group Policy setting for extension exclusions](images/defender/wdav-extension-exclusions.png) @@ -184,7 +184,7 @@ See [Add exclusions in the Windows Defender Security Center app](windows-defende ## Use wildcards in the file name and folder path or extension exclusion lists -You can use the asterisk **\***, question mark **?**, or environment variables (such as %ALLUSERSPROFILE%) as wildcards when defining items in the file name or folder path exclusion list. +You can use the asterisk \*, question mark ?, or environment variables (such as %ALLUSERSPROFILE%) as wildcards when defining items in the file name or folder path exclusion list. >[!IMPORTANT] >Environment variable usage is limited to machine variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account. @@ -196,8 +196,8 @@ The following table describes how the wildcards can be used and provides some ex Wildcard | Use | Example use | Example matches ---|---|---|--- -***** (asterisk) | Replaces any number of chararacters |
  • C:\MyData\my\*.zip
  • C:\somepath\\\*\Data
|
  • C:\MyData\my-archived-files-43.zip
  • Any file in C:\somepath\folder1\folder2\Data
-**?** (question mark) | Replaces a single character |
  • C:\MyData\my\?.zip
  • C:\somepath\\\?\Data
|
  • C:\MyData\my1.zip
  • Any file in C:\somepath\P\Data
+\* (asterisk) | Replaces any number of characters |
  • C:\MyData\my\*.zip
  • C:\somepath\\\*\Data
|
  • C:\MyData\my-archived-files-43.zip
  • Any file in C:\somepath\folder1\folder2\Data
+? (question mark) | Replaces a single character |
  • C:\MyData\my\?.zip
  • C:\somepath\\\?\Data
|
  • C:\MyData\my1.zip
  • Any file in C:\somepath\P\Data
Environment variables | The defined variable will be populated as a path when the exclusion is evaluated |
  • %ALLUSERSPROFILE%\CustomLogFiles
|
  • C:\ProgramData\CustomLogFiles\Folder1\file1.txt
@@ -276,6 +276,6 @@ $client.DownloadFile("http://www.eicar.org/download/eicar.com.txt","c:\test.txt" - [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md) - [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md) -- [Configure exclusions in Windows Defender AV on Windows Servery](configure-server-exclusions-windows-defender-antivirus.md) +- [Configure exclusions in Windows Defender AV on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) - [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) diff --git a/windows/keep-secure/configure-process-opened-file-exclusions-windows-defender-antivirus.md b/windows/keep-secure/configure-process-opened-file-exclusions-windows-defender-antivirus.md index c8456fa9cf..48dcf3df40 100644 --- a/windows/keep-secure/configure-process-opened-file-exclusions-windows-defender-antivirus.md +++ b/windows/keep-secure/configure-process-opened-file-exclusions-windows-defender-antivirus.md @@ -1,5 +1,5 @@ --- -title: Configure and validate exclusions for files opened by specific processes +title: Configure exclusions for files opened by specific processes description: You can exclude files from scans if they have been