From d130e6c05171df73d916e409ad814f0e59c01e73 Mon Sep 17 00:00:00 2001
From: Justin Hall
Date: Wed, 14 Mar 2018 11:50:25 -0700
Subject: [PATCH] added gp option to enable hvci
---
.../images/enable-hvci-gp.png | Bin 0 -> 37444 bytes
.../types-of-devices.md | 29 +++----------
...tion-based-protection-of-code-integrity.md | 40 +++++++++++++++++-
3 files changed, 45 insertions(+), 24 deletions(-)
create mode 100644 windows/security/threat-protection/windows-defender-application-control/images/enable-hvci-gp.png
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/enable-hvci-gp.png b/windows/security/threat-protection/windows-defender-application-control/images/enable-hvci-gp.png new file mode 100644 index 0000000000000000000000000000000000000000..59c071a50cdfd0dfae11350a45ce505fd719e09b GIT binary patch literal 37444 zcmbrl1yof3yDmO}fP#Pu(g+5jlz?;!3L;V>B`K*O9YYUDcS$#hG$WnE(B0kL3=IPV z40AVr&-veb?)k0%{jGIaYhp8de`H30|&B9eXg<|7D%T@1Y3 zZes)g`D0%00DNHCeUy;|75CF_0SC8CU(3G+fl9&&ufE^{$9JsXY1)B6#4R^3tPZPO zBM>NZO7_j`PfohKb3|^cV=4R>bOjH!3WgMRd!CX;ym1?z%=0Z#SX6tW`ff4o({mRX zO#h+x>GON8QZ;Js^|~cud?JYw(3o`c&Evzo=R$|h4EK3M9T_HU-k84X3%J91zrxUh zS4nFjViw~v8VuDM*%K9%#JF$SXa200xDEZ0Gs}>p#2I}<4W;%Yx(7Dc*kTTIidb!dBkfaFA z$(bF*;b{LFy(?(95i9~+rL<_^i~X~DztLJzasQaJ-g@~?+7%R2F)p-qJkG3esaR0J zkz$2j`s1*gd)jn=XBQmSTkM29<-Z<$xxc@b3N(=|c{ky8^FX#;@aLmhy8-zmK6$aq z-FcYn#mSbe)`OiMA9|02CM(PuY61y!J83z?)1Bwp$$Y&N4XIQ>_t5KJE{3QSLEXB9 zz@@yGJ>wxfdC5cJ;g4eKrfTDq*&p#t`>on(ehdoJWZGTok`0e@(2}y?u^nNlJMSgv z&8JGW{B78c3$fy|6cx<(SuMn1fsTTuHJ_qRG%^Gh_f2|#dFhF*Z$4%mRynefRIVa= zH%M+$r%tlj)u5glI%BJ4m0-=Q^ zGJ7#lSaPA))!`{5FsQDj!&u3xUd#q7#sRTBFnbl@PAl<5((7rKvFjNz8o3s?AZYKj zY#NR}$l^@BO33Q?iC*&-r*m<(UajDt7e2qZgrfJ*8A~l$Su)~Ri&8aOw@$AHrc7vh zV*3`O2SiHb6=W_IANp5Wd;JT~0&!|b9ib>e?%SymjwEp!d+isF+WdhGU0QTDJw)%VKbn-oo;=Y0{xSPo zAk++Y3le3ky~j6mP(LnpGO-oP_oC^!f(U077Rb{s(+jZzdT^g0+1dc5Cq_9}XSx^; zaoTvgGtvT2GKz6``!ID$@9uOSlOew6da4L*K<-_uFU*u-NV3QXY5R_%Wc47Y>qA3C zZa#bF)EbTJnRQ=5!~N$eBPww`XY{3654htuZoR=d?>FeyDQ|0qA%_~;1zwdUSVcCO zA(q#iz!@^_pKIe(dB*|*o%m+j%~bz18Eh; zl8V9{m4kx24JQl`T&bIkO0zQXF+q+}}Yyi)h#|fTG_o_3%1TFIP`iljEqo&Ze}Y49pfSOYRN)^Oh{|Z z5XxudV$Z39w;@ocG{PqQKJORTkl^Sb@qKR=szTkBWZ%nt!wH$$&L8Tlx9;s0QjfEi zK2YNsSZiycAx}T}+Ngw`^d~a>Fq#P2STJc(=NF+GR_K zMMeU9A00lAne%~*U58BVht}I{t7ESFqWjVC{o?ZpNWv*6=ZD>0fh{kp2(fa7 z+M&6|Hs@Q~U9H!L#3EP1N4IsDissg6NjPUKHcF zpoq(0!OF_HiTNF(S>!kOtYk)pjGTi5LsTp2y5Ko?x(vd{TMw?*y07gf*3q+S=`O$Xo2rLVirBU1DUPc4{d6i(DPWU 
zfXvug>+4rT7RT~ba=Pc945ISfOK0Y&Jk%_j6*On&E?1|@D<7VXMz&$g6Uoay!BR0# zaoyA)dlF@zO6BELr-TDoEy5;tfj$8-FRdm3Wl9$c!e@D>M6AFni|le5rywDx zrgjEV??~tOK;!4SY}ZM}I+vE5T;*dLkVKyH3Mewl{nfqu1b6E%4%6l@&Pc^Cvj;w0 zj&GK9&>hEBiCrAeFe{?!Ag;#yUO4#kt{500+<6G&(FSffhOp_@J9SOKJyK`ce^B;J z)!S<37$*jVH5apKWqNWuI*T-&9ZY_G=>FJq;c18Emn^TL(a%EW73ZVpQC^9jDsBX~ zrrB%glgjuJnd8g33yr3WRE|@k>ot|4$^(u|DH-a_P>P>`nH&hZsYP}+|KS_8+KiH^ zZT-9o(b*oLjc}eK!p$Tux)t=Q)(k=Bp>e2ZZe=y-!MnSgnGFO%Pe=q+XHG}=$=1l2 zfW*BakSHTPGuffJH)enngMx}(wsl8`Q(fClUCM-~Dmktm=*>g+vkZ~qs4~p176qM< z+xZ-Lp`a*5Su>F2dnXrxju6G_NhuBpzWkK&h782gN ziP+QkZXnVxYDpmKdw!B)0S+R}{sn5_Jp@0|GD+Ip&C#c}{xxrO= zem9LXjQzW9{)>w~FLwK^6%`p6Zt%ld`F`}e9c`R|f91)F0HgKHWKd(eONdLoaLziN zTYR1Q?hg0M1L2Fy=rlJOkrScnwc#@LlTQ3ugafB&y;G)J1ean>PgUqFpNb{^jI$jo zOwdgFMOK#?%;NxoQY*x67Hk`l#=|wKj7xWvu5Son66&~oU&2?sp;hC2zveqJZIG;D z_=Y#Axi3{z%hDNk&`fAcXdtkWY`02&D}aWemFynDWU?1G#pK}GW?R2L8TjR4MboQE z!KfBP&}x}x7n6evgxsr>u$;{lt;$bq{mN{Moyt}cUYSbz0H!&@@^RU#*^rd< z8gN_Z0gf(4(yo1!7@}_DHt#+BiW#Qgw36$AS zQ|GHu>vAc}PR{*+m2`SHDlKYZE}$pys`+ifBSpvodcXAacoULVzbKW!YdS7&RuL8w zaEv}Z2KQ1uo{5E?r5@1F^1rOhmlXS>`bjYQo0sqde)5+CcRKMzu3ql;71#DuQhw0B zdRbs(^vqhaxvMF-*5Y?%Pw&i!iowAS4v&E388+|%kuXQkwx$gqjmLnlvOA3JgZWZF z^5NJgsurfDyi6v?^1EYFE$rF7^cu|hsXUvo7H=h2z1nkSwNTo`(+6KAz%=w?BhZHN zkYSptIY$_2Y01Plou|cAAkeDvWMLyNg|_u!)wRdeQMR})yf$k^9lYRhMl_+r3$-*+ zQ5oruVRdzJNfj#HP18-O(Ql$k(L?9YGPCyVehE1kiXPmY;}PhMzQu>LC>xPKaPJat zuXD0QqHzqX0!w-I&dC(3OGsbIZar!*KW;Ub(v*U4W2xN0WJM@=z%gQQ#o+Al@bD}< zzb+;EtDXZHM_$h9r^pcc?kUuHV}rNZ*r&3k_u02OzfNvAY%(HdOT;WG{MPLxD?KOf zfIzk^Y-I7)C-HF9MI2n?Y%5ETS`;~{_{nXl45DSzEx3_-7D_cTkcO(FNQTV&I&A2? 
z+DY!pNkc+``)HfS)#&%iHBrytsUM$;{xdwP?)_v@Qy*zf>Lt{o+(xO_=FOnhl$CpR zN?R?-7hzfI9UX^i1%Y^$RBV6jtY=z+i`;QUc!zsuDyK|$sbcR1K8eK2f4p-uv`k-L z>RdUAQ?iPZOMNq_&7&3^(PHHs-I8A4zCKn zZJ$gC5}r|iCi2`w-U$5hmTJc`7FUGp3xi~q9~p`6oW1=?yHj|&0$g#6FqggO$`6$>hwzIrsE6xf=+M9fE$Vz_Xy~apB;6cX#L0T& ziA@E2c+bv9T~MVeJhB&iAs_e>`9XB&?l^@XdG`)({ip8b zya4_$%gf^qIHgU(`BxOTP59L2*i*|`xnk0P1#~`cGT+@IA}1_#Ix(1Kiok=SZEbul z4mtIr^X`b+xxQ`N9q7cLGVr}4I}<%(vO0`!MRa;bFTzI85Z~CJhDCgcg!Z&T5xv2BH;1 z@fB%OQEQxv@Z^f#@b;_JDMuz_VdkTQI&3n6yA7xYhxVF<^HII|_2;iB;o=Tm&ZLg} zq~R^fds563A4Fuuj5H$m(~zOZJ4|T?n$U)m;X9DiK=lPDMX@a<@Cmu?Hq{7|*5!(7 z+Wo6y30nJ9X-JC+?!1fZYCI{k+j1GRLV~uuO{1o%8hSvz2#mSf$fAeAw&1WoYZ*=K zbkG<&R2C4?rMjS@63+$PO&#=B~l z#)S^>PnCLhNlpBl;br0aIS1ay>QP{3RaM%vtK+B4moncyPCX6nkci0Sx||UwzGFp< z^J&ECr71rqe6HKUGg?6m6^=PNFSDA=Ld{s!AErWC96G8*da^%H#B~T;7r)fgF{qkkGr0UF_JwbuZV-`U~^K=7h2=yP|yU%;8szt{c%z;~y~1 zaPf|Ib1onAxAKXbdjjCSw|WkQf~OkbAB%$p9SZ1n{%a4}IV%6_H)BV(y6DB@5lm{3 z=23+r9CdAzmS=13>vo$ESDHBV3Nb$;Bb_Qb-jKambX{dK>gJ@oR#4XOvC(XIeXy5? zxkAB(mJ&=a+R8v6DrXm78fVrQ9A%Ge@kiTtTG!28(<;+UnHOD&>)RD(o!KNJ8$Tt; z8H`*ibUVxKmDf7rwPNQe3hIep#wozv2x(f1dYoRR^GlczPMk;F=E|*5++WM^9Og5d zM!6Xlrr1yG(Vs2vhk<3rN#-FKG(SEDb?DD$H9uQ7;Bu^(Cb|;5rYB%?FadWyorGT} zK@}>InAm>g0y_G1FRciS+@J4zBsh<0g``KO`Jt~Pv)VHiRKadDa~_ugY+lKZdzd47 z=D2W#$4+P0{*}i`u%3{Yj*Ec#c%0(-T;txHmHYB>n%MfU6=Su|=s!w}oRI6DYxm2~ zT9_Wpl$-NNDXSI-s?AF88ckw}PUD|LFNcqdxuSOmi0|ILD!nY?^f+Xz!2wAy^~Y^= zzdoBUiMFH(erUwjsDMc6xsW|vy6zYc|LO*2J`nA%i&WTbJMo5NB{=OiKC0nuP!K{L zTkX-l5LOm@mXp%c5BK%mNVRYFAq^Av3ngM!%#dK%w!L<>xH} zirwFr=1U4t2Lq%`Asz=_r-6zJP8(qE&GYlDmTHLzQ?HE10r~4=$n}8vL@~Nc(PMac z*mgklY}R=rr9d6pa5^sS<_-cK`KB}kQ#n$keA?ftfte1Z$hk#&GMBl-mQG|<(qhYS zpu32V%#tJXOMxUbOY{M4g~I=Ha}+M7~E9x2spg&$34rTzuI%2I%GE4=zPH z=~nqMci?lF?ZJKKPwp$)1!wdaopo*jx51inOcTEUmK)|LXL9DlQ)xVLB}`tl!u9C> zf}5&{z||%H0)I83=!;uOx zq{sbqZa?KxLIkY3e!8ymAc}EZx<^4Cb{THzmi~h1Bl?9Je{OD3mG&)cEU+7jLP5l~ zQ^+f&lpa&l-A$T`Ikjrlagnlew?1E7OzKFx=GVJ4K;?*G*2_5EMZ9)xhP#-}tB6wh zmck8kuA6`;;pR~4u&j3(WKi>yj>wmi4pW1%zLW;m3_#m 
z=V?59;Jo=wk4i+%dIa{iqySTmT2QD(T#fvU?eJN6 z7$9|33Far4Ic*YBXd`2ua;v=qWk}EtiE{y@s%Awy zIyb(=CI3k0&Vh}GYC7bgZ-o_pcpA75PqUT=MKu9DF9f%jpw(X!Yrq%}dD_ydf_Y|*&meFGy2bfA>L5OC7K%w z>iPG&x&HxY{Qn`ZFx>I1WjMicFn$f~J9wUQfJ~oVlwbP%@S5 zdJz7CFY6ZNU6yK;&Xhc)AP^&~8q47Hw9uDkpHLe9{uJS}@(~5$z3P=sP79UpJIu+0 zM6Yv00|iOf@urmdP1@ z)i8vzh@AD;Q|5I=hq>Xhzi=$IYM~?nMHmcaG-id1)mkq}q8fctcM*u6B-&*Y7Fzs` z8wory-ZY!}11yzXmdndKaZoT6q$FT}9P7;{W?dWgR)Au{7_6O&z0$Qd3sCCSNkYzg zhN`GwV%*#lCB*;fQ!Fi@rjzau}>3&aAVS5`XGlz$hRs~Onl||15 z+q_D8&V;*3e@5f8S3vI}{P*#VXo=qVWAE1=_vhuLzMzjE)UZ82_=0LQU$=O*=mcO6 zl?vg-kg6PGN1T+USpL&y(5@K7Q|A?f9o|~_`K`|wmb!|)rM6hdXq{5q2U(Gc6!M5i zU*ZIwU3#)SH{!X{Y%pGNU`cQj4xp`82Z7QV^6pER3`y9tSa(0qsYfGcj=b)Kk};>) zN4YI_cw=3LIWip(3&49V(|Hz-)|J3HFw^5u2}dz->^fTui3Des#~> zxcR9}7?8&jZE0yCq~J*Av!Et|{B%Cso71YYEXvKT-mBdS6GdtyRKz3dYuq|$&vXS@ zZfhjm12JePKlJ;=oaSartj6>!(xWZt;R1RO49Efv$0_@6D>Mt~@N)U*KXsFBJRPii z=5~nml!0Y^7pGB%&1l4oslobEb8-1riQy$H2z1ZV%>?&-z>$SZ>rHlVi|{5b*ocz> zy#E^t9?w+*!EF!&?aezN2;BLn8DAX+mV~X7Vd2aNemC0U zlC>A`>;LyN<89oF%gc#EO}i=MxV{wOxa(oQ?9L6~jC6svf5)ovZj32 z=2#(tx}`sfXeu;NDF0-b9e)i_lt2Mbg~&Gd_aW%h3H74Ss%mP;R#HW_&*hu@*L(Xn z{_MS-9gnDa?Z=m{b8=6cEqII{09TPEZYnJf$Vm!}Te2q}`8*=1q{{N_*%D7*P9wlnEeOwlkx)!Z)J4 zZ0TOZu=P!Ow8^c{{-oLQoCV#)!vId;`i&H@g6Qd|X#uA}2%YY)K^8Z_m?JYcHEk*> zGgEfXb~g6oTR14cYc*V3M)Cp9@#;Zyr`!&nQB+dsTGIXUyf1!SrS z^(X6hi#H>wfZNaT8<@;b6$R(Z-KuYf%dLS=+8%%WN+!1TEBZ}PbB+4qQkyM&ZKhQR z2XMXnRJ7}|NI^6pDJ4G>PU0=InL~KFzrW%VnOwO=c|4(YLYvJ7*Nq)0JqE%cD1iNc zoAR)OMD#4kdT+}`z0F<*j(|@ zkTUfpsp_fxyN)bctloFt!&cNd z-^MaFKd{&{`J!zK+OxHm5@gB^Sp*a}W)Kxr!MzmuR0a@pQgR7b zB)X8B`6;=Ddn4F_Bmy)tJe5>b>_+7I9qjEzkdubMnB^yK%s4&%*{ zrCZMk72bdn+OVGe z+vcr(W8MwNCTp)*y7Nq5F>U7}<*I0Zk^pVJ9~0b2e#)0D&?p-Sn9~1g?CaOBGX4WC zY`t#+vIL>GIg4oG^*Gws6RJW(fINW_(17RnJVOYc4JeQp_mTU_5O61fpmby3Id1yg zz}@F8DpM=(NW9tZo^RgViqNE$$dvM;&~;kc(ZkdN=eS>-Q0TcSi`{;Cvj=f5iEDYT z_8#84)~HEO*TvGGAT58>qzE<) z+ZM}5Sa98!K)=gFfPwE-avnp|;D*GCvz2aWH^r9{HWJZe-DxyaCM6pz#@C+p&$vvj z--h?z?8zlyTq+8JYr9nou_Pb99*6=azUm$SBHsj>wqH}Bm^zXM%giyg)_BIgz+}Z5 
zKUEzz@La$T-_=Dexev^e2A|Ia+C-fOGas31IyT(w4`rZ9sK;r+fY@cBn|>*0(z~Vtz)gCP2-&E@=uQ$+XTjDTfw|Wk^gP#ftyPDO+Rpf zC@AW3lIwPEhA$b75ecXZ_%~ZyBIf6RXG$` z$9&J)@-S<|GD*r=mHDPH$9BVC{3>JiDB}Pn~a*$`!_82+@ZiX(9f6uB3(vp zN#oP}q{Q#xQ-6d-%SoLRBjuZA%Crn>X zA|Pt6_q}eyAnOAWYyxoNW74rKU}+_PD5Vef)?2J*2h$tNu?tE$d;ZPle5q7E(Kj7` z@a?YHRAAGZWEe_UsZeQ`W|{gWG_pEBv*pAPBj zSZp@t$$gm0_zd7oiwtBe65mfv#7g~SaC)k`dMK^WH;FKFsKu=vtqkjvOTyopqPZB1UW6W@zv;;r}$ zGrduGkjnN6IY;WuSy}M%c>GEw*QZ}(bG%cmC-V%2Qoyv1lt?AEBv_RGn9NJ(j0!(7 z!LtqTBbj`p`+b)tVr#{6Vc;`falLK&ThzM&l!gJzL9?^E<+Nou+oc~~p(*BzfA8z? z{uH4$p%vHgaFJ^m&ztGVOq;WracFDs>D6e)RR=ci9F54`=L?oP&*`I>6OAxe`4@iX z_wRyky=GC;cbrG`-l8RIIk?H)t#%=s=4E22Tuis!|B072-9?OQpZXj(Hph~gQhR%E zl7_;Ew|95zB<{fv3ilsQR;|z%S`}#=viDHAws-!_+aSIh_#%&J3_SZ~cgkG6w1L;u z4NvsjeyZuzK~KsdY+r|^@+dFD)!YB^)1u?mr$?%#oGB~npsOU>@n|Saa+-D2AYJaHp z5M|+=+IuC|92l%MK{OcM8}fBZ@-wmlwZSAM*V-;LeLEIEzQmfK%c z3-K&h5Szfhz{nzAD5vyuD#eI^woX^Om??*s)zycj$V%3lO;agu-)i2T>93}BpK~Nq zL$l3fo(#%flub_+i*vFT10SVWQeNBhVUb7BLMWFgbE3(97ra<-vVN-(eSm?DRu4PWYep^$ zQ3VZPX$=p(v>O=abO~RAeVygO6 zU2{tIwE$3PNDtN!MimOsymo%2FJiW%J>{H=6}TP<|og4{ADXJ1B*+y zMBiwDm|vjlq2N+edxIcFsSr}=zLJsf!1+83oNRs;be1d1p>2a-cNjJIW2;i^8C-Vh z%ugQ1a_?Rt=;!VG_yR)`A8+FZ{S>;h|B{JZTnKAz1j$F;Y1oSWidbWr+q18xD-18j z^z8$wr-U(`im!1F5(2Ci8kurXE#2Gl{Id+4p)y}uB9q(Fu{8Rn4=TH)^z-&|FGwbW zUME)KS3+0p4n!!p%8vunraC%^1L=}IMs@4M9CofV5_M?x!=E0}kbSq>oV@a4iO=lP z#%BfLN`->BgKyR&!!XiwLnRpx@9+-fah>^|`Rffoib^qvzwrR$9}xtH?e+Pz=$L_; zgf1rwW}3+0>)jU-W4XPFWhhJ2_rl%2MethNkt$90iO&nA@QwCqzDClXscaW#?tW>w z=~_UWG+Z8;R|ik2BxF4kuwxv9FE1>OgiZU8m3&jF7&#xj>ZWrIlH4VtYa@i0IyEg+ zzBvQ^q;*FOFiGmt&V^1Z^v!h$#(ts zX%uJ|f3^DGh?VI9{{Y0-HyB!J_8$oN&vmen70|yDLjR+%#`p*x%gfFEqzcqNpy+WF zJ!1ve5d&hNcJ*O94dlFqz8gR2=*adWSP4Wx=!^XqH{fU7ME~$pw+|3r(_?VvQ?Z`Lz| zD4j4w&qXlHtI_Aocpw5hpp%70L_PtkQB9dw%W^0kZWvZ=`3Hc;7vB?{X)H8>`kxRM z(mRNic3AtLzQlbu0*Cp5+2dg_a^_Qx6u3A(-w|L_}PF0WQ_&in>5 z>el3mBq0Y$7!%`8-fdj`iAVckXZH$^t2iD z4UdWUyIO$2%x>|UL1xqYo6)Z^v&;dmE{z-H>|w 
z!z`qOtViDhEChaK;DM*7D+buQ$xA!pHsa;V*EFHKGx;f+a?Ckic8a8H&3)J)S?B8_ z=j(^Ievm&PP#8B#uZNn7DpKqI*V%b4{Hil7GW;uVTu%x6APESL=?xuaAo|DFKI8qR z#pz^=e|hCU+?4-+ur>cDwPoF_5O#ATBcE$Ne*R#8(98DmVjb41`UB_#kmUE->chbd zsiW7DYinyK6ZZ&|GM?aq+Ix8?v`GQsUyl()IV2;4%m8uR1E%-iE9HjGaxJ8%LMk7l zI>%wX5gHM>*+#Q8=6mh+UEdt8DUu#>?)2+CbUaLW7_Z9Hnk1F^x4t|EAkUz0sx`I~ zn>W?p%2+%ex4@j{U#$?-beN~sbv7UTf|47|P6??m@$lAgggpC^?YO5{szx^Uccu$R zqjn?5D~ZFny^GL9f&_R$@+vCPvq3kWC+L%fL(J@tyZ;ntxBLpZ^<#WStD6fRhG zZ$UO@|4ue7ILRuWI*)O?h>?w1oOXE7@|0IKuPEKrIFs#J;jN0p>Bm%ITzf-PzQJ!U zcFM~_-&>oj66!yhStJuPls+#Y*ZCRSlw&*pgqhs>DOL_a4&xj5hogMeGv$mZ)@bM1 z@q7QJKzoMi4E))!F>Hs4t8TFv`1WV2}0{7xP1 zX#!Z>CW`;4%Uk8EeL7)nGr+RxMo42ndJO$R@8H!twdV{MnEVOv)aP|Pw5_kpb2X)Qmkp5{+#XaJwTt95@*LwwsphGzI&^mD4TjdO#BsNuP>M6xJf8>B=elT3H@)^1a5(jDaP~D7*R=>QT44xDFSW{SbGBRfhq;s<0X28 z<-rqT>r5|eE=ervknKX<`RuH$f+FT)evUraJ_x$n*jyBy*}+~Bk>gQ2Y9L(I8+Avs zr$yPW>@z~mz}in+KTY>=6l%7cLz)6ShJdyapPRC9j&g}@SKQ;%lH0@?NqtLX`rYU% zb|Wlf4XY!*XmMU)-0v4Ou_{*p`ZEBxwhF9q2hZI*qmt@XYgrJ!mbr1F7xnGdSw^|< z%ic01E)Irg9+c*0x9%}h2izw>Ku{&?&d7VhJKF`Ut0vc<-0YTSuVHua7ZRTfT1-yT z^Gaa5Bi@7^s7PVTIqDRl_>3FZpbi1t-|CAy`t~~ZAElCPf?C_6 zdF56Oncb-K*53+kd&ViT+<|7_f2C3mex|tWrZIoF7-(U1hY!+oYWT}0qo7@3=^-9n zO8<<)G}O;!M*K&|S8w&jg5UhAtlfHXRD>@wIdA34m~Ka3sFv!3^^@lpqR$FoOjIf#XZbgd5iBHe; zs;oh}n6~~nRoU5h)NNGx&Ftfd(6{BHI%9Yb6^8{;@Ihu|vCFG^aRna#&X6yTL}~wsynysLIR)A2f^~Zn>{%dg^HI z+If5~D@X5&SVMF7dCDV%$NDa=-N)6O6Z9x4?IvD-rAic5ZQj_PaY;2>yh6?)&2BbSg##h5pDl1)Xr6^ z6HwkzysZsEx??5p+|;qt7u#;*rhZ=24I=kmSS?#GhK;y2X}Si@VN?DTE(0Jz5p46X?&X*sw@-FvesxB^m6Zpt--^P;W>RJ;VRI^?xt3~lBod+3I zQ0Honxbt-%?RcS*N+wu;!qJTH-5(~`#FBEmJLy|v!cotSBv0Y|-={WqfRH&3}S0Vw{e^7X~c>}=OHm_lxSeeyL^tvcw4DOipwLK+#D z?xt7UO;FcJcim!-igbseHbY-px*L7Zzx#HVDx5+gE~zTQPQWJ2yfA6}2| ztXY@3J^ymWKt>6Ec*Pn#9mfRvAt0V8{X)I?18QQdy^4Qwf8=oC5QoJC;9fyQnAd!! 
z+2VnHeHSK$?y}omxn+HP+&bUY=O#u$!oHl0J8Guiy~inG5-s<+QQM)71frvB*mGCi z#Mf`~o40iB@_tH1Q8^u-j5+N_;gAoUR*6}b5VtHH=!lqqPziDo5bkv{#bA96w<)zNAhqZ=s&9a4B6G!}ZF07RB@L6qekEHpWgHJv7Ov7CP* zxcbZ&S`f8mP#02WRjdXk;&^Edn-e+p(+%jpR@OSBIGtNjB_AFm9oyrr^0u|!{s_M? ztGDd>y~j&yRc}Do-txGC_qR7OvlB1|m6lIeGGS5+KEI8j-nzmoDqLE|+V)z5!49tJ zENcAHEFh(jbN-1be>Qr|-Qa@KHV;V;N8QMq&SB6Dtc0RHYHj^VmpbQ7BG^5W4P7i( zEbZ6@T_%6JmkTZNl(MN2(}Y{x(`NObY~P(xhx03xgf+&}P^6CgAc`lxevMZjO&Tmm zI5e7@db}_x_z|wd8T(OEH@(>#z&Br2i)Uv)o2R`DMH$q22wF)1M8j@@hKt|}E6Pd6 zmu(1DZ}oUCxzoMm`$>P+nI0%L zxjJ1|n`3r$L0!A0w=RRsp{KUucx2A}?XR9`Iys%3EB725uaYO@DLJldVSalRTOBlI z8Z!DlQtBO!t>OnxM1=07iE%JKxZ`8Ryxt-LF-Mrjd%&>}klb{m0$KNr4_YNeA8}fR zb{Nz>;!+385BgQ_?5-E^pGbZ}et%gf$<`p&ab!-ol}I|bm+gI|a~x1I%1P1SRP0!9 z6YM~#rEu5$gK0&fb+4Z<>`q^gE`B}G*K?pRO)729%1$-@b|?`xnUCak#cS$6LKH?k zJF>Wid9hMV)unrrTzsie!;;gn$@_4=^Q+^5o(`@L3EXcjr{H{)4PDrY_vZi7MIHS2(F_Bc^a!9x&h9quk*Anv zLE?p(RvG$4hDC|Gea)eFEa{KY+B3377&hph&q76-cUn}DV#jnVqm{O9hc@iaHe=}F)HWc*z(g&_^JNa1Ksk(X7JczzkMl4u|eS{D<8@T!Bfze8-JBAzRg_@Yx!JmHul7d zkLYsj@g@FRkY>XL{(B9C(qbb{oc1>h>h;v(X>n7eAK?btFue z9rxk9?3&k(=%G)SG3Eg2M9vf&*fuEsdbiwe>UsSe<@k?vb-PpVDnlG11Lz14^s}Nx zW~Gy<_G79J2Ihqy5=F+Q%jj2JUck6tP)EE*SP6j@x9KvOMY_dydGZeufVu$9K8EmIfYMvS}7QEPBkBz}-$Oz*V# z0CNT7lojO#S5CDP@hgd?wkZYtK0CyRYIux2YuH^^cRXPJ_)uN!>u$s8)t`?U2e8Y% zI{0}T=Of6K4Jtm%|K~f!u8wais_f*e8SnImlf;fD)BC=&v4}jjc0DbLw~-H;u87X z{fV7kjOOO+7qzcqY5#K)i>f)#8KWJ13^@#SjFuNzmB1YbBga)kgWDlRF#cq?MMHe! 
zf>DvFw+K_?IrK+o>r!x`XepeWUN|*Q^|aDSV?e?9-juy z{gDA3eQdIds%}?`n!ziQRTq8I{`nCR?IgT|E+5z{)eAxgI~Ks>GiTN#>w1l4TfR;L zX9S;$D0m3iFb^pLo7{(0d!UQ1l%yG-a)&_6pfE@==Y8|45l4t=kHn*=UVj{PaN;hq zNla@Jtw)1OkgX1zA1faj=uVss$!$3B0#9pRd!(xg;)t%mGC0CIrML0lK?5Q3M$tb0 z`;N~~JzYh$;*PKH=)_mwyXriSvtK2oHC=AjX2TJW#+4+7mZKVci|b!-J(^4emq2rB5Sf# z+Wr1cjwoHDoT5`z?zp5Ej!G<3vp+OF%t<*1*@an#@^IgKRSPy!;*0pN1%Qrz_)WcH zV^nSR7p&~LKPLZ(Y~=hQqEv)le`n9>f?Q5vFIf0Clg?@9?>t8Wc(!NXgt!wUfRv{b_tf!`S1x5_61wdy5$BN zn3JVOD7LrT2HE|a$_Cjt_C=aojjRmGWo{HZ>PRk^)UvutbBlujw{tjKZjD33wr_b~ z+V4_$nh{JV6EprrH~oEH0#1s`L6&*)L?y-ULxt%Q=p>lh1p_vPFB$&}by z#k^9BaIiUM*$Ql0S81D8Vu!7Zd#vJ@-$!Tc^z9aG@{ic3w9tt=tyLae*|*3I;51_v zFkc(;H(`jYVL;GNr%WKH+arg!&ZoOQVI|Dp-YHS@<#43crFKsYrq?@TAD{*c>KxZr zUB6L_gxwD1&)M)lcKF?Xsb0y8418K|_XM|UcHyo+^Tk0C{kxD9(t{WAY22z72$mMP zmaR6wvoClljp`ytcUzl$S)gwZgjF~PSu&61=mFFeCBZCCL@o~g_*vjzbo!SwFqthM0k{GJo#>>qe5drqmPJj z@FvSj!M&_Wn^;XkLr0G;pu9)v0U#Hcp;mc?i5|!j9J>^{Rr3I|()_%6RM>4>@>;He zdIC1~!1=B1GG9A)#Yd+Vx^*#|TVMrRs)}UwsbPaKf!-8DkB6DM3|+IzO>z%*{+Wt| z&Y~7vK>4vBdAruV1k<~F|19FOLCsK&mkwPLp-XoMsvogp&j0Cc@TkzXc}kNbR(>ln z){VE=wSZZgLq*F=t9xREWw@Dp5*goE8cuKh5qcfl$o`4kFvZ1O$#mFpu8`N!YW zo=R@~kW6vmba*?B(g?c^)J@;5D3VL{HZ1>(xVH?5W9!;PkpRI7(zru#2<~pdT^rZn!QDcF1PH<1A-KCsaCesk z57M~X6gg+UdFS4_cjn*x1)8qCdw11ZkFAJ3qT2v9n^VDfnkFwR>@%`j)%c)rt=u)? zW*$$rgpe^hzKwf7_J#4Hh47;tSPd*ykDD5UTRR%4p4V^|qc#RD`nQKfeoiHIC#g6! 
zx>C|$i$RVM_DUK{=85-3)LjN|osaoD{bKh!eIH#tiAc?uauGoG>DUb^d4kC;LaZM9 z1#(PoC>g3cc<=sf&pr$cw6>XI?wVbaP}=XBX(^uW8_Z3N`9;~y4-J{<*fwY{Au89J z=#icD!LVU|kCK(><;ER5T2H->wv8wr3{RnJpHJ%!N-?13NpiiMrM@bs)!)F~0Wfgj zVOLlcfQ87jt8TmL$EBoaXlSU}FsBRdr|F*6F>p^!myvy9XVb}w2~z&*k2|zGmy@xC zKeRJGMXHn&h`GL(-$*BlSW1$7lJ`Eeo8T>96uT?&CKw?;Ayj#hYGpu}rIt6>D7DBWrtJ z1Uyl?G3h-VD5X7&a&ULu;&2KfuD|tviW;v}lNIMTtmyUopwznDa!xFf!xwUFTN7zM zOv_RsVe>_GjDe!-=S^t=##JZtaFM26m}b7P=rAC9GFj!?>x0?h4Xgu~c}q*Tw6sWj zrOii`=`&(ytg;lw-3v$)+BK$F+aAO&#FL!r~i&YudB3 zn7$U9?pA01p=lTIlE8}0+1)sDNGCJN%@NtX0IKwN+oSV%3L_~`1Si3L|3_u1ryo)m z5mn565W5!lI450QP5x|VZ~ygcU-8dsMjvWTg}a8L)E;;lW zCN%hVs$)nFy3aPb4L`S?g;}R}{Q-MjPY$6Ug!=Ur2Z`s!VH{}TO%y4bQLCVPw_wV0 zoM;8FRMvc63hT5NRx|vRNa_q`J-ENt0cT>H5~0&*FST0yTpQDPsDWH$YA($x2-!e% z-LcJa25+(>(zULRi8V`pr0kxdqI-w%mCO@I9Qwk5?Wb+bEVo#j1%iaaY$M7{WFxcr zBU?(s6rcAHdSf}WSuzbmf%VxX1Y+&;9XlYsp3N$rIB_*;72jeA(+bjF3TTaDpo!J?hG%<~R52kNo1me-SiDq<< zMa^%@hZM$@XC{;oVlVIczc^K!l~sJt8}9XTx4g!Ct4oa!wGj*>0BSs6D&zby{8Q?% zRwYAqil#IT=ZBKD=RJP34ETNz*9L1r9#P7Aus5&X&J>_syNkKIY^X+<+7S_EdT`@!TU;uShDvN1wcDz*b zo30F34Ug>GUn8)r)=m#aHy>xIVOTkgTb&T|Yzs(~)e*oseXFkLd+hsI-L*WFbQ9Rl-55FMXfQRCzOVoalq5Bc zumBM;Qfo_zv@KL&hBt)wGYs!bNy-+$`J(kC1OI<3CqTm3du`d>uHqH)k%4ZlTY<1= zful)<;mMKwC!N$`3}=D|0(q#o!rDqm;}Uf3_9yWmIx9awm#`wo!SL=Vp&;Z7|Gt?j zbh67V<{0#H3bq~$!2uTZ8 zE6!8QJof*EnPI^Lw#2&s)E1QPGzfby`6&pgft{}4DK0brEB2lDcF-IIJg!B6q3WH{ zh>-6V7p}YqKqG0SQt_#xu{4nyjn|_39M6p zD~!eI11<-PS(M@>$^JOxr?s=Wm{^kVn3_Z>aO4iDK5`K-?NSn&j}(auZ6JtP=a6rN@xyIYhO#IOsd9N?Iwco2=f!9)Dc%{&~B+ z6CQT009p@JwNGyjqh2w$^H#Qq1^V@ku6|F!wy5J|3%h$xhJ((E1|5x99SZSFhh{PP zo#ABP7PtIp)+98|9}?e|AmkI|$4#mdWY`EiA;kv9*%u5OzfADTy5J$i)#B1v;JMcDd>FnY7Io;)3wwe80|8}(tf`u9Tq(CQ(Z&Km&T~M0N zt%#9-d^<&tGjd)$y7OWC+>^1BBJdXXvtDb1jTRyPs7oaqwe^ezf@`lNMU?Zv%*d)1 z8&#uWo}eY|F&XN=z^CS#o2gB4kN;((eLc{ z2O;VyOD_lAQ&I-L!`2yK3a+!?-$Dr=8nOTSuC+@g8`$C=Xt@7krFSE~+A)IP{s<#n zDr^5i&$?Wm;neg(P%CwtlbHAE?3_ZxqF}65u4;#O#_I+~?VCgq z6^A0~wIsx_=iaSZwZ8Hn_U->rJQ=$+JRZfjDTHVrL32KF^{qW1YeKmwb?*@oM8#6(EM39VGL((9w 
zW#5^LP7;S_@wUNxBii1Ke&Lf&uXQ*WeB=isK}nd{g{zEyZWId=#L%HbIZzv+{be1q z_(N8YD~caVtFrYW$8j{<^v?R_z*{*3FS9fR-Gub=KxNDgpV+{7gW74R~SIB$0tW?<*fDY#2#DVc@rV+v5HQ-25b<7`Lj>=TK6t4p+>jxJ1_x^wi}tum zj5F#QZ@5p#9VKA5@LuOfqmRYj-GX-ezt9)#50RRWdpaO!Zm@w~Z`vW>6to09sJ$;> zZQ7q<0z={4h9@(7VbIS2`~#B1;Gt%^5?Y|?znuY&OTNQHAPkLf4j~o$!v84zr&yXx zp$=IiRjO&%f!`nH*h)U&6BKY@LQSB<6>QPlrW_t_-1{3oxD567uYD(v{m&e;-&m(t zM?lC|iHG&$C#j#*P(qmByY@N9lCvuK+Hn5MLpOOy^l0N^-7)8Pn=?+VF0#0XJcN-V zEi}M7J%nGzZTNJpEn2KYc6kAR=9}p5j2r}k*(R8*L!0BS(1N34lBRw7e5BO-d+0U0 ze0d!x28E)5nj__6_sm*w=c$>mp{ye;g5uz2LNR0;G<@xHcD~ZS0WB7)o#pKv5^prY zomHbluyMPvtjjQsG9yB^!>nV1MQSoJRlGTkomxiCF}L76a0ucXbOw?1pz&;MbIItM zJ{2WKvL(iD4#|-JPvK{RXpUQVfIKJy4us6X$w3|VYR`5_X!-yWXSomr>uaJLm_GlN zD&10wY>j!Qlih~V+sp*m)i5jh(vJoTBCgoz${#w%WIQD^7Hws#b{BO<1(*T{5(ur$ zettZOXl4o$lBq=I-?n#9X0Af7tDCI?3+xmn^bf-ciJ|r#%K0=Jwd59sju=cNn>lM zP5ZG_Ei(?k++j~f%)&UMwz){Z6#=LHD_yJeMhDTFVlKC>f_IBYH2L^{ikBQ#8l$<^ zGH5GA+W)H%Xp&=Yk`SV`0s;fn(Bbt3M+0rjn=Fo&>dpca&nqyq8mpEW5bVGDE(YYZ zkHLL$g8N}K`9e$zJU^VDIijfjkdFo@Xc!nM`m-_sk8{)PmV6llNSJA%9jZMZ5yMMa zLFONvwvKPq5xw^epZ8`xzu0urLXQZKauWA-hINaYEz}KQkVboP5SfwD;JyYtBCUQ8 z(AYwN&`7!R<6ry2zpb=mF4p7CmeAKdfH@|6X|k~i90Py7=&u~b8byG&hx%K_Ofj9j zoC|8ed=Y^1KlkGQrkGYL8+i$^aRV>F&JNWH+|3#ADgS+cuswujHmk+?UJcU&HC+=z*!k4)mMt+9$Y@p>5tC4LkOn!H-lxIqnvX7 z#crj1U*RJPlU+>Dx|%lj?blM03-fKNwVnzN#l1;O)V=^ zY7Xh@+xUXK9mLviojK1|;dyjb8pH@JD`s3dK#B?A@Ox#l`JHVuEvM)ToR%|+11xX0qP*` z0-BNv)Z!a+Ak<>+>CN_sP*j@$37%~Si0+@d@!{+OS8m^45W3^QEEekRMNK5HWAeWu-^Yl?LFK zDf}ZfCHu0;zPZi>Gbt(JL)m~1`me8UBH9FH`@-Oy`rMNq)SnFwbggB2Jo$T}-7}~u z%GWHCLFE1Vy4KB!VGRK`Qp*@hJI@*b!Zm^AOyN%*!b+UW%bJ}={B1SqZ^muY9zust zT(Yvznw5+8l`vtdS6=B*wfX9X=p0fOy6M1f8;q^;=6TB@%9JyfP)qg%et*VYQLBiE z<=B-34C-fNT+~_^oKkG=SJ~Zl&Ib|7v1R$LPF`y`bC_64e$JcPGgXg%j!FRtsaVQ= z@44zS@~jhUQda{8GSGSCLFkQI93#PWhb76~=rLc|xXMt!<>{vgT@v;XW|d49+Yy_A zTQoI?c75ozAV_{}B$q+*i({gLUwV9abbLZ-_A;lAG_9xSKZN`X7l zuf1TeTOQ&we58r@RVjwAf4s?U=*u|YPTXcFZ%@>h-mT9xHzYH{+M!skW10V~&oP0l 
zK4SfQe(wtaJqVV$?4(oLqrNjiV4wFt5^AM}&v?k_Yx>)Biur2{%|aW`3EUH)wCEbG zuNT-Od@vXo--(A$@?K+-6_(%qAxuwsVF7*m_Loir7*ZOr1`nQMhJ$+lqrO?z{uZTf z^h0H{EE`d{&1Z143!U(9BOsgiZNsPDL9FdgU+2~1Ygj(2^u5fC8}352XASxl9q4bu zhcAeJ+7V5fK+qZDu*t4CGt+9UNXs$-VZ7bYe%uJR?slww(4o_fvo$}jf8CDQ%D(xg zM}4R1O!(}#Z^mH|@umi~*UKMlYu&N5?ejtAsr6KKU)*?Wf7b_`2(0O^NI&Vu37Ri% z=(LqkKb3Yk`^>&6Q@T*BR+FztuL30u@JA;8a%ft9r4wY3OEZ|5IiF;l`I)mXb&vKmDW2$c+v_`7iU6yWK*T?fs78eF{A2L_f`|h)Czeq9ixnQuW6A4OW*I z`B46MH~vKDh@djfY0Tra8qLz%LI$n1nT0jFmV%a=w$r!kyheupoF##?HbMr8MPEp4 zy})K!fq{vet6xa)Z5;W(f2-~2O4jGTi0Pi-eF90fZZJyk*+@sQ1nzOrt2#6t1Gw5B z^%a>MM&85N%DxW;PreEY?c70Y>KjCK%Uo^em-=5tBxuPJ@n63^7qv&JVVObD z5Xv8;4Vgco56%Q(JUYc|(0rfB&^5Zks5AraMwEti_Q&q7%O?oxzP zN6A_nyfnjQcy*z}^^E;l{DTK3q|F2lRie^%vo8Wn_WBnACStI!f&{XiH5rC;qU~aO zu2$l(*2)cL4=dMk)mE`4WWU&|SaqEdpQBDWiWwUK)brpXVK~V4c4O?lUc|_q^6nJs z-vo_if0jL8a9c0|#oh*l*=>$C=DlIRTRWw2d>oCBm`GJ$Zh2b6!2SoTKZRjJ`0+2* zVLwnEN}JhdNByk|&$PEBQRafyC{goV6-8W)|L(}Ej#pIG+rb38OvRC>egj!bYzz5* zLEfjL4%T@nZgeO>g`p}kh6&^+dm;$?^WBrxZaw_qu`4y47@!e&T>ib!?ZR2lUCEZ9 z9bPMA(FVfebHz*4y|-#p!lT)!FUM`#IL)KQYNK(p4boHI{Z=M8*L zk7z;UJ&2WWR;dq`g!NLRG_RBsrHy^wUMI`y0K!cOx$Uv(px#-OH|?a<*{qTpDC1mr z$hs*lbSg-4XdoHW#%ZewCha>c;}G2KWsQf3hoBAiBgQ8tP8*IOL5YyKHgF8`T0_yQ z11l%n4PH=ca5@ZG{fLIBya0&xMaDFSDyG>RIh1Ahx#M<}C<}KwST^a^0b zLw~oU5@I&&*@1XV%cZ2iVI^&&cfV=(w^Tz@*2{4a*uG5#a7bR@Vz(3hmaO=AsYn)c4ssvH-l{X9JS$``aOzX zc#Cq!}LcJZrZ{(*}3pPE_N#8=*`6z4%INVCK%CKOLwA%PxWOtjRH1uL@F z0=q(NHu>F#ZQ}+Pf2xP7em$klDPbUf*}pip%p+kNPUhYHxAfuT!R1BP8Cc^gznRx% zE23?d2o5Or_p2nBEUE7ojl9p+Yu{BVds;+le=zzOa7lCdE|c1bpGP#h9kcfIU6AJ3 ztky4u_S#y?cP|%X!{ZvgO*Jfn&<>K~s6FeA9${e^9K7qW_pj%UWBQ%CCUz(^JlfI# z;8swynohogcM~~pM2VLdTR))}T3qa?Ym51N$1APXU}Y%VUyPUO`Pf)<2J}e01n-$2Jw6 z+@=z+`9q4|mk0&s)s{c-bARdo0W6dOo`k2awsDiMqx{f@c(}()eGEof|42b$KN6-n zjmY910VGmRjvoczgp2OpJPWH8R2R;5ykC9D8-c>dMDsX;jNjt!a0)1sP}U8{EoBFa z3(Rx{YAqihe*!iYr81<_Zy9WYxwSQ=jGJB>&`0B~;%UBC9p7O`3=EJ%x+Zfd 
zY%T%0L6+k4>SgPl6$L{yRt=t|SwuJ_KZINqmIpLkh^=`qek%s5dAHOXRN;=XV8(T{S>40F^du(Eid(C3Z@IP$Y7$a4^TJl$s#_{K}Du_mLo2(K$ zdw?)GQLemb5`028fMSNJq)AJN;Hd4m9oC5*ZOPj{huAAMeh4PnNhKv^VVNj5?S1f- z-g)mqfiqC3$d5UaB1leJ)E6;gqrJ!ywi z>B-Q>=b5s!0fseWslDDagDbE4_V#{JfICyb-E#N{(Ta^bg(cN?edFljFNL>qgZmMFO2VAjIBqX6H-l40=tR3^w%OgK_TKv7>CR>mG;K3GStv${#4ox_cWz*Chc~Vm)^0np)O>XA zA$z{WzevUbv_u;a&5%n#=6w4t7Xfmxd&^y+p1(%r{jAP&GjOk%{c+3#*4NaOiyU zuQ1)@FyDFVsqJUnMq1YRolr}q;)N|^U6WQsXw42Mf;#2k`8*&`XWvy@rjvT_Cn=ni zEwUYYakV@`oCE2;s;U>F>zngHz|+m`E2FChC*9cPemj>i0*sS)0QH>YGq+N=yq)KS zaVf>gSF~nx!$-e4nqV}L4ShUT(__Vyewos1RX|xQ!grhqmI|Z)N|Vz^=Ggp#NvKCC zXKn1yj@qosnA_YuX{-&JadCL
!&O%O9?-W8=m=Bj)9rDQ#GSAk~jj7q9N|T z?ATjrkD(j_DXS`Yy506z`^{R)e*_nKQFh~w>*uL(@aC4Dpt-PeeWp&W) zts}P>*I0NB2+X{25wOwm>m`!s9w7%!-qrF|s ze>Q140UUj+E82S8^k!TS%L_>GDAtv(&4EEa6_ai}?}@HC0$X`isJN zT?ul=29}oL#prGBI{G{eOT#KV;p4^Cv0n!u`Z2AfEyy9iTN!@Wmzsi=D~43vl9{7Q zKhrRKA#N2Jta}eGWMm*y3n2bZi`n+k(V*}o%X@~DY(kr*?529b_|ye@eZ7qX6^`a$ z@Ab}ZJFlSILGv4HX!(ydk8&%)j5l(Y-Z>_>Nrg=F-ZAXL=DM#J-mK`h@EsMR3S!kU zSN{3s3!cU7%<6a1V9{6r7xSoCT#Y^V>&$AT^IvJ+PkXQ!jGTGgwxnA^aD3QTI7dY+b zjWUBJijLx6@pdw1zky2(#q@p6no^eI5g_$`oG#BZ+W`DtDOdo9s+qJlm+L})uetMg z$mVMnD%FLm8a2q3s=;zI$4fOPh+hs>!nC$8NqQC-{t#ShD>uUMGq_wrKG#hvGQB%W zWb`<6(pFS4)#l(f1$W=|^M%=fnkWU>hR3=rVS+P-60QGD`$SDuiAHvRMqgc7xIyv* zONZU}7sn<5daC3BA#FhQYcp5Q`K+w|`=KQ7wAMLLXjyj9rWoNA`B|ANc*&xYROmGt zQ5($K)t65~e0%4=|G^bse4V&8fKGcH19baEHK4A{^`#KTe3o*<0e-My{#*=oFAF_a zfAzw_M&CSM2X>@`JD?Aq#j>%EjmdY+{BM@q^FFUKoD5J#g`z^`z96plqH|w244|QC zIe442$SAOrgnXM9;7>e(04NNkEexQ99)PkZd=)^pdWJB)xUKjoeRXL0Gx>Tnb3!xH z)wH^RRI$~bTduxBm|M``t!Bo64Czv@rKXYQXjZX4V!IVy-wY6r0}LU;KJmr_J}?>6 zM1Cy&Lv<@+DeeHhmzt6ogGw7j;XaJQR&iog_~1tlcw67;Rl z=ed!2PTND+K7kq6O6{ZjAb@@V)TpryC?gJ}>P7Ta$J_uI3zWg<5KKqro>Z)*aN8Q}PtZz%)T_Cx1b zyrdWDg0;Rrul>R_ob^I{qS|g;v8z|PIUu71&LQ&y_uA39;O@^#zo4YiLu-_W+bf9q zp;n;Ik5SE#bHc+l;y=-CVkNuxnvixM&AHpgeP9F+*;T#&y8i5ZZQs&}d)49iY~lW) z{s^2CFiJ=5;`lSZbzaYtwQO$doyrY?2tFTZaMp@xE$Tw&m`WvK;9*Bm^G5fBA7>L! 
zdMR=p7AN^OqwluU^5{iWGVEs=u>)u!RMVRwac&qW+Q+UNiS!Uq<%u3OgM+ zWIrp!T*T*`!Q;ACS|2*p1R#9;jukh(n9->Ak z`i>sM1F-k%phQvVR&rZuO?eB{P|D3**a3Dv^Jr3%q3$9Vp)O%!*m)g9-8@bw>Fxx= zT4}8M8fSbymuzh>O~WRh96mciJ^cZvpM3=94Vu;D{#zRzy2z0gKXj^lKi%^20keA2 zm(1?0+9rBEeK%TVw3*F6jvd^~Msx(t+N8Zq4`}C>d0T;v?r_tL$Vl)m4&!d^g!Yr` zcdSt)`PBMdS*3RvZ;fcpH?MDlhC}jON)7v&l=s?x4UQHyNY1^!3D)+oqn%HYy_5=)rS0LQ{bD)-sNA zyjTr6IWh23uW?dueoY1$r2kfknPdQ5)y^f(+0-;8BnL<)#9L;#uXk8F%*XF+730wb zPJ+M%_5|&@ibC~o^{-ODo+?in7!B zT7_y*r2@E#$HJ9$LR!#w--af_wB_%H$us>)dbaPq1s-p7LDks1gnkr;;O*WX z^j^JyI?b-$@h56rqSl6{_57cN8bhkQi56fKS-9cD#%VukVid2}`>=~RAC%2-Uys^` z`Gw51s)Qe$OjFhiRco~(WsYAK-!BdII+h?)7ksMQ4o+q@VBigk|ER!JilPh8UG01U z?@>8PeOQz087BGPLr_s_)}-|aB3f1 zd?yRMa`AnuZfVVt(CAhBY;*5Al+u{sgB5kOok6w#BA_Jaj{ixR#Ky6;?sZW1lD;O1 zt1p30hvotJ0|5O*0+y11iW%AX?|FFV;w?YB??Ms%9@`sL6|9zpf4;P$FmHjm90E@7 z>bjcwxfI%5gS^T+{G-e>50sj%Z*f`>#K#IFmEaQq^^3Vc9Y7P83f^ziwFkR3uvfQv z>Q-8vv;6wWUlKPC{?0&Zrty}cAa3%z609)lGxjUIO+YrDOkVnwW)F7)KR||^73jIh zga{#3e^KJsB9M+7_4^oelgZjj!RP^Ib{;4)hu{U=>5|GjXKS1xLb6=tfU)G`9HU=D z2-~@XYE0e%0KtEU01JUPS{S?v(xSgcC-V3Oy`-r83Gt{MJf>FJ=9yxyP@ZBj&U_(c zPebpKpOH#7x}BE@1mz%zNbUFg{9U>CgW~mu4cC@zb}KX+GTcIv-#pXwR=tLM|1>uK zNwS+;vSFIxyuQm9w`H=T7Sn}6c|RllPA5XS&!UH0N)yQ??fEb!~ z2Aq>vZz!m+I4RnXowvSFS4ThN{Gc(Wf_%eMAJ24F7$UHF$gH6PMDpJtRc4aa|DJ-% z3%qgUgbE;{tpjMo{BMeb0OqE3x+E+kS{T7%`g0?99A z;1W@QOH`SjQ;gIm<#HmP4Rv*Z&bk2V41k4&@8Eh3Y#m^C0|dzR|72?X{{&tC!;1dz zLT~=pqn!Yj_J2FO>8t#8HCraWowz{qGj}<}obg_HIRc=JvKb>Bk#lx8K{mD`BbvO6 zK4n9SpZaj2PLUQ?fBE9q`sMY{i1YG`{5xK8Lpfisb-!mFyr%0kWvX&^x`u@iow@V! 
zSo?N)x6{`<5mhr|{r=LMLn#ya8Q!aM=%P))pEo zrJYJ8mtc2Ew3i*ryh8-YdiBF74AdZLjVW7sqQ!NWtX)I2$1-d5$0Xl(azq zLO0A;369rogn5Ca=VZB}UqpDM0CX1*Yi|BHXUc)e4RWpB$o$XLE8t>OJQfw8b} z9b{f&s>pMMzb3#Y1tTB4C8<8w4Xv&&W;T?8%c4~Y{%VY(Wq9R~m)aCaf*ZQJwi}mi zO&8hdFnajRjkF8aO?B-AhsuCpaeTV*Xv$beE~{jN;< zU1NE6FEyoW$7a0e6;;+0e{26d)OvR)8O^!J=@sL1d#hr(LemwAc+koC0^H&ID%g~c z<{nOo8mb{bkNh#v1nk=*?QS|Y)wdXb?5&FbY`{f+Rat6NoP=Q8a(BK%ENS?xY8L%6 zM=+TwG&Na?l0P$~ouEkN$`we@ebaj136rpQm4u=GO$lIPG?<+}NLmS6OcQQuHrQ;- znuF63Evf=|%+ZptFe1q(nYi2B{*pA61T7xCYx+*J<1nN`GC|b)6i=W#{#g2lyzMT01tic+rbviDekiLu5o{q7o~)-p|Dh%Fwu%zt+%6M^xUg*k%)zTj4-?gTO!vGK}>rsX^G zmulZKY3%D0CTPf0tMb?>2;OREzswH||Kyuw#bzy|*GJGFU(sJp^ItOt$u{b0iULJm zCL+BRx~VMCvfLZVbD-h>HSjQ+IM02;^MYwNFZgOht92UpJmdkPTteUf)Fh{Oqo7@c zsi}cDLTSQ$`9Z?QF$J8T)-YwOXrva?n3Rxv+!M8ibnFXGei3K{w)9Kv=3OQ0xLZo7 zwXKjio2}vfcTtW!6L*K3(BF}PW~<}>NN?;d&%Uzx^Z%g$+ZRT!w!L|bVh9o%G)gRe zX$FlCTc8rs<{|`m>vn~Q=hV@y3k03I6GkhlWhQ~Rh7};L0b*rhHwwk?uo+v~4s($J z%;mGTbufwoC>IK5jFZ)S&mA^5-#I$HiYh-*N@0xgF8Cu7F{Y5wsjoj0Ty<3x>TbP8 z;zdoVxb7qjUx!*Z-PWBO8S2$+`Pq)GRmzp$B`-J#)FWrM%$JHpq*rb4v+i@M znss-$9Z+pS+7eZ`E%N1`=Bt6Jc6$!a&gXrRgpx>55y}50p22<6fX_M&%t;Vfm4;I$ z+RF_RB1I$SqavkI|1Yu3f8J2Bi|$Zw?-DpgnqT@VsQ*YH%X*L6B&=qCqrjhQf9*aA zt3opFp6wLI$!ibpmx*9jjS}-2R9MY@{VjS}lz+1|{fuec?%lO20H7&t;k$PiOD9hvH377^sZM{BY2-8ecvsE^^`OVGCp`_k?xD3&yqm9h7FG zP9=MRgF;nV@t*3kzg!2m$+idRoLF_(DwlW#6uP?&n*%A)>UUla$5x9uZv_XpgfB>! zr6gvP!u(WS?f;=!B>me{)mxJ(N%csYf^a==$%CF+hAp7o_D48#CBiZ#fS0vKOqQ=(i!(4Prsl2W$SL$1 z5!08_bf{@&u1TM^Vp^6wz|eRvEKy6ZrZH<`M?vp0so*qe>|P|wmyfOR+Y>gC*CL{X z9pPGI;J3t83}vC<;#K_J)x?_9U6u0JTf06u62+5L-Umt6Y0xY5yzQB&La3MfK9`RS z$LVD1m$cHxlvuHSt-7n}rb*@Hl&1-$^@mbSLUoG=P3kTXZeDgUD&P6OmABCZzDw{% z=}3twYaY%q=%d)8k<+&d9RVe?vn=E0LuUsT1`EOve(;y&bT1^t=DcYk4ilpo>! 
zh~vgtfx)W+SDuyzA7*PkO4>K9-!98HJL($h_u$!r`O6+RSocK7gxx$L$X3= zi!s(rYpaY4l+ZYA7pxkT@^ZCyG`^G~D9HEs(*O85DJ^BnGWappQIi|ZO3BEuDBXyj zJ;jglw*&j;Z;97FDtbFw(^PDhdoA{9M$sk#pOme`vC->Bjf8zL4uX;n zH~#%#1NrUn<>8v0R!qg)$!~WK{rFg}tTm2@)=qsm)G@X4f*lnOHKsxz13tYZPP{r< z7uZEQUDi9au5L_7`}td#G+IKD7S$P@C@bqf|Fs`1|7@PxSQZ_WpGh&(plneL->sd2 zP5h=I*5)DcA-1ohHvP(2UK(gP%q?2XAFFKLn*LoLEvY!KgfLYg61Gg2FX7C)ag(n0 z;IO%~R?!xO(lq3E2`^YCl+e|?F(^yzn7XwFcxF?*1I_pKJhr~}nqH{7#&gmvL;c!l zk$q$2MfWOvhOcR9t4%%;>>PAv1;ZVaR5~$tYQH!iVbZ+e(oXwpsThPWUFSQ^BWzZk zWN<@92W2Y)8AjfkF@{vEv!$LsP zhE9VAEwZVEsz9HYDc4(>)S~?VrSU{&{P^JfFo{18kNQYE(O>B_XS>w$aD$zpve1AG zSf1n$zn`@8vma*b(W=Yz85p*mb)xg5Q7_qw0@TY_sL?sjqs6mHOH*TVpGFY27go{e zr0`oqgZ1}uIj&Gqh7jU%YuX$|eMQF2PU~eRW_#~oUQTwvhWcOsfl}4Ld%#fxd>KBY z)Q^5FXyoORqq}*Vf52VI4&rl0Oo92e%Wdbhu|oG)NJ%hHvww+*1Mbfz+)B$iM2TpXdnlkwW!t*f#5t82v7jlL<68=ESlTOtT^YlggBR ziuR1NPxuRyuC$4m0zOrd!95#YQ#%s#M6|mU-5UhO>+0ffk|t{{!@5|fjz5LF@pgkM zE3Ay5*XQY!n*=5Sk@YNl z-XR+Ly_opL>+Nh5{c4Yeo9~EAFo}S} zH0cW_FO+=a|B_i}59SehGsn4*d-1U-8YdF5vc+4sDjpC~ub z;QUQ$9C6O7x!nBKfe#MTlSIN&7_DXPCI8QhVUkefUyDj{F(~r@8P-}!HdQ5{ z;KR{6Dl}yUR)dJo$m6Dbm9QI?J}Rh3lq~sBab(z#~iR<;d<^ruW8%&>{Ty=q+1DE5>;$1JMtXe27kd30P!(U zvfx|+I?6Ycswh`<%=|4y@m5Gz$ptb~P`6EE6oHP@DV>}2fnvwEp_Fzw9rNO&6jT9$F==#8? 
zmnX4{2H>568*#O;_?V@X=2aDI6fJSrBj3)$el;?=kD7(;&E`^Q7wN{_D?FcAn*Ba2 z#_rm^9>wewah#!sMaQLq<5oA3+)w%Jj)NcGfR?jf^LT$rGS%HxN2Q>*4<`B7Hw`!l zNyIVcd8BAAFRIHGV<7Q@i#x$s5bReC+0fAkMRt?ps{0D4(H9>6-L-~+XF;e1-+mCw_`O5k2(9A}XzFPO<}nFPc@f-!4NuD!T?O_bD1xYT1$JfoR2{(8cN#U1(R(Fj&s%*#b}c%efca z%R_Z!0X=#9aenyr_{T75I|J9<@f3O;ld;Xu#*TB~ryb-@ynp`E$@a{0Wp742 zX8IL`$V2&4Y)%C(Q9$~7l4c%G)SpH8aoK9G$P6lAi2c@}A=~fqK3!L>!wnE*km!uE zJs2?lDB%_%kjMI5%-x~QsfU7bkLYwqhpPC~694G@Xo__E2qw!&M1SQ^948sma_alg zW-YIdjOAUzNtQbp8$d~-YU~}n+ zWY#jQAnrN_zq|!z?9faP5eig>?gQ1-nY>-d`-$ zTojKgQ}R>JYn@#pGxGY(u1@q7Mko=;Wl6NX7_gA_KmFUR9Neil>izlAQey~V#`j*n zerp_YG=mxWi1i+9z?(M>gPt~>$je0{R-Q0u@o8RfXPo|kZkc!UI;KgUc`JWJ7Cwx9M*CLF^e|Io>1>ER9kkiG+E8_i;nXN!Pmwn&dc!>Uq(WPp z=yYh0|MGo{IOLV8-=PB_hk3d9^TM&a%Dd*;HwSRitjuk?6^v8G^Y2Ojw8#6*K72y~ zxhho4J;L+l$0ZM9+K>#}2@$CQSAe7DvD@R%+nO#_r2v?J9Nrj79US2uoWQeRNB!BR z4Bn0p;%B<(^mQ;jC*N{Pwv~iuaWP{7dZ`=L9byn2JTN&d4^IyW)>=R(y^*RD;m~tq z9$0v~9z)iSh~nfe^I&5CP`h5G-c5LI+1(d^D=>;FYK;>L8? z{b6K30#$BlX-it#`}=2pQQJYoHydjT(esH?tyf|moL4GT9>Tb^z=8N47$G!747{S9 zCEQ}VJ76{v)_k52j;ThR9TKn4GWl`1y=dGaACLH``1Co?L2+<>(M%W`!_pIivOW%X zQU8*{o)!LVE`$ebVrAvtShoHSB%Irs_=a|ByD9bsJ!!qsk^JQ9jkqjn7{uuUXK>8S zM*U$`gFALuIow&utWaJRS+@2SQ*Pb&9(}I)Rjr+wYEQyHCE+A|oIK06lpcS;q*t}~ zpVfj}63H}Y}NYt?tv+e_UEWA zmMcp?@sZpM>k9ij>sLptnXfvR$&I&n0fB8m&KzKx3{XnqS`sdW>>2d=g~SUE`diN5 zV(cGOtc`S(?^rC@x-JO!DTZBf*e04kYd6<~D|dA1=)~v4X;9(WRJk@Rcn?h#eJC%P ze9XUU|G^2;a7ZcVtWUVneSavn^6l$dV&-Q8U@b-S=6P-{RR#!#)S^${+h$i6#}aW} zS|(=(MOSj|9caPb-0>vuPFpFULw5XUeWcaRml#sDKGzgj9ll{dd?d;Z7h6+ju8#=N z^L=OWdxmcpuTY^cQT4?2y+wt?*bA~?-G^h*)Oo2ISmt2-KA7+fApsQt#Wv^V;k z`U7l{%`o4=VBf-g(&)s%``>cwUMiH^P$m^x!&gXS7T+ z7zIrZ@K78OcU)TgR)j{AE0wRYLvL5YJ%0L`ScjJI43u& zWrM0OG0WIWVajB{QN3l0_}_NxN7B31>D>{pru)r&8@%hC-{FtPR$t#Ar+eS~^^+C5 zlvv)q+oyE!j?K+IT&p$|9qDRWc>TiU(!dY1Po0R_acm1u`2(#>t7bese)-B3mF+oI zU7)iOgHmJkL#LkQ+Vgc^X?U}?)MM2Q*(~nfM{+CeXD^(X6`NBPE|VX*{HcAMoA!lb z^O?O}AJ>Fuzj<7kpNmFdfmw{AJ#1Tke#!u+$P>jknu<- zSc;)RNW_>=0lk?68Xi6To~r|N7Q0hjxI-QzLq^Sh?Fk(}Vj1f}*D5e*HqMs-%}arM 
zv@a<+{2f~l801%lsGs#e=ibq>RQ`Wm{OPoCfB$|UXLI`bY0+_-HYpoDfTvY6G-SNw zVO{1wUr&C@gy-|B^;ASWZYu((s~9@GfmayZ|2?H5LQ1Rdn>g^wh659C5qU?0MEd%_ zMTM=8zon;WdB^=ZeSJ>u*Of^NWJ1?T|2y-R^{)7v6LZ7$7Jjre0r~!M=doVNSl-=j zOWW6+{<87G%-faIfLGl2bIVEdq`%qgCwKY78)iwq9@m#!=f(z0FJE^r#-&jjse0uct!E!=x9!~S!s~OZ-vzq+NrmZezM|9me&*Sd0Iw%S_nscT@=Ir z&C<84yVS*i6&iy zEcmr}nV|XNxyzP|=*e-;NuT??lhwvOOTNW0FoFGzN`>4Lc92^NKi_J!eeVBpzQKIE zr!_lMZTD7{RzEIvE%VB?(Xd)`dV9xd)>m8Hf2Z1Rj=bgE`_{-ej^|+oi;MEZ{x$O5 zEkLhx*+?V^E7|aTI>z*F;wI-(zC$xS{PzE`O3&}oU1L4{iMf~y$kll_cn-uJPW`fS z@{xe5e{=co?tH$rC6{x8AHm+&X(SS-a12Y6Nx{-8{T$&f0Xd^<{padpm_nkItJH z-(}7J3Dl=JP+|4{*uz-f*dnGqhyE-*cv=7d$GO*DNgfsEt>Ay+zyeSg`Yp~EKq8*5 KelF{r5}E+Dfn){% literal 0 HcmV?d00001 diff --git a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md index c2a024ee69..3f8d489fb7 100644 --- a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md @@ -17,30 +17,13 @@ ms.date: 03/01/2018 Typically, deployment of Windows Defender Application Control (WDAC) happens best in phases, rather than being a feature that you simply “turn on.” The choice and sequence of phases depends on the way various computers and other devices are used in your organization, and to what degree IT manages those devices. The following table can help you begin to develop a plan for deploying WDAC in your organization. -| **Type of device** | **How WDAC relates to this type of device** | **WDAC components that you can use to protect this kind of device** | -|------------------------------------|------------------------------------------------------|--------------------------------------------------------------------------------| -| **Fixed-workload devices**: Perform same tasks every day.
Lists of approved applications rarely change.
Examples: kiosks, point-of-sale systems, call center computers. | WDAC can be deployed fully, and deployment and ongoing administration are relatively straightforward.
After WDAC deployment, only approved applications can run. This is because of protections offered by WDAC. | - VBS (hardware-based) protections, enabled.

• WDAC in enforced mode, with UMCI enabled. | -| **Fully managed devices**: Allowed software is restricted by IT department.
Users can request additional software, or install from a list of applications provided by IT department.
Examples: locked-down, company-owned desktops and laptops. | An initial baseline WDAC policy can be established and enforced. Whenever the IT department approves additional applications, it will update the WDAC policy and (for unsigned LOB applications) the catalog.
WDAC policies are supported by the HVCI service. | - VBS (hardware-based) protections, enabled.

• WDAC in enforced mode, with UMCI enabled. | -| **Lightly managed devices**: Company-owned, but users are free to install software.
Devices are required to run organization's antivirus solution and client management tools. | WDAC can be used to help protect the kernel, and to monitor (audit) for problem applications rather than limiting the applications that can be run. | - VBS (hardware-based) protections, enabled. When enabled with a WDAC policy in audit mode only, VBS means the hypervisor helps enforce the default kernel-mode code integrity policy, which protects against unsigned drivers or system files.

• WDAC, with UMCI enabled, but running in audit mode only. This means applications are not blocked—the policy just logs an event whenever an application outside the policy is started. | -| **Bring Your Own Device**: Employees are allowed to bring their own devices, and also use those devices away from work. | WDAC does not apply. Instead, you can explore other hardening and security features with MDM-based conditional access solutions, such as Microsoft Intune. | N/A | +| **Type of device** | **How WDAC relates to this type of device** | +|------------------------------------|------------------------------------------------------| +| **Fixed-workload devices**: Perform same tasks every day.
Lists of approved applications rarely change.
Examples: kiosks, point-of-sale systems, call center computers. | WDAC can be deployed fully, and deployment and ongoing administration are relatively straightforward.
After WDAC deployment, only approved applications can run. This is because of protections offered by WDAC. | +| **Fully managed devices**: Allowed software is restricted by IT department.
Users can request additional software, or install from a list of applications provided by IT department.
Examples: locked-down, company-owned desktops and laptops. | An initial baseline WDAC policy can be established and enforced. Whenever the IT department approves additional applications, it will update the WDAC policy and (for unsigned LOB applications) the catalog.
WDAC policies are supported by the HVCI service. | +| **Lightly managed devices**: Company-owned, but users are free to install software.
Devices are required to run organization's antivirus solution and client management tools. | WDAC can be used to help protect the kernel, and to monitor (audit) for problem applications rather than limiting the applications that can be run. | +| **Bring Your Own Device**: Employees are allowed to bring their own devices, and also use those devices away from work. | WDAC does not apply. Instead, you can explore other hardening and security features with MDM-based conditional access solutions, such as Microsoft Intune. | -## WDAC deployment in virtual machines - -WDAC can protect a Hyper-V virtual machine, just as it would a physical machine. The steps to enable WDAC are the same from within the virtual machine. - -WDAC protects against malware running in the guest virtual machine. It does not provide additional protection from the host administrator. From the host, you can disable WDAC for a virtual machine: - -```powershell -Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true -``` - - -### Requirements for running WDAC in Hyper-V virtual machines - - The Hyper-V host must run at least Windows Server 2016 or Windows 10 version 1607. - - The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10. - - WDAC and [nested virtualization](https://docs.microsoft.com/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) cannot be enabled at the same time. - - Virtual Fibre Channel adapters are not compatible with Windows Defender Device Guard. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using Set-VMSecurity. - - The AllowFullSCSICommandSet option for pass-through disks is not compatible with Windows Defender Device Guard. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using Set-VMSecurity. ## Related topics 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md index 158b2fede1..7840f034bc 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md 
@@ -23,7 +23,28 @@ Some applications, including device drivers, may be incompatible with HVCI. This can cause devices or software to malfunction and in rare cases may result in a Blue Screen. Such issues may occur after HVCI has been turned on or during the enablement process itself. If this happens, see [Troubleshooting](#troubleshooting) for remediation steps. -## How to turn on virtualization-based protection of code integrity on the Windows 10 Fall Creators Update (version 1709) +## How to turn on HVCI in Windows 10 version 1803 + +Beginning with Windows 10, version 1803, HVCI can be enabled using any of these options: +- Windows Defender Security Center +- Windows Intune (or other MDM provider) +- System Center Configuration Manager +- Group Policy + +### Enable HVCI using Group Policy + +1. Use Group Policy Editor (gpedit.msc) to either edit an existing GPO or create a new one. +2. Navigate to **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard**. +3. Double-click **Turn on Virtualization Based Security**. +4. Click **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled with UEFI lock** to ensure HVCI cannot be enabled remotely or select **Enabled without UEFI lock**. + + ![Enable HVCI using Group Policy](images\enable-hvci-gp.png) + +5. Click *Ok** to close the editor. + +To apply the new policy on a domain-joined computer, either restart or run `gpupdate \force` in an elevated command prompt. + +## How to turn on HVCI in Windows 10 Fall Creators Update (version 1709) These steps apply to Windows 10 S, Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. 
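Review bot: Step 4 of the added Group Policy procedure says **Enabled with UEFI lock** ensures HVCI "cannot be enabled remotely", which reads as inverted, since the point of the lock is that the setting cannot be turned off remotely; the step should read `select **Enabled with UEFI lock** to ensure HVCI cannot be disabled remotely, or select **Enabled without UEFI lock**`. The closing instruction gives `gpupdate \force`, but the switch takes a forward slash, so it should be `gpupdate /force`. Step 5 has unbalanced emphasis markers (`*Ok**` should be `**OK**`), and the image reference `images\enable-hvci-gp.png` would be safer written with a forward slash. Because the locked option is deliberately hard to reverse, I would also add one sentence after step 4 advising readers to validate driver compatibility with **Enabled without UEFI lock** before moving to the locked setting.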
@@ -70,3 +91,20 @@ C. If you experience a critical error during boot or your system is unstable aft
 1. Rename or delete the SIPolicy.p7b file located at C:\Windows\System32\CodeIntegrity.
 2. Restart the device.
 3. To confirm HVCI has been successfully disabled, open System Information and check **Virtualization-based security Services Running**, which should now have no value displayed.
+
+## HVCI deployment in virtual machines
+
+HVCI can protect a Hyper-V virtual machine, just as it would a physical machine. The steps to enable WDAC are the same from within the virtual machine.
+
+WDAC protects against malware running in the guest virtual machine. It does not provide additional protection from the host administrator. From the host, you can disable WDAC for a virtual machine:
+
+```powershell
+Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true
+```
+
+### Requirements for running HVCI in Hyper-V virtual machines
+ - The Hyper-V host must run at least Windows Server 2016 or Windows 10 version 1607.
+ - The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10.
+ - HVCI and [nested virtualization](https://docs.microsoft.com/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) cannot be enabled at the same time.
+ - Virtual Fibre Channel adapters are not compatible with HVCI. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using `Set-VMSecurity`.
+ - The AllowFullSCSICommandSet option for pass-through disks is not compatible with HVCI. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using `Set-VMSecurity`.
\ No newline at end of file
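Review bot: The added virtual-machine section is renamed to HVCI in its headings and requirements list, but its two body paragraphs still say "The steps to enable WDAC", "WDAC protects against malware" and "you can disable WDAC for a virtual machine", so the section contradicts itself about which feature it covers. The command shown sets `-VirtualizationBasedSecurityOptOut`, which by its name opts the VM out of virtualization-based security as a whole, so the lead-in would be more accurate as `From the host, you can opt a virtual machine out of virtualization-based security, which also turns off HVCI for it:`. As displayed here `-VMName` has no argument (possibly a placeholder lost in rendering); it should read `Set-VMSecurity -VMName <VMName> -VirtualizationBasedSecurityOptOut $true`. The existing sentence that the guest gets no additional protection from the host administrator is the key caveat and should stay directly above the command.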