opened by a specific process. keywords: process, exclusion, files, scans search.product: eADQiWindows 10XVcnh @@ -12,7 +12,7 @@ localizationpriority: medium author: iaanw --- -# Configure and validate exclusions for files opened by processes +# Configure exclusions for files opened by processes **Applies to:** @@ -40,8 +40,8 @@ This topic describes how to configure exclusion lists for the following: Exclusion | Example ---|--- -Any file on the machine that is opened by any process with a specific file name | Specifying "*test.exe*" would excude files opened by:
  • *c:\sample\test.exe*
  • *d:\internal\files\test.exe*
-Any file on the machine that is opened by any process under a specific folder | Specifying "*c:\test\sample\\*" would exclude files opened by:
  • *c:\test\sample\test.exe*
  • *c:\test\sample\test2.exe*
  • *c:\test\sample\utility.exe*
+Any file on the machine that is opened by any process with a specific file name | Specifying "*test.exe*" would exclude files opened by:
  • *c:\sample\test.exe*
  • *d:\internal\files\test.exe*
+Any file on the machine that is opened by any process under a specific folder | Specifying "*c:\test\sample\\**" would exclude files opened by:
  • *c:\test\sample\test.exe*
  • *c:\test\sample\test2.exe*
  • *c:\test\sample\utility.exe*
Any file on the machine that is opened by a specific process in a specific folder | Specifying "*c:\test\process.exe*" would exclude files only opened by *c:\test\process.exe* When you add a process to the process exclusion list, Windows Defender AV will not scan files opened by that process, no matter where the files are located. The process itself, however, will be scanned unless it has also been added to the [file exclusion list](configure-extension-file-exclusions-windows-defender-antivirus.md). @@ -89,7 +89,7 @@ You can [configure how locally and globally defined exclusions lists are merged] **Use PowerShell cmdlets to exclude files that have been opened by specified processes from scans:** -Using PowerShell to add or remove exclusions for files based on the extension, location, or file name requires using a combination of three cmdlets with the `-ExclusionProcess' parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/defender). +Using PowerShell to add or remove exclusions for files that have been opened by processes requires using a combination of three cmdlets with the `-ExclusionProcess' parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/defender). The format for the cmdlets is: @@ -110,7 +110,7 @@ Remove items from the list | `Remove-MpPreference` >If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list. -For example, the following code snippet would cause Windows Defender AV scans to exclude any file that is opened by process: +For example, the following code snippet would cause Windows Defender AV scans to exclude any file that is opened by the specified process: ```PowerShell Add-MpPreference -ExclusionProcess "c:\internal\test.exe" @@ -156,14 +156,14 @@ See [Add exclusions in the Windows Defender Security Center app](windows-defende The use of wildcards in the process exclusion list is different from their use in other exclusion lists. -In particular, you cannot use the question mark **?** wilcard, and the asterisk **\*** wildcard can only be used at the end of a complete path. You can still use environment variables (such as %ALLUSERSPROFILE%) as wildcards when defining items in the process exclusion list. +In particular, you cannot use the question mark ? wildcard, and the asterisk \* wildcard can only be used at the end of a complete path. You can still use environment variables (such as %ALLUSERSPROFILE%) as wildcards when defining items in the process exclusion list. The following table describes how the wildcards can be used in the process exclusion list: Wildcard | Use | Example use | Example matches ---|---|---|--- -**\*** (asterisk) | Replaces any number of chararacters |
  • C:\MyData\\*
|
  • Any file opened by *C:\MyData\file.exe*
-**?** (question mark) | Not available | \- | \- +\* (asterisk) | Replaces any number of characters |
  • C:\MyData\\*
|
  • Any file opened by *C:\MyData\file.exe*
+? (question mark) | Not available | \- | \- Environment variables | The defined variable will be populated as a path when the exclusion is evaluated |
  • %ALLUSERSPROFILE%\CustomLogFiles\file.exe
|
  • Any file opened by C:\ProgramData\CustomLogFiles\file.exe
@@ -212,6 +212,6 @@ See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use - [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md) - [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md) -- [Configure exclusions in Windows Defender AV on Windows Servery](configure-server-exclusions-windows-defender-antivirus.md) +- [Configure exclusions in Windows Defender AV on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) - [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) \ No newline at end of file diff --git a/windows/keep-secure/images/defender/wdav-powershell-get-exclusions-variable.png b/windows/keep-secure/images/defender/wdav-powershell-get-exclusions-variable.png index adf6c2b6613bff859cb30361d7fd0be1c08c2a5a..68b455b5a3d6e45bde77d3ea2d3073e370597343 100644 GIT binary patch literal 9323 zcmbVyWmsEXvvw%Otw6Ctfx-h6DPCNP6k5DEZLtP|dvI;BqQN0(6-o)3;$9pAv=18G zDI~#NPk`rrzaQT@=Q`KBugK2qwO7`fxo75Hvv!n@mMR(XJz@X=K=%BZvMvCC3&NiJ z5aMG$q4V?av0p^4&rCc30P^;$H%=-qIU`m`0Di9dlwcm0nHGn23Vcv@EqZDUR`3Md zy0`-hOAybnB2q9`q-^a0bhmQ_+qpOcsEHo1W97tGawQj6Uw1njTQC4dfsn#V$*-mE z)|OXIS;2Nr)_}){6hzo7L|0ezTtHxNOLuF4sq5ucbCT=M?L2^vme{85fa;bX5UiN+ zN^E55?ri65188AfiNwkXZtnMV2U-L6FGErPYNq7k@EH8zpTwRQ8i{63OS2)RL_3Cc!?={~`M|sg9u-qE_Mvuv8bW04c!&R( z`Y2*R1XYXwkSn`+~TeadSNddP{`z>PQsUv*2XAI&?wAi0f9$y&7+!*PT3r z${Mdz5UQ34ZZ%(WZ0F!a;Ly`Y?AwGQHibx6g4akIPF$LG*FWC$i6G*jKwO;8HE%)k zc|sS*HW`a~+jDKZ3OE1ME!!#>`zcpM z6W-1az1Jp4&%|W4zdmBJNkK;T!pKORcah(Ydl54m+$sOsAD}@!sAe0yp>W|I-gSd&P^^;l~>vEgZH3Tl6A^4;kd4% zAyhYS*-BM>OPU3^ha*X~;*q!ktL_!}Nez>pp0wjV1rPSPj*RXbd4vAJdVM zlkXH)qUi74%LKdF+P-%wHtm|5n}Y=yKF5WN{0?6DC=i6_apo~|%o0539V~c!IEYw` zdKyKFtVw;4b+nqQ&5xLMbCma22{=+YNLfiYQsrfVvix4pSo0V<$MZi37V>u4p_H+Y zLA+U|pTFDqF$42Ap@X4BOkOau_@jvZIfdi|k<+U~4^<#^JZMyoq$}w%lFGETR`Jr1 z^~!?YaU(@WyW6T(Z zE=}{V>qWbcCU7u*zt7wQdzRpbF3sgS0zTg5ed;O}4}2wz%0Nr6d0eBy{R%PYF!=8! z8pX!BeZ;XXAFnE^=tyhdUG-8*dC=XypE!F>;n#XoXr92;U^v8uBzT|d;B$~82F%#l zsl6_GS;jq2*r48yJx#Gz#irl9cgzj?X_T{d&IeqnMBAiy*pX zbm2>TCOv3y(_xN30&1N~T@hM-4s#;6@y(OGRJ0QRJeWH!2Uix_FPYBT%CQGJlnjH0 zFPtly;o#Y;sR|n*L*cr&t#y93pbs|X7sZX@Vk?0L<~dz4j45>8>6FuGV1Klo!9Na@k&z~oeHO8G*fH^Wtvx#z`BV_BvyCzM^iPg-TxieU& z&VP=DJ-3kqel#W%loICy$mGu$I_M#26gVsb+IAO#s%fmD?^E4pBWHoOyaFr2W3=<9j z-`*_hK@=2cSA08!cJtiBAE9(9Y>zv!)EEex&0=6N`hx=407TT#D_lk)6o%X}pG`9K5sH z*)#cu%QZqemw>3t8sA5nvnFaoC#Apla=z*d1ZH48maP)9JlQIbn5ojsw)e=t;Ala5 z5$i7dSTETwvkxtqR?(XKrI-6ErwlyiUsa+hh-2Sfo*4z;umSbnTKReCa1SAHzv(B@vL8o^L<`%xI`$K zpAiR}K?{bk$a0X10-ZTL!46F!J_1LTtg>L@8ON`K&7Pca9!gb|s9T2GU& zGN1Bh;p?1H9rZWy78o^#AJ$=L_hO+?Wu3n};Z9M}jaIX*ViUTkzI@i%(*bD^?+~)y zlY-rhf}F{xft_jEe>9Cu6D*Q?DETTc$JV^8U9e%+Q0pH1us@IXsE~&vkNH(3hn~7S z?Y)SegIT>bIb$hqK^wJIkMEerd$0zi3hfO)%@wWnR(T}^djl< zpqj4G7tQNCmL3klHxZeq^G4BOtnz>?@n+e9j|tM8fXUpbY1CvpXXCC~t`PqI}A$Adg`GMi+MsEFjM31EP}YxdKF zN7(q|4yk1vYabaIS)TgC&XA2g>F>2+07Vh&;0Et9=l|c> zMa2A8<}!1;#t4ScHH6jEl&()U#XlM;@g6CZb|N>m(XngBK=9X9kHV^PsuUiJopE;6 z&0PQDDejqe7GByZ!lM{M!J5w%R_9rm(2PnBR1*x*serI`IVmciVy}~j#)ZbJ`sG&>T67>;Jd>ECk55|N+j=k&$Th#1+y-Fb z(mwm3&`H3>YJTsMu(I|Sfp(+T2oBdX(T3L$A>n!CVzp)48A1$zF(Z9N^udHNyh)@G z#aTV)L%*O66cy-4!?R)?;60hMT)z?|)7=GYpRR5T7FRV3cBE)!zFsljqaJuX42Qp$ zG#<=rk=+vArP|!@*f6UrGA#EBO@_qSIW*g%Z0ho*2(FY2^#^4N`MZKx^2jq`A-!!5 zee7uF;-!7rqCYM>+n;|g_>0I2xJ@@F9pcKZD|S?i)O2s;wf%}$^8P`1tG!C5>yn4U{Jw=Yuk;Lt(2nSWN}`?^Kp|j2hd2&iIW}geYIZkL}Of`zEvy z78=DGtDI(ks_1hp^sQN$#}v6uWsOyIF*dY0;#iNW+8p#S6$L4Xf>FT3i!u-fllL zLvM7%=C<@3ygW@hB=9YtBald$P!p%_5_cvSee*dH24BIWWb8TFxaY@mRT5 zO;fXCnpMCZs*~o0TuEpE^;^bn=yNXuPVGIa)gd1CdFc*8s}nBE&NjS7h>?OTmW`M~ z#grsafxJI^XMDCBMmdXk;$YB;6XXAUqW<4%CJ?WWPhy3xo~xA;rO{x3_FKVTQ=zY8; zxs2)Fz3Ld7H)s3MPt5&2JQOmaxbN?S7tuBS`F^g$kqp)S4-75Hk)tq5^NtC!C{}c% zb(pl)ulv|vls=C?@4q={&Ng-ts|eFMBV`_ZG@;T$9MSnlOKwcZh2%CJ)(pg?agKO|KT zjFUjG+O+>1(_!6!js@{P{GoPFJ4E(j|3~-KP^aLF@aJQtmwCJ3oMWW{uYyk`mi3h@ zC=7O1T3iBNhZTJX2>n4Fk+O;x(p;~_pQp_}TK)r&=t^^q=3D+wt*o~x)!6A+afWKo z_a}dS;8k64>>Iu+wO@YaiO=|{MXYPz!IK=*T^1H9V=G#JIt;*c+bxZ&AG!2c4m<`C z71S$c2d{9iJC4CLOcGH0O8PYc`ZdG^)|}PuE{XEOEZ+y7jIg%^%vD=C%G+%gxZPQ& zQySAPirxMoZNU6~$SGBXbM)v-FN3sJOGslZC2RRS;giLO`j7ZCKC17JQCai6a>=Z$ z)*WQLzyHfDC$M<>Hr-(R5lYF1D{z^l7vSR}dAbM$vp{x=`8*_~02^sNhoE%~NZ_$a zsHVd-eS-02Rfb20m6Aus2Gfdez3#>1h^cLv_kp2g}52c?Z5RVOymN4+OO#P05PTehM=H0!W zfrym2ljkB!*Gy~xLB2HCM7I<6+`q?AiznYmBp}dz7E3|fR$Xf0#aDK#{KEcQvmKs0 z1FcfbqoL6aO&9_12c(lz2a9ZSP?g02idea=s;Q{eB=gZ}s~?3EBg`%6uI89xXD93u zKWiG6;j{T6D>EK1DrEllbYSBT&dyBf&jzp#iC2CM+6^ezdhgD9{*|mY@PwrFjwp{p zJ+|#oZYb8A-RJxaDV|^Z93q{)ZjtzTsyQ!O7VAFELYP&rMwU-a1fN|9dqit zaph+ozki5;IQjk9Cyia2eRl5in3Y%6iKmMT4lfRj!^$#t+c>Lv8#tOh4JSNe<>Yrg z{uVxMB>hdjMzU>CW=X^(PbOefawuHu=#|1za0hhcF!-#EZ%?cqBU|(Kp_c*zzUAQ^AzQ zvkE(h%iH92Z(k6Oe0@hJk~>~EbD<8#IKAg07tlht+s6JCT4tu<*a}^(zN5{;pEHr; zR*%tuFRdPq>Al1oc#>72jSQZ}r$5}Cx{BpioS@Paw>`Z9`0YsCXvu0vwq!N4U`vi| zrMC@}>#H(de0%CAdA{-aM1zAh2%*ViQ(#PS`LK%6XIw)lu%C=ROMdMIu$_p2T7f=_ zZ{#3+YX_(k%-zTl*d-n!^elxcbLyRoK-eKn36DoN>iMxiU<+6^kDUka|ueA`b z3_vsm7E=+Kfx(J*#KxBk@L0y!S_=tm?`tcJ5RC_k?D~NpNVu4^(i^pUkYtNL$Xt{u z_@nr(&I!*lF5SX{A(pS4Jl$C%Ufzu!%og(bfVdqKsbL;Y+p-oOVW4vvuPpF& z6X_W_kL!K%1ofTzR}BCdN|&t-%z3e*$>f*Qy~7dOHN20|MXU+VoD!*=+D+X*9XC3? zog;tF`QVjT&)7MBF_U$%hsZ9Kc`idhevg#dbWqd^-#G(&^M}q_hPGp+gD$QgMd!@F zG zlVLggbuVT&5?wlBNs?ayvF7hLy@GGFNLz~|$0?iPmgjVH7_R2pV>6XMk9c0o(bnE- zHzRa^wDb2D$5Al-=fL6GfWk^g21TXpSz$?sD>eRH&TEIo+Qy*t~yGX&p0fT|o0Kj_<7x8>_~QLs`|H zxJq{6V>{0D;?VNyNTJV-cgU1z40WL1GwPPCiO=EIv(do8Gb@lm>|xN)iO^pYhxoY^ zQhEx|9x1UArK1*sBcJHJG=Fj~NvW;7(^Y(WFYMFi-(TKu>~U{T)C*gH=;|d0%;{ls zKmBU0db{vF?ZA!Wzh+~Ar;M?xSai*Ps3guFuxdtj>E>Res#^mgD98vZ=u-{9dgXb_ zLR+7D$+OJ0gs1xKfCl&}>j5Z~=`nL}AM4KHS4x z%r)xV7a-Y4e_vAAUrYtQ&j-vi{u+xp4y_gSU$OBRh?8O(fzTjl_Zp`i<18`b-kUmW zrgkgL&f162QuBIgdGG6WQPjUO^xU_tOp&6yZuFy0eObSIYdiVo!A9?Q2W6h-U|vqg zhop`av8dfnY-&J_!z8DA8=qcu2Yi#lHGlwi-_9nLpMPo0>s0t=PHL)NEZiBop&t@< zouS|5>PrHAq?gMZS!0}jX9wPkKhQlm!8Be4$cXh`)xIg& zz?*7xb?@;@C!?R3EZ;O13$G{eA)avms&fHBX>#hHFE8&pUOeE9Z*Eonty$<*9(r8e zS$!-0KKSr{e(I2@I8z6*n$OLfY*S_S8J_*<=sp)o{0#ju-oSx%MwMjPq&Qve(8AtI zt|Vm1xY!d^I}-yBmFX4w2LpC_K(Tb}(q4Awp?}^c&{gaN#T>R$N5lY=wy7Fqye?BD zA|Er$B1(hLQFhh;V?uA-%ticD@|b$wo1vK)71NdoD1DUI=rx4Vy9y)9w>R2a&|2kQ z@3M2?lh=}^8N&)whD{?+>05g)CW>cEg4^yCD%Y1bh&f0QNjPdrf%O5{R3*Pqz~Nhk zyskYYo#z%8ulYuyE>e?A7e9$FJfM|mQ)$lPVGVlt#5BF~X;W>(+mFmBDXvIg`9X;o zr*zcJ)q;X{M_+O@JV=I7n@NCF2rTA zj4QA-T#%9L$73v+STe`1eNYph@&&a|FsQn;Upu#c)CBMmlj>D2OJ-65*D!7#atXHL z02C%vmRTcEs~kgozd5LRTz3a zc_g*afAdnN?-&^WRo_%X$$aO-+V7z~bK`gHp3xgLKsgVW(jH=!oV``K{1cQ_cZ3nJC?!0xuuVl=~AWu6&iFu{8EZW!l#R zNnA*M2t2q;z;*#nXcLq+O&s>#Y@)I_rj$RY^j?1{{5kE^jHL)yy>^EB3y0hJc?g6h zE-77TLbdOs!QN@;>s_TYos2^h>uGju_+&mw4$LL>n0uEMn3&$OZ@A&*dy-uP?QVLO z5Qw#z`2N_#Yh`=KapeWLPdJga%|EtroQ5yBiuS-iZ4*MGZ-$7^B% zT3B#x4+4PKPJdLb1V`l~PoLdPCW#j*3G&u;=W0Ldncr*u`=)2_s3dgn_#P-B5XEVB zA5?&P+*Jcaq_0lc64RVMLT9CncxN8I`!WK%9jW)&6^PngX(yJ&xJvf=qjQQ(df0Pj!kjsZe(Nlxq~QmoU{0WZYK5S+C=t+1|d{ zY@Fg2nMnQpdZxwV8kkS3%PZcLU4-MWbM6~K>#+IT=7mMZ_fmnZo;z10QdxPWfx+p* z(y3}bpGOsGxe{^TSL_n75P1tGcabu}l03PD+C_(vDJ8jEFJHG;1`TP5Uq0+9iT%eC z$xwU{hx9*2P>%lm|5rUtdTxnO(?zo5n7sI_k!+8KfmDpO zZjXa%(wNAg0$kW^%|BAM<6!MmwGGYrTS2!|i!}L;&aTK~lbwY1Uw1a;H$dqHcSY!K z{QfT0#_ews*z*oHBQ~i=w5ymRqDcU9#_u~=d_Io=avRX`dx&|?Qfiuw-Vg;q+Pn|b0EGM1 z&91daTkL2Cw2zTKyG#XkhnE*0WuDQ16It6J?CDh2H~6VV(7@c>@I!OV*&kmP8h(_+ z3%v}9HZ+){_r9w35Ox_cJNv@!@fHkp9xmt)za4&K>}8#bSd;I3(UDIKRye!bGfiw_#|Etw|@{*1@A&ElacP%I5GO_xS~$c7-E+#w>sWumx-&k>%EuR zS7Gvf_iNEMQ-&dhWEve`A1B|i>CdSRO<2rm$~p9%ut9UvYc|Y#PH|W~^~MKgu!Wvr zawTb=HSRk{|7_|%h8y)toN%w2ylcbhQOYi0^VI>L>9C?&hYDBSb8=|^U9~k>xrt*Q z)Bmn#c1yV+7;6;OwG$i?S+Q^hTi|)DcIBsUtAYBPIHP0rJF+S13So_r zX&Swm968MOx1Nm91}B=xT#qF2Z{8lSV@`gvKEin7Qc1WPWu)bFRRcqDwgZAn%R5}+ z5}`MYEWz$&7@IVnd{n-()>j{Y6CIbdGXEpiHc|ZIdiX1xHz0Xa_5a9C*;MGwu>5Cy z_5{V9r!u@wlTw7!vQi(v>cDZ@d2o#n@3;QKz#F%4=i>g?S^EF_fX9EnpYtDY4k0fI a-n20&x_^amV4tZ0Jb$XCT%u_4?!N%;mia#b literal 9714 zcmb_?2UJtRx-J$#q}k|I6p&s*uOdj1B7)L;Oag`u(u;snq>1z*0Vx&;2nYzFmqZ{0 z5d=anl7MtVuQ$PS&O7V9ch|c2zPDEhd;K$ec4p@L|M~uJCdSY}i}o_>Wim1{S{-c- zBQmlJVB)>sB?{tq=FChq@gJ4Dwz(G>8C?hI?_8=79UIX|>8+!GpK|5``$anT);j_& zXQumR-fGXi9o;<1K9!-hi6$CvqDcef1@v@s_jYn~CA&^_^A^#5nPgXYbNBajf;f7U zmC~aXh*r8Yt0%~wRF&J?$pu6vy-QC;ETJNm7`uVJeeFF#WY+Gdr0UdXjXQY(o$ZNL zJ;`cYz9tgQmq=z)drwy7Uiq-CSHiuHIxj=(J{{ zje=C|v6Htmi0tF)Pku5oZZaJWwa0!rD-)s4gS+qW8~Ajo-Wuw{wk^i+rPJfJ9_g%Ga*V6T}4jDatcXLl(X=K+6^>u1#jD#RELFYxqxP@L?lVy9T_m|uk1n}y0~pK`X_ZJ0Kr*-m$$ot#-` zk9`j}+-g~Fra!qJy4yJrRB{a+Ben;t2t^*vdhzj{kbBKiqs2}-PY8IupbdFk2R>-A zqBE~WkM#22VRp=#YJHi-=D(Bl67893=;$h4C+g#Nqaq_e!r||dJ(#LfHYVLv@NRC( z=Zj<9XumeC^Pad@w{~>kO$=o=oc??e~0 zCC*0eWV+x*eYdcS`}jG?Pd15f=^e(;1`sp_xR&4bMG`(_8WTd7#D`+eioT7Knb?pU zL*oN)5Qia?tJn#5WD!k4Nx8p+)Tg1P)vuG4lIp0Hb#-uecQ;Te`51)paH9VC(dJy0ad?%6;Z9FtAGo(z-}KRis^*x}3yDex zih6oMn328a^*Pn%p7&Z!XqZ&UyVvDno=CZV%hzx8!Wi8*=p%%VP zx%*6p#@2vBv|z^O868KsZbb(}TjTVu$eyF{t>GrwOF2s*n^T1jQ4iPlXXBsLzVs<3 z!o*0>x-Tm)C!}deai0z?YRxZl-3N43%Ptp^J$3x<{!teuv{UtTZsjr69FvLrPLbHD zsPsdXw*|wG$!0e9^JQ~#d0CXvnuxE?b2B{&Y(9*FZ|mKjthnf3ze|MDh+IUV!Ma6Sujkx5YHT zRR_ymD+9VWlGjEN@hx?XK44uJWX>8NK~Z;Ggw$8+RKVZ9(x6w5ab6+M2ed5}O*Xdg zH#Bq#8aGJ!L`((w03XN~Ac6#%56u!1wA#03QFsTVFXyi0cTL>u)hYS9e5vu}PgYpL zJQ=%$K05i_y*{?(-_cJZeI#4z(jv@5bX2r@id^bovFwFKxTlqxHDgOfV@f*Qk6edW z^mn8i4lWgAf?_7~ryYodv_t2Tpx7}2gC=V}{^bDV&{e;Fleq%C002=yAuUCz7sN8joINo)r zf$6{G^A!t0=>1fpqI@ehwqMrhoh@HwIJNx!&z?V!7)#2PlF zrtw6yzjh-i+N&#Fc@ZBK8_dNYt_pFN*d%B;jWOPiQY%KPnT`1uNXjVcwY|9ISiAm|4hteY2Z6dUVUT#yty0dzZWV zQ`92b54_~drA6nWJ!QvR;hB=)%su72uKDFCe?Jf70pt zj_u}dY*Sb5vs~O%Fn*~k&l#WgVY4K&D1 z8Km(R+I&CgxW4DU61+Ctlo-P?+TxBIv{b<3t`^t_^nsSXzGhvP53d#ieNVdT*si*kn@F7MXEHr>c5Xjm?xJ0e?j@onN{JN58s}Y%)!<>@7 znlZeHL>#+MN^-)rRpshsSuP zXv{_t%uJ!U@lX&X%!BebSxsY|9KoM&aHiH9?P%{hWQ}rcbzx>!6nm76&d_(o7mbOg z0%$I@PsFO4*hSun-!2=OM$-_Tk*u;ztcRD_Gi7jkA3fg4Tp_)$&)rcjwYq0d<%2{S zHmGKTQwuCZ=qrD%8}nA9U0=6XM+KvZIe*AV^f>>P@kHqCGbpsmbt~x-hIoVjT}4x+ zP5!Y}^)w}P58t6{bCKdjSkhjVy&dzS$Bgf3@9 z^ABp*o{I7|>9NYY`W*=#c+5MN+EDI)vKFH(7rULiDUw60w36Ry8yt_b;Sm|q_m`Rq z(UEFsGq*n_`GdCtAsrtIdT+ttD710VZyHYr|0GX1@Q1WG4V}@ReW*JZ;B2~p=if&TN;D=AEgGPC<&!S ztnsd0&+L{A89anWiz?6jdPEa-*Ak!a%;Sr*eGXD^y|t?BuTZb9tSNp&m`b{lcwJAv z@zovqleQa13QnF8$rTU3S=pja&g1NqLn+o;s)Q@2mU<={y-iC&bBwah!i8|c`vO>I z*6P`he>#)tf?U?EI^28w<0<)LmC4eC%>!+DHx4u1P~Z!$#2b^@i(~C8HPShB6d!4s zCNa~j<)=3ychUv`=}Tw})v(>hmP;?8$*r+0%~Vfb5YiX20& zqj#avVo`9}>Go7+;npKZ`Q@gBt_L)D{O)k?M3AIKmP+C^Z3@r^#QZA=v^g5-01}w% zVSytsJ*BrhXltGbL%vQUQ>E&l{`5-_wxz?D30bLLR}4kw--b())`F;^@l?r#pl$|} zY0q<|ZQFxeS=lLsAzf%R7j31omLb?=7{E;HvBdH4Ab!1XA#|0Tm0wwPNfOl^Xj~pI zQj0XY-X2G521cc86Wr`(u1b5qe(QR#iB0P2b8Cj~5A9%PU56 zIg@x$_SF0k0y`$(Em*ZJKtg+!tZ!JR8%K7Xwj2$`qoY=jtiXHYuOsDfLWLKEG7yq7 zRdJ>~(47b!wGlfATkpkh47B>HccHfQ3=q3r$l@?iw>5b9GV&W$6Jq*=#z9wd_qyd} zhTT%`(isJs((oCED-X#XD1_`^JSEfWmFqAqs)UTc1h=e29aJ0c#sDYAm^;cotja&v zn!Y6#IY#eVE)9$1Wwtz;4q^Owv6icS1?4_w-lVaf(U5ENI#Yk&g6Y&B^+&)qa9Aa+ zYJy@HBL3y|Zsj<=x7K>_Z&1=$;>?ccw^^DQ3cvEM#F>z^OFi;dYmlU|J|4yF)Q4`N zypwR*OU}n}?tY$kgOh`MzYMIPKHBy;PVjf#70_>g-tgFyXWtdMkYJ71cyFC6pW|%S zb|MlZ|M=%`1N6-&KQmlb0s9S)6;VePLLMueIuuo5tCtSVdXT@(jOGjL4oSQ{$;!gQ z!gCTvL@TSp`S)KWgh zp%~&AgWj3!ESq@WSA$NpbdP@NOvFw=Q*Sk`bvo8Yly?WVK*SB5j{ThltVHe3TcYxs z884J>-bdtIeR1-@v9_B98+h)3NTYjZ7;1mH`jK~tnVp;Y5?ns{C)r+B%3MUx^)81Y zQ|tK3LU%CJ_iGvs)>#b-9VqR&%6NW;M6T{x$k4U3IlmPg!Wk1jqAA`J5 zkbOg$xF^uee@^aryQWZ$bpAZP)Bz5lv%>l8g7^IQ@e0Qkq$EmPCK&+2hF86JPIsG~ z>HS*SdIZIk8g;~eaWcicZ7+qQo$-q8R{pNa)d^6OV&RUJ`kUQK=em{lBP5d%*xK)0 zHZ%-Od9xmN66?^PH8Ag;0r5-Ed-A=Co*?&{WX(CF$DpZzQE1TH`M4E`U5h#LlAW8} z`5)rv8F~odg}2Ajs0_?dHn?}){im-GGHG#mLfBnpfQ$XGccByY_p}Owq6iQg#^8&5|M? zQK1KluR>>l@T2`mILD{8hm-_Lb{*ZdrCw^2ojdk#^Wk!x+R5Q=hP zozu9)w02*l#8|pnm{}ej%}pW5Mw`TpP4HM5D<+RE9ohthNv(FJP{ z+?gOfAzvoddl;cPTqvXJHwD0aP3fO^czs&jBUhVjcCf(S+qJ~yA! zZ4~_KRSuU-we^X}KD_Fujot4~EG#)~a*a0nosM;M`705j=|O)#-r&acE?Vf=kx1;o zSWC*vpWZCyEo*HX**d7pkE;(=0qEZp-p1?l4uI^bakw=A+tD>*)8J&4_WX^rkpn zYvD8A;&)wIA#uDlqfz<7`1D@0CI0m$Cgw1A7fC;fxt*bHjO}~qs@k|p!^mVzKeNF_ z`^F5paKKdg&0Ga5g*wGKS5ziArf;ph;M-5qEr&~ zSy8;kue$*Gg>AAnLVQ{H*J{yvce0_cay4)8U*15a|KH;c7L>Yu)-eUxb#*=m)FpnL zDIr)CrLdqK#QAW*L-0xELXZp;=FGFaT!1^YN;rO#zH&I_y7GMlwr#c3rxW-50ipvh zT{y~QbU6dMD(1`89=FojbA5S9HwgTU&UjLHw>TVGX^0~MWK+D(bG|#S87C@EfCB+c zR8es2tH=MZ48a`Z^;+cB>p+t$L+%_DCavq2m)sX4JN8!E^H#_bvOJ;{=`)+CdS8su zZ$tA}ucPW~C8Dh#PI&!EXwjM+3>#vA#^M#`RRf-& ztRwXOgiX}l-LXBDgCuFj-9$O7is7qzAkLn9SqM@*zX47Q!x9OA$@+7I3%PatCutjE zv?E6BH2?6prW>;+-hC;~Lwd}&f(HZ6cU3z(wW(WSC8VJ;BUsH$e(@Eu-WEDLiscIh zmTSeXCX-d+6=4q)OKNV2GW}Q_l31wiX4=1#s&iqvy=X;vbdvhVnw4b@yN!os*y#G@ z=&^J5vo?*@Ma>e+24y;cI(v?|M#XTJrB`Mb1;2!M=MZeDF8J{ECIt({0SL*tPb5^1 zsMw~Wf`i@W4i^k1?+|^pMj_h!n7la$_W=ZJH#eXu{V)mE?NnP>qL#NIK6!(#sg#w6-~jo#sFE+; zEN*wLd4KmX^8&p6hhnM~ByC+)H3QSoxe@(Om3v0`O$30@RXfqn%zbR`^8z~4`DF4P zS+6x|bKr>FPNTnIqY!5N7W|Wn*Y=XssTUK8onY^D`|R^^PU=x7Y?jMcJ-8~?R%|T~ zurMFaz+!wO>o&&&o^cF6+ogb)+DyFR(4g=v16JYOWe*wm+hg-*&p%e86Q&5!AKgjD zgs@WNyUKf)eeGtR+U2`&d)%fZr=Kq1@A7Q-t56-jLaRl_s+s5DKS^U<*^FZzzy=JI z)@27xI+jNab$_k)*$<&GKXlo<$rXw(A6ZzvZImw9RVAr3?Q)_rm1~li&_oQmO)lTw zdig0}hsDNrEsK0#UDQY~2Uu)~9L2zbdntk#V4kEEyKDoL87K+}7Nd4Ko2R!^!oDCh zrn(^BQqgD%Mu(%1j9W(tv%!hkE7m8c42i~miwnLoKP?vCfLj6vj$H1pzw`)~IXNmF z!J82nC~-ZTXUHCuOP1Vug>p6)j-QpyZ`+S8w?4RZ+sEWRuJ zLHrp0+cl>N4B_ZX6-U;%iNH7k9{K_s5+^=%@WF5((Jc6ni%NovZVg+o>h92<$#iA< zY7=mIPD!8W;k)q4HP>nF<&~#-U>EC9nYD%ZndX*>`pW|nQQAv8=Y1`5u;T;xB<7N8 zjPO{XM{TmYz*%7AsgjuULNiKUr*A~Trl(_rX)yOgCnA14RuqVk4#gcbNDzTSlvoP%?!U_ZW}N~D)bCBvXenwvn2Qi19SX7 zQ4(GN1fs(1HZQ$Ah7A9Z=oLA-Pa+PC;qP72Z4t8CrwI&QYwyP9Nty75OxATs_PgU3 zm8J!mYx1L6P0Hi0mVj*q&VT|H%?PHEQC!h^VzO*B=H!y(M$DE6f!6rt`v!PsNd8LY z1lzK6LFqtK^QRvoI0)W8c$i{%!GpckebIDoef;`hTh21_EXkC#eeKh-1yw|1-5`>D zTni0^cQQ36ZQb6&go}#-&zMj_p8|U|Mif55&8_!IVX$b>`5g0#UlxO zeJz7Ug9>J?t|iq0*C_(=aRy}*!w6gL`@VH(;>U>uqOK6=Bym0mp`N1_x{luIP zr++S6bs2l376aN{Wdm+K(Oj@Zfkm$wTojtg|LTn1PkO>$HGD@Npdmjtzv!j1Xw6^g zhsb-Oj{ZB!@873N?liFGMRjDASUZ8BZ){xCD?gjHcYWWd4mRg89t5b)M|myUhYXv@ z7oVvVSL>R41%V_fB16E~*xCSojBmxrlsK=jnQ+^I{Okz2+g*@ro)f?=ij5CLMzA{{ zN^JUuJ|I~*dI8`2**eT4`b4KJn}=mT-N5umL5r#r1Z)uv!8q{2j=K=+gR~orgPLm! zKv;~CKKU8wJXM8^kj~21{WXJPlU7fg`Lm8zzn7?ePORjOZ??o#j;Lc8It^6}k}4TK#?UB*mJAZHlVD!fEqY?DB4dE`5x8 z*qCETchmEo3*9!=HGZ&$i6DpU{h;7`e}2rWdRYlY8ug0h`?$S1!HYUt`jH|+61hVS zLXy!15kw3fkGKlrjcZ@J1@U*#hk)J{rCxHdQl*`y4_t^ZyOqQHrTZ5@+SV@3O}I15 z_D`m@;a9Kzv%Ws9Uq!5J0yreLM@PdBbGrl1%gChbt*3 z-O0lgieqMs4ceWuCcWV3PffvrMCHc=EgLUG?HHmsZ1 z6EB?5z*>0V$9DY4ZF7IGpL@vw{y}I|^Zw?a`#XW}{SO$~uz+tFlrpc+Uno?8!woo=K1xk2xS#fe=H&dY5&bkS-T zMu@A36V3!`|7ZqY;Lx5y^jN>OGnl+rIY!SwFcxHl$wqOoaHHhyO^`y*#XMHcPE?e) zc1nv>nQyML>um?rs60s%T=W< z&EPm0gNa-f4>M15ytLxn08+yCM(9X8DUhx?6*TgV63;$dtRS5QfQ$yOhTFXu)>^{; zX_&Fl>HNiJ^}yyEQ7Rd+FsHLZxZzO7HiuSU2mPHovtWP0U+ymkk^*p~k#J;8DXgXL zopZJjU==-g7RS^nxy%rvX@0>^Byf-`AVlz$=PQ%k$NkFFG?=pi``u(xDGeq@hZ@L8 zQ_~sF9-R1GRb?%#0R-Yug*ml078f4EXH2|JHv_b!w4Vdn$`dEKPX-^DL^R@_F_e9n z?l$wN((#gR?!v(8?*^ePK9_`D&C~chzDad}5@|5_xpGAEkl{QK6i*C-v3Kj5Iw_&XTF&i{tt>PK2Ov_`=Vy*2<)3{fdw9So>{ z@ACL|xeYN`S{TBxD3ADI+aoelsYe!mNyoX^H8VLFLD7h~b|ntG${LsgpJDzr%3SU4 z`@Kf=4mTaoK;2%<_7~LtdjHyG$iqlv3qT2P{uSN|FW$&FN6ZzVT3Tn&PP%rd``iEl zP7Efk9XO`H4eVyJK!|~EOVhUk>)-Dolb%^)|ElN>eC9( zqmn!@BKohgaiuxnOgN>wJzQBtMehMZ4VGd_x@qo<^MB8vn7;wDWLOjD>TV|KLzqER z4Er5-a$B1YPxoZXBS>Chh40!nG@u}^VAc}6&@}fDXZ9DbIb6uW8)x9wcwK&nNRj;f z03veT%{a8+{f0}~KJ#ctkTnpjIK_hN_FDS%+^S@P?Q3Pgb9J99EZ^%ANRowy##0rB zl^0IK2{NuL+QFd;8LG^ZZEKazUx~U3WXz+U6#$u&-1$FLE-i#KX_GMed)rfH(Pr~M zYG~>IMK99=#Lwn@vn4y4V-E995#VZ@VuUoRssuw9fAVpi6?$^{{X3Ne{GGSMoPTa% n{TC13{NFau{=e?Tov4P{DXR`^FYXYJHj(MvH_#}%XBYk-9mV60 diff --git a/windows/keep-secure/troubleshoot-windows-defender-antivirus.md b/windows/keep-secure/troubleshoot-windows-defender-antivirus.md index eabca9e983..ebca8b01c8 100644 --- a/windows/keep-secure/troubleshoot-windows-defender-antivirus.md +++ b/windows/keep-secure/troubleshoot-windows-defender-antivirus.md @@ -2,7 +2,8 @@ title: Windows Defender AV event IDs and error codes description: Look up the causes and solutions for Windows Defender Antivirus event IDs and errors keywords: event, error code, siem, logging, troubleshooting, wef, windows event forwarding -ms.assetid: EE488CC1-E340-4D47-B50B-35BD23CB4D70 +search.product: eADQiWindows 10XVcnh +ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library diff --git a/windows/keep-secure/windows-defender-antivirus-in-windows-10.md b/windows/keep-secure/windows-defender-antivirus-in-windows-10.md index 243eb9a1c3..a9cdcf6735 100644 --- a/windows/keep-secure/windows-defender-antivirus-in-windows-10.md +++ b/windows/keep-secure/windows-defender-antivirus-in-windows-10.md @@ -2,7 +2,8 @@ title: Windows Defender Antivirus description: Learn how to manage, configure, and use Windows Defender AV, the built-in antimalware and antivirus product available in Windows 10. keywords: windows defender antivirus, windows defender, antimalware, scep, system center endpoint protection, system center configuration manager, virus, malware, threat, detection, protection, security -ms.assetid: 6A9EB85E-1F3A-40AC-9A47-F44C4A2B55E2 +search.product: eADQiWindows 10XVcnh +ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library